Re: openldap 2.4.43 keeps crashing
by Jephte Clain
2015-12-30 22:51 GMT+04:00 Quanah Gibson-Mount <quanah(a)zimbra.com>:
> --On Wednesday, December 30, 2015 10:36 PM +0400 Jephte Clain
> <jephte.clain(a)univ-reunion.fr> wrote:
>
>> 2015-12-29 20:47 GMT+04:00 Quanah Gibson-Mount <quanah(a)zimbra.com>:
>>>
>>> --On Monday, December 28, 2015 10:18 PM -0800 Quanah Gibson-Mount
>>> <quanah(a)zimbra.com> wrote:
>>>
>>>> David,
>>>>
>>>> Why haven't you reported this to the ITS?
>>>
>>>
>>>
>>> Discussed with Howard. It isn't in 0.9 yet because it hasn't been
>>> confirmed if the fix is good or not. David, if that fix has resolved
>>> the issue, *please* follow up with the ITS noting that to be the case.
>>>
>>
>> Hello,
>>
>> I can confirm this is the problem I have. Starting slapd in debug
>> mode, it dies after some time:
>>
>> /tmp/buildd/openldap-2.4.43/servers/slapd/back-mdb/../../../libraries/liblmdb/mdb.c:5276: Assertion 'NUMKEYS(mp) > 1' failed in mdb_page_search_root()
>> /usr/local/slaptools/lib/functions: line 44: 30232 Abandon /usr/sbin/slapd -h "$SLAPD_SERVICES" -g "$SLAPD_GROUP" -u "$SLAPD_USER" -F "$SLAPDD" -d "$dlevel" "$@"
>>
>> I didn't notice it because it doesn't dump core. And somehow, the
>> initscript I use eats the stderr output of slapd (I'll fix it for
>> future errors)
>>
>> For now, I'll revert to the previous working version, but I'm willing
>> to test any fix.
>> The funny part is only the replica dies regularly, not the master,
>> although it is the one to receive the writes.
>
>
> You can apply the patch that was made to mdb.master to the 2.4.43 source
> tree, and see if it resolves the problem or not. ;)

Hmmm... I really need some holidays... I couldn't manage to find the
commit today (too tired?) and now I remember grep is my friend

$ git checkout mdb.master
$ git log --pretty=oneline | grep 8336
58d1fd4c73c96ef3097816e975b3d421ead4d86e ITS#8336 fix page_search_root assert on FreeDB

I'll have a look tomorrow. Thanks. Regards,
Jephté
--
Jephté CLAIN | Developer, Application Integrator
Service Système d'Information
Direction des Systèmes d'Information
Tel: +262 262 93 86 31 || Gsm: +262 692 29 58 24
Re: users don't get prompt to change password (pwdMustChange attribute)
by Rajagopal Rc
Hi All,
Can anyone help me with this, please?
Thanks
From: Rajagopal Rc/BLR/TCS
To: openldap-technical(a)openldap.org
Date: 12/24/2015 12:07 PM
Subject: users don't get prompt to change password (pwdMustChange attribute)
Hello,

I am trying to force users to change their password at first logon and on
password reset.

OS: RHEL7
OpenLDAP version: 2.4.39-7.el7_1.x86_64

I have tried the following:

1) I have set the pwdMustChange attribute to TRUE in ppolicy, but when a
   user logs on to the client for the first time or after resetting the
   password, it just allows the user to log on without prompting to change
   the password.
2) I have set the pwdReset attribute to TRUE in the user attributes for a
   particular user; this doesn't allow the user to log in at all and keeps
   prompting for the password without allowing login. Also, I read in
   blogs that this is not the correct way, but couldn't find more
   information on this.

Is there any way to force users to change their password at first logon
and after the password is reset by the admin?

Current ppolicy
Thanks & Regards
Raj
LDAP ACL for restricting applications with same user dn
by Geo P.C.
Currently we need to configure group-based LDAP login for our custom
applications. We have applications named app1, app2, etc.

To restrict a user to logging in to a particular application, e.g. app1,
that user must have the attribute *allowedService = app1*;
to log in to app2, that user needs *allowedService = app2*.
We created the users that way.

For binding the applications to LDAP we created users like
*cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com
cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com*

We then configured the LDAP ACL as follows:

olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=ds,dc=geo,dc=com" write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com"
  filter="(allowedService=app1)"
  by dn.exact="cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
  by * break
olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com"
  filter="(allowedService=app2)"
  by dn.exact="cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
  by * break
olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com"
  attrs="entry"
  by dn.sub="ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
  by dn="cn=admin,dc=ds,dc=geo,dc=com" write
  by self read
  by * break
olcAccess: {5}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com"
  by dn.exact="cn=app3,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read
  by users read
olcAccess: {6}to dn.subtree="dc=prime,dc=ds,dc=geo,dc=com"
  by anonymous write

But for any application that doesn't support filters (like suiteCRM), we
created rule *olcAccess: {5}* and bound it to the *app3* user, but then the
whole ACL is not working and all users can log in to all applications.
So can anyone please help us with it?
Thanks
Geo
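
Added example, not part of Geo's post and not slapd's own code: a simplified Python model of how slapd walks rules {2} to {6} above (first matching "to" clause, then first matching "by" clause, with "break" falling through), showing which rule decides what cn=app1 may read on a user whose allowedService is app2. Assumptions: rules {0} and {1} are left out, DN matching is a plain string comparison, and the entry uid=alice and the rule5_by_users switch are constructed for illustration.

```python
# Simplified model of slapd's ACL walk: the first matching "to" clause is used,
# then its first matching "by" clause; "break" moves on to the next "to" clause.
BASE = "dc=prime,dc=ds,dc=geo,dc=com"
PEOPLE, APPS = "ou=People," + BASE, "ou=Applications," + BASE
ADMIN = "cn=admin,dc=ds,dc=geo,dc=com"

def under(dn, base):                       # dn.subtree / dn.sub match
    return dn is not None and (dn == base or dn.endswith("," + base))

def is_app(name):                          # dn.exact match on an application DN
    return lambda who, entry: who == f"cn={name},{APPS}"
ANY_BREAK = (lambda who, entry: True, None, "break")           # by * break
USERS = (lambda who, entry: who is not None, "read", "stop")   # by users read

def service_rule(label, svc):              # shape of rules {2} and {3}
    what = lambda e, attr: under(e["dn"], PEOPLE) and svc in e["allowedService"]
    return (label, what, [(is_app(svc), "read", "stop"), ANY_BREAK])

def build_acl(rule5_by_users=True):        # hypothetical switch for comparison
    rule5 = [(is_app("app3"), "read", "stop")] + ([USERS] if rule5_by_users else [])
    return [
        service_rule("{2}", "app1"),
        service_rule("{3}", "app2"),
        ("{4}", lambda e, attr: under(e["dn"], PEOPLE) and attr == "entry",
         [(lambda w, e: under(w, APPS), "read", "stop"),
          (lambda w, e: w == ADMIN, "write", "stop"),
          (lambda w, e: w == e["dn"], "read", "stop"), ANY_BREAK]),
        ("{5}", lambda e, attr: under(e["dn"], PEOPLE), rule5),
        ("{6}", lambda e, attr: under(e["dn"], BASE),
         [(lambda w, e: w is None, "write", "stop")]),
    ]

def access(who, entry, attr, acl):         # returns (level, deciding rule)
    for label, what, bys in acl:
        if not what(entry, attr):
            continue
        for match, level, control in bys:
            if match(who, entry):
                if control == "break":
                    break                  # fall through to later "to" clauses
                return level, label
        else:
            return "none", label           # implicit trailing "by * none"
    return "none", "default"

# Constructed sample: a user allowed to use app2 only, and the app1 bind DN.
ALICE = {"dn": "uid=alice," + PEOPLE, "allowedService": ["app2"]}
APP1 = "cn=app1," + APPS
for users_clause in (True, False):         # as posted, then without "by users read"
    print(users_clause, access(APP1, ALICE, "uid", build_acl(users_clause)))
```

In this model cn=app1 gets read on the app2-only user's uid from rule {5}'s "by users read", and none once that clause is dropped; cn=app3 keeps read either way.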