News / announcements
2022-11-17 - Tagged ansible-ae-dir-server 0.35.1
Changes since 0.35.0:
- Fixed creating directory for exported backup files in case openldap_backup_path points to a different directory than openldap_data (see ansible-ae-dir-server#49).
- Fixed ae-dir-fix-db-permissions.sh to not fail on non-existent MDB files (see ansible-ae-dir-server#50).
- Added new ansible variable openldap_systemd_service_type used to specify the value of Type= in ae-slapd.service.
2022-11-10 - Tagged ansible-ae-dir-server 0.35.0
Changes since 0.34.10:
- Update to web2ldap 1.8.0+.
2022-11-07 - Tagged ansible-ae-dir-server 0.34.10
Changes since 0.34.9:
- Added new mtail counter metric slapd_tls_established for counting "TLS negotiation failure" messages (see ansible-ae-dir-server#44).
- Added more systemd sandboxing options:
  - ProcSubset=pid (all service units)
  - SocketBindDeny=any (all service units)
  - SocketBindAllow= in ae-slapd.service and ae-apache.service
- Added new ansible variable openldap_tcp_ports which must match all TCP ports defined in openldap_listen_uris.
- Added CLI option --upgrade-strategy eager to default value of aedir_pip_install_options.
- Added ExecStartPre=+/opt/ae-dir/sbin/ae-dir-fix-db-permissions.sh to systemd service unit ae-slapd.service for automatically fixing ownership/permissions of OpenLDAP database files (see ansible-ae-dir-server#48).
- Env var FLASK_ENV is not set in systemd service units for web apps anymore because it is deprecated since Flask 2.2.0.
2022-09-04 - Released aehostd 1.5.12 and ansible-aehostd 1.5.12.1
- aehostd 1.5.12+ now uses shutil.move() when moving the exported sudoers file to also work in case source and target directories are on different file systems (see aehostd#19).
- ansible-aehostd 1.5.12.1:
  - Only restart service aehostd-ph in the notification handler on systems without systemd.
  - Added more systemd sandboxing options (see ansible-aehostd#7).
2022-07-25 - Tagged ansible-ae-dir-server 0.34.9
Changes since 0.34.8:
- From now on only openSUSE Leap 15.4+ and SLE15SP4 are supported.
- Added new ansible variable apache_threadsperchild for setting Apache directive ThreadsPerChild.
- Added tool script ae-dir-slapd-debug.sh which stops ae-slapd.service and starts a slapd instance writing debug information to console (see ansible-ae-dir-server#27).
- Added AppArmor profile for slapdcheck.service (see ansible-ae-dir-server#41).
- Fixed removing all systemd units for slapdcheck if disabled.
- Changed ownership and permissions of run-time directories for ae-slapd.service and ae-apache.service.
- The Python virtual env is now automatically re-initialized in case the currently installed Python version does not match expected aedir_python_version.
- Added new ansible variable aedir_zypper_state for setting state: value of zypper tasks (SLE and openSUSE).
- Re-factored restart notifications and the names to which handlers listen.
- Fixed restart notifications for EKCA services.
- Various other clean-ups/fixes in ansible code.
2022-07-14 - Tagged ansible-ae-dir-server 0.34.8
Changes since 0.34.7:
- Update to web2ldap 1.7.8+.
- Added new mtail counter metric slapd_tls_failure for counting "TLS negotiation failure" messages (see ansible-ae-dir-server#40).
2022-06-29 - Tagged ansible-ae-dir-server 0.34.7
Changes since 0.34.6:
- To more strictly follow the need-to-know principle the msPwdResetObject attributes are not replicated to the read-only consumers anymore (see ansible-ae-dir-server#38).
- Added missing config params for service ae-dir-pwd to correctly configure logging and using the remote IP address (see ansible-ae-dir-server#39).
2022-06-21 - Tagged ansible-ae-dir-server 0.34.6
Changes since 0.34.5:
EKCA fixes/improvements:
- Update to ekca-service 1.1.0+ which has new config setting PROXY_LEVEL to correctly read the client's IP address from HTTP header X-Forwarded-For (see also ekca-service#6).
- Update to ekca-plugin-aedir 0.1.3+ which now raises an exception in case the user entry could not be read (ekca-plugin-aedir#1) and sends the LDAP Session Tracking Control with the LDAP operations (ekca-plugin-aedir#2).
2022-06-19 - Tagged ansible-ae-dir-server 0.34.5
Changes since 0.34.4:
- Fixed Python version used by openSUSE Tumbleweed: Now Python 3.10.
- Update to ae-dir-tool 1.0.8+ which now displays the full DN of the entry found for password change (see ae-dir-tool#2).
- Instead of installing a global SASL configuration for slapd the environment variable SASL_CONF_PATH is set in ae-slapd.service to reference a custom SASL configuration file (see ansible-ae-dir-server#37).
2022-05-24 - Tagged ansible-ae-dir-server 0.34.4
Changes since 0.34.3:
- Fixed Python version used by Debian bookworm: Now Python 3.10.
- Also ekca-service.service now uses alternative malloc library (via LD_PRELOAD).
- All shell scripts now explicitly use /bin/bash because of bash-isms used therein.
- On Debian and Ubuntu the APT repo signing public key is now installed in directory /etc/apt/trusted.gpg.d/ instead of using the deprecated apt-key tool (see ansible-ae-dir-server#36).
- The obsolete work-around for OpenLDAP ITS#8444 to configure slapo-syncprov also on the read-only consumers was removed (see ansible-ae-dir-server#30).
- Added After=ae-slapd.service to service unit slapdcheck.service.
- Added new mtail counter metric slapd_ppolicy_expired for counting password expired messages (see ansible-ae-dir-server#26).
2022-04-20 - Tagged ansible-ae-dir-server 0.34.3
Changes since 0.34.2:
- Added support for installing on upcoming Ubuntu Server 22.04 LTS (Jammy Jellyfish).
2022-04-11 - Tagged ansible-ae-dir-server 0.34.2
Changes since 0.34.1:
Support for using the Authorization Identity Request and Response Control (see RFC 3829):
- Added overlay slapo-authzid to Debian/Ubuntu package openldap-ms-contrib-overlays (see debian-openldap-ms#4).
- Enabled contrib overlay slapo-authzid in slapd.conf on platforms where this overlay is already available (openSUSE/SLE, Debian, Ubuntu) (see ansible-ae-dir-server#32).
- Install python-aedir 1.4.11+ which now uses the control in case of simple bind operation. This automatically saves one round-trip in aehostd because Who Am I? extended operation is then not needed.
2022-04-10 - Tagged ansible-ae-dir-server 0.34.1
Changes since 0.34.0:
- The new serialize option is now used for unique constraints defined in OpenLDAP configuration (see ansible-ae-dir-server#29).
- Re-factored invocation of Python interpreter to run in isolated mode (-I) and thus also all environment variables PYTHON* were removed (see ansible-ae-dir-server#31).
- Updates for OATH-LDAP:
  - Fixed checking IPv6 addresses in bind_proxy (see oath-ldap-srv #8).
  - Always use thread-pooling in OATH-LDAP bind listeners, also for hotp_validator, and added new config parameter threads for defining the number of worker threads used (see oath-ldap-srv #10).
- Fixed using MDB tools on openSUSE Leap.
- Some minor changes to systemd service units and AppArmor profiles.
2022-04-02 - Released aehostd 1.5.10
- aehostd 1.5.8+ finally now really fixes a socket-reading bug which caused failures when receiving PAM requests (for details see aehostd#3). Update is highly recommended!
- In case of password checking failure password policy information is extracted from ldap0.INVALID_CREDENTIALS and appropriate PAM result codes are returned to the caller (for details see aehostd#10).
- When checking user or host password the search base is now taken from the currently active LDAP connection which normally saves one round-trip for the LDAP search operation.
- Error handling was simplified when processing PAM authentication.
- If the user is not known PAM_USER_UNKNOWN is returned in PAM authentication response (without raising an exception like before).
- PAM authentication response is now always written to log with appropriate log level (DEBUG in case of PAM_SUCCESS, as WARNING in all other cases).
- os.open() is now used to create new files immediately with correct permissions in a single call to avoid race-conditions (see aehostd#7).
- Only PAM_SUCCESS authentication results are stored in the PAM result cache.
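The two aehostd file-handling changes announced above (shutil.move() for the cross-filesystem move of the exported sudoers file, and os.open() for creating a file with its final permissions in one call) as an added Python example; this is not aehostd's own code, and the function names write_private_file and move_export, the temporary directories and the sample file content are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def write_private_file(path: str, data: bytes, mode: int = 0o600) -> str:
    """Create path with its final mode in a single os.open() call.

    The racy pattern this replaces is open(path, "wb") followed by
    os.chmod(path, mode): between the two calls the file exists with the
    umask-derived default mode, and without O_EXCL a pre-existing file or
    symlink at path would be followed and truncated.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)  # mode is still subject to the umask
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
    except BaseException:
        os.unlink(path)  # do not leave a half-written file behind
        raise
    return path


def move_export(src: str, dst_dir: str) -> str:
    """Move the exported file into dst_dir and return its new path.

    os.rename() fails with EXDEV when src and dst_dir are on different file
    systems (e.g. a tmpfs staging dir and /etc); shutil.move() falls back to
    copy-then-unlink there and preserves the file mode set above.
    """
    os.makedirs(dst_dir, mode=0o755, exist_ok=True)
    return shutil.move(src, os.path.join(dst_dir, os.path.basename(src)))


def demo() -> dict:
    """Run both steps on constructed temp directories; returns the checks."""
    with tempfile.TemporaryDirectory() as staging, tempfile.TemporaryDirectory() as target:
        payload = b"# constructed sample sudoers export\n"
        src = write_private_file(os.path.join(staging, "sudoers.export"), payload)
        created_mode = stat.S_IMODE(os.stat(src).st_mode)
        try:  # a second create on the same path must be refused by O_EXCL
            write_private_file(src, b"overwrite attempt")
            excl_refused = False
        except FileExistsError:
            excl_refused = True
        dst = move_export(src, os.path.join(target, "sudoers.d"))
        with open(dst, "rb") as f:
            content = f.read()
        return {
            "created_mode": created_mode,
            "excl_refused": excl_refused,
            "src_gone": not os.path.exists(src),
            "dst_mode": stat.S_IMODE(os.stat(dst).st_mode),
            "dst_content": content,
        }
```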
2022-03-30 - Tagged ansible-ae-dir-server 0.34.0
Changes since 0.33.4:
- Changed default of ansible variable aedir_rundir to /run/ae-dir which nowadays is mounted as tmpfs on all currently supported Linux distributions.
- Some minor changes to AppArmor profiles, mainly for reducing the number of harmless DENIED messages.
- The quick search field in web2ldap now has attribute type="search".
2022-03-24 - Tagged ansible-ae-dir-server 0.33.4
Changes since 0.33.3:
Small changes to systemd sandboxing:
- MemoryDenyWriteExecute=yes set unconditionally on all supported Linux distros
- Added PrivateIPC=yes to all service units
2022-03-16 - Tagged ansible-ae-dir-server 0.33.3
Changes since 0.33.2:
- Improved web2ldapcnf.hosts:
  - use specific Æ-DIR login settings for all backends
  - set DB-specific descriptions
- Default value for openldap_syslog_level set to INFO to avoid double-logging with default syslog config on Debian.
- Changes to SystemCallFilter=:
  - Added unused splice() system call to block list (see also Dirty Pipe Vulnerability)
  - Fixed using the correct values in slapdcheck.service
- Some internal refactoring
2022-03-08 - Tagged ansible-aehostd 1.5.5, new APT repo key!
Changes since 1.5.4.1:
- Updated APT repository signer key.
- Installs aehostd 1.5.5+.
- On systems with systemd the service unit aehostd-ph.service is now stopped/disabled and replaced by a systemd path unit ae-dir-sudoers-export.path which triggers a service unit ae-dir-sudoers-export.service with Type=oneshot for moving the exported sudoers file to the right location (implements #2).
2022-03-07 - Tagged ansible-ae-dir-server 0.33.2, new APT repo key!
Changes since 0.33.1:
The old expired APT repository signer key was replaced with a new key pair!
- Download: AE-DIR-project-2022-03-07.gpg.key
- Key-ID: EC3DAB7602804CA619A576A7540DA543583C3481
- Fingerprint: EC3D AB76 0280 4CA6 19A5 76A7 540D A543 583C 3481
2022-03-02 - Tagged ansible-ae-dir-server 0.33.1
Changes since 0.33.0:
- Some small compatibility changes for supporting Debian bookworm (currently testing).
- Dropped support for Debian buster, see details in former announcement.
2022-02-17 - Tagged ansible-ae-dir-server 0.33.0
Changes since 0.32.12:
- Added experimental support for installing on Arch Linux (see ansible-ae-dir-server #7)
2022-02-14 - Tagged ansible-ae-dir-server 0.32.12
Changes since 0.32.11:
- Replication connections are now enforced to use TLSv1.3 (see ansible-ae-dir-server #21)
- Added new histogram metric slapd_search_result_size to mtail prog.
- Update to web2ldap 1.7.5+.
- Update to python-slapdsock 1.2.0+ and oath-ldap-srv 1.6.1+ with improved error handling.
- Cleaned up and fixed run-time directory for EKCA.
2022-02-09 - Tagged ansible-ae-dir-server 0.32.11
Changes since 0.32.10:
- Small fix for systemd service unit slapdcheck.service to also explicitly add the run-time directory to ReadWritePaths=.
2022-02-07 - Tagged ansible-ae-dir-server 0.32.10
Changes since 0.32.9:
- Background update process aedir_pproc.cron now runs as non-privileged user ae-dir-updater which is member of group ae-admins instead of running as rootdn (see ansible-ae-dir-server #14).
- Update to web2ldap 1.7.2+ with improved quick search field.
2022-02-04 - Tagged ansible-ae-dir-server 0.32.9
Changes since 0.32.8:
- All systemd service units now use ProtectSystem=strict with appropriate ReadWritePaths= to also bind-mount non-standard directories, e.g. /opt, as read-only to further reduce attack surface even in case AppArmor is not used.
- Added appropriate autocomplete attribute to input fields in login and change password forms.
2022-01-30 - Tagged ansible-ae-dir-server 0.32.8
Changes since 0.32.7:
- Update to web2ldap 1.7.0+. Because of HTML and CSS changes running an ansible play is required.
2022-01-24 - Tagged ansible-ae-dir-server 0.32.7
Changes since 0.32.6:
- Re-factored use of slapdcheck:
  - Renamed ansible vars slapd_check_* to slapdcheck_*. Please update your group_vars accordingly.
  - If new ansible var slapdcheck_interval (seconds) is greater than zero a systemd unit slapdcheck.timer is installed which triggers slapdcheck.service based on this interval.
  - New ansible var slapdcheck_module is used to specify which sub-module is invoked. See file defaults/main.yml for details.
  - The old wrapper script /opt/ae-dir/sbin/slapd_checkmk.sh was replaced by /opt/ae-dir/sbin/slapdcheck.sh which also invokes the module specified by slapdcheck_module.
2022-01-18 - Released aehostd 1.5.4
aehostd 1.5.4 fixes a socket-reading bug which caused failures when receiving PAM requests (for details see aehostd#3). Update is highly recommended!
2022-01-16 - Tagged ansible-ae-dir-server 0.32.6
Changes since 0.32.5:
- Update to slapdcheck 3.10.0 with the following changes:
  - generate HTML output
  - generate JSON output
  - send metrics to ZABBIX trapper
2022-01-06 - Tagged ansible-ae-dir-server 0.32.5
Changes since 0.32.4:
- Update to ae-dir-pproc 1.6.2:
  - When the user changes / resets own password an e-mail is sent to the user as additional notification (implements #2).
  - Removed old PyPI project aedir-pproc and renamed it to ae-dir-pproc.
- All attributes of object class msPwdResetPolicy are now declared as optional (MAY) because there are always config defaults available for all these attributes. This allows overriding configured defaults more easily per policy.
- Update to web2ldap 1.6.27+ including setting new config parameter web2ldapcnf.url_path.
- Re-factored checking whether the C wrapper modules are installed (ldap0 and psutil) before temporarily installing build tools on platforms using Python virtualenv. Hopefully this makes upgrading these modules easier.
2021-12-23 - Tagged ansible-ae-dir-server 0.32.4
Changes since 0.32.3:
- Update to web2ldap 1.6.26+ with minor UX improvements when handling invalid entry input.
2021-12-22 - Tagged ansible-ae-dir-server 0.32.3
Changes since 0.32.2:
- Update to web2ldap 1.6.24+ with security fix!
2021-12-21 - Tagged ansible-ae-dir-server 0.32.2
Changes since 0.32.1:
- Re-factored userPassword ACLs for providers:
  - New ansible var aedir_aeuser_write_pw_restrictions is used to restrict all password changes to be accepted only via LDAPI. In case any problem occurs with that simply set it to an empty list.
  - Removed search privilege. You can search for pwdChangedTime instead.
  - Moved up clause "by anonymous auth" for better performance of bind request processing.
- Minor changes in systemd units:
  - Added StandardInput=null and RemoveIPC=yes to aedir_systemd_hardening.
  - Use aedir_systemd_logging also in ekca-service.service.
- Added missing web2ldap HTML read template for OpenLDAProotDSE.html.
2021-12-19 - Tagged ansible-ae-dir-server 0.32.1
Changes since 0.32.0:
- Update to web2ldap 1.6.23+.
- New mtail-based metrics for ae-slapd counting replica connection errors: slapd_syncrepl_bind_failed and slapd_syncrepl_retrying.
- Added web2ldap HTML template for displaying OpenLDAProotDSE.
- Prepared using slapo-dds(5) for session database.
2021-12-15 - Tagged ansible-ae-dir-server 0.32.0
Changes since 0.31.3:
- Update to web2ldap 1.6.22+.
- Fixed initialization tasks on ansible 4.0+ by always setting aedir_init_user to root as default. You likely want to over-ride this when invoking a play.
- OpenLDAP 2.6 is now also installed in RHEL8-alike systems.
- slapd.conf: Native lastbind directive is now used instead of obsolete contrib overlay slapo-lastbind. The time-stamp of last successful bind is now stored in attribute pwdLastSuccess (see also draft-behera-ldap-password-policy). For now the module lastbind is still loaded to preserve the attribute type description for authTimestamp in the subschema to avoid schema violations.
- Added COEP/COOP/CORP headers to web2ldap's http_headers.
- APT repo files are now created with a copy task to completely remove obsolete entries.
2021-12-06 - Tagged ansible-ae-dir-server 0.31.3
Changes since 0.31.2:
- Update to ae-dir-pproc 1.5.9 which fixes a minor templating issue in the welcome e-mail sent to new users.
2021-12-05 - Support for Debian buster ends 2022-02-28
Tested free support for Debian buster (10.x) will be ceased by end of February 2022:
- The ansible roles, especially new features, are not guaranteed to work on Debian buster anymore.
- The apt repository for buster will be available until 2022-08 to match Debian's production support but packages will not be updated anymore.
- The builds of Debian packages openldap-ms and aehostd-modules are not guaranteed to work on Debian buster anymore.
- Pull requests with specific backward-compatibility fixes for Debian buster will likely not be accepted.
2021-12-04 - New web content
There are two new sub-pages available:
2021-12-03 - Tagged ansible-ae-dir-server 0.31.2
Changes since 0.31.1:
- Dropped support for running with accesslog database on read-only consumers. With OpenLDAP 2.6 there is no useful data (e.g. authTimestamp-updates) therein anymore.
- Renamed mis-named var to correct name openldap_slapo_allowed.
- Use aedir_db_params for generating AppArmor profile for ae-slapd.
- ae-dir-replica-reset.sh is now also generated based on ansible var aedir_db_params.
2021-12-03 - Tagged ansible-ae-dir-server 0.31.1
Changes since 0.30.0:
- Attribute sudoOrder can now be used in sudoers entries.
- Heavy re-factoring of specifying database parameters. Applying the changes to existing deployments should work without issues, except some custom HTML templates for web2ldap might need tweaking.
- The maintenance scripts were re-factored to not require a running slapd instance which should help to recover from issues more quickly. The scripts are now listed in the CLI usage docs.
- ae-dir-slapcat.sh now uses the simple database names (accesslog, um) instead of the suffix in the filename of exported LDIF files to avoid equal signs which are special chars in a shell.
2021-12-02 - git repos moved
All git repos of Æ-DIR's code were moved to a new location where you can also file tickets (and submit pull requests):
https://code.stroeder.com/AE-DIR
Some Python module packages are now in a more generic org:
https://code.stroeder.com/pymod
The repos are still mirrored at gitlab.com for automated testing but without using anything like ticket queues or similar:
2021-11-25 - Tagged ansible-ae-dir-server 0.30.0
Changes since 0.29.1:
- slapo-allowed was activated which enables web2ldap to show whether the user has write access to an attribute. If the user is not allowed to change an attribute only the value will be shown, no input field.
- New tool scripts:
  - /opt/ae-dir/sbin/ae-dir-slapindex.sh re-indexes all databases
  - /opt/ae-dir/sbin/ae-dir-reload.sh exports and re-imports all databases
- Several software updates: web2ldap, python-ldap0, ae-dir-pproc, slapdcheck
- mtail now extracts etime for slapd_result metric into a bucket.
- Code-cleaning:
  - Removed various obsolete stuff
  - Fixed ansible syntax
- openSUSE/SLE repos:
  - Dropped support for openSUSE Leap 15.2 and SLE15SP2
  - now same Leap and SLE repo used
  - Added repo URL for upcoming Leap 15.4 and SLE15SP4