https://bugs.openldap.org/show_bug.cgi?id=9794
Issue ID: 9794
Summary: Define behaviour for pwdChangedTime modifications
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: david.coutadeur(a)gmail.com
Target Milestone: ---
This issue applies to:
- draft-behera-ldap-password-policy
- openldap 2.5
- openldap 2.6
It is a proposition of behaviour for pwdChangedTime modifications.
modification of the draft:
--------------------------
In section: "8.2.7. Policy State Updates", change this paragraph:
If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
updates the pwdChangedTime attribute on the entry to the current
time.
into:
If the value of either pwdMaxAge or pwdMinAge is non-zero, the server
MUST update the pwdChangedTime attribute on the entry according to this
workflow:
Then insert a new paragraph:
- if the current operation (add or modify) on the password includes
adding or modifying a valid pwdChangedTime attribute, then use this
pwdChangedTime. A "Valid" pwdChangedTime means a syntactically
correct value, compliant with the schema, approved by access rules,
and MAY require a relax control according to the schema defined in
section 5.3.2.
See Relax control RFC for more information:
https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax
- an invalid pwdChangedTime value MUST result in an error, and the
pwdChangedTime MUST NOT be stored
- in any other case, compute the current date and store it in a
GeneralizedTime format
Feel free to comment or propose other ideas.
modification of the code:
--------------------------
If this behaviour makes a consensus, it would be useful to patch both OpenLDAP
2.5 and 2.6.
NOTE: current OpenLDAP 2.5 allows modifying pwdChangedTime alone, but fails to
add a user with both userPassword and pwdChangedTime (it results in a
duplicated pwdChangedTime error)
modification of the documentation:
----------------------------------
In slapo-ppolicy, it can be useful to add a comment in "OPERATIONAL ATTRIBUTES"
section:
Every attribute defined as "NO-USER-MODIFICATION" SHOULD not be
written by standard users.
If needed, an administrator MAY modify them with the relax control.
See Relax control RFC for more information:
https://datatracker.ietf.org/doc/html/draft-zeilenga-ldap-relax
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9825
Issue ID: 9825
Summary: MemberOf group in group search not working
Product: OpenLDAP
Version: 2.6.1
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: erikdewaard(a)gmail.com
Target Milestone: ---
Created attachment 891
--> https://bugs.openldap.org/attachment.cgi?id=891&action=edit
database ldif
dynlist group in group search not working correctly.
Multiple queries needed before returning correct answer.
ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com'
'(&(uid=user1)(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com))' uid
ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com'
'(&(uid=user1)(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com))' uid
ldapsearch -H ldap:/// -LLL -x -b 'dc=example,dc=com'
'(&(uid=user1)(memberOf=cn=groupingroup,ou=groups,dc=example,dc=com))' uid
dn: uid=user1,ou=People,dc=example,dc=com
uid: user1
-conf
# stand-alone slapd config
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/dyngroup.schema
# allow big PDUs from anonymous (for testing purposes)
sockbuf_max_incoming 4194303
moduleload back_ldap
moduleload dynlist
#######################################################################
# database definitions
#######################################################################
database config
database mdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap
lastbind off
overlay dynlist
dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames*
database monitor
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9834
Issue ID: 9834
Summary: Can not find admin user after setup openldap on debian
Product: OpenLDAP
Version: 2.4.57
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: sparktour(a)outlook.com
Target Milestone: ---
Created attachment 897
--> https://bugs.openldap.org/attachment.cgi?id=897&action=edit
the screenshot of phpldapadmin dashboard (doesn't have any entry under base)
After install the openldap (slapd) from Debian package repository (using the
version 2.4.57+dfsg-3~bpo10+1, database created by the dpkg configuration
script provide by apt), the admin user (cn=admin,dc=example,dc=com) in could
not be found either when performing ldapsearch or viewing the structure of the
organisation in phpldapadmin / Apache directory studio.
result of ldapsearch:
------------
root@ldap:~# ldapsearch -x -b "dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# example.com
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.com
dc: exmaple
# search result
search: 2
result: 0 Success
------------
However, using ldapwhoami (ldapwhoami -vvv -h ldap.example.com -D
cn=admin,dc=example,dc=com -x -w password) can return a successful result.
result of ldapwhoami:
------------
ldap_initialize( ldap://localhost )
dn:cn=admin,dc=example,dc=com
Result: Success (0)
------------
A similar issue can be found here:
https://github.com/osixia/docker-openldap/issues/555 on Github. According to
the user in Github, this issue is first occurred in openldap 2.4.57
(https://github.com/osixia/docker-openldap/releases/tag/v1.5.0)
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=8882
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords|needs_review |
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=8882
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.5.13
--- Comment #14 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Ship in contrib for 2.5.13+
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=8882
Quanah Gibson-Mount <quanah(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |needs_review
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=8882
--- Comment #13 from Quanah Gibson-Mount <quanah(a)openldap.org> ---
Tamim provided me the source code previously referenced, now attached to the
ticket.
--
You are receiving this mail because:
You are on the CC list for the issue.
https://bugs.openldap.org/show_bug.cgi?id=9833
Issue ID: 9833
Summary: Backup Restore issue
Product: OpenLDAP
Version: 2.4.40
Hardware: x86_64
OS: Linux
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs(a)openldap.org
Reporter: akshay.jain(a)shopclues.com
Target Milestone: ---
I Have restored backup from running ldap. data is restored but i am not able to
login using directory manager account.
This is hampering my production.
Can anyone help in this.
--
You are receiving this mail because:
You are on the CC list for the issue.