https://bugs.openldap.org/show_bug.cgi?id=9575
Issue ID: 9575
Summary: Object class olcGlobal should not allow olcPasswordHash
Product: OpenLDAP
Version: 2.5.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: michael@stroeder.com
Target Milestone: ---
Object class olcGlobal should not allow olcPasswordHash because slapd will crash during start if the attribute is set.
Reported in this thread:
https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/m...
--- Comment #1 from Quanah Gibson-Mount quanah@openldap.org ---
commit 2437abac38f99d314aa0886dcacefa6ee35505bf
Author: Howard Chu hyc@openldap.org
Date: Sun Sep 2 13:24:14 2007 +0000
ITS#5082 RE23 compatibility, allow olcPasswordHash in global entry
is why this is there.
--- Comment #2 from Michael Ströder michael@stroeder.com ---
On 6/7/21 10:39 PM, openldap-its@openldap.org wrote:
> ITS#5082 RE23 compatibility, allow olcPasswordHash in global entry
> is why this is there.
So it's time to drop it, isn't it?
Ciao, Michael.
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
(In reply to Michael Ströder from comment #2)
> On 6/7/21 10:39 PM, openldap-its@openldap.org wrote:
> > ITS#5082 RE23 compatibility, allow olcPasswordHash in global entry
> > is why this is there.
> So it's time to drop it, isn't it?
No. If you actually read the full code associated with the commit, slapd is supposed to correctly handle the value existing in the global location. Clearly there's a bug there that needs to be fixed, but the 2.3 compatibility should remain. We still have people show up with 2.0 systems...
--- Comment #4 from Howard Chu hyc@openldap.org ---
(In reply to Quanah Gibson-Mount from comment #3)
> (In reply to Michael Ströder from comment #2)
> > On 6/7/21 10:39 PM, openldap-its@openldap.org wrote:
> > > ITS#5082 RE23 compatibility, allow olcPasswordHash in global entry
> > > is why this is there.
> > So it's time to drop it, isn't it?
> No. If you actually read the full code associated with the commit, slapd is supposed to correctly handle the value existing in the global location. Clearly there's a bug there that needs to be fixed, but the 2.3 compatibility should remain. We still have people show up with 2.0 systems...
No bug. cn=config is read before cn=module,cn=config so you obviously can't refer to a hash mechanism in cn=config that's dynamically loaded.
This ticket is invalid.
--- Comment #5 from Quanah Gibson-Mount quanah@openldap.org ---
(In reply to Howard Chu from comment #4)
> No bug. cn=config is read before cn=module,cn=config so you obviously can't refer to a hash mechanism in cn=config that's dynamically loaded.
> This ticket is invalid.
The ticket is definitely not invalid. If what you say is the case, then the attribute should not be allowed in global config, and 2437abac38f99d314aa0886dcacefa6ee35505bf likely should be reverted in its entirety.
Quanah Gibson-Mount quanah@openldap.org changed:
What             |Removed           |Added
-----------------+------------------+--------------------
Assignee         |bugs@openldap.org |ondra@mistotebe.net
Target Milestone |---               |2.6.0
--- Comment #6 from Quanah Gibson-Mount quanah@openldap.org ---
olcPasswordHash works in the global section for built in mechanisms such as {SSHA}.
Man page needs to be updated to note this (vs must be in frontend for external modules).
slaptest should be able to catch this and report it as an error if misconfigured.
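As an added illustration (not part of the ticket or of OpenLDAP's own files), the two cn=config layouts the thread contrasts: the scheme from a dynamically loaded module placed in the global entry, where comment #4 explains it cannot be resolved because cn=config is read before cn=module,cn=config, and the same scheme in the frontend database, where the man page says it belongs. The pw-sha2 contrib module providing {SHA512} and the module path are assumptions.

```ldif
# Added example, not from the ticket. Assumes the contrib module pw-sha2,
# which provides the {SHA512} scheme; the module path is a placeholder.

# --- Layout the ticket warns about -------------------------------------
# cn=config is read before cn=module{0},cn=config, so a scheme that only
# exists once the module is loaded cannot be resolved here and slapd does
# not start. A built-in scheme such as {SSHA} in this position does work.
dn: cn=config
objectClass: olcGlobal
cn: config
olcPasswordHash: {SHA512}

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: pw-sha2.la

# --- Placement prescribed by slapd-config(5) ---------------------------
# The frontend database is processed after the module list, so the scheme
# is known by the time olcPasswordHash is evaluated.
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: pw-sha2.la

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcPasswordHash: {SHA512}
```

Running slaptest -F over the config directory before starting slapd is the check at which comment #6 expects the first layout to be reported.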
Quanah Gibson-Mount quanah@openldap.org changed:
What       |Removed     |Added
-----------+------------+---------
Status     |UNCONFIRMED |RESOLVED
Resolution |---         |FIXED
--- Comment #7 from Quanah Gibson-Mount quanah@openldap.org ---
Commits:
• f016d887 by Ondřej Kuzník at 2021-06-21T15:32:03+00:00
  ITS#9575 Warn when specifying olcPasswordHash in the cn=config entry
--- Comment #8 from Quanah Gibson-Mount quanah@openldap.org ---
note: man page already explicitly says to configure this in the frontend db.
Quanah Gibson-Mount quanah@openldap.org changed:
What   |Removed  |Added
-------+---------+---------
Status |RESOLVED |VERIFIED