Hi,
I am trying to force users to change their password at first login or
after password reset by administrator.
Tried the following:
1) Password policy 'pwdMustChange TRUE' doesn't seem to be working, as none
of the users get prompted to change their password at first login.
2) Used the 'pwdReset TRUE' attribute in the user's attributes; it won't
prompt to change the password and didn't allow login.
I observe the messages below in the log:
"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are
restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0
text=Operations are restricted to bind/unbind/abandon/StartTLS/modify
password"
Please help me configure the option to force all users to change their
password at first login or after pwd reset by administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
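The err=50 responses in the log above are what slapd returns while pwdReset is TRUE: until the password is changed, the bound user may only bind, unbind, abandon, StartTLS or run the Password Modify extended operation (RFC 3062). The following is an added example, not code from the thread, that correlates such stats-level log lines per connection and lists accounts that were refused under pwdReset but never completed the password change; the log line shapes are modelled on slapd's stats logging and the DNs and connection numbers in the sample are constructed.

```python
import re
from collections import defaultdict

PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify extended operation
RESTRICTED = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password"

# Stats-level shapes: "conn=N op=M BIND dn=...", "[SEARCH ]RESULT ... err=...", "EXT oid=..." / "RESULT oid= err=..."
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
ERR50_RE = re.compile(r"conn=(\d+) op=\d+ (?:SEARCH )?RESULT .*err=50 .*text=" + re.escape(RESTRICTED))
EXT_RE = re.compile(r"conn=(\d+) op=(\d+) EXT oid=" + re.escape(PASSMOD_OID))
EXT_RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT oid= err=(\d+)")

def triage(lines):
    """Per connection refused under pwdReset: bound DN, number of err=50 refusals, Password Modify outcome."""
    bound_dn = {}
    state = defaultdict(lambda: {"dn": None, "restricted": 0, "passmod": None})
    pending = set()  # (conn, op) of Password Modify requests still awaiting their RESULT line
    for line in lines:
        if m := BIND_RE.search(line):
            bound_dn[m[1]] = m[2]
        elif m := ERR50_RE.search(line):
            state[m[1]]["dn"] = bound_dn.get(m[1])
            state[m[1]]["restricted"] += 1
        elif m := EXT_RE.search(line):
            pending.add((m[1], m[2]))
        elif (m := EXT_RESULT_RE.search(line)) and (m[1], m[2]) in pending:
            state[m[1]]["dn"] = bound_dn.get(m[1])
            state[m[1]]["passmod"] = "ok" if m[3] == "0" else f"err={m[3]}"
    return {conn: s for conn, s in state.items() if s["restricted"]}

def still_pending(lines):
    """Sorted DNs that were refused under pwdReset and never completed the password change."""
    return sorted(s["dn"] or f"conn={c}" for c, s in triage(lines).items() if s["passmod"] != "ok")

# Constructed sample in the format of the thread's log lines (DNs are made up):
# conn=1053 gives up after the refusal, conn=1054 changes its password and then succeeds.
SAMPLE_LOG = """\
conn=1053 op=0 BIND dn="uid=raj,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1053 op=0 RESULT tag=97 err=0 text=
conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
conn=1053 op=2 UNBIND
conn=1054 op=0 BIND dn="uid=ram,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1054 op=0 RESULT tag=97 err=0 text=
conn=1054 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
conn=1054 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1054 op=2 PASSMOD id="uid=ram,ou=people,dc=example,dc=com" new
conn=1054 op=2 RESULT oid= err=0 text=
conn=1054 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
""".splitlines()
```

Running `still_pending(SAMPLE_LOG)` on the sample reports only the first DN, the one that disconnected without issuing the Password Modify operation.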
--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio
Morais <matheus_morais(a)sicredi.com.br> wrote:
> Issue 8559 opened.
>
> I'm trying to work on a patch but I'm not sure if the best solution is to
> fix accesslog to avoid duplicated values or if the sample LDIF (in its
> description) should result in a constraint violation. What do you think?
The accesslog should never write an operation that can't be replicated. If
the MOD is a valid LDAP operation (which I think it is), then it should be
accepted at the frontend. The issue may be more in delta-syncrepl's
handling of the write op than anything else.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
--On Friday, September 15, 2017 9:18 AM -0700 Ryan Tandy <ryan(a)nardis.ca>
wrote:
> IIRC slapcat doesn't work in this case, because it fails to initialize
> the ppolicy module.
>
> The linked CentOS and RHEL bugs recommend downgrading slapd to the
> previously working version and using ldapmodify.
Yeah, that's ugly :/ Another reason we really need to get slapmodify out,
and some way to execute it with an option to not load modules or similar.
--Quanah
--On Thursday, September 21, 2017 9:59 PM -0700 "Paul B. Henson"
<henson(a)acm.org> wrote:
> It seems there are updates for that group coming from rid 002
> (egeria.ldap.cpp.edu) and 003 (minerva.ldap.cpp.edu), but none from rid
> 001 (themis.ldap.cpp.edu) which is serverid 4, where the change was
> actually made?
Oh, I thought you had said you only had two masters. This could well be
ITS#8444 (ignore the ITS title, it has nothing to do with memberOf), where
there are out of sync problems with 3+ MMR nodes and delta-syncrepl when
syncprov checkpoints.
--Quanah
Hello list,
Just a newbie question: I try to create a simple addressbook in LDAP and
I just wondered why there is no country attribute in the standard
structure:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
Just an "st" attribute, but this should not be used for a country AFAIK.
Is there an easy way to add the country or friendlyCountryName as a MAY
attribute without having to create my own objectClass?
R.
--
richard lucassen
http://contact.xaq.nl/
What is the current OLC way to replace the nis schema with the
rfc2307bis schema?
There are hacks published, but I couldn't find a document that takes
advantage of OLC, removes the nis schema, and installs the rfc2307bis
schema. It feels like something that I would do often enough that I
would want to be able to do it in one ldapmodify operation.
There is a problem. There wasn't delete support in OLC 2.4 in 2012, per
http://www.openldap.org/lists/openldap-technical/201204/msg00245.html.
OLC does support delete in 2.5 as of 2013:
https://www.slideshare.net/ldapcon/whats-new-in-openldap.
Since that has been established, what is the least hacky way to replace
the nis schema with the rfc2307bis schema in 2.4?
--On Friday, September 29, 2017 2:50 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
> Quanah,
>
> Yes that is the plan but till I moved to latest version with mdb, I have
> to live with it. Regarding upgrading to latest with mdb, how can I
> migrate from hdb to mdb without downtime? Can I add latest openldap with
> mdb as replica to existing older/hdb instance?
Yes, you can have an mdb-based server that is a replica from an existing
back-hdb server.
--Quanah
Quanah,
Yes that is the plan but till I moved to latest version with mdb, I have to
live with it. Regarding upgrading to latest with mdb, how can I migrate
from hdb to mdb without downtime? Can I add latest openldap with mdb as
replica to existing older/hdb instance?
Thanks for all your suggestions
Ram
On Fri, Sep 29, 2017 at 1:38 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Friday, September 29, 2017 2:31 PM -0700 rammohan ganapavarapu <
> rammohanganap(a)gmail.com> wrote:
>
>> Quanah,
>>
>> Sorry I was searching for one attribute, I have close to 80mil entries.
>
> Then these settings may be too low:
>
> cachesize 100000
> idlcachesize 300000
>
> Essentially, cachesize needs to hold your working set of data (active
> entries). So this is saying slapd will only cache 100,000 active entries.
> It will then be removing/adding entries in blocks of one (cachefree
> defaults to 1 if not set). idlcachesize generally is 3x cachesize.
>
> If your active set is > 100,000 users, then you need to increase the
> cachesize and idlcachesize parameters accordingly. You may also need to
> increase cachefree from its default of "1".
>
> Overall, you would likely be much better served to switch to back-mdb,
> where you do not have to set any of these parameters at all.
>
> --Quanah
--On Friday, September 29, 2017 5:03 PM -0400 Robert Heller
<heller(a)deepsoft.com> wrote:
> At Fri, 29 Sep 2017 10:29:11 -0700 Quanah Gibson-Mount <quanah(a)symas.com>
> wrote:
>
>> --On Friday, September 29, 2017 2:17 PM -0400 Robert Heller
>> <heller(a)deepsoft.com> wrote:
>>
>> > Signature Algorithm: sha1WithRSAEncryption
>>
>> The above is probably your problem. I believe MozNSS will no longer
>> accept SHA1 certs. This was in the link I sent you yesterday.
>> Generate a more secure cert (I.e., SHA256 or higher).
>
> I replaced the certs with SHA256 versions and it is still not working:
You need logs from SSSD detailing why it is failing to negotiate. As you
noted before, ldapsearch/ldapwhoami etc work for you. If that is still the
case now with your new certs, you will need to pursue support with RedHat,
as this clearly is not an OpenLDAP issue. Sorry I can't be of any more
help than that.
Regards,
Quanah
--On Friday, September 29, 2017 2:31 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
> Quanah,
>
> Sorry I was searching for one attribute, I have close to 80mil entries.
Then these settings may be too low:
cachesize 100000
idlcachesize 300000
Essentially, cachesize needs to hold your working set of data (active
entries). So this is saying slapd will only cache 100,000 active entries.
It will then be removing/adding entries in blocks of one (cachefree
defaults to 1 if not set). idlcachesize generally is 3x cachesize.
If your active set is > 100,000 users, then you need to increase the
cachesize and idlcachesize parameters accordingly. You may also need to
increase cachefree from its default of "1".
Overall, you would likely be much better served to switch to back-mdb,
where you do not have to set any of these parameters at all.
--Quanah