New slapd ACLs for ns7

I published in nethserver-testing an update to nethserver-directory that simplifies the slapd ACL configuration. I really need your help to test it properly: nethserver-directory-3.1.0-1.16.gc493c8d.ns7.noarch.rpm.

/cc @stef @transocean @areguera @quality_team

The previous nethserver-directory-3.1.0 update fixed an error in the configuration that potentially allowed clear-text password disclosure. Now I want to simplify ACLs for the 7 branch to ease troubleshooting and any kind of future adjustments (until v7 eol, 2024-06-30).

The ACLs update is automatic.

Also the testing package fixes the slapd SSL ciphers to the upstream default, but a daemon restart is required for it to take effect.

I suggest this procedure to test the package:

  • create a configuration backup
  • yum --enablerepo=nethserver-testing update nethserver-directory
  • systemctl restart slapd
  • check ldap clients still connect (!) i.e. roundcube addressbook, sogo, ssh user login, external webapps…

If something goes wrong, restore the configuration backup. I tested it thoroughly on my VM, with an automated test suite. It is bundled in the RPM as documentation. You can find it with:

rpm -qd nethserver-directory

To run the tests:

yum install bats
cd /usr/share/doc/nethserver-directory-3.1.0/bats
bats *.bats

Now I need your help to validate it on your side!

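An added check that is not part of nethserver-directory or its bats suite: a small shell audit of olcAccess rules for the property the earlier fix and the test names above are about, that userPassword is never readable by anonymous or ordinary binds and that no catch-all rule precedes it. The sample ACLs are constructed for illustration, not the real NethServer rules; pointing it at the output of slapcat -b cn=config on a live server is an assumed usage.

```sh
#!/bin/sh
# Added example, not part of nethserver-directory or its bats suite.
# Audits olcAccess rules for the problem behind the earlier fix: password
# hashes readable by anonymous or by any authenticated user. slapd takes the
# first "to" clause that matches the target, so a catch-all "to *" listed
# before the userPassword rule also exposes the attribute.

# Constructed sample ACLs for demonstration; NOT the real NethServer rules.
GOOD_ACL='olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to * by * read'
BAD_ORDER_ACL='olcAccess: {0}to * by * read
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none'
BAD_GRANT_ACL='olcAccess: {0}to attrs=userPassword by self write by users read by * none'

# check_userpassword_acl LDIF_TEXT
# Returns 0 if the userPassword rule grants nothing beyond "auth" to anonymous,
# users or "*" and comes before any catch-all rule; otherwise prints the reason
# and returns 1. Wrapped LDIF lines (leading space) are unfolded first.
check_userpassword_acl() {
  printf '%s\n' "$1" |
  awk '/^ / { printf "%s", substr($0, 2); next }
       { if (NR > 1) printf "\n"; printf "%s", $0 }
       END { printf "\n" }' |
  awk '
    /^olcAccess: / {
      rule = tolower($0)
      sub(/^olcaccess: /, "", rule)
      sub(/^[{][0-9]+[}]/, "", rule)          # strip the {n} ordering prefix
      n++
      if (rule ~ /^to .*attrs=[^ ]*userpassword/) {
        if (!pw_idx) { pw_idx = n; pw_rule = rule }
      } else if (rule ~ /^to \* /) {
        if (!any_idx) any_idx = n
      }
    }
    END {
      if (!pw_idx) { print "no rule covers userPassword"; exit 1 }
      if (any_idx && any_idx < pw_idx) {
        print "catch-all \"to *\" rule precedes the userPassword rule"; exit 1
      }
      if (pw_rule ~ /by (anonymous|users|\*) (read|write|manage)/) {
        print "userPassword rule grants read or write beyond self"; exit 1
      }
    }'
}

# Assumed live usage: check_userpassword_acl "$(slapcat -b cn=config)"
check_userpassword_acl "$GOOD_ACL" && echo "sample ACL: ok"
```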

I have tried it, but after systemctl restart slapd it says:
Failed to restart slapd.service: Unit slapd.service failed to load: No such file or directory.

What does this command say?

rpm -V openldap-servers

package openldap-servers is not installed

Looks like you didn’t install nethserver-directory before! If you can, please test the package on an existing system.


Hi @davidep,

I found no access or authentication issue after installing nethserver-directory-3.1.0-1.16.gc493c8d.ns7.noarch.rpm and restarting slapd.service. I did this on a central OpenLDAP authentication server running NS 7rc2. Authentication from ejabberd, nextcloud, sogo, ssh and external webapps (trac and cacti) is working as expected. Address book access is also working as expected (both from sogo and thunderbird).

I also ran your automated tests (after installing the package and restarting slapd.service). The output is as follows:

[root@nethserver bats]# bats *.bats
✓ read userPassword field, anonymous builtin external TLS bind
✓ read userPassword field, anonymous domain external TLS bind
✓ read userPassword field, anonymous builtin local bind
✓ read userPassword field, anonymous domain local bind
✓ read userPassword field, anonymous builtin unix socket bind
✓ read userPassword field, anonymous domain unix socket bind
✓ bind with wrong suffix success, builtin domain tls remote
✓ bind with wrong suffix success, domain builtin tls remote
✓ bind with wrong suffix success, builtin domain localhost
✓ bind with wrong suffix success, domain builtin localhost
✓ read userPassword field, ldapservice builtin external TLS bind
✓ read userPassword field, ldapservice domain external TLS bind
✓ bind fail, ldapservice builtin external noTLS bind
✓ bind fail, ldapservice domain external noTLS bind
✓ read userPassword field, ldapservice builtin local bind
✓ read userPassword field, ldapservice domain local bind
✓ read userPassword field, ldapservice builtin unix socket bind
✓ read userPassword field, ldapservice domain unix socket bind
✓ read userPassword field fail, libuser builtin external TLS bind
✓ read userPassword field fail, libuser domain external TLS bind
✓ bind fail, libuser builtin external noTLS bind
✓ bind fail, libuser domain external noTLS bind
✓ read userPassword field, libuser builtin local bind
✓ read userPassword field, libuser domain local bind
✓ read userPassword field fail, libuser builtin unix socket bind
✓ read userPassword field fail, libuser domain unix socket bind
✓ libuser create user libuserunittest
✓ libuser delete user libuserunittest
✓ libuser create group libuserunittestg
✓ libuser delete group libuserunittestg
✓ rebind libuser builtin external TLS bind
✓ rebind libuser domain external TLS bind
✓ rebind bind fail, libuser builtin external, require TLS
✓ rebind bind fail, libuser domain external, require TLS
✓ rebind libuser builtin local bind
✓ rebind libuser domain local bind

36 tests, 0 failures

Thanks.


Thank you very much for your tests @areguera, @giacomo, @filippo_carletti, @hucky! We’re going to release this update soon!


Before this update, restoring the configuration errored, and this link goes to the message log:

https://drive.google.com/a/thebalesgroup.com/file/d/0BzXWUMaIvtgccDFZcExOS2U4Y00/view?usp=sharing

After the update it went fine :grinning: