ZBUG-3120 : Upgrade Zimbra OpenLDAP to 2.5.13

[umagmrit]

No description provided.

[umagmrit]

@ghen2 Could you please review this ?

[ghen2]

This is now running in our lab, as a drop-in upgrade (no slapcat/slapadd performed), I will test further.

A few remarks:

• libssh2-devel is a missing build dependency (on centos7)
• zimbra-perl-net-ldapapi is linked to the OS openldap libs, not Zimbra's, so that rebuild is not needed
• need to reapply CAP_NET_BIND_SERVICE, maybe put this in the openldap package instead of relying on zmfixperms
• I rebased Build OpenLDAP pw-argon2 module for Argon2 key derivation function #117, please consider it as well

[umagmrit]

This is now running in our lab, as a drop-in upgrade (no slapcat/slapadd performed), I will test further.

A few remarks:

• libssh2-devel is a missing build dependency (on centos7)
• zimbra-perl-net-ldapapi is linked to the OS openldap libs, not Zimbra's, so that rebuild is not needed
• need to reapply CAP_NET_BIND_SERVICE, maybe put this in the openldap package instead of relying on zmfixperms
• I rebased Build OpenLDAP pw-argon2 module for Argon2 key derivation function #117, please consider it as well

@ghen2 Thank you for your review.
regarding zimbra-perl-net-ldapapi package, this is linked to zimbra openldap.

$ ldd /opt/zimbra/common/lib/perl5/x86_64-linux-gnu-thread-multi/auto/Net/LDAPapi/LDAPapi.so
	linux-vdso.so.1 (0x00007ffd91fbc000)
	libldap-2.4.so.2 => /opt/zimbra/common/lib/libldap-2.4.so.2 (0x00007fcc6715f000)
	liblber-2.4.so.2 => /opt/zimbra/common/lib/liblber-2.4.so.2 (0x00007fcc66f4f000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcc66b5e000)
	libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fcc66944000)
	libsasl2.so.3 => /opt/zimbra/common/lib/libsasl2.so.3 (0x00007fcc66728000)
	libssl.so.1.1 => /opt/zimbra/common/lib/libssl.so.1.1 (0x00007fcc66499000)
	libcrypto.so.1.1 => /opt/zimbra/common/lib/libcrypto.so.1.1 (0x00007fcc65fb0000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fcc675d0000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fcc65dac000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fcc65b8d000)
$ dpkg -S /opt/zimbra/common/lib/libldap-2.4.so.2
zimbra-openldap-lib:amd64: /opt/zimbra/common/lib/libldap-2.4.so.2

[ghen2]

Not on CentOS/RHEL 7:

$ rpm -q zimbra-perl-net-ldapapi
zimbra-perl-net-ldapapi-3.0.3-1zimbra8.7b1.el7.x86_64
$ ldd /opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi/auto/Net/LDAPapi/LDAPapi.so
        linux-vdso.so.1 =>  (0x00007ffce6ff3000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fe2fba95000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fe2fb886000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fe2fb4b8000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fe2fb29e000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007fe2fb081000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007fe2fae0f000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fe2fa9ac000)
        libssl3.so => /lib64/libssl3.so (0x00007fe2fa749000)
        libsmime3.so => /lib64/libsmime3.so (0x00007fe2fa521000)
        libnss3.so => /lib64/libnss3.so (0x00007fe2fa1e8000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007fe2f9fb8000)
        libplds4.so => /lib64/libplds4.so (0x00007fe2f9db4000)
        libplc4.so => /lib64/libplc4.so (0x00007fe2f9baf000)
        libnspr4.so => /lib64/libnspr4.so (0x00007fe2f9971000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe2f9755000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fe2f9551000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe2fbf02000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fe2f931a000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fe2f90cd000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fe2f8de4000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fe2f8bb1000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fe2f89ad000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fe2f879d000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fe2f8587000)
        librt.so.1 => /lib64/librt.so.1 (0x00007fe2f837f000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007fe2f817c000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fe2f7f78000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe2f7d51000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fe2f7aef000)

[umagmrit]

Not on CentOS/RHEL 7:

$ rpm -q zimbra-perl-net-ldapapi
zimbra-perl-net-ldapapi-3.0.3-1zimbra8.7b1.el7.x86_64
$ ldd /opt/zimbra/common/lib/perl5/x86_64-linux-thread-multi/auto/Net/LDAPapi/LDAPapi.so
        linux-vdso.so.1 =>  (0x00007ffce6ff3000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007fe2fba95000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007fe2fb886000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fe2fb4b8000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fe2fb29e000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007fe2fb081000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007fe2fae0f000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007fe2fa9ac000)
        libssl3.so => /lib64/libssl3.so (0x00007fe2fa749000)
        libsmime3.so => /lib64/libsmime3.so (0x00007fe2fa521000)
        libnss3.so => /lib64/libnss3.so (0x00007fe2fa1e8000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007fe2f9fb8000)
        libplds4.so => /lib64/libplds4.so (0x00007fe2f9db4000)
        libplc4.so => /lib64/libplc4.so (0x00007fe2f9baf000)
        libnspr4.so => /lib64/libnspr4.so (0x00007fe2f9971000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe2f9755000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fe2f9551000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe2fbf02000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fe2f931a000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fe2f90cd000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fe2f8de4000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fe2f8bb1000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fe2f89ad000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fe2f879d000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fe2f8587000)
        librt.so.1 => /lib64/librt.so.1 (0x00007fe2f837f000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007fe2f817c000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fe2f7f78000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fe2f7d51000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fe2f7aef000)

