docker-openldap icon indicating copy to clipboard operation
docker-openldap copied to clipboard
verified publisher icon osixia

regression in back sql and ssh public key code paths

Open lmaddox opened this issue 1 month ago • 0 comments

Mega-Report: Critical Bugs in osixia/openldap with LDAP_BACKEND: sql Configuration

Based on the persistent failure to bootstrap a new schema and the inability to manually authenticate as the Configuration Admin, the following three bugs appear to be present in the latest versions of the image:

  1. Configuration Admin Password (LDAP_CONFIG_PASSWORD) is Ignored and Overridden

Problem: Despite explicitly setting LDAP_CONFIG_PASSWORD: abc123 in the docker-compose.yaml (and mounting persistent volumes), the OpenLDAP server consistently generates and uses a new, random {SSHA} hash for the Configuration Administrator (cn=admin,cn=config).

Evidence: All attempts to bind as cn=admin,cn=config using the plaintext abc123 failed with ldap_bind: Invalid credentials (49). This confirms the environment variable is being ignored or overridden by the OLC generation process.

Impact: Prevents secure, predictable, and automated management of the configuration database (OLC).
  1. Failure of Automated Schema Bootstrap when LDAP_BACKEND: sql is Set

Problem: When LDAP_BACKEND is set to sql, the bootstrap process appears to fail or abort before reaching the custom LDIFs intended for schema loading.

Files Affected: openssh-schema-load.ldif and the necessary backsql-config.ldif in the custom LDIF directory were not applied on startup.

Evidence: Manual intervention was required (and failed) to load the schema, proving the automated process did not complete its task despite the files being in the correct mounted location (/container/service/slapd/assets/config/bootstrap/ldif/custom).

Likely Cause: A race condition or dependency failure where the OLC configuration (specifically loading the back_sql module) blocks or terminates the subsequent custom LDIF loading process.
  1. Critical Client/Server Incompatibility (The Bind Failure Loop)

Problem: The OpenLDAP client utility (ldapadd) running inside the container is unable to authenticate as the Configuration Admin, even when given the server's own verified, live {SSHA} hashed password string.

Evidence:

    The hash was retrieved directly from the server's running configuration files (e.g., grep '^olcRootPW').

    Attempts to bind using the standard password flag (-w "HASH") failed with Invalid credentials (49).

    Attempts to bind using the highly robust, internal password-file method (-y /tmp/hash.txt + chmod 600 + printf %s to prevent newlines) also failed with persistent Invalid credentials (49).

Impact: Makes manual schema modification impossible via standard LDAP tools, creating an unrecoverable state when the automated bootstrap fails. This points to a severe bug in how the client interprets the hash string provided by the server.

Summary for the Report

You can combine these into a single report, noting that Bug 1 (Password Ignored) forced you into the manual attempt, and the combination of Bug 2 (Bootstrap Failure) and Bug 3 (Client Incompatibility) resulted in the completely blocked state you experienced.

lmaddox avatar Dec 01 '25 23:12 lmaddox