openldap-technical January 2017

openldap-technical@openldap.org

47 participants
80 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Re: Syncrepl and multipe values
by Quanah Gibson-Mount 24 Feb '18

24 Feb '18

--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio Morais <matheus_morais(a)sicredi.com.br> wrote: > > > > Issue 8559 opened. > > > > I'm trying to work on a patch but I'm not sure if the best solution is to > fix accesslog to avoid duplicated values or if the sample LDIF (in its > description) should result in a constraint violation. What do you think? The accesslog should never write an operation that can't be replicated. If the MOD is a valid LDAP operation (which I think it is), then it should be accepted at the frontend. The issue may be more in delta-syncrepl's handling of the write op than anything else. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 3

How to enable memberOf overlay with posixGroup?
by MegaBrutal 16 Aug '17

16 Aug '17

Hi all, I've spent days trying to figure out how could I enable the memberOf overlay, and it doesn't seem to be easy for an LDAP-noob. I've read like 50+ tutorials which didn't help me get it working. Use case: I want to have 2 main groups which control access to different services on my network. A "unixusers" which is a minimum to log in to Linux servers (having a hostObject entry for the user is another requirement, which is irrelevant to this question, as I already solved that problem); and a "cloudusers" group which enables log in to my ownCloud instance. The groups should enforce the following rules: – Only users in "cloudusers" should be allowed to log in to ownCloud. – Users in "unixusers" are allowed to log in to a set of Linux servers controlled by "host" (hostObject) entries. – Users not in the "unixusers" group may not log in to any Linux systems, even if they have "host" entries. Problems: – ownCloud complains that the memberOf overlay is not enabled, hence it doesn't let me restrict access to the "cloudusers" group. It would allow any users regardless of any group memberships, which is not acceptable. – I have a similar problem on Linux with PAM: I can't really get it to consider "unixusers" membership for user logins, although I got the "host" entries working correctly, so at least I can already restrict access with that. My guess is that it all boils down to the lack of memberOf overlay. I also figured that memberOf would need groupOfNames groups, while I need posixGroup type groups. I evaluated the possibility to use groupOfNames, but it lacks the necessary gidNumber attribute which is a requirement for Unix groups. But anyway, I can't enable memberOf even for groupOfNames. I can't enable memberOf by any means. My OpenLDAP uses the new configuration method and it completely ignores slapd.conf, so the config must be injected with ldapadd to cn=config. Could you please help me with this? Regards, MegaBrutal

5 6

[Q] "selective" ACL
by Zeus Panchenko 26 Jul '17

26 Jul '17

hi, I'm trying to configure a not complex (as I believe) ACL ... but have some difficulties I have two posixGroup groups cn=admins,ou=group,dc=foo cn=coadmins,ou=group,dc=foo my users resides in ou=People,dc=foo so, in subtree ou=People,dc=foo I need to allow anything to admins (and it is not difficult of course) for example this works for me: access to dn.subtree="ou=People,dc=foo" by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage by self write by users read by * break but in addition I need to allow my coadmins to do the same things except manipulations upon the objects which belong to admins ( ...anyobject,uid=adminuser,ou=People,dc=foo ) so, the question is: how? (if it is possible at all) :( please, advise -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)

2 2

RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
by Quanah Gibson-Mount 14 Feb '17

