openldap-technical May 2018

openldap-technical@openldap.org

33 participants
32 discussions

.so version numbers for dlopen'd objects
by Paul B. Henson 23 May '18

23 May '18

I'm trying to get the OpenBSD openldap port updated to use modules, currently it just builds everything into a monolithic binary. They are objecting to the existence of the version number in the shared objects for the modules: -rwxr-xr-x 1 henson henson 1773576 May 21 12:54 back_bdb-2.4.so.2.10.7 -rwxr-xr-x 1 henson henson 864 May 21 12:54 back_bdb.la lrwxrwxrwx 1 henson henson 22 May 21 12:54 back_bdb.so -> back_bdb-2.4.so.2.10.7 They say that shared objects which are intended to be dlopen'd, as opposed to linked to, should not include version numbers, and it should look like: -rwxr-xr-x 1 henson henson 1773576 May 21 12:54 back_bdb-2.4.so -rwxr-xr-x 1 henson henson 864 May 21 12:54 back_bdb.la What is the openldap developer perspective on this? Thanks.

5 14

Understanding slapd connections
by Igor Zobin 22 May '18

22 May '18

Hello everyone! I am struggling to understand what exactly the command lsof -i tcp:389 is showing. What exactly is counted as an established connection here? Can I limit that amount somehow through slapd configuration? Can I monitor which of those connections shown by lsof are still in use and which just hang around doing nothing? Igor.

2 1

Re: pwdRESET not working
by Net Warrior 22 May '18

22 May '18

Hello When I force the expiration changing pwdMaxAge what I can see in the log is the following: ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired password: 0 grace logins I test the login, I get two warning as configured but the user is never forced to change it and can login as usual, any hint on this? I was expecting something like this, this is from my old notes ( 2013 ) at that time it worked You are required to change your LDAP password immediately. Last login: Wed Feb 13 12:07:38 2013 from server.domain.com WARNING: Your password has expired. You must change your password now and login again! Changing password for user pmorales. Enter login(LDAP) password: My sss configuration # sssd::config [sssd] domains = domain services = nss, pam, ssh, sudo config_file_version=2 [domain/zebra] # sssd::provider::ldap id_provider=ldap auth_provider=ldap chpass_provider=ldap ldap_uri=ldap://openldap.domain.com ldap_chpass_uri=ldap://openldap.domain.com ldap_search_base=dc=domain,dc=com ldap_tls_reqcert=never ldap_tls_cacert=/etc/openldap/cacerts/ca_certs.pem ldap_tls_cacertdir=/etc/openldap/cacerts ldap_id_use_start_tls=false ldap_user_search_base=ou=Users,dc=domain,dc=com ldap_group_search_base=ou=Groups,dc=domain,dc=com debug_level=6 ldap_sudo_search_base=cn=sudo,ou=Groups,dc=domain,dc=com ldap_chpass_update_last_change=true ldap_user_shadow_last_change=shadowLastChange ldap_pwd_policy=shadow nsswitch.conf passwd: files sss shadow: files sss group: files sss System-Auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so session optional pam_mkhomedir.so umask=0077 Password Auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so session optional pam_mkhomedir.so umask=0077 Thanks Regards 2018-05-10 11:45 GMT-03:00 Net Warrior <netwarrior863(a)gmail.com>: > Hi > > From time to time I need to reset user passwords when they forget it so I > want to force them to change it when they connect over ssh, as long as I > remember this worked before, ( do not remember which openldap version it was > a long time ) anyway , how can I force user to change their passwords upon > ssh connection? or is not possible anymore? > > > Thanks > Regards > > > On 05/08/2018 09:25 AM, Clément OUDOT wrote: >> >> >> Le 03/05/2018 à 16:23, Net Warrior a écrit : >>> >>> Hello there guys, when setting the pwsReset to TRUE I cannot login to >>> the system anymore, just get the permission denied, then I found this. >>> >>> https://github.com/pwm-project/pwm/issues/155 >>> >>> Did I face that bug or maybe it's something else? >> >> >> It's not a bug. If pwdReset is set to TRUE, the BIND will be successful >> but you will not be allowed to do another operation but changing >> password. If your application is doing a SEARCH just after the BIND, you >> will be denied. >> >> >> >

2 1

OTP or 2FA for Manager Account?
by Douglas Duckworth 18 May '18

18 May '18

Hi Does OpenLDAP support use of one time passwords or 2FA for the Manager account? Thanks Doug

7 11

ldapdelete: Invalid DN on an Accesslog generated DN
by Giuseppe Civitella 17 May '18

