"ldapadduser" adds the user and hangs

Bug #602540 reported by Zaphod on 2010-07-07
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
ldapscripts (Debian)
Fix Released
Unknown
ldapscripts (Ubuntu)
Undecided
Dave Walker
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
openldap (Ubuntu)
Low
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned

Bug Description

I followed this guide
https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html

I have installed the ldapscripts package and when I use the command "ldapadduser <user> <group>"
It says the user has been added to LDAP but then it hangs if I press CTRL-C I can see the user has been added but the user has not been added to the group. I can then manually add the user to the group.

There seams to be some issue with the "ldapadduser" command.

Josejulio (josejulio) wrote :

I also have this problem. followed the guide as well.

Changed in openldap (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Serge Hallyn (serge-hallyn) wrote :

Could you try doing

   strace -f -o/tmp/strace.out ldapadduser <user> <group>

and see where it it hangs? Assuming it is the server and not the client
which hangs, then you'll probably want to do

    p=`pidof slapd`
    strace -f -o/tmp/strace2.out -p $p

and leave that running while you do the ldapadduser command in another
terminal. (Please make sure there is no sensitive information before
posting that, but I assume this is all test data?)

Changed in openldap (Ubuntu):
status: Confirmed → Incomplete
Simon Kelsall (simon-kelsall) wrote :

I get this to,

Dave Moore (d-moore) wrote :

I had the same issue and it was possible to work around by changing the password generation method.
In /etc/ldapscripts/ldapscripts.conf change to PASSWORDGEN="pwgen" and apt-get install pwgen. I'm sure other methods may work.
It would seem that the default password gen
PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
causes the hang for me.

Dave Walker (davewalker) wrote :

This seems to indicate that there isn't enough entropy to generate the password from /dev/random.

Changed in openldap (Ubuntu):
status: Incomplete → Confirmed
Dave Walker (davewalker) wrote :

Subscribing ~ubuntu-security for an 'ack'.

I imagine that on a well populated server, gaining the entropy isn't an issue. However, that isn't a clean default solution.

It seems to me that we have two options:
 * Use the /dev/urandom which seems less than ideal.
 * Use pwgen (main), with -s.

Security Team, can you comment on these proposed default settings?

Thanks.

Changed in openldap (Ubuntu):
assignee: nobody → Dave Walker (davewalker)
Marc Deslauriers (mdeslaur) wrote :

pwgen uses urandom, so you might as well simply switch to /dev/urandom. Although less ideal than using /dev/random, it is probably okay for generating initial 8-character passwords.

Dave Walker (davewalker) on 2010-08-09
Changed in openldap (Ubuntu):
status: Confirmed → Invalid
Changed in ldapscripts (Ubuntu):
status: New → Confirmed
assignee: nobody → Dave Walker (davewalker)
Changed in openldap (Ubuntu):
assignee: Dave Walker (davewalker) → nobody
Marc Deslauriers (mdeslaur) wrote :

As discussed on irc, I now recommend we use pwgen, so we don't drain the entropy, and we make sure we have a password that has the correct length.

Dave Walker (davewalker) wrote :

Attached is a debdiff for Maverick. Submitted patch to debian.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ldapscripts - 1.9.0-2ubuntu1

---------------
ldapscripts (1.9.0-2ubuntu1) maverick; urgency=low

  * etc/ldapscripts.conf: Changed default password generation for initial
    usage. Now uses "pwgen", as there is often not enough entropy to
    use the previous default, causing blocking/freezing. (LP: #602540)
  * debian/control:
    - Depend on pwgen.
    - Updated maintainer field to reflect policy.
 -- Dave Walker (Daviey) <email address hidden> Mon, 09 Aug 2010 17:18:37 +0100

Changed in ldapscripts (Ubuntu):
status: Confirmed → Fix Released
C de-Avillez (hggdh2) on 2010-08-10
tags: added: patch-forwarded-debian
removed: 10.04 error group hang ldapadduser lucid ubuntu
Changed in ldapscripts (Debian):
status: Unknown → New
Changed in ldapscripts (Debian):
status: New → Fix Released
Dave Walker (davewalker) on 2012-07-02
Changed in openldap (Ubuntu Lucid):
status: New → Invalid
Changed in openldap (Ubuntu Maverick):
status: New → Invalid
Changed in ldapscripts (Ubuntu Maverick):
status: New → Fix Released
Changed in ldapscripts (Ubuntu Lucid):
status: New → Triaged
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in ldapscripts (Ubuntu Lucid):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.