enterprise-support team mailing list archive
Message #07026
[Bug 1742123] [NEW] obscure slapd configuration
Public bug reported:
Hi,

the OpenLDAP server slapd comes with two configuration options, the old
one based on slapd.conf, and a new one based on LDIFs.

The Debian/Ubuntu package performs some obscure magic to generate an LDIF
based config in /etc/slapd/slapd.d, but does not provide any hint or
documentation about how to change/adjust it. E.g. if the package was
installed non-interactively through puppet or ansible, it is not obvious
where the root password comes from or how to change it or how to
re-setup.

Furthermore it is a security gap to create something like

dn: dc=buero,dc=danisch,dc=de
objectClass: top
objectClass: dcObject
objectClass: organization
o: buero.danisch.de
dc: buero
structuralObjectClass: organization
entryUUID: 4f765744-85aa-1037-9ee9-1db94ae2a6d4
creatorsName: cn=admin,dc=buero,dc=danisch,dc=de
createTimestamp: 20180104145011Z
entryCSN: 20180104145011.817411Z#000000#000#000000
modifiersName: cn=admin,dc=buero,dc=danisch,dc=de
modifyTimestamp: 20180104145011Z

dn: cn=admin,dc=buero,dc=danisch,dc=de
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y=
structuralObjectClass: organizationalRole
entryUUID: 4f79fd9a-85aa-1037-9eea-1db94ae2a6d4
creatorsName: cn=admin,dc=buero,dc=danisch,dc=de
createTimestamp: 20180104145011Z
entryCSN: 20180104145011.841518Z#000000#000#000000
modifiersName: cn=admin,dc=buero,dc=danisch,dc=de
modifyTimestamp: 20180104145011Z

and

olcRootDN: cn=admin,dc=buero,dc=danisch,dc=de
olcRootPW:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y=

that contains an admin password without me ever having set it or having a
randomly generated one.

Since I do not see how to cleanly change this with ldapmodify, I do not
see an option to remove this all and restart with an old-style
slapd.conf.

regards

** Affects: openldap (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to openldap in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1742123
Title:
obscure slapd configuration
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1742123/+subscriptions
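
An added example, not part of the original report or of the openldap package: a Python audit helper that decodes the base64 ("::") password attributes quoted in the report, shows that userPassword and olcRootPW hold the same {SSHA} value, and builds or checks a replacement value in the same format. The function names and the cn=config DN in the sample are assumptions made for illustration.

```python
import base64, hashlib, hmac, os

# Hash values copied from the report; the cn=config DN is an assumed
# placeholder, since the report does not show which entry holds olcRootPW.
REPORT_LDIF = """\
dn: cn=admin,dc=buero,dc=danisch,dc=de
userPassword:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y=

dn: olcDatabase={1}mdb,cn=config
olcRootDN: cn=admin,dc=buero,dc=danisch,dc=de
olcRootPW:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y=
"""

def password_attrs(ldif):
    """Return [(dn, attribute, stored value)] for every password attribute."""
    found, dn = [], None
    for line in ldif.replace("\n ", "").splitlines():  # undo LDIF line folding
        name, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")                  # "attr:: " marks base64
        value = rest[1:].strip() if is_b64 else rest.strip()
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = value
        elif name.lower() in ("userpassword", "olcrootpw"):
            found.append((dn, name, value))
    return found

def split_ssha(stored):
    """'{SSHA}' + base64(SHA-1(password + salt) + salt) -> (digest, salt)."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[6:])
    return raw[:20], raw[20:]

def ssha_matches(stored, candidate):
    """True if candidate is the password behind a stored {SSHA} value."""
    digest, salt = split_ssha(stored)
    return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())

def make_ssha(password, salt=None):
    """Build a replacement value in the same format (4-byte salt, as in the report)."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def shared_credential(ldif):
    # True when every password attribute found carries the same stored hash.
    return len({value for _, _, value in password_attrs(ldif)}) == 1
```

Run over a `slapcat` export, `shared_credential` shows whether the packaging wrote one hash into both the directory entry and cn=config, and `ssha_matches` lets an administrator confirm whether a password they know (for example one preseeded at install time) is the one actually stored.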