Full_Name: Jan Synacek
Version: 2.4.39
OS:
URL: https://jsynacek.fedorapeople.org/openldap/jsynacek-20140908-fix-frontend-config.patch
Submission from: (NULL) (209.132.186.34)

The frontend database in slapd.ldif misses the olcFrontendConfig object class.

The slapd-config reads:

GLOBAL DATABASE OPTIONS
Options in this section may be set in the special "frontend" database and
inherited in all the other databases. These options may be altered by further
settings in each specific database. The frontend entry must be named
olcDatabase=frontend,cn=config and must have the olcFrontendConfig
objectClass.
jsynacek@redhat.com wrote:
> Full_Name: Jan Synacek
> Version: 2.4.39
> OS:
> URL: https://jsynacek.fedorapeople.org/openldap/jsynacek-20140908-fix-frontend-config.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> The frontend database in slapd.ldif misses the olcFrontendConfig object class.

Thanks, fixed in master.

> The slapd-config reads:
>
> GLOBAL DATABASE OPTIONS
> Options in this section may be set in the special "frontend" database and
> inherited in all the other databases. These options may be altered by further
> settings in each specific database. The frontend entry must be named
> olcDatabase=frontend,cn=config and must have the olcFrontendConfig
> objectClass.

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/
changed notes changed state Open to Test moved from Incoming to Build
changed notes changed state Test to Release
fixed in master fixed in RE25 fixed in RE24
changed notes changed state Release to Closed
Could this be the reason why I get `attribute 'olcPasswordHash' not allowed` when trying to apply an .ldif file such as:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {CRYPT}

This has popped up in Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=2061966) which seem to have copied the respective default frontend config file before this patch (see https://src.fedoraproject.org/rpms/openldap/blob/f37/f/slapd.ldif#_105).
(In reply to nilskemail+github from comment #6)
> Could this be the reason why I get `attribute 'olcPasswordHash' not allowed`
> when trying to apply an .ldif file such as:
>
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> add: olcPasswordHash
> olcPasswordHash: {CRYPT}
>
> This has popped up in Fedora
> (https://bugzilla.redhat.com/show_bug.cgi?id=2061966) which seem to have
> copied the respective default frontend config file before this patch (see
> https://src.fedoraproject.org/rpms/openldap/blob/f37/f/slapd.ldif#_105).

I'd open a bug with redhat as to why they're doing this at all. {CRYPT} hashes are not portable. If they want to support secure hashes, they should use the ARGON2 module.

You also fail to state what version of OpenLDAP you're reporting against. This bug was fixed in 2014, so unless RH is using an absolutely ancient version of OpenLDAP, this would not be related.

You probably should describe the issue(s) you are encountering in a post to the openldap-technical email list (https://lists.openldap.org)
On Thu, Jan 26, 2023 at 01:53:22PM +0000, openldap-its@openldap.org wrote:
> Could this be the reason why I get `attribute 'olcPasswordHash' not allowed`
> when trying to apply an .ldif file such as:
>
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> add: olcPasswordHash
> olcPasswordHash: {CRYPT}
>
> This has popped up in Fedora
> (https://bugzilla.redhat.com/show_bug.cgi?id=2061966) which seem to have copied
> the respective default frontend config file before this patch (see
> https://src.fedoraproject.org/rpms/openldap/blob/f37/f/slapd.ldif#_105).

As you suggest, this seems to be a Fedora packaging issue: them shipping an out of date ldif file where they might have been able to copy it from upstream source. Pretty sure in that case there's nothing that can be done on the OpenLDAP project side.

Someone might need to step up and help Fedora package maintainers deal with it if they say the existing team don't have the capacity.

Regards,
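
The requirement quoted from slapd-config at the top of this report can be checked mechanically before a slapd.ldif is shipped or loaded. The following Python lint is an added example, not part of the thread and not OpenLDAP or Fedora code; the function names and both LDIF samples are constructed for illustration.

```python
import re

# Constructed samples: a frontend entry without olcFrontendConfig, and one with it (folded line).
BROKEN = """\
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: frontend
"""
FIXED = """\
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFront
 endConfig
olcDatabase: {-1}frontend
"""

# Matches the plain and the ordered ({N}) spelling of the frontend DN.
FRONTEND_DN = re.compile(r"^olcdatabase=(\{-?\d+\})?frontend,cn=config$", re.I)

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; base64 ('::') values are not decoded."""
    text = re.sub(r"\r?\n ", "", text)  # unfold LDIF continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text):  # entries are separated by blank lines
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip comments and anything that is not "attr: value"
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def check_frontend(text):
    """Return problems found with the frontend entry; an empty list means OK."""
    problems, found = [], False
    for dn, attrs in parse_ldif(text):
        if not FRONTEND_DN.match(dn.replace(" ", "")):
            continue
        found = True
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        if "olcfrontendconfig" not in classes:
            problems.append(f"{dn}: missing objectClass olcFrontendConfig")
    if not found:
        problems.append("no olcDatabase=frontend,cn=config entry found")
    return problems
```

Run `check_frontend(open(path).read())` against a packaged slapd.ldif; a non-empty result means the frontend entry does not meet the documented requirement.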