[Pkg-openldap-devel] Bug#466569: slapd: Needs a newer libdb, now that sasl is using 4.6

Richard A Nelson cowboy at debian.org
Tue Feb 19 21:29:24 UTC 2008


On Tue, 19 Feb 2008, Steve Langasek wrote:

> On Tue, Feb 19, 2008 at 04:56:23PM +0000, Richard A Nelson wrote:
>> Package: slapd
>> Version: 2.4.7-5
>> Severity: important
>
>> Recently, SASL moved from db4.2 to db4.6, while slapd is still built
>> against 4.2 - and as a result, slapd is flooding the logs with this:
>
>> slapd[24852]: SASL [conn=7156] Error: unable to open Berkeley db
>> /etc/sasldb2: Invalid argument
>
> No, I don't believe this is the source of the error.  There are no handles
> being passed between libsasl and slapd that would cause the wrong libdb to
> be used when accessing this file, only libsasl itself will access this file
> directly; and both versions of libdb have symbol versioning which ensures
> that libsasl uses the correct libdb when opening this database.

Indeed, that does appear to be the case, which makes the message rather
odd!

> Do you have an /etc/sasldb2 that you intend to use with slapd?

# ls -l /etc/sasldb2
-rw-rw---- 1 root sasl 3072 Feb 19 16:31 /etc/sasldb2

# grep sasl /etc/group
sasl:x:45:smmta,smmsp,openldap

My only use of sasldb2 is for smtp auth (until I have that working with
Kerberos - which I've already moved everything else to)... And the few
systems where Kerberos is active are the ones generating these
messages... The rest are set up strictly for auxprop/ldapdb auth.

> By default SASL will try to use this database when not otherwise configured;

Yes, SASL is a royal PITA wrt libraries/db usage... I've had several bugs
opened on sendmail because of SASL OTP messages, even though (then, there's the
slapd/saslauthd message during daemon startup - something 'bout ldapdb).

> I don't recall what error message it spits out in that case, and don't have that in
> front of me at the moment.  If you do have an /etc/sasldb2 that works with
> other apps but not with slapd, then we'll have to dig deeper for the cause,

In my case, it hasn't really hurt that much - since sasl is using
ldap/kerberos; from the message text (open error), I assumed it was
the lib change - and that someone might get royally messed up if they
used sasldb2 with slapd.

> since upgrading slapd to db4.6 should not be required and is not really
> appropriate right now.

Ok, I'll do some more checking on the systems exhibiting the message and
make sure smtp auth is actually working - and if so, I'll just ignore
the messages.

-- 
Rick Nelson
"I don't know why, but first C programs tend to look a lot worse than
first programs in any other language (maybe except for fortran, but then
I suspect all fortran programs look like `firsts')"
(By Olaf Kirch)
