Full_Name: Marc Schildt
Version: 2.4.24 - 2.4.39
OS: Debian wheezy
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.162.49.126)
Hello,
We identified problems with the slapd version provided with Debian wheezy.
Our workstations are using sssd for auth against our OpenLDAP server. The setup works well with slapd 2.4.23-7.3 on Debian squeeze.
But, after building a new LDAP server on Debian wheezy, sssd stops working correctly and authentication of the workstations is not working anymore. Debian wheezy is using slapd 2.4.31-1+nmu2.
We tested with the following sssd versions on different OSes:
sssd.x86_64 1.9.2-129.el6_5.4 @rhel-6-server-rpms
sssd-client.x86_64 1.9.2-129.el6_5.4 @rhel-6-server-rpms
sssd 1.8.6-0ubuntu0.3
We then tried to self-compile OpenLDAP on Debian wheezy (source from openldap.org).
From OpenLDAP 2.4.39 down to 2.4.24 the built packages still did not work correctly with sssd. Reaching 2.4.23, the source won't compile anymore. So, after checking the change log, we saw that in 2.4.24 support for Berkeley DB 5.1 was introduced in the source and for 2.4.23, db4.8 is needed. We then compiled the Berkeley DB 4.8 source from Debian squeeze on Debian wheezy and 2.4.23 was compiling cleanly.
And, surprise, the combination of openldap and sssd was working as expected.
After this success, we continued with a rebuild of OpenLDAP 2.4.31-1+nmu2 against the newly installed libdb4.8-dev libs. And again, we were happy to see OpenLDAP 2.4.31-1+nmu2 (built against libdb4.8) working like a charm together with sssd.
So, maybe there is a major problem with libdb5 support introduced in OpenLDAP version 2.4.24?
slapd.conf:
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#########################
# Global Directives     #
#########################

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/my.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload memberof
moduleload refint

# The maximum number of entries that is returned for a search operation
sizelimit unlimited

loglevel stats

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
# Global ACL's
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * by * read
#########################
# DB Directives         #
#########################

database hdb
cachesize 20000
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}123456
directory "/var/lib/ldap"
checkpoint 1024 5

# INDEXING
index default eq
index objectClass,memberUid,uidNumber,gidNumber eq,pres
index givenName,dc,displayName,distinguishedName eq,pres
index cn,sn,mail,uid eq,pres,sub
index member,memberOf,uniqueMember eq,pres
# syncprov
index entryUUID,entryCSN,ou eq
index nisMapName,nisMapEntry eq,pres,sub
# samba
index sambaSID,sambaPrimaryGroupSID,sambaDomainName,sambaGroupType,sambaSIDList eq

syncrepl rid="200"
        provider="ldaps://ldap-provider.example.com"
        searchbase="dc=example,dc=com"
        type="refreshAndPersist"
        retry="2 30 60 +"
        filter="objectClass=*"
        scope="sub"
        attrs="*,+"
        sizelimit="unlimited"
        timelimit="unlimited"
        binddn="cn=replicator.ldap-consumer2.example.com,dc=example,dc=com"
        bindmethod="simple"
        credentials="123456"
        tls_reqcert="allow"

# DB ACL's
access to * by dn.exact="cn=replicator.ldap-consumer2.example.com,dc=example,dc=com" write by * break
limits dn.exact="cn=replicator.ldap-consumer2.example.com,dc=example,dc=com" size=unlimited time=unlimited
access to attrs=sambaNTPassword by dn.exact="cn=sambaconnect,dc=example,dc=com" read by self write by * none
limits dn.exact="cn=sambaconnect,dc=example,dc=com" size=unlimited time=unlimited
access to attrs=userPassword,userPKCS12 by self write by * auth
access to * by dn.exact="cn=accessuser,dc=example,dc=com" read by * break
limits dn.exact="cn=accessuser,dc=example,dc=com" size=unlimited time=unlimited
# Overlay Config
overlay memberof
memberof-refint true
memberof-dangling error
memberof-dn cn=memberof-overlay

overlay refint
refint_attributes member memberOf manager owner seeAlso
refint_nothing cn=refinit.nothing,ou=system,dc=example,dc=com

TLSCACertificateFile /etc/ldap/certs/ldap-ca.pem
TLSCertificateFile /etc/ldap/certs/ldap-consumer2.example.com.pem
TLSCertificateKeyFile /etc/ldap/certs/ldap-consumer2.example.com.key
TLSVerifyClient allow
sssd.conf:
#
# RESET SSS cache:
# service sssd stop
# rm /var/lib/sss/db/cache_*
# service sssd start

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = INTERN

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 50
entry_negative_timeout = 15

[pam]
reconnection_retries = 3
offline_credentials_expiration = 30
offline_failed_login_attempts = 0
offline_failed_login_delay = 5

[domain/LDAP]
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap-consumer2.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/ldap-ca.pem
slapd_sssd_request_succsess.log → slapd 2.4.23-7.3 / libdb 4.8.30-2:
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 fd=17 ACCEPT from IP=172.30.2.191:49845 (IP=0.0.0.0:636)
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 fd=17 TLS established tls_ssf=128 ssf=128
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms defaultNamingContext lastUSN highestCommittedUSN
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=1 BIND dn="" method=128
Apr 15 17:43:45 ldap-slave slapd[1810]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=1 RESULT tag=97 err=0 text=
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))"
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=2 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1000 text=
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))"
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=3 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=3 SEARCH RESULT tag=101 err=0 nentries=181 text=
Apr 15 17:43:46 ldap-slave slapd[1810]: conn=1001 op=4 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Apr 15 17:43:46 ldap-slave slapd[1810]: conn=1001 op=4 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
Apr 15 17:43:46 ldap-slave slapd[1810]: conn=1001 op=4 SEARCH RESULT tag=101 err=0 nentries=253 text=
Apr 15 17:43:48 ldap-slave slapd[1810]: conn=1001 op=5 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=ipService)(cn=*)(ipServicePort=*)(ipServiceProtocol=*))"
Apr 15 17:43:48 ldap-slave slapd[1810]: conn=1001 op=5 SRCH attr=objectClass cn ipServicePort ipServiceProtocol modifyTimestamp
Apr 15 17:43:48 ldap-slave slapd[1810]: conn=1001 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 15 17:43:58 ldap-slave slapd[1810]: conn=1001 op=6 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=test.user)(objectClass=posixAccount))"
Apr 15 17:43:58 ldap-slave slapd[1810]: conn=1001 op=6 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap
Apr 15 17:43:58 ldap-slave slapd[1810]: conn=1001 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 15 17:43:58 ldap-slave slapd[1810]: conn=1001 op=7 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(memberUid=test.user)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Apr 15 17:43:58 ldap-slave slapd[1810]: conn=1001 op=7 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
Apr 15 17:43:58 ldap-slave slapd[1810]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=22 text=
Apr 15 17:46:14 ldap-slave slapd[1810]: conn=1001 op=8 UNBIND
Apr 15 17:46:14 ldap-slave slapd[1810]: conn=1001 fd=17 closed
slapd_sssd_request_no_succsess.log → slapd 2.4.31-1+nmu2 / libdb 5.1.29-5:
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 fd=28 ACCEPT from IP=172.30.2.191:58270 (IP=0.0.0.0:636)
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 fd=28 TLS established tls_ssf=128 ssf=128
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms defaultNamingContext lastUSN highestCommittedUSN
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=1 BIND dn="" method=128
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=1 RESULT tag=97 err=0 text=
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))"
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=2 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=3 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=4 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=ipService)(cn=*)(ipServicePort=*)(ipServiceProtocol=*))"
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=4 SRCH attr=objectClass cn ipServicePort ipServiceProtocol modifyTimestamp
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 15 17:18:37 ldap-consumer2 slapd[16228]: conn=1116 op=5 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=test.user)(objectClass=posixAccount))"
Apr 15 17:18:37 ldap-consumer2 slapd[16228]: conn=1116 op=5 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap
Apr 15 17:18:37 ldap-consumer2 slapd[16228]: conn=1116 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=6 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(gidNumber=20001)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=6 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=7 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=test.user)(objectClass=posixAccount))"
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=7 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=8 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(memberUid=test.user)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=8 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=9 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(gidNumber=20001)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=9 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 15 17:18:58 ldap-consumer2 slapd[16228]: conn=1116 op=10 UNBIND
Apr 15 17:18:58 ldap-consumer2 slapd[16228]: conn=1116 fd=28 closed
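The two logs above differ mainly in the nentries= counts slapd returns for the same sssd filters: the posixAccount and posixGroup enumerations and the memberUid lookup return 0 on the wheezy build, while the equality lookup on uid=test.user still returns 1. The following Python script is an added example, not part of this report or of OpenLDAP itself: it parses slapd "loglevel stats" output, pairs each SRCH line with its SEARCH RESULT by conn/op, and lists the filters that returned entries on one server but zero on the other. The embedded sample lines are a constructed subset of the two logs above; the function and variable names are the example's own.

```python
import re
import sys
from collections import OrderedDict

# Patterns for the two "loglevel stats" line types we need: the SRCH line
# carrying the filter, and the SEARCH RESULT line carrying err/nentries.
# (The "SRCH attr=..." lines match neither and are skipped.)
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d+) deref=\d+ filter="(?P<filter>[^"]*)"'
)
RESULT_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT tag=\d+ '
    r'err=(?P<err>\d+) nentries=(?P<nentries>\d+)'
)


def parse_searches(lines):
    """Pair each SRCH line with its SEARCH RESULT by (conn, op).

    Returns {(conn, op): {base, scope, filter, err, nentries}} in log order;
    err/nentries stay None for a search whose result line never appeared.
    """
    ops = OrderedDict()
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            ops[(int(m["conn"]), int(m["op"]))] = {
                "base": m["base"], "scope": int(m["scope"]),
                "filter": m["filter"], "err": None, "nentries": None,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            rec = ops.get((int(m["conn"]), int(m["op"])))
            if rec is not None:
                rec["err"] = int(m["err"])
                rec["nentries"] = int(m["nentries"])
    return ops


def entries_by_filter(ops):
    """Collapse parsed operations to {(base, scope, filter): max nentries seen}.

    sssd issues the same filter more than once per session, so the maximum
    tells whether the server ever returned anything for it. Searches that
    ended in an error are ignored: err!=0 is a different symptom than 0 hits.
    """
    counts = {}
    for rec in ops.values():
        if rec["nentries"] is None or rec["err"] != 0:
            continue
        key = (rec["base"], rec["scope"], rec["filter"])
        counts[key] = max(counts.get(key, 0), rec["nentries"])
    return counts


def find_regressions(good_lines, bad_lines):
    """Filters that returned entries on the working server but zero on the other."""
    good = entries_by_filter(parse_searches(good_lines))
    bad = entries_by_filter(parse_searches(bad_lines))
    regressions = []
    for key, n_good in good.items():
        n_bad = bad.get(key)
        if n_good > 0 and n_bad == 0:
            regressions.append({"filter": key[2], "good": n_good, "bad": n_bad})
    return regressions


# Constructed sample: a subset of the lines from the two logs in this report.
GOOD_LOG = """\
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))"
Apr 15 17:43:45 ldap-slave slapd[1810]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1000 text=
Apr 15 17:43:46 ldap-slave slapd[1810]: conn=1001 op=4 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Apr 15 17:43:46 ldap-slave slapd[1810]: conn=1001 op=4 SEARCH RESULT tag=101 err=0 nentries=253 text=
Apr 15 17:43:58 ldap-slave slapd[1810]: conn=1001 op=6 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=test.user)(objectClass=posixAccount))"
Apr 15 17:43:58 ldap-slave slapd[1810]: conn=1001 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 15 17:43:58 ldap-slave slapd[1810]: conn=1001 op=7 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(memberUid=test.user)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Apr 15 17:43:58 ldap-slave slapd[1810]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=22 text=
"""

BAD_LOG = """\
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))"
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Apr 15 17:18:15 ldap-consumer2 slapd[16228]: conn=1116 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 15 17:18:37 ldap-consumer2 slapd[16228]: conn=1116 op=5 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=test.user)(objectClass=posixAccount))"
Apr 15 17:18:37 ldap-consumer2 slapd[16228]: conn=1116 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=8 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(memberUid=test.user)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Apr 15 17:18:38 ldap-consumer2 slapd[16228]: conn=1116 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""


if __name__ == "__main__":
    # Usage: python3 slapd_diff.py good.log bad.log  (no args: embedded sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_good, open(sys.argv[2]) as f_bad:
            good, bad = f_good.read().splitlines(), f_bad.read().splitlines()
    else:
        good, bad = GOOD_LOG.splitlines(), BAD_LOG.splitlines()
    for r in find_regressions(good, bad):
        print(f"{r['good']:>5} -> {r['bad']:<3} {r['filter']}")
```

Run it over the full logs of the two servers (one file each, captured with loglevel stats as in the slapd.conf above) and the output is the list of filters whose hit count dropped to zero; on the sample it is the two enumeration filters and the memberUid lookup, and not the uid=test.user lookup, which is exactly the pattern the report describes. Keying on (base, scope, filter) rather than on op numbers matters because sssd issues a different number of operations on the two servers.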