I have one LDAP master server, a test server, which no one but me has access to (at least I think). Something really strange is happening, userPassword fields (they are in MD5 format) keep getting changed every 1 or 2 days. Sometimes they change after a mass add operation, or mass delete operation. It could be someone messing with me, but that would be unusual, since they also happen after I do mass operations on the server. I rechecked my "mass operation" scripts, and they do not seem to be breaking other entries while they operate on a given entry (add/delete entry and bind with that DN). I think maybe my BDB and cache settings may be causing it, it's just a thought, I really don't know what's going on:
I have about 15000 entries on my server; they will grow by around 1000 every 6 months.

My slapd.conf:

--- slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/postfix.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/acl-ldap.conf
schemacheck on
allow bind_v2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
database bdb
suffix "dc=organization,dc=com,dc=tld"
cachesize 16500
rootdn "cn=donotusethisdn,dc=organization,dc=com,dc=tld"
rootpw {MD5}blablabla
checkpoint 1024 5
loglevel any
lastmod on
SIZELIMIT -1
directory /var/lib/ldap
index objectClass eq,pres
# 2008-07-25
index ou,cn,mail,sn,givenname eq,pres,sub
# 2008-06-31
index uid,memberUid,mailacceptinggeneralid,maildrop pres,eq
index mailroutingaddress pres,eq
TLSCertificateFile /etc/openldap/cert.crt
TLSCertificateKeyFile /etc/openldap/key.key
TLSCACertificateFile /etc/openldap/cacert.crt

replica uri=ldap://ldapslave.organization.com.tld:389
        binddn=cn=slavereplicator,ou=adm,dc=organization,dc=com,dc=tld
        bindmethod=simple
        credentials=blebleble
        starttls=critical

replogfile /var/lib/ldap/replog
--- slapd.conf

--- /var/lib/ldap/DB_CONFIG
set_cachesize 0 64781516 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE
--- /var/lib/ldap/DB_CONFIG

---------------
server: # ls -lh /var/lib/ldap/*.bdb
-rw------- 1 ldap ldap 6.2M Aug 28 08:58 /var/lib/ldap/cn.bdb
-rw------- 1 ldap ldap 3.3M Aug 28 08:58 /var/lib/ldap/dn2id.bdb
-rw------- 1 ldap ldap 4.8M Aug 28 08:58 /var/lib/ldap/givenName.bdb
-rw------- 1 ldap ldap  20M Aug 28 08:58 /var/lib/ldap/id2entry.bdb
-rw------- 1 ldap ldap  11M Aug 28 08:58 /var/lib/ldap/mail.bdb
-rw------- 1 ldap ldap 816K Aug 28 08:58 /var/lib/ldap/mailRoutingAddress.bdb
-rw------- 1 ldap ldap 8.0K Aug 22 15:55 /var/lib/ldap/memberUid.bdb
-rw------- 1 ldap ldap 2.0M Aug 28 08:58 /var/lib/ldap/objectClass.bdb
-rw------- 1 ldap ldap 8.0K Aug 22 15:55 /var/lib/ldap/ou.bdb
-rw------- 1 ldap ldap 8.7M Aug 28 08:58 /var/lib/ldap/sn.bdb
-rw------- 1 ldap ldap 804K Aug 28 08:58 /var/lib/ldap/uid.bdb
---------------
Do these cache settings make sense? The "corruptions", if I can call them that, are also happening on the slave. Master and slave are exactly equal (slapcat's output is exactly the same), so I rule out that the replication is causing this. Before, "checkpoint 1024 5" in slapd.conf was "checkpoint 512 15". I'm turning replication off, and I'll see what happens.
I really don't understand what's going on. An attacker messing with me would be really strange, since he does not have access to anything with these passes, and he could do a lot of other, more obvious things to mess with my work (I don't know, deleting something...). But at the same time, it's strange to get data corrupted in _just_ this particular field. Other fields on the entries are not altered.
--On Thursday, August 28, 2008 8:21 PM +0800 k bah kbah@linuxmail.org wrote:
Have you audited the logs to see if perhaps the userPassword field for those entries is simply being modified in your updates?
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Thu, Aug 28, 2008 at 10:21 PM, k bah kbah@linuxmail.org wrote:
You don't seem to have an explicit "password-hash" statement that specifies the MD5 hash. Perhaps it is defaulting to "password-hash {SSHA}", which is a salted hash (even if you hash the same value, you get a different string each time), unlike MD5, which usually gives you the same hash string output where the input string is the same.
Probably best to state the password hash type explicitly (assuming you care), rather than rely on the default, which might change depending on OpenLDAP version / compile options / libraries in the build environment, etc.
Cheers Brett
Brett @Google wrote:
On Thu, Aug 28, 2008 at 10:21 PM, k bah kbah@linuxmail.org wrote:
The default hash has always been SSHA.
It sounds like the original poster just doesn't know about base64 values in LDIF...
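The two points the replies make, that a {SSHA} value is salted so the same password produces a different string every time while {MD5} does not, and that slapcat writes userPassword as a base64 ("::") LDIF value, shown in an added Python example that is not from the thread; the password and the LDIF fragment are constructed, and the helper names are mine.

```python
import base64
import hashlib
import os

# Added example (not code from the thread): OpenLDAP-style {SSHA} and {MD5}
# userPassword values, and decoding of the base64 lines slapcat emits for them.

def ssha_hash(password, salt=None):
    """{SSHA} value: base64(sha1(password + salt) + salt). A fresh random salt
    means the same password yields a different stored string every time."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def md5_hash(password):
    """{MD5} value: base64(md5(password)), unsalted, so always the same string."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")

def check_password(password, stored):
    """Verify a cleartext password against a {SSHA} or {MD5} userPassword value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; salt follows
        return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest
    if stored.startswith("{MD5}"):
        return md5_hash(password) == stored
    raise ValueError("unsupported scheme in " + stored)

def ldif_attr_values(ldif, attr):
    """Values of `attr` in LDIF text: 'attr:: <base64>' lines (the form slapcat
    uses for userPassword) are decoded, 'attr: value' lines are taken as-is."""
    values = []
    for line in ldif.splitlines():
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:]).decode("utf-8"))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values

if __name__ == "__main__":
    pw = "constructed-example-password"
    a, b = ssha_hash(pw), ssha_hash(pw)
    print(a != b, check_password(pw, a), check_password(pw, b))   # True True True
    print(md5_hash(pw) == md5_hash(pw))                            # True
    # Constructed LDIF fragment in slapcat's style: userPassword is base64-encoded.
    ldif = "dn: uid=example,dc=organization,dc=com,dc=tld\nuserPassword:: " + base64.b64encode(a.encode("ascii")).decode("ascii") + "\n"
    print(ldif_attr_values(ldif, "userPassword") == [a])           # True
```

Comparing two slapcat dumps of the same entry therefore only tells you whether the stored value changed, not whether the password did; with {SSHA} you have to bind or verify against the salt to know.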