openldap-technical April 2017

openldap-technical@openldap.org

27 participants
45 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Re: Syncrepl and multipe values
by Quanah Gibson-Mount 24 Feb '18

24 Feb '18

--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio Morais <matheus_morais(a)sicredi.com.br> wrote: > > > > Issue 8559 opened. > > > > I'm trying to work on a patch but I'm not sure if the best solution is to > fix accesslog to avoid duplicated values or if the sample LDIF (in its > description) should result in a constraint violation. What do you think? The accesslog should never write an operation that can't be replicated. If the MOD is a valid LDAP operation (which I think it is), then it should be accepted at the frontend. The issue may be more in delta-syncrepl's handling of the write op than anything else. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 3

How to enable memberOf overlay with posixGroup?
by MegaBrutal 16 Aug '17

16 Aug '17

Hi all, I've spent days trying to figure out how could I enable the memberOf overlay, and it doesn't seem to be easy for an LDAP-noob. I've read like 50+ tutorials which didn't help me get it working. Use case: I want to have 2 main groups which control access to different services on my network. A "unixusers" which is a minimum to log in to Linux servers (having a hostObject entry for the user is another requirement, which is irrelevant to this question, as I already solved that problem); and a "cloudusers" group which enables log in to my ownCloud instance. The groups should enforce the following rules: – Only users in "cloudusers" should be allowed to log in to ownCloud. – Users in "unixusers" are allowed to log in to a set of Linux servers controlled by "host" (hostObject) entries. – Users not in the "unixusers" group may not log in to any Linux systems, even if they have "host" entries. Problems: – ownCloud complains that the memberOf overlay is not enabled, hence it doesn't let me restrict access to the "cloudusers" group. It would allow any users regardless of any group memberships, which is not acceptable. – I have a similar problem on Linux with PAM: I can't really get it to consider "unixusers" membership for user logins, although I got the "host" entries working correctly, so at least I can already restrict access with that. My guess is that it all boils down to the lack of memberOf overlay. I also figured that memberOf would need groupOfNames groups, while I need posixGroup type groups. I evaluated the possibility to use groupOfNames, but it lacks the necessary gidNumber attribute which is a requirement for Unix groups. But anyway, I can't enable memberOf even for groupOfNames. I can't enable memberOf by any means. My OpenLDAP uses the new configuration method and it completely ignores slapd.conf, so the config must be injected with ldapadd to cn=config. Could you please help me with this? Regards, MegaBrutal

5 6

[Q] "selective" ACL
by Zeus Panchenko 26 Jul '17

26 Jul '17

hi, I'm trying to configure a not complex (as I believe) ACL ... but have some difficulties I have two posixGroup groups cn=admins,ou=group,dc=foo cn=coadmins,ou=group,dc=foo my users resides in ou=People,dc=foo so, in subtree ou=People,dc=foo I need to allow anything to admins (and it is not difficult of course) for example this works for me: access to dn.subtree="ou=People,dc=foo" by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage by self write by users read by * break but in addition I need to allow my coadmins to do the same things except manipulations upon the objects which belong to admins ( ...anyobject,uid=adminuser,ou=People,dc=foo ) so, the question is: how? (if it is possible at all) :( please, advise -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)

2 2

Re: chain overlay does an anonymous bind and ignores the chain binddn (v2.4.44)
by Howard Chu 05 May '17

05 May '17

mailing lists wrote: > Hello, > > I am testing the chain overlay from a read-only slave (consumer) slapd server > to a read-write master (provider), but what I am seeing is an anonymous bind > from the consumer to the provider instead of the authorization identity > configurated in the chain directive. Have you successfully run test032 in the test suite? Have you compared your config to the config used in that test? > > afaik, the bind dn in the provider must be the chain binddn configured in the > consumer, but it gets an anonymous bind. > > > any suggestion about what can be my mistake?? > > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 2

Unable to load the lastbind module with 2.4.44 (custom build)
by mailing lists 05 May '17

