openldap-technical March 2018

openldap-technical@openldap.org

25 participants
28 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Fixing slapo-nops (ITS#8759)
by manu＠netbsd.org 06 Jul '18

06 Jul '18

Hello Following ITS#8759, I am looking for ideas about how to fix slapo-nops. This overlays suppress nilpotent operations that replace an attribute values by the same values. The code is in contrib/slapd-modules/nops/nops.c The problem is that slapo-nops assumes it can free the nilpotent struct Modifications after removing them from the list, but for instande slapo-memberof uses struct Modifications allocated on the stack. Not freeing in slapo-nops is not a fix, since unlinked struct Modifications will not be freed anywhere else, and we will get a memory leak. Would it make sense to add a SLAP_MOD_ONSTACK flag in struct Modification's sm_flags so that we can tell the difference? Any other idea? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

2 1

Syncrepl replication from multi-master OpenLDAP
by Simon ELBAZ 29 Mar '18

29 Mar '18

Hi, I am trying to setup data and cn=config replication on a syncrepl slave from an OpenLDAP multi-master. The replication is fine (data and config replicate). However, I want to override olcSyncrepl attributes on the syncrepl replica (particularly the provider value to use an IP address reachable from outside the multi-master LAN). I have tried exattrs=olcSyncrepl but as mentionned in (https://www.openldap.org/lists/openldap-technical/201508/msg00124.html), the olcSyncrepl attribute gets wiped: dn: olcDatabase={1}mdb,cn=config ..... olcSyncrepl: {0}rid=006 provider=ldap://<IP address> binddn="******" bindmethod=simple credentials="*****" searchbase="*****" type=refreshAndPersist interval=0 0:00:00:10 retry="5 5 300 5" timeout=1 Is there a way to achieve the overriding of olcSyncrepl attribute on the syncrepl server ? Thanks for your help Simon Elbaz

2 1

Re: openLDAP: LDAP and LDAP over TLS support at same time
by GOKUL G 28 Mar '18

28 Mar '18

Hi Quanah, Thanks for the response. Earlier, we tried to do a normal ldapsearch with a library compiled with HAVE_TLS, but what we got in the wireshark trace was ldap message over SSL without any encryption, instead of plain LDAP. So we thought it was not possible to get plain LDAP with library compiled with HAVE_TLS. As you said, we have missed out on something or probably misunderstood the APIs. I will try your suggestions. Thanks once again for your support. Regards, G Gokul On Thu, Mar 29, 2018 at 2:05 AM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Wednesday, March 28, 2018 10:29 PM +0100 Raf Czlonka < > rczlonka(a)gmail.com> wrote: > ^^^ > >> Hi Quanah, >> >> You obviously meant 636, right[0]? >> > > Heh, yes, 636. ;) > > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

1 0

openLDAP: LDAP and LDAP over TLS support at same time
by GOKUL G 28 Mar '18

28 Mar '18

Hi Team, We are developing a LDAP client in our application. For this we are using openLDAP software. One of our requirement is to support either LDAP or LDAPS (LDAP/TLS) , based on the end-user input at runtime. So, in our application we should have support for both LDAP & LDAPS APIs and we would be calling LDAPS API (ldap_tls_start_s) based on this runtime configuration or else normal LDAP API would be called. ISSUE: We are able to integrate openLDAP with our application and achieve LDAP or LDAP/TLS requirement separately. Since, the support for TLS in openLDAP is macro controlled (HAVE_TLS), at compile time itself its decided whether LDAP or LDAPs . And we are not able to take this decision at run-time. If we compile openLDAP software with HAVE_TLS and use it for normal ldapsearch, this ldap command is seen in trace as ldap message over SSL without any encryption. But not as normal LDAP message. So, we understand to achieve our requirement, we would either be required to change the macro control of TLS to run-time control in the openLDAP code. (But we are feeling not to do this for maintainability purpose) (or) Try to use 2 openLDAP libraries, one compiled with HAVE_TLS and another without HAVE_TLS. And take care in application side to call the respective API without causing any resolution issue. Can you please suggest whether there is any other approach currently available in openLDAP to support both LDAP and LDAP/TLS at the sametime. Regards, G Gokul

3 4

Re: slapadd not adding some of the roleoccupent entries
by Quanah Gibson-Mount 26 Mar '18

26 Mar '18

--On Monday, March 26, 2018 9:16 AM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > When i try to import using slapadd -f hdb.ldif, some of the entries in > sysadmin role are not getting import, not sure what should be the reason. > Actually hdb backend to hdb backend import also same behaviour if i > pre-create with above root schema and keep the other server in cluster > is running. If i dont pre-create schema or if i dont keep the other > server running in a cluster i dont see this issue. slapadd by default outputs an error and will not continue (unless -c is specified) when it has a problem adding an entry. You should provide the error encountered. I'd also note that you appear to be adding LDIF that is missing operational attributes. That will not work well if you're running in MMR and expect replication to work. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

