News / announcements
2022-06-29 - Tagged ansible-ae-dir-server 0.34.7
Changes since 0.34.6:
- To follow the need-to-know principle more strictly, the msPwdResetObject attributes are no longer replicated to the read-only consumers (see ansible-ae-dir-server#38).
- Added missing config params for service ae-dir-pwd to correctly configure logging and the use of the remote IP address (see ansible-ae-dir-server#39).
2022-06-21 - Tagged ansible-ae-dir-server 0.34.6
Changes since 0.34.5:
- Update to ekca-service 1.1.0+ which has the new config setting PROXY_LEVEL for correctly reading the client's IP address from the HTTP header X-Forwarded-For (see also ekca-service#6).
- Update to ekca-plugin-aedir 0.1.3+ which now raises an exception in case the user entry could not be read (ekca-plugin-aedir#1) and sends the LDAP Session Tracking Control with its LDAP operations (ekca-plugin-aedir#2).
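A setting like PROXY_LEVEL exists because X-Forwarded-For is client-supplied data: every hop appends the peer address it saw, so only the entries appended by your own reverse proxies can be trusted, and they are the rightmost ones. The following is an added example, not ekca-service's code, that implements this idea with a hypothetical client_ip() helper: it trusts exactly proxy_level trailing entries, counts from the right, and fails closed when the header is shorter than the configured proxy chain. The naive "first entry" reading is shown beside it so the spoofing case is visible. All addresses are constructed sample data.

```python
from ipaddress import ip_address


def _hops(xff_header):
    """Split an X-Forwarded-For value into its comma-separated entries."""
    return [h.strip() for h in (xff_header or "").split(",") if h.strip()]


def naive_client_ip(remote_addr, xff_header):
    """The common mistake: take the first X-Forwarded-For entry.
    That entry is whatever the client put there, so it is attacker-controlled."""
    hops = _hops(xff_header)
    return ip_address(hops[0] if hops else remote_addr)


def client_ip(remote_addr, xff_header, proxy_level):
    """Resolve the real client address behind `proxy_level` trusted reverse proxies.

    remote_addr : TCP peer address of the connection as seen by the service
    xff_header  : raw value of the X-Forwarded-For header (may be None)
    proxy_level : number of our own proxies in front of the service
                  (0 = none; the header is then ignored completely)

    Each trusted proxy appends the peer address it saw, so the last
    `proxy_level` entries were written by us. The entry `proxy_level` from the
    right is the client's address as seen by the outermost trusted proxy;
    everything further left was supplied by the client and is never used.
    ip_address() also rejects malformed entries instead of passing them on.
    """
    if proxy_level < 0:
        raise ValueError("proxy_level must be >= 0")
    if proxy_level == 0:
        return ip_address(remote_addr)
    hops = _hops(xff_header)
    if len(hops) < proxy_level:
        # Fewer hops than trusted proxies: the request bypassed the proxy chain
        # or the proxy does not set the header. Fail closed rather than guess.
        raise ValueError(
            f"X-Forwarded-For has {len(hops)} entries but proxy_level is {proxy_level}"
        )
    return ip_address(hops[-proxy_level])


# Constructed sample: the client forges a header value, then one trusted proxy
# (proxy_level=1) appends the address it actually saw.
SPOOFED_XFF = "203.0.113.99, 198.51.100.7"
PROXY_ADDR = "10.0.0.2"  # the proxy is the TCP peer of the service


def demo():
    return {
        "naive": str(naive_client_ip(PROXY_ADDR, SPOOFED_XFF)),
        "proxy_level_0": str(client_ip(PROXY_ADDR, SPOOFED_XFF, 0)),
        "proxy_level_1": str(client_ip(PROXY_ADDR, SPOOFED_XFF, 1)),
    }


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name}: {addr}")
```

Setting the level too high is as dangerous as too low: with two trusted proxies but proxy_level=1 the result is the inner proxy's address, with one proxy but proxy_level=2 the result is the forged entry, which is why the helper raises instead of silently picking a leftmost value.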
2022-06-19 - Tagged ansible-ae-dir-server 0.34.5
Changes since 0.34.4:
- Fixed the Python version used on openSUSE Tumbleweed: now Python 3.10.
- Update to ae-dir-tool 1.0.8+ which now displays the full DN of the entry found for a password change (see ae-dir-tool#2).
- Instead of installing a global SASL configuration for slapd, the environment variable SASL_CONF_PATH is now set in ae-slapd.service to reference a custom SASL configuration file (see ansible-ae-dir-server#37).
2022-05-24 - Tagged ansible-ae-dir-server 0.34.4
Changes since 0.34.3:
- Fixed the Python version used on Debian bookworm: now Python 3.10.
- ekca-service.service now also uses the alternative malloc library.
- All shell scripts now explicitly use /bin/bash because of the bash-isms used therein.
- On Debian and Ubuntu the APT repo signing public key is now installed in /etc/apt/trusted.gpg.d/ instead of using the deprecated apt-key tool (see ansible-ae-dir-server#36).
- The obsolete work-around for OpenLDAP ITS#8444 to configure slapo-syncprov also on the read-only consumers was removed (see ansible-ae-dir-server#30).
- After=ae-slapd.service added to service unit slapdcheck.service.
- Added new mtail counter metric slapd_ppolicy_expired for counting password expired messages (see ansible-ae-dir-server#26).
2022-04-20 - Tagged ansible-ae-dir-server 0.34.3
Changes since 0.34.2:
- Added support for installing on the upcoming Ubuntu Server 22.04 LTS (Jammy Jellyfish).
2022-04-11 - Tagged ansible-ae-dir-server 0.34.2
Changes since 0.34.1:
Support for using the Authorization Identity Request and Response Control (see RFC 3829):
- Added overlay slapo-authzid to Debian/Ubuntu package openldap-ms-contrib-overlays (see debian-openldap-ms#4).
- Enabled contrib overlay slapo-authzid in slapd.conf on platforms where this overlay is already available (openSUSE/SLE, Debian, Ubuntu) (see ansible-ae-dir-server#32).
- Install python-aedir 1.4.11+ which now uses this control for simple bind operations. This automatically saves one round-trip in aehostd because the Who Am I? extended operation is then not needed.
2022-04-10 - Tagged ansible-ae-dir-server 0.34.1
Changes since 0.34.0:
- The new serialize option is now used for unique constraints defined in OpenLDAP configuration (see ansible-ae-dir-server#29).
- Re-factored the invocation of the Python interpreter to run in isolated mode (-I); consequently all PYTHON* environment variables were removed as well (see ansible-ae-dir-server#31).
- Updates for OATH-LDAP:
- Fixed using MDB tools on openSUSE Leap.
- Some minor changes to systemd service units and AppArmor profiles.
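Why isolated mode matters for a privileged service: without -I the interpreter honours PYTHONPATH and the other PYTHON* variables, so whoever controls the environment of the process (a wrapper script, a misconfigured unit file, an account earlier in the call chain) can make even the standard library resolve to planted modules. The following is an added example, not the project's code, that plants a json.py in a temporary directory, puts that directory into PYTHONPATH and asks a child interpreter where json comes from, once normally and once with -I. It assumes sys.executable is a CPython 3 interpreter that can be started as a subprocess.

```python
import os
import subprocess
import sys
import tempfile

# The child interpreter reports where the `json` module was loaded from.
PROBE = "import json; print(json.__file__)"


def resolve_json(env, isolated):
    """Run a child interpreter with the given environment and return json.__file__."""
    argv = [sys.executable]
    if isolated:
        argv.append("-I")  # implies -E (ignore PYTHON*) and -s (no user site-packages)
    argv += ["-c", PROBE]
    result = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return os.path.realpath(result.stdout.strip())


def shadowing_demo():
    """Return (shadowed_without_I, shadowed_with_I) for a planted stdlib module."""
    with tempfile.TemporaryDirectory() as planted_dir:
        # Constructed attacker artifact: a module that shadows the stdlib `json`.
        with open(os.path.join(planted_dir, "json.py"), "w") as f:
            f.write("SHADOW = True  # planted module, would run at import time\n")
        env = dict(os.environ, PYTHONPATH=planted_dir)
        planted_real = os.path.realpath(planted_dir)
        without_i = resolve_json(env, isolated=False).startswith(planted_real)
        with_i = resolve_json(env, isolated=True).startswith(planted_real)
        return without_i, with_i


if __name__ == "__main__":
    print("json shadowed without -I, with -I:", shadowing_demo())
```

Removing the PYTHON* variables from the unit files on top of -I is belt and braces: -I already ignores them, but a unit that no longer sets them cannot accidentally re-enable the behaviour if the ExecStart= line is later changed.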
2022-04-02 - Released aehostd 1.5.10
aehostd 1.5.8+ finally really fixes a socket-reading bug which caused failures when receiving PAM requests (for details see aehostd#3). Update is highly recommended!
- In case of a password checking failure, password policy information is extracted from ldap0.INVALID_CREDENTIALS and the appropriate PAM result code is returned to the caller (for details see aehostd#10).
- When checking a user or host password the search base is now taken from the currently active LDAP connection, which normally saves one round-trip for the LDAP search operation.
- Error handling was simplified when processing PAM authentication.
- If the user is not known, PAM_USER_UNKNOWN is returned in the PAM authentication response (without raising an exception like before).
- The PAM authentication response is now always written to the log with the appropriate log level (DEBUG in case of PAM_SUCCESS, WARNING in all other cases).
- os.open() is now used to create new files immediately with the correct permissions in a single call to avoid race conditions (see aehostd#7).
- Only PAM_SUCCESS authentication results are stored in the PAM result cache.
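The single-call creation mentioned for aehostd#7 is the standard fix for a permission race: open() followed by chmod() leaves a window during which the file carries the umask-derived default mode (typically 0644), and a file or symlink pre-placed at the path is silently followed. The following is an added example, not aehostd's code, that shows the racy "before" pattern beside the os.open() pattern with O_CREAT|O_EXCL and an explicit mode. The paths and contents are constructed; it assumes a POSIX system where the process may create symlinks.

```python
import os
import stat
import tempfile


def create_private_file_racy(path, data, umask=0o022):
    """'Before' pattern: create with the default mode, then chmod().
    Returns the mode the file carried between the two calls, i.e. what a
    concurrent reader could have seen. Shown for comparison only."""
    old_umask = os.umask(umask)
    try:
        with open(path, "w") as f:  # created as 0o666 & ~umask: 0o644 here
            f.write(data)
            exposed_mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, 0o600)  # too late: the window above already existed
    finally:
        os.umask(old_umask)
    return exposed_mode


def create_private_file(path, data, mode=0o600):
    """Race-free creation: the permission bits are applied by the kernel in the
    same open(2) call that creates the file, and O_EXCL makes the call fail
    with FileExistsError if anything, including a dangling symlink, already
    sits at `path`. The umask is still applied, but it can only clear bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run both variants in a scratch directory and return what each produced."""
    with tempfile.TemporaryDirectory() as d:
        racy = create_private_file_racy(os.path.join(d, "racy.txt"), "secret")
        safe_path = os.path.join(d, "safe.txt")
        safe = create_private_file(safe_path, "secret")
        # Re-creating an existing file is refused ...
        try:
            create_private_file(safe_path, "again")
            refused_existing = False
        except FileExistsError:
            refused_existing = True
        # ... and so is a pre-planted (here dangling) symlink at the target path.
        link_path = os.path.join(d, "link.txt")
        os.symlink(os.path.join(d, "elsewhere.txt"), link_path)
        try:
            create_private_file(link_path, "via symlink")
            refused_symlink = False
        except FileExistsError:
            refused_symlink = True
    return {
        "racy_window_mode": racy,
        "safe_mode": safe,
        "refused_existing": refused_existing,
        "refused_symlink": refused_symlink,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

Note that the racy variant is not repaired by a stricter umask alone: the umask only narrows the default bits, while O_EXCL is what stops an attacker from pre-placing a symlink so that the "new" file is written somewhere else entirely.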
2022-03-30 - Tagged ansible-ae-dir-server 0.34.0
Changes since 0.33.4:
- Changed the default of ansible variable aedir_rundir to /run/ae-dir which nowadays is mounted as tmpfs on all currently supported Linux distributions.
- Some minor changes to AppArmor profiles, mainly for reducing the number of harmless
- The quick search field in web2ldap now has attribute
2022-03-24 - Tagged ansible-ae-dir-server 0.33.4
Changes since 0.33.3:
Small changes to systemd sandboxing:
- MemoryDenyWriteExecute=yes set unconditionally on all supported Linux distros
- PrivateIPC=yes in all service units
2022-03-16 - Tagged ansible-ae-dir-server 0.33.3
Changes since 0.33.2:
- use specific Æ-DIR login settings for all backends
- set DB-specific descriptions
- Default value for openldap_syslog_level set to INFO to avoid double-logging with the default syslog config on Debian.
- splice() system call added to the block list (see also the Dirty Pipe vulnerability, CVE-2022-0847)
- Fixed using the correct values in slapdcheck.service
- Some internal refactoring
- Added unused
2022-03-08 - Tagged ansible-aehostd 1.5.5, new APT repo key!
Changes since the previous tag:
- Updated APT repository signer key.
- Installs aehostd 1.5.5+.
- On systems with systemd the service unit aehostd-ph.service is now stopped/disabled and replaced by a systemd path unit ae-dir-sudoers-export.path which triggers a service unit with Type=oneshot for moving the exported sudoers file to the right location (implements #2).
2022-03-07 - Tagged ansible-ae-dir-server 0.33.2, new APT repo key!
Changes since 0.33.1:
- The old expired APT repository signer key was replaced with a new key pair! Fingerprint of the new key:
  EC3D AB76 0280 4CA6 19A5 76A7 540D A543 583C 3481
2022-03-02 - Tagged ansible-ae-dir-server 0.33.1
Changes since 0.33.0:
- Some small compatibility changes for supporting Debian bookworm (currently testing).
- Dropped support for Debian buster, see details in the former announcement.
2022-02-17 - Tagged ansible-ae-dir-server 0.33.0
Changes since 0.32.12:
2022-02-14 - Tagged ansible-ae-dir-server 0.32.12
Changes since 0.32.11:
- Replication connections are now enforced to use TLSv1.3 (see ansible-ae-dir-server #21)
- Added new histogram metric slapd_search_result_size to mtail prog.
- Update to web2ldap 1.7.5+.
- Update to python-slapdsock 1.2.0+ and oath-ldap-srv 1.6.1+ with improved error handling.
- Cleaned up and fixed run-time directory for EKCA.
2022-02-09 - Tagged ansible-ae-dir-server 0.32.11
Changes since 0.32.10:
- Small fix for systemd service unit slapdcheck.service to also explicitly add the run-time directory to
2022-02-07 - Tagged ansible-ae-dir-server 0.32.10
Changes since 0.32.9:
- Background update process aedir_pproc.cron now runs as non-privileged user ae-dir-updater which is member of group ae-admins instead of running as rootdn (see ansible-ae-dir-server #14).
- Update to web2ldap 1.7.2+ with improved quick search field.
2022-02-04 - Tagged ansible-ae-dir-server 0.32.9
Changes since 0.32.8:
- All systemd service units now use ReadWritePaths= to also bind-mount non-standard directories, e.g. /opt, as read-only to further reduce the attack surface even in case AppArmor is not used.
- Added appropriate autocomplete attribute to input fields in login and change password forms.
2022-01-30 - Tagged ansible-ae-dir-server 0.32.8
Changes since 0.32.7:
- Update to web2ldap 1.7.0+. Because of HTML and CSS changes running an ansible play is required.
2022-01-24 - Tagged ansible-ae-dir-server 0.32.7
Changes since 0.32.6:
Re-factored use of slapdcheck:
- Renamed ansible vars slapd_check_* to slapdcheck_*. Please update your
- If the new ansible var slapdcheck_interval (seconds) is greater than zero, a systemd unit slapdcheck.timer is installed which triggers slapdcheck.service based on this interval.
- New ansible var slapdcheck_module is used to specify which sub-module is invoked. See file defaults/main.yml for details.
- The old wrapper script /opt/ae-dir/sbin/slapd_checkmk.sh was replaced by /opt/ae-dir/sbin/slapdcheck.sh which also invokes the module specified by slapdcheck_module.
2022-01-18 - Released aehostd 1.5.4
aehostd 1.5.4 fixes a socket-reading bug which caused failures
when receiving PAM requests
(for details see aehostd#3).
Update is highly recommended!
2022-01-16 - Tagged ansible-ae-dir-server 0.32.6
Changes since 0.32.5:
Update to slapdcheck 3.10.0 with the following changes:
- generate HTML output
- generate JSON output
- send metrics to ZABBIX trapper
2022-01-06 - Tagged ansible-ae-dir-server 0.32.5
Changes since 0.32.4:
- Update to ae-dir-pproc 1.6.2:
- All attributes of object class msPwdResetPolicy are now declared as optional (MAY) because config defaults are always available for all these attributes. This allows overriding the configured defaults more easily per policy.
- Update to web2ldap 1.6.27+ including setting new config parameter web2ldapcnf.url_path.
- Re-factored the check whether the C wrapper modules (ldap0 and psutil) are installed before temporarily installing build tools on platforms using a Python virtualenv. Hopefully this makes upgrading these modules easier.
2021-12-23 - Tagged ansible-ae-dir-server 0.32.4
Changes since 0.32.3:
- Update to web2ldap 1.6.26+ with minor UX improvements when handling invalid entry input.
2021-12-22 - Tagged ansible-ae-dir-server 0.32.3
Changes since 0.32.2:
- Update to web2ldap 1.6.24+ with security fix!
2021-12-21 - Tagged ansible-ae-dir-server 0.32.2
Changes since 0.32.1:
Re-factored userPassword ACLs for providers:
- New ansible var aedir_aeuser_write_pw_restrictions is used to restrict all password changes to be accepted only via LDAPI. If this causes any problem, simply set it to an empty list.
- Removed the search privilege on userPassword. You can search for pwdChangedTime instead.
- Moved up the clause "by anonymous auth" for better performance of bind request processing.
Minor changes in systemd units:
- Use aedir_systemd_logging also in ekca-service.service.
- Added missing web2ldap HTML read template for OpenLDAProotDSE.html.
2021-12-19 - Tagged ansible-ae-dir-server 0.32.1
Changes since 0.32.0:
- Update to web2ldap 1.6.23+.
- New mtail-based metrics for ae-slapd counting replica connection errors: slapd_syncrepl_bind_failed and slapd_syncrepl_retrying.
- Added web2ldap HTML template for displaying OpenLDAProotDSE.
- Prepared using slapo-dds(5) for session database.
2021-12-15 - Tagged ansible-ae-dir-server 0.32.0
Changes since 0.31.3:
- Update to web2ldap 1.6.22+.
- Fixed initialization tasks on ansible 4.0+ by always setting aedir_init_user to root by default. You likely want to override this when invoking a play.
- OpenLDAP 2.6 is now also installed in RHEL8-alike systems.
- The native lastbind directive is now used instead of the obsolete contrib overlay slapo-lastbind.
- The time-stamp of the last successful bind is now stored in attribute pwdLastSuccess (see also draft-behera-ldap-password-policy).
- For now the module lastbind is still loaded to preserve the attribute type description for authTimestamp in the subschema and thus avoid schema violations.
- Added COEP/COOP/CORP headers to web2ldap's http_headers.
- APT repo files are now created with a copy task to completely remove obsolete entries.
2021-12-06 - Tagged ansible-ae-dir-server 0.31.3
Changes since 0.31.2:
- Update to ae-dir-pproc 1.5.9 which fixes a minor templating issue in the welcome e-mail sent to new users.
2021-12-05 - Support for Debian buster ends 2022-02-28
Tested free support for Debian buster (10.x) will cease at the end of February 2022:
- The ansible roles, especially new features, are not guaranteed to work on Debian buster anymore.
- The apt repository for buster will be available until 2022-08 to match Debian's production support, but packages will not be updated anymore.
- The builds of Debian packages openldap-ms and aehostd-modules are not guaranteed to work on Debian buster anymore.
- Pull requests with specific backward-compatibility fixes for Debian buster will likely not be accepted.
2021-12-04 - New web content
There are two new sub-pages available:
2021-12-03 - Tagged ansible-ae-dir-server 0.31.2
Changes since 0.31.1:
- Dropped support for running with accesslog database on read-only consumers. With OpenLDAP 2.6 there is no useful data (e.g. authTimestamp-updates) therein anymore.
- Renamed mis-named var to the correct name aedir_db_params for generating the AppArmor profile for ae-slapd.
- ae-dir-replica-reset.sh is now also generated based on ansible var
2021-12-03 - Tagged ansible-ae-dir-server 0.31.1
Changes since 0.30.0:
- Attribute sudoOrder can now be used in sudoers entries.
- Heavy re-factoring of specifying database parameters. Applying the changes to existing deployments should work without issues, except some custom HTML templates for web2ldap might need tweaking.
- The maintenance scripts were re-factored to not require a running slapd instance which should help to recover from issues more quickly. The scripts are now listed in the CLI usage docs.
- ae-dir-slapcat.sh now uses the simple database names (accesslog, um) instead of the suffix in the filename of exported LDIF files to avoid equal signs, which are special chars in a shell.
2021-12-02 - git repos moved
All git repos of Æ-DIR's code were moved to a new location where you can also file tickets (and submit pull requests):
Some Python module packages are now in a more generic org:
The repos are still mirrored at gitlab.com for automated testing but without using anything like ticket queues or similar:
2021-11-25 - Tagged ansible-ae-dir-server 0.30.0
Changes since 0.29.1:
- slapo-allowed was activated which enables web2ldap to show whether the user has write access to an attribute. If the user is not allowed to change an attribute only the value will be shown, no input field.
- New tool scripts:
  - /opt/ae-dir/sbin/ae-dir-slapindex.sh re-indexes all databases
  - /opt/ae-dir/sbin/ae-dir-reload.sh exports and re-imports all databases
- Several software updates: web2ldap, python-ldap0, ae-dir-pproc, slapdcheck
- mtail now extracts etime for slapd_result metric into a bucket.
- Removed various obsolete stuff
- Fixed ansible syntax
- Dropped support for openSUSE Leap 15.2 and SLE15SP2
- The same repo is now used for Leap and SLE
- Added repo URL for upcoming Leap 15.4 and SLE15SP4