"ldapadduser" adds the user and hangs

Bug #602540 reported by Zaphod
This bug affects 4 people
Affects                Status         Importance  Assigned to   Milestone
ldapscripts (Debian)   Fix Released   Unknown
ldapscripts (Ubuntu)   Fix Released   Undecided   Dave Walker
  Lucid                Won't Fix      Undecided   Unassigned
  Maverick             Fix Released   Undecided   Unassigned
openldap (Ubuntu)      Invalid        Low         Unassigned
  Lucid                Invalid        Undecided   Unassigned
  Maverick             Invalid        Undecided   Unassigned

Bug Description

I followed this guide
https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html

I have installed the ldapscripts package and when I use the command "ldapadduser <user> <group>", it says the user has been added to LDAP, but then it hangs. If I press CTRL-C, I can see the user has been added, but the user has not been added to the group. I can then manually add the user to the group.

There seems to be some issue with the "ldapadduser" command.

Josejulio (josejulio) wrote :

I also have this problem. I followed the guide as well.

Changed in openldap (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Serge Hallyn (serge-hallyn) wrote :

Could you try doing

   strace -f -o/tmp/strace.out ldapadduser <user> <group>

and see where it hangs? Assuming it is the server and not the client
which hangs, then you'll probably want to do

    p=`pidof slapd`
    strace -f -o/tmp/strace2.out -p $p

and leave that running while you do the ldapadduser command in another
terminal. (Please make sure there is no sensitive information before
posting that, but I assume this is all test data?)

Changed in openldap (Ubuntu):
status: Confirmed → Incomplete
Simon Kelsall (simon-kelsall) wrote :

I get this too.

Dave Moore (d-moore) wrote :

I had the same issue and it was possible to work around by changing the password generation method.
In /etc/ldapscripts/ldapscripts.conf change to PASSWORDGEN="pwgen" and apt-get install pwgen. I'm sure other methods may work.
It would seem that the default password gen
PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
causes the hang for me.

Dave Walker (davewalker) wrote :

This seems to indicate that there isn't enough entropy to generate the password from /dev/random.

Changed in openldap (Ubuntu):
status: Incomplete → Confirmed
Dave Walker (davewalker) wrote :

Subscribing ~ubuntu-security for an 'ack'.

I imagine that on a well populated server, gaining the entropy isn't an issue. However, that isn't a clean default solution.

It seems to me that we have two options:
 * Use the /dev/urandom which seems less than ideal.
 * Use pwgen (main), with -s.

Security Team, can you comment on these proposed default settings?

Thanks.

Changed in openldap (Ubuntu):
assignee: nobody → Dave Walker (davewalker)
Marc Deslauriers (mdeslaur) wrote :

pwgen uses urandom, so you might as well simply switch to /dev/urandom. Although less ideal than using /dev/random, it is probably okay for generating initial 8-character passwords.

Dave Walker (davewalker)
Changed in openldap (Ubuntu):
status: Confirmed → Invalid
Changed in ldapscripts (Ubuntu):
status: New → Confirmed
assignee: nobody → Dave Walker (davewalker)
Changed in openldap (Ubuntu):
assignee: Dave Walker (davewalker) → nobody
Marc Deslauriers (mdeslaur) wrote :

As discussed on irc, I now recommend we use pwgen, so we don't drain the entropy, and we make sure we have a password that has the correct length.

Dave Walker (davewalker) wrote :

Attached is a debdiff for Maverick. Submitted patch to debian.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ldapscripts - 1.9.0-2ubuntu1

---------------
ldapscripts (1.9.0-2ubuntu1) maverick; urgency=low

  * etc/ldapscripts.conf: Changed default password generation for initial
    usage. Now uses "pwgen", as there is often not enough entropy to
    use the previous default, causing blocking/freezing. (LP: #602540)
  * debian/control:
    - Depend on pwgen.
    - Updated maintainer field to reflect policy.
 -- Dave Walker (Daviey) <email address hidden> Mon, 09 Aug 2010 17:18:37 +0100

Changed in ldapscripts (Ubuntu):
status: Confirmed → Fix Released
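
The following is an added example, not code from ldapscripts or from anyone in this thread. It flags a PASSWORDGEN setting that reads /dev/random, the cause of the hang reported above, and shows a generator that reads /dev/urandom and always returns the requested length; the function names audit_passwordgen and gen_password are hypothetical.

```sh
#!/bin/sh
# Added example, not ldapscripts code. Function names are hypothetical.

# Classify the active PASSWORDGEN setting of an ldapscripts.conf read on stdin.
# Prints: blocking | nonblocking | pwgen | other | unset
audit_passwordgen() {
    local value
    # Commented-out lines are skipped; the last assignment wins, as it does
    # when a shell sources the file.
    value=$(sed -n 's/^[[:space:]]*PASSWORDGEN=//p' | tail -n 1)
    case $value in
        '')             echo unset ;;
        */dev/random*)  echo blocking ;;    # can stall waiting for entropy (the hang reported here)
        */dev/urandom*) echo nonblocking ;;
        *pwgen*)        echo pwgen ;;
        *)              echo other ;;
    esac
}

# Print exactly $1 characters (default 8) from [a-zA-Z0-9].
# Reads /dev/urandom in fixed chunks, so it never waits on the entropy pool,
# and loops until enough characters survive the filter.
gen_password() {
    local len=${1:-8} pw='' chunk
    [ -r /dev/urandom ] || return 1
    while [ "${#pw}" -lt "$len" ]; do
        chunk=$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9') || return 1
        pw=$pw$chunk
    done
    printf '%s\n' "$pw" | cut -c "1-$len"
}

# The two settings quoted in the thread.
OLD_DEFAULT="PASSWORDGEN=\"cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8\""
WORKAROUND='PASSWORDGEN="pwgen"'

printf '%s\n' "$OLD_DEFAULT" | audit_passwordgen
printf '%s\n' "$WORKAROUND" | audit_passwordgen
gen_password 8
```
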
C de-Avillez (hggdh2)
tags: added: patch-forwarded-debian
removed: 10.04 error group hang ldapadduser lucid ubuntu
Changed in ldapscripts (Debian):
status: Unknown → New
Changed in ldapscripts (Debian):
status: New → Fix Released
Dave Walker (davewalker)
Changed in openldap (Ubuntu Lucid):
status: New → Invalid
Changed in openldap (Ubuntu Maverick):
status: New → Invalid
Changed in ldapscripts (Ubuntu Maverick):
status: New → Fix Released
Changed in ldapscripts (Ubuntu Lucid):
status: New → Triaged
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in ldapscripts (Ubuntu Lucid):
status: Triaged → Won't Fix