[Issue 9793] New: Question regarding password dictionary rules for when a user changes their password.
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9793
Issue ID: 9793
Summary: Question regarding password dictionary rules for when
a user changes their password.
Product: OpenLDAP
Version: 2.6.1
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: alan_andrea(a)yahoo.com
Target Milestone: ---
I have a question regarding password rules that are enforced when a user
changes their password. We have a need to implement a dictionary rule whereby
words and phrases in a dictionary are not allowed in a users password. I am
not able to see currently where such functionality exists in OpenLDAP and am
wondering if there are any extensions to OPenLDAP that were developed to
support this or if it would be required to write code to support this feature.
If you can please give me some guidelines here, that would be really great !
--
You are receiving this mail because:
You are on the CC list for the issue.
5 months, 1 week
[Issue 9742] New: syncprov-nopresent is harmful
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9742
Issue ID: 9742
Summary: syncprov-nopresent is harmful
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
If setting up a new delta-MPR environment such that:
- server A has been slapadd-ed the seed data
- accesslog is set to "logops all"
There is a sequence of events where servers are started and replicate from each
other before they get a chance to talk to A, they will each generate a CSN and
replicate it. Once they start talking to A, it will see that it has a CSN (its
own) that none of them have sent and "syncprov-nopresent" makes it just go
ahead where the only sane outcome is to send SYNC_REFRESH_REQUIRED.
Am I missing a usecase for this or should it just have been this way all along?
--
You are receiving this mail because:
You are on the CC list for the issue.
5 months, 1 week
[Issue 9750] New: global vs. frontend config in slapd.conf - misleading warning message
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9750
Issue ID: 9750
Summary: global vs. frontend config in slapd.conf - misleading
warning message
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: michael(a)stroeder.com
Target Milestone: ---
Since the fix for ITS#9575 there is this misleading message even when invoking
slapcat:
/opt/openldap-ms/etc/openldap/slapd.conf: line 126: setting password scheme in
the global entry is deprecated. The server may refuse to start if it is
provided by a loadable module, please move it to the frontend database instead
There is currently no way to rearrange something in slapd.conf to make this
confusing message go away.
--
You are receiving this mail because:
You are on the CC list for the issue.
5 months, 2 weeks
[Issue 9738] New: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL' failed.
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9738
Issue ID: 9738
Summary: entry_schema_check: Assertion `a->a_vals[0].bv_val !=
NULL' failed.
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: michael(a)stroeder.com
Target Milestone: ---
slapd 2.6.0 exits when an LDAP client sends an add operation with invalid data:
2021-11-04T22:07:36.790594+01:00 itn-dir-1 slapd[32415]: 61844b98.2ef8df5c
0x7fe42d9a6700 Entry (mail=michael(a)stroeder.com,ou=ext,ou=metadir,o=itn):
object class 'itnmetaPerson' requires attribute 'displayName'
2021-11-04T22:07:36.790694+01:00 itn-dir-1 slapd[32415]: slapd:
schema_check.c:89: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL'
failed.
--
You are receiving this mail because:
You are on the CC list for the issue.
5 months, 2 weeks
[Issue 9730] New: logfile-rotate directive fails in 2.6.0
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9730
Issue ID: 9730
Summary: logfile-rotate directive fails in 2.6.0
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: david.coutadeur(a)gmail.com
Target Milestone: ---
Hello,
When setting the logfile-rotate, I get:
617bc9ae.1b73de17 0x7f44f87c9740 /usr/local/openldap/etc/openldap/slapd.conf:
line 12 (logfile-rotate 10 100 24)
617bc9ae.1b759154 0x7f44f87c9740 /usr/local/openldap/etc/openldap/slapd.conf:
line 12: <logfile-rotate> handler exited with 16384!
My configuration file is below. I am using the 2.6.0 release.
The strange part is that the same configuration converted into cn=config seems
to work well.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/openldap/etc/openldap/schema/dyngroup.schema
logfile-rotate 10 100 24
logfile /var/log/slapd-ltb/slapd.log
logLevel 256
sasl-host ldap.my-domain.com
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
# Load dynamic backend modules:
# moduleload back_ldap.la
modulepath /usr/local/openldap/libexec/openldap
moduleload argon2.la
moduleload back_mdb.la
moduleload dynlist.la
moduleload memberof.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload unique.la
access to dn.base="" by * read
access to dn.base="cn=subschema" by * read
#######################################################################
# config database definitions
#######################################################################
database config
rootdn cn=config
rootpw secret
access to attrs="userPassword"
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth =wdx
by * auth
access to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 4294967296
suffix dc=my-domain,dc=com
rootdn cn=Manager,dc=my-domain,dc=com
rootpw secret
directory /usr/local/openldap/var/openldap-data
index objectClass eq
index cn eq,sub
index uid pres,eq
index givenName pres,eq,sub
index l pres,eq
index employeeType pres,eq
index mail pres,eq,sub
index sn pres,eq,sub
limits group="cn=admin,ou=groups,dc=my-domain,dc=com" size=unlimited
time=unlimited
access to attrs="userPassword"
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth =wdx
by group.exact="cn=admin,ou=groups,dc=my-domain,dc=com" =wdx
by self =wdx
by * auth
access to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by group.exact="cn=admin,ou=groups,dc=my-domain,dc=com" write
by users read
--
You are receiving this mail because:
You are on the CC list for the issue.
