https://bugs.openldap.org/show_bug.cgi?id=9656
Issue ID: 9656
Summary: slapd (2.5.7) crashes when ppm settings don't exist in the schema
Product: OpenLDAP
Version: unspecified
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: ktmdms@gmail.com
Target Milestone: ---
Using ppolicy with ppm causes slapd to crash (2.5.7; I would have selected that as the version, but it's not available to be selected) when pwdCheckModuleArg doesn't exist in the schema and/or the full path to ppm.so isn't defined in pwdCheckModule. At the time slapd would crash, pwdCheckModule was set to ppm.so, not the full path of /usr/local/libexec/openldap/ppm.so, and the pwdCheckModuleArg attribute didn't exist at all. Whenever I would attempt to change my user password, slapd would crash. Setting the full path and creating and setting the Arg attribute has stopped that behavior, but I'm unsure if it was simply adding the attribute or some combination of setting the full path, creating the attribute, and populating the attribute. FWIW, the attribute is set as:
bWluUXVhbGl0eSA0Cm1heExlbmd0aCAwCmNoZWNrUkROIDEKZm9yYmlkZGVuQ2hhcnMgCmNsYXNz LXVwcGVyQ2FzZSBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWiAxIDEKY2xhc3MtbG93ZXJDYXNl IGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6IDEgMQpjbGFzcy1kaWdpdCAwMTIzNDU2Nzg5IDEg MQpjbGFzcy1zcGVjaWFsIDw+LD87LjovIcKnw7klKsK1XsKoJMKjwrImw6l+IiMneyhbLXzDqGBf XMOnXsOgQCldwrA9fSsgMSAxCgo=
Quanah Gibson-Mount quanah@openldap.org changed:
What     | Removed | Added
Keywords |         | needs_review
Quanah Gibson-Mount quanah@openldap.org changed:
What      | Removed | Added
Component | slapd   | contrib
--- Comment #1 from David Coutadeur david.coutadeur@gmail.com --- Hello,
Correctly setting the full module path is a requirement of ppm. It is up to the admin to set this correctly; otherwise the module and OpenLDAP would crash.
For information there is now a man page for ppm, please give a look at: https://github.com/ltb-project/ppm/blob/ppolicy10/ppm.md
The man page has also been included in the OpenLDAP master branch, and is likely to be provided in the next 2.5.8 version.
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed                                                           | Added
Summary          | slapd (2.5.7) crashes when ppm settings don't exist in the schema | slapd crashes when ppm settings don't exist in the schema
Target Milestone | ---                                                               | 2.5.7
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed      | Added
Version          | unspecified  | 2.5.7
Target Milestone | 2.5.7        | 2.6.1
Keywords         | needs_review |
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org --- Please provide the full configuration that caused the crash, as was requested on the technical list.
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed | Added
Target Milestone | 2.6.1   | 2.5.8
--- Comment #3 from ktmdms@gmail.com ktmdms@gmail.com --- Two things. When using ppm.so in OpenLDAP 2.4, ppm.so, while included in the schema, didn't need the fully qualified pathname (I assume that the path was handled via the modulepath statement in slapd.conf), and I don't know that that particular change is documented anywhere particularly succinctly. 2nd, there is a statement in ppm.md that states: "If for some reasons, any parameter is not found, it will be given its default value." which would seem to indicate that there are some defaults coded into slapd to handle those times when someone doesn't set parameters, thereby keeping slapd from crashing. Either 1) slapd shouldn't start if these parameters are requirements when using ppolicy, or 2) slapd shouldn't crash and should give a warning that default values are being used and one should verify if those defaults are valid, or simply warn that ppolicy won't be used as necessary settings have not been populated.
--- Comment #4 from ktmdms@gmail.com ktmdms@gmail.com --- (In reply to Quanah Gibson-Mount from comment #2)
> Please provide the full configuration that caused the crash, as was requested on the technical list.

slapd.conf?
--- Comment #5 from David Coutadeur david.coutadeur@gmail.com ---
> "If for some reasons, any parameter is not found, it will be given its default value."

This is true for ppm parameters, not for password policy parameters. Especially, pwdCheckModule does not have default values.

> when using ppm.so in OpenLDAP 2.4 the ppm.so, while included in the schema, didn't need the fully qualified pathname (I assume that the path was handled via the modulepath statement in the slapd.conf) and I don't know that that particular change is documented anywhere particularly succinctly.

I don't think ppolicy can guess any extension path... Neither in 2.4 nor in 2.5.

> Either 1). slapd shouldn't start if these parameters are requirements when using ppolicy

These parameters can evolve while OpenLDAP is running. As I explained before, it is the responsibility of the admin to ensure the pwdCheckModule parameter is set accordingly.

> 2). slapd shouldn't crash and should give a warning that default values are being used and one should verify if those defaults are valid or simply warn that ppolicy won't be used as necessary settings have not been populated.

slapd can't know any requirement about a given extended module.
--- Comment #6 from ktmdms@gmail.com ktmdms@gmail.com --- (In reply to David Coutadeur from comment #5)
> > "If for some reasons, any parameter is not found, it will be given its default value."
>
> This is true for ppm parameters, not for password policy parameters. Especially, pwdCheckModule does not have default values.
>
> > when using ppm.so in OpenLDAP 2.4 the ppm.so, while included in the schema, didn't need the fully qualified pathname (I assume that the path was handled via the modulepath statement in the slapd.conf) and I don't know that that particular change is documented anywhere particularly succinctly.
>
> I don't think ppolicy can guess any extension path... Neither in 2.4 nor in 2.5.

It worked as such in 2.4 and doesn't work as such in 2.5. I don't know why, but it did, and it is right now.

> > Either 1). slapd shouldn't start if these parameters are requirements when using ppolicy
>
> These parameters can evolve while OpenLDAP is running. As I explained before, it is the responsibility of the admin to ensure the pwdCheckModule parameter is set accordingly.

Granted, my responsibility, but then it's your responsibility to make sure that changes from one version to the next are clearly documented so I know what I'm supposed to be doing. As I said, I didn't find the documentation particularly clear on this point.

> > 2). slapd shouldn't crash and should give a warning that default values are being used and one should verify if those defaults are valid or simply warn that ppolicy won't be used as necessary settings have not been populated.
>
> slapd can't know any requirement about a given extended module.

Essentially, what I'm reading here is "too bad, so sad, we're not going to make slapd handle this gracefully".
--- Comment #7 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to ktmdms@gmail.com from comment #6)
> Essentially, what I'm reading here is "too bad, so sad, we're not going to make slapd handle this gracefully".

False. It's literally been assigned to 2.5.8.
--- Comment #8 from ktmdms@gmail.com ktmdms@gmail.com --- (In reply to Quanah Gibson-Mount from comment #7)
> (In reply to ktmdms@gmail.com from comment #6)
> > Essentially, what I'm reading here is "too bad, so sad, we're not going to make slapd handle this gracefully".
>
> False. It's literally been assigned to 2.5.8.

Cool. What more do you need as far as config is concerned? slapd.conf, the ppolicy setup in the schema that now works?
--- Comment #9 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to ktmdms@gmail.com from comment #8)
> (In reply to Quanah Gibson-Mount from comment #7)
> > (In reply to ktmdms@gmail.com from comment #6)
> > > Essentially, what I'm reading here is "too bad, so sad, we're not going to make slapd handle this gracefully".
> >
> > False. It's literally been assigned to 2.5.8.
>
> Cool. What more do you need as far as config is concerned? slapd.conf, the ppolicy setup in the schema that now works?

slapd.conf, the ppolicy configuration for the default policy. We want the configuration that didn't work, not a working config.
--- Comment #10 from ktmdms@gmail.com ktmdms@gmail.com --- slapd.conf:

loglevel 0xffff
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/sudo.schema
include /usr/local/etc/openldap/schema/openssh-lpk-openldap.schema
allow bind_v2
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
modulepath /usr/local/libexec/openldap
moduleload syncprov.la
moduleload accesslog.la
moduleload pw-sha2.la
serverID 1
password-hash {SHA512}
TLSCACertificateFile /etc/pki/CA/certs/CAcert.pem
TLSCertificateFile /etc/pki/CA/certs/newldap0.mgt.cert.pem
TLSCertificateKeyFile /etc/pki/CA/private/newldap0.mgt.key.pem
TLSVerifyClient demand
access to dn.base="" by * read
access to attrs=userPassword,shadowLastChange
access to *
database config
rootdn "cn=admin,cn=config"
rootpw {SHA512}<obfuscated>
access to attrs=userPassword,shadowLastChange
access to *
database monitor
access to *
database mdb
maxsize 1073741824
suffix "dc=lecpq,dc=com"
rootdn "cn=Manager,dc=lecpq,dc=com"
rootpw {SHA512}<obfuscated>
directory /usr/local/var/openldap-data
index objectClass eq,pres
index sudoUser eq
index sudoHost eq
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 500
access to attrs=userPassword,shadowLastChange
access to *
overlay ppolicy
ppolicy_default "cn=DefaultPassword,ou=Policies,dc=lecpq,dc=com"
ppolicy_use_lockout
checkpoint 10240 720
policy in schema:

dn: cn=DefaultPassword,ou=Policies,dc=lecpq,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 0
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxFailure: 5
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
structuralObjectClass: device
entryUUID: cdc64442-6617-1035-98aa-075e3d1a7c2f
creatorsName: cn=Manager,dc=lecpq,dc=com
createTimestamp: 20160212210326Z
pwdMinAge: 86400
pwdMaxAge: 5184000
pwdMinLength: 15
pwdInHistory: 4
pwdCheckModule: ppm.so
entryCSN: 20210830143808.705188Z#000000#001#000000
modifiersName: cn=Manager,dc=lecpq,dc=com
modifyTimestamp: 20210830143808Z

This is the setup that failed. Adding the full path to pwdCheckModule and the attribute pwdCheckModuleArg (populated) caused it to work.
--- Comment #11 from Quanah Gibson-Mount quanah@openldap.org --- Thanks!
Ondřej Kuzník ondra@mistotebe.net changed:
What           | Removed     | Added
Status         | UNCONFIRMED | IN_PROGRESS
Ever confirmed | 0           | 1
--- Comment #12 from Ondřej Kuzník ondra@mistotebe.net --- Hi, you can find a fix for the crash when pwdCheckModuleArg is not provided in here: https://git.openldap.org/openldap/openldap/-/merge_requests/391
This targets 2.6, there is a slight tweak you'd have to make for it to compile with 2.5, just adjust the arguments to realloc_error_message() as seen elsewhere in the file.
It is possible that using "ppm.so" verbatim (a relative path), some version of ppm was found and loaded, but this is not always going to work for you (depending on how slapd is built and started) so it's discouraged. Also from 2.6 onward, this option is moved into ppolicy configuration and checked when it's set.
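The two conditions discussed in this thread (a bare module name in pwdCheckModule, and a missing pwdCheckModuleArg that crashes slapd on a password change before the fix) are easy to catch before an entry is loaded. The following Python script is an added example for this page, not code from OpenLDAP or the ppm project: it parses a policy entry from LDIF (including folded lines and base64 `::` values, the form in which slapcat emits pwdCheckModuleArg), reports both conditions, and decodes the pwdCheckModuleArg into ppm parameter lines so the admin can see what the module will actually read. The two LDIF samples are constructed from the reporter's comment #10 entry and the base64 value in the bug report; the function names and the `check_fs` option are this example's own.

```python
"""Pre-flight check for an OpenLDAP pwdPolicyChecker entry (added example,
not OpenLDAP or ppm code). Flags a relative pwdCheckModule path and a missing
pwdCheckModuleArg, and decodes the ppm parameters carried in that attribute."""
import base64
import os
from typing import Dict, List

# Constructed sample: the reporter's failing policy (comment #10), trimmed.
FAILING_POLICY_LDIF = """\
dn: cn=DefaultPassword,ou=Policies,dc=lecpq,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdCheckQuality: 2
pwdCheckModule: ppm.so
"""

# Constructed sample: the same policy after the reporter's fix. The base64
# value is the one posted in the report, written with LDIF line folding
# (continuation lines start with a single space).
FIXED_POLICY_LDIF = """\
dn: cn=DefaultPassword,ou=Policies,dc=lecpq,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdCheckQuality: 2
pwdCheckModule: /usr/local/libexec/openldap/ppm.so
pwdCheckModuleArg:: bWluUXVhbGl0eSA0Cm1heExlbmd0aCAwCmNoZWNrUkROIDEKZm9yYmlkZGVuQ2hhcnMgCmNsYXNz
 LXVwcGVyQ2FzZSBBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWiAxIDEKY2xhc3MtbG93ZXJDYXNl
 IGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6IDEgMQpjbGFzcy1kaWdpdCAwMTIzNDU2Nzg5IDEg
 MQpjbGFzcy1zcGVjaWFsIDw+LD87LjovIcKnw7klKsK1XsKoJMKjwrImw6l+IiMneyhbLXzDqGBf
 XMOnXsOgQCldwrA9fSsgMSAxCgo=
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute: [values]}: folded lines (leading
    space) are re-joined and '::' values are base64-decoded as UTF-8."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def check_policy(attrs: Dict[str, List[str]], check_fs: bool = False) -> List[str]:
    """Return findings for the entry; an empty list means nothing to flag.
    check_fs additionally verifies that an absolute module path exists."""
    findings: List[str] = []
    module = attrs.get("pwdCheckModule", [""])[0]
    if not module:
        return findings  # no external checker configured, nothing to validate
    classes = {oc.lower() for oc in attrs.get("objectClass", [])}
    if "pwdpolicychecker" not in classes:
        findings.append("pwdCheckModule is set but objectClass pwdPolicyChecker is missing")
    if not os.path.isabs(module):
        findings.append(f"pwdCheckModule '{module}' is not an absolute path; whether it "
                        "loads depends on how slapd is built and started")
    elif check_fs and not os.path.isfile(module):
        findings.append(f"pwdCheckModule '{module}' does not exist on this host")
    if "pwdCheckModuleArg" not in attrs:
        findings.append("pwdCheckModuleArg is absent; slapd without the ITS#9656 fix "
                        "crashes on password change when the module reads it")
    return findings


def parse_ppm_args(arg: str) -> Dict[str, str]:
    """Split a decoded pwdCheckModuleArg into {parameter: rest of line}.
    ppm uses one 'name value...' line per parameter; a value may be empty
    (forbiddenChars in the report) or contain spaces (the class-* lines)."""
    params: Dict[str, str] = {}
    for line in arg.splitlines():
        line = line.strip()
        if line:
            name, _, value = line.partition(" ")
            params[name] = value.strip()
    return params


if __name__ == "__main__":
    for label, ldif in (("failing", FAILING_POLICY_LDIF), ("fixed", FIXED_POLICY_LDIF)):
        entry = parse_ldif_entry(ldif)
        print(f"[{label}] findings: {check_policy(entry) or 'none'}")
        for key, val in parse_ppm_args(entry.get("pwdCheckModuleArg", [""])[0]).items():
            print(f"    {key} = {val!r}")
```

Run against an `ldapsearch -LLL` or `slapcat` dump of the policy DN before reloading it; on a 2.5.x host without the fix, the "pwdCheckModuleArg is absent" finding is the one that would otherwise surface as a crash at the next password change.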
Quanah Gibson-Mount quanah@openldap.org changed:
What     | Removed           | Added
Assignee | bugs@openldap.org | ondra@mistotebe.net
--- Comment #13 from Quanah Gibson-Mount quanah@openldap.org --- Commits:
• fd5b6a17 by Ondřej Kuzník at 2021-09-04T21:19:39+00:00
  ITS#9656 Check we got configuration from policy
--- Comment #14 from Quanah Gibson-Mount quanah@openldap.org --- RE26:
Commits:
• d453a9b0 by Ondřej Kuzník at 2021-09-06T15:59:29+00:00
  ITS#9656 Check we got configuration from policy
--- Comment #15 from Quanah Gibson-Mount quanah@openldap.org --- 2.5 MR:
https://git.openldap.org/openldap/openldap/-/merge_requests/399
Quanah Gibson-Mount quanah@openldap.org changed:
What       | Removed     | Added
Status     | IN_PROGRESS | RESOLVED
Resolution | ---         | FIXED
--- Comment #16 from Quanah Gibson-Mount quanah@openldap.org --- RE25:
Commits:
• ea7d9cf3 by Ondřej Kuzník at 2021-09-07T15:10:45+00:00
  ITS#9656 Check we got configuration from policy
Ondřej Kuzník ondra@mistotebe.net changed:
What    | Removed                                                   | Added
Summary | slapd crashes when ppm settings don't exist in the schema | slapd crashes when ppm settings don't exist in the policy
Quanah Gibson-Mount quanah@openldap.org changed:
What   | Removed  | Added
Status | RESOLVED | VERIFIED