Hello Ryan, or anyone else affected, Accepted openldap into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.45 +dfsg-1ubuntu1.6 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: openldap (Ubuntu Xenial) Status: In Progress => Fix Committed ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays Status in openldap package in Ubuntu: Fix Released Status in openldap source package in Xenial: Fix Committed Status in openldap source package in Bionic: Fix Committed Status in openldap source package in Disco: Won't Fix Status in openldap source package in Eoan: Fix Committed Status in openldap package in Debian: Fix Released Bug description: [Impact] In the configuration and conditions described below, slapd can crash: 1. ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control [Test Case] * get the files from the bug: mkdir slapd-test-case; cd slapd-test-case wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script * run the script: sudo apt update && sudo sh ./script * With the bug, the result is: ldap_bind: Invalid credentials (49) slapd dead * If when confirming the bug you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd" * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages): sudo sh ./script ... slapd running ldap_bind: Invalid credentials (49) slapd running [Regression Potential] The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. [Other Info] This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. [Original Description] Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
