LDAP Server: crc32 checksum on ldif file not updated

Reproducing: Change the Webmin -> Servers -> "LDAP Server" -> "OpenLDAP Server Configuration" -> "New administration password". "Save" changes, then "Apply Configuration".

Run slapcat -n 0.

Observed: stderr message about checksum:

59f6ec0c ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif"

Expected:

No error messages.

Alternatively check the content of the file /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif before and after password change.

Workaround: not yet.

Environment:

Operating system Debian Linux 9
Webmin version 1.860
Virtualmin version 6.01
slapd 2.4.44
Perl version 5.024001
BIND version 9.10
Postfix version 3.1.6
Apache version 2.4.25
PHP versions 7.0.19
Webalizer version 2.23-08
Logrotate version 3.11.0
MySQL version 10.1.26-MariaDB-0+deb9u1
SpamAssassin version 3.4.1
ClamAV version 0.99.2
Status: Active

Comments

Does /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif contain the password on your system?

Yes, this has the password; the password hash inside the file is changed, while the checksum is not.

Workaround: use ldapmodify to change the password, then the checksum is correctly updated.

Which file is the checksum in - is it another attribute in that file, or stored separately?

Webmin intentionally doesn't use ldapmodify, as it may not have access to change the LDAP password.

Hi, both - passhash and checksum are in the ldif, here: /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif

Please see the sample:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 aa2d7ad0
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * non
 e
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: xxxxxxxxxxxxxxxxxxx secretly snipped xxxxxxxxxxxxxxxxxxxxx=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbIndex: uniqueMember eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: XXXXXXXXXXXXXXXxxxxxxxxxxxxxxxxxxxXXXXXXXXXXX
creatorsName: cn=admin,cn=config
createTimestamp: 20171030114340Z
entryCSN: 20171030130212.514030Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171030130212Z

In any case, after manipulation from the VMin GUI, the password is changed in this file, while the checksum is not. Cheers,

The checksum is the line # CRC32 aa2d7ad0 at the top, right?

Yes, this is the right line. After using ldapmodify it changes accordingly. I tried to generate the checksum for the rest of the file and place it here, with no good result so far. I think this might work, I did not try it hard enough before using ldapmodify.
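
Added example, not part of the original thread and not Webmin's or OpenLDAP's own code: a Python check that compares the "# CRC32" header line with a checksum computed over the file, which is how a file edited in place can be spotted. It assumes slapd uses the standard CRC-32 (as in zlib) over every byte after the two header comment lines; the sample entry and its olcRootPW value are constructed.

```python
import re
import zlib

HEADER = b"# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n"
CRC_RE = re.compile(rb"^# CRC32 ([0-9a-fA-F]{8})\s*$")

def split_slapd_ldif(data: bytes):
    """Split a slapd.d file image into (stored CRC, body after the header)."""
    parts = data.split(b"\n", 2)
    if len(parts) < 3 or not parts[0].startswith(b"# AUTO-GENERATED FILE"):
        raise ValueError("missing AUTO-GENERATED header line")
    match = CRC_RE.match(parts[1])
    if match is None:
        raise ValueError("missing '# CRC32' header line")
    return int(match.group(1), 16), parts[2]

def check_slapd_ldif(data: bytes) -> dict:
    """Compare the stored CRC with one computed over the body (assumed scope)."""
    stored, body = split_slapd_ldif(data)
    computed = zlib.crc32(body) & 0xFFFFFFFF
    return {"stored": f"{stored:08x}", "computed": f"{computed:08x}",
            "ok": stored == computed}

def with_fresh_crc(body: bytes) -> bytes:
    """Build a file image whose header matches the body."""
    return HEADER + b"# CRC32 %08x\n" % (zlib.crc32(body) & 0xFFFFFFFF) + body

# Constructed sample entry; the olcRootPW value is a placeholder, not a real hash.
SAMPLE_BODY = (
    b"dn: olcDatabase={1}mdb\n"
    b"objectClass: olcDatabaseConfig\n"
    b"olcDatabase: {1}mdb\n"
    b"olcRootDN: cn=admin,dc=example,dc=com\n"
    b"olcRootPW:: e1NTSEF9b2xkLXBsYWNlaG9sZGVy\n"
)

def simulate_in_place_edit(image: bytes) -> bytes:
    """Change the password value but leave the CRC header alone, as reported."""
    return image.replace(b"e1NTSEF9b2xk", b"e1NTSEF9bmV3")

if __name__ == "__main__":
    good = with_fresh_crc(SAMPLE_BODY)
    print("consistent file     :", check_slapd_ldif(good))
    print("after in-place edit :", check_slapd_ldif(simulate_in_place_edit(good)))
```

To check a real file, pass its bytes (read with open(path, "rb")) to check_slapd_ldif; a result with "ok" False corresponds to the checksum error slapcat prints.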