obscure slapd configuration

Bug #1742123 reported by Hadmut Danisch
This bug affects 1 person
Affects: openldap (Ubuntu); Status: Expired; Importance: Undecided; Assigned to: Unassigned; Milestone: (not set)

Bug Description

Hi,

the openldap server slapd comes with two configuration options, the old one based on slapd.conf, and a new one based on ldifs.

The debian/ubuntu package performs some obscure magic to generate a ldif based config in /etc/slapd/slapd.d, but does not provide any hint or documentation about how to change/adjust it. E.g. if the package was installed non-interactively through puppet or ansible, it is not obvious where the root password comes from or how to change it or how to re-setup.

Furthermore it is a security gap to create something like

dn: dc=buero,dc=danisch,dc=de
objectClass: top
objectClass: dcObject
objectClass: organization
o: buero.danisch.de
dc: buero
structuralObjectClass: organization
entryUUID: 4f765744-85aa-1037-9ee9-1db94ae2a6d4
creatorsName: cn=admin,dc=buero,dc=danisch,dc=de
createTimestamp: 20180104145011Z
entryCSN: 20180104145011.817411Z#000000#000#000000
modifiersName: cn=admin,dc=buero,dc=danisch,dc=de
modifyTimestamp: 20180104145011Z

dn: cn=admin,dc=buero,dc=danisch,dc=de
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y=
structuralObjectClass: organizationalRole
entryUUID: 4f79fd9a-85aa-1037-9eea-1db94ae2a6d4
creatorsName: cn=admin,dc=buero,dc=danisch,dc=de
createTimestamp: 20180104145011Z
entryCSN: 20180104145011.841518Z#000000#000#000000
modifiersName: cn=admin,dc=buero,dc=danisch,dc=de
modifyTimestamp: 20180104145011Z

and

olcRootDN: cn=admin,dc=buero,dc=danisch,dc=de
olcRootPW:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y=

that contains an admin password without me ever having set it or having a randomly generated one.

Since I do not see how to cleanly change this with ldapmodify, I do not see an option to remove this all and restart with an old-style slapd.conf.

regards

Joshua Powers (powersj) wrote :

Thanks for taking the time to file a bug

> E.g. if the package was installed non-interactively through puppet or
> ansible, it is not obvious where the root password comes from or how
> to change it or how to re-setup.

Per Debian bug #134774, a change was made to generate a random one if a password cannot be provided (e.g. non-interactive mode), here is the change log entry:

   * If can not get a password for the admin entry when installing slapd
     generate one randomly. Closes: Bug#134774

A "normal" cli install would involve the following:
$ apt update
$ apt install slapd
<user gets prompted for Administrator password and to confirm it>

To find your hashed password, and also the RootDN info, use the following:
$ ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW
dn: olcDatabase={1}mdb,cn=config
olcRootDN: cn=admin,dc=lxd
olcRootPW: {SSHA}6l+/PkFITcYX87C6RJ1sLAh8/CulOS78

To confirm the password:
$ ldapsearch -h localhost -D "cn=admin,dc=lxd" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

If your password was incorrect you would get the following instead:
ldap_bind: Invalid credentials (49)

Of course a random password, let alone a hashed password, does not do you any good. To allow the use of some non-interactive mode the selection can be set beforehand using debconf-set-selections:
$ echo "slapd slapd/internal/adminpw password password" | debconf-set-selections
$ echo "slapd slapd/password1 password password" | debconf-set-selections
$ echo "slapd slapd/password2 password password" | debconf-set-selections
$ apt update
$ apt install slapd

Then I repeated the above to verify that my password was in fact set correctly.

If instead you want to reset the admin password after the random one was generated you can do the following:
$ ldapsearch -H ldapi:// -LLL -Q -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" dn olcRootDN olcRootPW | tee password.ldif
$ slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}y/QP58Xotj6s38cVLOxZh/jsZ7W8scVT
# Modify the password.ldif by removing dn, add changetype and replace lines, and adding the new password
$ cat password.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}y/QP58Xotj6s38cVLOxZh/jsZ7W8scVT
$ ldapmodify -H ldapi:// -Y EXTERNAL -f ~/password.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

Then confirm the password as stated previously.
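An added example (not from the bug report or the openldap package) that ties the two procedures above together: decoding the base64 `olcRootPW::` LDIF line quoted in the report, checking a candidate password against a {SSHA} hash offline the way slapd does on a simple bind, and generating the replace LDIF that the comment edits by hand. The {SSHA} layout (base64 of SHA-1(password + salt) followed by the salt) is OpenLDAP's standard format; the 4-byte salt length assumes slappasswd's default.

```python
import base64
import hashlib
import hmac
import os

def ldif_attr(line):
    """Split one unwrapped LDIF line into (attribute, value).
    'attr:: value' means the value is base64, as in the report's olcRootPW:: line."""
    attr, sep, rest = line.partition("::")
    if sep:
        return attr.strip(), base64.b64decode(rest.strip()).decode()
    attr, _, rest = line.partition(":")
    return attr.strip(), rest.strip()

def ssha_hash(password, salt=None):
    """Build a {SSHA} value in the format slappasswd -h {SSHA} emits:
    base64(sha1(password + salt) + salt); slappasswd uses a 4-byte random salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, candidate):
    """Check a candidate password against a stored {SSHA} hash offline,
    the same comparison slapd performs when confirming the password by bind."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    expected = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)   # constant-time compare

def rootpw_modify_ldif(db_dn, new_hash):
    """The ldapmodify input shown in the comment (dn, changetype, replace,
    new olcRootPW), generated instead of hand-edited from ldapsearch output."""
    return "\n".join([f"dn: {db_dn}", "changetype: modify",
                      "replace: olcRootPW", f"olcRootPW: {new_hash}", ""])

# Sample input: the base64-encoded olcRootPW line quoted in the bug report.
REPORTED_LINE = "olcRootPW:: e1NTSEF9aUlUVXlxNE9ZWFFuZjA1ejhqem0yWnJpY09xaGxBc0Y="

if __name__ == "__main__":
    attr, stored = ldif_attr(REPORTED_LINE)
    print(attr, "decodes to", stored)
    # Constructed password for the demonstration, not a value from the page.
    new_hash = ssha_hash("example-only")
    print("verify:", ssha_verify(new_hash, "example-only"))
    print(rootpw_modify_ldif("olcDatabase={1}mdb,cn=config", new_hash))
```

Feed the generated LDIF to `ldapmodify -H ldapi:// -Y EXTERNAL` as in the comment; the decode step is what reveals that the `::` lines in the report hold an {SSHA} hash, not a cleartext password.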

Joshua Powers (powersj) wrote :

Since in the above I show you:

1) why a random password gets set
2) how to set the password non-interactively
3) how to change the password

I am going to move this to incomplete and await your response as to whether further action needs to be taken. Frankly, I don't see this as a bug in Ubuntu, other than the slight possibility of missing documentation.

Hope this all helps you,
Thanks!

Changed in openldap (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]

Changed in openldap (Ubuntu):
status: Incomplete → Expired