Xenial verification
Reproducing the error:
root@xenial-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: Password verification failed
And dmesg:
[qua jul 8 11:50:42 2020] audit: type=1400 audit(1594219843.513:405): apparmor="DENIED" operation="connect" namespace="root//lxd-xenial-openldap-saslauthd-1557157_<var-snap-lxd-common-lxd>" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=83468 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=1000112 ouid=1000000
With the updated packages, ldapsearch works:
root@xenial-openldap-saslauthd-1557157:~# apt-cache policy slapd
slapd:
  Installed: 2.4.42+dfsg-2ubuntu3.9
  Candidate: 2.4.42+dfsg-2ubuntu3.9
  Version table:
 *** 2.4.42+dfsg-2ubuntu3.9 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
...
root@xenial-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
SASL username: root
SASL SSF: 0
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example
dc: example
And no dmesg apparmor error.
Xenial verification succeeded.
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
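The AppArmor denial quoted in the verification above is the evidence the check hinges on: a DENIED "connect" by the /usr/sbin/slapd profile to /run/saslauthd/mux means SASL/PLAIN binds cannot reach saslauthd, and its absence after the update is the pass condition. As an added example (not part of this bug report or of the openldap package), here is a small Python parser for AppArmor audit records as dmesg prints them, with a filter for exactly that slapd-to-saslauthd denial. The sample lines are constructed: the first is the record from the verification, the other two are unrelated kernel and AppArmor status lines of the kind that normally sit next to it.

```python
import re

# One AppArmor audit record is a run of key=value tokens after the dmesg
# timestamp and the "audit: type=1400 audit(...):" prefix.  Values are either
# double-quoted (and may contain spaces, '=' or '<...>') or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Return the key=value fields of an audit record as a dict.

    The dmesg timestamp and the 'audit(...)' label carry no '=' and are
    skipped by the regex; quoted values are returned without their quotes.
    """
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_saslauthd_denial(fields: dict) -> bool:
    """True for a DENIED connect from the slapd profile to the saslauthd mux socket."""
    return (
        fields.get("apparmor") == "DENIED"
        and fields.get("operation") == "connect"
        and fields.get("profile") == "/usr/sbin/slapd"
        and fields.get("name") == "/run/saslauthd/mux"
    )


def saslauthd_denials(lines) -> list:
    """Parse every AppArmor record in `lines` and keep the slapd->saslauthd denials.

    Lines without an apparmor="..." field (ordinary kernel messages) are skipped
    before parsing.  An empty result is what a successful verification looks like.
    """
    hits = []
    for line in lines:
        if 'apparmor="' not in line:
            continue
        fields = parse_audit_record(line)
        if is_saslauthd_denial(fields):
            hits.append(fields)
    return hits


# Constructed sample: the denial from the verification plus two unrelated lines.
SAMPLE_DMESG = [
    '[qua jul 8 11:50:42 2020] audit: type=1400 audit(1594219843.513:405): '
    'apparmor="DENIED" operation="connect" '
    'namespace="root//lxd-xenial-openldap-saslauthd-1557157_<var-snap-lxd-common-lxd>" '
    'profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=83468 comm="slapd" '
    'requested_mask="wr" denied_mask="wr" fsuid=1000112 ouid=1000000',
    '[qua jul 8 11:50:43 2020] audit: type=1400 audit(1594219843.700:406): '
    'apparmor="STATUS" operation="profile_replace" profile="unconfined" '
    'name="/usr/sbin/slapd" pid=83470 comm="apparmor_parser"',
    '[qua jul 8 11:50:44 2020] eth0: link becomes ready',
]


if __name__ == "__main__":
    # Typical use: python3 this.py < <(dmesg)   (reads stdin if given, else the sample)
    import sys
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_DMESG
    for hit in saslauthd_denials(source):
        print(f'slapd denied {hit["denied_mask"]} on {hit["name"]} (pid {hit["pid"]})')
    if not saslauthd_denials(source):
        print("no slapd->saslauthd AppArmor denials found")
```

Feeding the function the output of dmesg (or `journalctl -k`) taken after the ldapsearch bind gives the same pass/fail signal the verification records by hand: one or more hits before the update, an empty list after it.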
https://bugs.launchpad.net/bugs/1866303
Title:
slapd crash with pwdAccountLockedTime and stacked overlays
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Committed
Status in openldap source package in Disco:
Won't Fix
Status in openldap source package in Eoan:
Fix Committed
Status in openldap package in Debian:
Fix Released
Bug description:
[Impact]
In the configuration and conditions described below, slapd can crash:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy
control
[Test Case]
* get the files from the bug:
mkdir slapd-test-case; cd slapd-test-case
wget -ct0 \
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf \
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif \
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema \
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script
* run the script:
sudo apt update && sudo sh ./script
* With the bug, the result is:
ldap_bind: Invalid credentials (49)
slapd dead
* If when confirming the bug you don't see "slapd dead" like above,
check manually, as slapd might have been in the process of shutting
down when the script checked its status: "sudo systemctl status slapd"
* With the fixed packages, you get a living slapd at the end (you can
run the script again on the same system after updating the packages):
sudo sh ./script
...
slapd running
ldap_bind: Invalid credentials (49)
slapd running
[Regression Potential]
The fix is in the password policy overlay (not enabled by default), so any
regressions would be around that area and could potentially impact
authentication ("binding") to openldap.
[Other Info]
This was fixed in focal and "cooked" there for a long while, as suggested by
the Debian maintainer. We haven't received further bug reports about this in
focal+.
[Original Description]
Hello,
Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an
issue in the ppolicy overlay that can crash slapd. Please also
consider SRUing the patch after it has had some testing time.
Upstream: https://openldap.org/its/?findid=9171
Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150
The ingredients for the crash are:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy
control
The buggy code is not as specific as the above steps, so I suspect
there are probably other configurations or steps that can trigger the
same crash.
I will attach my test script and data for reproducing the crash.
Expected output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd running
Actual output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd dead