Your message dated Sun, 19 Oct 2014 22:19:56 +0000 with message-id <[email protected]> and subject line Bug#723957: fixed in openldap 2.4.40-1 has caused the Debian Bug report #723957, regarding slapd: commented olcDbDirectory config line causes unusable system and potential data loss on upgrade to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
723957: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=723957
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: slapd
Version: 2.4.31-1+nmu2
Severity: critical
Justification: breaks the whole system

Additional Justification details:
- Breaks whole system: slapd is used to provide accounts -> no user accounts available -> system unusable.
- Data loss: database is physically on disk, but inaccessible due to upgraded software, slapd, slapcat, slapadd cannot use it.

The get_directory method used in several maint scripts contains a bug that causes it to return multiple lines of output if a commented olcDbDirectory line also exists in the configuration file.

The callers of get_directory use filesystem existence checks on the output of get_directory to determine whether to actually backup the database, and silently continue without backing up when multiple lines of output are returned.

Exact failure mode:
1) Begin upgrade
2) 2.4.23-7.3 prerm script doesn't perform any backups (as expected)
3) 2.4.31-1+nmu2 preinst attempts to backup, but silently skips backups due to above bug
4) 2.4.31-1+nmu2 is unpacked (database now inaccessible due to format mismatch)
5) 2.4.31-1+nmu2 postinst attempts to move old db directory (skips move silently due to same bug as above)
6) 2.4.31-1+nmu2 postinst attempts to import ldif backup (fails as no ldif backup exists)
7) dpkg exits with error, slapd is unusable and not easily recoverable, system unusable.

Output from step 3 and 4:

  Preparing to replace slapd 2.4.23-7.3 (using .../slapd_2.4.31-1+nmu2_i386.deb) ...
  Stopping OpenLDAP: slapd.
  Dumping to /var/backups/slapd-2.4.23-7.3:
  Unpacking replacement slapd ...

Note the expected output from line 178 of the preinst is not printed after the "Dumping... " line, this is because the check on line 176 of the preinst script returns false when presented with multi-line input in the $dbdir variable.

Output from steps 5, 6 and 7:

  Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.23-7.3... done.
  Moving old database directories to /var/backups:
  Loading from /var/backups/slapd-2.4.23-7.3:
  - directory dc=katalinabrown,dc=co,dc=nz... failed.
  Loading the database from the LDIF dump failed with the following error while running slapadd:
  /var/backups/slapd-2.4.23-7.3/dc=katalinabrown,dc=co,dc=nz.ldif: No such file or directory
  dpkg: error processing slapd (--configure):
  subprocess installed post-installation script returned error exit status 1
  Errors were encountered while processing:
  slapd
  E: Sub-process /usr/bin/dpkg returned an error code (1)

Again, the expected per suffix line is missing after the "Moving..." line, due to the check on line 384 of postinst returning false when presented with multi-line input in the $databasedir variable.

I believe the bug is found on line 293 of preinst and postinst:

  grep "olcDbDirectory:" `grep -l "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^ *//g'

the first grep is not anchored, so if a file contains content like:

  olcDbDirectory: "/var/lib/ldap"
  #olcDbDirectory: "/var/lib/ldap"

both paths are returned, and the subsequent checks of the return value cause the failures described above.

The following patch (anchoring the match to start of line) would be a minimal fix for this critical issue, but a more proper fix would be for the preinst to bail out if it is unable to actually backup a database that it knows to exist from the config!

--- slapd.preinst.orig 2013-09-21 16:59:18.000000000 +0100 +++ slapd.preinst 2013-09-21 16:58:25.000000000 +0100
@@ -290,7 +290,7 @@ get_directory() { # {{{ # Returns the db directory for a given suffix if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -q "$1" ; then - grep "olcDbDirectory:" `grep -l "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^ *//g' + grep "^olcDbDirectory:" `grep -l "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` | cut -d: -f 2 | sed 's/^ *//g' elif [ -f "${SLAPD_CONF}" ]; then # Extract the directory for the given suffix ($1) for f in `get_all_slapd_conf_files`; do

The same fix would need to be made in postinst, and wherever else this command is used.

Luckily, I'm testing this upgrade on my dev system... :)

-- System Information:
Debian Release: 6.0.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Shell: /bin/sh linked to /bin/dash

Versions of packages slapd depends on:
ii adduser 3.113+nmu3 add and remove users and groups
ii coreutils 8.13-3.5 GNU core utilities
ii debconf [debconf-2 1.5.49 Debian configuration management sy
ii libc6 2.13-38 Embedded GNU C Library: Shared lib
ii libdb5.1 5.1.29-5 Berkeley v5.1 Database Libraries [
ii libgcrypt11 1.5.0-5+deb7u1 LGPL Crypto library - runtime libr
ii libgnutls26 2.12.20-7 GNU TLS library - runtime library
ii libldap-2.4-2 2.4.31-1+nmu2 OpenLDAP libraries
ii libltdl7 2.4.2-1.1 A system independent dlopen wrappe
ii libodbc1 2.2.14p2-5 ODBC library for Unix
ii libperl5.14 5.14.2-21 shared Perl library
ii libsasl2-2 2.1.25.dfsg1-6+deb7u1 Cyrus SASL - authentication abstra
ii libslp1 1.2.1-9 OpenSLP libraries
ii libwrap0 7.6.q-24 Wietse Venema's TCP wrappers libra
ii lsb-base 4.1+Debian8+deb7u1 Linux Standard Base 4.1 init scrip
ii multiarch-support 2.13-38 Transitional package to ensure mul
ii perl [libmime-base 5.14.2-21 Larry Wall's Practical Extraction
ii psmisc 22.19-1+deb7u1 utilities that use the proc file s
ii unixodbc 2.2.14p2-5 Basic ODBC tools

Versions of packages slapd recommends:
ii libsasl2-modules 2.1.25.dfsg1-6+deb7u1 Cyrus SASL - pluggable authenticat

Versions of packages slapd suggests:
ii ldap-utils 2.4.31-1+nmu2 OpenLDAP utilities

-- debconf information:
  slapd/internal/adminpw: (password omitted)
* slapd/password1: (password omitted)
  slapd/internal/generated_adminpw: (password omitted)
* slapd/password2: (password omitted)
  slapd/allow_ldap_v2: false
  slapd/password_mismatch:
  slapd/invalid_config: true
  shared/organization: home.mattb.net.nz
* slapd/upgrade_slapcat_failure:
  slapd/no_configuration: false
  slapd/move_old_database: true
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/purge_database: false
  slapd/domain: home.mattb.net.nz
  slapd/backend: HDB
  slapd/dump_database: when needed
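
Review bot: In the `+` line of get_directory() only the outer grep is anchored; the inner `grep -l "olcSuffix: $1"` still matches a commented `#olcSuffix:` line or a longer suffix that merely contains $1, so more than one olcDatabase*.ldif file can be selected. With several file arguments grep prefixes each match with the file name, and `cut -d: -f 2` then returns the attribute name instead of the path, so the callers' directory test fails in the same silent way. Suggest anchoring the inner pattern as well (`^olcSuffix: $1$`), passing -h to the outer grep, and making get_directory fail loudly unless it yields exactly one existing directory. `cut -d: -f 2` also truncates any path that contains a colon.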
--- End Message ---
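
The failure mode described in the report above, reproduced as an added example (not code from the bug report or from the slapd maintainer scripts): the two lookups mirror the grep pipeline quoted in the report, run against a constructed cn=config fixture. The function names, the fixture, the suffix dc=example,dc=org and the require_single_dir guard are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; the fixture is constructed, not taken from a real system.

# Lookup as quoted in the report: the first grep is not anchored.
get_directory_unanchored() {   # $1 = config dir, $2 = suffix
    grep "olcDbDirectory:" `grep -l "olcSuffix: $2" "$1"/cn\=config/olcDatabase*.ldif` \
        | cut -d: -f 2 | sed 's/^ *//g'
}

# Same lookup with the start-of-line anchor proposed in the report.
get_directory_anchored() {     # $1 = config dir, $2 = suffix
    grep "^olcDbDirectory:" `grep -l "olcSuffix: $2" "$1"/cn\=config/olcDatabase*.ldif` \
        | cut -d: -f 2 | sed 's/^ *//g'
}

# Hypothetical guard: succeed only for exactly one existing directory,
# so a caller can abort instead of silently skipping the dump.
require_single_dir() {         # $1 = output of a lookup above
    [ -n "$1" ] || { echo "no database directory found" >&2; return 1; }
    [ "$(printf '%s\n' "$1" | grep -c '')" -eq 1 ] ||
        { echo "ambiguous database directory" >&2; return 1; }
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
}

# Build a throwaway cn=config tree with a live and a commented-out line.
make_fixture() {               # prints the fixture root
    fx=$(mktemp -d)
    mkdir -p "$fx/conf/cn=config" "$fx/db"
    cat > "$fx/conf/cn=config/olcDatabase={1}hdb.ldif" <<EOF
dn: olcDatabase={1}hdb
olcSuffix: dc=example,dc=org
olcDbDirectory: $fx/db
#olcDbDirectory: $fx/db
EOF
    echo "$fx"
}

root=$(make_fixture)
bad=$(get_directory_unanchored "$root/conf" "dc=example,dc=org")
good=$(get_directory_anchored "$root/conf" "dc=example,dc=org")
[ -d "$bad" ] || echo "unanchored: -d test is false, dump would be skipped silently"
require_single_dir "$bad" || echo "guard: aborting instead of continuing"
require_single_dir "$good" && echo "anchored: would dump $good"
rm -rf "$root"
```

The unanchored lookup returns the directory twice, one copy per line, so a plain `[ -d ... ]` test on it is false even though the database exists; the guard turns that case into an error the script can stop on.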
--- Begin Message ---
Source: openldap
Source-Version: 2.4.40-1

We believe that the bug you reported is fixed in the latest version of openldap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryan Tandy <[email protected]> (supplier of updated openldap package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 17 Oct 2014 08:19:28 -0700
Source: openldap
Binary: slapd slapd-smbk5pwd ldap-utils libldap-2.4-2 libldap-2.4-2-dbg libldap2-dev slapd-dbg
Architecture: source amd64
Version: 2.4.40-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <[email protected]>
Changed-By: Ryan Tandy <[email protected]>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.4-2 - OpenLDAP libraries
 libldap-2.4-2-dbg - Debugging information for OpenLDAP libraries
 libldap2-dev - OpenLDAP development libraries
 slapd - OpenLDAP server (slapd)
 slapd-dbg - Debugging information for the OpenLDAP server (slapd)
 slapd-smbk5pwd - Keeps Samba and Kerberos passwords in sync within slapd.
Closes: 465024 594711 599235 637996 640384 661641 666515 706123 723957 741248 742841 742862 745231 745356 750022 759596 760559 761406 761407 762111 762424
Changes:
 openldap (2.4.40-1) unstable; urgency=low
 .
   [ Ryan Tandy ]
   * New upstream release.
     - fixed ldap_get_dn(3) ldap_ava definition (ITS#7860) (Closes: #465024)
     - fixed slapcat with external schema (ITS#7895) (Closes: #599235)
     - fixed double free with invalid ciphersuite (ITS#7500) (Closes: #640384)
     - fixed modrdn crash on naming attr with no matching rule (ITS#7850) (Closes: #666515)
     - fixed slapacl causing unclean database (ITS#7827) (Closes: #741248)
   * slapd.scripts-common:
     - Anchor grep patterns to avoid matching commented lines in ldif files under cn=config. (Closes: #723957)
     - Don't silently ignore nonexistent directories that should be dumped.
     - Invoke find, chmod, and chown with -H in case /var/lib/ldap is a symlink. (Closes: #742862)
     - When upgrading a database, ignore extra nested directories as they might contain other databases. Patch from Kenny Millington. (LP: #1003854)
     - Fix dumping and reloading when multiple databases hold the same suffix, thanks Peder Stray. (Closes: #759596, LP: #1362481)
     - Remove trailing dot from slapd/domain. (Closes: #637996)
   * debian/rules:
     - Enable parallel building.
     - Copy libldap-2.4-2.shlibs into place manually, as a workaround for #676168. (Closes: #742841)
   * debian/slapd.README.Debian: Add a note about database format upgrades and the consequences of missing one. (Closes: #594711)
   * Build with GnuTLS 3 (Closes: #745231, #760559).
   * Drop debian/patches/fix-ftbfs-binutils-gold, no longer needed.
   * Drop debconf-utils from Build-Depends, no longer used (replaced by po-debconf). Thanks Johannes Schauer.
   * Acknowledge NMU fixing #729367, thanks to Michael Gilbert.
   * Offer the MDB backend as a choice during initial configuration. (Closes: #750022)
   * debian/slapd.init.ldif:
     - Disallow modifying one's own entry by default, except specific attributes. (Closes: #761406)
     - Index some more common search attributes by default. (Closes: #762111)
   * Introduce a symbols file for libldap-2.4-2.
   * debian/schema/pmi.schema: Add a copyright clarification.
     There does not appear to be any copyrighted text in this file, only ASN.1 assignments and LDAP schema definitions. Fixes a Lintian error on the original.
   * debian/schema/duaconf.schema: Strip Internet-Draft text from duaconf.schema.
   * Drop debian/patches/CVE-2013-4449.patch, applied upstream.
   * Update debian/patches/no-AM_INIT_AUTOMAKE with upstream changes.
   * debian/schema/ppolicy.schema: Update with ordering rules added in draft-behera-ldap-password-policy-11.
   * Suggest GSSAPI SASL modules. (Closes: #762424)
   * debian/patches/ITS6035-olcauthzregex-needs-restart.patch: Document in slapd-config.5 the fact that changes to olcAuthzRegexp only take effect after the server is restarted. (Closes: #761407)
   * Add myself to Uploaders.
 .
   [ Jelmer Vernooij ]
   * Depend on heimdal-multidev rather than heimdal-dev. (Closes: #745356, #706123)
 .
   [ Updated debconf translations ]
   * Turkish, thanks to Atila KOÇ <[email protected]>. (Closes: #661641)
--- End Message ---

