
Unable to configure hashing with the pw-pbkdf2 module

Open amuckart opened this issue 1 year ago • 0 comments

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.30.0
  • Ruby: 2.7.5
  • Distribution: Ubuntu 22.04
  • Module version: 7.0.2

How to reproduce (e.g. Puppet code you use)

Configure PasswordHash to PBKDF2-SHA512

    openldap::server::module { 'pw-pbkdf2':
      ensure => present,
    }

    openldap::server::globalconf { 'PasswordHash':
      ensure => present,
      value  => { 'PasswordHash' => '{PBKDF2-SHA512}' },
    }

What are you seeing

This happens because of this OpenLDAP not-a-bug.

Puppet run fails:

Error: Could not prefetch openldap_global_conf provider 'olc': Execution of '/usr/sbin/slapcat -b cn=config -o ldif-wrap=no -H ldap:///???(objectClass=olcGlobal)' returned 1: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({PBKDF2-SHA512})

The problem is that there doesn't seem to be any other way to set olcPasswordHash with this puppet module, or to specify the hashing algorithm for {CRYPT}.

What behaviour did you expect instead

  • It would be good if this limitation were documented in the module docs.
  • It would be better if the PBKDF2-SHA512 config could be added to the frontend database configuration with this module.
  • The ability to set password-crypt-salt-format as per slapd.conf(5) to allow people to select which hashing method to use would also be good.

Output log

Info: Using environment 'my-org'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from my-org-prod-puppet7.my-org.org:8140 (XXX.XXX.XXX.XXX)
Notice: Catalog compiled by puppet.my-org.org
Info: Caching catalog for my-org-ldapserver.mgmt.my-org.org
Info: Applying configuration version '1717466906'
Error: Could not prefetch openldap_global_conf provider 'olc': Execution of '/usr/sbin/slapcat -b cn=config -o ldif-wrap=no -H ldap:///???(objectClass=olcGlobal)' returned 1: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({PBKDF2-SHA512})
olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
config error processing cn=config: <olcPasswordHash> no valid hashes found
slapcat: bad configuration file!
Warning: /Stage[main]/Openldap::Server::Slapdconf/Openldap::Server::Globalconf[TLSCertificate]/Openldap_global_conf[TLSCertificate]: Skipping because provider prefetch failed
Warning: /Stage[main]/Openldap::Server::Slapdconf/Openldap::Server::Globalconf[TLSCACertificateFile]/Openldap_global_conf[TLSCACertificateFile]: Skipping because provider prefetch failed
Error: Could not prefetch openldap_database provider 'olc': Execution of '/usr/sbin/slapcat -b cn=config -o ldif-wrap=no -H ldap:///???(|(olcDatabase=monitor)(olcDatabase={0}config)(&(objectClass=olcDatabaseConfig)(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig)(objectClass=olcMdbConfig)(objectClass=olcMonitorConfig)(objectClass=olcRelayConfig)(objectClass=olcLDAPConfig))))' returned 1: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({PBKDF2-SHA512})
olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
config error processing cn=config: <olcPasswordHash> no valid hashes found
slapcat: bad configuration file!
Warning: /Stage[main]/Profiles::mgmt/Openldap::Server::Database[dc=org-mgmt,dc=my-org,dc=org]/Openldap_database[dc=porwal-oob-mgmt,dc=my-org,dc=org]: Skipping because provider prefetch failed
Warning: /Stage[main]/Profiles::mgmt/Openldap::Server::Globalconf[LocalSSF]/Openldap_global_conf[LocalSSF]: Skipping because provider prefetch failed
Warning: /Stage[main]/Profiles::mgmt/Openldap::Server::Globalconf[Security]/Openldap_global_conf[Security]: Skipping because provider prefetch failed
Error: Could not prefetch openldap_module provider 'olc': Execution of '/usr/sbin/slapcat -b cn=config -o ldif-wrap=no -H ldap:///???(objectClass=olcModuleList)' returned 1: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({PBKDF2-SHA512})
olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
config error processing cn=config: <olcPasswordHash> no valid hashes found
slapcat: bad configuration file!
Warning: /Stage[main]/Profiles::mgmt/Openldap::Server::Module[pw-pbkdf2]/Openldap_module[pw-pbkdf2]: Skipping because provider prefetch failed
Warning: /Stage[main]/Profiles::mgmt/Openldap::Server::Globalconf[PasswordHash]/Openldap_global_conf[PasswordHash]: Skipping because provider prefetch failed
Notice: Applied catalog in 14.09 seconds

Any additional information you'd like to impart

Not sure if this is technically a bug, or a feature request.

Thanks.

amuckart · Jun 04 '24 05:06
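Added example, not code from the issue or from the puppet-openldap module: it generates and verifies a {PBKDF2-SHA512} userPassword value in the layout produced by OpenLDAP's pw-pbkdf2 contrib module (iteration count, salt and derived key separated by '$', each in adapted base64 with '.' in place of '+' and no '=' padding), so an operator can check offline what the scheme the issue is trying to enable actually stores. The password and fixed salt are constructed test values.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{PBKDF2-SHA512}"
DEFAULT_ITERATIONS = 10000  # pw-pbkdf2 default iteration count
SALT_LEN = 16               # bytes of random salt
DK_LEN = 64                 # derived-key length, SHA-512 output size


def ab64_encode(raw: bytes) -> str:
    """Adapted base64 used by pw-pbkdf2: '+' -> '.', padding stripped."""
    return base64.b64encode(raw).decode("ascii").replace("+", ".").rstrip("=")


def ab64_decode(text: str) -> bytes:
    """Inverse of ab64_encode; restores '+' and the dropped padding."""
    std = text.replace(".", "+")
    return base64.b64decode(std + "=" * (-len(std) % 4))


def make_hash(password: str, iterations: int = DEFAULT_ITERATIONS, salt=None) -> str:
    """Build a {PBKDF2-SHA512}iterations$salt$dk value for userPassword."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, DK_LEN)
    return f"{SCHEME}{iterations}${ab64_encode(salt)}${ab64_encode(dk)}"


def parse_hash(stored: str):
    """Split a stored value into (iterations, salt bytes, derived-key bytes)."""
    if not stored.startswith(SCHEME):
        raise ValueError("unexpected password scheme")
    iters_s, salt_s, dk_s = stored[len(SCHEME):].split("$")
    return int(iters_s), ab64_decode(salt_s), ab64_decode(dk_s)


def verify(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    try:
        iterations, salt, expected = parse_hash(stored)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: fixed salt so the output is reproducible.
    sample = make_hash("correct horse", salt=b"\x00" * SALT_LEN)
    print(sample, verify("correct horse", sample))
```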