openldap-technical June 2017

openldap-technical@openldap.org

34 participants
69 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Re: Syncrepl and multipe values
by Quanah Gibson-Mount 24 Feb '18

24 Feb '18

--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio Morais <matheus_morais(a)sicredi.com.br> wrote: > > > > Issue 8559 opened. > > > > I'm trying to work on a patch but I'm not sure if the best solution is to > fix accesslog to avoid duplicated values or if the sample LDIF (in its > description) should result in a constraint violation. What do you think? The accesslog should never write an operation that can't be replicated. If the MOD is a valid LDAP operation (which I think it is), then it should be accepted at the frontend. The issue may be more in delta-syncrepl's handling of the write op than anything else. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 3

How to enable memberOf overlay with posixGroup?
by MegaBrutal 16 Aug '17

16 Aug '17

Hi all, I've spent days trying to figure out how could I enable the memberOf overlay, and it doesn't seem to be easy for an LDAP-noob. I've read like 50+ tutorials which didn't help me get it working. Use case: I want to have 2 main groups which control access to different services on my network. A "unixusers" which is a minimum to log in to Linux servers (having a hostObject entry for the user is another requirement, which is irrelevant to this question, as I already solved that problem); and a "cloudusers" group which enables log in to my ownCloud instance. The groups should enforce the following rules: – Only users in "cloudusers" should be allowed to log in to ownCloud. – Users in "unixusers" are allowed to log in to a set of Linux servers controlled by "host" (hostObject) entries. – Users not in the "unixusers" group may not log in to any Linux systems, even if they have "host" entries. Problems: – ownCloud complains that the memberOf overlay is not enabled, hence it doesn't let me restrict access to the "cloudusers" group. It would allow any users regardless of any group memberships, which is not acceptable. – I have a similar problem on Linux with PAM: I can't really get it to consider "unixusers" membership for user logins, although I got the "host" entries working correctly, so at least I can already restrict access with that. My guess is that it all boils down to the lack of memberOf overlay. I also figured that memberOf would need groupOfNames groups, while I need posixGroup type groups. I evaluated the possibility to use groupOfNames, but it lacks the necessary gidNumber attribute which is a requirement for Unix groups. But anyway, I can't enable memberOf even for groupOfNames. I can't enable memberOf by any means. My OpenLDAP uses the new configuration method and it completely ignores slapd.conf, so the config must be injected with ldapadd to cn=config. Could you please help me with this? Regards, MegaBrutal

5 6

Re: problem with syncrepl and STARTTLS
by Quanah Gibson-Mount 09 Aug '17

09 Aug '17

--On Friday, June 02, 2017 11:01 AM +0200 r0m5 <r0m5(a)r0m5.eu> wrote: > > Hello, > > I am facing an issue with syncrepl and STARTTLS on 389 port. The kind of > problem happening only sometimes, and disappearing "by itself". I use > Debian Jessie, OpenLDAP 2.4.40+dfsg-1+deb8u2. 2.4.40 is 2.5 years old, 5 point releases behind, and had significant known replication issues. I believe there is a build of 2.4.44 in backports for Jessie. I would advise using that instead. As far as debug logging, you would need to use "-d -1" to slapd, rather than attempting to set the loglevel to -1, as some debug logging is only possible via the slapd daemon. But your first step is to move to a current release. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

4 6

Re: mdb_dbi_open and threads
by Howard Chu 03 Aug '17

03 Aug '17

Hallvard Breien Furuseth wrote: > On 22. mai 2017 14:00, Howard Chu wrote: >> Muhammed Muneer wrote: >>> Hallvard wrote >> >>> "With threads 1 and 2 coexisting? When thread 2 called mdb_dbi_open(), >>> thread 1's prospect of using mdb_dbi_open() at all was lost." >>> >>> Yeah with both coexisting. Thats what I thought. > > Sorry, I should have said with _transactions_ #1 and #2 coexisting, > _transaction_ #1's prospect of using mdb_dbi_open() at all was lost. > Transaction #3 in thread #1 can use it if it stared after txn#2 ended. > > Anyway, just forget about being clever with DBIs. LMDB does not support > DBI cleverness, that's one of its trade-offs for speed and simplicity. Exactly. >> If you want to use dbi_open in multiple threads then put it in your own >> wrapper function, protected by a mutex. > > Wait, what? mdb_dbi_open() isn't coded to handle concurrent txns > calling it, regardless of any mutexes the caller has. In particular, > it does not use nor update the environment's numdbs, so the two > transactions could end up creating the same DBI for different DBs. Yes. This is only safe if you also close the dbi in the same txn that opened it. Which you are probably doing, if you are opening and closing on the fly. > >> Naturally you will also have to wrap dbi_close the same way. > > If we did support this, txn_commit() of the txn which used dbi_open() > would also need the mutex. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3 4

Re: [Q] can I replicate several branches to the same slave from one master?
by Quanah Gibson-Mount 27 Jul '17

27 Jul '17

--On Friday, June 30, 2017 8:32 AM +0300 Zeus Panchenko <zeus(a)ibs.dn.ua> wrote: >> And what does the master say? >> > > same thing: > > slapd[38004]: conn=30116 op=3 SEARCH RESULT tag=101 err=53 nentries=0 > text=consumer state is newer than provider! It sounds like your replica was not configured correctly initially and self-generated its own CSN that is newer than the one on the provider. It would be interesting to make a modification on the provider so that its CSN is updated (and thus has one newer than on the consumer). --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

[Q] "selective" ACL
by Zeus Panchenko 26 Jul '17

26 Jul '17

hi, I'm trying to configure a not complex (as I believe) ACL ... but have some difficulties I have two posixGroup groups cn=admins,ou=group,dc=foo cn=coadmins,ou=group,dc=foo my users resides in ou=People,dc=foo so, in subtree ou=People,dc=foo I need to allow anything to admins (and it is not difficult of course) for example this works for me: access to dn.subtree="ou=People,dc=foo" by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage by self write by users read by * break but in addition I need to allow my coadmins to do the same things except manipulations upon the objects which belong to admins ( ...anyobject,uid=adminuser,ou=People,dc=foo ) so, the question is: how? (if it is possible at all) :( please, advise -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)

2 2

EXOPs for PHP LDAP
by Côme Chilliet 21 Jul '17

21 Jul '17

Hello, I’m currently working on a PHP RFC to add EXOP handling to php-ldap. The draft is here: https://wiki.php.net/rfc/ldap_exop You are welcome to comment on any aspect of the RFC, but I would especially want to know: - Which are the EXOPs actually used by people out there? - Is there any EXOP using the responseName field? In the RFCs I read there is always something like «an ExtendedResponse where the responseName field is absent» or «The responseName field contains the same string as that present in the request.» Côme

2 7

Re: Elliptic Curve support in 2.4 branch
by Howard Chu 14 Jul '17

14 Jul '17

Abdelkader Chelouah wrote: > Elliptic Curve support for OpenSSL was added in master branch 4 years ago > (ITS#7595). Is there any plan to backport EC support for OpenSSL in 2.4 branch ? OpenLDAP 2.4 is feature-frozen. All new features are 2.5 only. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3 2

Re: Deleting old replicas on consumer?
by Quanah Gibson-Mount 10 Jul '17

10 Jul '17

--On Friday, June 30, 2017 2:44 PM -0400 Prentice Bisbal <pbisbal(a)pppl.gov> wrote: > If I delete a replication consumer, do I need to delete any > replication-related data for that consumer's replication on the producer? > If so, how? If you're talking about pure consumers (not multi-master consumers), there's nothing to do, as there's nothing stored on the provider. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2017