2020-03-06 05:13:56 |
Ryan Tandy |
bug |
|
|
added bug |
2020-03-06 05:15:43 |
Ryan Tandy |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150 |
|
2020-03-06 05:15:43 |
Ryan Tandy |
bug task added |
|
openldap (Debian) |
|
2020-03-06 05:21:24 |
Ryan Tandy |
attachment added |
|
slapd.conf https://bugs.launchpad.net/bugs/1866303/+attachment/5334194/+files/slapd.conf |
|
2020-03-06 05:21:24 |
Ryan Tandy |
attachment added |
|
data.ldif https://bugs.launchpad.net/bugs/1866303/+attachment/5334195/+files/data.ldif |
|
2020-03-06 05:21:24 |
Ryan Tandy |
attachment added |
|
samba.schema https://bugs.launchpad.net/bugs/1866303/+attachment/5334196/+files/samba.schema |
|
2020-03-06 05:21:24 |
Ryan Tandy |
attachment added |
|
script https://bugs.launchpad.net/bugs/1866303/+attachment/5334197/+files/script |
|
2020-03-06 14:04:28 |
Andreas Hasenack |
openldap (Ubuntu): status |
New |
In Progress |
|
2020-03-06 14:04:29 |
Andreas Hasenack |
openldap (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
2020-03-06 16:46:34 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Disco |
|
2020-03-06 16:46:34 |
Andreas Hasenack |
bug task added |
|
openldap (Ubuntu Disco) |
|
2020-03-06 16:46:34 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Xenial |
|
2020-03-06 16:46:34 |
Andreas Hasenack |
bug task added |
|
openldap (Ubuntu Xenial) |
|
2020-03-06 16:46:34 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Eoan |
|
2020-03-06 16:46:34 |
Andreas Hasenack |
bug task added |
|
openldap (Ubuntu Eoan) |
|
2020-03-06 16:46:34 |
Andreas Hasenack |
nominated for series |
|
Ubuntu Bionic |
|
2020-03-06 16:46:34 |
Andreas Hasenack |
bug task added |
|
openldap (Ubuntu Bionic) |
|
2020-03-06 17:01:28 |
Marko Preuss |
bug |
|
|
added subscriber Marko Preuss |
2020-03-06 17:14:40 |
Marko Preuss |
removed subscriber Marko Preuss |
|
|
|
2020-03-06 17:14:53 |
Marko Preuss |
bug |
|
|
added subscriber Marko Preuss |
2020-03-09 12:15:52 |
Robie Basak |
tags |
|
server-next |
|
2020-03-09 12:16:01 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Server |
2020-03-09 12:48:29 |
Andreas Hasenack |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/380368 |
|
2020-03-14 01:47:25 |
Launchpad Janitor |
openldap (Ubuntu): status |
In Progress |
Fix Released |
|
2020-03-19 01:42:57 |
Bryce Harrington |
openldap (Ubuntu Disco): status |
New |
Won't Fix |
|
2020-03-31 03:39:48 |
Bug Watch Updater |
openldap (Debian): status |
Unknown |
Fix Released |
|
2020-07-01 19:50:40 |
Andreas Hasenack |
openldap (Ubuntu Xenial): status |
New |
In Progress |
|
2020-07-01 19:50:44 |
Andreas Hasenack |
openldap (Ubuntu Xenial): assignee |
|
Andreas Hasenack (ahasenack) |
|
2020-07-01 19:50:50 |
Andreas Hasenack |
openldap (Ubuntu Bionic): status |
New |
In Progress |
|
2020-07-01 19:50:53 |
Andreas Hasenack |
openldap (Ubuntu Bionic): assignee |
|
Andreas Hasenack (ahasenack) |
|
2020-07-01 19:50:59 |
Andreas Hasenack |
openldap (Ubuntu Eoan): status |
New |
In Progress |
|
2020-07-01 19:51:03 |
Andreas Hasenack |
openldap (Ubuntu Eoan): assignee |
|
Andreas Hasenack (ahasenack) |
|
2020-07-01 20:59:07 |
Andreas Hasenack |
description |
Hello,
Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time.
Upstream: https://openldap.org/its/?findid=9171
Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150
The ingredients for the crash are:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control
The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash.
I will attach my test script and data for reproducing the crash.
Expected output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd running
Actual output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd dead |
[Impact]
In the configuration and conditions described below, slapd can crash:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control
[Test Case]
* get the files from the bug:
mkdir slapd-test-case; cd slapd-test-case
wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script
* run the script:
sudo apt update && sudo sh ./script
* With the bug, the result is:
ldap_bind: Invalid credentials (49)
slapd dead
* If, when confirming the bug, you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd"
* With the fixed packages, you get a living slapd at the end (you can run the script again on the same system):
sudo add-apt-repository ppa:ahasenack/slapd-crash-bug-1866303 -y -u
sudo sh ./script
...
slapd running
ldap_bind: Invalid credentials (49)
slapd running
[Regression Potential]
The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap.
[Other Info]
This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+.
[Original Description]
Hello,
Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time.
Upstream: https://openldap.org/its/?findid=9171
Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150
The ingredients for the crash are:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control
The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash.
I will attach my test script and data for reproducing the crash.
Expected output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd running
Actual output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd dead |
|
2020-07-01 21:07:21 |
Andreas Hasenack |
description |
[Impact]
In the configuration and conditions described below, slapd can crash:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control
[Test Case]
* get the files from the bug:
mkdir slapd-test-case; cd slapd-test-case
wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script
* run the script:
sudo apt update && sudo sh ./script
* With the bug, the result is:
ldap_bind: Invalid credentials (49)
slapd dead
* If, when confirming the bug, you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd"
* With the fixed packages, you get a living slapd at the end (you can run the script again on the same system):
sudo add-apt-repository ppa:ahasenack/slapd-crash-bug-1866303 -y -u
sudo sh ./script
...
slapd running
ldap_bind: Invalid credentials (49)
slapd running
[Regression Potential]
The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap.
