On Wed, Jun 18, 2008 at 09:15:48AM -0700, Russ Allbery wrote:
> Wouter Verhelst <[EMAIL PROTECTED]> writes:
> > I've attached three files: one containing the output of the same script
> > above, but with the Net::LDAP constructor having the extra options
> > "debug => 15". This causes Net::LDAP to throw a lot of debugging output
> > on stdout. The second is a pcap capture (captured with wireshark) of all
> > the Kerberos and LDAP traffic going over the wire as the script runs.
> > The final is the output of 'strace perl ./test.pl', but with the
> > debugging option removed again (so as not to pollute the data with
> > extraneous 'write' lines).
>
> Okay, what this shows is that you successfully completed a GSSAPI
> exchange, or at least the client thought it successfully completed the
> exchange, the client sent the search, and the LDAP server told it to go
> pound sand. From the packet capture:
>
> 06:32:16.607174 IP country.nixsys.be.42746 > samba.grep.be.ldap: P
> 941:1099(158) ack 345 win 108 <nop,nop,timestamp 27361117 948824446>
> 06:32:16.608061 IP samba.grep.be.ldap > country.nixsys.be.42746: F 345:345(0)
> ack 1099 win 74 <nop,nop,timestamp 948824447 27361117>
> 06:32:16.608108 IP country.nixsys.be.42746 > samba.grep.be.ldap: P
> 1099:1573(474) ack 346 win 108 <nop,nop,timestamp 27361117 948824447>
> 06:32:16.608357 IP samba.grep.be.ldap > country.nixsys.be.42746: R
> 1321331696:1321331696(0) win 0
>
> you can see that the LDAP server sent a FIN and a RSET. So you're getting
> a broken pipe error because indeed the LDAP server broke the pipe.

Right; I hadn't noticed that. Since I could successfully log on using
'ldapsearch -Y GSSAPI' and using Authen::SASL::Perl, I assumed
Authen::SASL::Cyrus was to blame. This, at least, shows something more
is going on...

> The next step is probably to look at the logs on the LDAP server.
> Hopefully it will have logged why it abruptly closed the connection. The
> client at that point doesn't think there was anything wrong.

Gotta love heisenbugs. When I stop slapd, and start it with '-d Any' (so
that it doesn't detach, but throws a *huge* bunch of debugging details
on stdout), I can't reproduce the bug. Luckily, the bug is reproducible
when changing the configuration file to get those details in syslog, but
that pollutes things... *sigh*.

Checking the logs reveals that there's a little bug in the script:

    $res = $ldap->search(base => 'ou=People,dc=grep,dc=be', filter => "(&(objectClass=posixUser)(uid=wouter))");

should get an s/posixUser/posixAccount/. Doing that changes the error
message from "Broken pipe" to "Connection reset by peer". This suggests
that the only bug in Authen::SASL::Cyrus is one of insufficient error
handling, but that the real bug is in slapd.

What a surprise.

Sorry for the noise.

--
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22

