majewsky / portunus

Self-contained user/group management and authentication service
GNU General Public License v3.0

OpenLDAP 2.6.3 -> 2.6.4 #14

Closed acarrico closed 1 year ago

acarrico commented 1 year ago

I've been experimenting with dovecot + portunus/openldap. The authentication works fine, except that the dovecot auth-worker process dumps core in libldap when slapd closes. As a result I tried against a newer OpenLDAP. Portunus seems to have trouble connecting to OpenLDAP 2.6.4:

Apr 05 14:42:14 silver systemd[1]: Started Self-contained authentication service.
Apr 05 14:42:14 silver portunus-orchestrator[2713016]: 2023/04/05 14:42:14 INFO: starting LDAP server
Apr 05 14:42:14 silver slapd[2713025]: @(#) $OpenLDAP: slapd 2.6.4 (Feb  8 2023 21:35:07) $
                                               openldap
Apr 05 14:42:14 silver portunus-orchestrator[2713024]: 2023/04/05 14:42:14 INFO: cannot connect to LDAP server (attempt 6/10): LDAP Result Code 200 "Network Error": dial tcp [::1]:636: connect: connection refused
Apr 05 14:42:15 silver slapd[2713025]: slapd starting
Apr 05 14:42:15 silver slapd[2713025]: conn=1000 fd=12 ACCEPT from IP=[::1]:51440 (IP=[::]:636)
Apr 05 14:42:15 silver slapd[2713025]: conn=1000 fd=12 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Apr 05 14:42:15 silver slapd[2713025]: conn=1000 op=0 BIND dn="cn=portunus,dc=silver" method=128
Apr 05 14:42:15 silver slapd[2713025]: conn=1000 op=0 RESULT tag=97 err=49 qtime=0.000032 etime=0.000336 text=
Apr 05 14:42:15 silver portunus-orchestrator[2713024]: 2023/04/05 14:42:15 INFO: cannot connect to LDAP server (attempt 7/10): LDAP Result Code 49 "Invalid Credentials":

The exact same Portunus configuration works fine with OpenLDAP 2.6.3:

Apr 05 14:51:52 silver systemd[1]: Started Self-contained authentication service.
Apr 05 14:51:52 silver portunus-orchestrator[2713590]: 2023/04/05 14:51:52 INFO: starting LDAP server
Apr 05 14:51:53 silver portunus-orchestrator[2713606]: 2023/04/05 14:51:53 INFO: cannot connect to LDAP server (attempt 6/10): LDAP Result Code 200 "Network Error": dial tcp [::1]:636: connect: connection refused
Apr 05 14:51:53 silver slapd[2713607]: @(#) $OpenLDAP: slapd 2.6.3 (Jul 14 2022 18:37:34) $
                                               openldap
Apr 05 14:51:53 silver portunus-orchestrator[2713606]: 2023/04/05 14:51:53 INFO: cannot connect to LDAP server (attempt 7/10): LDAP Result Code 200 "Network Error": dial tcp [::1]:636: connect: connection refused
Apr 05 14:51:53 silver slapd[2713607]: slapd starting
Apr 05 14:51:54 silver slapd[2713607]: conn=1000 fd=12 ACCEPT from IP=[::1]:56278 (IP=[::]:636)
Apr 05 14:51:54 silver slapd[2713607]: conn=1000 fd=12 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Apr 05 14:51:54 silver slapd[2713607]: conn=1000 op=0 BIND dn="cn=portunus,dc=silver" method=128
Apr 05 14:51:54 silver slapd[2713607]: conn=1000 op=0 BIND dn="cn=portunus,dc=silver" mech=SIMPLE bind_ssf=0 ssf=256
Apr 05 14:51:54 silver slapd[2713607]: conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000032 etime=0.028518 text=
Apr 05 14:51:54 silver portunus-orchestrator[2713606]: 2023/04/05 14:51:54 INFO: connected to LDAP server
Apr 05 14:51:54 silver slapd[2713607]: conn=1000 op=1 ADD dn="dc=silver"
Apr 05 14:51:54 silver slapd[2713607]: conn=1000 op=1 RESULT tag=105 err=0 qtime=0.000035 etime=0.000514 text=
Apr 05 14:51:54 silver slapd[2713607]: conn=1000 op=2 ADD dn="ou=users,dc=silver"
Apr 05 14:51:54 silver slapd[2713607]: conn=1000 op=2 RESULT tag=105 err=0 qtime=0.000030 etime=0.000349 text=
Apr 05 14:51:54 silver slapd[2713607]: conn=1000 op=3 ADD dn="ou=groups,dc=silver"
...

The OpenLDAP configuration doesn't seem to change from 2.6.3->2.6.4. I'm running out of time and energy to experiment with LDAP for now, but I thought I'd open this issue to give a heads up for anyone planning to try Portunus with 2.6.4.

acarrico commented 1 year ago

@SuperSandro2000 this may affect you.

SuperSandro2000 commented 1 year ago

I think this could be related to the recent libxcrypt changes. Can you give cherry-picking https://github.com/SuperSandro2000/nixpkgs/commit/8ad4889c165be2ac08f4a8476714574a16e36e7f a try?

I think portunus is inserting sha256 crypt hashes and that's why it is affected.
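An added example, not part of this thread or of the Portunus code, for the sha256-crypt hashes the comment above refers to: sha256-crypt ("$5$") reimplemented in pure Python from the public specification, so a stored `{CRYPT}$5$...` userPassword value can be verified independently of the system's libxcrypt and compared with what slapd's crypt(3) accepts. The `{CRYPT}` prefix is assumed from the comment, and the function names are mine.

```python
import hashlib
import hmac
import re

ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]

def _b64(b2: int, b1: int, b0: int, n: int) -> str:
    # crypt's own base64: 24 bits emitted low 6 bits first, no padding.
    w = (b2 << 16) | (b1 << 8) | b0
    return "".join(ALPHABET[(w >> (6 * i)) & 0x3F] for i in range(n))

def sha256_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    salt = salt[:16]                     # the spec caps the salt at 16 bytes
    b = hashlib.sha256(password + salt + password).digest()
    a = hashlib.sha256(password + salt)
    for n in range(len(password), 0, -32):   # one B per 32 password bytes, remainder truncated
        a.update(b[:min(32, n)])
    n = len(password)
    while n > 0:                         # per bit of len(password): B for 1, password for 0
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha256(password * len(password)).digest()
    p = (dp * (len(password) // 32 + 1))[:len(password)]
    ds = hashlib.sha256(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 32 + 1))[:len(salt)]
    c = a
    for r in range(rounds):              # key stretching; round schedule from the spec
        h = hashlib.sha256(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    enc = "".join(_b64(c[i], c[j], c[k], 4) for i, j, k in ORDER) + _b64(0, c[31], c[30], 3)
    prefix = "$5$" if rounds == 5000 else f"$5$rounds={rounds}$"
    return prefix + salt.decode() + "$" + enc

def verify_ldap_crypt(user_password: str, candidate: str) -> bool:
    # Parse the {CRYPT}$5$[rounds=N$]salt$hash form stored in userPassword (assumed layout).
    m = re.fullmatch(r"\{CRYPT\}\$5\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]{43})", user_password)
    if not m:
        return False                     # another scheme or a damaged value
    rounds = int(m.group(1)) if m.group(1) else 5000
    expected = sha256_crypt(candidate.encode(), m.group(2).encode(), rounds)
    return hmac.compare_digest(expected.rsplit("$", 1)[1], m.group(3))
```

If a value that verifies here is rejected by slapd with err=49, the crypt(3) backend slapd was built against, not the stored hash, is the thing to inspect.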

acarrico commented 1 year ago

Yes, your patch fixes the issue with Portunus (so I'm closing as it seems to be a NixOS issue). I still get a dovecot auth-worker core dump with 2.6.4, but that is a separate issue. Good work @SuperSandro2000.