Problem with "force user to password reset at first login"
by Rajagopal Rc
Hi,

I am trying to force users to change their password at first login or after a password reset by the administrator.

Tried the following:

1) The password policy 'pwdMustChange TRUE' doesn't seem to be working, as none of the users get a prompt to change their password at first login.

2) Used the 'pwdReset TRUE' attribute in the user's attributes; it won't prompt to change the password and didn't allow login. I observe the messages below in the log:

slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password

Please help me configure the option to force all users to change their password at first login or after a password reset by the administrator.
Thanks & Regards
Raj
Tata Consultancy Services
1 month, 1 week
slapd-meta
by Fr3ddie
Hello to the list,
I'm trying to configure the slapd-meta OpenLDAP backend on an online cn=config configuration with no luck. Slapd version is 2.4.39 (the maximum I can achieve on the target machines building from vanilla source).
The documentation is clear but too concise for me, so I will try to explain what I'm trying to do to see if there is anybody that can help me.
Currently I have 3 slapd servers that share a common root for the DIT, i.e.:
dc=loc1,dc=root
dc=loc2,dc=root
dc=loc3,dc=root
What I would like to achieve is to obtain a fourth server that contains
the previous trees, along with its own tree, i.e. a server that contains:
dc=loc0,dc=root (locally hosted data)
dc=loc1,dc=root (coming from the first server, chasing referrals)
dc=loc2,dc=root (coming from the second server, chasing referrals)
dc=loc3,dc=root (coming from the third server, chasing referrals)
this way, all the clients connecting to this server will be able to
retrieve data also from the other three remote servers.
As far as I understood, I only need to configure the "loc0" server to access
the other three servers and get the data to serve to clients.
I have already configured the fourth server with its local DIT and this is
the configuration:
# cat 'cn=config.ldif'
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
structuralObjectClass: olcGlobal
creatorsName: cn=config
olcServerID: 1
olcThreads: 32
olcToolThreads: 8
olcRequires: LDAPv3
olcConnMaxPendingAuth: 100
olcTLSCACertificateFile: /etc/ssl/certs/my_ca_cert.pem
olcTLSCertificateFile: /etc/ssl/certs/this-host_x509_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/this-host_x509_key.key
olcTLSVerifyClient: try
olcTimeLimit: 600
olcLogLevel: stats2 sync
[...]
# cat 'cn=module{0}.ldif'
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModuleLoad: {2}accesslog
structuralObjectClass: olcModuleList
[...]
Schema files are the following:
cn={0}core.ldif
cn={1}cosine.ldif
cn={2}nis.ldif
cn={3}inetorgperson.ldif
cn={4}dyngroup.ldif
cn={5}kerberos.ldif
# cat 'olcDatabase={1}hdb.ldif'
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=loc0,dc=root
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=loc0,dc=root" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=loc0,dc=root" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=loc0,dc=root
olcRootPW:: xxxxxxxxxxxxxxxxxxxx
olcDbCacheSize: 10000
olcDbCheckpoint: 512 10
olcDbConfig: {0}set_cachesize 0 524288000 1
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
olcDbIDLcacheSize: 30000
olcDbIndex: default pres,eq
[...]
structuralObjectClass: olcHdbConfig
olcSyncrepl: {0}rid=0 provider=ldap://second-host.loc0.root bindmethod=simple binddn="cn=admin,dc=loc0,dc=root" credentials=xxxxxx searchbase="dc=loc0,dc=root" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=yes
olcMirrorMode: TRUE
[...]
On top of this DB I have the "syncprov" and the "accesslog" overlays configured (these are two servers in "MirrorMode", configured following the OpenLDAP admin documentation).
I believe this DB is the one containing the actual "loc0" DIT data...
Then I have the accesslog DB for the replica (with the syncprov overlay on top):
# cat 'olcDatabase={2}hdb.ldif'
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=loc0,dc=root
olcDbConfig: {0}set_cachesize 0 524288000 1
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
[...]
On top of this environment I start loading the needed modules with this
LDIF file:
version: 1
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap
-
add: olcModuleLoad
olcModuleLoad: back_meta
-
add: olcModuleLoad
olcModuleLoad: rwm
and it seems I'm able to load the new modules without errors
into the configuration, thus I obtain:
# cat 'cn=module{0}.ldif'
dn: cn=module{0}
structuralObjectClass: olcModuleList
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModuleLoad: {2}accesslog
olcModuleLoad: {3}back_ldap
olcModuleLoad: {4}back_meta
olcModuleLoad: {5}rwm
[...]
Now I try to load the slapd-meta directives into a new database using
this LDIF:
version: 1
dn: olcDatabase={3}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {3}meta
olcSuffix: dc=root
olcDbURI: "ldap://server-loc1.loc1.root/dc=loc1,dc=root"
olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc1,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand
olcDbURI: "ldap://server-loc2.loc2.root/dc=loc2,dc=root"
olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc2,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand
olcDbURI: "ldap://server-loc3.loc3.root/dc=loc3,dc=root"
olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc3,dc=root" credentials=xxxxxx starttls=yes tls_reqcert=demand
but I obtain an error that leaves me stuck, after trying various combinations without success:
# ldapadd -Y EXTERNAL -H ldapi:/// -f slapd-META-DB-CREATION.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase={3}meta,cn=config"
ldap_add: Object class violation (65)
additional info: attribute 'olcDbURI' not allowed
and:
# tail /var/log/openldap/slapd.log
Nov 9 19:47:17 server01 slapd[32392]: conn=1025 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:47:29 server01 slapd[32392]: conn=1052 op=2 INTERM oid=1.3.6.1.4.1.4203.1.9.1.4
Nov 9 19:49:47 server01 slapd[32392]: conn=1327 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:52:17 server01 slapd[32392]: conn=1628 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:54:46 server01 slapd[32392]: conn=1929 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:57:07 server01 slapd[32392]: Entry (olcDatabase={3}meta,cn=config), attribute 'olcDbURI' not allowed
In the slapd-meta documentation the "URI" directive is mentioned, but "DbURI" seems to raise a "better error"; in fact, if I modify the above LDIF file to use "URI" I obtain:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase={3}meta,cn=config"
ldap_add: Undefined attribute type (17)
additional info: olcUri: attribute type undefined
Moreover, it is not stated in the slapd-meta docs that the slapd-ldap backend is needed by slapd-meta, but anyway I think it is needed, because if I try to load slapd-meta alone it raises an error (I don't remember exactly which one).
At this point I'm stuck on this error and I wasn't able to find any hint on the web to solve it :(
The examples I was able to find were related to the static slapd.conf configuration; I couldn't find any "full" configuration example using cn=config.
I'm wondering if I should create an actual "cn=root" DB first and then link the sub-DITs to it, or, maybe, add some other overlay... I really can't understand how it should work :(
Can anybody please help me?
Thank you very much
7 years, 1 month
Documentation Feedback
by Tom Jay
Hello,
I would like to voice my frustration with the quality of the openLDAP documentation. I am compiling openLDAP from source on Debian 7, and have spent about 2-3 continuous days getting to the point where I can add an LDAP user with a UID. I have been close to giving up with the software, but need it for the LDAP functionality, and as very few viable alternatives exist, have been forced to continue with the installation. I have however almost lost confidence in the product, and am concerned that if there are any problems with it in the future, or I want to enable another feature, I will be almost helpless in getting it to work.
The main problem is the Quick-Start Guide. This is anything but quick, and forces the user to consult the less-than-succinct Admin guide. The two together are inconsistent, difficult to follow and do a poor job of explaining what each feature does. The accessibility of information is less than optimal, which means that the user has to look elsewhere, consuming even more time. Unfortunately, there is not much relevant information on the Internet, forcing the user to get stuck in an almost endless loop of checking documentation, testing, reading manuals, and searching on the Internet, in order to get some kind of idea how the software works and what needs to be done to get it working.
I would offer to contribute to the documentation, but due to its lack of usefulness, do not have an understanding of the basic concepts myself. The best I would be able to do is describe my experience and provide the steps that I followed to get a basic installation working.
Hopefully someone can volunteer the time to test the documentation, in the same way a new user would!
Tom
7 years, 2 months
Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to search LDAP entries using the Net::LDAP search method. When I do a search, I want a limited number of entries from the search result; for this (searching) process I am using the Net::LDAP::Control::VLV module. But I get an error on the VLV response control. Does anyone have an idea about this error?

Error: Died at vlv.pl line 50

This is my example; I changed the font style of line 50.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called once per entry as results arrive; prints every attribute value.
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # release the entry so the result set does not grow
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "connect: $@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,          # Call this sub for each entry
    control  => [ $sort, $vlv ],      # VLV requires the sort control
);
my $mesg = $ldap->search(@args);

# Get VLV response control -- this is line 50 of vlv.pl, where the script dies
# because the server returned no VLV response control with the result
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
  or die "no VLV response control (" . $mesg->error . ")\n";
$vlv->response($resp);

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
  or die "no VLV response control (" . $mesg->error . ")\n";
$vlv->response($resp);

# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
  or die "no VLV response control (" . $mesg->error . ")\n";
$vlv->response($resp);

# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
  or die "no VLV response control (" . $mesg->error . ")\n";
$vlv->response($resp);
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
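An added example, not from the post above or from Net::LDAP: the check a practitioner wants before a VLV search is whether the server advertises the server-side sort (SSS, 1.2.840.113556.1.4.473) and VLV (2.16.840.1.113730.3.4.9) controls on its root DSE. On OpenLDAP both come from the sssvlv overlay; without it the search result carries no VLV response control, which is the condition the script above dies on. The host and search base are placeholders; the same first page of 20 entries sorted by cn is expressed with ldapsearch's -E options.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes ldapsearch from
# the OpenLDAP client tools; host and base DN are placeholders passed in.
set -e

SSS_OID=1.2.840.113556.1.4.473
VLV_OID=2.16.840.1.113730.3.4.9

# Read the root DSE once; the LDIF goes through advertises() below.
root_dse() {
    ldapsearch -x -H "ldap://${1:-localhost}" -LLL -s base -b '' supportedControl
}

# Return 0 when the root DSE LDIF on stdin lists every OID given as argument.
advertises() {
    dse=$(cat)
    for oid in "$@"; do
        printf '%s\n' "$dse" | grep -qxF "supportedControl: $oid" || return 1
    done
    return 0
}

# First page of 20 entries sorted by cn, i.e. the Perl search above written
# with ldapsearch (-E vlv=before/after/offset/count; -E sss is mandatory).
first_page() {
    ldapsearch -x -H "ldap://$1" -b "$2" -s sub '(objectClass=inetOrgPerson)' \
        -E sss=cn -E vlv=0/19/1/0 dn cn
}

if [ "${1:-}" = run ]; then
    if root_dse "$2" | advertises "$SSS_OID" "$VLV_OID"; then
        first_page "$2" "$3"
    else
        echo "server does not advertise SSS and VLV; load the sssvlv overlay first" >&2
        exit 1
    fi
fi
```

Usage: `sh vlv-check.sh run ldap.example.com dc=example,dc=co,dc=in`. The same root DSE lookup belongs in the Perl script before the first `$mesg->control(...)` call, so a missing overlay produces a clear message instead of a bare `Died at`.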
Re: Documentation
by Daniel Howard
My recent experience is OpenLDAP on Ubuntu. I thought I would go with
OpenLDAP's guide because they should know better, but the quick start was
for older versions or something and hadn't been updated.
I like documentation systems that allow for user feedback, comments, or
patches via github. If you want community improvements then maybe low
hanging fruit is a link in the doc template on how to interact with the
documentation.... If the current docs platform has no mechanism for
feedback and comments on a specific document, the source code/ build
process is obscure ... Maybe consider porting even a "fork " to github and
solicit community feedback (you can file issues in a familiar mechanism,
and take in patches from dudes like me...)
For what it's worth, the Ubuntu OpenLDAP quick start guide had only a few
minor hiccups, and I would recommend that resource for anyone looking to
implement or update a quickstart guide.
The Faq-o-Matic ... Man a modern stack overflow site might be nice but a
question in the back of my mind is whether the advice is still useful. I
don't know if the FoM does this but if the answers showed dates then I
could evaluate an answer that's say 2-4 years old with greater confidence
than say something 12 years old ... One of the challenges of a venerable,
old and mature project like OpenLDAP.
I guess what I'm trying to say, from my mobile phone, is if the
documentation were more "agile" in engaging the community for identifying
issues and taking in corrections, we may all be happier.
I would be open to volunteering to port docs...
Thanks,
-Danny
--
Sent from my Western Electric Model 500
On Apr 29, 2016 5:01 PM, "Gavin Henry" <ghenry(a)openldap.org> wrote:
Hi all,
List what you love about our docs:
List what you hate:
List what you'd love to see:
List what you can help with:
Thanks.
--
Kind Regards,
Gavin Henry.
7 years, 6 months
Re: Documentation
by Daniel Howard
On Apr 30, 2016 1:03 PM, "Quanah Gibson-Mount" <quanah(a)zimbra.com> wrote:
>
> --On Saturday, April 30, 2016 11:41 AM -0700 Daniel Howard <
dannyman(a)toldme.com> wrote:
>
>>
>> My recent experience is OpenLDAP on Ubuntu. I thought I would go with
>> OpenLDAP's guide because they should know better, but the quick start was
>> for older versions or something and hadn't been updated.
>
>
> Apparently you haven't read the quickstart guide in a while.
About March-April, if memory serves. Feels like longer.
-Danny
7 years, 7 months
Documentation
by Gavin Henry
Hi all,
List what you love about our docs:
List what you hate:
List what you'd love to see:
List what you can help with:
Thanks.
--
Kind Regards,
Gavin Henry.
7 years, 7 months
Re: Export issue after an DN change
by mdii
Thanks for the reply.
The OpenLDAP version is 2.4.35.
For the backend, I'm not really sure where to look, but I found the attribute olcDbDirectory in the olcDatabase={1}mdb,cn=config entry. It points at the folder /custom/data/openldap-data-oldschema, where I saw two .mdb files (lock.mdb and data.mdb).
Is it possible that these two MSAccess (?) files are my OpenLDAP backend?
It is running on a Red Hat 6 system.
I did an ldapsearch and a slapcat and both of them returned all entries.
When I use the Java UnboundID framework, if I do a "large" search, some entries don't show up, but if I do a specific search, the missing entry is found. Both queries were made by the same framework method...
2016-04-22 21:33 GMT+02:00 Quanah Gibson-Mount <quanah(a)zimbra.com>:
> --On Friday, April 22, 2016 4:57 PM +0200 mdii <mdii.alias(a)gmail.com>
> wrote:
>
>
>> I'm having a weird issue with my OpenLDAP directory, maybe some of you
>> had a similar issue in the past and can point me in the right direction,
>> at the moment I have no idea where to start looking...
>>
>
> OpenLDAP version? OpenLDAP backend? What results do you get from slapcat?
>
> --Quanah
7 years, 7 months
Q: "dn: cn=Uptime,cn=Time,cn=Monitor" non-monotonic occasionally?
by Ulrich Windl
Hi!
I'm running a NRPE monitor that monitors openLDAP. To compute delta values, the NRPE plugin stores the "dn: cn=Uptime,cn=Time,cn=Monitor" reported by openLDAP to compare it with the current value (to build the time difference). If the time difference is negative, the plugin reports a "server restart" event.
So far, so good...
However, very rarely (once every few weeks) a false server restart is reported. Viewing the historic logs, I can only assume that openLDAP reports a bad uptime value now and then. Could this be?
Example plugin logs:
2016/04/28 10:25:14 LDAP: Operations Rate OK HARD 1 OK: [Lock.Delay=0.246], [3 searches with 12 entries in 0.057s], 2340577, 0.10084, 0.07563, 0.35294, 0, 0, 0, 0, 0, 0, 0.08403, 0.61345
2016/04/28 10:23:14 LDAP: Operations Rate OK HARD 1 OK: [Lock.Delay=0.288], [3 searches with 12 entries in 0.052s], 2340458, 0.09917, 0.08264, 0.32231, 0, 0, 0, 0, 0, 0, 0.08264, 0.58678
2016/04/28 10:21:14 LDAP: Operations Rate UNKNOWN HARD 1 UNKNOWN: [Lock.Delay=0.221], [3 searches with 12 entries in 0.052s], 2340337, [Operations.Bind.i: restart detected (2340337 - 2340341 == -4)], 284553, [Operations.Unbind.i: restart detected (2340337 - 2340341 == -4)], 205927, [Operations.Search.i: restart detected (2340337 - 2340341 == -4)], 985106, [Operations.Compare.i: restart detected (2340337 - 2340341 == -4)], 0, [Operations.Modify.i: restart detected (2340337 - 2340341 == -4)], 0, [Operations.Modrdn.i: restart detected (2340337 - 2340341 == -4)], 0, [Operations.Add.i: restart detected (2340337 - 2340341 == -4)], 0, [Operations.Delete.i: restart detected (2340337 - 2340341 == -4)], 0, [Operations.Abandon.i: restart detected (2340337 - 2340341 == -4)], 4, [Operations.Extended.i: restart detected (2340337 - 2340341 == -4)], 245199, [Operations.i: restart detected (2340337 - 2340341 == -4)], 1720790
2016/04/28 10:19:14 LDAP: Operations Rate OK HARD 1 OK: [Lock.Delay=0.501], [3 searches with 12 entries in 0.060s], 2340341, 0.13333, 0.09167, 0.65000, 0, 0, 0, 0, 0, 0, 0.11667, 0.99167
(The first number after the messages in square brackets is the uptime, then come the operations rate for several LDAP operations)
At 10:19:14 the uptime was 2340341, and at 10:25:14 the uptime was 2340577. That could be OK, but at 10:21:14 the uptime was reported as 2340337 which is less than reported at 10:19:14.
Has there ever been such an issue with uptime?
Regards,
Ulrich
7 years, 7 months
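An added example, not part of the post above or of any NRPE plugin: rather than inferring a restart from a decreasing cn=Uptime counter, compare the start timestamp that back-monitor publishes in cn=Start,cn=Time,cn=Monitor (attribute monitorTimestamp). It only changes when slapd actually restarts, so a one-off dip of a few seconds in cn=Uptime (monitoredInfo), like the 2340341 -> 2340337 reading in the log above, is reported as a glitch and not as a restart. The state file path, host and bind settings are placeholders, and the monitor database must be configured and readable by the monitoring identity.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes slapd-monitor is
# enabled and readable anonymously (adjust the ldapsearch bind options);
# STATE is a placeholder path for the previous reading.
set -e

STATE=${STATE:-/var/tmp/ldap-monitor.state}

# Fetch both time entries: cn=Start carries monitorTimestamp, cn=Uptime
# carries monitoredInfo (seconds since start).
fetch_time_entries() {
    ldapsearch -x -H "ldap://${1:-localhost}" -LLL -b cn=Time,cn=Monitor \
        '(|(cn=Start)(cn=Uptime))' monitorTimestamp monitoredInfo
}

# Pull the first value of one attribute out of LDIF text on stdin.
ldif_attr() {
    sed -n "s/^$1: //p" | head -n 1
}

# restart_check PREV_START PREV_UPTIME START UPTIME
# Prints restart, glitch or ok. A lower uptime with an unchanged start
# timestamp is a glitch in the counter, not a server restart.
restart_check() {
    prev_start=$1; prev_uptime=$2; start=$3; uptime=$4
    if [ -n "$prev_start" ] && [ "$start" != "$prev_start" ]; then
        echo restart
    elif [ -n "$prev_uptime" ] && [ "$uptime" -lt "$prev_uptime" ]; then
        echo glitch
    else
        echo ok
    fi
}

# One monitoring pass: read the previous reading, fetch the current one,
# classify, then persist the current reading for the next pass.
run_once() {
    prev_start=''; prev_uptime=''
    [ -r "$STATE" ] && read -r prev_start prev_uptime < "$STATE"
    ldif=$(fetch_time_entries "$1")
    start=$(printf '%s\n' "$ldif" | ldif_attr monitorTimestamp)
    uptime=$(printf '%s\n' "$ldif" | ldif_attr monitoredInfo)
    verdict=$(restart_check "$prev_start" "$prev_uptime" "$start" "$uptime")
    printf '%s %s\n' "$start" "$uptime" > "$STATE"
    echo "$verdict start=$start uptime=$uptime"
    [ "$verdict" = restart ] && return 2
    return 0
}

if [ "${1:-}" = run ]; then
    run_once "$2"
fi
```

Usage: `STATE=/var/tmp/ldap.state sh ldap-restart.sh run ldap.example.com`; the exit code 2 maps onto an NRPE CRITICAL for a genuine restart, while a glitch is only logged. Keeping the last reading of both values means a restart that happens to land on a higher uptime (long outage, then a fresh start) is still caught by the timestamp comparison.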
ACLs: restrict by IP and user
by Janne Peltonen
Hi!
I was thinking about giving the users a different set of their own attributes,
depending on whether they accessed the server from a well-known IP address or
not. Is this possible using OpenLDAP? I know how to form a WHO clause to grant
access to self; I know how to form a WHO clause to grant access from a certain
IP address; what I don't know is how to grant access to "self if and only if it
hails from a certain IP address", i.e. so that the given rights would require
both that we're considering "self" and "IP address" at the same time, but if
either doesn't match, then the clause wouldn't apply.
I'd be glad if anybody could provide any help on this. Also a simple "can't be
done" would be appreciated.
--Janne Peltonen
University of Helsinki
7 years, 7 months