slapd crash with pwdAccountLockedTime and stacked overlays

Bug #1866303 reported by Ryan Tandy on 2020-03-06
Affects Status Importance Assigned to Milestone
openldap (Debian)
Fix Released
Unknown
openldap (Ubuntu)
Undecided
Andreas Hasenack
Xenial
Undecided
Andreas Hasenack
Bionic
Undecided
Andreas Hasenack
Disco
Undecided
Unassigned
Eoan
Undecided
Andreas Hasenack

Bug Description

[Impact]
In the configuration and conditions described below, slapd can crash:

1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control
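An added configuration audit, not part of the bug report or of the openldap packaging, that reads a slapd.conf-style overlay stack and the password-policy LDIF and reports which databases match conditions 1 and 2 above (ppolicy with a lockout-enabled default policy, smbk5pwd listed after it). The embedded slapd.conf and LDIF are constructed samples, and the function names are assumptions of this example; it handles only slapd.conf syntax (not cn=config) and only the database's ppolicy_default policy, ignoring per-user pwdPolicySubentry.

```python
"""Audit a slapd.conf overlay stack for the pattern from this bug.

Added example; not part of the bug report or of the openldap packaging.
The sample slapd.conf and policy LDIF are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: one database, ppolicy listed before smbk5pwd.
SAMPLE_SLAPD_CONF = """\
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/ppolicy.schema
moduleload ppolicy.la
moduleload smbk5pwd.la

database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
directory /var/lib/ldap

# ppolicy first, smbk5pwd stacked after it: the pattern from the bug
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

overlay smbk5pwd
"""

# Constructed sample: the default password policy with lockout enabled.
SAMPLE_POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
cn: default
sn: default
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
"""


def parse_databases(conf: str) -> List[Dict]:
    """One record per 'database' section: type, suffix, overlay order
    (as listed in the file) and the ppolicy_default DN, if any."""
    dbs: List[Dict] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].lower()
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "database":
            dbs.append({"type": arg, "suffix": None,
                        "overlays": [], "ppolicy_default": None})
        elif not dbs:
            continue  # global directives before the first database
        elif key == "suffix":
            dbs[-1]["suffix"] = arg
        elif key == "overlay":
            dbs[-1]["overlays"].append(arg.lower())
        elif key == "ppolicy_default":
            dbs[-1]["ppolicy_default"] = arg
    return dbs


def lockout_policy_dns(ldif: str) -> List[str]:
    """DNs of pwdPolicy entries whose pwdLockout is TRUE."""
    found: List[str] = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            k, v = line.split(":", 1)
            attrs.setdefault(k.strip().lower(), []).append(v.strip())
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        lockout = attrs.get("pwdlockout", ["FALSE"])[0].upper() == "TRUE"
        if "pwdpolicy" in classes and lockout and "dn" in attrs:
            found.append(attrs["dn"][0])
    return found


def affected_databases(conf: str, ldif: str) -> List[str]:
    """Suffixes whose stack lists smbk5pwd after ppolicy and whose default
    policy enables lockout: conditions 1 and 2 of the bug description."""
    lockout = set(lockout_policy_dns(ldif))
    hits: List[str] = []
    for db in parse_databases(conf):
        ov = db["overlays"]
        if "ppolicy" not in ov or "smbk5pwd" not in ov:
            continue
        if ov.index("smbk5pwd") < ov.index("ppolicy"):
            continue  # smbk5pwd listed before ppolicy: not the reported pattern
        if db["ppolicy_default"] in lockout:
            hits.append(db["suffix"] or db["type"])
    return hits


if __name__ == "__main__":
    for suffix in affected_databases(SAMPLE_SLAPD_CONF, SAMPLE_POLICY_LDIF):
        print(f"{suffix}: ppolicy with lockout and smbk5pwd stacked after it; "
              "confirm the installed slapd carries the ITS#9171 fix")
```

A hit only means the first two ingredients are present; the crash still needs a locked account and a bind requesting the ppolicy control, so the result is a prioritisation signal for applying the fixed package, not proof that a given server will crash.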

[Test Case]

* get the files from the bug:
mkdir slapd-test-case; cd slapd-test-case
wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script

* run the script:
sudo apt update && sudo sh ./script

* With the bug, the result is:
ldap_bind: Invalid credentials (49)
slapd dead

* If, when confirming the bug, you don't see "slapd dead" as above, check manually with "sudo systemctl status slapd": slapd might still have been in the process of shutting down when the script checked its status.

* With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages):

sudo sh ./script
...
slapd running
ldap_bind: Invalid credentials (49)
slapd running

[Regression Potential]
The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap.

[Other Info]
This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+.

[Original Description]

Hello,

Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time.

Upstream: https://openldap.org/its/?findid=9171
Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150

The ingredients for the crash are:

1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control

The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash.

I will attach my test script and data for reproducing the crash.

Expected output (last lines):

[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd running

Actual output (last lines):

[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd dead

Changed in openldap (Ubuntu):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Andreas Hasenack (ahasenack) wrote :

Thanks a lot for this Ryan, and awesome testing script!

Robie Basak (racb) on 2020-03-09
tags: added: server-next
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.49+dfsg-2ubuntu1

---------------
openldap (2.4.49+dfsg-2ubuntu1) focal; urgency=medium

  * Merge with Debian unstable (LP: #1866303). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
          principal
        [Dropped the ldap_gssapi_bind_s() hunk as that is already
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
      - d/rules:
        - Explicitly add -I/usr/include/heimdal to CFLAGS.
        - Explicitly add -I/usr/lib/<multiarch>/heimdal to LDFLAGS.
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/rules:
        - add nssov to CONTRIB_MODULES
        - add sysconfdir to CONTRIB_MAKEVARS
      - d/slapd.install:
        - install nssov overlay
      - d/slapd.manpages:
        - install slapo-nssov(5) man page
    - d/{rules,slapd.py}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
    - d/libldap-2.4-2.symbols: Add symbols not present in Debian.
      - CLDAP (UDP) was added in 2.4.17-1ubuntu2
      - GSSAPI support was enabled in 2.4.18-0ubuntu2
    - d/p/contrib-makefiles: given the change in 2.4.47+dfsg-3 regarding
      Debian bug #919136, we also have to patch the nssov makefile
      accordingly and thus update this patch.

openldap (2.4.49+dfsg-2) unstable; urgency=medium

  * slapd.README.Debian: Document the initial setup performed by slapd's
    maintainer scripts in more detail. Thanks to Karl O. Pinc.
    (Closes: #952501)
  * Import upstream patch to fix slapd crashing in certain configurations when
    a client attempts a login to a locked account.
    (ITS#9171) (Closes: #953150)

 -- Andreas Hasenack <email address hidden> Fri, 06 Mar 2020 11:39:12 -0300

Changed in openldap (Ubuntu):
status: In Progress → Fix Released
Bryce Harrington (bryce) wrote :

We're no longer looking at backporting fixes for disco.

This looks suitable for SRU so the other proposed series tasks are valid, and this is already in the server-next queue.

Changed in openldap (Ubuntu Disco):
status: New → Won't Fix
Changed in openldap (Debian):
status: Unknown → Fix Released
Andreas Hasenack (ahasenack) wrote :

This fix was added to focal, and we haven't received any crash reports about it as far as I know, so I'm proceeding with the SRU for the other ubuntu releases.

Changed in openldap (Ubuntu Xenial):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in openldap (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in openldap (Ubuntu Eoan):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
description: updated
description: updated