[Solved] Slapd broken after latest update

Hi all,

This is just an information for developpers, i don’t know if there’s a trick that could solve the problem ; anyway i can wait an update.

I updated my NS7.2.1511rc2 server today and openldap got broken. Users are still existing but nextcloud and all other services are unable to work.
Here are the packages updated which broke openldap :

Nov 10 00:01:34 Updated: nethserver-sssd-1.0.8-1.ns7.noarch
Nov 10 00:01:34 Updated: nethserver-directory-3.1.0-1.ns7.noarch
Nov 10 00:01:36 Updated: nethserver-httpd-admin-2.0.4-1.ns7.noarch
Nov 10 00:01:36 Updated: nethserver-release-7-0.5.ns7.noarch
Nov 10 00:01:37 Updated: nethserver-httpd-3.1.1-1.ns7.noarch

By the way, thanks to all developpers who contribute to NS :slight_smile:

2 Likes

Thank you @stef your contribution is important too!

Please send us the output of this command

ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'

See also

http://docs.nethserver.org/projects/nethserver-devel/en/v7rc/nethserver-directory.html#inspect-openldap-acls

Hi davidep,

Thanks for taking time to share your knowledge.

The result of the command is rather long ; how can i paste it so that it could be easier to read for you ?

Stef

For instance, I like https://gist.github.com

Hi Davide,

maybe it is the same problem. Sogo is also installed and it works without problems.
It is not possible to get access to nextcloud as a normal user. When i will do this i received the next error what means the password of the user is incorrect. But it is correct. Hier is the output of the command:

Regards

Uwe

What are the other services?

The Nextcloud configuration should be fixed here

The line

ldapAgentName cn=libuser,dc=directory,dc=nh";

Should be

ldapAgentName ".$sssd->bindDN();

/cc @alep @dev_team

This is a regression due to

3 Likes

I changed the line, but the problem is the same.

Regards

Uwe

Did you execute the action too?

/etc/e-smith/events/actions/nethserver-nextcloud-occ-conf ev

Yes. And now i have the next problem. I cant send mails outside via Sogo. I can open the window to write a new mail. But whne i push the button send, nothing will go on. It looks like frozen and only closing of the window is possible.

Regards

Uwe

Hi

Other services are SOGo and Webmail.

@davidep

These are the results expected from the command :

ldapsearch -LLL -Y EXTERNAL -b cn=config -s one
’objectClass=olcDatabaseConfig’ olcAccess 2>/dev/null | perl
-MMIME::Base64 -MEncode=decode -n -00 -e ‘s/\n +//g;s/(?<=::
)(\S+)/decode(“UTF-8”,decode_base64($1))/eg;print’

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by
dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
manage by * none

dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by
dn.base=“gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth” read
by dn.base=“cn=Manager,dc=my-domain,dc=com” read by * none

dn: olcDatabase={2}hdb,cn=config
olcAccess:: {0}to attrs=userPassword by
dn.exact=“gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
manage by dn.exact=“cn=pam,dc=directory,dc=nh"
peername.path=”/var/run/ldapi” write by
dn.exact=“cn=libuser,dc=directory,dc=nh” peername.ip=“127.0.0.1” write
by anonymous peername.ip=“127.0.0.1” auth by anonymous ssf=71 auth by
self write by * none by dn.exact=“cn=pam,dc=directory,dc=nh"
peername.path=”/var/run/ldapi" write by
dn.exact=“cn=libuser,dc=directory,dc=nh” peername.ip=“127.0.0.1” write
by anonymous auth by self write by * none
olcAccess:: {1}to * by
dn.exact=“gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
manage by dn.exact=“cn=pam,dc=directory,dc=nh"
peername.path=”/var/run/ldapi” write by
dn.exact=“cn=libuser,dc=directory,dc=nh” peername.ip=“127.0.0.1” write
by dn.exact=“cn=ldapservice,dc=directory,dc=nh” read by users
peername.ip=“127.0.0.1” read by users ssf=71 read by anonymous read by

  • none by dn.exact=“cn=pam,dc=directory,dc=nh"
    peername.path=”/var/run/ldapi" write by
    dn.exact=“cn=libuser,dc=directory,dc=nh” peername.ip=“127.0.0.1” write
    by users ssf=71 read by anonymous read by * none

dn: olcDatabase={3}relay,cn=config
olcAccess:: {0}to attrs=userPassword by
dn.exact=“gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
manage by dn.exact=“cn=pam,dc=directory,dc=nh"
peername.path=”/var/run/ldapi” write by
dn.exact=“cn=libuser,dc=directory,dc=nh” peername.ip=“127.0.0.1” write
by anonymous peername.ip=“127.0.0.1” auth by anonymous ssf=71 auth by
self write by * none by dn.exact=“cn=pam,dc=directory,dc=nh"
peername.path=”/var/run/ldapi" write by
dn.exact=“cn=libuser,dc=directory,dc=nh” peername.ip=“127.0.0.1” write
by anonymous auth by self write by * none
olcAccess:: {1}to * by
dn.exact=“gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
manage by dn.exact=“cn=pam,dc=directory,dc=nh"
peername.path=”/var/run/ldapi” write by
dn.exact=“cn=libuser,dc=directory,dc=nh” peername.ip=“127.0.0.1” write
by dn.exact=“cn=ldapservice,dc=directory,dc=nh” read by users
peername.ip=“127.0.0.1” read by users ssf=71 read by anonymous read by

  • none by dn.exact=“cn=pam,dc=directory,dc=nh"
    peername.path=”/var/run/ldapi" write by
    dn.exact=“cn=libuser,dc=directory,dc=nh” peername.ip=“127.0.0.1” write
    by users ssf=71 read by anonymous read by * none

I tried these two solutions : this link, first

…and this :

/etc/e-smith/events/actions/nethserver-nextcloud-occ-conf ev

I think the problem is rather different and may be linked with ACLs
because when i try to detect the base DN, i still get an error : “the
base DN could not be automatically detected. Check the informations of
authentification…” which i get from the dashboard Status > Domain accounts

I must say i made two mistakes :

  • first, as the server as been build recently i didn’t make any backup
    yet (too late…) ;

  • the second one is that i deleted the original OpenLDAP config from
    nextcloud and tried to create a new one after the updates broke it. Bad
    idea.

So don’t loose too many time dealing with it : i’m responsible if it
can’t be solved.

Thanks & i follow the other topic too,

Stef

Did you run the command as explained in the release-notes?

http://docs.nethserver.org/en/v7rc/release_notes.html#upgrading-rc1-to-rc2

signal-event nethserver-sssd-save

Sorry, I don’t get you! Did it fix nextcloud? :confused:

Hello,

No, i didn’t had done this command

signal-event nethserver-sssd-save

Now it’s successfully done, but didn’t solve the problem.

Regards

1 Like

[quote=“davidep, post:12, topic:4932, full:true”]

No. Problem is the same.

1 Like

Hi,

after fresh install of NS7 RC2 and changing from OpenLDAP to Samba Active Directory everything works good. I have access to Nextcloud and SOGo, can send mails without problems and have also access to the user administration in Nextcloud.

Regards

Uwe

After updating to rc2 I presented the same authentication issue with nextcloud but thank to your tunning, Nextcloud authenticated again. In the same server I am running squid, sogo, ejabberd and nextclound but none of them, except nextcloud, presented authentication issues after updating to rc2. However, remote applications (like Apache and Cacti) configured to use openLDAP authentication from a central nethserver (the same where sogo, ejabberd and nextcloud are in) stopped authenticating. Such remote applications did authenticate before the rc2 update but no longer now.

Have you any suggestion?

Best regards.

1 Like

We wanted to harden the system, but sometimes more security = more problems :frowning:

Execute the following command and use the obtained credentials:

perl -MNethServer::SSSD -MJSON -e '$o = NethServer::SSSD->new();
    print JSON::to_json({"BaseDN" => $o->baseDN(), 'BindDN' => $o->bindDN(),
         "BindPassword" => $o->bindPassword(), "UserDN" => $o->userDN(),
         "GroupDN" => $o->groupDN()});' | python -mjson.tool

But I think we should fix the ACLs.

I will try the following today:

  • sogo
  • nextcloud

Let me know if there is any other service with problems.

2 Likes

Confirmed. My latest updates to sssd and directory are broken.

issue 0: nextcloud config does not use NethServer::SSSD. The fix is trivial and @alep already prepared it.

issue 1: the NethServer::SSSD library returns "BindDN": "cn=ldapservice,dc=dpnet,dc=nethesis,dc=it", but ACLs on slapd are configured by dn.exact="cn=ldapservice,dc=directory,dc=nh" read. The suffix is wrong. Luckily subsequent ACLs grant access anyway and this permits apps to work, as @areguera claims.

issue 2: libuser binds from external hosts; I tried to reproduce the problem without success. Still digging…

As these issues are regressions of this one

https://github.com/NethServer/dev/issues/5145

What credentials did the remote applications provide to bind?

I just released a new package for nextcloud.
It should be available shortly in all mirrors.

2 Likes