Bug#486698: Authen::SASL::Cyrus produces bogus SIGPIPE

Wouter Verhelst w at uter.be
Wed Jun 18 21:14:06 UTC 2008


On Wed, Jun 18, 2008 at 09:15:48AM -0700, Russ Allbery wrote:
> Wouter Verhelst <w at uter.be> writes:
> > I've attached three files: one containing the output of the same script
> > above, but with the Net::LDAP constructor having the extra options
> > "debug => 15". This causes Net::LDAP to throw a lot of debugging output
> > on stdout. The second is a pcap capture (captured with wireshark) of all
> > the Kerberos and LDAP traffic going over the wire as the script runs.
> > The final is the output of 'strace perl ./test.pl', but with the
> > debugging option removed again (so as not to pollute the data with
> > extraneous 'write' lines).
> 
> Okay, what this shows is that you successfully completed a GSSAPI
> exchange, or at least the client thought it successfully completed the
> exchange, the client sent the search, and the LDAP server told it to go
> pound sand.  From the packet capture:
> 
> 06:32:16.607174 IP country.nixsys.be.42746 > samba.grep.be.ldap: P 941:1099(158) ack 345 win 108 <nop,nop,timestamp 27361117 948824446>
> 06:32:16.608061 IP samba.grep.be.ldap > country.nixsys.be.42746: F 345:345(0) ack 1099 win 74 <nop,nop,timestamp 948824447 27361117>
> 06:32:16.608108 IP country.nixsys.be.42746 > samba.grep.be.ldap: P 1099:1573(474) ack 346 win 108 <nop,nop,timestamp 27361117 948824447>
> 06:32:16.608357 IP samba.grep.be.ldap > country.nixsys.be.42746: R 1321331696:1321331696(0) win 0
> 
> you can see that the LDAP server sent a FIN and a RST.  So you're getting
> a broken pipe error because indeed the LDAP server broke the pipe.

Right; I hadn't noticed that.

Since I could successfully log on using 'ldapsearch -Y GSSAPI' and using
Authen::SASL::Perl, I assumed Authen::SASL::Cyrus was to blame. This, at
least, shows something more is going on...

> The next step is probably to look at the logs on the LDAP server.
> Hopefully it will have logged why it abruptly closed the connection.  The
> client at that point doesn't think there was anything wrong.

Gotta love heisenbugs.

When I stop slapd, and start it with '-d Any' (so that it doesn't
detach, but throws a *huge* bunch of debugging details on stdout), I
can't reproduce the bug. Luckily, the bug is reproducible when changing
the configuration file to get those details in syslog, but that pollutes
things... *sigh*.

Checking the logs reveals that there's a little bug in the script:

$res = $ldap->search(base => 'ou=People,dc=grep,dc=be', filter => "(&(objectClass=posixUser)(uid=wouter))");

should get an s/posixUser/posixAccount/. Doing that changes the error
message from "Broken pipe" to "Connection reset by peer". This suggests
that the only bug in Authen::SASL::Cyrus is one of insufficient error
handling, but that the real bug is in slapd. What a surprise.

Sorry for the noise.

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22




