From flyingbeefhead at verizon.net  Wed May  4 21:28:11 2022
From: flyingbeefhead at verizon.net (flyingbeefhead at verizon.net)
Date: Thu, 5 May 2022 01:28:11 +0000 (UTC)
Subject: [python-ldap] Interesting Django, RHEL, openldap, python-ldap,
 oracle 19c client problem
References: <1550362224.2646403.1651714091355.ref@mail.yahoo.com>
Message-ID: <1550362224.2646403.1651714091355@mail.yahoo.com>

I am having a very interesting problem with python-ldap, Django, and RHEL. I am hoping someone can help me.
I am running RHEL 7 with SELinux turned on, but in advisory mode only.I am running the Redhat provided httpd server version 2.4.6-97.el7_9.2I am running mod_wsgi compiled by me version 4.9.0There are 2 WSGI instances running on the httpd server. They are both in Daemon mode. One is 1 process/3 threads, the other is 2 processes/3 threads each.Running Python 3.9.0 compiled by myself. The Python 3.9.0 has its own copy of openssl and openldap and don't use the system provided ones.Running openssl version 1.1.1g and openldap version 2.6.1 with python-ldap version 3.4.0.Running Django version 3.2.9Running python-ldapdb 1.5.2Django is accessing Oracle 19c binaries as well.I have multiple DATABASE entries, 3x oracle and 1x ldap. Django is configured to use Oracle for the main repository.

When running ./manage shell, I can use python-ldap without any issues. Pull data, etc. It all works well.When running from a Django view using the same calls, I get a segfault when python-ldap performs the bind_s() call.
Here is the top of the stack trace for the segfault:
Program received signal SIGSEGV, Segmentation fault.[Switching to Thread 0x7f216ba42700 (LWP 26161)]0x00007f217ea832b1 in gslcctp_PutControls () from /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1(gdb) backtrace#0? 0x00007f217ea832b1 in gslcctp_PutControls () from /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1#1? 0x00007f217ea9a1b0 in gslcsa_SaslBind () from /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1#2? 0x00007f217ea7b220 in ldap_sasl_bind () from /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1#3? 0x00007f216e23d6f9 in l_ldap_simple_bind (self=0x7f212a147cf0, args=<optimized out>) at Modules/LDAPObject.c:564#4? 0x00007f2181c56acf in cfunction_call (func=0x7f216a2c1c20, args=<optimized out>, kwargs=<optimized out>)??? at Objects/methodobject.c:546#5? 0x00007f2181c0d282 in _PyObject_Call (tstate=0x7f215c00a090, callable=0x7f216a2c1c20, args=0x7f2169f92900,????kwargs=<optimized out>) at Objects/call.c:280#6? 0x00007f2181c0d36f in PyObject_Call (callable=<optimized out>, args=<optimized out>, kwargs=<optimized out>)??? at Objects/call.c:292#7? 0x00007f2181bc1a53 in do_call_core (kwdict=0x7f212a1502c0, callargs=0x7f2169f92900, func=0x7f216a2c1c20, tstate=0x7f215c00a090)??? at Python/ceval.c:5092

Here is the basic code that I am running. I had to pull this out and strip off a lot before and after:
ldap_conn = ldap.initialize('ldap://%s:%d' % (url,port))ldap_conn.set_option(ldap.OPT_REFERRALS, 0)ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)ldap_conn.bind_s(bind_u,?pind_p)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.python.org/pipermail/python-ldap/attachments/20220505/a35a4ad8/attachment.html>

From stephen.butler at gmail.com  Fri May  6 12:35:32 2022
From: stephen.butler at gmail.com (Stephen J. Butler)
Date: Fri, 6 May 2022 11:35:32 -0500
Subject: [python-ldap] Interesting Django, RHEL, openldap, python-ldap,
 oracle 19c client problem
In-Reply-To: <1550362224.2646403.1651714091355@mail.yahoo.com>
References: <1550362224.2646403.1651714091355.ref@mail.yahoo.com>
 <1550362224.2646403.1651714091355@mail.yahoo.com>
Message-ID: <CAD4ANxUTL+zKYwn2r8AGzSJFMx3vL1H+g3ne80QqeY3KntfHcg@mail.gmail.com>

