group.of.nepali.translators team mailing list archive
Message #36230
[Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
This bug was fixed in the package openldap - 2.4.45+dfsg-1ubuntu1.6
---------------
openldap (2.4.45+dfsg-1ubuntu1.6) bionic; urgency=medium
[ Andreas Hasenack ]
* d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream
patch to fix slapd crashing in certain configurations when a client
attempts a login to a locked account. (LP: #1866303)
[ Sergio Durigan Junior ]
* d/apparmor-profile: Update apparmor profile to grant access to
the saslauthd socket, so that SASL authentication works. (LP: #1557157)
-- Andreas Hasenack <andreas@xxxxxxxxxxxxx> Wed, 01 Jul 2020 16:38:55 -0300
** Changed in: openldap (Ubuntu Bionic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1866303
Title:
slapd crash with pwdAccountLockedTime and stacked overlays
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Fix Committed
Status in openldap source package in Bionic:
Fix Released
Status in openldap source package in Disco:
Won't Fix
Status in openldap source package in Eoan:
Fix Released
Status in openldap package in Debian:
Fix Released
Bug description:
[Impact]
In the configuration and conditions described below, slapd can crash:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control
[Test Case]
* get the files from the bug:
mkdir slapd-test-case; cd slapd-test-case
wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script
* run the script:
sudo apt update && sudo sh ./script
* With the bug, the result is:
ldap_bind: Invalid credentials (49)
slapd dead
* If when confirming the bug you don't see "slapd dead" like above,
check manually, as slapd might have been in the process of shutting
down when the script checked its status: "sudo systemctl status slapd"
* With the fixed packages, you get a living slapd at the end (you can
run the script again on the same system after updating the packages):
sudo sh ./script
...
slapd running
ldap_bind: Invalid credentials (49)
slapd running
[Regression Potential]
The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap.
[Other Info]
This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+.
[Original Description]
Hello,
Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an
issue in the ppolicy overlay that can crash slapd. Please also
consider SRUing the patch after it has had some testing time.
Upstream: https://openldap.org/its/?findid=9171
Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150
The ingredients for the crash are:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control
The buggy code is not as specific as the above steps, so I suspect
there are probably other configurations or steps that can trigger the
same crash.
I will attach my test script and data for reproducing the crash.
Expected output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd running
Actual output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd dead
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions
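An added example, not part of the bug report or of the OpenLDAP or Ubuntu code: a Python check that reads a slapd.conf-style file and lists the database sections where smbk5pwd is configured after ppolicy, the overlay arrangement named in the report. It assumes "stacked after" corresponds to the order of the overlay directives within a section; the function names and the sample configuration are constructed for illustration.

```python
# Added example: constructed sample, not the slapd.conf attached to the bug.
SAMPLE_CONF = """\
moduleload ppolicy
moduleload smbk5pwd

database mdb
suffix "dc=example,dc=com"
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
overlay smbk5pwd

database mdb
suffix "dc=other,dc=example"
overlay smbk5pwd
overlay ppolicy
"""


def overlay_stacks(conf_text):
    """Return [(section label, [overlay names in configured order]), ...]."""
    stacks = [["global", []]]
    for raw in conf_text.splitlines():
        # Skip blanks, comments, and continuation lines (leading whitespace
        # continues the previous directive in slapd.conf).
        if not raw.strip() or raw.startswith("#") or raw[0].isspace():
            continue
        parts = raw.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "database" and arg:
            stacks.append(["database " + arg.split()[0], []])
        elif keyword == "suffix" and arg:
            stacks[-1][0] += " " + arg.strip('"')
        elif keyword == "overlay" and arg:
            stacks[-1][1].append(arg.split()[0].lower())
    return [(label, names) for label, names in stacks]


def matching_stacks(conf_text):
    """Sections where smbk5pwd is configured after ppolicy (assumed order rule)."""
    hits = []
    for label, names in overlay_stacks(conf_text):
        if "ppolicy" in names and "smbk5pwd" in names[names.index("ppolicy") + 1:]:
            hits.append(label)
    return hits


if __name__ == "__main__":
    for label in matching_stacks(SAMPLE_CONF):
        print("review overlay order and package version for:", label)
```

The check covers only the overlay order; the lockout setting and the locked account live in directory data, not in slapd.conf. The report also says other configurations may trigger the same crash, so an empty result does not replace installing the fixed package.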