openldap-technical December 2016

openldap-technical@openldap.org

33 participants
61 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

How to enable memberOf overlay with posixGroup?
by MegaBrutal 16 Aug '17

16 Aug '17

Hi all, I've spent days trying to figure out how could I enable the memberOf overlay, and it doesn't seem to be easy for an LDAP-noob. I've read like 50+ tutorials which didn't help me get it working. Use case: I want to have 2 main groups which control access to different services on my network. A "unixusers" which is a minimum to log in to Linux servers (having a hostObject entry for the user is another requirement, which is irrelevant to this question, as I already solved that problem); and a "cloudusers" group which enables log in to my ownCloud instance. The groups should enforce the following rules: – Only users in "cloudusers" should be allowed to log in to ownCloud. – Users in "unixusers" are allowed to log in to a set of Linux servers controlled by "host" (hostObject) entries. – Users not in the "unixusers" group may not log in to any Linux systems, even if they have "host" entries. Problems: – ownCloud complains that the memberOf overlay is not enabled, hence it doesn't let me restrict access to the "cloudusers" group. It would allow any users regardless of any group memberships, which is not acceptable. – I have a similar problem on Linux with PAM: I can't really get it to consider "unixusers" membership for user logins, although I got the "host" entries working correctly, so at least I can already restrict access with that. My guess is that it all boils down to the lack of memberOf overlay. I also figured that memberOf would need groupOfNames groups, while I need posixGroup type groups. I evaluated the possibility to use groupOfNames, but it lacks the necessary gidNumber attribute which is a requirement for Unix groups. But anyway, I can't enable memberOf even for groupOfNames. I can't enable memberOf by any means. My OpenLDAP uses the new configuration method and it completely ignores slapd.conf, so the config must be injected with ldapadd to cn=config. Could you please help me with this? Regards, MegaBrutal

5 6

[Q] "selective" ACL
by Zeus Panchenko 26 Jul '17

26 Jul '17

hi, I'm trying to configure a not complex (as I believe) ACL ... but have some difficulties I have two posixGroup groups cn=admins,ou=group,dc=foo cn=coadmins,ou=group,dc=foo my users resides in ou=People,dc=foo so, in subtree ou=People,dc=foo I need to allow anything to admins (and it is not difficult of course) for example this works for me: access to dn.subtree="ou=People,dc=foo" by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage by self write by users read by * break but in addition I need to allow my coadmins to do the same things except manipulations upon the objects which belong to admins ( ...anyobject,uid=adminuser,ou=People,dc=foo ) so, the question is: how? (if it is possible at all) :( please, advise -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)

2 2

Re: help with ACL
by Quanah Gibson-Mount 04 Jan '17

04 Jan '17

--On Friday, December 23, 2016 11:16 AM +0100 Alberto Aldrigo <alberto.aldrigo(a)h-farm.com> wrote: > uid=user1 and uid=user6 are company1's administrators, so they can write > in whole o=company1 subtree Might be best to make an LDAP group with those users as members, and then write an ACL based off of that group for its specific privileges. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs
by Quanah Gibson-Mount 02 Jan '17

02 Jan '17

--On Thursday, December 22, 2016 11:23 AM +0100 Matthieu Cerda <kegeruneku+openldap(a)ironflake.org> wrote: > Hello Howard and Ozgur, > > My answers are inlined in the following text. > > I attached a copy of the slapd.conf if you would like to take a look. Your slapd.conf has no rootdn configured. You need to configure it if you want ppolicy to function correctly. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: memberOf overlay issues with 2.4.44 + ITS 8432 patch
by Quanah Gibson-Mount 02 Jan '17

