Issue 7802 - Global overlays are unusable with cn=config
Summary: Global overlays are unusable with cn=config
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: 2.4.39
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2014-02-21 01:22 UTC by Quanah Gibson-Mount
Modified: 2014-08-01 21:03 UTC (History)
Description Quanah Gibson-Mount 2014-02-21 01:22:19 UTC
Full_Name: Quanah Gibson-Mount
Version: 2.4.39
OS: Linux 3.11
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.58.125)


Global overlays (such as pw-sha2 from contrib) are unusable with cn=config. 
This is because the module is loaded after the bootstrap of cn=config.ldif.

I.e., add the module as loaded:

olcModuleLoad: {7}pw-sha2.la to dn: cn=module{0}, cn=config

In cn=config.ldif, set:

olcPasswordHash: {SSHA512}

As long as slapd is not restarted, this works, because the module gets loaded,
and then the password hash gets set with the module loaded.

If you stop slapd and restart it, slapd will fail to load because it is loading
cn=config.ldif with the olcPasswordHash set to something it doesn't recognize
because it has not yet loaded the modules:

5306a920 >>> dnPrettyNormal: <cn=config>
=> ldap_bv2dn(cn=config,0)
<= ldap_bv2dn(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
5306a920 <<< dnPrettyNormal: <cn=config>, <cn=config>
5306a920 >>> dnNormalize: <cn=config>
=> ldap_bv2dn(cn=config,0)
<= ldap_bv2dn(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
5306a920 <<< dnNormalize: <cn=config>
5306a920 >>> dnNormalize: <cn=config>
=> ldap_bv2dn(cn=config,0)
<= ldap_bv2dn(cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=config)=0
5306a920 <<< dnNormalize: <cn=config>
5306a920 <= str2entry(cn=config) -> 0x1dd8008
5306a920 => test_filter
5306a920     PRESENT
5306a920 => access_allowed: search access to "cn=config" "objectClass" requested
5306a920 <= root access granted
5306a920 => access_allowed: search access granted by manage(=mwrscxd)
5306a920 <= test_filter 6
5306a920 olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({SSHA512})
5306a920 olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
5306a920 config error processing cn=config: <olcPasswordHash> no valid hashes found
5306a920 send_ldap_result: conn=-1 op=0 p=0
5306a920 send_ldap_result: err=80 matched="" text=""
5306a920 slapd destroy: freeing system resources.
5306a920 slapd stopped.
5306a920 connections_destroy: nothing to destroy.
Comment 1 Quanah Gibson-Mount 2014-02-21 02:04:15 UTC
--On Friday, February 21, 2014 1:22 AM +0000 quanah@OpenLDAP.org wrote:

> Full_Name: Quanah Gibson-Mount
> Version: 2.4.39
> OS: Linux 3.11
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (75.111.58.125)

steps to reproduce:

[zimbra@fishfood ~]$ ldapmodify -x -H ldapi:/// -D cn=config -w zimbra123
dn: cn=module{0}, cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {7}pw-sha2.la


[zimbra@fishfood config]$ ldapmodify -x -H ldapi:/// -D cn=config -w zimbra123
dn: cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA512}

--Quanah



--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Comment 2 Quanah Gibson-Mount 2014-07-25 14:07:32 UTC
changed notes
changed state Open to Closed
Comment 3 OpenLDAP project 2014-08-01 21:03:48 UTC
Configuration error, olcPasswordHash must appear under cn=frontend, cn=config
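A pre-restart check for the misplacement this issue was resolved with, added here as an example and not part of OpenLDAP: it parses a cn=config LDIF excerpt and reports any olcPasswordHash on cn=config that names a scheme slapd does not have built in, pointing at the frontend database entry instead. The built-in scheme list and the frontend DN olcDatabase={-1}frontend,cn=config are assumptions based on a standard 2.4 layout; the LDIF excerpt is constructed to mirror the report.

```python
# Schemes slapd resolves before any olcModuleLoad takes effect (assumed list;
# module-provided schemes such as {SSHA512} from pw-sha2 are deliberately absent).
BUILTIN_SCHEMES = {"{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{CLEARTEXT}"}
# Standard DN of the frontend database entry (assumed); the resolution above
# says olcPasswordHash belongs there rather than on cn=config.
FRONTEND_DN = "olcDatabase={-1}frontend,cn=config"

def parse_ldif(text):
    """Minimal LDIF parser -> list of (dn, {attr_lower: [values]}).
    Folded lines (leading space) and '#' comments are handled; base64 '::'
    values are kept raw, which is fine for the attributes inspected here."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip() == "":                 # blank line ends an entry
            if lines:
                entries.append(lines)
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    parsed = []
    for chunk in entries:
        attrs = {}
        for line in chunk:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        parsed.append((attrs.pop("dn", [""])[0], attrs))
    return parsed

def normalize_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()

def check_password_hash(ldif_text):
    """Return [(dn, [schemes slapd cannot resolve at bootstrap], suggested_dn)]
    for every olcPasswordHash on cn=config that names a non-built-in scheme."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        if normalize_dn(dn) != "cn=config":
            continue                            # frontend placement is fine
        for value in attrs.get("olcpasswordhash", []):
            missing = [s for s in value.split() if s.upper() not in BUILTIN_SCHEMES]
            if missing:
                findings.append((dn, missing, FRONTEND_DN))
    return findings

# Constructed excerpt mirroring the report: module loaded, hash set globally.
SAMPLE_CONFIG = """\
dn: cn=config
objectClass: olcGlobal
olcPasswordHash: {SSHA512}

dn: cn=module{0},cn=config
olcModuleLoad: {7}pw-sha2.la
"""
```

Run it against a dump of slapd.d before restarting slapd; an empty result means no global olcPasswordHash depends on a module that is loaded only after cn=config bootstrap.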