[Date Prev][Date Next] [Chronological] [Thread] [Top]

Security Deadlock?

To: openldap-technical@openldap.org
Subject: Security Deadlock?
From: suomi <anax@ayni.com>
Date: Tue, 26 Jun 2012 16:03:24 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1

Hi listers

this is on Fedora 17
running openldap-servers-2.4.31-2.fc17.x86_64

When trying to start slapd on this sysem, I run into the following deadlock:

1.
[root@myws ~]# systemctl status slapd.service
slapd.service - OpenLDAP Server Daemon
	  Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled)

Active: failed (Result: timeout) since Tue, 26 Jun 2012 14:23:02+0200; 16s agoProcess: 2531 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS}$SLAPD_OPTIONS (code=exited, status=0/SUCCESS)Process: 2467 ExecStartPre=/usr/libexec/openldap/check-config.sh(code=exited, status=0/SUCCESS)

	  CGroup: name=systemd:/system/slapd.service


When I checked /var/log/localmessages, I found

Jun 26 13:08:21 casablanca slapd[838]: ldif_read_file: checksum error on"/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"

I remembered, that this was exactly the file, where I had introduced theolcRootPW attribute for the cn=config subtree. So I removed theolcRootPW attribute from this file.


2.
Then I could start slapd, no problem.

3.

I tried to go into the cn=config subtree of the DIT on that slapdserver. I tried it withoud password, since I had removed the passwordfrom this subtree.


I got:
Return Code from Bind: 48

Message: LDAP_INAPPROPRIATE_AUTH: The server requires the client whichhad attempted to bind anonymously or

without supplying credentials to provide some form of credentials


4.

I tried to go into the cn=config subtree of the DIT on that slapd serverusing the password I had usually used at this point.


I got:
Return Code from Bind: 49

Message: LDAP_INVALID_CREDENTIALS: The wrong password was supplied orthe SASL credentials could not be processed


5.
I googled around and found the following:
...
Obvious approach:
  slapcat -n0 -F old/slapd.d > config.ldif
  edit config.ldif
  slapadd -n0 -F new/slapd.d -l config.ldif
  test using new/slapd.d
  deploy
...

which I followed because I thought that such a clever approach can comeonly from a clever openldap guy.


But when I tried to introduce the edited config.ldif into the DIT, I got

[root@myws /etc/openldap]# slapadd -n0 -F slapd.d -l /tmp/slapd.config.ldif
slapadd: could not add entry dn="cn=config" (line=1):

_ 1.03% eta none elapsed none spd4.5 M/s

Closing DB...
[root@myws /etc/openldap]#


6.

I am now at the point, that I cannot access the cn=config subtree,because I cannot define the password to access this subtree and because,to access that subtree, I need to have defined the appropriate password.Looks very much kin'o like a deadlock.

Is there anybody out there who knows how to circumvent this deadlock ordo I need to file a bug to openldap?


Thanks for your patience.

suomi

Follow-Ups:
- Re: Security Deadlock?
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

Prev by Date: Re: Strange TLS issue while upgrading from openldap 2.3 to 2.4
Next by Date: Re: Security Deadlock?
Index(es):
- Chronological
- Thread