02 Jan '17

Ok good to know! The issue I created occurred when deleting the group, which I believe is the original complaint in the ITS as well. So I will add individual membership deletes as a part of that test too. --Quanah > On Dec 30, 2016, at 9:31 PM, Paul B. Henson <henson(a)acm.org> wrote: > >> On Fri, Dec 30, 2016 at 02:41:06PM -0800, Quanah Gibson-Mount wrote: >> >> Well, it seems to be some sort of race condition. > > Yes, I'd agree; probably also load dependent as I never triggered it on > my dev systems which are mostly idle other than my test load. It only > showed up on my prod systems which tend to have continuous load from > various other things. > >> I did want to confirm that you see this on servers that are long running >> (I.e., they've been running for a long time, and had other group deletes >> that went through w/o issue during that time). If so, then I can modify >> the test to randomly add and delete groups as a part of the test, >> increasing the likelyhood of triggering the issue within the test. > > I don't have too many deletions of group objects themselves in > production, mostly just deletions of the members of groups. I didn't see > any issues with group deletions in dev, or during some basic initial > testing in prod. I'll go ahead and make a new test group, add some > members to it, and then delete it and see what happens now that I've > been running this code for about 3 weeks... > > I didn't see any errors deleting a group, although there were these > syncrepl messages that I don't believe used to show up: > > Dec 30 21:23:29 themis slapd[2607]: syncrepl_message_to_op: rid=001 be_delete uid=ldaptest5,ou=group,dc=cpp,dc=edu (32) > Dec 30 21:23:29 themis slapd[2607]: syncrepl_message_to_op: rid=003 be_delete uid=ldaptest5,ou=group,dc=cpp,dc=edu (32) > Dec 30 21:23:29 themis slapd[2607]: syncrepl_message_to_op: rid=002 be_delete uid=ldaptest5,ou=group,dc=cpp,dc=edu (32) > > The group and memberOf attributes are gone on all four servers, so other > than noise in the logs I'm not sure what these messages meant. > >

2 1

Re: memberOf overlay issues with 2.4.44 + ITS 8432 patch
by Quanah Gibson-Mount 30 Dec '16

30 Dec '16

--On Thursday, December 29, 2016 7:55 PM -0800 "Paul B. Henson" <henson(a)acm.org> wrote: > On Thu, Dec 29, 2016 at 04:48:42PM -0800, Quanah Gibson-Mount wrote: > >> I'm able to reproduce the problem with my test script, so I think things >> are set from here. > > Excellent; in that case please let me know when there is a fix available > :). Thanks much... Well, it seems to be some sort of race condition. I've only had it occur one time out of some 700+ attempts. I don't think it is really related to 4-way MMR at all, but it may be the larger the number of consumers of the accesslog, the more likely it is to occur (so you'll see it more often in 4-way MMR). I did want to confirm that you see this on servers that are long running (I.e., they've been running for a long time, and had other group deletes that went through w/o issue during that time). If so, then I can modify the test to randomly add and delete groups as a part of the test, increasing the likelyhood of triggering the issue within the test. Thanks, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: memberOf overlay issues with 2.4.44 + ITS 8432 patch
by Quanah Gibson-Mount 29 Dec '16

29 Dec '16

--On Wednesday, December 28, 2016 4:44 PM -0800 "Paul B. Henson" <henson(a)acm.org> wrote: > On Wed, Dec 28, 2016 at 09:53:23AM -0800, Quanah Gibson-Mount wrote: > >> I'm going to see if I can create a test that reproduces the issue. >> I've been working on expanding the test suite so we can ensure we >> avoid regressions etc. > > Cool, thanks. Let me know if there's anything I can do to help. I'm able to reproduce the problem with my test script, so I think things are set from here. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: memberOf overlay issues with 2.4.44 + ITS 8432 patch
by Quanah Gibson-Mount 28 Dec '16

28 Dec '16

--On Thursday, December 22, 2016 6:12 PM -0800 "Paul B. Henson" <henson(a)acm.org> wrote: >> Probably worth adding to ITS#8444. > > Ok, will do. Although it seems there's been no response to that ticket > for six months :(? Anything else I can provide to help debug this? > Unfortunately it doesn't seem to be a straight "always happens" bug, I > didn't see it all in my dev environment under a test load, it only > popped up in production under a full load. I'm going to see if I can create a test that reproduces the issue. I've been working on expanding the test suite so we can ensure we avoid regressions etc. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: 2.4.44 segfault in modify_add_values
by Quanah Gibson-Mount 28 Dec '16

28 Dec '16

--On Sunday, December 25, 2016 8:19 AM -0800 "Paul B. Henson" <henson(a)acm.org> wrote: > Woke up this morning to an unwanted Christmas present :(, one of my ldap > servers had crashed with a segfault: > I restarted it and it synced right back up from the failover master and > seems to be ok now. Does this pop out as anything known and possibly > resolved in head? Thanks... Doesn't ring a bell, and unfortunately it looks like your binaries are stripped, so the backtrace doesn't contain useful information. :( --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2016