[Solved] Slapd broken after latest update

Hi all,

This is just some information for the developers; I don't know if there's a trick that could solve the problem. Anyway, I can wait for an update.

I updated my NS7.2.1511rc2 server today and OpenLDAP got broken. Users still exist, but Nextcloud and all the other services are unable to work.
Here are the updated packages which broke OpenLDAP:

Nov 10 00:01:34 Updated: nethserver-sssd-1.0.8-1.ns7.noarch
Nov 10 00:01:34 Updated: nethserver-directory-3.1.0-1.ns7.noarch
Nov 10 00:01:36 Updated: nethserver-httpd-admin-2.0.4-1.ns7.noarch
Nov 10 00:01:36 Updated: nethserver-release-7-0.5.ns7.noarch
Nov 10 00:01:37 Updated: nethserver-httpd-3.1.1-1.ns7.noarch

By the way, thanks to all the developers who contribute to NS :slight_smile:

2 Likes

Thank you @stef your contribution is important too!

Please send us the output of this command

ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'

See also

http://docs.nethserver.org/projects/nethserver-devel/en/v7rc/nethserver-directory.html#inspect-openldap-acls

Hi davidep,

Thanks for taking time to share your knowledge.

The result of the command is rather long; how can I paste it so that it is easier for you to read?

Stef

For instance, I like https://gist.github.com

Hi Davide,

Maybe it is the same problem. SOGo is also installed and it works without problems.
It is not possible to access Nextcloud as a normal user. When I try, I receive an error saying that the user's password is incorrect. But it is correct. Here is the output of the command:

Regards

Uwe

What are the other services?

The Nextcloud configuration should be fixed here

The line

ldapAgentName cn=libuser,dc=directory,dc=nh";

Should be

ldapAgentName ".$sssd->bindDN();

/cc @alep @dev_team

This is a regression due to

3 Likes

I changed the line, but the problem is the same.

Regards

Uwe

Did you execute the action too?

/etc/e-smith/events/actions/nethserver-nextcloud-occ-conf ev

Yes. And now I have the next problem. I can't send mails outside via SOGo. I can open the window to write a new mail, but when I push the send button nothing happens. It looks frozen and only closing the window is possible.

Regards

Uwe

Hi

Other services are SOGo and Webmail.

@davidep

Here are the results of the command:

ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to *
 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by * none

dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to *
 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
 by dn.base="cn=Manager,dc=my-domain,dc=com" read
 by * none

dn: olcDatabase={2}hdb,cn=config
olcAccess:: {0}to attrs=userPassword
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
 by anonymous peername.ip="127.0.0.1" auth
 by anonymous ssf=71 auth
 by self write
 by * none
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
 by anonymous auth
 by self write
 by * none
olcAccess:: {1}to *
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
 by dn.exact="cn=ldapservice,dc=directory,dc=nh" read
 by users peername.ip="127.0.0.1" read
 by users ssf=71 read
 by anonymous read
 by * none
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
 by users ssf=71 read
 by anonymous read
 by * none

dn: olcDatabase={3}relay,cn=config
olcAccess:: {0}to attrs=userPassword
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
 by anonymous peername.ip="127.0.0.1" auth
 by anonymous ssf=71 auth
 by self write
 by * none
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
 by anonymous auth
 by self write
 by * none
olcAccess:: {1}to *
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
 by dn.exact="cn=ldapservice,dc=directory,dc=nh" read
 by users peername.ip="127.0.0.1" read
 by users ssf=71 read
 by anonymous read
 by * none
 by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write
 by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write
 by users ssf=71 read
 by anonymous read
 by * none

I tried these two solutions: this link, first

…and this :

/etc/e-smith/events/actions/nethserver-nextcloud-occ-conf ev

I think the problem is rather different and may be linked with ACLs, because when I try to detect the base DN I still get an error: "the base DN could not be automatically detected. Check the authentication information…", which I get from the dashboard Status > Domain accounts.

I must say I made two mistakes:

  • first, as the server has been built recently, I didn't make any backup
    yet (too late…);

  • the second one is that I deleted the original OpenLDAP config from
    Nextcloud and tried to create a new one after the updates broke it. Bad
    idea.

So don't lose too much time dealing with it: I'm responsible if it can't
be solved.

Thanks & i follow the other topic too,

Stef

Did you run the command as explained in the release-notes?

http://docs.nethserver.org/en/v7rc/release_notes.html#upgrading-rc1-to-rc2

signal-event nethserver-sssd-save

Sorry, I don’t get you! Did it fix nextcloud? :confused:

Hello,

No, I hadn't run this command:

signal-event nethserver-sssd-save

Now it's successfully done, but it didn't solve the problem.

Regards

1 Like


No. Problem is the same.

1 Like

Hi,

after a fresh install of NS7 RC2 and changing from OpenLDAP to Samba Active Directory everything works well. I have access to Nextcloud and SOGo, can send mails without problems and also have access to the user administration in Nextcloud.

Regards

Uwe

After updating to rc2 I had the same authentication issue with Nextcloud, but thanks to your tuning, Nextcloud authenticates again. On the same server I am running squid, SOGo, ejabberd and Nextcloud, but none of them, except Nextcloud, had authentication issues after updating to rc2. However, remote applications (like Apache and Cacti) configured to use OpenLDAP authentication from a central NethServer (the same one where SOGo, ejabberd and Nextcloud are) stopped authenticating. Such remote applications did authenticate before the rc2 update but no longer do now.

Have you any suggestion?

Best regards.

1 Like

We wanted to harden the system, but sometimes more security = more problems :frowning:

Execute the following command and use the obtained credentials:

perl -MNethServer::SSSD -MJSON -e '$o = NethServer::SSSD->new();
    print JSON::to_json({"BaseDN" => $o->baseDN(), 'BindDN' => $o->bindDN(),
         "BindPassword" => $o->bindPassword(), "UserDN" => $o->userDN(),
         "GroupDN" => $o->groupDN()});' | python -mjson.tool

But I think we should fix the ACLs.

I will try the following today:

  • sogo
  • nextcloud

Let me know if there is any other service with problems.

2 Likes

Confirmed. My latest updates to sssd and directory are broken.

issue 0: nextcloud config does not use NethServer::SSSD. The fix is trivial and @alep already prepared it.

issue 1: the NethServer::SSSD library returns "BindDN": "cn=ldapservice,dc=dpnet,dc=nethesis,dc=it", but ACLs on slapd are configured by dn.exact="cn=ldapservice,dc=directory,dc=nh" read. The suffix is wrong. Luckily subsequent ACLs grant access anyway and this permits apps to work, as @areguera claims.

issue 2: libuser binds from external hosts; I tried to reproduce the problem without success. Still digging…

As these issues are regressions of this one

LDAP account with read-only privileges · Issue #5145 · NethServer/dev · GitHub

What credentials did the remote applications provide to bind?

I just released a new package for nextcloud.
It should be available shortly in all mirrors.

2 Likes
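The ACL reasoning in the "issue 1" post above (the cn=ldapservice bind DN with the wrong suffix still gets in because "subsequent ACLs grant access anyway") and the inspect command posted earlier (the perl one-liner that unfolds continuation lines and decodes base64 `:: ` values) can both be checked offline with a small evaluator. The script below is an added example, not NethServer's or OpenLDAP's code. It rebuilds a folded ldapsearch dump from a constructed sample modeled on the two olcAccess values of olcDatabase={2}hdb posted above (one value plain, one base64 as slapd emits it), unfolds and decodes it the way the one-liner does, then applies slapd's first-match rule: the first `to` clause whose what-spec matches is selected, and inside it the first `by` clause whose who-specs all hold decides the access; if none holds, access is none. The `Request` model, the hypothetical user DN `uid=alice,...`, the peer address 10.0.0.5 and the ssf values are assumptions. The evaluator understands only the who/what specs that occur in the dump (no regex, set, dn.subtree or `break`/`continue` forms), so it is a model of those clauses, not a substitute for slapd's own `loglevel acl` output.

```python
"""Unfold an ldapsearch olcAccess dump, decode base64 (":: ") values, then evaluate
slapd's first-match ACL semantics for a given requester.  Added example, not
NethServer code: a simplified model that knows only the who/what specs in the dump."""
from __future__ import annotations
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modeled on the olcAccess values of olcDatabase={2}hdb above.
HDB_ACLS = [
    '{0}to attrs=userPassword by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage'
    ' by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write'
    ' by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write'
    ' by anonymous peername.ip="127.0.0.1" auth by anonymous ssf=71 auth by self write by * none',
    '{1}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage'
    ' by dn.exact="cn=pam,dc=directory,dc=nh" peername.path="/var/run/ldapi" write'
    ' by dn.exact="cn=libuser,dc=directory,dc=nh" peername.ip="127.0.0.1" write'
    ' by dn.exact="cn=ldapservice,dc=directory,dc=nh" read by users peername.ip="127.0.0.1" read'
    ' by users ssf=71 read by anonymous read by * none',
]
ACCESS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")

def build_sample_ldif() -> str:
    """Raw dump as ldapsearch prints it: one plain value, one base64 (":: ") value,
    both folded at 75 columns with a leading space on continuation lines."""
    fold = lambda s: "\n ".join(s[i:i + 75] for i in range(0, len(s), 75))
    b64 = base64.b64encode(HDB_ACLS[1].encode()).decode()
    return "dn: olcDatabase={2}hdb,cn=config\n%s\n%s\n" % (fold("olcAccess: " + HDB_ACLS[0]), fold("olcAccess:: " + b64))

def unfold_ldif(text: str) -> list[tuple[str, str]]:
    """Join continuation lines and decode base64 values: the perl one-liner's job."""
    pairs = []
    for line in re.sub(r"\n ", "", text).splitlines():
        if line:
            attr, sep, value = re.match(r"^([\w.;-]+)(::?) ?(.*)$", line).groups()
            pairs.append((attr, base64.b64decode(value).decode() if sep == "::" else value))
    return pairs

def parse_acl(value: str):
    """'{n}to <what> by <who...> <access> by ...' -> (what, [(who-specs, access), ...])."""
    head, *clauses = re.split(r"\s+by\s+", re.sub(r"^\{\d+\}", "", value).strip())
    assert head.startswith("to "), value
    by = [(c.split()[:-1], c.split()[-1]) for c in clauses]
    assert all(a in ACCESS for _, a in by), value
    return head.split()[1:], by

@dataclass
class Request:
    bind_dn: Optional[str]        # None = anonymous (also the state during a simple bind)
    target_dn: str
    attr: Optional[str] = None    # None = entry-level access
    peer_ip: Optional[str] = None
    peer_path: Optional[str] = None
    ssf: int = 0                  # security strength factor, 0 = no TLS

def _norm(dn: str) -> str:
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def who_matches(who: list[str], req: Request) -> bool:
    """Every spec in one `by` clause must hold (slapd ANDs them); unknown specs raise KeyError."""
    dn = _norm(req.bind_dn) if req.bind_dn is not None else None
    for spec in who:
        key, _, val = spec.partition("=")
        val = val.strip('"')
        if not {"*": True, "anonymous": dn is None, "users": dn is not None,
                "self": dn == _norm(req.target_dn), "dn.exact": dn == _norm(val),
                "dn.base": dn == _norm(val), "peername.ip": req.peer_ip == val,
                "peername.path": req.peer_path == val,
                "ssf": req.ssf >= (int(val) if key == "ssf" else 0)}[key]:
            return False
    return True

def evaluate(acls, req: Request):
    """slapd selects the first `to` whose what matches, then the first matching `by` in it;
    no matching `by` means none (the implicit `by * none`). Returns (access, to-idx, by-idx)."""
    for i, (what, by) in enumerate(acls):
        attrs = what[0].removeprefix("attrs=").lower().split(",")  # only `*` and attrs= modeled
        if what != ["*"] and (req.attr is None or req.attr.lower() not in attrs):
            continue
        for j, (who, access) in enumerate(by):
            if who_matches(who, req):
                return access, i, j
        return "none", i, None
    return "none", -1, None

def demo() -> dict[str, str]:
    acls = [parse_acl(v) for a, v in unfold_ldif(build_sample_ldif()) if a == "olcAccess"]
    user = "uid=alice,ou=People,dc=directory,dc=nh"      # hypothetical user entry
    wrong = "cn=ldapservice,dc=dpnet,dc=nethesis,dc=it"   # the suffix mismatch from issue 1
    cases = {  # a simple bind needs `auth` on userPassword while the connection is still anonymous
        "remote simple bind, no TLS": Request(None, user, "userPassword", peer_ip="10.0.0.5"),
        "remote simple bind, TLS": Request(None, user, "userPassword", peer_ip="10.0.0.5", ssf=128),
        "ldapservice (wrong suffix) search, TLS": Request(wrong, user, peer_ip="10.0.0.5", ssf=128),
        "ldapservice (wrong suffix) search, no TLS": Request(wrong, user, peer_ip="10.0.0.5"),
        "anonymous search, no TLS": Request(None, user, peer_ip="10.0.0.5"),
        "user writes own userPassword, TLS": Request(user, user, "userPassword", peer_ip="10.0.0.5", ssf=128),
    }
    return {name: evaluate(acls, req)[0] for name, req in cases.items()}
```

Running `demo()` shows the wrong-suffix DN from issue 1 getting `read` over TLS through `by users ssf=71 read` rather than through its own `dn.exact` clause, and a remote simple bind being granted `auth` on userPassword only when the connection has ssf >= 71 (or comes from 127.0.0.1), so whether a remote application binds with TLS/STARTTLS is one thing worth checking on a host that stopped authenticating after the update. The doubled halves of the posted values are not reproduced in the sample because, under first-match, everything after the first `by * none` in a clause is unreachable.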