5 months, 2 weeks
[Issue 9725] New: attribute olcLastBindPrecision redefined in slapo-lastbind
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9725
Issue ID: 9725
Summary: attribute olcLastBindPrecision redefined in
slapo-lastbind
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: michael(a)stroeder.com
Target Milestone: ---
An attribute type description for 'olcLastBindPrecision' is present in
servers/slapd/bconfig.c and contrib/slapd-modules/lastbind/lastbind.c.
Thus the migration of deployments using slapo-lastbind is not as smooth as it
should be. With release 2.6.0 one is forced to disable slapo-lastbind.
Removing the attribute type description for 'olcLastBindPrecision' from
contrib/slapd-modules/lastbind/lastbind.c should work.
--
You are receiving this mail because:
You are on the CC list for the issue.
5 months, 2 weeks
[Issue 9647] New: Glue entry creation doesn't replicate properly
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9647
Issue ID: 9647
Summary: Glue entry creation doesn't replicate properly
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
In plain syncrepl, when an entry is turned into glue (to remove it when it
still has children), it won't replicate correctly to its consumers - a
NEW_COOKIE intermediate message is sent instead.
Scenario:
- 4 servers (A, B, C, D) and a tree with two entries - cn=parent,cn=suffix and
its parent, the database suffix
- D replicates from C, C replicates from A and B, no other links set up for
this
Now:
1. add an entry "cn=child,cn=parent,cn=suffix" on A
2. remove "cn=parent,cn=suffix" from B
As things settle, cn=parent,cn=suffix is retained on D while being deleted from
C.
--
You are receiving this mail because:
You are on the CC list for the issue.
5 months, 2 weeks
[Issue 9758] New: slapd-sock cn=config issues
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9758
Issue ID: 9758
Summary: slapd-sock cn=config issues
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: ondra(a)mistotebe.net
Target Milestone: ---
This module has multiple issues with cn=config processing:
- empty/missing sockdnpat can trigger an assert
- adding multiple olcDbSocketExtensions/olcOvSocketOps/olcOvSocketResps does
not work as expected, deletes are also broken
--
You are receiving this mail because:
You are on the CC list for the issue.
5 months, 2 weeks
[Issue 9740] New: olcPPolicyCheckModule not working in 2.6.0
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9740
Issue ID: 9740
Summary: olcPPolicyCheckModule not working in 2.6.0
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: david.coutadeur(a)gmail.com
Target Milestone: ---
Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the
olcPPolicyCheckModule directive in the overlay configuration, instead of the
pwdCheckModule in the password policy.
I have 3 remarks:
1/ it's a pity we can't define the chosen module in the corresponding ppolicy.
It prevents having multiple extension to password policies (one for each
policy)
2/ it does not seem to work. (ie the extended module is not launched). See
below for my config and data.
3/ the slapo-ppolicy is quite unclear about the configuration. For example, I
can read:
( 1.3.6.1.4.1.4754.2.99.1
NAME 'pwdPolicyChecker'
AUXILIARY
SUP top
MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
Does pwdCheckModule and pwdUseCheckModule still have sense?
Here is my configuration:
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,dc=my-domain,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
olcPPolicyDisableWrite: FALSE
olcPPolicySendNetscapeControls: FALSE
olcPPolicyCheckModule: /usr/local/openldap/libexec/openldap/ppm.so
Here are my data:
dn: cn=default,ou=ppolicies,dc=my-domain,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMaxAge: 7776000
pwdInHistory: 5
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 86400
pwdMinLength: 8
pwdMaxLength: 30
pwdExpireWarning: 432000
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdMaxIdle: 31536000
pwdCheckModuleArg:
bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKZm9yYmlkZGVuQ2hhcnMKbWF4Q29uc2VjdXRpdmVQZXJDbGFzcyAwCnVzZUNyYWNrbGliIDAKY3JhY2tsaWJEaWN0IC92YXIvY2FjaGUvY3JhY2tsaWIvY3JhY2tsaWJfZGljdApjbGFzcy11cHBlckNhc2UgQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVogMCAxCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEKY2xhc3MtZGlnaXQgMDEyMzQ1Njc4OSAwIDEKY2xhc3Mtc3BlY2lhbCA8Piw/Oy46LyHCp8O5JSrCtV7CqCTCo8KyJsOpfiIjJ3soWy18w6hgX1zDp17DoEApXcKwPX0rIDAgMQ==
dn: uid=jack.oneill,ou=people,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Jack O Neill
givenName: Jack
mail: jack.oneill(a)my-example.com
sn: O Neill
uid: jack.oneill
userPassword:
{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$LiSaGIqce9o2C6T8d2BOfg$BpPpokTfKY9/X7/jkvG1SXBcsNnm95UbTGSstc2aHKk
--
You are receiving this mail because:
You are on the CC list for the issue.
5 months, 2 weeks