https://bugs.openldap.org/show_bug.cgi?id=9466
Issue ID: 9466
Summary: Since glibc 2.33 slapd shall initialize NSS before calling chroot
Product: OpenLDAP
Version: 2.4.57
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: dpa-openldap@aegee.org
Target Milestone: ---
I use openldap 2.4 within chroot on an LFS. I call `slapd -r /home/openldap`.
With glibc 2.32 it worked fine without running nscd. Since I upgraded (on the host, thus outside the chrooted environment) slapd cannot work without running nscd (on the host, whose socket is bind-mounted to /var/run/nscd/socket in the chrooted environment).
As outlined at https://sourceware.org/bugzilla/show_bug.cgi?id=27077 slapd shall first utilize NSS, e.g. by calling getpwuid or utilizing the host database, and then chroot(2).
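The ordering the reporter describes (touch NSS first, chroot(2) afterwards) as an added example in C. This is illustration code, not slapd's own startup sequence; the function names (resolve_user, warm_nss, enter_jail) and the struct are assumptions. It resolves the run-as user and its supplementary groups through the passwd and group databases, resolves a provider hostname through the hosts database, and only then enters the jail and drops privileges, so that nothing after chroot(2) needs a name-service lookup.

```c
/* Added example: resolve everything that needs NSS before chroot(2),
 * then enter the jail and drop privileges without further lookups. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netdb.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 64

/* Everything enter_jail() needs, computed while NSS is still usable. */
struct jail_plan {
    uid_t uid;
    gid_t gid;
    gid_t groups[MAX_GROUPS];
    int   ngroups;
    char  user[64];
};

/* Resolve a user given as a name or a numeric id (slapd -u accepts either).
 * Both getpw*_r and getgrouplist go through NSS, so this runs before chroot. */
int resolve_user(const char *spec, struct jail_plan *plan)
{
    struct passwd pw, *res = NULL;
    char buf[4096];
    char *end = NULL;
    int rc;

    errno = 0;
    long n = strtol(spec, &end, 10);
    if (*spec != '\0' && *end == '\0' && errno == 0)
        rc = getpwuid_r((uid_t)n, &pw, buf, sizeof buf, &res);
    else
        rc = getpwnam_r(spec, &pw, buf, sizeof buf, &res);
    if (rc != 0 || res == NULL)
        return -1;                      /* unknown user */

    plan->uid = pw.pw_uid;
    plan->gid = pw.pw_gid;
    snprintf(plan->user, sizeof plan->user, "%s", pw.pw_name);

    /* Supplementary groups: the group database lookup happens here, not in
     * the jail, so setgroups() later needs no NSS at all. */
    plan->ngroups = MAX_GROUPS;
    if (getgrouplist(pw.pw_name, pw.pw_gid, plan->groups, &plan->ngroups) == -1)
        return -1;                      /* more than MAX_GROUPS groups */
    return 0;
}

/* Touch the hosts database before chroot: a consumer that syncs from a
 * provider needs DNS, and this is the lookup the reporter saw failing. */
int warm_nss(const char *provider_host)
{
    struct addrinfo hints, *ai = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    int rc = getaddrinfo(provider_host, NULL, &hints, &ai);
    if (rc == 0)
        freeaddrinfo(ai);
    return rc;                          /* 0 on success, EAI_* otherwise */
}

/* Enter the jail, then drop privileges: chroot, chdir("/"), supplementary
 * groups, gid, uid. Uses only the precomputed plan; no lookups here. */
int enter_jail(const char *root, const struct jail_plan *plan)
{
    if (chroot(root) != 0)                               return -1;
    if (chdir("/") != 0)                                 return -1;
    if (setgroups(plan->ngroups, plan->groups) != 0)     return -1;
    if (setgid(plan->gid) != 0)                          return -1;
    if (setuid(plan->uid) != 0)                          return -1;
    /* Verify the drop actually took effect before doing any real work. */
    if (setuid(0) == 0 && plan->uid != 0)                return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail-root> <user> <provider-host>\n", argv[0]);
        return 2;
    }
    struct jail_plan plan;
    if (resolve_user(argv[2], &plan) != 0) { fprintf(stderr, "unknown user %s\n", argv[2]); return 1; }
    int rc = warm_nss(argv[3]);
    if (rc != 0) { fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc)); return 1; }
    if (enter_jail(argv[1], &plan) != 0) { perror("enter_jail"); return 1; }
    printf("running as uid %u in %s\n", (unsigned)geteuid(), argv[1]);
    return 0;
}
```

Run as root, e.g. `./jail /home/openldap openldap provider.example` (assumed paths and names). The design point is that the jail_plan is filled in entirely on the host side; whether a deployment wants the host's databases or the jail's, as the following comment discusses, is a policy choice, but either way the lookups are done once, up front, and the privilege drop afterwards does not depend on NSS state.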
--- Comment #1 from Howard Chu hyc@openldap.org --- Certainly sounds like a bug in glibc. Note the slapd(8) documentation:
-u user  slapd will run slapd with the specified user name or id, and that user's supplementary group access list as set with initgroups(3). The group ID is also changed to this user's gid, unless the -g option is used to override. Note when used with -r, slapd will use the user database in the change root environment.
The workaround they've suggested is unacceptable. It is decades of standard practice for processes using chroot jails to use the security databases inside the chroot jail, not the databases of the host environment.
--- Comment #2 from dpa-openldap@aegee.org dpa-openldap@aegee.org --- As a matter of fact I think it is not the retrieval of the UID that fails, but the DNS lookups: I run openldap in a way that syncs from another host, and in order to do the sync, the hostname of the master process must be resolved by means of a DNS lookup.
Acceptable or not, this was reported also in https://sourceware.org/bugzilla/show_bug.cgi?id=27389 and whether the behaviour (regression) shall be reverted was raised today at https://sourceware.org/pipermail/libc-alpha/2021-February/122714.html .
--- Comment #3 from Michael Ströder michael@stroeder.com --- glibc 2.33 causes lots of issues e.g. in openSUSE Tumbleweed:
https://bugzilla.opensuse.org/buglist.cgi?quicksearch=glibc%202.33
Quanah Gibson-Mount quanah@openldap.org changed:
What        |Removed      |Added
------------+-------------+------------
Status      |UNCONFIRMED  |RESOLVED
Resolution  |---          |INVALID
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org --- I'm going to mark this bug as invalid as it is clearly a problem caused by breaking buggy behavior in glibc as opposed to being an OpenLDAP issue.
If something changes to indicate that is not the case feel free to reopen and it can be discussed further.
Quanah Gibson-Mount quanah@openldap.org changed:
What        |Removed      |Added
------------+-------------+------------
Status      |RESOLVED     |VERIFIED