regression in back sql and ssh public key code paths #692
Description
Mega-Report: Critical Bugs in osixia/openldap with LDAP_BACKEND: sql Configuration
Based on the persistent failure to bootstrap a new schema and the inability to manually authenticate as the Configuration Admin, the following three bugs appear to be present in the latest versions of the image:
- Configuration Admin Password (LDAP_CONFIG_PASSWORD) is Ignored and Overridden
Problem: Despite explicitly setting LDAP_CONFIG_PASSWORD: abc123 in the docker-compose.yaml (and mounting persistent volumes), the OpenLDAP server consistently generates and uses a new, random {SSHA} hash for the Configuration Administrator (cn=admin,cn=config).
Evidence: All attempts to bind as cn=admin,cn=config using the plaintext abc123 failed with ldap_bind: Invalid credentials (49). This confirms the environment variable is being ignored or overridden by the OLC generation process.
Impact: Prevents secure, predictable, and automated management of the configuration database (OLC).
- Failure of Automated Schema Bootstrap when LDAP_BACKEND: sql is Set
Problem: When LDAP_BACKEND is set to sql, the bootstrap process appears to fail or abort before reaching the custom LDIFs intended for schema loading.
Files Affected: openssh-schema-load.ldif and the necessary backsql-config.ldif in the custom LDIF directory were not applied on startup.
Evidence: Manual intervention was required (and failed) to load the schema, proving the automated process did not complete its task despite the files being in the correct mounted location (/container/service/slapd/assets/config/bootstrap/ldif/custom).
Likely Cause: A race condition or dependency failure where the OLC configuration (specifically loading the back_sql module) blocks or terminates the subsequent custom LDIF loading process.
- Critical Client/Server Incompatibility (The Bind Failure Loop)
Problem: The OpenLDAP client utility (ldapadd) running inside the container is unable to authenticate as the Configuration Admin, even when given the server's own verified, live {SSHA} hashed password string.
Evidence:
The hash was retrieved directly from the server's running configuration files (e.g., grep '^olcRootPW').
Attempts to bind using the standard password flag (-w "HASH") failed with Invalid credentials (49).
Attempts to bind using the highly robust, internal password-file method (-y /tmp/hash.txt + chmod 600 + printf %s to prevent newlines) also failed with persistent Invalid credentials (49).
Impact: Makes manual schema modification impossible via standard LDAP tools, creating an unrecoverable state when the automated bootstrap fails. This points to a severe bug in how the client interprets the hash string provided by the server.
Summary for the Report
You can combine these into a single report, noting that Bug 1 (Password Ignored) forced you into the manual attempt, and the combination of Bug 2 (Bootstrap Failure) and Bug 3 (Client Incompatibility) resulted in the completely blocked state you experienced.