admin password set by debconf during install is not valid

Bug #66925 reported by Graham Williamson
Affects               Status        Importance  Assigned to  Milestone
openldap              Fix Released  Unknown
openldap2.2 (Ubuntu)  Fix Released  Undecided   Unassigned
Dapper                Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: slapd

The admin password entered during setup of the slapd package does not work. The workaround is to set the rootdn and rootpw in /etc/ldap/slapd.conf. After a look through the forums it appears that this is a known issue, however no bug report has been filed (that I could find).

This issue has been fixed upstream in slapd2.3.

Revision history for this message
In , Max Bowsher (maxb) wrote :

tags 347725 - patch
merge 347725 343113
thanks

It is true that the config/postinst script is causing an invalid
password to be stored in the directory, but not because of not using
slappasswd.

The perl snippet generates the same crypted password as slappasswd
would, but then bug #343113 interferes, and breaks things.

Max.

Revision history for this message
In , Max Bowsher (maxb) wrote : 343113 is serious

retitle 343113 admin password set via debconf is not correctly set in
the ldap directory
severity 343113 serious
thanks

I've increased the severity of this bug, because it affects every fresh
installation of the current etch/sid version, and creates a
hard-to-debug problem for someone new to slapd trying to set up the package.

The problem is as Marian Andre describes above - config maintainer
scripts are called twice, once at preconfigure time, once at postinst time.

Fortunately, the server denies binds with an empty password, so this
doesn't result in a security exposure.

A quick bugfix, if not very elegant, would be to simply not re-hash the
password if slapd/password1 == slapd/password2 == "" and
slapd/internal/adminpw != "".

One method for users to work around this until it is fixed is to
temporarily set a rootdn and rootpw in slapd.conf, to log on to the
directory to fix the broken password.

Max.

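Added example, not the Debian slapd maintainer script and not code from this bug report: a small POSIX shell simulation of the double invocation Max describes above. A flat key=value file stands in for the debconf database, hash_pw is a cksum stand-in for the perl crypt() snippet, and the model assumes the config script blanks slapd/password1 and slapd/password2 once it has hashed them (a simplification; the real script's details are not on this page). Running the config step twice shows why the stored value ends up being the hash of an empty password, and config_script_fixed applies the check Max proposes: skip re-hashing when both password questions are empty and slapd/internal/adminpw is already set.

```shell
#!/bin/sh
# Added example, not the Debian slapd maintainer script: a simulation of the
# config step being executed twice (preconfigure, then again from postinst).
# Assumptions: a flat key=value file stands in for the debconf database, and
# hash_pw is a cksum stand-in for the perl crypt() snippet in the real script.
set -eu

DB=$(mktemp)                      # constructed debconf stand-in
trap 'rm -f "$DB"' EXIT

# db_set KEY VALUE: store one value per key (replace if already present)
db_set() {
  tmp=$(mktemp)
  grep -v "^$1=" "$DB" > "$tmp" || true
  printf '%s=%s\n' "$1" "$2" >> "$tmp"
  cat "$tmp" > "$DB"
  rm -f "$tmp"
}

# db_get KEY: print the stored value, or nothing if the key was never set
db_get() {
  sed -n "s|^$1=||p" "$DB"
}

# hash_pw PASSWORD: deterministic stand-in for crypt(); NOT a real password hash
hash_pw() {
  printf '{SIM}%s' "$(printf '%s' "$1" | cksum | cut -d' ' -f1)"
}

# The unfixed flow: hash whatever slapd/password1 holds, then blank the
# cleartext questions (assumed: the real script clears them after use).
# On the second run password1 is already empty, so hash("") overwrites
# the hash of the password the administrator actually typed.
config_script_buggy() {
  pw=$(db_get slapd/password1)
  db_set slapd/internal/adminpw "$(hash_pw "$pw")"
  db_set slapd/password1 ""
  db_set slapd/password2 ""
}

# Max's proposed check: if both password questions are empty and an admin
# hash already exists, this is the second invocation; keep the stored hash.
config_script_fixed() {
  pw1=$(db_get slapd/password1)
  pw2=$(db_get slapd/password2)
  if [ -z "$pw1" ] && [ -z "$pw2" ] && [ -n "$(db_get slapd/internal/adminpw)" ]; then
    return 0
  fi
  db_set slapd/internal/adminpw "$(hash_pw "$pw1")"
  db_set slapd/password1 ""
  db_set slapd/password2 ""
}

# simulate_install SCRIPT PASSWORD: answer the debconf questions once, run the
# config script twice as dpkg does, and print the hash that would be loaded
# into the directory as the admin entry's userPassword.
simulate_install() {
  script=$1; pw=$2
  : > "$DB"
  db_set slapd/password1 "$pw"
  db_set slapd/password2 "$pw"
  "$script"   # preconfigure
  "$script"   # postinst
  db_get slapd/internal/adminpw
}

if [ $# -gt 0 ]; then
  echo "buggy: stored $(simulate_install config_script_buggy "$1"); hash of '' is $(hash_pw '')"
  echo "fixed: stored $(simulate_install config_script_fixed "$1"); hash of '$1' is $(hash_pw "$1")"
fi
```

Run as `sh sim.sh s3cret` to print both outcomes side by side. The real scripts talk to debconf through its confmodule and store a crypt hash; the simulation only reproduces the control flow that matters here, namely that a second, answer-less run must not overwrite the value produced by the first.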
Revision history for this message
In , Max Bowsher (maxb) wrote :

retitle 343113 admin password set via debconf is not correctly set in the ldap directory

Revision history for this message
In , Shawn Willden (shawn-willden) wrote : slapd: Can someone provide a workaround?

Package: slapd
Version: 2.2.26-5
Followup-For: Bug #343113

I was able to get to where I could start to use the
database by setting a rootdn and rootpw in slapd.conf,
but I'd like to correctly set the admin password in the
database. How do I do that?

Can someone post a detailed, step-by-step workaround to
this issue, until an actual fix is developed?

Thanks,

 Shawn.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15.1swsusp2
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages slapd depends on:
ii coreutils [fileutils] 5.94-1 The GNU core utilities
ii debconf 1.4.72 Debian configuration management sy
ii libc6 2.3.6-6 GNU C Library: Shared libraries
ii libdb4.2 4.2.52-24 Berkeley v4.2 Database Libraries [
ii libiodbc2 3.52.4-2 iODBC Driver Manager
ii libldap-2.2-7 2.2.26-5 OpenLDAP libraries
ii libltdl3 1.5.22-4 A system independent dlopen wrappe
ii libperl5.8 5.8.8-4 Shared Perl library
ii libsasl2 2.1.19.dfsg1-0.1 Authentication abstraction library
ii libslp1 1.2.1-5 OpenSLP libraries
ii libssl0.9.8 0.9.8a-8 SSL shared libraries
ii libwrap0 7.6.dbs-9 Wietse Venema's TCP wrappers libra
ii perl [libmime-base64-pe 5.8.8-4 Larry Wall's Practical Extraction
ii psmisc 22.2-1 Utilities that use the proc filesy

Versions of packages slapd recommends:
ii db4.2-util 4.2.52-24 Berkeley v4.2 Database Utilities
ii libsasl2-modules 2.1.19.dfsg1-0.1 Pluggable Authentication Modules f

-- debconf information excluded

Revision history for this message
In , Matthijs Mohlmann (matthijs) wrote : Bug#343113: fixed in openldap2.3 2.3.23-1

Source: openldap2.3
Source-Version: 2.3.23-1

We believe that the bug you reported is fixed in the latest version of
openldap2.3, which is due to be installed in the Debian FTP archive:

ldap-utils_2.3.23-1_i386.deb
  to pool/main/o/openldap2.3/ldap-utils_2.3.23-1_i386.deb
libldap-2.3-0_2.3.23-1_i386.deb
  to pool/main/o/openldap2.3/libldap-2.3-0_2.3.23-1_i386.deb
openldap2.3_2.3.23-1.diff.gz
  to pool/main/o/openldap2.3/openldap2.3_2.3.23-1.diff.gz
openldap2.3_2.3.23-1.dsc
  to pool/main/o/openldap2.3/openldap2.3_2.3.23-1.dsc
openldap2.3_2.3.23.orig.tar.gz
  to pool/main/o/openldap2.3/openldap2.3_2.3.23.orig.tar.gz
slapd_2.3.23-1_i386.deb
  to pool/main/o/openldap2.3/slapd_2.3.23-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthijs Mohlmann <email address hidden> (supplier of updated openldap2.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 13 May 2006 00:28:11 +0200
Source: openldap2.3
Binary: slapd ldap-utils libldap-2.3-0
Architecture: source i386
Version: 2.3.23-1
Distribution: unstable
Urgency: low
Maintainer: Debian OpenLDAP Maintainers <email address hidden>
Changed-By: Matthijs Mohlmann <email address hidden>
Description:
 ldap-utils - OpenLDAP utilities
 libldap-2.3-0 - OpenLDAP libraries
 slapd - OpenLDAP server (slapd)
Closes: 190165 195079 236097 294701 299100 301292 308416 308906 310282 310282 315158 319155 319596 319706 320739 327808 332053 335618 343113 347725 353877 353897 356554
Changes:
 openldap2.3 (2.3.23-1) unstable; urgency=low
 .
   [ Matthijs Mohlmann ]
   * New upstream release. (Closes: #308906, #310282, #353877, #335618, #315158)
     (Closes: #310282, #319155)
   * OpenLDAP checks database before starting up.
     (Closes: #190165, #195079, #294701, #308416)
   * move_old_database_away isn't called in a while loop anymore (which would
     kill debconf interaction) (Closes: #299100)
   * BDB_CONFIG file will be installed on new installations (Closes: #301292)
   * Move to dh_install.
   * Move to quilt patch system.
   * Fix manpage.
   * Make ldiftopasswd and fix_ldif executable. (fixes lintian warnings)
   * Wipe passwords after we created the initial configuration.
   * The config script is run twice, which causes the password in
     slapd/internal/adminpw to be empty. This fixes the issue with having an
     empty password in the ldap database. (Closes: #343113, #347725)
   * Added #DEBHELPER# token to fix a lintian warning.
   * bdb has changed between major versions, so dump the database and import it
     again for versions before 2.3.19.
   * Remove comments from debian/control (The out commented control information
     is actually in debian/control.dev)
   * Enable a...


Revision history for this message
Graham Williamson (gjwill) wrote :

Binary package hint: slapd

The admin password entered during setup of the slapd package does not work. The workaround is to set the rootdn and rootpw in /etc/ldap/slapd.conf. After a look through the forums it appears that this is a known issue, however no bug report has been filed (that I could find).

This issue has been fixed upstream in slapd2.3. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343113

description: updated
Changed in openldap:
status: Unknown → Fix Released
Revision history for this message
Steve Kowalik (stevenk) wrote :

This bug should be fixed by using openldap2.3 in Feisty, with openldap2.2 disappearing.

Changed in openldap2.2:
status: New → Fix Released
Revision history for this message
Soren Hansen (soren) wrote : Re: [Bug 66925] admin password set by debconf during install is not valid

On Tue, Jul 24, 2007 at 09:54:46AM -0000, Graham Williamson wrote:
> The admin password entered during setup of the slapd package does not
> work. The workaround is to set the rootdn and rootpw in
> /etc/ldap/slapd.conf. After a look through the forums it appears that
> this is a known issue, however no bug report has been filed (that I
> could find).
>
> This issue has been fixed upstream in slapd2.3.

a) Please elaborate "does not work"

b) If you have forum references, please supply them so we don't have to
dig through the forums.

 status incomplete

--
Soren Hansen
Ubuntu Server Team
http://www.ubuntu.com/

Changed in openldap2.3:
status: Fix Released → Incomplete
Revision history for this message
ChristianUlbrich (christian-ulbrich) wrote :

Well it is exactly like Steve said, the LDAP manager password which is queried by debconf during the install of slapd is simply not written to /etc/ldap/slapd.conf . Thus any authentication to the LDAP database with tools like ldap-account-manager will fail. Furthermore the base entries are also not written to the config file.

Revision history for this message
Soren Hansen (soren) wrote : Re: [Bug 66925] Re: admin password set by debconf during install is not valid

On Mon, Aug 27, 2007 at 01:52:37PM -0000, ChristianUlbrich wrote:
> Well it is exactly like Steve said, the LDAP manager password which is
> queried by debconf during the install of slapd is simply not written
> to /etc/ldap/slapd.conf.

No, it's written to the ldap database instead.

> Thus any authentication to the LDAP database with tools like
> ldap-account-manager will fail.

It works for me. Could you be a bit more specific about what precisely
doesn't work?

> Furthermore the base entries are also not written to the config file.

Indeed. We only add the root dn and the admin to the ldap. This is on
purpose.

--
Soren Hansen
Ubuntu Server Team
http://www.ubuntu.com/

Revision history for this message
Tony Abbott (t-abbott) wrote :

I have the same problem here with slapd 2.2.26-5ubuntu2.2 on Ubuntu 6.06.1 LTS. I am prompted for a password (and confirmation of the password) when installing the package, but this password does not work for the created admin user (cn=admin,dc=nodomain)

Using "strings" on id2entry.db I found and cracked the password that it stored for my admin user. Turns out it is a blank password. This is repeatable, happens every time I install the slapd package.

A workaround to get a usable directory:

The problem is that you cannot authenticate with a blank password. I get

ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed

To get around this, I added

rootdn "cn=admin,dc=nodomain"
rootpw "changeme"

to /etc/slapd.conf and restarted slapd. Then I used ldappasswd to set a new password for my admin user:

ldappasswd -x -D cn=admin,dc=nodomain -w changeme

Then I removed rootdn & rootpw from slapd.conf and restarted slapd again, and was able to continue with my new password.

-t

Revision history for this message
Mathias Gug (mathiaz) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. However, I am closing it because the bug has been fixed in the latest development version of Ubuntu - the Gutsy Gibbon.

It has been fixed in version 2.3.23-1.

I'm also nominating the bug to be fixed in dapper.

Changed in openldap2.3:
status: Incomplete → Fix Released
Revision history for this message
Mathias Gug (mathiaz) wrote :

I've added a debdiff that should fix the problem for dapper. I've extracted the change from debian svn repository.

Revision history for this message
Martin Pitt (pitti) wrote :

Diff looks good, approved for SRU. For SRU verification, please include some monkey-proof recipe for reproducing the error and checking the fix.

Changed in openldap2.2:
assignee: nobody → mathiaz
status: New → In Progress
Revision history for this message
Mathias Gug (mathiaz) wrote :

To reproduce the error, install the slapd package with a debconf priority of medium. Enter an admin password and then try to connect to the server with the ldapsearch command:
   ldapsearch -D cn=admin,dc=example,dc=com -x -w mypwd

You should get the following error:
  ldap_bind: Invalid credentials (49)

To check the new version:

Purge and install the new slapd and libldap-2.2 library with debconf priority of medium. Enter an admin password and then try to connect to the server with the ldapsearch command:
   ldapsearch -D cn=admin,dc=example,dc=com -x -w mypwd

You should be able to connect to the server correctly.

Revision history for this message
Mathias Gug (mathiaz) wrote :

I've attached a script that tests the fix. It should be run from a directory with the slapd and libldap packages:

$ ls
libldap-2.2-7_2.2.26-5ubuntu2.2_i386.deb
libldap-2.2-7_2.2.26-5ubuntu2.3_i386.deb
slapd_2.2.26-5ubuntu2.2_i386.deb
slapd_2.2.26-5ubuntu2.3_i386.deb
test_fix.sh

The domain should be example.com and admin password mypwd.

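Added example covering two things discussed in this report: Tony Abbott's workaround (temporarily adding rootdn/rootpw to slapd.conf, resetting the admin entry's password with ldappasswd, then removing the override) and the ldapsearch bind check Mathias Gug uses to reproduce the error and verify the fix. It is not the test_fix.sh attached above and not a maintainer script. The config path, DNs, base and passwords are parameters; the marker comment, the random temporary rootpw and the helper names are this example's own choices. The slapd.conf editing functions run anywhere; fix_admin_password needs root and a running slapd and is only invoked when four arguments are given.

```shell
#!/bin/sh
# Added example, not the test_fix.sh attached to this bug and not a maintainer
# script. Implements the slapd.conf override workaround and the ldapsearch
# bind check discussed in this report. Paths, DNs and passwords are parameters;
# the marker comment and helper names are this example's own choices.
set -eu

MARKER='# TEMP-ROOT-OVERRIDE (bug 66925 workaround, remove after use)'

# add_temp_root CONF DN PW: append a marked rootdn/rootpw block to CONF.
# rootpw also accepts a slappasswd hash ({SSHA}...); cleartext is used here
# because the value is throwaway and is removed again by remove_temp_root.
add_temp_root() {
  conf=$1; dn=$2; pw=$3
  if grep -qF "$MARKER" "$conf"; then
    echo "override already present in $conf" >&2
    return 1
  fi
  printf '%s\nrootdn "%s"\nrootpw "%s"\n' "$MARKER" "$dn" "$pw" >> "$conf"
}

# remove_temp_root CONF: drop the marker line and the two directives after it,
# leaving every other line untouched (written in place to keep mode/owner).
remove_temp_root() {
  conf=$1
  tmp=$(mktemp)
  awk -v m="$MARKER" '
    $0 == m  { skip = 2; next }
    skip > 0 { skip--; next }
    { print }
  ' "$conf" > "$tmp"
  cat "$tmp" > "$conf"
  rm -f "$tmp"
}

# count_rootpw CONF: number of rootpw directives; must be 0 once cleaned up.
count_rootpw() {
  grep -c '^rootpw' "$1" || true
}

# check_bind DN PW BASE: simple bind as DN. Exit status is ldapsearch's:
# 0 = success, 49 = Invalid credentials (what the bug produces with the
# password typed into debconf), 53 = Unwilling to perform (empty password).
check_bind() {
  ldapsearch -x -D "$1" -w "$2" -b "$3" -s base '(objectClass=*)' >/dev/null 2>&1
}

# fix_admin_password CONF DN BASE NEWPW: the full workaround. Needs root and
# a running slapd; the temporary rootpw is random and never leaves this process.
fix_admin_password() {
  conf=$1; dn=$2; base=$3; newpw=$4
  temppw=$(od -An -N12 -tx1 /dev/urandom | tr -d ' \n')
  add_temp_root "$conf" "$dn" "$temppw"
  invoke-rc.d slapd restart
  # Bound as rootdn, so slapd accepts overwriting the admin entry's (blank)
  # userPassword regardless of the ACLs in slapd.conf.
  ldappasswd -x -D "$dn" -w "$temppw" -s "$newpw" "$dn"
  remove_temp_root "$conf"
  invoke-rc.d slapd restart
  check_bind "$dn" "$newpw" "$base" && echo "bind as $dn OK"
}

if [ $# -eq 4 ]; then
  fix_admin_password "$@"
fi
```

Usage on an affected Dapper box would be `sh fix.sh /etc/ldap/slapd.conf cn=admin,dc=example,dc=com dc=example,dc=com mypwd`; run `check_bind` alone before and after the package upgrade to get the exit-code evidence the SRU recipe asks for (49 before, 0 after). Two caveats a practitioner will want: the rootpw override is a cleartext credential in a config file, so keep it short-lived and make sure remove_temp_root actually ran (count_rootpw should print 0), and note that the Debian package reads /etc/ldap/slapd.conf, the path named in the bug description, rather than /etc/slapd.conf.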
Revision history for this message
Martin Pitt (pitti) wrote :

Diff applied, package sponsored, accepted into dapper-proposed. Please test.

Changed in openldap2.2:
status: In Progress → Fix Committed
Revision history for this message
Adam Sommer (asommer) wrote :

Just wanted to report that I tested slapd_2.2.26-5ubuntu2.2_i386 and can confirm the bug.

I then tested Mathias' test script and the fix worked as advertised.

I've attached a text file of the last lines of output. The other output was masked by the configuration menu, and I wasn't sure how to capture it.

Please let me know if you need more information.

Thanks,
Adam

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Needs security fixes now.

Revision history for this message
Martin Pitt (pitti) wrote :

Mathias, please reapply the patch to the current security update in dapper.

Changed in openldap2.2:
status: Fix Committed → In Progress
Revision history for this message
Mathias Gug (mathiaz) wrote :

I've attached a new debdiff.

Revision history for this message
Mathias Gug (mathiaz) wrote :
Revision history for this message
Martin Pitt (pitti) wrote :

Sponsored and accepted into gutsy-proposed. Please test.

Changed in openldap2.2:
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Please apply the latest security patches for dapper (2.2.26-5ubuntu2.6).

Revision history for this message
Martin Pitt (pitti) wrote :

Setting back to 'in progress', since the -proposed version needs a reupload.

Changed in openldap2.2:
status: Fix Committed → In Progress
Revision history for this message
Mathias Gug (mathiaz) wrote :

I've uploaded a new version to dapper-proposed.

Revision history for this message
Mathias Gug (mathiaz) wrote :
Changed in openldap2.2:
assignee: mathiaz → nobody
Revision history for this message
Martin Pitt (pitti) wrote :

Accepted into dapper-proposed, please test.

Changed in openldap2.2:
status: In Progress → Fix Committed
Revision history for this message
Brian Murray (brian-murray) wrote :

Using slapd package version 2.2.26-5ubuntu2.6 I was able to recreate this bug. After freshly installing slapd package version 2.2.26-5ubuntu2.7 I was able to connect using the password I specified during the package installation process.

Revision history for this message
Martin Pitt (pitti) wrote :

Copied to dapper-updates.

Changed in openldap2.2:
status: Fix Committed → Fix Released