Segmentation fault in mod_ldap

Server OS: CentOS 5.3
Kernel: 2.6.18-164.el5
httpd: 2.2.3-22.el5.centos.2

One of my httpd servers started getting a segmentation fault in mod_ldap
this morning.

As far as I can tell, nothing related to httpd changed between a time I
know it worked and when the failures started showing up in the
error_log. The httpd binary, the conf files, and the module binaries do
not have new timestamps.

I have several different locations protected via LDAP authentication to
our Active Directory server. Some are applications like Subversion and
Trac. Others are for static content. It appears that any URL that is
protected via LDAP is failing.

According to auditing in Active Directory, the authentication is
succeeding there.

Here is a sample config with sensitive data in the URL's changed:

AuthType basic
AuthName "OrangeBlood AD"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL
"ldap://company.com/DC=orangeblood,DC=org?sAMAccountName?sub ?"
AuthLDAPBindDN "CN=ProxyUser,DC=orangeblood,DC=org"
AuthLDAPBindPassword "*******"
Require valid-user

Here is a stack trace:

#0 0x00002b23b9be4020 in ?? () from /etc/httpd/modules/mod_ldap.so
#1 0x00002b23b9be5066 in ?? () from /etc/httpd/modules/mod_ldap.so
#2 0x00002b23b9def7ad in ?? () from /etc/httpd/modules/mod_authnz_ldap.so
#3 0x00002b23b81b8f93 in ?? () from /etc/httpd/modules/mod_auth_basic.so
#4 0x00002b23b422ecb2 in ap_run_check_user_id () from /usr/sbin/httpd
#5 0x00002b23b422feb7 in ap_process_request_internal () from
/usr/sbin/httpd
#6 0x00002b23b42418f8 in ap_process_request () from /usr/sbin/httpd
#7 0x00002b23b423eb40 in ?? () from /usr/sbin/httpd
#8 0x00002b23b423aca2 in ap_run_process_connection () from /usr/sbin/httpd
#9 0x00002b23b4245849 in ?? () from /usr/sbin/httpd
#10 0x00002b23b4245ada in ?? () from /usr/sbin/httpd
#11 0x00002b23b4245b90 in ?? () from /usr/sbin/httpd
#12 0x00002b23b424687b in ap_mpm_run () from /usr/sbin/httpd
#13 0x00002b23b4220e48 in main () from /usr/sbin/httpd

I changed LogLevel to debug in httpd.conf and was able to see some debug
level logging, but nothing about the failure.

Do I have any choice but to compile mod_ldap.so with symbols?
--
David L. Crow Texas! It's like a
crow@OrangeBlood.org whole other country.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Segmentation fault in mod_ldap

David L. Crow wrote:
> Server OS: CentOS 5.3
> Kernel: 2.6.18-164.el5
> httpd: 2.2.3-22.el5.centos.2
>
> One of my httpd servers started getting a segmentation fault in mod_ldap
> this morning.

Does it happen if you upgrade to 2.2.13?

> Here is a stack trace:

Are you in a position to get that with debug information?
Compiling mod_ldap and mod_authnz_ldap with debug (which is
apache's default) will get you that.

--
Nick Kew

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Segmentation fault in mod_ldap

We determined it was a problem with an incompatible apr package that got
auto-updated on the server from an alternate repository. Going back to
the CentOS versions got us back in business.
--
David L. Crow Texas! It's like a
crow@OrangeBlood.org whole other country.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Segmentation fault in mod_ldap

David L. Crow wrote:
> We determined it was a problem with an incompatible apr package that got
> auto-updated on the server from an alternate repository. Going back to
> the CentOS versions got us back in business.

Can you tell us the APR version that caused the coredump
and the one that works well for you?

That should NOT happen with any sane upgrade! If you've
got a regression there, it would be good to know about it.

--
Nick Kew

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Segmentation fault in mod_ldap

Nick Kew wrote:
> David L. Crow wrote:
>> We determined it was a problem with an incompatible apr package that
>> got auto-updated on the server from an alternate repository. Going
>> back to the CentOS versions got us back in business.
>
> Can you tell us the APR version that caused the coredump
> and the one that works well for you?
>
> That should NOT happen with any sane upgrade! If you've
> got a regression there, it would be good to know about it.

The failing ones were

apr.x86_64 1.3.8-1.jason.1
apr-util.x86_64 1.3.9-1.jason.1
apr-devel.x86_64 1.3.8-1.jason.1
apr-util-devel.x86_64 1.3.9-1.jason.1

from the utterramblings repository
(http://www.jasonlitka.com/yum-repository/). We were using that
repository for another package and picked these up unexpectedly.

Jason provides an httpd, but that wasn't picked up. I'm guessing if
both had been installed, we would be in better shape.

We're back to

apr-1.2.7-11.el5_3.1
apr-devel-1.2.7-11.el5_3.1
apr-util-1.2.7-7.el5_3.2
apr-util-devel-1.2.7-7.el5_3.2

from the CentOS repository.

Sorry for the noise.

--
David L. Crow Texas! It's like a
crow@OrangeBlood.org whole other country.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org