Marc,
I tested these patches against two scenarios: 1) single node with
default configuration and phpldapadmin, 2) a two nodes scenario, 1 node
configures a relay and translucent proxy and connects to the second one
which has a default configuration. For details of each configuration
please see at the end.
Is there any specific configuration that you would like me to test?.
Best,
SCENARIO 1, this is a single node configuration running a default
configuration and phpldapadmin
#+BEGIN_SRC shell
sudo apt-get install -y slapd ldap-utils
sudo dpkg-reconfigure slapd
# Omit OpenLDAP server configuration? No
# DNS domain? ldap.example.com
# Organization name? example
# Administrator password? ubuntu
# Database backend to use? HDB
# Remove the database when slapd is purged? No
# Move old database? Yes
# Allow LDAPv2 protocol? No
sudo apt-get install -y phpldapadmin
sudo sed -i s/127.0.0.1/10.0.3.196/ /etc/phpldapadmin/config.php
sudo sed -i s/dc=example,dc.com/dc=ldap,dc=example,dc=com/
/etc/phpldapadmin/config.php
sudo service apache2 restart
cat <<EOF > /tmp/foo.ldif
dn: ou=People,dc=ldap,dc=example,dc=com
ou: People
description: All people
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=ldap,dc=example,dc=com
ou: Group
description: All groups
objectClass: top
objectClass: organizationalUnit
dn: uid=user1,ou=People,dc=ldap,dc=example,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}Az/RBEIomiu0c
shadowLastChange: 15192
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/users/user1
dn: cn=user1,ou=Group,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: user1
userPassword: {crypt}x
gidNumber: 1001
EOF
ldapadd -x -w ubuntu -D "cn=admin,dc=ldap,dc=example,dc=com" -f /tmp/foo.ldif
ldapsearch -x -w ubuntu -D "cn=admin,dc=ldap,dc=example,dc=com" -b
dc=ldap,dc=example,dc=com | tail -n1 | egrep -e '# numEntries: 6$' || echo
"ERROR adding ldif"
sensible-browser http://$IP/phpldapadmin
# login and check entries created with phpldapadmin
#+END_SRC
SCENARIO 2: this is a 2 nodes setup, one of the nodes configures a relay and a
translucent proxy.
node 1 config:
#+BEGIN_SRC shell
echo 10.0.3.240 ldap.example.com | sudo tee -a /etc/hosts # IP of node number
2
sudo apt-get install -y slapd ldap-utils
cat <<EOF > /etc/ldap/slapd.conf
pidfile /var/run/slapd.pid
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
modulepath /usr/lib/ldap
moduleload back_hdb.la
moduleload back_relay.la
moduleload back_ldap.la
moduleload rwm.la
moduleload translucent.la
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
access to attrs=userPassword by * auth
access to * by * read
backend hdb
backend relay
database hdb
directory /var/lib/ldap
suffix "dc=foo,dc=example,dc=com"
rootdn "cn=admin,dc=foo,dc=example,dc=com"
rootpw ubuntu
index objectClass eq
database relay
suffix "dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=foo,dc=example,dc=com"
overlay translucent
uri ldap://ldap.example.com
EOF
sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d
sudo chown -R openldap: /etc/ldap/slapd.d
sudo touch /var/run/slapd.pid
sudo chown openldap: /var/run/slapd.pid
sudo service slapd restart
#+END_SRC
node 2 (ldap.example.com) configuration:
#+BEGIN_SRC shell
sudo apt-get install -y slapd ldap-utils
# Omit OpenLDAP server configuration? No
# DNS domain? example.com
# Organization name? example
# Administrator password? ubuntu
# Database backend to use? HDB
# Remove the database when slapd is purged? No
# Move old database? Yes
# Allow LDAPv2 protocol? No
sudo service slapd restart
cat <<EOF > /tmp/enable-debug
# config
dn: cn=config
changetype: modify
replace:olcLogLevel
olcLogLevel: 7
EOF
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/enable-debug
# create a few records
cat <<EOF > /tmp/foo.ldif
dn: ou=People,dc=example,dc=com
ou: People
description: All people
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
description: All groups
objectClass: top
objectClass: organizationalUnit
dn: uid=user1,ou=People,dc=example,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}Az/RBEIomiu0c
shadowLastChange: 15192
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/users/user1
dn: cn=user1,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: user1
userPassword: {crypt}x
gidNumber: 1001
EOF
ldapadd -x -w ubuntu -D "cn=admin,dc=example,dc=com" -f /tmp/foo.ldif
#+END_SRC
Run on node 1 to check the relay is OK
#+BEGIN_SRC shell
ldapsearch -x -w ubuntu -D "cn=admin,dc=foo,dc=example,dc=com" -b
dc=example,dc=com | tail -n1 | egrep -e '# numEntries: 6$' || echo "ERROR
adding ldif"
#+END_SRC
** Branch linked: lp:~freyes/openldap/lp1446809
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1446809
Title:
[SRU] denial of service via an LDAP search query (CVE-2012-1164,
CVE-2013-4449, CVE-2015-1545)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1446809/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
