Bug#601627: /usr/sbin/saslauthd: ldap connection shutdown problem

Vaclav Ovsik vaclav.ovsik at i.cz
Wed Oct 27 21:35:00 UTC 2010


Package: sasl2-bin
Version: 2.1.23.dfsg1-6
Severity: minor
File: /usr/sbin/saslauthd

Hi,
I have configured saslauthd to authenticate postfix users via Active Directory
LDAP interface.  My /etc/saslauthd.conf contains:

ldap_servers: ldap://first-ad-server/ ldap://second-ad-server/
ldap_bind_dn: service-account@my-ad-domain
ldap_bind_pw: password
ldap_search_base: ou=Accounts,dc=example,dc=com
ldap_filter: sAMAccountName=%U

I have configured this on a Lenny production server and reproduced it on a
Squeeze virtual host to see if this problem still exists in a newer saslauthd...

I noticed the errors:

Oct 27 22:44:53 squeeze saslauthd[4418]: user ldap_search_st() failed: Can't contact LDAP server
Oct 27 22:44:53 squeeze saslauthd[4418]: Retrying authentication

The problem is that Active Directory servers, after some time (in my case 15
minutes) of inactivity on the LDAP connection, shut down the TCP connection by
sending a FIN packet. saslauthd doesn't handle this and tries to reuse the
connection.

188 22:13:55.223837 192.168.1.10 -> 192.168.2.10 LDAP searchResDone(2) success  [0 results]
189 22:13:55.260594 192.168.2.10 -> 192.168.1.10 TCP 50894 > ldap [ACK] Seq=131 Ack=45 Win=5840 Len=0 TSV=7802696 TSER=10387887
243 22:28:52.037488 192.168.1.10 -> 192.168.2.10 TCP ldap > 50894 [FIN, ACK] Seq=45 Ack=131 Win=65405 Len=0 TSV=10396855 TSER=7802696
245 22:28:52.076598 192.168.2.10 -> 192.168.1.10 TCP 50894 > ldap [ACK] Seq=131 Ack=46 Win=5840 Len=0 TSV=8026900 TSER=10396855
253 22:44:53.837430 192.168.2.10 -> 192.168.1.10 LDAP searchRequest(3) "ou=Accounts,dc=example,dc=com" wholeSubtree 
254 22:44:53.837580 192.168.2.10 -> 192.168.1.10 TCP 50894 > ldap [FIN, ACK] Seq=213 Ack=46 Win=5840 Len=0 TSV=8267340 TSER=10396855
255 22:44:53.837652 192.168.1.10 -> 192.168.2.10 TCP ldap > 50894 [RST] Seq=46 Win=0 Len=0
256 22:44:53.837775 192.168.1.10 -> 192.168.2.10 TCP ldap > 50894 [RST] Seq=46 Win=0 Len=0
257 22:44:53.841652 192.168.2.10 -> 192.168.1.10 TCP 47384 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=8267341 TSER=0 WS=2
258 22:44:53.841905 192.168.1.10 -> 192.168.2.10 TCP ldap > 47384 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
259 22:44:53.841918 192.168.2.10 -> 192.168.1.10 TCP 47384 > ldap [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=8267341 TSER=0

There should be a FIN (shutdown) from saslauthd after packet 245.
A new searchRequest was sent instead. After the old connection is shut down, a
new connection is established and processing continues.

Best Regards
-- 
Zito


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sasl2-bin depends on:
ii  db4.8-util             4.8.30-2          Berkeley v4.8 Database Utilities
ii  debconf [debconf-2.0]  1.5.36            Debian configuration management sy
ii  libc6                  2.11.2-6+squeeze1 Embedded GNU C Library: Shared lib
ii  libcomerr2             1.41.12-2         common error description library
ii  libdb4.8               4.8.30-2          Berkeley v4.8 Database Libraries [
ii  libgssapi-krb5-2       1.8.3+dfsg-2      MIT Kerberos runtime libraries - k
ii  libk5crypto3           1.8.3+dfsg-2      MIT Kerberos runtime libraries - C
ii  libkrb5-3              1.8.3+dfsg-2      MIT Kerberos runtime libraries
ii  libkrb5support0        1.8.3+dfsg-2      MIT Kerberos runtime libraries - S
ii  libldap-2.4-2          2.4.23-6          OpenLDAP libraries
ii  libpam0g               1.1.1-6           Pluggable Authentication Modules l
ii  libsasl2-2             2.1.23.dfsg1-6    Cyrus SASL - authentication abstra
ii  libssl0.9.8            0.9.8o-2          SSL shared libraries
ii  lsb-base               3.2-23.1          Linux Standard Base 3.2 init scrip

sasl2-bin recommends no packages.

sasl2-bin suggests no packages.

-- Configuration Files:
/etc/default/saslauthd changed:
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"


-- debconf information:
  cyrus-sasl2/backup-sasldb2: /var/backups/sasldb2.bak
  cyrus-sasl2/upgrade-sasldb2-failed:
  cyrus-sasl2/upgrade-sasldb2-backup-failed:
  cyrus-sasl2/purge-sasldb2: false
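The failure mode in the capture above, reproduced locally as an added example (this is not saslauthd code and not the reporter's; it only emulates the behaviour). A throwaway TCP server on 127.0.0.1 plays the Active Directory side: it answers one request, then closes the socket after an idle period, which sends a FIN just like packet 243 in the trace. The client first reuses the half-closed socket the way the report describes (the send is accepted by the kernel, then the read fails, the equivalent of "Can't contact LDAP server"), and then shows one way a client can notice the pending FIN before reusing a connection: `select()` reports the socket readable and a `recv(MSG_PEEK)` returns zero bytes. The function names, the idle period and the request/response bytes are constructed for the demo.

```python
"""Half-closed LDAP connection: stale reuse versus a pre-send liveness check.

Constructed demo; a local TCP server stands in for the AD LDAP server.
"""
import select
import socket
import threading
import time


def run_server(listener, connections, idle_before_close):
    """Emulate the AD side: answer one request per connection, then close the
    socket after `idle_before_close` seconds. close() sends a FIN; any data the
    client sends after that is answered by the server kernel with a RST."""
    for _ in range(connections):
        conn, _ = listener.accept()
        conn.recv(1024)                      # the client's "searchRequest"
        conn.sendall(b"searchResDone")       # the "searchResDone success"
        time.sleep(idle_before_close)        # simulated idle timeout
        conn.close()                         # FIN, no LDAP-level notice


def peer_has_closed(sock, timeout=0.0):
    """True if the peer's FIN (or a RST) has already arrived on `sock`.

    A socket whose peer has closed is readable with EOF; MSG_PEEK lets us look
    without consuming real data (e.g. an unsolicited LDAP notification).
    A silently dropped connection (firewall, no FIN) is NOT detected here and
    still needs a timeout plus retry."""
    readable, _, _ = select.select([sock], [], [], timeout)
    if not readable:
        return False                          # idle and, as far as we know, alive
    try:
        data = sock.recv(1, socket.MSG_PEEK)
    except OSError:                           # ConnectionResetError etc.
        return True
    return data == b""                        # EOF => peer sent FIN


def stale_reuse(sock, request):
    """What the report describes: send on the old socket without checking.
    The kernel accepts the bytes; the reply read then sees EOF or a reset."""
    try:
        sock.sendall(request)
        reply = sock.recv(1024)
    except OSError:                           # reset or broken pipe
        return None
    return reply or None                      # b"" means EOF: no answer


def query_with_reconnect(sock, addr, request):
    """Check for a pending FIN first; reconnect if the peer went away."""
    if peer_has_closed(sock):
        sock.close()
        sock = socket.create_connection(addr)
    sock.sendall(request)
    return sock, sock.recv(1024)


def run_demo(idle_before_close=0.05):
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # ephemeral port, offline
    listener.listen(2)
    addr = listener.getsockname()
    server = threading.Thread(target=run_server,
                              args=(listener, 2, idle_before_close), daemon=True)
    server.start()

    sock = socket.create_connection(addr)
    sock.sendall(b"searchRequest(2)")
    first = sock.recv(1024)                   # packet 188 equivalent

    # Wait until the server's idle-timeout FIN has arrived (packet 243).
    fin_seen = peer_has_closed(sock, timeout=5.0)

    # saslauthd-style reuse of the half-closed socket: no reply (packets 253-256).
    naive_reply = stale_reuse(sock, b"searchRequest(3)")

    # Checked reuse: detects the FIN, opens a new connection (packets 257-259).
    sock, second = query_with_reconnect(sock, addr, b"searchRequest(4)")
    sock.close()
    server.join(5)
    listener.close()
    return {"first": first, "fin_seen": fin_seen,
            "naive_reply": naive_reply, "second": second}


if __name__ == "__main__":
    print(run_demo())
```

`peer_has_closed()` only reports a FIN or RST that has already reached the client, which is exactly the situation in the trace (the FIN arrived 16 minutes before the next search); it is no substitute for a network timeout on the search itself, which is why the "Retrying authentication" path is still needed for connections that disappear without a FIN.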
