openldap-technical February 2017

openldap-technical@openldap.org

34 participants
62 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Re: Syncrepl and multipe values
by Quanah Gibson-Mount 24 Feb '18

24 Feb '18

--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio Morais <matheus_morais(a)sicredi.com.br> wrote: > > > > Issue 8559 opened. > > > > I'm trying to work on a patch but I'm not sure if the best solution is to > fix accesslog to avoid duplicated values or if the sample LDIF (in its > description) should result in a constraint violation. What do you think? The accesslog should never write an operation that can't be replicated. If the MOD is a valid LDAP operation (which I think it is), then it should be accepted at the frontend. The issue may be more in delta-syncrepl's handling of the write op than anything else. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 3

How to enable memberOf overlay with posixGroup?
by MegaBrutal 16 Aug '17

16 Aug '17

Hi all, I've spent days trying to figure out how could I enable the memberOf overlay, and it doesn't seem to be easy for an LDAP-noob. I've read like 50+ tutorials which didn't help me get it working. Use case: I want to have 2 main groups which control access to different services on my network. A "unixusers" which is a minimum to log in to Linux servers (having a hostObject entry for the user is another requirement, which is irrelevant to this question, as I already solved that problem); and a "cloudusers" group which enables log in to my ownCloud instance. The groups should enforce the following rules: – Only users in "cloudusers" should be allowed to log in to ownCloud. – Users in "unixusers" are allowed to log in to a set of Linux servers controlled by "host" (hostObject) entries. – Users not in the "unixusers" group may not log in to any Linux systems, even if they have "host" entries. Problems: – ownCloud complains that the memberOf overlay is not enabled, hence it doesn't let me restrict access to the "cloudusers" group. It would allow any users regardless of any group memberships, which is not acceptable. – I have a similar problem on Linux with PAM: I can't really get it to consider "unixusers" membership for user logins, although I got the "host" entries working correctly, so at least I can already restrict access with that. My guess is that it all boils down to the lack of memberOf overlay. I also figured that memberOf would need groupOfNames groups, while I need posixGroup type groups. I evaluated the possibility to use groupOfNames, but it lacks the necessary gidNumber attribute which is a requirement for Unix groups. But anyway, I can't enable memberOf even for groupOfNames. I can't enable memberOf by any means. My OpenLDAP uses the new configuration method and it completely ignores slapd.conf, so the config must be injected with ldapadd to cn=config. Could you please help me with this? Regards, MegaBrutal

5 6

[Q] "selective" ACL
by Zeus Panchenko 26 Jul '17

26 Jul '17

hi, I'm trying to configure a not complex (as I believe) ACL ... but have some difficulties I have two posixGroup groups cn=admins,ou=group,dc=foo cn=coadmins,ou=group,dc=foo my users resides in ou=People,dc=foo so, in subtree ou=People,dc=foo I need to allow anything to admins (and it is not difficult of course) for example this works for me: access to dn.subtree="ou=People,dc=foo" by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage by self write by users read by * break but in addition I need to allow my coadmins to do the same things except manipulations upon the objects which belong to admins ( ...anyobject,uid=adminuser,ou=People,dc=foo ) so, the question is: how? (if it is possible at all) :( please, advise -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)

2 2

Re: 2.4.44 + ITS 8432 patch segfault in modify_add_values
by Quanah Gibson-Mount 04 Mar '17

04 Mar '17

--On Wednesday, February 15, 2017 6:36 PM -0800 "Paul B. Henson" <henson(a)acm.org> wrote: > On Wed, Feb 15, 2017 at 12:22:29PM -0800, Quanah Gibson-Mount wrote: > >> I would suggest filing an ITS with the full backtrace info, so I can >> track it. > > Ok, will do. > >> It could be useful to have the entry data from the accesslog as >> well for the failed replication op, as we can see the failed entry DN in >> the output of your backtrace. > > That would be in the accesslog on the server that crashed? Hmm, the > server that crashed is the master, and all updates were going to it. Am > I confused, or did the update that caused the crash come in via syncrepl > though, and hence originate from a different server? So the accesslog > entry you want would be from that server, not the server that crashed? > But given no other servers should have been receiving updates, how would > an update have been received via replication? Or is this another issue > like the memberOf problem where updates are being improperly replicated? It appears to be crashing while writing the change to the accesslog database. It's odd that the value for the attribute is NULL. Do we know for sure what the client doing the write op to the server is sending? > Hmm, looking at the logs that correspond with one of the crashes: > This operation appears to succeed? Then there's this: > > Feb 14 04:00:13 fosse slapd[12524]: conn=37859 op=806 MOD > dn="uid=vntruong,ou=user,dc=csupomona,dc=edu" Feb 14 04:00:13 fosse > slapd[12524]: conn=37859 op=806 MOD attr=csupomonaEduPersonExpiration Yeah, so this is the operation that actually failed... It'd be interesting to know if it succeeded in the primary DB, but failed when writing to the accesslog DB (I.e., the master and its consumers are now out of sync for that entry), or if the entire write op failed (master and consumers are in sync for the entry) > when I restarted the server. I guess I am confused; the entryCSN has > serverID 0, the ID of this server, so this isn't a replicated op, it's > an op from this server. So why does the backtrace show the change coming > in via syncrepl? It seems like it's getting applied twice. The change is > deleting the attribute, so the second time it's getting applied you > would get a no such attribute error... Hm, so I guess my question would be is it doing the op like this: dn: ... changetype: modify replace: csupomonaEduPersonExpiration csupomonaEduPersonExpiration: Or is it doing it like this: dn: ... changetype: modify delete: csupomonaEduPersonExpiration Because the NULL value seems to imply the former. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 4

