And also without the updated packages. It's a bit random. When exim4 is failing, it stays failing. Restart it, and it might or might not be in failing mode. Sometimes it works, and keeps working. It's not related to the openldap update. I think the migration-reference/0 run that succeeded was a fluke.
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2000817

Title:
  Wrong SHA256-value computed on kinetic

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Jammy:
  In Progress
Status in openldap source package in Kinetic:
  Fix Committed
Status in openldap source package in Lunar:
  Fix Released
Status in openldap package in Debian:
  Fix Released

Bug description:
  [ Impact ]

  OpenLDAP deployments using the contrib pw-sha2 module are not able to authenticate their users because the SHA2 calculation is done incorrectly.

  Even though this is a contrib module, from an upstream PoV, it is shipped in the Ubuntu (and Debian) OpenLDAP packages, and available for use.

  Some fix possibilities were discussed in comment #5, and we selected the one with the least impact to OpenLDAP users at large, which is to recompile that module only without the strict-aliasing optimization.

  This update makes that change, and also includes a DEP8 change to verify it.

  We didn't use a patch for the pw-sha2 Makefile because d/rules overrides the OPT variable in the make command line (https://git.launchpad.net/~ahasenack/ubuntu/+source/openldap/tree/debian/rules?h=lunar-slapd-sha2-2000817#n44)

  [ Test Plan ]

  # Install slapd and openssl
  $ sudo apt install slapd openssl

  # Run the following script

    #!/bin/bash

    reference_hash="{SHA256}$(echo -n secret | openssl dgst -sha256 -binary | openssl enc -base64)"
    test_hash=$(slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2)

    echo "Reference hash of \"secret\" (openssl): ${reference_hash}"
    echo "slapd's pw-sha2 hash: ${test_hash}"

    if [ "${reference_hash}" != "${test_hash}" ]; then
        echo "ERROR: hashes differ"
        exit 1
    else
        echo "PASS: hashes are identical"
    fi

  With the affected openldap package installed, the script should print an error. With the packages from proposed, the hashes should be identical.

  [ Where problems could occur ]

  The fix is a change of a compiler option strictly when building only the pw-sha2 module, so it's very localized. It could affect the performance of this module (for the worse), but it's already not working correctly.

  [ Other Info ]

  Not at this time.

  [Original Description]

  The OpenLDAP-contrib module sha2 (located in contrib/slapd-modules/passwd/sha2/) computes a wrong SHA256/SSHA256-hash on Ubuntu kinetic. This breaks our current password-authentication in ldap.

  The problematic computation:

    $ slappasswd -s secret -h '{SHA256}' -o module-load=pw-sha2
    {SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54=

  The (correct) reference-value on the same system (or older ubuntu Versions):

    $ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
    K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  We nailed the problem down to a bug in the gcc-optimizer for strict-aliasing. so most probably the gcc-version on kinetic (v12.2.0) is the reason.

  The workaround is to compile the sha2-Module with the flag "-fno-strict-aliasing". Then the correct value is computed. An example taken from a git-compiled version of OpenLDAP 2.5.13:

    $ ./servers/slapd/slappasswd -T passwd -s secret -h '{SHA256}' -o module-load=pw-sha2 -o module-path=contrib/slapd-modules/passwd/sha2/.libs
    {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=

  Ubuntu:
    Description: Ubuntu 22.10
    Release: 22.10
    OpenLDAP-Package: 2.5.13+dfsg-1ubuntu1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2000817/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
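
An offline cross-check for the Test Plan above, as an added example that is not part of the bug report or of the OpenLDAP packaging: it recomputes {SHA256} values with Python's hashlib and classifies values produced by slappasswd (or stored under a known test password) as matching or not. It goes one step beyond the Test Plan by also handling {SSHA256}, assuming the salted layout base64(SHA256(password + salt) + salt); the function names are made up for this example.

```python
import base64
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes

# Both values are quoted in the bug description above for the password "secret".
PAGE_BROKEN = "{SHA256}WIrrpN3OjEVOUf6yrH1j+o+ODuUuNBo979Od4UXnu54="
PAGE_CORRECT = "{SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols="


def make_hash(password: bytes, salt: bytes = b"") -> str:
    """Reference value: {SHA256} when salt is empty, else {SSHA256}.

    Assumed salted layout: base64(SHA256(password + salt) + salt).
    """
    scheme = "{SSHA256}" if salt else "{SHA256}"
    digest = hashlib.sha256(password + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode()


def check_hash(stored: str, password: bytes) -> str:
    """Return 'ok', 'mismatch' or 'unsupported' for one stored value."""
    scheme, brace, b64 = stored.partition("}")
    scheme = scheme.upper() + brace
    if scheme not in ("{SHA256}", "{SSHA256}"):
        return "unsupported"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "mismatch"
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    # {SHA256} carries no salt; {SSHA256} must carry one after the digest.
    if len(digest) != DIGEST_LEN or bool(salt) != (scheme == "{SSHA256}"):
        return "mismatch"
    expected = hashlib.sha256(password + salt).digest()
    return "ok" if hmac.compare_digest(digest, expected) else "mismatch"


def audit(values, password: bytes):
    """Check every value against the same known test password."""
    return [(value, check_hash(value, password)) for value in values]


if __name__ == "__main__":
    # Constructed sample: salted hash with a fixed 8-byte salt.
    constructed = make_hash(b"secret", b"\x01\x02\x03\x04\x05\x06\x07\x08")
    for value, status in audit([PAGE_BROKEN, PAGE_CORRECT, constructed], b"secret"):
        print(f"{status:9} {value}")
```

A "mismatch" for a value generated with a known password on an affected build is the symptom this bug describes; such values will not verify once the module computes SHA-256 correctly.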