
LDIF bootstrapping fails when LDAP_TLS_ENFORCE=true #402

Open
ldealmei opened this issue Feb 6, 2020 · 1 comment


ldealmei commented Feb 6, 2020

I've been trying to use the bootstrapping with a custom ldif file but without success. I would always get the following error:

[...]
2020-02-06 12:17:42
Start OpenLDAP...
2020-02-06 12:17:42
Waiting for OpenLDAP to start...
2020-02-06 12:17:42
Add bootstrap schemas...
2020-02-06 12:17:42
config file testing succeeded
2020-02-06 12:17:43
Add image bootstrap ldif...
2020-02-06 12:17:43
*** /container/run/startup/slapd failed with status 32
2020-02-06 12:17:43
[...]

I dug into what the failing script does and it seems the culprit is the ldap_add_or_modify function:

  function ldap_add_or_modify (){
    local LDIF_FILE=$1

    log-helper debug "Processing file ${LDIF_FILE}"
    # ...
    # LDIF files carrying a changetype need ldapmodify, plain entries ldapadd.
    # Each branch first tries the local root identity over the Unix socket
    # (SASL EXTERNAL) and then falls back to a cleartext simple bind on
    # port 389; neither attempt uses TLS.
    if grep -iq changetype "$LDIF_FILE" ; then
        ( ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f "$LDIF_FILE" 2>&1 || ldapmodify -h localhost -p 389 -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" -f "$LDIF_FILE" 2>&1 ) | log-helper debug
    else
        ( ldapadd -Y EXTERNAL -Q -H ldapi:/// -f "$LDIF_FILE" 2>&1 || ldapadd -h localhost -p 389 -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" -f "$LDIF_FILE" 2>&1 ) | log-helper debug
    fi
  }

Basically it tries to process the .LDIF file in two ways.
The first one (ldapmodify -Y EXTERNAL -Q -H ldapi:/// -f $LDIF_FILE 2>&1) fails by throwing:

adding new entry "cn=...,dc=...,dc=..."
ldap_add: Insufficient access (50)
	additional info: no write access to parent

The second (ldapmodify -h localhost -p 389 -D cn=admin,$LDAP_BASE_DN -w "$LDAP_ADMIN_PASSWORD" -f $LDIF_FILE 2>&1 ) fails with:

ldap_bind: Confidentiality required (13)
	additional info: confidentiality required

This is because I've enforced TLS on the server which is not taken into account by this script.
I confirmed that running the query over TLS works:

> ldapmodify -x -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" -H ldaps://localhost:636 -f /container/service/slapd/assets/config/bootstrap/ldif/custom/10-custom.ldif

adding new entry "cn=alpha,dc=example,dc=com"

adding new entry "cn=beta,dc=example,dc=com"

adding new entry "cn=gamma,dc=example,dc=com"

A fix could be to add this command after the others to take into account this case as well.
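The following is an added example, not the docker-openldap project's own code and not part of this issue: a TLS-aware variant of the ldap_add_or_modify function quoted above. It keeps the ldapi attempt and makes the admin-DN fallback honour LDAP_TLS_ENFORCE by binding over ldaps instead of cleartext port 389. It assumes LDAP_TLS_ENFORCE, LDAP_BASE_DN and LDAP_ADMIN_PASSWORD are set by the container, that slapd listens on ldapi:///, ldap://localhost:389 and ldaps://localhost:636, and that the client already trusts the server certificate (the ldaps run shown above succeeded without extra flags).

```shell
#!/bin/sh
# Added example (not the docker-openldap project's code). Assumed environment:
# LDAP_TLS_ENFORCE, LDAP_BASE_DN, LDAP_ADMIN_PASSWORD set by the container;
# slapd reachable on ldapi:///, ldap://localhost:389 and ldaps://localhost:636.

# URI for the admin simple bind. A cleartext bind is pointless once TLS is
# enforced: slapd answers every non-TLS bind with err=13 (confidentiality
# required), so the fallback can never succeed on port 389.
bootstrap_admin_uri() {
  if [ "${LDAP_TLS_ENFORCE:-false}" = "true" ]; then
    echo "ldaps://localhost:636"
  else
    echo "ldap://localhost:389"
  fi
}

# An LDIF with changetype records needs ldapmodify, plain entry records
# need ldapadd. The anchored match keeps a DN or attribute value that
# merely contains the word "changetype" from flipping the choice.
ldif_tool() {
  if grep -iq '^changetype:' "$1"; then
    echo ldapmodify
  else
    echo ldapadd
  fi
}

# Try the local root identity over the Unix socket first (SASL EXTERNAL,
# no password); if the data database ACLs reject it, fall back to the
# admin DN over the URI chosen above.
ldap_add_or_modify() {
  LDIF_FILE=$1
  tool=$(ldif_tool "$LDIF_FILE")
  uri=$(bootstrap_admin_uri)
  "$tool" -Y EXTERNAL -Q -H ldapi:/// -f "$LDIF_FILE" 2>&1 \
    || "$tool" -x -H "$uri" -D "cn=admin,$LDAP_BASE_DN" -w "$LDAP_ADMIN_PASSWORD" -f "$LDIF_FILE" 2>&1
}
```

If the client in another environment does not yet trust the server certificate, point it at the CA with TLS_CACERT in ldap.conf (or the LDAPTLS_CACERT environment variable) rather than lowering TLS_REQCERT, otherwise the ldaps bind verifies nothing.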

olia-dev added a commit to olia-dev/docker-openldap that referenced this issue Apr 19, 2020
ldapmodify with ldapi:/// fails otherwise

dkowis commented Jun 12, 2020

I'm trying out your container, and I'm still seeing the problem when updating the password:

dark_ldap | Processing file /container/run/service/slapd/assets/config/admin-pw/ldif/07-admin-pw-change.ldif
dark_ldap | 5ee2cf4e conn=1005 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
dark_ldap | 5ee2cf4e conn=1005 op=0 BIND dn="" method=163
dark_ldap | 5ee2cf4e conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
dark_ldap | 5ee2cf4e conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=128
dark_ldap | 5ee2cf4e conn=1005 op=0 RESULT tag=97 err=0 text=
dark_ldap | 5ee2cf4e conn=1005 op=1 MOD dn="cn=admin,dc=dark,dc=kow,dc=is"
dark_ldap | 5ee2cf4e conn=1005 op=1 MOD attr=userPassword
dark_ldap | 5ee2cf4e conn=1005 op=1 RESULT tag=103 err=50 text=
dark_ldap | 5ee2cf4e conn=1005 op=2 UNBIND
dark_ldap | 5ee2cf4e conn=1005 fd=12 closed
dark_ldap | 5ee2cf4e conn=1006 fd=12 ACCEPT from IP=127.0.0.1:37166 (IP=127.0.0.1:389)
dark_ldap | 5ee2cf4e conn=1006 op=0 BIND dn="cn=admin,dc=dark,dc=kow,dc=is" method=128
dark_ldap | 5ee2cf4e conn=1006 op=0 RESULT tag=97 err=13 text=confidentiality required
dark_ldap | 5ee2cf4e conn=1006 op=1 UNBIND
dark_ldap | 5ee2cf4e conn=1006 fd=12 closed
dark_ldap | ldap_modify: Insufficient access (50)
dark_ldap | modifying entry "cn=admin,dc=dark,dc=kow,dc=is"
dark_ldap |
dark_ldap | ldap_bind: Confidentiality required (13)
dark_ldap | 	additional info: confidentiality required
dark_ldap | *** /container/run/startup/slapd failed with status 13
dark_ldap |
dark_ldap | *** Run commands before finish...
dark_ldap | *** Killing all processes...
dark_ldap | 5ee2cf4e daemon: shutdown requested and initiated.
dark_ldap | 5ee2cf4e slapd shutdown: waiting for 0 operations/tasks to finish
dark_ldap | 5ee2cf4e slapd stopped.
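Added example, not from the issue or the project: a small log-triage helper that summarises failed operations per connection from slapd "stats" log lines like the ones in the comment above, so the two bootstrap attempts can be told apart at a glance. SAMPLE_LOG is constructed from that comment with the "dark_ldap |" prefix stripped; the awk script and its output format are this example's own.

```shell
#!/bin/sh
# Added example (not project code). SAMPLE_LOG is constructed from the slapd
# stats output in the comment above, container prefix removed.
SAMPLE_LOG='5ee2cf4e conn=1005 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
5ee2cf4e conn=1005 op=0 BIND dn="" method=163
5ee2cf4e conn=1005 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
5ee2cf4e conn=1005 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=128
5ee2cf4e conn=1005 op=0 RESULT tag=97 err=0 text=
5ee2cf4e conn=1005 op=1 MOD dn="cn=admin,dc=dark,dc=kow,dc=is"
5ee2cf4e conn=1005 op=1 MOD attr=userPassword
5ee2cf4e conn=1005 op=1 RESULT tag=103 err=50 text=
5ee2cf4e conn=1005 op=2 UNBIND
5ee2cf4e conn=1006 fd=12 ACCEPT from IP=127.0.0.1:37166 (IP=127.0.0.1:389)
5ee2cf4e conn=1006 op=0 BIND dn="cn=admin,dc=dark,dc=kow,dc=is" method=128
5ee2cf4e conn=1006 op=0 RESULT tag=97 err=13 text=confidentiality required
5ee2cf4e conn=1006 op=1 UNBIND'

# Reads slapd stats lines on stdin and prints one line per non-zero RESULT,
# annotated with the transport (ACCEPT line) and bind method (BIND line)
# recorded earlier for the same connection id.
slapd_failures() {
  awk '
    function explain(e) {
      if (e + 0 == 13) return "confidentiality required"
      if (e + 0 == 50) return "insufficient access"
      return "ldap result code " e
    }
    {
      if (!match($0, /conn=[0-9]+/)) next
      c = substr($0, RSTART + 5, RLENGTH - 5)
    }
    / ACCEPT from PATH=/ { tr[c] = "ldapi" }
    / ACCEPT from IP=/   { tr[c] = "tcp" }
    / BIND / && /mech=EXTERNAL/ { bd[c] = "sasl-external" }
    / BIND / && /method=128/    { bd[c] = "simple" }
    / RESULT / && !/ err=0 / && !/ err=0$/ {
      match($0, /op=[0-9]+/);  op  = substr($0, RSTART + 3, RLENGTH - 3)
      match($0, /err=[0-9]+/); err = substr($0, RSTART + 4, RLENGTH - 4)
      printf "conn=%s transport=%s bind=%s op=%s err=%s (%s)\n",
             c, (c in tr) ? tr[c] : "?", (c in bd) ? bd[c] : "anonymous",
             op, err, explain(err)
    }
  '
}

# Runs the summary over the constructed sample.
demo_failures() {
  printf '%s\n' "$SAMPLE_LOG" | slapd_failures
}

demo_failures
```

Read against the log above, the two lines this prints say what the bootstrap script cannot: conn=1005 bound as the local root identity over the Unix socket and was refused by the data database's access rules (err=50), and conn=1006 bound as the admin DN over cleartext TCP and was refused before any modify was attempted because the server requires TLS (err=13). The ssf=128 on the ldapi BIND line comes from the server's local-socket SSF setting, not from TLS, which is why it does not satisfy the enforcement either way.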