05 May '17

Hello all, What I'm trying to do is enable the lastbind module in a centos7 server, so I applied this patch to the rpmbuild process: # cat /root/rpmbuild/SOURCES/openldap-lastbind-overlay.patch --- a/servers/slapd/overlays/Makefile.in 2017-04-12 12:14:46.617978071 +0100 +++ b/servers/slapd/overlays/Makefile.in 2017-04-12 12:21:12.569292484 +0100 @@ -36,6 +36,7 @@ valsort.c \ smbk5pwd.c \ allop.c \ + lastbind.c \ sha2.c slapd-sha2.c OBJS = statover.o \ @SLAPD_STATIC_OVERLAYS@ \ @@ -56,7 +57,7 @@ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) LIBRARY = ../liboverlays.a -PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la +PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la lastbind.la XINCPATH = -I.. -I$(srcdir)/.. XDEFS = $(MODULES_CPPFLAGS) @@ -140,6 +141,12 @@ allop.la : allop.lo $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) +lastbind.lo : lastbind.c + $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< + +lastbind.la : lastbind.lo + $(LTLINK_MOD) -module -o $@ lastbind.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) + sha2.lo : sha2.c $(LTCOMPILE_MOD) $< the resulting package contains the module: # rpm -qpl /root/rpmbuild/RPMS/x86_64/openldap-servers-2.4.44-1.x86_64.rpm | grep lastbind /usr/lib64/openldap/lastbind-2.4.so.2 /usr/lib64/openldap/lastbind-2.4.so.2.10.7 /usr/lib64/openldap/lastbind.la /usr/share/man/man5/slapo-lastbind.5.gz but a configuration file as simple as the following one, fails to load: # cat test.conf modulepath /usr/lib64/openldap/ moduleload back_bdb.la moduleload back_hdb.la moduleload back_ldap.la moduleload unique.la moduleload ppolicy.la moduleload dynlist.la moduleload memberof.la moduleload syncprov.la moduleload accesslog.la moduleload lastbind.la moduleload auditlog.la # slaptest -d -1 -f ./test.conf 58ee0ebd slaptest init: initiated tool. 58ee0ebd slap_sasl_init: initialized! 58ee0ebd bdb_back_initialize: initialize BDB backend 58ee0ebd bdb_back_initialize: Berkeley DB 5.3.21: (May 11, 2012) 58ee0ebd hdb_back_initialize: initialize HDB backend 58ee0ebd hdb_back_initialize: Berkeley DB 5.3.21: (May 11, 2012) 58ee0ebd mdb_back_initialize: initialize MDB backend 58ee0ebd mdb_back_initialize: LMDB 0.9.18: (February 5, 2016) 58ee0ebd reading config file ./test.conf 58ee0ebd ./test.conf: line 1 (modulepath /usr/lib64/openldap/) 58ee0ebd ./test.conf: line 2 (moduleload back_bdb.la) 58ee0ebd module_load: (back_bdb.la) already present (static) 58ee0ebd ./test.conf: line 3 (moduleload back_hdb.la) 58ee0ebd module_load: (back_hdb.la) already present (static) 58ee0ebd ./test.conf: line 4 (moduleload back_ldap.la) 58ee0ebd loaded module back_ldap.la 58ee0ebd module back_ldap.la: null module registered 58ee0ebd ./test.conf: line 5 (moduleload unique.la) 58ee0ebd loaded module unique.la 58ee0ebd module unique.la: null module registered 58ee0ebd ./test.conf: line 6 (moduleload ppolicy.la) 58ee0ebd loaded module ppolicy.la 58ee0ebd module ppolicy.la: null module registered 58ee0ebd ./test.conf: line 7 (moduleload dynlist.la) 58ee0ebd loaded module dynlist.la 58ee0ebd module dynlist.la: null module registered 58ee0ebd ./test.conf: line 8 (moduleload memberof.la) 58ee0ebd loaded module memberof.la 58ee0ebd module memberof.la: null module registered 58ee0ebd ./test.conf: line 9 (moduleload syncprov.la) 58ee0ebd loaded module syncprov.la 58ee0ebd module syncprov.la: null module registered 58ee0ebd ./test.conf: line 10 (moduleload accesslog.la) 58ee0ebd loaded module accesslog.la 58ee0ebd module accesslog.la: null module registered 58ee0ebd ./test.conf: line 11 (moduleload lastbind.la) 58ee0ebd loaded module lastbind.la 58ee0ebd module lastbind.la: init_module() failed 58ee0ebd ./test.conf: line 11: <moduleload> handler exited with 1! slaptest: bad configuration file! any idea about where I make the mistake?

2 2

password change interception overlay
by Michael Ströder 02 May '17

02 May '17

HI! Does anybody know a publicly available overlay which intercepts userPassword changes and grabs the new password for password syncing? Ciao, Michael.

2 2

Re: Multi Master replication with many 'nonpresent_callback' lines
by Quanah Gibson-Mount 02 May '17

02 May '17

--On Sunday, April 23, 2017 12:38 AM +0000 Jesper Grøndahl <grondahl(a)ruc.dk> wrote: > Our log level is stats and sync. > > The logs look like this, for the user being modified > ----- > nonpresent_callback: rid=005 present UUID > 528929d6-acaa-1036-922a-a3f5c9285d9d, dn uid=xxx,ou=users,dc=ruc,dc=dk > Entry uid=xxx,ou=users,dc=ruc,dc=dk CSN > 20170406140323.504919Z#000000#002#000000 greater than snapshot > 20170403102309.253881Z#000000#002#000000 It would appear you have serious issues with your installation, since the CSNs are off by 3 days. I would note that 2.4.40 is not stable for MMR as well. I would ensure you aren't suffering from clock skew across your servers, and upgrade to the current OpenLDAP release as well. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

detect LDAPI support
by Michael Ströder 27 Apr '17

27 Apr '17

HI! Is there an reliable way to detect whether LDAPI support is enabled in the OpenLDAP build on a particular platform? I vaguely remember the developer discussions about disabling LDAPI on platforms where the peer credentials are not secure. Background: I'd like to detect with python-ldap whether to enable LDAPI in automatic testing or not. Ciao, Michael.

2 2

test program for ldap_int_sasl_init issue
by Ryan Tandy 26 Apr '17

26 Apr '17

I'm looking into a Debian bug report: https://bugs.debian.org/860947 ldap_int_sasl_init says: /* XXX not threadsafe */ static int sasl_initialized = 0; I'm not yet sure whether it's the cause of that report, but it does seem to be problematic. I'm seeing spurious "no such mechanism" results and/or crashes in mutiple environments performing SASL binds in parallel: - slapd with multiple syncrepl clients all using SASL binds, - the ldclt tool from the 389-ds project, and - the test program I'm about to describe below. I wrote a test program for this issue, and I'd like to ask the list to check the code before I submit an ITS, in case I've made a mistake that renders my test invalid. gcc -g sasltest.c -pthread -llber -lldap -lsasl2 -DSASL As I understand it, -lldap_r should not be needed here since each thread creates its own LDAP instance. (It doesn't seem to change the results, anyway.) Built without -DSASL, it uses simple binds, and appears to work fine, but again, I'm not confident my code is correct. Thanks! Ryan

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2017