openvpn-2.3.4
openvpn-auth-ldap-2.0.3_5
#console output
    /usr/local/etc/rc.d/openvpn start
    Starting openvpn.
    /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
# Log-file
    openvpn[76737]: OpenVPN 2.3.4 amd64-portbld-freebsd9.2 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 2 2014
    openvpn[76737]: library versions: OpenSSL 1.0.1g 7 Apr 2014, LZO 2.06
    openvpn[76737]: PLUGIN_INIT: POST /usr/local/lib/openvpn-auth-ldap.so '[/usr/local/lib/openvpn-auth-ldap.so] [/usr/local/etc/openvpn/ovpn-oldap.conf]' intercepted=PLUGIN_UP|PLUGIN_DOWN|PLUGIN_ROUTE_UP|PLUGIN_IPCHANGE|PLUGIN_TLS_VERIFY|PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT|PLUGIN_LEARN_ADDRESS|PLUGIN_CLIENT_CONNECT|PLUGIN_TLS_FINAL|PLUGIN_ENABLE_PF|PLUGIN_ROUTE_PREDOWN
    openvpn[76737]: PLUGIN_INIT: plugin initialization function failed: /usr/local/lib/openvpn-auth-ldap.so
    openvpn[76737]: Exiting due to fatal error
I tried to start openvpn + openvpn-auth-ldap on FreeBSD 10.0 amd64 and I've got the same error.
Environment:
    FreeBSD neptun 9.2-RELEASE-p6 FreeBSD 9.2-RELEASE-p6 #0 r265947M: Tue May 20 17:59:24 MSK 2014 root@neptun:/usr/obj/usr/src/sys/NEPTUN_KERNEL.20-05-2014 amd64
Make this a ports PR and assign.
It would appear to be an issue with openvpn-auth-ldap rather than openvpn, so I am reassigning this bug report and adding me to the Cc: for now.
Sean released the port, it's now unmaintained.
a.ulasov, please provide instructions to reproduce the problem.
Created attachment 145155 [details] How to reproduce the problem
Comment on attachment 145155 [details] How to reproduce the problem
Thank you. Can you get any details on the exact failure if you:
- run openvpn at higher verbosity?
- run openvpn under "truss -f" and watch it to the point where it complains about the ldap plugin failure?
Created attachment 145206 [details] openvpn output with extremely verbose level
Created attachment 145207 [details] truss output
I made two fixes to the port's build framework, but I cannot seem to debug the initialization methods with gdb 7; however, I'm not an Objective-C programmer. I do not know if the gazillions of +alloc warnings are relevant to your problem. Anyways, it does not look like the port would get to the point where it actually reads the LDAP configuration file. Sorry, I cannot help beyond this point.
The issue with debugging is: I am using devel/gcc, compiling openvpn-auth-ldap WITH_DEBUG=yes, and then using the testplugin program. I set a breakpoint on the initWithConfigFile: method, but GCC does not stop there. Perhaps this is wrong and I need to set the breakpoint on the newly alloc'd object, but I do not know how to do that.
OK, I dug a bit deeper. The problem appears to be that openvpn-auth-ldap's class hierarchy inherits from Object, and the newer clang/gcc (4.7+) stuff in FreeBSD no longer provides "deprecated" material such as the +alloc methods on Object. Instead, some other framework like GNUstep that provides, for instance, NSObject, has to be used. I'm not sure if there are lightweight alternatives; at any rate, I'm marking the port broken.
A fix for this issue is available: http://code.google.com/p/openvpn-auth-ldap/issues/detail?id=31
I have one success in using it. Unfortunately, my FreeBSD system is down. Could someone incorporate the patch into the port?
On Mon, Dec 29, 2014 at 4:58 AM, nindya_ayu_w@xxxxxx wrote:
> Hello again Sir,
>
> It's working again
> I did the step as you told me to
> It didn't work at first
> But then I comment out 'BROKEN' line in the port, and it running again
> Thank you for your help
>
>
> Best Regard
>
> Nindya
>
> ----- Original Message -----
> From: Scot Hetzel
> To: nindya ayu w
> Cc: FreeBSD Ports
> Sent: Sun, 28 Dec 2014 08:58:23 +0700 (WIB)
> Subject: Re: /security/openvpn-auth-ldap port
>
> On Sat, Dec 27, 2014 at 4:25 PM, nindya_ayu_w@xxxxxxx wrote:
>> Good day, Sir
>>
>> I need to use security/openvpn-auth-ldap port which is currently unavailable
>> Can you help me with this problem ?
>>
> http://code.google.com/p/openvpn-auth-ldap/issues/detail?id=31
>
> Try the patch in Comment #16: auth-ldap-gnustep.patch
>
> You will need to change --with-objc-runtime=GNU to
> --with-objc-runtime=modern in the port.
>
> Then copy the auth-ldap-gnustep.patch to
> files/patch-auth-ldap-gnustep. You would also need to remove
> files/patch-tests__Makefile.in, as the auth-ldap-gnustep.patch
> contains this fix.
>
> Also check out comment #22.
>
> I don't know if this will fix the issue on FreeBSD.
>
It does not suffice to add the patch (I used the one from https://code.google.com/p/openvpn-auth-ldap/issues/detail?id=31#c16) and to add USE_AUTOTOOLS=autoconf - the configure script then complains that it does not find a working runtime. Even if I remove the =GNU stuff. This needs assistance from someone skilled with Objective-C porting.
A commit references this bug:
Author: mandree
Date: Mon Jan 5 23:03:42 UTC 2015
New revision: 376369
URL: https://svnweb.freebsd.org/changeset/ports/376369
Log:
    Update to upstream SVN revision 1379 and refresh patches.
    Needs real-world testing, so is still marked BROKEN.
    If there are positive test results from reporter or third parties, the BROKEN can be removed.
    PR: 190497
Changes:
    head/security/openvpn-auth-ldap/Makefile
    head/security/openvpn-auth-ldap/distinfo
    head/security/openvpn-auth-ldap/files/patch-src_TRLocalPacketFilter.m
    head/security/openvpn-auth-ldap/files/patch-src_TRString.h
    head/security/openvpn-auth-ldap/files/patch-tests_Makefile.in
    head/security/openvpn-auth-ldap/files/patch-tests__Makefile.in
I have upgraded the port to SVN revision 1379, with assistance of bapt@ and Harrison Grundy. Note that the distcache files may not yet have propagated to the mirrors, this should happen in the next few hours. Since I do not have real-world LDAP, a.ulasov (or others), please test and report back if it works now. To build the port, you need to specify "make TRYBROKEN=yes" after upgrading.
added https://code.google.com/p/openvpn-auth-ldap/issues/detail?id=43 where I have uploaded the FreeBSD patches as of r376369 for the upstream to integrate.
(In reply to Matthias Andree from comment #15)
I've got an error when I try to start openvpn
#console output
    Starting openvpn.
    Assertion failed: (_limit - _cursor >= 0), function -[TRConfigLexer fill:], file TRConfigLexer.re, line 117.
    Abort trap (core dumped)
    /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
openvpn-2.3.6_1
openvpn-auth-ldap-2.0.4.0.s1379
Created attachment 151392 [details] backtrace backtrace openvpn.core
(In reply to a.ulasov from comment #17)
Can you post the output of:
    uname -a
    freebsd-version
    pkg info -R openvpn-auth-ldap
    pkg info -E re2c
Does your system have all ports upgraded? Are you building with poudriere, or live, or are you using pkg for binary packages?
The reason I am asking is that I have pasted the openvpn-auth-ldap.conf from your "How to reproduce the problem" attachment of 2014-07-30, on 9.3-RELEASE amd64 and I don't get a crash on OpenVPN start-up. I am using openldap24-client version 2.4.40_1, libobjc2 version 1.7_1, and I used re2c 0.13.6 for the build.
Notes:
1. I don't have FreeBSD 9.2 around any more, not sure if that makes any difference. FreeBSD 9.2 is no longer supported, I'm not sure if that causes your trouble.
2. In order to debug ports, you need to rebuild them and set WITH_DEBUG=yes on the make command line, your backtrace lacks most symbols. This would pertain to at least openvpn and openvpn-auth-ldap in your situation, and it would not hurt for libobjc2 either. (I specifically made another fix to openvpn-auth-ldap to make sure that the WITH_DEBUG=yes does what it is meant to do.)
(In reply to Matthias Andree from comment #19) I attached output. All my ports are updated. I've used ports not binary packages. I was advised to update system to 9.3 or newer. The reason is - "...The Objective-C runtime libraries changed some time ago, so the old auth-ldap 2.0.3 release no longer works because the new, lighter, run-time library lacks a few methods on the basic objects."
Created attachment 151467 [details] pkg_version_output
I tried to start openvpn on FreeBSD 9.3-RELEASE-p7, but unfortunately I've got the same error =(.
    /usr/local/etc/rc.d/openvpn start
    Starting openvpn.
    Assertion failed: (_limit - _cursor >= 0), function -[TRConfigLexer fill:], file TRConfigLexer.re, line 117.
    Abort trap (core dumped)
    /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
I rebuilt all dependent ports WITH_DEBUG=yes and attached new backtrace output. Also I attached OS and packages info.
Created attachment 151535 [details] backtrace_output
Created attachment 151536 [details] os_ports_info
(In reply to Matthias Andree from comment #15)
I have upgraded the port and installed the new one. But it seems that the new port doesn't create openvpn-auth-ldap.so, I can't find it in lib file. Can you help me?
(In reply to Nindya Ayu Wulansari from comment #25)
Sorry - I can't help you without further information. It certainly does create the .so file for me:
    $ tar -tJvf /usr/ports/packages/All/openvpn-auth-ldap-2.0.4.0.s1379.txz
    -rw-r--r-- 0 root wheel 937 1 Jan 1970 +COMPACT_MANIFEST
    -rw-r--r-- 0 root wheel 1706 1 Jan 1970 +MANIFEST
    -rwxr-xr-x 0 root wheel 223992 17 Jan 10:32 /usr/local/lib/openvpn-auth-ldap.so
    -rw-r--r-- 0 root wheel 222 17 Jan 10:32 /usr/local/share/licenses/openvpn-auth-ldap-2.0.4.0.s1379/catalog.mk
    -rw-r--r-- 0 root wheel 85 17 Jan 10:32 /usr/local/share/licenses/openvpn-auth-ldap-2.0.4.0.s1379/LICENSE
    -rw-r--r-- 0 root wheel 101 17 Jan 10:32 /usr/local/share/licenses/openvpn-auth-ldap-2.0.4.0.s1379/BSD3CLAUSE
    -rw-r--r-- 0 root wheel 981 17 Jan 10:32 /usr/local/share/doc/openvpn-auth-ldap/README
    -rw-r--r-- 0 root wheel 1252 17 Jan 10:32 /usr/local/share/examples/openvpn-auth-ldap/auth-ldap.conf
Please see questions above for what I need, for instance build logs, and also:
http://www.catb.org/esr/faqs/smart-questions.html
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
(In reply to a.ulasov from comment #23)
Thank you, this helps a bit. Now, the trouble seems to be in between your configuration file and the parser - and the latter is, in parts, generated code, from re2c (for the lexer) and lemon (for the parser).
What I have done is:
- download https://bugs.freebsd.org/bugzilla/attachment.cgi?id=145155
- make TRYBROKEN=1 WITH_DEBUG=yes
- cd `make -V WRKSRC`
- src/testplugin FILE-TO-YOUR_CONFIG
- src/testplugin auth-ldap.conf
This all works for me, both testplugin runs fail connecting to the LDAP server (because I do not have one, but the parsing is already done then).
Now, it appears that the configuration you have posted is not the one you are trying to use, and apparently something causes the lexer to read past somewhere it should not read. I am not sure how to tackle this, I'm certainly not prepared to debug generated code, and I'm not an Objective-C programmer.
Can you encrypt your original configuration to me and mail it directly? My GnuPG Key ID is 0xBE618339052E7D95, available on the key servers or in the FreeBSD handbook, mandree@FreeBSD.org. I can't promise anything beyond checking if testplugin can parse it for me, on FreeBSD 9.3 and 10.1.
(command line gpg -aer 0xBE618339052E7D95 your.conf, and mail me the resulting .asc file)
Created attachment 151796 [details] Make configure output
Created attachment 151797 [details] Make stage output
Created attachment 151798 [details] Make check-orphans output
Created attachment 151799 [details] pkg info and re2c output
(In reply to Matthias Andree from comment #26)
Here is my information
Make configure https://bugs.freebsd.org/bugzilla/attachment.cgi?id=151796
Make stage https://bugs.freebsd.org/bugzilla/attachment.cgi?id=151797
Make check-orphans https://bugs.freebsd.org/bugzilla/attachment.cgi?id=151798
Make package works as usual
Make TRYBROKEN=yes
Make install clean
Works as usual
But still, I can't find the openvpn-auth-ldap.so in /usr/lib and neither 'work' folder on the /usr/ports/.../openvpn-auth-ldap directory. Which I got them in the previous port version.
    FreeBSD ninvpnadm 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
How is it ?
(In reply to Nindya Ayu Wulansari from comment #32)
Sorry, I just got it. Now I have the new issue. My VPN won't start with this error on the log
    Sun Jan 18 16:17:27 2015 OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Dec 22 2014
    Sun Jan 18 16:17:27 2015 library versions: OpenSSL 1.0.1j-freebsd 15 Oct 2014, LZO 2.08
    Sun Jan 18 16:17:27 2015 PLUGIN_INIT: POST /usr/local/lib/openvpn-auth-ldap.so '[/usr/local/lib/openvpn-auth-ldap.so] [/usr/local/etc/openvpn/ldap-auth-siang.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
    Sun Jan 18 16:17:27 2015 Diffie-Hellman initialized with 2048 bit key
    Sun Jan 18 16:17:27 2015 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
    Sun Jan 18 16:17:27 2015 Socket Buffers: R=[65536->65536] S=[32768->65536]
    Sun Jan 18 16:17:27 2015 ROUTE_GATEWAY IP
    Sun Jan 18 16:17:27 2015 TUN/TAP device /dev/tun0 opened
    Sun Jan 18 16:17:27 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sun Jan 18 16:17:27 2015 /sbin/ifconfig tun0 IP IP mtu 1500 netmask 255.255.255.255 up
    Sun Jan 18 16:17:27 2015 /sbin/route add -net IP IP 255.255.255.0 add net IP: gateway IP
    Sun Jan 18 16:17:27 2015 Listening for incoming TCP connection on [undef]
    Sun Jan 18 16:17:27 2015 TCPv4_SERVER link local (bound): [undef]
    Sun Jan 18 16:17:27 2015 TCPv4_SERVER link remote: [undef]
    Sun Jan 18 16:17:27 2015 MULTI: multi_init called, r=256 v=256
    Sun Jan 18 16:17:27 2015 IFCONFIG POOL: base=IP size=62, ipv6=0
    Sun Jan 18 16:17:27 2015 IFCONFIG POOL LIST
    Sun Jan 18 16:17:27 2015 MULTI: TCP INIT maxclients=1024 maxevents=1028
    Sun Jan 18 16:17:27 2015 Initialization Sequence Completed
    Sun Jan 18 17:01:00 2015 /sbin/route delete -net IP IP 255.255.255.0 delete net 167.205.29.0: gateway IP
    Sun Jan 18 17:01:00 2015 Closing TUN/TAP interface
    Sun Jan 18 17:01:00 2015 /sbin/ifconfig tun0 destroy
    Sun Jan 18 17:01:00 2015 PLUGIN_CLOSE: /usr/local/lib/openvpn-auth-ldap.so
    Sun Jan 18 17:01:00 2015 SIGTERM[hard,] received, process exiting
    Sun Jan 18 17:03:55 2015 PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-ldap.so: Cannot open "/usr/local/lib/openvpn-auth-ldap.so"
    Sun Jan 18 17:03:55 2015 Exiting due to fatal error
Thank you
(How to delete post in here by the owner ?)
(In reply to Nindya Ayu Wulansari from comment #33)
You can't delete former comments.
From the log you posted in the latest comment, it does not look like a plugin error to me, but a trouble restarting it. Depending on your configuration, OpenVPN may have dropped privileges, and can then no longer access /usr/local/lib/openvpn-auth-ldap.so or more likely /usr/local/etc/openvpn/ovpn-oldap.conf. Chances are that it is misreporting the error.
There are 44 minutes between these two log lines:
    Sun Jan 18 16:17:27 2015 Initialization Sequence Completed
and
    Sun Jan 18 17:01:00 2015 /sbin/route delete -net IP IP 255.255.255.0 delete net 167.205.29.0: gateway IP
So is it hitting some timeout? LDAP timeout, or no client connecting, can you try to find that out?
(In reply to Matthias Andree from comment #34)
Sorry, I have no idea why the first log happen to be completed. My VPN doesn't start at all. And because of it, so there is no client connected. And when I try to start it again, it only shows this error
    Sun Jan 18 17:03:55 2015 PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-ldap.so: Cannot open "/usr/local/lib/openvpn-auth-ldap.so"
    Sun Jan 18 17:03:55 2015 Exiting due to fatal error
(In reply to Matthias Andree from comment #34)
I've figured it out. It's my FreeBSD configuration problem, it has crashed a bit when I reboot it. This port is working with no problem. I haven't tried it with an LDAP account yet because my port is still being closed by my admin, anyway. I will report it if I find any further error. Thanks
But maybe you should do something with this
    ===> making install in docs
    true /wrkdirs/usr/ports/security/openvpn-auth-ldap/work/stage/usr/local/lib/openvpn-auth-ldap.so
    /bin/mkdir -p /wrkdirs/usr/ports/security/openvpn-auth-ldap/work/stage/usr/local/share/doc/openvpn-auth-ldap
    install -o root -g wheel -m 0644 /wrkdirs/usr/ports/security/openvpn-auth-ldap/work/auth-ldap-2.0.4.0.s1379/README /wrkdirs/usr/ports/security/openvpn-auth-ldap/work/stage/usr/local/share/doc/openvpn-auth-ldap
    /bin/mkdir -p /wrkdirs/usr/ports/security/openvpn-auth-ldap/work/stage/usr/local/share/examples/openvpn-auth-ldap
    install -o root -g wheel -m 0644 /wrkdirs/usr/ports/security/openvpn-auth-ldap/work/auth-ldap-2.0.4.0.s1379/auth-ldap.conf /wrkdirs/usr/ports/security/openvpn-auth-ldap/work/stage/usr/local/share/examples/openvpn-auth-ldap
It's my previous problem where I said I can't find the plugin in /usr/local/lib. It installed the plugin in /wrkdirs/usr/ports/security/openvpn-auth-ldap/work/stage/usr/local/lib/openvpn-auth-ldap.so, so I need to copy it to /usr/local/lib manually
(In reply to Nindya Ayu Wulansari from comment #36)
You need to install the port after building it (unless you made special arrangements, run this as root):
    make install TRYBROKEN=1
Then it should be in the right place.
(In reply to Nindya Ayu Wulansari from comment #36) Details in https://www.freebsd.org/doc/handbook/ports-using.html
A commit references this bug:
Author: mandree
Date: Mon Jan 19 20:37:33 UTC 2015
New revision: 377475
URL: https://svnweb.freebsd.org/changeset/ports/377475
Log:
    Grab maintainership and unmark BROKEN.
    Bump PORTREVISION for the benefit of those that used TRYBROKEN=*.
    PR: 190497
Changes:
    head/security/openvpn-auth-ldap/Makefile
I think this concludes the bugfixing. r377475 (first to have PORTREVISION=1) now parses Mr. Ulasov's configuration file (provided outside this tracker) properly. The problem was that the configuration file lexer fell off the end of the mmap()ed input file due to CHECK_EOI bugs. I've simplified the code.
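
An added illustration of the bug class named in the closing comment (it is not the plugin's TRConfigLexer code and not from this tracker): a hand-written lexer over a buffer with no terminating NUL, as with an mmap()ed file, where an end-of-input check precedes every read so the cursor can never pass the limit. The token kinds, function names and sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

enum tok { TOK_EOI, TOK_WORD, TOK_STRING, TOK_ERROR };

struct lexer {
    const char *cursor;   /* next unread byte */
    const char *limit;    /* one past the last valid byte of the mapping */
};

/* Checked before every dereference; keeps the invariant cursor <= limit. */
static int at_eoi(const struct lexer *lx) { return lx->cursor >= lx->limit; }
static int is_space(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }

enum tok next_token(struct lexer *lx)
{
    for (;;) {   /* skip whitespace and # comments */
        while (!at_eoi(lx) && is_space(*lx->cursor)) lx->cursor++;
        if (at_eoi(lx) || *lx->cursor != '#') break;
        while (!at_eoi(lx) && *lx->cursor != '\n') lx->cursor++;
    }
    if (at_eoi(lx)) return TOK_EOI;
    if (*lx->cursor == '"') {
        lx->cursor++;                                  /* opening quote */
        while (!at_eoi(lx) && *lx->cursor != '"') lx->cursor++;
        if (at_eoi(lx)) return TOK_ERROR;              /* file ended inside the string */
        lx->cursor++;                                  /* closing quote */
        return TOK_STRING;
    }
    while (!at_eoi(lx) && !is_space(*lx->cursor) && *lx->cursor != '"') lx->cursor++;
    return TOK_WORD;
}

/* Lex exactly len bytes (no trailing NUL, as with an mmap()ed file).
 * Returns the token count, or -1 on a lexical error. */
int count_tokens(const char *buf, size_t len)
{
    struct lexer lx = { buf, buf + len };
    for (int n = 0;; n++) {
        enum tok t = next_token(&lx);
        if (t == TOK_EOI) return n;
        if (t == TOK_ERROR) return -1;
    }
}

/* Constructed inputs; the sized arrays deliberately have no terminating NUL. */
static const char cut_string[7] = { 'U','R','L',' ','"','a','b' };
static const char cut_comment[5] = { 'a',' ','#',' ','c' };

int main(void)
{
    printf("%d %d\n", count_tokens(cut_string, sizeof cut_string),
           count_tokens(cut_comment, sizeof cut_comment));
    return 0;
}
```

The two constructed inputs end mid-string and mid-comment, the places where a scanner that looks for a closing delimiter without checking the limit keeps reading into whatever follows the mapping.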