yes correct, need to check why zimbra-perl-net-ldapapi is not linked to zimbra openldap on CentOS/RHEL 7

[umagmrit]

@quanah can you please review this ?

[ghen2]

Best do the chown root:zimbra and chmod 750 here as well (first), or it will revert the setcap later (see comments in zmfixperms).

[umagmrit]

This is now running in our lab, as a drop-in upgrade (no slapcat/slapadd performed), I will test further.

A few remarks:

• libssh2-devel is a missing build dependency (on centos7)
• zimbra-perl-net-ldapapi is linked to the OS openldap libs, not Zimbra's, so that rebuild is not needed
• need to reapply CAP_NET_BIND_SERVICE, maybe put this in the openldap package instead of relying on zmfixperms
• I rebased Build OpenLDAP pw-argon2 module for Argon2 key derivation function #117, please consider it as well

@ghen2 have you tested this by enabling olcIndexHash64 ( 64 bit hash for indexing ) ?

[ghen2]

@ghen2 have you tested this by enabling olcIndexHash64 ( 64 bit hash for indexing ) ?

No, we use default 32 bit index hashes (I did not know this option).

[quanah]

@ghen2 have you tested this by enabling olcIndexHash64 ( 64 bit hash for indexing ) ?

No, we use default 32 bit index hashes (I did not know this option).

It's a fairly new option but will become the default in the future. Setting it requires a full DB reload. I'd strongly advise that a full review of the features and changes in OpenLDAP 2.5 is done prior to 2.5 being integrated, as there likely should be a one-time database export/import as a part of the upgrade process. Some upgrade items would likely require a zmlocalconfig key, but I wouldn't suggest one for the 64 bit index hashes, there's no reason to go backwards to 32-bit ones.

[ghen2]

as there likely should be a one-time database export/import as a part of the upgrade process.

Hi Quanah

Previously you said an export/import is not required: #118 (comment), and we are indeed running this 2.5.13 Zimbra build as a drop-in replacement for 2.4 in our non-prod environments.

Or are you only suggesting this as part of a broader upgrade that also changes database configuration, like index_hash64 (and possibly others) ? But such changes could be done separately from the 2.5 upgrade itself?

Geert

[quanah]

as there likely should be a one-time database export/import as a part of the upgrade process.

Hi Quanah

Previously you said an export/import is not required: #118 (comment), and we are indeed running this 2.5.13 Zimbra build as a drop-in replacement for 2.4 in our non-prod environments.

Or are you only suggesting this as part of a broader upgrade that also changes database configuration, like index_hash64 (and possibly others) ? But such changes could be done separately from the 2.5 upgrade itself?

Geert

Hi Geert! I'm saying that it may be worthwhile where this is done for the Zimbra product as a whole, to take advantage of the new tuning options and do the necessary one time database reload. I'd also ensure the new feature to slapo-unique to serialize mod ops is implemented. The DB reload is certainly not required now, but will be at some point in the future when the 64-bit index hashes are turned on by default. It would help with very large customer bases in particular.

[quanah]

The ARGON2 change would only affect new password changes though, so nothing would break for existing users as long as they haven't changed their passwords. Since LDAP nodes are the first things that must be upgraded in a deployment, I think the risk there is relatively low (i.e., should only be a spate of minutes where it's even possible that someone who just changed their password would run the risk of not being able to authenticate).

[ghen2]

Only if all LDAP's are upgraded in the same maintenance window - which I wasn't assuming, but could indeed be considered a requirement.

[quanah]

I don't know how Zimbra's changed vs the past, but IIRC it was always a documented requirement that all LDAP nodes be updated during the same window.

[silentsakky]

If possible squash and reduce number of commits before merging this PR

[ghen2]

Hi

Any idea when this will be merged?

(it has been running in our lab for months without issues, as a drop-in replacement for 2.4)

[ghen2]

Can you please rebase this on OpenSSL 3.0.9 ?

[ghen2]

I created a separate PR #192 for the libsodium upgrade, so we can more easily add Argon2 support to either OpenLDAP 2.4 or 2.5, independent of this PR (as we're already using this).

[ghen2]

@silentsakky @umagmrit Can you please consider the separate libsodium upgrade already? Makes our local argon2 build easier to maintain.