Howard Chu wrote:
> Pierangelo Masarati wrote:
>> That sounds like a bug. In fact, {K5KEY} is loaded by smbk5pwd, so if in slapd.conf you correctly load the module __before__ using password-hash things work as expected. However, when the configuration is loaded from the back-config database, modules are loaded __after__ the global entry, which contains password-hash. Apparently, checking the value of the password-hash attribute must be deferred to __after__ loading the entire configuration. This might be true in general. I suggest you file an ITS for this issue http://www.openldap.org/its/.
>
> If it's a general problem, then we're going to need to re-shuffle the layout of the cn=config tree so that global directives are processed after any modules are loaded. But I think password mechs are the only item that can be registered at runtime that currently have a problem.

It seems to be so. I'm considering different approaches:

* force some sequentiality in parsing config entries; for example:
  - schema first
  - then modules (modules may rely on presence of schema)
  - then the rest
  but this is not ensuring the right ordering of things

* turn failed config parsing into a list of modifications to be recursively reapplied later until either success or a complete run thru the list results in no success.
  This also does not ensure the right ordering

* change the layout so that config database parsing from LDIF is treated differently from slapd.conf, in two phases:
  - read-in
  - validation

In all the above cases there's no guarantee the original ordering is preserved, so the safest solution would be to keep a changelog of configuration to be rolled-in again at startup instead of relying on the configuration stored on disk.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
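
The second approach listed in the message above (re-apply failed entries until a full pass makes no progress), sketched as an added example that is not part of the original thread and is not OpenLDAP code. The `struct entry` model, the function names and the sample DNs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a config entry (not slapd's structures): a module
 * entry registers a password scheme, password-hash needs one registered. */
struct entry {
    const char *dn;        /* constructed sample DN */
    const char *provides;  /* scheme registered on apply, or NULL */
    const char *needs;     /* scheme that must already be known, or NULL */
    int applied;
};

static const char *schemes[8];
static int nschemes;

static int scheme_known(const char *s) {
    for (int i = 0; i < nschemes; i++)
        if (strcmp(schemes[i], s) == 0) return 1;
    return 0;
}

/* Returns 0 on success, -1 if the entry's scheme is not registered yet. */
static int apply_entry(struct entry *e) {
    if (e->needs && !scheme_known(e->needs)) return -1;
    if (e->provides && nschemes < 8) schemes[nschemes++] = e->provides;
    e->applied = 1;
    return 0;
}

/* Apply entries in stored order, then re-apply the failures until a whole
 * pass makes no progress. Returns the number of entries still failing. */
int load_config(struct entry *es, int n, int *passes) {
    int pending = n, progress = 1;
    nschemes = 0;
    *passes = 0;
    for (int i = 0; i < n; i++) es[i].applied = 0;
    while (pending > 0 && progress) {
        progress = 0;
        (*passes)++;
        for (int i = 0; i < n; i++)
            if (!es[i].applied && apply_entry(&es[i]) == 0) { pending--; progress = 1; }
    }
    return pending;
}

int main(void) {
    struct entry es[] = {{"cn=config", NULL, "{K5KEY}", 0},              /* stored first */
                         {"cn=module{0},cn=config", "{K5KEY}", NULL, 0}}; /* stored second */
    int passes, left = load_config(es, 2, &passes);
    printf("unapplied=%d passes=%d\n", left, passes);
    return left != 0;
}
```

With the sample entries the global entry only succeeds on the second pass, after the module entry, so the effective order differs from the stored order. An entry naming a scheme that no module registers stays pending and is reported as a failure once a pass makes no progress.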