Bug 17422

Summary: OpenLDAP upgrades using cn=config/back-config need to update schemas before becoming the default (over slapd.conf)
Product: Mageia
Reporter: Buchan Milne <bgmilne>
Component: RPM Packages
Assignee: Buchan Milne <bgmilne>
Status: ASSIGNED --- QA Contact:
Severity: normal    
Priority: Normal CC: luigiwalser, mageia, mageia, marja11
Version: Cauldron   
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Source RPM: openldap
CVE:
Status comment:

Description Buchan Milne 2015-12-30 15:32:57 CET
After upgrading from 2.4.x, x<43, to 2.4.43, with a typical configuration, slapd would report errors, and not return data:


Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com ldap-config[14389]: Checking config dir /etc/openldap/slapd.d/: [FAILED]
Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com ldap-config[14389]: 5683e74a config error processing cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config:
Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com ldap-config[14389]: 5683e74a send_ldap_result: err=32 matched="" text=""
Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com ldap-config[14389]: slaptest: bad configuration directory!
Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com slapd[14411]: config error processing cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config:
Dec 30 16:16:42 buchan-laptop.ranger.dnsalias.com slapd[14419]: slapd starting


[root@buchan-laptop ~]# ldapsearch 2>/dev/null|tail -n3
result: 32 No such object

# numResponses: 1
[root@buchan-laptop ~]#


Searching for the error yields among others: http://www.openldap.org/its/index.cgi/Incoming?id=8326;selectid=8326


In order to address this, I had to:
[root@buchan-laptop ~]# slapcat -n0 -l /tmp/slapd-config.ldif
5683e79d config error processing cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config:
[root@buchan-laptop ~]# rm -Rf /etc/openldap/slapd.d/*
[root@buchan-laptop ~]# slapadd -c -F /etc/openldap/slapd.d -n0 -l /tmp/slapd-config.ldif 
slapadd: could not add entry dn="cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config" (line=2476): 
5683e917 User Schema load failed for attribute "pwdAttribute". Error code 17: attribute type undefined
slapadd: could not add entry dn="olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config" (line=3588): 
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
[root@buchan-laptop ~]# slapadd -c -F /etc/openldap/slapd.d -n0 -l /usr/share/openldap/schema/ppolicy.ldif 
_#################### 100.00% eta   none elapsed            none fast!         
Closing DB...
[root@buchan-laptop ~]# chown -R ldap:ldap /etc/openldap/slapd.d
[root@buchan-laptop ~]# systemctl start slapd

That fixed it:

[root@buchan-laptop ~]# ldapsearch 2>/dev/null|tail -n3

# numResponses: 229
# numEntries: 228
[root@buchan-laptop ~]#


For users using cn=config, we probably need to see if we can fix this on upgrades, or at least cover it in release notes.

Users using slapd.conf should not be affected (as they should be using the provided ppolicy.schema).
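A pre-import check for the `slapcat -n0` export used in the recovery steps above. This is an added example, not part of the bug report or of the Mageia openldap package. It reads the LDIF only (it never touches /etc/openldap/slapd.d), assumes DNs are exported in plain text rather than base64 (`dn::`), and builds its own constructed sample export shaped like the one in the report: the malformed `cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config` entry plus a ppolicy overlay whose schema is not loaded. The overlay/schema pairing it checks (ppolicy overlay requires the ppolicy schema for `pwdAttribute`) is the one the `slapadd` error above shows; other pairings would have to be added by hand.

```shell
#!/bin/sh
# Pre-flight check for a cn=config export before re-importing it with slapadd.
# Added example; not from the bug report or the openldap package.

# LDIF folds long lines by starting the continuation with one space. Join them
# so a full DN can be matched with a single pattern (base64 dn:: is not handled).
unwrap_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# DNs that carry the schema suffix twice, as in the report's log lines.
find_doubled_schema_dns() {
    unwrap_ldif "$1" \
      | grep -i '^dn:.*cn=schema,cn=config,cn=schema,cn=config[[:space:]]*$' \
      | sed 's/^dn:[[:space:]]*//; s/[[:space:]]*$//'
}

# Names of the schema entries that are really loaded: cn={N}name,cn=schema,cn=config
loaded_schemas() {
    unwrap_ldif "$1" \
      | grep -i '^dn:[[:space:]]*cn={[0-9]*}[^,]*,cn=schema,cn=config[[:space:]]*$' \
      | sed 's/^dn:[[:space:]]*cn={[0-9]*}//; s/,cn=schema,cn=config[[:space:]]*$//'
}

# An overlay that is configured while the schema it needs is absent makes
# slapadd fail part-way (the "attribute type undefined" error in the report).
check_overlay_schema() {
    ldif="$1"; overlay="$2"; schema="$3"
    if unwrap_ldif "$ldif" | grep -qi "^dn:[[:space:]]*olcOverlay={[0-9]*}$overlay,"; then
        if loaded_schemas "$ldif" | grep -qix "$schema"; then
            echo "ok: overlay $overlay has schema $schema"
            return 0
        fi
        echo "missing: overlay $overlay configured but schema $schema is not loaded (add its .ldif first)"
        return 1
    fi
    echo "n/a: overlay $overlay not configured"
    return 0
}

# Run every check; non-zero exit means the import would break as in the report.
check_config_export() {
    ldif="$1"; rc=0
    bad=$(find_doubled_schema_dns "$ldif")
    if [ -n "$bad" ]; then
        echo "malformed schema DN(s), drop these entries before slapadd:"
        echo "$bad"
        rc=1
    fi
    check_overlay_schema "$ldif" ppolicy ppolicy || rc=1
    return $rc
}

# Constructed sample export (values made up for this example): core schema
# loaded, ppolicy overlay on the bdb database, and the malformed ppolicy schema
# entry nested under cn=schema,cn=config twice, with its DN folded over two lines.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core

dn: cn=ppolicy,cn=schema,cn=config,cn=schema,
 cn=config
objectClass: olcSchemaConfig
cn: ppolicy

dn: olcDatabase={1}bdb,cn=config
objectClass: olcBdbConfig
olcDatabase: {1}bdb

dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
EOF
}

# Usage: sh check-config.sh /tmp/slapd-config.ldif
if [ -n "${1:-}" ]; then
    check_config_export "$1"
fi
```

Run it against the file produced by `slapcat -n0 -l /tmp/slapd-config.ldif` before wiping slapd.d; a non-zero exit means the malformed entries should be removed from the LDIF, or the missing schema (`/usr/share/openldap/schema/ppolicy.ldif` in the report) loaded first, rather than discovering the failure mid-`slapadd`.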
Comment 1 Marja Van Waes 2015-12-31 22:00:03 CET
(In reply to Buchan Milne from comment #0)
> After upgrading from 2.4.x, x<43, to 2.4.43, with a typical configuration,
> slapd would report errors, and not return data:
> 

Assigning to you, since you're the maintainer, but also CC'ing some others who've touched openldap and might want to help with openldap-2.4.43

CC: (none) => jani.valimaa, luigiwalser, mageia, mageia, marja11
Assignee: bugsquad => bgmilne
Source RPM: (none) => openldap

Comment 2 David Walser 2015-12-31 22:23:23 CET
How were you even able to test this?  2.4.43 doesn't build.
Jani Välimaa 2016-01-03 09:16:35 CET

CC: jani.valimaa => (none)

Comment 3 Buchan Milne 2019-05-12 14:06:23 CEST
The original summary was:
"OpenLDAP upgrade from 2.4.42 to 2.43 (Mageia 5 to cauldron or Mageia 6): config error processing cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config"

However, due to the last comment on the ITS referenced above, I am changing it to:
OpenLDAP upgrades using cn=config/back-config need to update schemas before becoming the default (over slapd.conf)

We should address this, or ensure it is addressed permanently upstream, before switching to cn=config/back-config by default.

(We do, as a mitigation, export the config using slapcat in %pre, but importing it in %post may not be desirable or sufficient)

Status: NEW => ASSIGNED
Summary: OpenLDAP upgrade from 2.4.42 to 2.43 (Mageia 5 to cauldron or Mageia 6): config error processing cn=ppolicy,cn=schema,cn=config,cn=schema,cn=config => OpenLDAP upgrades using cn=config/back-config need to update schemas before becoming the default (over slapd.conf)