[Date Prev][Date Next] [Chronological] [Thread] [Top]

Security Deadlock?

Hi listers

this is on Fedora 17
running openldap-servers-2.4.31-2.fc17.x86_64

When trying to start slapd on this sysem, I run into the following deadlock:

[root@myws ~]# systemctl status slapd.service
slapd.service - OpenLDAP Server Daemon
	  Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)
Active: failed (Result: timeout) since Tue, 26 Jun 2012 14:23:02 +0200; 16s ago Process: 2531 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS) Process: 2467 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/slapd.service

When I checked /var/log/localmessages, I found

Jun 26 13:08:21 casablanca slapd[838]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"

I remembered, that this was exactly the file, where I had introduced the olcRootPW attribute for the cn=config subtree. So I removed the olcRootPW attribute from this file.

Then I could start slapd, no problem.

I tried to go into the cn=config subtree of the DIT on that slapd server. I tried it withoud password, since I had removed the password from this subtree.

I got:
Return Code from Bind: 48
Message: LDAP_INAPPROPRIATE_AUTH: The server requires the client which had attempted to bind anonymously or
without supplying credentials to provide some form of credentials

I tried to go into the cn=config subtree of the DIT on that slapd server using the password I had usually used at this point.

I got:
Return Code from Bind: 49
Message: LDAP_INVALID_CREDENTIALS: The wrong password was supplied or the SASL credentials could not be processed

I googled around and found the following:
Obvious approach:
  slapcat -n0 -F old/slapd.d > config.ldif
  edit config.ldif
  slapadd -n0 -F new/slapd.d -l config.ldif
  test using new/slapd.d
which I followed because I thought that such a clever approach can come only from a clever openldap guy.

But when I tried to introduce the edited config.ldif into the DIT, I got

[root@myws /etc/openldap]# slapadd -n0 -F slapd.d -l /tmp/slapd.config.ldif
slapadd: could not add entry dn="cn=config" (line=1):
_ 1.03% eta none elapsed none spd 4.5 M/s
Closing DB...
[root@myws /etc/openldap]#

I am now at the point, that I cannot access the cn=config subtree, because I cannot define the password to access this subtree and because, to access that subtree, I need to have defined the appropriate password. Looks very much kin'o like a deadlock.

Is there anybody out there who knows how to circumvent this deadlock or do I need to file a bug to openldap?

Thanks for your patience.