Submitted by streamlined.biz on Mon, 10/30/2017 - 04:12
Reproducing: Change the Webmin -> Servers -> "LDAP Server" -> "OpenLDAP Server Configuration" -> "New administration password". "Save" changes, then "Apply Configuration".
Run slapcat -n 0.
Observed: stderr message about checksum:
59f6ec0c ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif"
Expected:
No error messages.
Alternatively check the content of the file /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif before and after password change.
Workaround: not yet.
Environment:
Operating system Debian Linux 9
Webmin version 1.860
Virtualmin version 6.01
slapd 2.4.44
Perl version 5.024001
BIND version 9.10
Postfix version 3.1.6
Apache version 2.4.25
PHP versions 7.0.19
Webalizer version 2.23-08
Logrotate version 3.11.0
MySQL version 10.1.26-MariaDB-0+deb9u1
SpamAssassin version 3.4.1
ClamAV version 0.99.2
Status:
Active
Comments
Submitted by streamlined.biz on Mon, 10/30/2017 - 04:13 Comment #1
Submitted by JamieCameron on Mon, 10/30/2017 - 17:18 Comment #2
Does /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif contain the password on your system?
Submitted by streamlined.biz on Tue, 10/31/2017 - 01:24 Comment #3
Yes, this has the password; the password hash inside the file is changed, while the checksum is not.
Workaround: use ldapmodify to change the password, then the checksum is correctly updated.
Submitted by JamieCameron on Wed, 11/01/2017 - 18:36 Comment #4
Which file is the checksum in - is it another attribute in that file, or stored separately?
Webmin intentionally doesn't use ldapmodify, as it may not have access to change the LDAP password.
Submitted by streamlined.biz on Thu, 11/02/2017 - 07:24 Comment #5
Hi, both - passhash and checksum - are in the ldif, here: /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
Please see the sample:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 aa2d7ad0
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
 e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: xxxxxxxxxxxxxxxxxxx secretly snipped xxxxxxxxxxxxxxxxxxxxx=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: uniqueMember eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: XXXXXXXXXXXXXXXxxxxxxxxxxxxxxxxxxxXXXXXXXXXXX
creatorsName: cn=admin,cn=config
createTimestamp: 20171030114340Z
entryCSN: 20171030130212.514030Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171030130212Z
Submitted by streamlined.biz on Thu, 11/02/2017 - 06:46 Comment #6
In any case, after manipulation from the VMin GUI, the password is changed in this file, while the checksum is not. Cheers,
Submitted by JamieCameron on Sat, 11/04/2017 - 01:09 Comment #7
The checksum is the line # CRC32 aa2d7ad0 at the top, right?
Submitted by streamlined.biz on Sun, 11/05/2017 - 01:10 Comment #8
Yes, this is the right line. After using ldapmodify it changes accordingly. I tried to generate the checksum for the rest of the file and place it here, with no good result so far. I think this might work, I did not try it hard enough before using ldapmodify.
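Added example, not part of the original thread and not Webmin or OpenLDAP code: a checker for the "# CRC32" header discussed above, showing why an in-place edit of olcRootPW trips the checksum error. It assumes the value is a standard CRC-32 (the zlib one) over every byte after the two header comment lines; the function names and the sample LDIF are constructed for illustration.

```python
import re
import zlib

# Header layout as shown in the sample posted in the thread.
BANNER = b"# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
CRC_LINE = re.compile(rb"# CRC32 ([0-9a-f]{8})\n")


def split_ldif(data: bytes):
    """Return (stored_crc, body); raise ValueError if the header is absent."""
    if not data.startswith(BANNER):
        raise ValueError("missing AUTO-GENERATED banner")
    m = CRC_LINE.match(data, len(BANNER))
    if m is None:
        raise ValueError("missing or malformed '# CRC32' line")
    return int(m.group(1), 16), data[m.end():]


def body_crc(body: bytes) -> int:
    # ASSUMPTION: standard CRC-32 (as in zlib) over all bytes after the header.
    return zlib.crc32(body) & 0xFFFFFFFF


def check(data: bytes) -> bool:
    """True when the stored header value matches the current body."""
    stored, body = split_ldif(data)
    return stored == body_crc(body)


def with_fixed_crc(data: bytes) -> bytes:
    """Rebuild the file with a header that matches its current body."""
    _, body = split_ldif(data)
    return BANNER + b"# CRC32 %08x\n" % body_crc(body) + body


# Constructed sample, not a real configuration.
BODY = (b"dn: olcDatabase={1}mdb\n"
        b"olcRootDN: cn=admin,dc=example,dc=com\n"
        b"olcRootPW: {SSHA}CONSTRUCTED-PLACEHOLDER\n")
GOOD = BANNER + b"# CRC32 %08x\n" % body_crc(BODY) + BODY
# Simulate an in-place edit of olcRootPW that leaves the header untouched.
EDITED = GOOD.replace(b"CONSTRUCTED-PLACEHOLDER", b"CONSTRUCTED-NEW-VALUE")

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("edited", EDITED),
                       ("repaired", with_fixed_crc(EDITED))):
        print(name, "checksum ok" if check(blob) else "checksum error")
```

Run against a copy of the real file (read in binary mode) before touching anything under slapd.d; a mismatch reported by check() corresponds to the ldif_read_file error in the report.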