[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Global modules and cn=config



--On Thursday, February 20, 2014 5:26 PM -0800 Quanah Gibson-Mount <quanah@zimbra.com> wrote:

Unfortunately, the current cn=config design makes it essentially
impossible to use global modules.  For example, the pw-sha2 global module
for adding addtional hashing schemes cannot be used with cn=config.  This
is because the olcPasswordHash value is loaded up when cn=config is
bootstrapped, prior to loading the global module.  This means that the
value fails sanity checking, and slapd aborts.  See also ITS#7802.

Ideas on how to address this chicken and egg issue welcome. ;)

Simple way to reproduce:

ldapmodify -x -H ldapi:/// -D cn=config -W
dn: cn=module{0}, cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2.la


ldapmodify -x -H ldapi:/// -D cn=config -W
dn: cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA512}

After this point, things will work as long as you don't restart slapd. Once you restart slapd, slapd will abort because {SSHA512} is now no longer a known hash.

--Quanah



--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration