[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
This bug was fixed in the package openldap - 2.4.42+dfsg-2ubuntu3.9 --- openldap (2.4.42+dfsg-2ubuntu3.9) xenial; urgency=medium [ Andreas Hasenack ] * d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream patch to fix slapd crashing in certain configurations when a client attempts a login to a locked account. (LP: #1866303) [ Sergio Durigan Junior] * d/apparmor-profile: Update apparmor profile to grant access to the saslauthd socket, so that SASL authentication works. (LP: #1557157) -- Andreas Hasenack Wed, 01 Jul 2020 16:33:08 -0300 ** Changed in: openldap (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Released Status in openldap source package in Bionic: Fix Released Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Released Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
This bug was fixed in the package openldap - 2.4.45+dfsg-1ubuntu1.6 --- openldap (2.4.45+dfsg-1ubuntu1.6) bionic; urgency=medium [ Andreas Hasenack ] * d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream patch to fix slapd crashing in certain configurations when a client attempts a login to a locked account. (LP: #1866303) [ Sergio Durigan Junior ] * d/apparmor-profile: Update apparmor profile to grant access to the saslauthd socket, so that SASL authentication works. (LP: #1557157) -- Andreas Hasenack Wed, 01 Jul 2020 16:38:55 -0300 ** Changed in: openldap (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Released Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Released Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
This bug was fixed in the package openldap - 2.4.48+dfsg-1ubuntu1.2 --- openldap (2.4.48+dfsg-1ubuntu1.2) eoan; urgency=medium [ Andreas Hasenack ] * d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream patch to fix slapd crashing in certain configurations when a client attempts a login to a locked account. (LP: #1866303) [ Sergio Durigan Junior ] * d/apparmor-profile: Update apparmor profile to grant access to the saslauthd socket, so that SASL authentication works. (LP: #1557157) -- Andreas Hasenack Wed, 01 Jul 2020 16:43:06 -0300 ** Changed in: openldap (Ubuntu Eoan) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Released Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
Kopanocore armhf is the only persistent red, but this test/package is known to be flaky on armhf. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Committed Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
Eoan verification Reproducing the problem: Version table: *** 2.4.48+dfsg-1ubuntu1.1 500 500 http://br.archive.ubuntu.com/ubuntu eoan-updates/main amd64 Packages 500 http://br.archive.ubuntu.com/ubuntu eoan-security/main amd64 Packages 100 /var/lib/dpkg/status ubuntu@eoan-openldap-crash-1866303:~/slapd-test-case$ sudo sh ./script ... Closing DB... slapd running ldap_bind: Invalid credentials (49) slapd dead With the proposed packages: Version table: *** 2.4.48+dfsg-1ubuntu1.2 500 500 http://br.archive.ubuntu.com/ubuntu eoan-proposed/main amd64 Packages 100 /var/lib/dpkg/status slapd remains running: ubuntu@eoan-openldap-crash-1866303:~/slapd-test-case$ sudo sh ./script ... Closing DB... slapd running ldap_bind: Invalid credentials (49) slapd running Eoan verification succeeded. ** Tags removed: verification-needed-eoan ** Tags added: verification-done-eoan -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Committed Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
The asterisk DEP8 armhf test was retried and is now green. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Committed Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
Bionic verification Reproducing the bug: Version table: *** 2.4.45+dfsg-1ubuntu1.5 500 500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages 500 http://br.archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages 100 /var/lib/dpkg/status $ sudo sh ./script ... Closing DB... slapd running ldap_bind: Invalid credentials (49) slapd dead Updating to proposed: Version table: *** 2.4.45+dfsg-1ubuntu1.6 500 500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages 100 /var/lib/dpkg/status Now slapd remains running: $ sudo sh ./script ... Closing DB... slapd running ldap_bind: Invalid credentials (49) slapd running Bionic verification succeeded. ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Committed Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
Xenial verification (for real) Reproducing the bug: Version table: *** 2.4.42+dfsg-2ubuntu3.8 500 500 http://br.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages 500 http://br.archive.ubuntu.com/ubuntu xenial-security/main amd64 Packages 100 /var/lib/dpkg/status $ sudo sh ./script ... Closing DB... slapd running ldap_bind: Invalid credentials (49) slapd dead With the packages from proposed, slapd remains running: Version table: *** 2.4.42+dfsg-2ubuntu3.9 500 500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages 100 /var/lib/dpkg/status $ sudo sh ./script ... Closing DB... slapd running ldap_bind: Invalid credentials (49) slapd running Xenial verification succeeded. ** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Committed Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
I'm sorry, the above verification was for the other bug that this upload is fixing. ** Tags removed: verification-done-xenial ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Committed Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
Xenial verification Reproducing the error: root@xenial-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN SASL/PLAIN authentication started Please enter your password: ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: Password verification failed And dmesg: [qua jul 8 11:50:42 2020] audit: type=1400 audit(1594219843.513:405): apparmor="DENIED" operation="connect" namespace="root//lxd-xenial-openldap-saslauthd-1557157_" profile="/usr/sbin/slapd" name="/run/saslauthd/mux" pid=83468 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=1000112 ouid=100 With the updated packages, ldapsearch works: root@xenial-openldap-saslauthd-1557157:~# apt-cache policy slapd slapd: Installed: 2.4.42+dfsg-2ubuntu3.9 Candidate: 2.4.42+dfsg-2ubuntu3.9 Version table: *** 2.4.42+dfsg-2ubuntu3.9 500 500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages 100 /var/lib/dpkg/status ... root@xenial-openldap-saslauthd-1557157:~# ldapsearch -H ldapi:/// -LLL -b 'dc=example,dc=com' -s base -U root -Y PLAIN SASL/PLAIN authentication started Please enter your password: SASL username: root SASL SSF: 0 dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: example dc: example And no dmesg apparmor error. Xenial verification succeeded. ** Tags removed: verification-needed-xenial ** Tags added: verification-done-xenial -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Committed Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
Hello Ryan, or anyone else affected, Accepted openldap into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.48+dfsg- 1ubuntu1.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-eoan. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: openldap (Ubuntu Eoan) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-eoan ** Changed in: openldap (Ubuntu Bionic) Status: In Progress => Fix Committed ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Committed Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last line
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/386701 ** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/386702 ** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/386703 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: In Progress Status in openldap source package in Bionic: In Progress Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: In Progress Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
** Description changed: - [Impact] + [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control - [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" - * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system): - sudo add-apt-repository ppa:ahasenack/slapd-crash-bug-1866303 -y -u + * With the fixed packages, you get a living slapd at the end (you can + run the script again on the same system after updating the packages): + sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running - [Regression Potential] + [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. - [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: In Progress Status in openldap source package in Bionic: In Progress Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: In Progress Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
** Description changed: + [Impact] + In the configuration and conditions described below, slapd can crash: + + 1. ppolicy overlay configured with pwdLockout: TRUE + 2. smbk5pwd overlay stacked after ppolicy + 3. an account locked out via pwdAccountLockedTime + 4. a client binding to the locked-out account and also requesting the ppolicy control + + + [Test Case] + + * get the files from the bug: + mkdir slapd-test-case; cd slapd-test-case + wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script + + * run the script: + sudo apt update && sudo sh ./script + + * With the bug, the result is: + ldap_bind: Invalid credentials (49) + slapd dead + + * If when confirming the bug you don't see "slapd dead" like above, + check manually, as slapd might have been in the process of shutting down + when the script checked its status: "sudo systemctl status slapd" + + * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system): + sudo add-apt-repository ppa:ahasenack/slapd-crash-bug-1866303 -y -u + sudo sh ./script + ... + slapd running + ldap_bind: Invalid credentials (49) + slapd running + + [Regression Potential] + The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. + + [Other Info] + This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. + + + [Original Description] + Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: In Progress Status in openldap source package in Bionic: In Progress Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: In Progress Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system):
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
This fix was added to focal, and we haven't received any crash reports about it as far as I know, so I'm proceeding with the SRU for the other ubuntu releases. ** Changed in: openldap (Ubuntu Xenial) Status: New => In Progress ** Changed in: openldap (Ubuntu Xenial) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: openldap (Ubuntu Bionic) Status: New => In Progress ** Changed in: openldap (Ubuntu Bionic) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: openldap (Ubuntu Eoan) Status: New => In Progress ** Changed in: openldap (Ubuntu Eoan) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: In Progress Status in openldap source package in Bionic: In Progress Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: In Progress Status in openldap package in Debian: Fix Released Bug description: Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