14 Feb '17

For this testing call, we particularly need folks to test OpenLDAP with startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with the 1.1 series). There is currenly nothing in the test suite that covers encrypted connections (Although it's on my todo list). To build against OpenSSL 1.1 may also require cyrus-sasl HEAD out of the cyrus-sasl GIT repository, depending on your build options as the current cyrus-sasl release does not support the OpenSSL 1.1 series. It can be found at <https://github.com/cyrusimap/cyrus-sasl>. If you build with GSSAPI and use Heimdal, you will also need the Heimdal 7.1.0 or later release (as that is where OpenSSL 1.1 support was added). It can be obtained from <http://h5l.org/>. Also new with this release is the ability to run "make its" in the tests/ directory. This will run a specific set of tests around past bugs to ensure there are no regressions. While I've tested this with modular openldap builds, it has not been tested with the modules and backends built into slapd, so there could be some issues in that scenario. Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> Configure & build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its run through the regression suite. Thanks! OpenLDAP 2.4.45 Engineering Added slapd support for OpenSSL 1.1.0 series (ITS#8353, ITS#8533) Fixed libldap handling of Diffie-Hellman parameters (ITS#7506) Fixed libldap GnuTLS use after free (ITS#8385) Fixed slapd sasl SEGV rebind in same session (ITS#8568) Fixed slapd syncrepl filter handling (ITS#8413) Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS#8432) Fixed slapd callback struct so older modules without writewait should function. Custom modules may need to be updated for sc_writewait callback (ITS#8435) Fixed slapd-mdb so it passes ITS6794 regression test (ITS#6794) Fixed slapd-meta uninitialized diagnostic message (ITS#8442) Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS#8423) Fixed slapo-relay to correctly initialize sc_writewait (ITS#8428) Build Environment Added test065 for proxyauthz (ITS#8571) Fix test008 to be portable (ITS#8414) Fix its4336 regression test (ITS#8534) Fix its4337 regression test (ITS#8535) Fix regression tests to execute on all backends (ITS#8539) Contrib Added slapo-autogroup(5) man page (ITS#8569) Added passwd missing conversion scripts for apr1 (ITS#6826) Fixed contrib modules where the writewait callback was not correctly initialized (ITS#8435) Fixed smbk5pwd to build with newer OpenSSL releases (ITS#8525) Documentation admin24 fixed tls_cipher_suite bindconf option (ITS#8099) admin24 fixed typo cn=config to be slapd.d (ITS#8449) Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS#8538) Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS#8565) Fixed various minor grammar issues in the man pages (ITS#8544) LMDB 0.9.20 Release Engineering Fix mdb_load with escaped plaintext (ITS#8558) Fix mdb_cursor_last / mdb_put interaction (ITS#8557) LMDB 0.9.19 Release (2016/12/28) Fix mdb_env_cwalk cursor init (ITS#8424) Fix robust mutexes on Solaris 10/11 (ITS#8339) Tweak Win32 error message buffer Fix MDB_GET_BOTH on non-dup record (ITS#8393) Optimize mdb_drop Fix xcursors after mdb_cursor_del (ITS#8406) Fix MDB_NEXT_DUP after mdb_cursor_del (ITS#8412) Fix mdb_cursor_put resetting C_EOF (ITS#8489) Fix mdb_env_copyfd2 to return EPIPE on SIGPIPE (ITS#8504) Fix mdb_env_copy with empty DB (ITS#8209) Fix behaviors with fork (ITS#8505) Fix mdb_dbi_open with mainDB cursors (ITS#8542) Fix robust mutexes on kFreeBSD (ITS#8554) Fix utf8_to_utf16 error checks (ITS#7992) Fix F_NOCACHE on MacOS, error is non-fatal (ITS#7682) Build Make shared lib suffix overridable (ITS#8481) Documentation Cleanup doxygen nits Note reserved vs actual mem/disk usage --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

5 8

help troubleshooting
by scar 01 Feb '17

01 Feb '17

I have inherited an LDAP server and admittedly do not have all the technical expertise to troubleshoot the problems we have. We are using slapd 2.4.40. The first problem is nobody but the rootdn can change passwords. We'd like to use "passwd" utility on our servers to change our passwords but the error is "LDAP password information update failed: Insufficient access" In slapd.conf we have (i have removed our dc for privacy): access to attrs=userPassword by self write by anonymous auth by dn="cn=Manager,dc=X,dc=Y,dc=Z" write by * none access to * by self write by dn="cn=Manager,dc=X,dc=Y,dc=Z" write by * read by * auth access to * by dn="uid=ldapadmin,dc=X,dc=Y,dc=Z" read "cn=Manager,dc=X,dc=Y,dc=Z" is our rootdn and i have enabled logleve 128 However, this brings me to the next problem: the contents of slapd.conf do not match the slapd.d/cn\=config.ldif file, so it seems the fixes i am trying to the ACL's don't have any effect, even when i restart slapd. If i try "ldapmodify -nv" it just hangs. When i try to stop slapd and remove slapd.d/* and then start slapd, the contents are recreated according to the config file, but then users can't login (all i see in the logfile is access_allowed and slap_access_allowed but no conn lines) So some basic troubleshooting help would be appreciated! Thanks

