osixia / docker-openldap

OpenLDAP container image 🐳🌴
MIT License

custom ldif file to change encryption to argon2 is ignored at startup, manually works #570

Closed jonathanmmm closed 3 years ago

jonathanmmm commented 3 years ago

Hi, I followed the example shown in https://github.com/osixia/docker-openldap/issues/347

and have the following files

custom.ldif

```ldif
# disable anonymous login
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

# enable argon2
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {0}pw-argon2

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {ARGON2}
```
docker-compose.yml

```yaml
version: '3.9'
services:
  openldap:
    container_name: openldap
    image: osixia/openldap-backup:stable
    volumes:
      - ./backup:/data/backup
      - ./data:/var/lib/ldap
      - ./config:/etc/ldap/slapd.d
      - ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom
    environment:
      - LDAP_LOG_LEVEL=256
      - LDAP_ORGANISATION=My Website
      - LDAP_DOMAIN=my-website.com
      - LDAP_BASE_DN=dc=my-website,dc=com
      - LDAP_READONLY_USER=true
      - LDAP_READONLY_USER_USERNAME=cn=readonlyuser,dc=my-website,dc=com
      - LDAP_READONLY_USER_PASSWORD=longpasswordinplaintext
      - LDAP_ADMIN_PASSWORD=longpasswordinplaintext
      - LDAP_CONFIG_PASSWORD=longpasswordinplaintext
      - KEEP_EXISTING_CONFIG=false
      - LDAP_TLS=false
      - LDAP_REMOVE_CONFIG_AFTER_SETUP=false
    command: "--copy-service"
    networks:
      - openldap
networks:
  openldap:
    name: openldap
    internal: true
    driver_opts:
      com.docker.network.bridge.name: openldap0
```

The first strange thing is that if I use `docker-compose up` and the config, data and backup folders do not exist yet (just config; the same happens without the config folder), the container exits with `*** ERROR | 2021-06-18 10:30:39 | /container/run/startup/slapd failed with status 32`

I then just use `docker-compose up` again and it works. This only happens when I first set it up; later, when the data is there, it does not happen.

The passwords in my container, seen through ldapsearch, that I set with an LDAPv3 Password Modify client (Keycloak; I enabled it there, and when I disable it inside Keycloak passwords get saved in plaintext, so it works): it always saves passwords for new users, and even when I change them, as SSHA (checked via `echo passwordstringfromldapsearch | base64 -d`).

Do I have an error in the custom.ldif config file? Do I have to split it into multiple files? I don't know what I should try. I am using Debian 10, docker-compose version 1.29.2, Docker version 20.10.7.

If somebody could please help me, that would be great, thanks :)

I got it enabled through the following and changing passwords in keycloak work as intended:

```shell
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /container/service/slapd/assets/config/bootstrap/ldif/custom/custom.ldif
```

I don't know if ldapmodify is better? I thought LDIF files in the custom folder should be used automatically. Does it have something to do with the exit 32 at the very first startup?

Should I write something like `command: "--copy-service && ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /container/service/slapd/assets/config/bootstrap/ldif/custom/custom.ldif"` into the docker-compose file to fix it?
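The hash-scheme check from the post above, written out as an added example (not code from the osixia project or the poster): OpenLDAP's ldapsearch always emits userPassword base64-encoded (`userPassword:: ...`), so the `{SCHEME}` prefix only shows after decoding. The LDIF sample below is constructed and shortened; the function names are this example's own.

```shell
#!/bin/sh
# Report the password hash scheme stored for each entry in ldapsearch output,
# so a switch of olcPasswordHash to {ARGON2} can be verified entry by entry.

# Constructed sample of `ldapsearch -LLL ... userPassword` output (not real
# hashes): alice still carries an SSHA hash from before the change, bob was
# re-hashed after it.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=my-website,dc=com
userPassword:: e1NTSEF9YWJjZGVm

dn: uid=bob,ou=people,dc=my-website,dc=com
userPassword:: e0FSR09OMn0kYXJnb24yaWQkeHl6
'

# Extract the "{SCHEME}" prefix of a decoded userPassword value; a value
# without one is stored in cleartext.
scheme_of() {
    case "$1" in
        {*}*) printf '%s\n' "$1" | sed 's/}.*$/}/' ;;
        *) printf 'CLEARTEXT\n' ;;
    esac
}

# Read LDIF on stdin and print "<dn> <scheme>" per entry. Live usage:
#   ldapsearch -LLL -x -D cn=admin,... -w ... -b ... userPassword | password_schemes
password_schemes() {
    dn=''
    while IFS= read -r line; do
        case "$line" in
            dn:\ *) dn=${line#dn: } ;;
            userPassword::\ *)   # base64-encoded value, decode first
                value=$(printf '%s' "${line#userPassword:: }" | base64 -d)
                printf '%s %s\n' "$dn" "$(scheme_of "$value")" ;;
            userPassword:\ *)    # value printed as-is
                printf '%s %s\n' "$dn" "$(scheme_of "${line#userPassword: }")" ;;
        esac
    done
}

# Count sample entries NOT yet using the given scheme (e.g. '{ARGON2}');
# a non-zero result means old hashes remain until those users re-set passwords.
count_not_scheme() {
    printf '%s' "$SAMPLE_LDIF" | password_schemes | grep -vc " $1\$"
}
```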

jonathanmmm commented 3 years ago

Got it to work, if somebody wants to know I can help with what ldif I used.

adrianplavka commented 3 years ago

This happened to me as well: I was trying to enable Argon2 using the above syntax through LDIF and it failed on startup. On the next startup everything worked fine, but the LDIF files were ignored after the failure.

What worked for me: I hadn't realized I had an older version of the osixia/openldap image. Updating it to the current version (1.5.0) resolved this issue, as Argon2 was enabled somewhere in between versions.