** Changed in: openldap (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: New Status in openldap package in Debian: Fix Released Bug description: Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
We're no longer looking at backporting fixes for disco. This looks suitable for SRU so the other proposed series tasks are valid, and this is already in the server-next queue. ** Changed in: openldap (Ubuntu Disco) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: New Status in openldap package in Debian: Unknown Bug description: Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
This bug was fixed in the package openldap - 2.4.49+dfsg-2ubuntu1 --- openldap (2.4.49+dfsg-2ubuntu1) focal; urgency=medium * Merge with Debian unstable (LP: #1866303). Remaining changes: - Enable AppArmor support: - d/apparmor-profile: add AppArmor profile - d/rules: use dh_apparmor - d/control: Build-Depends on dh-apparmor - d/slapd.README.Debian: add note about AppArmor - Enable GSSAPI support: - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise): - Add --with-gssapi support - Make guess_service_principal() more robust when determining principal [Dropped the ldap_gssapi_bind_s() hunk as that is already - d/configure.options: Configure with --with-gssapi - d/control: Added heimdal-dev as a build depend - d/rules: - Explicitly add -I/usr/include/heimdal to CFLAGS. - Explicitly add -I/usr/lib//heimdal to LDFLAGS. - Enable ufw support: - d/control: suggest ufw. - d/rules: install ufw profile. - d/slapd.ufw.profile: add ufw profile. - Enable nss overlay: - d/rules: - add nssov to CONTRIB_MODULES - add sysconfdir to CONTRIB_MAKEVARS - d/slapd.install: - install nssov overlay - d/slapd.manpages: - install slapo-nssov(5) man page - d/{rules,slapd.py}: Add apport hook. - d/slapd.init.ldif: don't set olcRootDN since it's not defined in either the default DIT nor via an Authn mapping. - d/slapd.scripts-common: - add slapcat_opts to local variables. - Fix backup directory naming for multiple reconfiguration. - d/{slapd.default,slapd.README.Debian}: use the new configuration style. - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support in the openldap library, as required by Likewise-Open - Show distribution in version: - d/control: added lsb-release - d/patches/fix-ldap-distribution.patch: show distribution in version - d/libldap-2.4-2.symbols: Add symbols not present in Debian. - CLDAP (UDP) was added in 2.4.17-1ubuntu2 - GSSAPI support was enabled in 2.4.18-0ubuntu2 - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding Debian bug #919136, we also have to patch the nssov makefile accordingly and thus update this patch. openldap (2.4.49+dfsg-2) unstable; urgency=medium * slapd.README.Debian: Document the initial setup performed by slapd's maintainer scripts in more detail. Thanks to Karl O. Pinc. (Closes: #952501) * Import upstream patch to fix slapd crashing in certain configurations when a client attempts a login to a locked account. (ITS#9171) (Closes: #953150) -- Andreas Hasenack Fri, 06 Mar 2020 11:39:12 -0300 ** Changed in: openldap (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: New Status in openldap source package in Eoan: New Status in openldap package in Debian: Unknown Bug description: Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
** Merge proposal linked: https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/380368 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: In Progress Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: New Status in openldap source package in Eoan: New Status in openldap package in Debian: Unknown Bug description: Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
** Tags added: server-next -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: In Progress Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: New Status in openldap source package in Eoan: New Status in openldap package in Debian: Unknown Bug description: Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
** Also affects: openldap (Ubuntu Disco) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Eoan) Importance: Undecided Status: New ** Also affects: openldap (Ubuntu Bionic) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: In Progress Status in openldap source package in Xenial: New Status in openldap source package in Bionic: New Status in openldap source package in Disco: New Status in openldap source package in Eoan: New Status in openldap package in Debian: Unknown Bug description: Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
Thanks a lot for this Ryan, and awesome testing script! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: In Progress Status in openldap package in Debian: Unknown Bug description: Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1866303] Re: slapd crash with pwdAccountLockedTime and stacked overlays
** Changed in: openldap (Ubuntu) Status: New => In Progress ** Changed in: openldap (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: In Progress Status in openldap package in Debian: Unknown Bug description: Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp