Bug: SUFFIX populates with "dc=my,dc=domain,dc=com", causes container to be unhealthy
Summary
Container is unhealthy on startup. SUFFIX resolves to value "dc=my,dc=domain,dc=com" instead of the TLD value.
Steps to reproduce
docker compose up
What is the current bug behavior?
SUFFIX piping in default values causes container to exit, unhealthy.
What is the expected correct behavior?
Container is healthy on startup.
Relevant logs and/or screenshots
2023-09-27 13:27:21 ,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
2023-09-27 13:27:21 structuralObjectClass: olcDatabaseConfig
2023-09-27 13:27:21 entryUUID: 3a10c78e-f1a8-103d-9908-71aa57405306
2023-09-27 13:27:21 creatorsName: cn=config
2023-09-27 13:27:21 createTimestamp: 20230927173708Z
2023-09-27 13:27:21 entryCSN: 20230927173708.532794Z#000000#000#000000
2023-09-27 13:27:21 modifiersName: cn=config
2023-09-27 13:27:21 modifyTimestamp: 20230927173708Z
2023-09-27 13:27:21 "
2023-09-27 13:27:21 65148219.31848aca 0x7feeb62f8840 >>> dnPrettyNormal: <olcDatabase={1}monitor>
2023-09-27 13:27:21 65148219.3184926e 0x7feeb62f8840 => ldap_bv2dn(olcDatabase={1}monitor,0)
2023-09-27 13:27:21 65148219.31849b46 0x7feeb62f8840 <= ldap_bv2dn(olcDatabase={1}monitor)=0
2023-09-27 13:27:21 65148219.3184a4e1 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.3184ad48 0x7feeb62f8840 <= ldap_dn2bv(olcDatabase={1}monitor)=0
2023-09-27 13:27:21 65148219.3184b4ee 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.3184bc0f 0x7feeb62f8840 <= ldap_dn2bv(olcDatabase={1}monitor)=0
2023-09-27 13:27:21 65148219.3184c307 0x7feeb62f8840 <<< dnPrettyNormal: <olcDatabase={1}monitor>, <olcDatabase={1}monitor>
2023-09-27 13:27:21 65148219.3184df2a 0x7feeb62f8840 >>> dnNormalize: <cn=config>
2023-09-27 13:27:21 65148219.3184e5a3 0x7feeb62f8840 => ldap_bv2dn(cn=config,0)
2023-09-27 13:27:21 65148219.3184ed78 0x7feeb62f8840 <= ldap_bv2dn(cn=config)=0
2023-09-27 13:27:21 65148219.3184f55d 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.3184fc76 0x7feeb62f8840 <= ldap_dn2bv(cn=config)=0
2023-09-27 13:27:21 65148219.31850303 0x7feeb62f8840 <<< dnNormalize: <cn=config>
2023-09-27 13:27:21 65148219.318512d2 0x7feeb62f8840 >>> dnNormalize: <cn=config>
2023-09-27 13:27:21 65148219.3185193d 0x7feeb62f8840 => ldap_bv2dn(cn=config,0)
2023-09-27 13:27:21 65148219.31852057 0x7feeb62f8840 <= ldap_bv2dn(cn=config)=0
2023-09-27 13:27:21 65148219.31852775 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.31852e0a 0x7feeb62f8840 <= ldap_dn2bv(cn=config)=0
2023-09-27 13:27:21 65148219.318533fd 0x7feeb62f8840 <<< dnNormalize: <cn=config>
2023-09-27 13:27:21 65148219.318540cb 0x7feeb62f8840 <= str2entry(olcDatabase={1}monitor) -> 0x55edc8e797d8
2023-09-27 13:27:21 65148219.31854ab5 0x7feeb62f8840 => test_filter
2023-09-27 13:27:21 65148219.31855066 0x7feeb62f8840 PRESENT
2023-09-27 13:27:21 65148219.31855739 0x7feeb62f8840 => access_allowed: search access to "olcDatabase={1}monitor,cn=config" "objectClass" requested
2023-09-27 13:27:21 65148219.31855dc2 0x7feeb62f8840 <= root access granted
2023-09-27 13:27:21 65148219.31856514 0x7feeb62f8840 => access_allowed: search access granted by manage(=mwrscxd)
2023-09-27 13:27:21 65148219.31856b55 0x7feeb62f8840 <= test_filter 6
2023-09-27 13:27:21 65148219.31889206 0x7feeb62f8840 >>> dnPrettyNormal: <cn=Monitor>
2023-09-27 13:27:21 65148219.3188ae87 0x7feeb62f8840 => ldap_bv2dn(cn=Monitor,0)
2023-09-27 13:27:21 65148219.3188bc25 0x7feeb62f8840 <= ldap_bv2dn(cn=Monitor)=0
2023-09-27 13:27:21 65148219.3188c862 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.3188d104 0x7feeb62f8840 <= ldap_dn2bv(cn=Monitor)=0
2023-09-27 13:27:21 65148219.3188d995 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.3188dfd3 0x7feeb62f8840 <= ldap_dn2bv(cn=monitor)=0
2023-09-27 13:27:21 65148219.3188e644 0x7feeb62f8840 <<< dnPrettyNormal: <cn=Monitor>, <cn=monitor>
2023-09-27 13:27:21 65148219.318900bb 0x7feeb62f8840 >>> dnNormalize: <gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth>
2023-09-27 13:27:21 65148219.318aaf6c 0x7feeb62f8840 => ldap_bv2dn(gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth,0)
2023-09-27 13:27:21 65148219.318ade4c 0x7feeb62f8840 <= ldap_bv2dn(gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth)=0
2023-09-27 13:27:21 65148219.318af9c9 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318b05e6 0x7feeb62f8840 <= ldap_dn2bv(gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth)=0
2023-09-27 13:27:21 65148219.318b0eca 0x7feeb62f8840 <<< dnNormalize: <gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth>
2023-09-27 13:27:21 65148219.318b2426 0x7feeb62f8840 >>> dnNormalize: <cn=Manager,dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.318b2b0c 0x7feeb62f8840 => ldap_bv2dn(cn=Manager,dc=my-domain,dc=com,0)
2023-09-27 13:27:21 65148219.318b3328 0x7feeb62f8840 <= ldap_bv2dn(cn=Manager,dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318b4789 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318b4f76 0x7feeb62f8840 <= ldap_dn2bv(cn=manager,dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318b562f 0x7feeb62f8840 <<< dnNormalize: <cn=manager,dc=my-domain,dc=com>
2023-09-27 13:27:21 Backend ACL: access to *
2023-09-27 13:27:21 by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
2023-09-27 13:27:21 by dn.base="cn=manager,dc=my-domain,dc=com" read
2023-09-27 13:27:21 by * none
2023-09-27 13:27:21
2023-09-27 13:27:21 65148219.318b81b1 0x7feeb62f8840 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
2023-09-27 13:27:21 65148219.318c5412 0x7feeb62f8840 ldif_read_file: read entry file: "/etc/openldap/slapd.d/cn=config/olcDatabase={2}mdb.ldif"
2023-09-27 13:27:21 65148219.318c60b4 0x7feeb62f8840 => str2entry: "# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
2023-09-27 13:27:21 # CRC32 5b6fd400
2023-09-27 13:27:21 dn: olcDatabase={2}mdb
2023-09-27 13:27:21 objectClass: olcDatabaseConfig
2023-09-27 13:27:21 objectClass: olcMdbConfig
2023-09-27 13:27:21 olcDatabase: {2}mdb
2023-09-27 13:27:21 olcDbDirectory: /var/lib/ldap
2023-09-27 13:27:21 olcSuffix: dc=my-domain,dc=com
2023-09-27 13:27:21 olcRootDN: cn=Manager,dc=my-domain,dc=com
2023-09-27 13:27:21 olcDbIndex: objectClass eq,pres
2023-09-27 13:27:21 olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
2023-09-27 13:27:21 structuralObjectClass: olcMdbConfig
2023-09-27 13:27:21 entryUUID: 3a10c9d2-f1a8-103d-9909-71aa57405306
2023-09-27 13:27:21 creatorsName: cn=config
2023-09-27 13:27:21 createTimestamp: 20230927173708Z
2023-09-27 13:27:21 entryCSN: 20230927173708.532851Z#000000#000#000000
2023-09-27 13:27:21 modifiersName: cn=config
2023-09-27 13:27:21 modifyTimestamp: 20230927173708Z
2023-09-27 13:27:21 "
2023-09-27 13:27:21 65148219.318c6f1a 0x7feeb62f8840 >>> dnPrettyNormal: <olcDatabase={2}mdb>
2023-09-27 13:27:21 65148219.318c776a 0x7feeb62f8840 => ldap_bv2dn(olcDatabase={2}mdb,0)
2023-09-27 13:27:21 65148219.318c7fe1 0x7feeb62f8840 <= ldap_bv2dn(olcDatabase={2}mdb)=0
2023-09-27 13:27:21 65148219.318c8bb4 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318c92ef 0x7feeb62f8840 <= ldap_dn2bv(olcDatabase={2}mdb)=0
2023-09-27 13:27:21 65148219.318c9a4d 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318ca05b 0x7feeb62f8840 <= ldap_dn2bv(olcDatabase={2}mdb)=0
2023-09-27 13:27:21 65148219.318ca746 0x7feeb62f8840 <<< dnPrettyNormal: <olcDatabase={2}mdb>, <olcDatabase={2}mdb>
2023-09-27 13:27:21 65148219.318cc6ad 0x7feeb62f8840 >>> dnNormalize: <dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.318ccd24 0x7feeb62f8840 => ldap_bv2dn(dc=my-domain,dc=com,0)
2023-09-27 13:27:21 65148219.318cd4b5 0x7feeb62f8840 <= ldap_bv2dn(dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318cded1 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318ce5ee 0x7feeb62f8840 <= ldap_dn2bv(dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318cec55 0x7feeb62f8840 <<< dnNormalize: <dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.318cf4ea 0x7feeb62f8840 >>> dnNormalize: <cn=Manager,dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.318cfb8d 0x7feeb62f8840 => ldap_bv2dn(cn=Manager,dc=my-domain,dc=com,0)
2023-09-27 13:27:21 65148219.318d0469 0x7feeb62f8840 <= ldap_bv2dn(cn=Manager,dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318d0e6a 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318d179a 0x7feeb62f8840 <= ldap_dn2bv(cn=manager,dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318d1edb 0x7feeb62f8840 <<< dnNormalize: <cn=manager,dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.318d34cd 0x7feeb62f8840 >>> dnNormalize: <cn=config>
2023-09-27 13:27:21 65148219.318d3b76 0x7feeb62f8840 => ldap_bv2dn(cn=config,0)
2023-09-27 13:27:21 65148219.318d4372 0x7feeb62f8840 <= ldap_bv2dn(cn=config)=0
2023-09-27 13:27:21 65148219.318d4aea 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318d51f8 0x7feeb62f8840 <= ldap_dn2bv(cn=config)=0
2023-09-27 13:27:21 65148219.318d5896 0x7feeb62f8840 <<< dnNormalize: <cn=config>
2023-09-27 13:27:21 65148219.318d6dde 0x7feeb62f8840 >>> dnNormalize: <cn=config>
2023-09-27 13:27:21 65148219.318d74e2 0x7feeb62f8840 => ldap_bv2dn(cn=config,0)
2023-09-27 13:27:21 65148219.318d7d57 0x7feeb62f8840 <= ldap_bv2dn(cn=config)=0
2023-09-27 13:27:21 65148219.318d8527 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318d8c44 0x7feeb62f8840 <= ldap_dn2bv(cn=config)=0
2023-09-27 13:27:21 65148219.318d92cf 0x7feeb62f8840 <<< dnNormalize: <cn=config>
2023-09-27 13:27:21 65148219.318da349 0x7feeb62f8840 <= str2entry(olcDatabase={2}mdb) -> 0x55edc8e797d8
2023-09-27 13:27:21 65148219.318db237 0x7feeb62f8840 => test_filter
2023-09-27 13:27:21 65148219.318db8a7 0x7feeb62f8840 PRESENT
2023-09-27 13:27:21 65148219.318dc132 0x7feeb62f8840 => access_allowed: search access to "olcDatabase={2}mdb,cn=config" "objectClass" requested
2023-09-27 13:27:21 65148219.318dc88f 0x7feeb62f8840 <= root access granted
2023-09-27 13:27:21 65148219.318dd084 0x7feeb62f8840 => access_allowed: search access granted by manage(=mwrscxd)
2023-09-27 13:27:21 65148219.318dd7b6 0x7feeb62f8840 <= test_filter 6
2023-09-27 13:27:21 65148219.318e24a5 0x7feeb62f8840 >>> dnPrettyNormal: <dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.318e2dc3 0x7feeb62f8840 => ldap_bv2dn(dc=my-domain,dc=com,0)
2023-09-27 13:27:21 65148219.318e3797 0x7feeb62f8840 <= ldap_bv2dn(dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318e411e 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318e4936 0x7feeb62f8840 <= ldap_dn2bv(dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318e5196 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318e6152 0x7feeb62f8840 <= ldap_dn2bv(dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318e692f 0x7feeb62f8840 <<< dnPrettyNormal: <dc=my-domain,dc=com>, <dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.318e724a 0x7feeb62f8840 >>> dnPrettyNormal: <cn=Manager,dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.318e7895 0x7feeb62f8840 => ldap_bv2dn(cn=Manager,dc=my-domain,dc=com,0)
2023-09-27 13:27:21 65148219.318e8194 0x7feeb62f8840 <= ldap_bv2dn(cn=Manager,dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318e8aff 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318e92fa 0x7feeb62f8840 <= ldap_dn2bv(cn=Manager,dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318e9b46 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.318ea1fe 0x7feeb62f8840 <= ldap_dn2bv(cn=manager,dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.318ea876 0x7feeb62f8840 <<< dnPrettyNormal: <cn=Manager,dc=my-domain,dc=com>, <cn=manager,dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.318ec3c5 0x7feeb62f8840 mdb_db_init: Initializing mdb database
2023-09-27 13:27:21 65148219.319481eb 0x7feeb62f8840 >>> dnPrettyNormal: <dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.31949420 0x7feeb62f8840 => ldap_bv2dn(dc=my-domain,dc=com,0)
2023-09-27 13:27:21 65148219.3194a226 0x7feeb62f8840 <= ldap_bv2dn(dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.3194b14e 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.3194ba60 0x7feeb62f8840 <= ldap_dn2bv(dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.3194c352 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.3194c9d0 0x7feeb62f8840 <= ldap_dn2bv(dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.3194d0e4 0x7feeb62f8840 <<< dnPrettyNormal: <dc=my-domain,dc=com>, <dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.3194dcd6 0x7feeb62f8840 >>> dnPrettyNormal: <cn=Manager,dc=my-domain,dc=com>
2023-09-27 13:27:21 65148219.3194e5c5 0x7feeb62f8840 => ldap_bv2dn(cn=Manager,dc=my-domain,dc=com,0)
2023-09-27 13:27:21 65148219.3194ef14 0x7feeb62f8840 <= ldap_bv2dn(cn=Manager,dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.3194f90a 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.31950075 0x7feeb62f8840 <= ldap_dn2bv(cn=Manager,dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.319508e5 0x7feeb62f8840 => ldap_dn2bv(272)
2023-09-27 13:27:21 65148219.31950ff6 0x7feeb62f8840 <= ldap_dn2bv(cn=manager,dc=my-domain,dc=com)=0
2023-09-27 13:27:21 65148219.3195167c 0x7feeb62f8840 <<< dnPrettyNormal: <cn=Manager,dc=my-domain,dc=com>, <cn=manager,dc=my-domain,dc=com>
2023-09-27 13:27:22 6514821a.0fa52863 0x7feeb62f8840 backend_startup_one: starting "dc=my-domain,dc=com"
2023-09-27 13:27:22 6514821a.0fa5312e 0x7feeb62f8840 mdb_db_open: "dc=my-domain,dc=com"
2023-09-27 13:27:22 6514821a.0fa57095 0x7feeb62f8840 mdb_db_open: database "dc=my-domain,dc=com": dbenv_open(/var/lib/ldap).
2023-09-27 13:27:22 6514821a.0fd2d92a 0x7feeb62f8840 slapd starting
2023-09-27 13:27:22 6514821a.0fd6c40f 0x7fee88511640 daemon: added 3r listener=(nil)
2023-09-27 13:27:22 6514821a.0fd781e1 0x7fee88511640 daemon: added 6r listener=0x55edc8e053d0
2023-09-27 13:27:22 6514821a.0fd8c694 0x7fee88511640 daemon: epoll: listen=6 active_threads=0 tvp=NULL
2023-09-27 13:27:22 6514821a.0fd9162d 0x7fee88511640 daemon: activity on 1 descriptor
2023-09-27 13:27:22 6514821a.0fd92014 0x7fee88511640 daemon: activity on:6514821a.0fd925e6 0x7fee88511640
2023-09-27 13:27:22 6514821a.0fd936dd 0x7fee88511640 daemon: epoll: listen=6 active_threads=0 tvp=NULL
Possible fixes
SUFFIX referenced here
https://repo1.dso.mil/dsop/opensource/openldap/-/blob/development/config/base-domain.ldif#L1
https://repo1.dso.mil/dsop/opensource/openldap/-/blob/development/config/config.ldif#L5
https://repo1.dso.mil/dsop/opensource/openldap/-/blob/development/config/init.ldif#L2
https://repo1.dso.mil/dsop/opensource/openldap/-/blob/development/config/ldap.conf#L8
https://repo1.dso.mil/dsop/opensource/openldap/-/blob/development/config/slapd.ldif#L57
SUFFIX here could maybe be $SUFFIX so we can set both SUFFIX and TLD as env vars?
https://repo1.dso.mil/dsop/opensource/openldap/-/blob/development/scripts/entrypoint.sh#L12
Tasks
- Bug has been identified and corrected within the container
Please read the Iron Bank Documentation for more info
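
One way an entrypoint could take the suffix from the environment and refuse to start on a placeholder, following the "Possible fixes" suggestion above. This is an added example, not the project's `entrypoint.sh`; it assumes the templates carry the literal token `SUFFIX` and that `TLD` holds a DNS name such as `example.org`, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not the project's entrypoint.sh.
# Assumptions: templates carry the literal token SUFFIX; TLD is a DNS name.

# Stock OpenLDAP suffix that appears in the slapd log in this report.
DEFAULT_SUFFIX='dc=my-domain,dc=com'

# domain_to_suffix example.org  ->  dc=example,dc=org
domain_to_suffix() {
    printf '%s' "$1" | sed -e 's/\./,dc=/g' -e 's/^/dc=/'
}

# Prefer an explicit $SUFFIX, otherwise derive one from $TLD. Reject empty
# values, the stock default, and the value reported in the issue title.
resolve_suffix() {
    s="${SUFFIX:-}"
    if [ -z "$s" ] && [ -n "${TLD:-}" ]; then
        s=$(domain_to_suffix "$TLD")
    fi
    case "$s" in
        ''|"$DEFAULT_SUFFIX"|'dc=my,dc=domain,dc=com')
            echo "SUFFIX is unset or still a placeholder" >&2
            return 1 ;;
    esac
    # Only dc=<label> components: also keeps the value safe to pass to sed.
    if ! printf '%s\n' "$s" | grep -Eq '^dc=[A-Za-z0-9-]+(,dc=[A-Za-z0-9-]+)*$'; then
        echo "SUFFIX is not a dc= style DN: $s" >&2
        return 1
    fi
    printf '%s\n' "$s"
}

# render_ldif <suffix>: template on stdin, rendered LDIF on stdout.
# Fails if the stock suffix is still present after substitution.
render_ldif() {
    out=$(sed "s/SUFFIX/$1/g") || return 1
    if printf '%s\n' "$out" | grep -qF "$DEFAULT_SUFFIX"; then
        echo "rendered config still contains $DEFAULT_SUFFIX" >&2
        return 1
    fi
    printf '%s\n' "$out"
}
```

Failing before `slapd` starts keeps a container from coming up with the stock `cn=Manager,dc=my-domain,dc=com` root DN that the log shows.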