SCIENTIFIC-LINUX-USERS Archives

May 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: John Hanks <[log in to unmask]>
Date: Tue, 23 May 2006 08:13:19 -0600

On Tue, 2006-05-23 at 15:59 +0200, Jan Iven wrote:
> On Tue, 2006-05-23 at 07:31 -0600, John Hanks wrote:
> .. 
> > Good idea. When I tried to strace 'su - baduser' it forked and did too
> > much to keep track of. An strace of adduser hangs at some type of LDAP
> > lookup (tail of 'strace adduser tester' is:
> > 
> > rt_sigaction(SIGPIPE, {SIG_DFL}, NULL, 8) = 0
> > rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
> > [those two lines are repeated many times...]
> > select(1024, [5], [], NULL, NULL
> > [hangs there for a long time...]
> 
> check what file descriptor "5" is (socket/pipe, to where - this could be
> the "netstat" connection you have seen, but also could be a helper app).
> And check whether the application has already received data over it -
> maybe we are waiting for naught, and the server believes it already sent
> everything.

lsof has this to say:

adduser   9310    root    3u     sock                0,5     585984 can't identify protocol

> > read(5, "", 5)                          = 0
> > brk(0x6b6000)                           = 0x6b6000
> > [more stuff happens that I've snipped...]
> > rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_DFL}, 8) = 0
> > write(2, "adduser: ../../../libraries/libl"...,
> > 113adduser: ../../../libraries/liblber/io.c:171: ber_free_buf: Assertion
> > `((ber)->ber_opts.lbo_valid==0x2)' failed.
> > ) = 113
> 
> This looks rather like an error message from openldap that never makes
> it back to your console (perhaps STDERR got redirected). This is an
> internal assertion - did you kill the running "adduser"? Or it is just a
> funny way to handle a TCP timeout.

This happens if I allow it to time out. If I kill it (CTRL-C) it says:

select(1024, [5], [], NULL, NULL <unfinished ...>

Now that I know it works without SSL and given that there is minimal
exposure from allowing my clusters to do non-SSL LDAP queries, I'm just
disabling SSL. I'll test every so often to see if recent updates have
"fixed" the problem. Unless it suddenly starts affecting the FC5
workstations that connect to LDAP over less than friendly links, this
just became low priority for me.

Thanks for your help,

jbh
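
Added example, not part of the original message: one way to do the check suggested in the quoted reply (what a file descriptor points at, and whether data is already waiting on it) by reading `/proc` directly on Linux. The sample table, its addresses and the inode 424242 are constructed; `describe_fd` and `find_socket` are names chosen for this sketch.

```python
import os
import re
import socket
import struct

# Constructed sample in /proc/net/tcp format (not taken from the thread):
# a client connected to 10.0.0.5:636 (LDAPS) on socket inode 424242.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0200000A:C350 0500000A:027C 01 00000000:00000025 00:00000000 00000000     0        0 424242 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}

def decode_addr(hex_addr):
    """Turn '0500000A:027C' into ('10.0.0.5', 636); the IPv4 word is little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def find_socket(inode, table_text):
    """Look up a socket inode in /proc/net/tcp-formatted text."""
    for line in table_text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) > 9 and f[9] == str(inode):
            tx, rx = (int(q, 16) for q in f[4].split(":"))
            # rx_queue > 0 means the kernel holds bytes the process has not read yet
            return {"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                    "state": TCP_STATES.get(f[3], f[3]), "tx_queue": tx, "rx_queue": rx}
    return None

def describe_fd(pid, fd):
    """Resolve /proc/<pid>/fd/<fd>; for TCP sockets report peer, state and queues."""
    target = os.readlink(f"/proc/{pid}/fd/{fd}")
    m = re.fullmatch(r"socket:\[(\d+)\]", target)
    if not m:
        return {"target": target}                     # file, pipe:[...], tty, ...
    with open("/proc/net/tcp") as fh:
        return find_socket(int(m.group(1)), fh.read()) or {"target": target}

if __name__ == "__main__":
    print(find_socket(424242, SAMPLE_PROC_NET_TCP))
```

On a live system, `describe_fd(<pid>, 5)` run as root against the hung process reads the real tables; it covers IPv4 TCP only, so a socket found in `/proc/net/tcp6` or `/proc/net/unix` falls through to the raw link target.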
