Security Deadlock?
Hi listers
this is on Fedora 17
running openldap-servers-2.4.31-2.fc17.x86_64
When trying to start slapd on this system, I run into the following deadlock:
1.
[root@myws ~]# systemctl status slapd.service
slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)
Active: failed (Result: timeout) since Tue, 26 Jun 2012 14:23:02 +0200; 16s ago
Process: 2531 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
Process: 2467 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/slapd.service
When I checked /var/log/localmessages, I found
Jun 26 13:08:21 casablanca slapd[838]: ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
I remembered that this was exactly the file where I had introduced the
olcRootPW attribute for the cn=config subtree. So I removed the
olcRootPW attribute from this file.
2.
Then I could start slapd, no problem.
3.
I tried to go into the cn=config subtree of the DIT on that slapd
server. I tried it without password, since I had removed the password
from this subtree.
I got:
Return Code from Bind: 48
Message: LDAP_INAPPROPRIATE_AUTH: The server requires the client which
had attempted to bind anonymously or without supplying credentials to
provide some form of credentials
4.
I tried to go into the cn=config subtree of the DIT on that slapd server
using the password I had usually used at this point.
I got:
Return Code from Bind: 49
Message: LDAP_INVALID_CREDENTIALS: The wrong password was supplied or
the SASL credentials could not be processed
5.
I googled around and found the following:
...
Obvious approach:
slapcat -n0 -F old/slapd.d > config.ldif
edit config.ldif
slapadd -n0 -F new/slapd.d -l config.ldif
test using new/slapd.d
deploy
...
which I followed because I thought that such a clever approach can come
only from a clever openldap guy.
But when I tried to introduce the edited config.ldif into the DIT, I got
[root@myws /etc/openldap]# slapadd -n0 -F slapd.d -l /tmp/slapd.config.ldif
slapadd: could not add entry dn="cn=config" (line=1):
_ 1.03% eta none elapsed none spd 4.5 M/s
Closing DB...
[root@myws /etc/openldap]#
6.
I am now at the point that I cannot access the cn=config subtree,
because I cannot define the password to access this subtree and because,
to access that subtree, I need to have defined the appropriate password.
Looks very much kind of like a deadlock.
Is there anybody out there who knows how to circumvent this deadlock or
do I need to file a bug to openldap?
Thanks for your patience.
suomi
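The "ldif_read_file: checksum error" above is the key to the whole chain: slapd protects each file under slapd.d with a checksum header, so a hand edit of olcDatabase={0}config.ldif breaks the file even when the LDIF itself is valid. The following script is an added example, not code from the post or from the OpenLDAP project. It rests on my reading of OpenLDAP's back-ldif code, which I state here as assumptions: a file written by slapd or slapadd begins with the line "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify." followed by "# CRC32 xxxxxxxx", the eight hex digits are the standard CRC-32 (the same algorithm as zlib.crc32) of every byte after that second line, and a file without the header is read without a checksum check. The sample LDIF body and the olcRootPW value are constructed for the example.

```python
"""Diagnose the slapd.d checksum header that hand edits break.

Added example, not from the mailing-list post or the OpenLDAP sources.
Assumptions (my reading of OpenLDAP back-ldif, ldif_read_file):
  line 1: "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify."
  line 2: "# CRC32 <8 hex digits>"
  the CRC is standard CRC-32 (as zlib.crc32) over all bytes after line 2,
  and a file with no such header is loaded without a checksum check.
"""
import zlib

AUTO_HEADER = "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify."
CRC_PREFIX = "# CRC32 "


def crc32_of(body: str) -> int:
    """Standard CRC-32; assumed to match OpenLDAP's lutil_crc32."""
    return zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF


def split_header(text: str):
    """Return (recorded_crc, body).

    recorded_crc is None when the second line is not a '# CRC32 ' line,
    in which case the whole text is returned as the body.
    """
    lines = text.split("\n", 2)
    if len(lines) == 3 and lines[1].startswith(CRC_PREFIX):
        hexval = lines[1][len(CRC_PREFIX):].strip()
        return int(hexval, 16), lines[2]
    return None, text


def check_file(text: str) -> str:
    """Classify a slapd.d LDIF file the way slapd is assumed to react."""
    recorded, body = split_header(text)
    if recorded is None:
        return "no-checksum-header"
    return "ok" if crc32_of(body) == recorded else "checksum-error"


def make_generated(body: str) -> str:
    """Build a file in the shape slapd writes: both header lines, then body."""
    return f"{AUTO_HEADER}\n{CRC_PREFIX}{crc32_of(body):08x}\n{body}"


# Constructed sample: a minimal cn=config database entry, not a real file.
SAMPLE_BODY = """dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
structuralObjectClass: olcDatabaseConfig
"""

# What slapd itself would have written for that body.
GENERATED = make_generated(SAMPLE_BODY)

# The same file after a hand edit appends olcRootPW but leaves the header
# untouched: the body no longer matches the recorded CRC. The hash value is
# a constructed placeholder, not a real password hash.
HAND_EDITED = GENERATED + "olcRootPW: {SSHA}PLACEHOLDER-NOT-A-REAL-HASH\n"

if __name__ == "__main__":
    print("generated  :", check_file(GENERATED))    # ok
    print("hand-edited:", check_file(HAND_EDITED))  # checksum-error
    print("headerless :", check_file(SAMPLE_BODY))  # no-checksum-header
```

Run it against a real file with `check_file(open(path).read())` to confirm whether a "checksum error" in the log really comes from a stale header. The supported ways to change cn=config, ldapmodify against the live server or the slapcat/slapadd round trip quoted in step 5, rewrite the header for you; editing the file under slapd.d by hand never does.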