Problem with "force user to password reset at first login"
by Rajagopal Rc
Hi,
I am trying to force users to change their password at first login or
after a password reset by the administrator.
I tried the following:
1) Password policy 'pwdMustChange TRUE' doesn't seem to be working, as none
of the users get prompted to change their password at first login.
2) Used the 'pwdReset TRUE' attribute in the user's attributes; it won't
prompt to change the password and didn't allow login.
I observe the below messages in the log:
"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
Please help me configure the option to force all users to change their
password at first login or after a password reset by the administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
1 month, 1 week
role based authorization -> dynacl module?
by Daniel Tröder
Hello everyone,
I am in the process of implementing a role concept via ACLs and hope for
a hint so that I don't invent the wheel a second time.
Specifically, it is about identity management for schools. A user
(object) can have several roles in multiple schools. Permissions on
other LDAP objects can thus differ depending on the role(s) the user and
the object have in the same school(s).
For example, a user could have been assigned the following roles that
are scattered over several schools:
→ "Teacher" in school 1
→ "School admin" in school 2
→ "Parent" in school 3
→ both "Teacher" and "Staff" in school 4
ACLs should now be defined accordingly, e.g.
→ the role "teacher" at school X can reset the password for the role
"student" at school X
→ the role "teacher" at school X *cannot* reset the password for the
role "student" of school Y
→ the role "school administrator" at school X can reset the password for
the roles "student" and "teacher" at school X
→ ...
So far I have not seen any way to map such a construct via groups or
sets without including a separate ACL for each group, which is a
performance issue.
Is there another way to map the role concept besides implementing my own
dynacl module?
Greetings,
Daniel
5 years, 2 months
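The authorization semantics described in the post, modelled as an added Python example (it is not OpenLDAP ACL or dynacl code and not code from the thread). The role names, school identifiers, the `reset_password` action and the `RULES` table are assumptions chosen to mirror the bullets above; the point it shows is that a grant is only ever evaluated inside a school that both principals share, so a teacher at school X cannot reach a student who is only at school Y.

```python
from dataclasses import dataclass, field

# Constructed rule table (assumed role and action names, not a schema
# taken from the post): (actor role, action) -> target roles it may act on.
# A rule only applies inside a school that actor and target share.
RULES = {
    ("teacher", "reset_password"): {"student"},
    ("school_admin", "reset_password"): {"student", "teacher"},
}


@dataclass
class Principal:
    uid: str
    # school identifier -> set of roles held there, e.g. {"school4": {"teacher", "staff"}}
    roles: dict = field(default_factory=dict)


def grants(actor: Principal, action: str, target: Principal) -> list:
    """Return every (school, actor_role, target_role) triple that permits
    `action`; an empty list means deny. Because only schools in which BOTH
    principals hold a role are examined, a teacher at school X never reaches
    a student at school Y unless the two also share a school."""
    found = []
    for school, actor_roles in actor.roles.items():
        target_roles = target.roles.get(school, set())
        if not target_roles:
            continue  # no shared school, nothing to evaluate
        for role in sorted(actor_roles):
            for tgt in sorted(RULES.get((role, action), set()) & target_roles):
                found.append((school, role, tgt))
    return found


def is_allowed(actor: Principal, action: str, target: Principal) -> bool:
    """Deny-by-default decision: allowed only if at least one grant exists."""
    return bool(grants(actor, action, target))


# Constructed principal mirroring the role assignments listed in the post.
DANIEL = Principal("daniel", {
    "school1": {"teacher"},
    "school2": {"school_admin"},
    "school3": {"parent"},
    "school4": {"teacher", "staff"},
})


def student_of(*schools: str) -> Principal:
    """Helper: a student enrolled in the given schools."""
    return Principal("student", {s: {"student"} for s in schools})


if __name__ == "__main__":
    for target in (student_of("school1"), student_of("school3"), student_of("school5", "school1")):
        print(sorted(target.roles), is_allowed(DANIEL, "reset_password", target),
              grants(DANIEL, "reset_password", target))
```

`grants()` returns the full list of matching triples rather than a bare boolean so that an audit log can record which (school, role) pair actually authorised a password reset; `is_allowed()` is the deny-by-default wrapper. Each rule is one table entry, independent of how many schools exist, which is the shape a dynacl module would need to reproduce.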
Fixing slapo-nops (ITS#8759)
by manu@netbsd.org
Hello
Following ITS#8759, I am looking for ideas about how to fix slapo-nops.
This overlay suppresses nilpotent operations that replace an attribute's
values with the same values. The code is in
contrib/slapd-modules/nops/nops.c
The problem is that slapo-nops assumes it can free the nilpotent struct
Modifications after removing them from the list, but for instance
slapo-memberof uses struct Modifications allocated on the stack.
Not freeing in slapo-nops is not a fix, since unlinked struct
Modifications will not be freed anywhere else, and we will get a memory
leak.
Would it make sense to add a SLAP_MOD_ONSTACK flag in struct
Modification's sm_flags so that we can tell the difference? Any other
idea?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
5 years, 5 months
Re: removing ppolicy overlay
by Frank Swasey
The lack of responses indicates that people either do not use ppolicy or once used, they never remove it.
For future reference here's the procedure that I've worked up:
shut down slapd on all MMR members
slapcat the database
edit the database to remove all "pwd*" attributes and all entries that are pwd* objectClass
edit the slapd.conf file (if you are using slapd.d you are on your own)
replace the database (delete, and slapadd)
Empty the accesslog database if you are using that
start slapd
Copy your edited database to the rest of your servers and use the tried and true "nuke & repave" process to delete the existing database, edit the config, slapadd the edited database
- Frank
> On Apr 16, 2018, at 11:09, Frank Swasey <Frank.Swasey(a)uvm.edu> wrote:
>
> Is there a recommended way to discontinue the use of the ppolicy overlay?
>
> The only way I've found that works is to stop the ldap server and using slapcat/edit/slapadd eradicate all the ppolicy attributes (combined with removing the ppolicy overlay and schema from the slapd.conf file).
>
> I'm attempting this on RHEL7 with OpenLDAP 2.4.46 (local built).
>
> Thanks,
> - Frank
5 years, 6 months
Separate trees openldap
by seguranca informacao
Hi guys,
I'm trying to accomplish a configuration that I'm not aware of. I need to
replicate several directories (AD, OpenLDAP, etc.) to a unique repository
(my OpenLDAP). The thing is I need to have completely separate trees for
each domain (client). Any ideas on how to do that? Below is an example of
what I'm thinking of:
dc=example,dc=com
  cn=users
  cn=groups
------------------------------ complete separation
dc=domain,dc=com
  cn=users
  cn=groups
------------------------------ complete separation
dc=test,dc=ca
  cn=users
  cn=groups
------------------------------ complete separation
thx,
sergio
5 years, 7 months
(no subject)
by Chris Cardone
Hello All!
I have started building a large-scale OpenLDAP infrastructure for the
company I work for and I'm running into one issue I can't seem to resolve.
The final architecture is 4 Master servers (each one in its own data center
across the USA)
We also want to have 2 slaves tied to each master. We deal with an
incredibly high amount of authentication traffic.
I currently have the 4 masters configured (n-master - using syncrepl) that
is functioning as designed, cn=config and user databases are successfully
replicated across the 4 servers no matter which server you use to update.
What I am having issues with is getting the slaves to sync to the masters.
I have the rpuser set up, the machines can talk to each other. I can run
queries using the rpuser from any slave to any master and get data back. I
can see the rpuser connecting to the master, and showing successful
authentication in an attempt to replicate back to the slave.
But this error comes up
do_syncrep2: rid=010 got search entry without Sync State control
and user data is not replicated back to the slave.
some additional notes:
On the slaves, I did NOT replicate the cn=config db {0}, only the
here is the LDIF file (with hostnames/passwd removed)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=010
  provider=ldap://master-1.example.com:389/
  bindmethod=simple
  binddn="uid=rpuser,dc=example,dc=com"
  credentials=banana
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  retry="30 5 300 3"
  interval=00:00:05:00
here is the applied config on the slave server
# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=squaretrade,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcSyncrepl: {0}rid=010 provider=ldap://master-1.example.com:389/ bindmethod=simple binddn="uid=rpuser,dc=example,dc=com" credentials=banana searchbase="dc=example,dc=com" type=refreshAndPersist retry="30 5 300 3" interval=00:00:05:00
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
here is the syncprov config on the master it is communicating with
# {0}syncprov, {1}mdb, config
dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
My questions
1> does the slave also require the cn=config database replication?
2> do the masters need similar configs (i.e. like the n-master config) does
RID=010 also need to be configured on the master?
here is a section of logs from a sync attempt
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: epoll:
listen=10 active_threads=0 tvp=zero
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: epoll:
listen=11 active_threads=0 tvp=zero
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: =>do_syncrepl rid=010
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: epoll:
listen=12 active_threads=0 tvp=zero
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: epoll:
listen=13 active_threads=0 tvp=zero
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: =>do_syncrep2 rid=010
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: do_syncrep2: rid=010
got search entry without Sync State control (dc=example,dc=com)
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: do_syncrepl: rid=010 rc
-1 retrying (1 retries left)
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: activity on 1
descriptor
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: activity on:
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]:
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: epoll:
listen=10 active_threads=0 tvp=zero
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: epoll:
listen=11 active_threads=0 tvp=zero
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: epoll:
listen=12 active_threads=0 tvp=zero
Apr 18 09:27:36 la1-ldap-slave-prod-1 slapd[14543]: daemon: epoll:
listen=13 active_threads=0 tvp=zero
any assistance would be greatly appreciated!
and if there is additional information that will help just ask!
Christopher
5 years, 7 months
OpenLDAP & Mysql backend
by Arianna Milazzo
Hello!
I installed OpenLDAP on Debian 9 with the MySQL backend. I followed the guide
and I used the example database (http://www.openldap.org/faq/data/cache/978.html).
Now, I can connect to OpenLDAP with the root credential (in slapd.conf) or with
a "person" present in ldap_entries, but I don't see anything: no search
results.
With Apache Directory Studio I see only organization.
It's even impossible to add something: ldap_add: Server is unwilling to
perform (53)
additional info: operation not permitted within namingContext
Please, can someone tell me why?
Thanks,
Arianna
5 years, 7 months
mdb_del: MDB_MAP_FULL: Environment mapsize limit reached
by James Anderson
good morning;
We recently observed a call to mdb_del had returned an MDB_MAP_FULL error for an environment which I believe to be configured, when opened, to permit 40G, while currently stat indicates a size of roughly 1.7G on disk.
I find no bug reports related to this.
Are there any secondary factors which would lead to this result?
This is using the lmdb library at 0.9.21.
---
james anderson | james(a)dydra.com | http://dydra.com
5 years, 7 months
Re: slapadd not adding some of the roleoccupent entries
by Quanah Gibson-Mount
--On Tuesday, April 24, 2018 1:05 PM -0700 rammohan ganapavarapu
<rammohanganap(a)gmail.com> wrote:
>
> Thank you for clarification, is it possible to share what are the missing
> attributes?
There are a number of them (such as entryUUID, entryCSN, etc). Regardless,
for replication to work, the operational attr values must be the same
across servers. This is generally why if you're bringing up replication in
an environment where you already have an existing DB, you slapcat the DB
off your "golden" master, and then use slapadd to import it to the other
servers.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 7 months
Migration Task from 2.3.x to 2.4.x
by Periko Support
Hi people.
I have a CentOS 6.x server running OpenLDAP 2.3.x as the backend for our Samba domain.
I need to move to CentOS 7, which comes with OpenLDAP 2.4.x.
I have read that the settings files change and I need to upgrade to the
new format for 2.4.x.
I have my LDAP backups; is this the right way to do it?
1) Move my backup to the new server.
2) Remove slapd.d dir from /etc/openldap in the new installation.
3) Copy my openldap settings from the old server (/etc/openldap/)
4) run slapadd -l ldap.backup
5) create an empty directory called slapd.d in /etc/openldap
6) convert to new format: slaptest -f ldap.backup -F /etc/openldap/slapd.d
Is this correct, guys, or did I miss something?
Thanks for your help and time!!!
5 years, 7 months