Unfortunately, the current cn=config design makes it essentially impossible to use global modules. For example, the pw-sha2 global module for adding additional hashing schemes cannot be used with cn=config. This is because the olcPasswordHash value is loaded up when cn=config is bootstrapped, prior to loading the global module. This means that the value fails sanity checking, and slapd aborts. See also ITS#7802.
Ideas on how to address this chicken and egg issue welcome. ;)
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
--On Thursday, February 20, 2014 5:26 PM -0800 Quanah Gibson-Mount quanah@zimbra.com wrote:
> Unfortunately, the current cn=config design makes it essentially impossible to use global modules. For example, the pw-sha2 global module for adding additional hashing schemes cannot be used with cn=config. This is because the olcPasswordHash value is loaded up when cn=config is bootstrapped, prior to loading the global module. This means that the value fails sanity checking, and slapd aborts. See also ITS#7802.
> Ideas on how to address this chicken and egg issue welcome. ;)
Simple way to reproduce:
ldapmodify -x -H ldapi:/// -D cn=config -W
dn: cn=module{0}, cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2.la

ldapmodify -x -H ldapi:/// -D cn=config -W
dn: cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA512}
After this point, things will work as long as you don't restart slapd. Once you restart slapd, slapd will abort because {SSHA512} is now no longer a known hash.
--Quanah
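As an added pre-restart check that is not part of the thread or of OpenLDAP itself: a small shell script that scans a slapd.d tree for olcPasswordHash schemes slapd does not know without a module, so the abort-on-restart reproduced above is caught before slapd is restarted. It assumes the built-in scheme list of a typical 2.4 build and that pw-sha2 is the module supplying the SHA-2 schemes; the sample slapd.d tree it builds is constructed to mirror the reproduction.

```shell
#!/bin/sh
# Pre-restart check for the failure described in the thread (added example,
# not from the original mail or from OpenLDAP). Schemes in olcPasswordHash are
# validated when cn=config is bootstrapped, before olcModuleLoad runs, so a
# module-provided scheme makes the restart abort (ITS#7802) even when the
# module is configured.

# Schemes slapd knows without a module (assumption: typical 2.4 build;
# {CRYPT} depends on build options).
BUILTIN_SCHEMES='{SSHA} {SHA} {SMD5} {MD5} {CRYPT} {CLEARTEXT}'

# configured_hashes DIR: print the olcPasswordHash values in DIR/cn=config.ldif
configured_hashes() {
    sed -n 's/^olcPasswordHash: *//p' "$1/cn=config.ldif"
}

# module_loaded DIR NAME: 0 if some cn=module{N}.ldif under DIR loads NAME
module_loaded() {
    grep -qs "^olcModuleLoad:.*$2" "$1"/cn=config/cn=module*.ldif
}

# check_password_hashes DIR: return 0 if every configured scheme is built in,
# otherwise print each scheme that would abort the restart and return 1.
check_password_hashes() {
    rc=0
    for scheme in $(configured_hashes "$1"); do
        case " $BUILTIN_SCHEMES " in
            *" $scheme "*) ;;
            *)
                if module_loaded "$1" pw-sha2; then
                    echo "$scheme: pw-sha2 is in olcModuleLoad but loads after olcPasswordHash is checked; restart will abort"
                else
                    echo "$scheme: not built in and pw-sha2 not in olcModuleLoad; restart will abort"
                fi
                rc=1
                ;;
        esac
    done
    return $rc
}

# make_sample_config: build a constructed slapd.d tree matching the thread's
# reproduction (pw-sha2 loaded, {SSHA512} configured) and print its path.
make_sample_config() {
    d=$(mktemp -d)
    mkdir -p "$d/cn=config"
    printf 'dn: cn=config\nobjectClass: olcGlobal\nolcPasswordHash: {SSHA512}\n' \
        > "$d/cn=config.ldif"
    printf 'dn: cn=module{0}\nobjectClass: olcModuleList\nolcModuleLoad: {0}pw-sha2.la\n' \
        > "$d/cn=config/cn=module{0}.ldif"
    echo "$d"
}
```

Run it as `check_password_hashes /etc/openldap/slapd.d` (or wherever slapd.d lives) before a restart; a non-zero exit means the restart would abort.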
--On Thursday, February 20, 2014 5:26 PM -0800 Quanah Gibson-Mount quanah@zimbra.com wrote:
> Unfortunately, the current cn=config design makes it essentially impossible to use global modules. For example, the pw-sha2 global module for adding additional hashing schemes cannot be used with cn=config. This is because the olcPasswordHash value is loaded up when cn=config is bootstrapped, prior to loading the global module. This means that the value fails sanity checking, and slapd aborts. See also ITS#7802.
So, would it be possible to have a lazy-load of global config (so that the module gets loaded) followed by a strict reload of global config as a way around this?
--Quanah