17 May '18

Hi all, while doing some tests to enable accesslog in my directory, I did enable the overlay and then disabled it because of login problems. Once restored the directory, I found a few entries like this: dn: reqStart=20180509102412.000000Z,BASEDN objectClass: auditModify structuralObjectClass: auditModify REQSTART: 20180509102412.000000Z REQEND: 20180509102412.000001Z REQTYPE: modify REQSESSION: 1679 REQAUTHZID: cn=admin,BASEDN REQDN: cn=gcivitella,ou=users,BASEDN REQRESULT: 0 REQMOD: description:= description utente gcivitella (update check accesslog) REQMOD: entryCSN:= 20180509102412.246481Z#000000#000#000000 REQMOD: modifiersName:= cn=admin,BASEDN REQMOD: modifyTimestamp:= 20180509102412Z REQENTRYUUID: 53620528-9276-1037-8c51-e5b01d96303b entryUUID: dc744658-e7be-1037-9c6f-71aa77ba1fb3 creatorsName: cn=admin,BASEDN createTimestamp: 20180509102412Z entryCSN: 20180509102412.246481Z#000000#000#000000 modifiersName: cn=admin,BASEDN modifyTimestamp: 20180509102412Z Now I'm unable to delete them. I get an "invalid DN" error: ldapdelete -D "cn=admin,BASEDN" -W -H ldap://127.0.0.1 -v "reqStart=20180509102412.000000Z,BASEDN" ldap_initialize( ldap://127.0.0.1:389/??base ) Enter LDAP Password: deleting entry "reqStart=20180509102412.000000Z,BASEDN" ldap_delete: Invalid DN syntax (34) additional info: invalid DN Is there a way to force the deletion or temporary disable the schema check? Best regards, Giuseppe

3 3

Schema for a sql->ldap server
by James Cloos 14 May '18

14 May '18

I wonder if anyone can offer some tips on how the ldap schema should look for the setup below. The docs for how to use openldap's sql backend are good; it is only the schema I'm unsure of. The data currently resides in a sql db, and some users have devices which can access data via ldap. One table has data similar to what would work for inetOrgPerson, except that email addresses and inet domains are not guaranteed. Another table has data specific to each device; we'd want the devices to use that name/pw tuple to access the ldap data. Not the person-specific name/pw tuple. The end-users will primarily be interested in contact details for people from the first table. Also, the sql covers multiple customers, and each device should only see the data from the customer with which it is associated. Generating a dn for each company is the first issue. Does it work to just use the company name w/o any hierarchy? I presume that the device's will also need a dn, to use their name/pw tuples for access, yes? I'm also unsure how to define those DNs. Is there any good references for doing ldap w/o using internet concepts for the naming? -JimC -- James Cloos <cloos(a)jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6

1 0

ldapdelete: Invalid DN on an Accesslog generated DN
by Giuseppe Civitella 14 May '18

14 May '18

1 0

Search only few subtrees under baseDN
by Ervin Hegedüs 14 May '18

14 May '18

Hi, may be the subject doesn't give back my real quastion... and may be this is a returned topic... sorry. Scenario: there is a database with several DC's, all DC's divided to several OU's, and most OU contains several other OU's. dc=hu + dc=company1 + dc=company2 + dc = sub-company21 + ou = orgunit1 + ou = orgunit2 + ou = orgunit3 and there are several users. Take a look two examples: uid=admin1,ou=some-org,dc=sub-company21,dc=company2,dc=hu needs to read the ou=orgunit1 and ou=orgunit2. uid=admin2,ou=some-org,dc=sub-company21,dc=company2,dc=hu needs to read full dc=sub-company21 subtree. All of them are WORKING now as well with ACL's. But now, the admin1 user needs to set up two different connections in GUI browser, because he can't set up the dc=sub-company21,dc=company2,dc=hu as baseDN. When he uses the search through API, then he needs to make 2 different lookup to collect all nodes from DB, and merge them. Is there any way to set up one or more ACL's, where admin1 user can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and can start to search from there, but he will see the entries only from ou=orgunit1 and ou=orgunit2? Hope that's clear... Thanks, a.

3 6

How to present the memberOf attribute in a syncrepl setup?
by Robert Minsk 14 May '18

14 May '18

/-----------------------------------\ | master1 <- mirror repl -> master2 | \-----------------------------------/ ^ ^ ^ | | | syncrepl syncrepl syncrepl | | | /-------\ /-------\ /-------\ |cache01| |cache02| ... |cache n| \-------/ \-------/ \-------/ The master servers are using mirror replication and are behind a load balancer setup for active/passive failover. All writes go to the active master where the "member" attribute is maintained for the groups. The cache servers get their data from the master servers using syncrepl replication. All the end clients connect to the cache servers. I need to be able to present the memberOf attribute on users on the cache servers. The man page for slapo-memberof states that it is not compatible with syncrepl. Because of this the cache servers are using slapo-dynlist to create the memberOf attribute. The problem is since I am using a dynamic list I can not search using the memberOf attribute only query its value. I need to be able to search by the memberOf attribute. What is the recommended way generate the memberOf attribute? Should I modify the schema for a user and somehow maintain the memberOf attribute on the masters? I am a bit worried about this since looking at the slapo-memberOf source the memberOf attribute it is flagged as a DSAOperation.

1 0

About Openldap's functional testing
by 郦旺 13 May '18

13 May '18

To whom it may concern, I am a student who is interested in software reliability. After read the Administrator's Guide, I only found the tests like “make test” to test the build before installation. For the reason that I need to do some experiments, I wonder if there are some official functional tests against an existing Installation of OpenLDAP. Thanks, Wang

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2018