Bug 484244 - net-nds/openldap-2.4.35 - rfc2307bis.schema broken?
Status: IN_PROGRESS
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: LDAP Herd
Keywords: PATCH
Reported: 2013-09-08 14:48 UTC by Daniel Morlock
Modified: 2014-05-24 05:06 UTC (History)
CC: 5 users


Attachments
Fixed schema file. (rfc2307bis.schema, 11.58 KB, text/plain) 2013-09-08 14:48 UTC, Daniel Morlock
emerge --config output (emerge-config, 61 bytes, text/plain) 2013-09-08 14:49 UTC, Daniel Morlock
emerge --info openldap (emerge-info-openldap.txt, 5.44 KB, text/plain) 2013-09-09 18:10 UTC, Daniel Morlock
Patch for the rfc2307bis schema (rfc2307bis.patch, 3.81 KB, patch) 2014-05-23 19:01 UTC, Jorge Manuel B. S. Vicetto
Patch for the rfc2307bis schema (complete) (rfc2307bis.patch, 5.62 KB, patch) 2014-05-23 19:08 UTC, Jorge Manuel B. S. Vicetto

Description Daniel Morlock 2013-09-08 14:48:37 UTC
Created attachment 358288
Fixed schema file.

After upgrading to openldap-2.4.35, slaptest complains about syntax errors and invalid attributes in schema file /etc/openldap/rfc2307bis.schema. Manually fixing the schema file (see attached) resolved the problem.

Steps to reproduce:

- Emerge openldap-2.4.35
- Add rfc2307bis.schema in slapd.conf
- Trying to start slapd via init-script results in the following:

$ /etc/init.d/slapd restart 
 * Stopping ldap-server ...                                                                                         [ ok ]
AttributeTypeDescription = "(" whsp
  numericoid whsp      ; AttributeType identifier
  [ "NAME" qdescrs ]             ; name used in AttributeType
  [ "DESC" qdstring ]            ; description
  [ "OBSOLETE" whsp ]
  [ "SUP" woid ]                 ; derived from this other
                                   ; AttributeType
  [ "EQUALITY" woid ]            ; Matching Rule name
  [ "ORDERING" woid ]            ; Matching Rule name
  [ "SUBSTR" woid ]              ; Matching Rule name
  [ "SYNTAX" whsp noidlen whsp ] ; see section 4.3
  [ "SINGLE-VALUE" whsp ]        ; default multi-valued
  [ "COLLECTIVE" whsp ]          ; default not collective
  [ "NO-USER-MODIFICATION" whsp ]; default user modifiable
  [ "USAGE" whsp AttributeUsage ]; default userApplications
                                   ; userApplications
                                   ; directoryOperation
                                   ; distributedOperation
                                   ; dSAOperation
  whsp ")"
slaptest: bad configuration file!
 * There is a problem with your slapd.conf!
 * ERROR: slapd failed to start
Comment 1 Daniel Morlock 2013-09-08 14:49:12 UTC
Created attachment 358290
emerge --config output
Comment 2 Richard Ostrow 2013-09-09 13:46:51 UTC
Same here. Using attached schema file appears to get slapd to start, no issues yet...
Comment 3 Robin Johnson (Gentoo Infrastructure, gentoo-dev, Security) 2013-09-09 16:35:49 UTC
1. please attach patches in future, not new copies of the file.
2. Why did you remove the authPassword attribute from OC posixAccount, shadowAccount, ipHost?
Comment 4 Daniel Morlock 2013-09-09 17:28:31 UTC
(In reply to Robin Johnson from comment #3)
> 1. please attach patches in future, not new copies of the file.
> 2. Why did you remove the authPassword attribute from OC posixAccount,
> shadowAccount, ipHost?

With authPassword attribute I get the error:

$ slaptest
522e04fc /etc/openldap/schema/rfc2307bis.schema: line 256 objectclass: AttributeType not found: "authPassword"
slaptest: bad configuration file!
Comment 5 Robin Johnson (Gentoo Infrastructure, gentoo-dev, Security) 2013-09-09 17:53:22 UTC
authPassword is a built-in attribute of slapd w/ SASL, per RFC3112
Comment 6 Daniel Morlock 2013-09-09 18:09:57 UTC
(In reply to Robin Johnson from comment #5)
> authPassword is a built-in attribute of slapd w/ SASL, per RFC3112

Do you mean "with" or "without" SASL?

SASL is enabled, see emerge --info dump attached. But the attribute is not available. Is this correct behavior?
Comment 7 Daniel Morlock 2013-09-09 18:10:16 UTC
Created attachment 358390
emerge --info openldap
Comment 8 Daniel Morlock 2013-09-09 18:16:02 UTC
To explain not attaching a patch: I fixed the schema file to the best of my knowledge. I'm not an expert in LDAP schemata, so please don't use this schema in production, since I don't know whether I fixed it correctly! It should be fixed by a maintainer or at least by somebody who is more into that stuff ...
Comment 9 Robin Johnson (Gentoo Infrastructure, gentoo-dev, Security) 2013-09-09 18:17:42 UTC
openldap-2.4.35/servers/slapd/schema_prep.c:
#ifdef SLAPD_AUTHPASSWD
    { "authPassword", "( 1.3.6.1.4.1.4203.1.3.4 "
            "NAME 'authPassword' "
            "DESC 'RFC3112: authentication password attribute' "
            "EQUALITY 1.3.6.1.4.1.4203.1.2.2 "
            "SYNTAX 1.3.6.1.4.1.4203.1.1.2 )",
        NULL, 0,
        NULL, NULL,
        NULL, NULL, NULL, NULL, NULL,
        offsetof(struct slap_internal_schema, si_ad_authPassword) },
    { "supportedAuthPasswordSchemes", "( 1.3.6.1.4.1.4203.1.3.3 "
            "NAME 'supportedAuthPasswordSchemes' "
            "DESC 'RFC3112: supported authPassword schemes' "
            "EQUALITY caseExactIA5Match "
            "SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} "
            "USAGE dSAOperation )",
        subschemaAttribute, 0,
        NULL, NULL,
        NULL, NULL, NULL, NULL, NULL,
        offsetof(struct slap_internal_schema, si_ad_authPasswordSchemes) },
#endif
Comment 10 Daniel Morlock 2013-09-09 21:49:51 UTC
The interesting part is, where SLAPD_AUTHPASSWD is going to be defined:

$ grep SLAPD_AUTHPASSWD openldap-2.4.35 -inR
servers/slapd/schema_init.c:6289:#ifdef SLAPD_AUTHPASSWD
servers/slapd/schema_init.c:6730:#ifdef SLAPD_AUTHPASSWD
servers/slapd/schema_prep.c:972:#ifdef SLAPD_AUTHPASSWD
servers/slapd/slap.h:971:#ifdef SLAPD_AUTHPASSWD

No #define or similar. So I guess SLAPD_AUTHPASSWD is set from command line via make: I found that USE flag "sasl" adds "--with-cyrus-sasl" and "--enable-spasswd" to mycon. This can be proved in the configure part:

--enable-ldap --enable-slapd --enable-bdb --enable-hdb --enable-dnssrv=mod --enable-ldap=mod --enable-meta=mod --enable-monitor=mod --enable-null=mod --enable-passwd=mod --enable-relay=mod --enable-shell=mod --enable-sock=mod --disable-perl --disable-sql --enable-crypt --disable-slp --disable-lmpasswd --enable-syslog --enable-aci --enable-cleartext --enable-modules --enable-rewrite --enable-rlookups --enable-slapi --enable-syncprov=yes --enable-ipv6 --with-cyrus-sasl --enable-spasswd --enable-wrappers --with-tls=openssl --enable-dynamic --enable-local --enable-proctitle --enable-shared --enable-static

If I fetch the gcc calls, I should be able to see whether any such call uses "-DSLAPD_AUTHPASSWD". Unfortunately, I did not find any "SLAPD_AUTHPASSWD" expression in the compiler output.

So I've no idea where SLAPD_AUTHPASSWD is defined. If it is not defined, it would explain slapd complaining about missing "authPassword" attributes.

Please correct me if I'm wrong or if there is any other place where SLAPD_AUTHPASSWD could be defined.
Comment 11 Richard Ostrow 2013-10-22 18:44:20 UTC
A month later and still an issue. A minor revision update today gave me the same problem after having been using the attached schema file until this point. I can get by on this in my setup because I don't use passwords in my LDAP database (everything is in kerberos), but this really should be fixed...
Comment 12 Matthias Nagl 2013-11-06 18:50:13 UTC
For me it worked after replacing rfc2307bis.schema with this one:

http://svn.stylite.de/viewvc/egroupware/branches/1.6/phpgwapi/doc/ldap/rfc2307bis.schema?revision=26424&view=markup

In my case this makes sense because I am using this schema only for egroupware stuff. I do not know if it is a general solution.
Comment 13 Horst Prote 2013-11-21 14:08:15 UTC
(In reply to Daniel Morlock from comment #10)
> The interesting part is, where SLAPD_AUTHPASSWD is going to be defined:
Found this (http://www.openldap.org/lists/openldap-devel/200707/msg00030.html) thread "authPassword (RFC 3112) implemented?" from 2007 stating:
  AFAIK, the attribute and so is recognized, but it's
  not implemented (nor won't, as it is no longer needed).


Maybe it's still not (completely) implemented?
Comment 14 Jorge Manuel B. S. Vicetto (Gentoo Infrastructure, gentoo-dev) 2014-05-23 19:01:59 UTC
Created attachment 377532
Patch for the rfc2307bis schema

This patch fixes some compatibility issues with the existing schema and corrects some fatal errors.

It removes the extraneous "'" characters, replaces SUBSTRINGS with SUBSTR and adds a missing MAY section to nisObject, based on nis.schema.
It also drops authPassword as it's still not supported by openldap and adds a SUBSTR matching rule for memberUid based on nis.schema.

Although some preliminary support for authPassword was added to openldap as listed by Robin, it seems it was never completed.

The initial commits in the openldap repository for adding authPassword support were done on Jan 10th, 2002:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=c80d93f2bb0d24da2919fa0994f7d1c4f6459897
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=f4336c895365857bc9ba4663024af58922bb85d7
Comment 15 Jorge Manuel B. S. Vicetto (Gentoo Infrastructure, gentoo-dev) 2014-05-23 19:08:41 UTC
Created attachment 377534
Patch for the rfc2307bis schema (complete)

Correct patch. The previous source file had some fixes applied already.

This patch fixes some compatibility issues with the existing schema and corrects some fatal errors.

It removes the extraneous "'" characters, replaces SUBSTRINGS with SUBSTR and adds a missing MAY section to nisObject, based on nis.schema.
It also drops authPassword as it's still not supported by openldap and adds a SUBSTR matching rule for memberUid based on nis.schema.

Although some preliminary support for authPassword was added to openldap as listed by Robin, it seems it was never completed.

The initial commits in the openldap repository for adding authPassword support were done on Jan 10th, 2002:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=c80d93f2bb0d24da2919fa0994f7d1c4f6459897
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=f4336c895365857bc9ba4663024af58922bb85d7
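The slaptest failure in the description and the fixes listed in the patch comment above (stray "'" characters, SUBSTRINGS where the description grammar only allows SUBSTR, and an objectclass MAY list naming authPassword, which this slapd build does not define) can all be caught by a static pass over the schema file before it ever reaches slapd. The following Python checker is an added example written for this page; it is not from the bug report, the Gentoo patch or OpenLDAP. It folds slapd.conf continuation lines into one directive each, flags unknown description keywords and unbalanced quotes, and resolves every MUST/MAY reference against the attributetypes defined in the file plus a caller-supplied set of attributes that other loaded schemas provide. SAMPLE_SCHEMA and CORE_ATTRS are constructed stand-ins for rfc2307bis.schema and core.schema, not copies of them.

```python
"""Pre-check an OpenLDAP slapd.conf-style schema file for the defect types
reported in this bug, before handing it to slaptest.  Added example, not part of
the bug report or of OpenLDAP; SAMPLE_SCHEMA and CORE_ATTRS are constructed."""
import re

# Keywords allowed inside an attributetype / objectclass description
# (RFC 4512 section 4.1; slaptest printed the older RFC 2252 form of the same grammar).
ATTR_KEYWORDS = {"NAME", "DESC", "OBSOLETE", "SUP", "EQUALITY", "ORDERING", "SUBSTR",
                 "SYNTAX", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "USAGE"}
OC_KEYWORDS = {"NAME", "DESC", "OBSOLETE", "SUP", "ABSTRACT", "STRUCTURAL", "AUXILIARY",
               "MUST", "MAY"}

# Constructed stand-in for what other loaded schema files (core.schema etc.) provide.
# authPassword is deliberately absent: slapd only defines it when built with
# SLAPD_AUTHPASSWD, which the thread shows is not the case for this build.
CORE_ATTRS = frozenset({"cn", "uid", "userPassword", "description", "objectClass"})

# Constructed sample in the style of rfc2307bis.schema, seeded with the three defect
# types named in the thread (SUBSTRINGS, a stray quote, an undefined authPassword).
SAMPLE_SCHEMA = """\
# constructed sample, not the real rfc2307bis.schema
attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
    DESC 'An integer uniquely identifying a user'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
    EQUALITY caseExactMatch
    SUBSTRINGS caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
    DESC 'The path to the login shell' '
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber )
    MAY ( authPassword $ userPassword $ loginShell $ description ) )
"""

def logical_lines(text):
    """Fold slapd.conf continuation lines (leading whitespace) into one string per directive."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def names_of(body):
    """NAME 'x' or NAME ( 'x' 'y' ) -> ['x', 'y']."""
    m = re.search(r"\bNAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", body)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []

def attr_refs(body, keyword):
    """Attribute names after MUST or MAY: 'cn' or '( cn $ uid )' -> ['cn', 'uid']."""
    m = re.search(r"\b%s\s+(\([^)]*\)|[\w;-]+)" % keyword, body)
    return [t for t in re.split(r"[\s$()]+", m.group(1)) if t] if m else []

def check_schema(text, builtin_attrs=CORE_ATTRS):
    """Return [(definition name, problem), ...]; an empty list means nothing was found."""
    problems = []
    known = {a.lower() for a in builtin_attrs}
    oc_refs = []
    for directive in logical_lines(text):
        parts = directive.split(None, 1)
        kind = parts[0].lower()
        if kind not in ("attributetype", "objectclass") or len(parts) < 2:
            continue
        body = parts[1]
        names = names_of(body)
        label = names[0] if names else body[:40]
        if body.count("'") % 2:
            problems.append((label, "unbalanced single quote (extraneous ' character)"))
        # Blank out quoted strings so words inside DESC cannot masquerade as keywords.
        unquoted = re.sub(r"'[^']*'", "''", body)
        allowed = ATTR_KEYWORDS if kind == "attributetype" else OC_KEYWORDS
        for tok in re.findall(r"\b[A-Z][A-Z-]+\b", unquoted):
            if tok not in allowed and not tok.startswith("X-"):
                problems.append((label, "unknown keyword %s" % tok))
        if kind == "attributetype":
            known.update(n.lower() for n in names)
        else:
            oc_refs.append((label, attr_refs(unquoted, "MUST") + attr_refs(unquoted, "MAY")))
    # Resolve MUST/MAY only after the whole file is read: forward references are legal.
    for label, refs in oc_refs:
        for ref in refs:
            if ref.lower() not in known:
                problems.append((label, "AttributeType not found: %s" % ref))
    return problems

if __name__ == "__main__":
    for name, problem in check_schema(SAMPLE_SCHEMA):
        print("%s: %s" % (name, problem))
```

Run it over the schema files you ship as a pre-commit or CI step; slaptest with -u (dry run, no database opens) against a slapd.conf that includes the file stays the authoritative check, because only the server knows which attributes its build compiled in. That is exactly the authPassword case in this thread: a schema that validates on a slapd built with SLAPD_AUTHPASSWD fails on one built without it, so the set passed as builtin_attrs has to describe the target build, not the schema author's.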
Comment 16 Jorge Manuel B. S. Vicetto (Gentoo Infrastructure, gentoo-dev) 2014-05-23 22:08:02 UTC
While testing the patch, I've noticed I added a line with white space, that broke the schema. I'm fixing it now and pushing it to mirrors again.
I'll update the openldap ebuilds when the file gets mirrored.
Comment 17 Jorge Manuel B. S. Vicetto (Gentoo Infrastructure, gentoo-dev) 2014-05-24 05:06:30 UTC
05:03 < irker517> gentoo-x86: jmbsvicetto net-nds/openldap: Update rfc2307bis schema - fixes bug 484244.
05:03 < willikins> irker517: https://bugs.gentoo.org/484244 "net-nds/openldap-2.4.35 - rfc2307bis.schema broken?"; Gentoo Linux, Server; IN_P; daniel.morlock:ldap-bugs