Problem with "force user to password reset at first login
by Rajagopal Rc
Hi,
I am trying to force users to change their password at first login or
after
password reset by administrator.
Tried following:
1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non
of the
users get prompt to change their password at first login.
2) used the 'pwdReset TRUE' attribute in users attributes, and it won't
prompt
to change the password and didn't allow to login
i observe below messages in log
"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are
restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0
text=Operations are restricted to bind/unbind/abandon/StartTLS/modify
password"
Please help me configure the option to force all users to change their
password
at first login or after pwd reset by administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you
1 month
Re: Syncrepl and multipe values
by Quanah Gibson-Mount
--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio
Morais <matheus_morais(a)sicredi.com.br> wrote:
>
>
>
> Issue 8559 opened.
>
>
>
> I'm trying to work on a patch but I'm not sure if the best solution is to
> fix accesslog to avoid duplicated values or if the sample LDIF (in its
> description) should result in a constraint violation. What do you think?
The accesslog should never write an operation that can't be replicated. If
the MOD is a valid LDAP operation (which I think it is), then it should be
accepted at the frontend. The issue may be more in delta-syncrepl's
handling of the write op than anything else.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 9 months
Re: Upgrade from 2.4.40 to 2.4.44
by Quanah Gibson-Mount
--On Friday, September 15, 2017 9:18 AM -0700 Ryan Tandy <ryan(a)nardis.ca>
wrote:
> IIRC slapcat doesn't work in this case, because it fails to initialize
> the ppolicy module.
>
> The linked CentOS and RHEL bugs recommend downgrading slapd to the
> previously working version and using ldapmodify.
Yeah, that's ugly :/ Another reason we really need to get slapmodify out,
and some way to execute it with an option to not load modules or similar.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 1 month
Re: slapd: null_callback : error code 0x14
by Quanah Gibson-Mount
--On Thursday, September 21, 2017 9:59 PM -0700 "Paul B. Henson"
<henson(a)acm.org> wrote:
> It seems there are updates for that group coming from rid 002
> (egeria.ldap.cpp.edu) and 003 (minerva.ldap.cpp.edu), but none from rid
> 001 (themis.ldap.cpp.edu) which is serverid 4, where the change was
> actually made?
Oh, I thought you had said you only had two masters. This could well be
ITS#8444 (ignore the ITS title, it has nothing to do with memberOf), where
there are out of sync problems with 3+ MMR nodes and delta-syncrepl when
syncprov checkpoints.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 1 month
country attribute
by richard lucassen
Hello list,
Just a newbie question: I try to create a simple addressbook in LDAP and
I just wondered why there is no country attribute in the standard
structure:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
Just an "st" attribute, but this should not be used for a country AFAIK.
Is there an easy way to add the country or friendlyCountryName as a MAY
attribute without having to create my own objectClass?
R.
--
richard lucassen
http://contact.xaq.nl/
6 years, 2 months
What is the current OLC way to replace the nis schema with the rfc2307bis schema?
by John Lewis
What is the current OLC way to replace the nis schema with the
rfc2307bis schema?
There are hacks published, but I couldn't find a document that takes
advantage of OLC, removes the nis schema, and installs the rfc2307bis
schema. It feels like something that I would do often enough that I
would want to be able to do it one ldapmodify operation.
There is a problem. There wasn't delete support in OLC 2.4 2012 in http
://www.openldap.org/lists/openldap-technical/201204/msg00245.html.
OLC does support delete in 2.5 as of 2013 https://www.slideshare.net/ld
apcon/whats-new-in-openldap.
Since that has been established, what is the least hacky way to replace
the nis schema with the rfc2307bis schema in 2.4?
6 years, 2 months
Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by Quanah Gibson-Mount
--On Friday, September 29, 2017 2:50 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
>
> Quanah,
>
>
> Yes that is the plan but till i moved to latest version with mdb, i have
> to live with it. Regarding upgrading to latest with mdb, how can i
> migrate from hdb to mdb with out downtime? can i add latest openldap with
> mdb as replica to existing older/hdb instance?
Yes, you can have an mdb-based server that is a replica from an existing
back-hdb server.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 2 months
Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by rammohan ganapavarapu
Quanah,
Yes that is the plan but till i moved to latest version with mdb, i have to
live with it. Regarding upgrading to latest with mdb, how can i migrate
from hdb to mdb with out downtime? can i add latest openldap with mdb as
replica to existing older/hdb instance?
Thanks for all you suggestions
Ram
On Fri, Sep 29, 2017 at 1:38 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Friday, September 29, 2017 2:31 PM -0700 rammohan ganapavarapu <
> rammohanganap(a)gmail.com> wrote:
>
>
>> Quanah,
>>
>>
>> Sorry i was searching for one attribute, i have close to 80mil entries.
>>
>
> Then these settings may be too low:
>
> cachesize 100000
> idlcachesize 300000
>
> Essentally, cachesize needs to hold your working set of data (active
> entries). So this is saying slapd will only cache 100,000 active entries.
> It will then be removing/adding entries in blocks of one (cachefree
> defaults to 1 if not set). idlcachesize generally is 3x cachesize.
>
> If your active set is > 100,000 users, then you need to increase the
> cachesize and idlcachesize parameters accordingly. You may also need to
> increase cachefree from its default of "1".
>
> Overall, you would likely be much better served to switch to back-mdb,
> where you do not have to set any of these parameters at all.
>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
6 years, 2 months
Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
by Quanah Gibson-Mount
--On Friday, September 29, 2017 5:03 PM -0400 Robert Heller
<heller(a)deepsoft.com> wrote:
> At Fri, 29 Sep 2017 10:29:11 -0700 Quanah Gibson-Mount <quanah(a)symas.com>
> wrote:
>
>>
>> --On Friday, September 29, 2017 2:17 PM -0400 Robert Heller
>> <heller(a)deepsoft.com> wrote:
>>
>> > Signature Algorithm: sha1WithRSAEncryption
>>
>> The above is probably your problem. I believe MozNSS will no longer
>> accept SHA1 certs. This was in the link I sent you yesterday.
>> Generate a more secure cert (I.e., SHA256 or higher).
>
> I replaced the certs with SHA256 versions and it is still not working:
You need logs from SSSD detailing why it is failing to negotiate. As you
noted before, ldapsearch/ldapwhoami etc work for you. If that is still the
case now with your new certs, you will need to pursue support with RedHat,
as this clearly is not an OpenLDAP issue. Sorry I can't be of any more
help than that.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 2 months
Re: Openldap periodic cpu spikes in one of the servers in two node MMR
by Quanah Gibson-Mount
--On Friday, September 29, 2017 2:31 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
>
> Quanah,
>
>
> Sorry i was searching for one attribute, i have close to 80mil entries.
Then these settings may be too low:
cachesize 100000
idlcachesize 300000
Essentally, cachesize needs to hold your working set of data (active
entries). So this is saying slapd will only cache 100,000 active entries.
It will then be removing/adding entries in blocks of one (cachefree
defaults to 1 if not set). idlcachesize generally is 3x cachesize.
If your active set is > 100,000 users, then you need to increase the
cachesize and idlcachesize parameters accordingly. You may also need to
increase cachefree from its default of "1".
Overall, you would likely be much better served to switch to back-mdb,
where you do not have to set any of these parameters at all.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 2 months
