https://bugs.openldap.org/show_bug.cgi?id=10073
Issue ID: 10073
Summary: database monitor | slapd fails to start when "database ldap" without suffix exists
Product: OpenLDAP
Version: 2.5.14
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: backends
Assignee: bugs@openldap.org
Reporter: cyusedfzfb@gmail.com
Target Milestone: ---
As requested on the mailing list, I am filing an issue for this behaviour:
Today I set up the cn=Monitor backend, and after doing so, OpenLDAP failed to start with:
backend_startup_one (type=monitor, suffix="cn=Monitor"): bi_db_open failed! (-1)
The reason turned out to be: we had configured one of our databases ("database ldap") without a suffix.
After I added a suffix, OpenLDAP started, and cn=Monitor worked as expected.
It would be nice if this error message could become a little bit more specific. :-)
Also: we've had the "database ldap" without a suffix in production, working, for many years. Perhaps cn=Monitor should be able to deal with that config as well?
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
On Mon, Jun 26, 2023 at 07:34:34PM +0000, openldap-its@openldap.org wrote:
> Today I set up the cn=Monitor backend, and after doing so, OpenLDAP failed to start with:
> backend_startup_one (type=monitor, suffix="cn=Monitor"): bi_db_open failed! (-1)
> The reason turned out to be: we had configured one of our databases ("database ldap") without a suffix.
> After I added a suffix, OpenLDAP started, and cn=Monitor worked as expected.
> It would be nice if this error message could become a little bit more specific. :-)
> Also: we've had the "database ldap" without a suffix in production, working, for many years. Perhaps cn=Monitor should be able to deal with that config as well?
Hi, can you share why you configure it without any suffix (compared to a suffix of "")? I'd be tempted to introduce the same check that other backends employ and make sure a suffix is configured on the DB.
Pretty sure a lot of the code expects be_suffix to be non-NULL already and might crash otherwise.
Regards,
--- Comment #2 from cYuSeDfZfb cyusedfzfb@gmail.com ---
Hi! I'm sorry: I cannot tell *why*. This configuration has existed for 5+ years, and I only started working here a year ago. Actually, no one else here seems to know the exact details either.
Are you saying that using suffix "" is considered more regular, and should we have used that instead?
Anyway: for our new LDAP we moved from master-slave to a 4-way MultiMaster, and hence we no longer need the "database ldap" backend. I've erased it from our config.
I would say: add that check. :-)
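The check proposed in comment #1 and endorsed in comment #2 lives inside back-ldap, so it only helps once a build carrying it is deployed. As an added example for this ticket (not OpenLDAP code and not posted by any participant), the script below gives an operator the same check up front: it parses an slapd.conf-style file and lists every "database" stanza that never sets "suffix", with the line number of the offending stanza. It assumes slapd.conf conventions (a directive continues on any following line that begins with whitespace; "#" starts a comment), treats suffix "" as configured, matching the question in comment #1, and exempts the config and monitor backends, whose suffixes (cn=config, cn=Monitor) slapd fixes itself. The sample configuration at the bottom is constructed for the demonstration, including a "database ldap" stanza with no suffix like the one in the report.

```python
"""Pre-flight check: find slapd.conf database stanzas that never set a suffix.

Added example for ITS#10073, not code from OpenLDAP.  Assumptions: slapd.conf
syntax (continuation lines start with whitespace, '#' starts a comment), and
that only the config and monitor backends may legitimately omit 'suffix'.
"""

# Backends whose suffix is supplied by slapd itself (cn=config, cn=Monitor),
# so a missing 'suffix' directive is not a misconfiguration for them.
IMPLICIT_SUFFIX_BACKENDS = {"config", "monitor"}


def _logical_lines(text):
    """Yield (line_number, directive) with continuation lines joined.

    line_number is the line on which the directive started.  Blank lines and
    comment lines are dropped; a line beginning with whitespace is appended to
    the directive before it, as slapd.conf does.
    """
    current = None
    start = 0
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            yield start, current
        current, start = raw.strip(), number
    if current is not None:
        yield start, current


def databases_without_suffix(conf_text):
    """Return [(line_number, backend_type), ...] for database stanzas lacking a suffix.

    A stanza runs from one 'database <type>' directive to the next.  'suffix ""'
    counts as configured; config and monitor backends are exempt.
    """
    findings = []
    stanza = None  # [line_number, backend_type, has_suffix]

    def close():
        if stanza and not stanza[2] and stanza[1] not in IMPLICIT_SUFFIX_BACKENDS:
            findings.append((stanza[0], stanza[1]))

    for number, line in _logical_lines(conf_text):
        tokens = line.split()
        keyword = tokens[0].lower()
        if keyword == "database" and len(tokens) > 1:
            close()
            stanza = [number, tokens[1].lower(), False]
        elif keyword == "suffix" and stanza is not None:
            stanza[2] = True
    close()
    return findings


# Constructed sample configuration for the demonstration (not a real deployment).
# The 'database ldap' stanza deliberately has no suffix, as in the report.
SAMPLE_SLAPD_CONF = """\
# constructed sample, not a real deployment
include /etc/openldap/schema/core.schema

database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"

# the stanza that triggered this report: no suffix at all
database ldap
uri ldap://legacy.example.com/
idassert-bind bindmethod=simple
  binddn="cn=proxy,dc=example,dc=com"
  credentials=secret

database monitor
"""


if __name__ == "__main__":
    for line_number, backend in databases_without_suffix(SAMPLE_SLAPD_CONF):
        print(f"line {line_number}: 'database {backend}' has no suffix directive")
```

Run it against the configuration before restarting slapd after adding the monitor backend; the reported line number points at the stanza that needs a suffix (or needs removing, as the reporter ended up doing). It reads slapd.conf only, not cn=config; for an olc-style setup the equivalent check is a search for olcDatabase entries without olcSuffix.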
--- Comment #3 from fkooman@tuxed.net ---
I created an MR that switches the default to argon2id (for libargon2 builds) as recommended by OWASP:
https://git.openldap.org/openldap/openldap/-/merge_requests/643
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed      |Added
----------------------------------------------------------------------------
         Status    |UNCONFIRMED  |IN_PROGRESS
 Ever confirmed    |0            |1
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
Commits:
• 39403c9d by Ondřej Kuzník at 2023-08-11T20:00:50+00:00
  ITS#10073 back-ldap: Make sure we have a suffix configured
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed             |Added
----------------------------------------------------------------------------
         Status    |IN_PROGRESS         |RESOLVED
       Keywords    |needs_review        |
       Assignee    |bugs@openldap.org   |ondra@mistotebe.net
     Resolution    |---                 |TEST
Target Milestone   |---                 |2.7.0