2 1

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
by Quanah Gibson-Mount 31 Jan '17

31 Jan '17

--On Tuesday, January 31, 2017 12:05 PM -0800 Quanah Gibson-Mount <quanah(a)symas.com> wrote: >> ERROR: Entry 21 not replicated to ldap://localhost:9012/! (32)! >> Error found after 1 of 1 iterations >>>>>>> test061-syncreplication-initiation failed for mdb >> (exit 1) >> Makefile:310: recipe for target 'mdb-yes' failed >> make: *** [mdb-yes] Error 1 > > Interesting -- Can you tar up the testrun directory, ftp it up, and file > an ITS with a pointer to the upload? I was able to reproduce this as well with back-mdb. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
by Quanah Gibson-Mount 31 Jan '17

31 Jan '17

--On Tuesday, January 31, 2017 8:35 PM +0100 Dieter Klünter <dieter(a)dkluenter.de> wrote: > Am Mon, 30 Jan 2017 12:49:56 -0800 > schrieb Quanah Gibson-Mount <quanah(a)symas.com>: > [...] > >> Generally, get the code for RE24: >> >> <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=re >> fs/heads/OPENLDAP_REL_ENG_2_4;sf=tgz> >> >> Configure & build. >> >> Execute the test suite (via make test) after it is built. >> Optionally, cd tests && make its run through the regression suite. > > [...] > > Starting test061-syncreplication-initiation for mdb... > Running defines.sh > ... > > ERROR: Entry 21 not replicated to ldap://localhost:9012/! (32)! > Error found after 1 of 1 iterations >>>>>> test061-syncreplication-initiation failed for mdb > (exit 1) > Makefile:310: recipe for target 'mdb-yes' failed > make: *** [mdb-yes] Error 1 Interesting -- Can you tar up the testrun directory, ftp it up, and file an ITS with a pointer to the upload? Thanks, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Mirror Inquiry
by Standalone Admin 31 Jan '17

31 Jan '17

Hi Is there a need for more mirrors for OpenLDAP? If so we can host it on our server in France @1GBPS connection. Thanks, Sam

1 0

How to add index for "member" of ldap groups
by Axel Birndt 27 Jan '17

27 Jan '17

Hi @All, i'am currently searching for a possibility to add an index in openldap (cn=config backend) for the "member" of groups. In my log i got the following message: > 475 admin slapd: <= bdb_equality_candidates: (member) not indexed I found, that "member" is an attribute from an ldap group. > # Entry 1: cn=bind_users,ou=admins,ou=groups,dc=company,dc=de > dn: cn=bind_users,ou=admins,ou=groups,dc=company,dc=de > cn: bind_users > member: cn=apachebind,ou=apache_technical,ou=users,dc=company,dc=de > member: cn=wordpressbind1,ou=wordpress_bind,ou=users,dc=company,dc=de > objectclass: groupOfNames > objectclass: top How could i add an index for this attribute? I searched with google and found: http://www.openldap.org/faq/data/cache/136.html https://wiki.debian.org/LDAP/OpenLDAPSetup http://www.openldap.org/doc/admin24/slapdconf2.html and so on... With this information i already added indices for > # Entry 1: olcDatabase={1}hdb,cn=config > dn: olcDatabase={1}hdb,cn=config > objectclass: olcDatabaseConfig > objectclass: olcHdbConfig > olcdbindex: objectClass eq > olcdbindex: cn pres,sub,eq > olcdbindex: sn pres,sub,eq > olcdbindex: uid pres,sub,eq > olcdbindex: displayName pres,sub,eq > olcdbindex: default sub > olcdbindex: uidNumber eq > olcdbindex: gidNumber eq > olcdbindex: mail,givenName eq,subinitial > olcdbindex: dc eq If i try to add a new index "olcdbindex: member pres,sub,eq" i got an failure Could not perform ldap_modify operation. LDAP said: Other (e.g., implementation specific) error Error number: 0x50 (LDAP_OTHER) Is anyone able to give me a hint, where i could find more information or help me to find the right search key words? -- Gruß/Kind regards Axel ------------------------------

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2017