--On Thursday, February 20, 2014 5:26 PM -0800 Quanah Gibson-Mount
<quanah(a)zimbra.com> wrote:
Unfortunately, the current cn=config design makes it essentially
impossible to use global modules. For example, the pw-sha2 global module
for adding additional hashing schemes cannot be used with cn=config. This
is because the olcPasswordHash value is loaded up when cn=config is
bootstrapped, prior to loading the global module. This means that the
value fails sanity checking, and slapd aborts. See also ITS#7802.
Ideas on how to address this chicken and egg issue welcome. ;)

Simple way to reproduce:

ldapmodify -x -H ldapi:/// -D cn=config -W
dn: cn=module{0}, cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2.la

ldapmodify -x -H ldapi:/// -D cn=config -W
dn: cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA512}

After this point, things will work as long as you don't restart slapd.
Once you restart slapd, slapd will abort because {SSHA512} is now no longer
a known hash.
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
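
A pre-restart check for the condition described in the message above, as an added example that is not part of the original message or of OpenLDAP itself: it scans an exported cn=config LDIF and reports every olcPasswordHash scheme that is not compiled into slapd, since such a value is validated before any olcModuleLoad entry takes effect. The built-in scheme list, the function names and the sample LDIF are assumptions made for the example.

```python
import base64
import re

# Assumption: schemes compiled into a stock slapd; adjust to match your build options.
BUILTIN_SCHEMES = {"{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{CLEARTEXT}"}

# Constructed sample resembling the state left by the two ldapmodify calls above.
SAMPLE_CONFIG = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcPasswordHash: {SSHA512}

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}pw-sha2.la
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    return re.sub(r"\r?\n ", "", ldif_text)


def password_hash_values(ldif_text):
    """Return every scheme named by an olcPasswordHash attribute, in file order."""
    schemes = []
    for line in unfold(ldif_text).splitlines():
        m = re.match(r"(?i)olcPasswordHash(::?)\s*(.*)$", line)
        if not m:
            continue
        value = m.group(2)
        if m.group(1) == "::":  # base64-encoded LDIF value
            value = base64.b64decode(value).decode("utf-8")
        schemes.extend(value.split())
    return schemes


def schemes_needing_module(ldif_text):
    """Schemes that only a loadable module provides. A module loaded through
    cn=config does not clear them: the hash value is checked first."""
    return [s for s in password_hash_values(ldif_text)
            if s.upper() not in BUILTIN_SCHEMES]


if __name__ == "__main__":
    for scheme in schemes_needing_module(SAMPLE_CONFIG):
        print(f"olcPasswordHash {scheme} is not built in; slapd may abort on restart")
```

Run it against the output of slapcat -n 0 before restarting slapd; an empty result means every configured hash is one the assumed built-in set covers.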