[Pkg-openldap-devel] Bug#717614: pwdpolicy pwdAttribute: userPassword broken

Brian May brian at microcomaustralia.com.au
Tue Jul 23 00:53:04 UTC 2013


Package: slapd
Version: 2.4.31-1+nmu2

(note: some long command lines might be line-wrapped; hopefully this isn't
a big problem)


If I do the following on a clean wheezy chroot:

PS1='# '

# debconf-set-selections debconf.conf

# apt-get install slapd ldap-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libslp1 libwrap0
psmisc
Suggested packages:
  libmyodbc odbc-postgresql tdsodbc unixodbc-bin slpd openslp-doc
Recommended packages:
  libsasl2-modules tcpd
The following NEW packages will be installed:
  ldap-utils libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libslp1
libwrap0 psmisc slapd
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 3329 kB of archives.
After this operation, 7583 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://hq.in.vpac.org/debian/ wheezy/main libsasl2-2 amd64
2.1.25.dfsg1-6+deb7u1 [120 kB]
Get:2 http://hq.in.vpac.org/debian/ wheezy/main libldap-2.4-2 amd64
2.4.31-1+nmu2 [243 kB]
Get:3 http://hq.in.vpac.org/debian/ wheezy/main libwrap0 amd64 7.6.q-24
[62.4 kB]
Get:4 http://hq.in.vpac.org/debian/ wheezy/main libltdl7 amd64 2.4.2-1.1
[352 kB]
Get:5 http://hq.in.vpac.org/debian/ wheezy/main libodbc1 amd64 2.2.14p2-5
[252 kB]
Get:6 http://hq.in.vpac.org/debian/ wheezy/main libperl5.14 amd64 5.14.2-21
[1174 B]
Get:7 http://hq.in.vpac.org/debian/ wheezy/main libslp1 amd64 1.2.1-9 [50.8
kB]
Get:8 http://hq.in.vpac.org/debian/ wheezy/main psmisc amd64 22.19-1+deb7u1
[135 kB]
Get:9 http://hq.in.vpac.org/debian/ wheezy/main slapd amd64 2.4.31-1+nmu2
[1768 kB]
Get:10 http://hq.in.vpac.org/debian/ wheezy/main ldap-utils amd64
2.4.31-1+nmu2 [345 kB]
Fetched 3329 kB in 0s (16.1 MB/s)
Preconfiguring packages ...
Selecting previously unselected package libsasl2-2:amd64.
(Reading database ... 16497 files and directories currently installed.)
Unpacking libsasl2-2:amd64 (from
.../libsasl2-2_2.1.25.dfsg1-6+deb7u1_amd64.deb) ...
Selecting previously unselected package libldap-2.4-2:amd64.
Unpacking libldap-2.4-2:amd64 (from
.../libldap-2.4-2_2.4.31-1+nmu2_amd64.deb) ...
Selecting previously unselected package libwrap0:amd64.
Unpacking libwrap0:amd64 (from .../libwrap0_7.6.q-24_amd64.deb) ...
Selecting previously unselected package libltdl7:amd64.
Unpacking libltdl7:amd64 (from .../libltdl7_2.4.2-1.1_amd64.deb) ...
Selecting previously unselected package libodbc1:amd64.
Unpacking libodbc1:amd64 (from .../libodbc1_2.2.14p2-5_amd64.deb) ...
Selecting previously unselected package libperl5.14.
Unpacking libperl5.14 (from .../libperl5.14_5.14.2-21_amd64.deb) ...
Selecting previously unselected package libslp1.
Unpacking libslp1 (from .../libslp1_1.2.1-9_amd64.deb) ...
Selecting previously unselected package psmisc.
Unpacking psmisc (from .../psmisc_22.19-1+deb7u1_amd64.deb) ...
Selecting previously unselected package slapd.
Unpacking slapd (from .../slapd_2.4.31-1+nmu2_amd64.deb) ...
Selecting previously unselected package ldap-utils.
Unpacking ldap-utils (from .../ldap-utils_2.4.31-1+nmu2_amd64.deb) ...
Processing triggers for man-db ...
Setting up libsasl2-2:amd64 (2.1.25.dfsg1-6+deb7u1) ...
Setting up libldap-2.4-2:amd64 (2.4.31-1+nmu2) ...
Setting up libwrap0:amd64 (7.6.q-24) ...
Setting up libltdl7:amd64 (2.4.2-1.1) ...
Setting up libodbc1:amd64 (2.2.14p2-5) ...
Setting up libperl5.14 (5.14.2-21) ...
Setting up libslp1 (1.2.1-9) ...
Setting up psmisc (22.19-1+deb7u1) ...
Setting up slapd (2.4.31-1+nmu2) ...
  Creating initial configuration... done.
  Creating LDAP directory... done.
[ ok ] Starting OpenLDAP: slapd.
Setting up ldap-utils (2.4.31-1+nmu2) ...

# ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy1.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

# ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret <
slapd/ppolicy2.ldif
adding new entry "ou=People,dc=example,dc=org"

adding new entry "ou=Groups,dc=example,dc=org"

adding new entry "ou=policies,dc=example,dc=org"

adding new entry "cn=default,ou=policies,dc=example,dc=org"
ldap_add: Invalid syntax (21)
        additional info: pwdAttribute: value #0 invalid per syntax

It complains that it doesn't like:

pwdAttribute: userPassword

I have to change it to:

pwdAttribute: 2.5.4.35

Then it works. Once the default policy is loaded, I can change it back
again:

# ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret <
slapd/ppolicy2fixed.ldif
adding new entry "cn=default,ou=policies,dc=example,dc=org"

# ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy3.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config"

# ldapmodify -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret <
slapd/fixup.ldif
modifying entry "cn=default,ou=policies,dc=example,dc=org"


(This is a test chroot only, so, unfortunately, no, you can't
use slapdsecret to break into any of my production boxes.)


This makes it very difficult to import an LDAP LDIF file with ppolicy. You
have to kludge the data first, because it won't accept *any* entries with
pwdAttribute: userPassword until the default policy is installed
and configured, and the default policy is contained within the LDIF file
and won't install either because it also has pwdAttribute: userPassword.

The pwdAttribute appears to be required by the schema, so I can't leave it
out either.

As far as I can tell pwdAttribute: userPassword is supposed to be the
correct value.

The data files concerned:

# cat debconf.conf
mysql-server-5.5    mysql-server/root_password          string mysqlsecret
mysql-server-5.5    mysql-server/root_password_again    string mysqlsecret
slapd               shared/organization                 string example org
slapd               slapd/domain                        string example.org
slapd               slapd/password1                     string slapdsecret
slapd               slapd/password2                     string slapdsecret

# cat slapd/ppolicy.ldif
[ ppolicy schema file omitted ]

# cat slapd/ppolicy1.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: ppolicy.so
# cat slapd/ppolicy2.ldif
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit

dn: ou=Groups,dc=example,dc=org
objectClass: organizationalUnit

dn: ou=policies,dc=example,dc=org
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=example,dc=org
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword

# cat slapd/ppolicy2fixed.ldif
dn: cn=default,ou=policies,dc=example,dc=org
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: 2.5.4.35

# cat slapd/ppolicy3.ldif
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=org

# cat slapd/fixup.ldif
dn: cn=default,ou=policies,dc=example,dc=org
changetype: modify
replace: pwdAttribute
pwdAttribute: userPassword
-


For comparison, on a sid schroot (which has the same version of slapd, so
same results, no surprise here):


PS1='# '

# debconf-set-selections debconf.conf

# apt-get install slapd ldap-utils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2 libsasl2-modules
libslp1 psmisc
Suggested packages:
  libmyodbc odbc-postgresql tdsodbc unixodbc-bin libsasl2-modules-otp
libsasl2-modules-ldap libsasl2-modules-sql
  libsasl2-modules-gssapi-mit libsasl2-modules-gssapi-heimdal slpd
openslp-doc
The following NEW packages will be installed:
  ldap-utils libldap-2.4-2 libltdl7 libodbc1 libperl5.14 libsasl2-2
libsasl2-modules libslp1 psmisc slapd
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 3389 kB of archives.
After this operation, 7805 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://http.debian.net/debian/ sid/main libsasl2-modules amd64
2.1.25.dfsg1-13 [123 kB]
Get:2 http://http.debian.net/debian/ sid/main libsasl2-2 amd64
2.1.25.dfsg1-13 [109 kB]
Get:3 http://http.debian.net/debian/ sid/main libldap-2.4-2 amd64
2.4.31-1+nmu2 [243 kB]
Get:4 http://http.debian.net/debian/ sid/main libperl5.14 amd64 5.14.2-21
[1174 B]
Get:5 http://http.debian.net/debian/ sid/main libslp1 amd64 1.2.1-9 [50.8
kB]
Get:6 http://http.debian.net/debian/ sid/main libltdl7 amd64 2.4.2-1.3 [352
kB]
Get:7 http://http.debian.net/debian/ sid/main ldap-utils amd64
2.4.31-1+nmu2 [345 kB]
Get:8 http://http.debian.net/debian/ sid/main libodbc1 amd64 2.2.14p2-5
[252 kB]
Get:9 http://http.debian.net/debian/ sid/main psmisc amd64 22.20-1 [146 kB]
Get:10 http://http.debian.net/debian/ sid/main slapd amd64 2.4.31-1+nmu2
[1768 kB]
Fetched 3389 kB in 8s (382 kB/s)

Preconfiguring packages ...
Selecting previously unselected package libsasl2-modules:amd64.
(Reading database ... 17453 files and directories currently installed.)
Unpacking libsasl2-modules:amd64 (from
.../libsasl2-modules_2.1.25.dfsg1-13_amd64.deb) ...
Selecting previously unselected package libsasl2-2:amd64.
Unpacking libsasl2-2:amd64 (from .../libsasl2-2_2.1.25.dfsg1-13_amd64.deb)
...
Selecting previously unselected package libldap-2.4-2:amd64.
Unpacking libldap-2.4-2:amd64 (from
.../libldap-2.4-2_2.4.31-1+nmu2_amd64.deb) ...
Selecting previously unselected package libltdl7:amd64.
Unpacking libltdl7:amd64 (from .../libltdl7_2.4.2-1.3_amd64.deb) ...
Selecting previously unselected package libodbc1:amd64.
Unpacking libodbc1:amd64 (from .../libodbc1_2.2.14p2-5_amd64.deb) ...
Selecting previously unselected package libperl5.14.
Unpacking libperl5.14 (from .../libperl5.14_5.14.2-21_amd64.deb) ...
Selecting previously unselected package libslp1.
Unpacking libslp1 (from .../libslp1_1.2.1-9_amd64.deb) ...
Selecting previously unselected package psmisc.
Unpacking psmisc (from .../psmisc_22.20-1_amd64.deb) ...
Selecting previously unselected package slapd.
Unpacking slapd (from .../slapd_2.4.31-1+nmu2_amd64.deb) ...
Selecting previously unselected package ldap-utils.
Unpacking ldap-utils (from .../ldap-utils_2.4.31-1+nmu2_amd64.deb) ...
Processing triggers for man-db ...
Setting up libsasl2-modules:amd64 (2.1.25.dfsg1-13) ...
Setting up libsasl2-2:amd64 (2.1.25.dfsg1-13) ...
Setting up libldap-2.4-2:amd64 (2.4.31-1+nmu2) ...
Setting up libltdl7:amd64 (2.4.2-1.3) ...
Setting up libodbc1:amd64 (2.2.14p2-5) ...
Setting up libperl5.14 (5.14.2-21) ...
Setting up libslp1 (1.2.1-9) ...
Setting up psmisc (22.20-1) ...
Setting up slapd (2.4.31-1+nmu2) ...
  Creating initial configuration... done.
  Creating LDAP directory... done.
[ ok ] Starting OpenLDAP: slapd.
Setting up ldap-utils (2.4.31-1+nmu2) ...
Processing triggers for libc-bin ...

# ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy1.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

# ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret <
slapd/ppolicy2.ldif
adding new entry "ou=People,dc=example,dc=org"

adding new entry "ou=Groups,dc=example,dc=org"

adding new entry "ou=policies,dc=example,dc=org"

adding new entry "cn=default,ou=policies,dc=example,dc=org"
ldap_add: Invalid syntax (21)
        additional info: pwdAttribute: value #0 invalid per syntax

# ldapadd -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret <
slapd/ppolicy2fixed.ldif
adding new entry "cn=default,ou=policies,dc=example,dc=org"

# ldapadd -Y EXTERNAL -H ldapi:/// < slapd/ppolicy3.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config"

# ldapmodify -x -H ldapi:/// -D cn=admin,dc=example,dc=org -w slapdsecret <
slapd/fixup.ldif
modifying entry "cn=default,ou=policies,dc=example,dc=org"

-- 
Brian May <brian at microcomaustralia.com.au>
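The workaround the report walks through (add the policy with the OID in place of the name, configure the overlay, then ldapmodify the name back) can be scripted over a whole LDIF dump rather than hand-edited. The following Python is an added example, not code from the report or from the slapd package. It assumes the input is RFC 2849 LDIF (blank-line separated entries, leading-space continuation lines), takes the OID 2.5.4.35 for userPassword from the report and RFC 4519, and runs on a constructed sample rather than a real dump; the file names staged.ldif and fixup.ldif are arbitrary choices.

```python
"""Stage a ppolicy LDIF around the "pwdAttribute: value #0 invalid per syntax"
error: rewrite pwdAttribute to userPassword's OID for the initial ldapadd and
emit the ldapmodify LDIF that restores the name once the overlay is configured."""
import sys

# userPassword is 2.5.4.35 (RFC 4519); the OID form is what slapd accepted
# in the report. Extend the map if a policy names another password attribute.
ATTR_TO_OID = {"userpassword": "2.5.4.35"}

# Constructed sample input (not from the report): the ppolicy2.ldif policy plus
# a second policy whose pwdAttribute is folded over two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: ou=policies,dc=example,dc=org
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=example,dc=org
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword

# second policy, constructed for this example
dn: cn=strict,ou=policies,dc=example,dc=org
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPass
 word
pwdMinLength: 12
"""

def _unfold(text):
    """Yield logical lines, joining RFC 2849 continuation lines (leading space)."""
    pending = None
    for raw in text.splitlines():
        if raw.startswith(" ") and pending:
            pending += raw[1:]
            continue
        if pending is not None:
            yield pending
        pending = raw
    if pending is not None:
        yield pending

def parse_ldif(text):
    """Parse LDIF into entries: lists of (attr, value, is_base64), dn first.
    Comments are dropped; base64 values ('attr:: ...') stay as base64 text."""
    entries, entry = [], []
    for line in _unfold(text):
        if line == "":                      # blank line ends an entry
            if entry:
                entries.append(entry)
            entry = []
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        is_b64 = rest.startswith(":")
        entry.append((attr, rest[1:].strip() if is_b64 else rest.strip(), is_b64))
    if entry:
        entries.append(entry)
    return entries

def stage_for_import(entries):
    """Return (import_entries, fixup_entries): pwdPolicy entries with the OID
    substituted, and 'changetype: modify' records restoring the original names."""
    staged, fixups = [], []
    for entry in entries:
        classes = {v.lower() for a, v, _ in entry if a.lower() == "objectclass"}
        if "pwdpolicy" not in classes:
            staged.append(entry)            # non-policy entries pass through
            continue
        rewritten, originals = [], []
        for attr, value, b64 in entry:
            if attr.lower() == "pwdattribute" and value.lower() in ATTR_TO_OID:
                originals.append(value)
                rewritten.append((attr, ATTR_TO_OID[value.lower()], b64))
            else:
                rewritten.append((attr, value, b64))
        staged.append(rewritten)
        if originals:
            dn = next(v for a, v, _ in entry if a.lower() == "dn")
            fixups.append([("dn", dn, False), ("changetype", "modify", False),
                           ("replace", "pwdAttribute", False)]
                          + [("pwdAttribute", v, False) for v in originals])
    return staged, fixups

def format_ldif(entries):
    """Serialise entries; modify records get the trailing '-' ldapmodify expects."""
    blocks = []
    for entry in entries:
        lines = ["%s:%s %s" % (a, ":" if b64 else "", v) for a, v, b64 in entry]
        if any(a.lower() == "changetype" and v == "modify" for a, v, _ in entry):
            lines.append("-")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

if __name__ == "__main__":
    # usage: python stage_ppolicy.py [policies.ldif]; writes staged.ldif and fixup.ldif
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    staged, fixups = stage_for_import(parse_ldif(text))
    open("staged.ldif", "w").write(format_ldif(staged))   # ldapadd this first
    open("fixup.ldif", "w").write(format_ldif(fixups))    # ldapmodify after the overlay
```

The order of operations stays the same as in the report: ldapadd staged.ldif with the OID values, add the olcOverlay=ppolicy entry pointing olcPPolicyDefault at the default policy, then ldapmodify fixup.ldif. The transform is applied to every pwdPolicy entry, not only the default one, so a dump with several policies needs no hand edits; entries without objectClass pwdPolicy are copied through unchanged.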