You can see in the stack trace the web Django python-ldap has somehow
linked Oracle libraries for LDAP and not OpenLDAP:

0x00007f217ea832b1 in gslcctp_PutControls () from
*/apps/oracle/product/19.0.0/client_1/lib/libclntsh.so
<http://libclntsh.so/>.11.1*
(gdb) backtrace
#0  0x00007f217ea832b1 in gslcctp_PutControls () from
*/apps/oracle/product/19.0.0/client_1/lib/libclntsh.so
<http://libclntsh.so/>.11.1*
#1  0x00007f217ea9a1b0 in gslcsa_SaslBind () from
*/apps/oracle/product/19.0.0/client_1/lib/libclntsh.so
<http://libclntsh.so/>.11.1*
#2  0x00007f217ea7b220 in ldap_sasl_bind () from
*/apps/oracle/product/19.0.0/client_1/lib/libclntsh.so
<http://libclntsh.so/>.11.1*

Did you set some custom LD_LIBRARY_PATH in your webserver or process that
runs web Django that isn't present when you're using manage?


On Fri, May 6, 2022 at 11:28 AM Lance Ellinghaus via python-ldap <
python-ldap at python.org> wrote:

> I am having a very interesting problem with python-ldap, Django, and RHEL.
> I am hoping someone can help me.
>
> I am running RHEL 7 with SELinux turned on, but in advisory mode only.
> I am running the Redhat provided httpd server version 2.4.6-97.el7_9.2
> I am running mod_wsgi compiled by me version 4.9.0
> There are 2 WSGI instances running on the httpd server. They are both in
> Daemon mode. One is 1 process/3 threads, the other is 2 processes/3 threads
> each.
> Running Python 3.9.0 compiled by myself. The Python 3.9.0 has its own copy
> of openssl and openldap and don't use the system provided ones.
> Running openssl version 1.1.1g and openldap version 2.6.1 with python-ldap
> version 3.4.0.
> Running Django version 3.2.9
> Running python-ldapdb 1.5.2
> Django is accessing Oracle 19c binaries as well.
> I have multiple DATABASE entries, 3x oracle and 1x ldap. Django is
> configured to use Oracle for the main repository.
>
>
> When running ./manage shell, I can use python-ldap without any issues.
> Pull data, etc. It all works well.
> When running from a Django view using the same calls, I get a segfault
> when python-ldap performs the bind_s() call.
>
> Here is the top of the stack trace for the segfault:
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7f216ba42700 (LWP 26161)]
> 0x00007f217ea832b1 in gslcctp_PutControls () from
> /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1
> (gdb) backtrace
> #0  0x00007f217ea832b1 in gslcctp_PutControls () from
> /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1
> #1  0x00007f217ea9a1b0 in gslcsa_SaslBind () from
> /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1
> #2  0x00007f217ea7b220 in ldap_sasl_bind () from
> /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1
> #3  0x00007f216e23d6f9 in l_ldap_simple_bind (self=0x7f212a147cf0,
> args=<optimized out>) at Modules/LDAPObject.c:564
> #4  0x00007f2181c56acf in cfunction_call (func=0x7f216a2c1c20,
> args=<optimized out>, kwargs=<optimized out>)
>     at Objects/methodobject.c:546
> #5  0x00007f2181c0d282 in _PyObject_Call (tstate=0x7f215c00a090,
> callable=0x7f216a2c1c20, args=0x7f2169f92900,
>     kwargs=<optimized out>) at Objects/call.c:280
> #6  0x00007f2181c0d36f in PyObject_Call (callable=<optimized out>,
> args=<optimized out>, kwargs=<optimized out>)
>     at Objects/call.c:292
> #7  0x00007f2181bc1a53 in do_call_core (kwdict=0x7f212a1502c0,
> callargs=0x7f2169f92900, func=0x7f216a2c1c20, tstate=0x7f215c00a090)
>     at Python/ceval.c:5092
>
>
> Here is the basic code that I am running. I had to pull this out and strip
> off a lot before and after:
>
> ldap_conn = ldap.initialize('ldap://%s:%d' % (url,port))
> ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
> ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
> ldap_conn.bind_s(bind_u, pind_p)
>
> _______________________________________________
> python-ldap mailing list
> python-ldap at python.org
> https://mail.python.org/mailman/listinfo/python-ldap
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.python.org/pipermail/python-ldap/attachments/20220506/01d6bb6e/attachment-0001.html>

