Issue 7933 - [PATCH] fix frontend config
Summary: [PATCH] fix frontend config
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: build
Version: 2.4.39
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2014-09-08 11:37 UTC by jsynacek@redhat.com
Modified: 2023-04-07 21:10 UTC
Description jsynacek@redhat.com 2014-09-08 11:37:29 UTC
Full_Name: Jan Synacek
Version: 2.4.39
OS: 
URL: https://jsynacek.fedorapeople.org/openldap/jsynacek-20140908-fix-frontend-config.patch
Submission from: (NULL) (209.132.186.34)


The frontend database in slapd.ldif misses the olcFrontendConfig object class.

The slapd-config reads:

GLOBAL DATABASE OPTIONS
       Options in this section may be set in the special "frontend" database and
       inherited in all the other databases. These options may be altered by further
       settings in each specific database. The frontend entry must be named
       olcDatabase=frontend,cn=config and must have the olcFrontendConfig
       objectClass.
Comment 1 Howard Chu 2014-09-08 13:05:11 UTC
jsynacek@redhat.com wrote:
> Full_Name: Jan Synacek
> Version: 2.4.39
> OS:
> URL: https://jsynacek.fedorapeople.org/openldap/jsynacek-20140908-fix-frontend-config.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> The frontend database in slapd.ldif misses the olcFrontendConfig object class.

Thanks, fixed in master.

> The slapd-config reads:
>
> GLOBAL DATABASE OPTIONS
>         Options in this section may be set in the special "frontend" database and
> inherited in all the other databases. These options may be altered by further
> settings in each specific database. The  frontend  entry  must  be  named
>         olcDatabase=frontend,cn=config and must have the olcFrontendConfig
> objectClass.
>
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Howard Chu 2014-09-08 13:06:21 UTC
changed notes
changed state Open to Test
moved from Incoming to Build
Comment 3 Quanah Gibson-Mount 2014-09-08 16:37:41 UTC
changed notes
changed state Test to Release
Comment 4 OpenLDAP project 2014-10-23 07:28:33 UTC
fixed in master
fixed in RE25
fixed in RE24
Comment 5 Quanah Gibson-Mount 2014-10-23 07:28:33 UTC
changed notes
changed state Release to Closed
Comment 6 nilskemail+github 2023-01-26 13:53:22 UTC
Could this be the reason why I get `attribute 'olcPasswordHash' not allowed` when trying to apply an .ldif file such as:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {CRYPT}

This has popped up in Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=2061966) which seems to have copied the respective default frontend config file before this patch (see https://src.fedoraproject.org/rpms/openldap/blob/f37/f/slapd.ldif#_105).
Comment 7 Quanah Gibson-Mount 2023-01-26 15:11:31 UTC
(In reply to nilskemail+github from comment #6)
> Could this be the reason why I get `attribute 'olcPasswordHash' not allowed`
> when trying to apply an .ldif file such as:
> 
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> add: olcPasswordHash
> olcPasswordHash: {CRYPT}
> 
> This has popped up in Fedora
> (https://bugzilla.redhat.com/show_bug.cgi?id=2061966) which seem to have
> copied the respective default frontend config file before this patch (see
> https://src.fedoraproject.org/rpms/openldap/blob/f37/f/slapd.ldif#_105).

I'd open a bug with redhat as to why they're doing this at all. {CRYPT} hashes are not portable.  If they want to support secure hashes, they should use the ARGON2 module.

You also fail to state what version of OpenLDAP you're reporting against.  This bug was fixed in 2014, so unless RH is using an absolutely ancient version of OpenLDAP, this would not be related.  You probably should describe the issue(s) you are encountering in a post to the openldap-technical email list (https://lists.openldap.org)
Comment 8 Ondřej Kuzník 2023-01-31 12:53:27 UTC
On Thu, Jan 26, 2023 at 01:53:22PM +0000, openldap-its@openldap.org wrote:
> Could this be the reason why I get `attribute 'olcPasswordHash' not allowed`
> when trying to apply an .ldif file such as:
> 
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> add: olcPasswordHash
> olcPasswordHash: {CRYPT}
> 
> This has popped up in Fedora
> (https://bugzilla.redhat.com/show_bug.cgi?id=2061966) which seem to have copied
> the respective default frontend config file before this patch (see
> https://src.fedoraproject.org/rpms/openldap/blob/f37/f/slapd.ldif#_105).

As you suggest, this seems to be a Fedora packaging issue: them shipping
an out of date ldif file where they might have been able to copy it from
upstream source. Pretty sure in that case there's nothing that can be
done on the OpenLDAP project side.

Someone might need to step up and help Fedora package maintainers deal
with it if they say the existing team don't have the capacity.

Regards,
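
A check for the condition this issue describes, added here as an example and not part of the thread or of the OpenLDAP project's code: it parses a slapd.ldif-style content file and reports a frontend entry that lacks the olcFrontendConfig object class. The function names and sample entries are constructed for illustration, and only plain `attr: value` lines are handled.

```python
import re

FRONTEND_DN = re.compile(r"^olcDatabase=(\{-1\})?frontend,cn=config$", re.I)
# Attribute named in this thread that is only allowed with olcFrontendConfig.
NEEDS_FRONTEND_CLASS = {"olcpasswordhash"}

# Constructed samples: a frontend entry without and with the object class.
PRE_FIX = """\
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: frontend
"""
POST_FIX = PRE_FIX.replace(
    "olcDatabase: frontend", "objectClass: olcFrontendConfig\nolcDatabase: frontend")

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF into a list of {attr_lower: [values]}."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_frontend(text):
    """Return findings for the frontend database entry of a content LDIF."""
    frontends = [e for e in parse_ldif(text)
                 if "changetype" not in e  # skip change records
                 and FRONTEND_DN.match(e.get("dn", [""])[0].replace(" ", ""))]
    if not frontends:
        return ["no frontend content entry found"]
    findings = []
    for entry in frontends:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "olcfrontendconfig" not in classes:
            findings.append("frontend entry lacks objectClass olcFrontendConfig")
            for attr in sorted(NEEDS_FRONTEND_CLASS & entry.keys()):
                findings.append(
                    f"{attr} is present but not allowed without olcFrontendConfig")
    return findings
```

Running `check_frontend` over a packaged slapd.ldif before it is loaded shows whether the file predates this fix.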