OpenLDAP UTF8 values support
by Andre Rodier 23 Mar '18

23 Mar '18

Hello, I have started a small project to build a mail server, and the authentication / users list is based on OpenLDAP. I want to use international characters for the "secondary" email addresses but and OpenLDAP is complaining about it, as invalid syntax. I use the field otherMailBox field. I found a make-shift by storing the email address encoded in base64, but I therefore need to be sure any client will be able to read these base64 encoded email addresses. So far, Dovecot is fine, I am not sure yet about Postfix. Is there any limitation in OpenLDAP that would prevent some fields to be stored in UTF8 directly? I have noticed that the givenName and surname are automatically encoded in base64 when containing accents, so is it a standard practice? Thanks for your advices. https://github.com/progmaticltd/homebox Kind regards, André

4 5

LMDB on Ramdisk (tmpfs)
by Luca Foppiano 23 Mar '18

23 Mar '18

Dear everybody, I'm using one of your component (LMDB) via a java JNDI bindings implementation (https://github.com/deephacks/lmdbjni <https://github.com/deephacks/lmdbjni>) and I'm having an issue when I deploy my LMDB file on a tempfs filesystem in RAM. The issue do not occur when the LMDB files are stored on a "normal" filesystem. When the data is in the tempfs ramdisk all the allocated memory ends up being in the Dirty area (it has not been written back to the Filesytem). Here an example using the ramdisk: 7ce320000000-7cfc20000000 r--s 00000000 00:26 2459 /ramfs/nerd/data/db/db-en/entityEmbeddings/data.mdb Size: 104857600 kB Rss: 1255680 kB Pss: 1255680 kB Shared_Clean: 0 kB Shared_Dirty: 0 kB Private_Clean: 0 kB Private_Dirty: 1255680 kB <--- Referenced: 1255680 kB Anonymous: 0 kB AnonHugePages: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Locked: 0 kB VmFlags: rd sh mr mw me ms sd and here an example without: 7ca4fc000000-7cbdfc000000 r--s 00000000 fd:00 11154951 /data/workspace/shared/nerd-data/db/db-en/entityEmbeddings/data.mdb Size: 104857600 kB Rss: 838124 kB Pss: 838124 kB Shared_Clean: 0 kB Shared_Dirty: 0 kB Private_Clean: 838124 kB <---- Private_Dirty: 0 kB Referenced: 764872 kB Anonymous: 0 kB AnonHugePages: 0 kB ShmemPmdMapped: 0 kB Shared_Hugetlb: 0 kB Private_Hugetlb: 0 kB Swap: 0 kB SwapPss: 0 kB KernelPageSize: 4 kB MMUPageSize: 4 kB Locked: 0 kB VmFlags: rd sh mr mw me ms sd According to my understanding the memory is dirty when 1)there are open transactions, 2) the data has not been written back to the filesystem What I don't understand is why there is a difference between filesystem and ramdisk? Is there any reason? The application (listed above) is not writing on the lmdb, but just reading (using reading transaction). Thank you Luca

3 5

Re: Migrate from hdb/bdb to mdb backend.
by Quanah Gibson-Mount 22 Mar '18

22 Mar '18

--On Thursday, March 22, 2018 3:59 PM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > > Thank you! As an aside, I would note that OpenLDAP 2.4.46 was released today, and it contains multiple fixes for replication. ;) Fixed slapd syncrepl deadlock when updating cookie (ITS#8752) Fixed slapd syncrepl callback to always be last in the stack (ITS#8752) Fixed slapd CSN queue processing (ITS#8801) Fixed slapo-accesslog cleanup to only occur on failed operations (ITS#8752) (delta-sync specific) Fixed slapo-syncprov memory leak with delete operations (ITS#8690) Fixed slapo-syncprov to not clear pending operation when checkpointing (ITS#8444) Fixed slapo-syncprov to correctly record contextCSN values in the accesslog (ITS#8100) (delta-sync specific) Fixed slapo-syncprov not to log checkpoints to accesslog db (ITS#8607) (delta-sync specific) Fixed slapo-syncprov to process changes from this SID on REFRESH (ITS#8800) Fixed slapo-syncprov session log parsing to not block other operations (ITS#8486) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Migrate from hdb/bdb to mdb backend.
by Quanah Gibson-Mount 22 Mar '18

22 Mar '18

--On Thursday, March 22, 2018 3:50 PM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > > Quanah, > > > Rest of the config looks OK right? also i can replicate from hdb/bdb to > mdb as i described in previous email right? I am using > openldap-servers-2.4.44-5.el7.x86_64 Replication is a function of protocol, so yes, you can replicate from hdb/bdb to mdb. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2018