From william at blackhats.net.au  Sun May  8 20:44:23 2022
From: william at blackhats.net.au (William Brown)
Date: Mon, 9 May 2022 10:44:23 +1000
Subject: [python-ldap] Interesting Django, RHEL, openldap, python-ldap,
 oracle 19c client problem
In-Reply-To: <1550362224.2646403.1651714091355@mail.yahoo.com>
References: <1550362224.2646403.1651714091355.ref@mail.yahoo.com>
 <1550362224.2646403.1651714091355@mail.yahoo.com>
Message-ID: <483D5AF3-9A66-4605-9731-F8BA3418653A@blackhats.net.au>



> On 5 May 2022, at 11:28, Lance Ellinghaus via python-ldap <python-ldap at python.org> wrote:
> 
> I am having a very interesting problem with python-ldap, Django, and RHEL. I am hoping someone can help me.
> 
> I am running RHEL 7 with SELinux turned on, but in advisory mode only.
> I am running the Redhat provided httpd server version 2.4.6-97.el7_9.2
> I am running mod_wsgi compiled by me version 4.9.0
> There are 2 WSGI instances running on the httpd server. They are both in Daemon mode. One is 1 process/3 threads, the other is 2 processes/3 threads each.
> Running Python 3.9.0 compiled by myself. The Python 3.9.0 has its own copy of openssl and openldap and don't use the system provided ones.
> Running openssl version 1.1.1g and openldap version 2.6.1 with python-ldap version 3.4.0.
> Running Django version 3.2.9
> Running python-ldapdb 1.5.2
> Django is accessing Oracle 19c binaries as well.
> I have multiple DATABASE entries, 3x oracle and 1x ldap. Django is configured to use Oracle for the main repository.
> 
> 
> When running ./manage shell, I can use python-ldap without any issues. Pull data, etc. It all works well.
> When running from a Django view using the same calls, I get a segfault when python-ldap performs the bind_s() call.
> 
> Here is the top of the stack trace for the segfault:
> 
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7f216ba42700 (LWP 26161)]
> 0x00007f217ea832b1 in gslcctp_PutControls () from /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1
> (gdb) backtrace
> #0  0x00007f217ea832b1 in gslcctp_PutControls () from /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1
> #1  0x00007f217ea9a1b0 in gslcsa_SaslBind () from /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1
> #2  0x00007f217ea7b220 in ldap_sasl_bind () from /apps/oracle/product/19.0.0/client_1/lib/libclntsh.so.11.1
> #3  0x00007f216e23d6f9 in l_ldap_simple_bind (self=0x7f212a147cf0, args=<optimized out>) at Modules/LDAPObject.c:564
> #4  0x00007f2181c56acf in cfunction_call (func=0x7f216a2c1c20, args=<optimized out>, kwargs=<optimized out>)
>     at Objects/methodobject.c:546
> #5  0x00007f2181c0d282 in _PyObject_Call (tstate=0x7f215c00a090, callable=0x7f216a2c1c20, args=0x7f2169f92900,
>     kwargs=<optimized out>) at Objects/call.c:280
> #6  0x00007f2181c0d36f in PyObject_Call (callable=<optimized out>, args=<optimized out>, kwargs=<optimized out>)
>     at Objects/call.c:292
> #7  0x00007f2181bc1a53 in do_call_core (kwdict=0x7f212a1502c0, callargs=0x7f2169f92900, func=0x7f216a2c1c20, tstate=0x7f215c00a090)
>     at Python/ceval.c:5092
> 
> 


Because you didn't define a simple bind, it tries to fall back to sasl bind and then panics because there is no gssapi or sasl context setup.

You likely need to define a simple bind. 

> Here is the basic code that I am running. I had to pull this out and strip off a lot before and after:
> 
> ldap_conn = ldap.initialize('ldap://%s:%d' % (url,port))
> ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
> ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
> ldap_conn.bind_s(bind_u, pind_p)
> 
> _______________________________________________
> python-ldap mailing list
> python-ldap at python.org
> https://mail.python.org/mailman/listinfo/python-ldap

--
Sincerely,

William