[Other Info]
This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+.
[Original Description]
Hello,
Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time.
Upstream: https://openldap.org/its/?findid=9171
Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150
The ingredients for the crash are:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control
The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash.
I will attach my test script and data for reproducing the crash.
Expected output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd running
Actual output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd dead |
[Impact]
In the configuration and conditions described below, slapd can crash:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control
[Test Case]
* get the files from the bug:
mkdir slapd-test-case; cd slapd-test-case
wget -ct0 https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334194/+files/slapd.conf https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334195/+files/data.ldif https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334196/+files/samba.schema https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1866303/+attachment/5334197/+files/script
* run the script:
sudo apt update && sudo sh ./script
* With the bug, the result is:
ldap_bind: Invalid credentials (49)
slapd dead
* If, when confirming the bug, you don't see "slapd dead" like above, check manually, as slapd might have been in the process of shutting down when the script checked its status: "sudo systemctl status slapd"
* With the fixed packages, you get a living slapd at the end (you can run the script again on the same system after updating the packages):
sudo sh ./script
...
slapd running
ldap_bind: Invalid credentials (49)
slapd running
[Regression Potential]
The fix is in the password policy overlay (not enabled by default), so any regressions would be around that area and could potentially impact authentication ("binding") to openldap.
[Other Info]
This was fixed in focal and "cooked" there for a long while, as suggested by the Debian maintainer. We haven't received further bug reports about this in focal+.
[Original Description]
Hello,
Please merge openldap 2.4.49+dfsg-2 from Debian unstable to fix an issue in the ppolicy overlay that can crash slapd. Please also consider SRUing the patch after it has had some testing time.
Upstream: https://openldap.org/its/?findid=9171
Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953150
The ingredients for the crash are:
1. ppolicy overlay configured with pwdLockout: TRUE
2. smbk5pwd overlay stacked after ppolicy
3. an account locked out via pwdAccountLockedTime
4. a client binding to the locked-out account and also requesting the ppolicy control
The buggy code is not as specific as the above steps, so I suspect there are probably other configurations or steps that can trigger the same crash.
I will attach my test script and data for reproducing the crash.
Expected output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd running
Actual output (last lines):
[ ok ] Starting OpenLDAP: slapd.
slapd running
ldap_bind: Invalid credentials (49)
slapd dead |
|
2020-07-01 21:16:37 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/386701 |
|
2020-07-01 21:18:12 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/386702 |
|
2020-07-01 21:19:59 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+merge/386703 |
|
2020-07-07 22:19:04 |
Brian Murray |
openldap (Ubuntu Eoan): status |
In Progress |
Fix Committed |
|
2020-07-07 22:19:06 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-07-07 22:19:08 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2020-07-07 22:19:13 |
Brian Murray |
tags |
server-next |
server-next verification-needed verification-needed-eoan |
|
2020-07-07 22:20:26 |
Brian Murray |
openldap (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2020-07-07 22:20:32 |
Brian Murray |
tags |
server-next verification-needed verification-needed-eoan |
server-next verification-needed verification-needed-bionic verification-needed-eoan |
|
2020-07-07 22:22:46 |
Brian Murray |
openldap (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2020-07-07 22:22:55 |
Brian Murray |
tags |
server-next verification-needed verification-needed-bionic verification-needed-eoan |
server-next verification-needed verification-needed-bionic verification-needed-eoan verification-needed-xenial |
|
2020-07-08 14:55:32 |
Andreas Hasenack |
tags |
server-next verification-needed verification-needed-bionic verification-needed-eoan verification-needed-xenial |
server-next verification-done-xenial verification-needed verification-needed-bionic verification-needed-eoan |
|
2020-07-08 17:35:08 |
Andreas Hasenack |
tags |
server-next verification-done-xenial verification-needed verification-needed-bionic verification-needed-eoan |
server-next verification-needed verification-needed-bionic verification-needed-eoan verification-needed-xenial |
|
2020-07-08 18:06:25 |
Andreas Hasenack |
tags |
server-next verification-needed verification-needed-bionic verification-needed-eoan verification-needed-xenial |
server-next verification-done-xenial verification-needed verification-needed-bionic verification-needed-eoan |
|
2020-07-08 18:15:09 |
Andreas Hasenack |
tags |
server-next verification-done-xenial verification-needed verification-needed-bionic verification-needed-eoan |
server-next verification-done-bionic verification-done-xenial verification-needed verification-needed-eoan |
|
2020-07-08 18:22:56 |
Andreas Hasenack |
tags |
server-next verification-done-bionic verification-done-xenial verification-needed verification-needed-eoan |
server-next verification-done-bionic verification-done-eoan verification-done-xenial verification-needed |
|
2020-07-16 10:24:14 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2020-07-16 10:24:12 |
Launchpad Janitor |
openldap (Ubuntu Eoan): status |
Fix Committed |
Fix Released |
|
2020-07-16 11:32:20 |
Launchpad Janitor |
openldap (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2020-07-16 12:07:28 |
Launchpad Janitor |
openldap (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2022-06-13 18:23:01 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/openldap/+git/openldap/+merge/424341 |
|
2022-06-13 19:08:48 |
Launchpad Janitor |
merge proposal unlinked |
https://code.launchpad.net/~sergiodj/ubuntu/+source/openldap/+git/openldap/+merge/424341 |
|
|