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
by Quanah Gibson-Mount 02 Mar '17

02 Mar '17

--On Tuesday, February 14, 2017 5:04 PM -0800 "Paul B. Henson" <henson(a)acm.org> wrote: > On Tue, Feb 14, 2017 at 04:13:17PM -0800, Quanah Gibson-Mount wrote: > >> I have a test setup from a coworker who managed to trigger this to >> examine and see if I can push it into the test script. :) > > Cool, good to hear; it will be nice to track this down and quash it. I > don't know what it is about my environment that triggers it so often, > perhaps because we add/remove group members frequently. Hi Paul, In the ITS, you didn't provide your configuration -- I'm curious to see the order in which you load the overlays. In the initial report from Mark, he loads them in this order (on the primary data db): dynlist memberof syncprov accesslog So I'd like to know the order in which your overlays are loaded. Thanks, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 2

How correctly convert ldif dump size to mdb olcDbMaxSize value
by Ikonta 28 Feb '17

28 Feb '17

Hi everybody, I use simple OpenLDAP installation (two servers in mirror mode, something above 30000 leafs tree). Some time ago I've migrated it to mdb backend. The database dump in ldif weight about 300M. Initially I've set olcDbMaxSize to 2147483648 bytes (2G). Imported into directory it became about 450M data.mdb on node1 and after mirror synced — 1.5G replicated data.mdb on node2. Why instances database sizes are so different? Am I right guessing olcDbMaxSize is maximum size of data.mdb file? And how should I, starting with present and perspective ldif dump size, count proper value of olcDbMaxSize? For example, if I expect ldif dump may grow up to 500 M? WBR

1 0

Dynamic groups/lists
by Saša-Stjepan Bakša 27 Feb '17

27 Feb '17

Hi, I have access to LDAP server which doesn't have any groups defined. All users have only attributes which are used to distinguish to which type of users they belong and for application which I have intention to use groups are necessary. I don't have authority to change that but I can create my own LDAP proxy server and direct my application to it. Question is, can I create dynamic groups which will reside only on that proxy server. I am already familiar with translucent and ordinary proxy servers. Br Sasa

2 2

user removed from ldap group but Linux groups command still shows user as member of the group
by Bernard Fay 24 Feb '17

24 Feb '17

Hi, I removed a user from an LDAP group about a week ago. Today, this user still shows as member of the group with the Linux command groups. Also, the group (Administrators) appears twice in the output of the command id: uid=10000(username) gid=10000(Administrators) groups=10001(users),10005(devel),10011(video),10015(ansible),10000(Administrators) The command getent though shows the proper group assignation: getent group | grep username | cut -d: -f1 users devel video ansible All of those groups are LDAP group. Does someone knows why and would know how to fix this? Thanks,

5 14

Fwd: user removed from ldap group but Linux groups command still shows user as member of the group
by Bernard Fay 24 Feb '17

24 Feb '17

On Fri, Feb 24, 2017 at 9:08 AM, Dan White <dwhite(a)cafedemocracy.org> wrote: > On 02/24/17 08:55 -0500, Bernard Fay wrote: > >> I removed a user from an LDAP group about a week ago. Today, this user >> still shows as member of the group with the Linux command groups. Also, >> the >> group (Administrators) appears twice in the output of the command id: >> uid=10000(username) gid=10000(Administrators) >> groups=10001(users),10005(devel),10011(video),10015(ansible) >> ,10000(Administrators) >> >> The command getent though shows the proper group assignation: >> getent group | grep username | cut -d: -f1 >> users >> devel >> video >> ansible >> >> All of those groups are LDAP group. >> > > Is this from a long running shell? If so, start a new shell or > run newgrp. > > Otherwise, verify that it is not cached (such as with nscd), and trouble > shoot as an nss ldap problem. > > No, it is not from a long running shell. I logged out and logged back in since I remove this user from the group. By the way the group in question is Administrators. How can I verify it is not cached? My guess is that it is cached. I tried to use "nscd -i group" but that did not change anything.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2017