** Description changed: + [Impact] + In the configuration and conditions described below, slapd can crash: + + 1. ppolicy overlay configured with pwdLockout: TRUE + 2. smbk5pwd overlay stacked after ppolicy + 3. an account locked out via pwdAccountLockedTime + 4. a client binding to the locked-out account and also requesting the ppolicy control + + + [Test Case] + + * get the files from the bug: + mkdir slapd-test-case; cd slapd-test-case + wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script + + * run the script: + sudo apt update && sudo sh ./script + + * With the bug, the result is: + ldap_bind: Invalid credentials (49) + slapd dead + + * If when confirming the bug you don't see "slapd dead" like above, + check manually, as slapd might have been in the process of shutting down + when the script checked its status: "sudo systemctl status slapd" + + * With the fixed packages, you get a living slapd at the end (you can run the script again on the same system): + sudo add-apt-repository ppa:ahasenack/slapd-crash-bug-1866303 -y -u + sudo sh ./script + ... + slapd running + ldap_bind: Invalid credentials (49) + slapd running + + [Regression Potential] + The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap. + + [Other Info] + This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+. + + + [Original Description] + Hello, Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time. Upstream: https://openldap.org/its/?findid=9171 Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 The ingredients for the crash are: 1: ppolicy overlay configured with pwdLockout: TRUE 2. smbk5pwd overlay stacked after ppolicy 3. an account locked out via pwdAccountLockedTime 4. a client binding to the locked-out account and also requesting the ppolicy control The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash. I will attach my test script and data for reproducing the crash. Expected output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd running Actual output (last lines): [ ok ] Starting OpenLDAP: slapd. slapd running ldap_bind: Invalid credentials (49) slapd dead
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1866303 Title: slapd crash with pwdAccountLockedTime and stacked overlays To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
