Problem with "force user to password reset at first login"
by Rajagopal Rc
Hi,
I am trying to force users to change their password at first login or after a password reset by the administrator.
Tried the following:
1) Password policy 'pwdMustChange TRUE' doesn't seem to be working, as none of the users get prompted to change their password at first login.
2) Used the 'pwdReset TRUE' attribute in the users' attributes; it won't prompt to change the password and didn't allow login.
I observe the messages below in the log:
"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
Please help me configure the option to force all users to change their password at first login or after a password reset by the administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
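The err=50 lines quoted in the post above are slapo-ppolicy doing what pwdReset asks for: once an administrator has set or reset the password (with pwdMustChange TRUE), the user's bind succeeds, but the session is limited to the Password Modify extended operation until the user changes the password, so every search on that connection fails with that text. A client that binds and then searches, without ever issuing a password modify, therefore looks "locked out", and the user is stuck in the reset state. The following Python script is an added example, not code from the post or from OpenLDAP: it runs over slapd stats log lines and reports which bound users hit the restriction and which of them never completed the password change. The sample log lines, DNs and connection numbers are constructed; the diagnostic text is the one quoted in the post.

```python
import re

# Constructed sample of slapd "stats" log lines (loglevel 256), modelled on the
# err=50 lines quoted in the post above. DNs and connection numbers are made up.
SAMPLE_LOG = """\
conn=1053 op=0 BIND dn="uid=raj,ou=people,dc=example,dc=com" method=128
conn=1053 op=0 RESULT tag=97 err=0 text=
conn=1053 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=raj)"
conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
conn=1053 op=2 UNBIND
conn=1054 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1054 op=0 RESULT tag=97 err=0 text=
conn=1054 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
conn=1054 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
conn=1054 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1054 op=2 PASSMOD id="uid=alice,ou=people,dc=example,dc=com" old new
conn=1054 op=2 RESULT oid= err=0 text=
conn=1054 op=3 UNBIND
conn=1055 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1055 op=0 RESULT tag=97 err=49 text=
conn=1055 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=bob)"
conn=1055 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=
"""

# Diagnostic text slapo-ppolicy attaches while pwdReset is in force (quoted in the post).
# A bare err=50 without it is an ordinary ACL denial and is deliberately ignored below.
PPOLICY_RESTRICTED = "restricted to bind/unbind/abandon/StartTLS/modify password"
PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"  # Password Modify extended operation, RFC 3062

RE_BIND = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RE_RESULT = re.compile(r'^conn=(\d+) op=(\d+) (?:SEARCH )?RESULT .*?err=(\d+)')
RE_EXT = re.compile(r'^conn=(\d+) op=(\d+) EXT oid=(\S+)')
RE_UNBIND = re.compile(r'^conn=(\d+) op=\d+ UNBIND')


def audit_password_reset(log_text):
    """Correlate BIND, RESULT, EXT and UNBIND lines per connection and return
    the DNs that hit the ppolicy "change password first" restriction, the DNs
    that completed a Password Modify, and the difference (still stuck)."""
    pending_bind = {}     # (conn, op) -> dn waiting for its BIND result
    bound = {}            # conn -> dn currently authenticated on that connection
    pending_passmod = {}  # (conn, op) -> dn waiting for its Password Modify result
    restricted, completed = set(), set()
    for line in log_text.splitlines():
        m = RE_BIND.match(line)
        if m:
            pending_bind[(m[1], m[2])] = m[3]
            continue
        m = RE_EXT.match(line)
        if m:
            if m[3] == PASSMOD_OID and m[1] in bound:
                pending_passmod[(m[1], m[2])] = bound[m[1]]
            continue
        m = RE_UNBIND.match(line)
        if m:
            bound.pop(m[1], None)
            continue
        m = RE_RESULT.match(line)
        if not m:
            continue
        conn, op, err = m[1], m[2], int(m[3])
        text = line.split("text=", 1)[1] if "text=" in line else ""
        if (conn, op) in pending_bind:
            dn = pending_bind.pop((conn, op))
            if err == 0:
                bound[conn] = dn        # authenticated; later ops belong to this dn
            else:
                bound.pop(conn, None)   # failed bind leaves the connection anonymous
        elif (conn, op) in pending_passmod:
            dn = pending_passmod.pop((conn, op))
            if err == 0:
                completed.add(dn)
        elif err == 50 and PPOLICY_RESTRICTED in text and conn in bound:
            restricted.add(bound[conn])
    return {"restricted": restricted, "completed": completed,
            "stuck": restricted - completed}


if __name__ == "__main__":
    report = audit_password_reset(SAMPLE_LOG)
    for key in ("restricted", "completed", "stuck"):
        print(f"{key}:")
        for dn in sorted(report[key]):
            print(f"  {dn}")
```

In the post's own log the failing operation is a SEARCH issued right after the bind, which is exactly the pattern the "stuck" list flags: a client such as ldappasswd completes the change by sending Password Modify, whereas a plain ldapsearch session, or an application that only binds and searches, never will.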
role based authorization -> dynacl module?
by Daniel Tröder
Hello everyone,
I am in the process of implementing a role concept via ACLs and hope for a hint so that I don't reinvent the wheel.
Specifically, it is about identity management for schools. A user
(object) can have several roles in multiple schools. Permissions on
other LDAP objects can thus differ depending on the role(s) the user and
the object have in the same school(s).
For example, a user could have been assigned the following roles that
are scattered over several schools:
→ "Teacher" in school 1
→ "School admin" in school 2
→ "Parent" in school 3
→ both "Teacher" and "Staff" in school 4
ACLs should now be defined accordingly, e.g.
→ the role "teacher" at school X can reset the password for the role
"student" at school X
→ the role "teacher" at school X *cannot* reset the password for the
role "student" of school Y
→ the role "school administrator" at school X can reset the password for
the roles "student" and "teacher" at school X
→ ...
So far I have not seen any way to map such a construct via groups or
sets without including a separate ACL for each group, which is a
performance issue.
Is there another way to map the role concept besides implementing my own dynacl module?
Greetings,
Daniel
issues with equality matching and slapd death
by Christopher Paul
Hello Fellow OpenLDAP Techs,
I'm having an issue with equality matching and slapd death (just another
day in the life of an LDAP guy...).
version info:
OpenLDAP: slapd 2.4.44
Red Hat Enterprise Linux Server release 7.5 (Maipo)
RH package: openldap-servers-2.4.44-15.el7_5.x86_64
While planning for a migration, I ran into the following error:
$ ldapmodify -x -y ~/.ldappw
dn: uid=cs5555,ou=testPrimary,ou=mailhosts,dc=test,dc=com
changetype: modify
add: mailAlternateAddress
mailAlternateAddress: cs5555(a)test.com
[CTRL-D]
modifying entry "uid=cs5555,ou=testPrimary,ou=mailhosts,dc=test,dc=com"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: mailAlternateAddress: no equality matching rule
I tried to fix this by updating the schema to add "EQUALITY
caseIgnoreMatch" to the attribute definition for mailAlternateAddress.
dn: cn={5}inetLocalMailRecipient,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {5}inetLocalMailRecipient
olcAttributeTypes: {0}( 2.16.840.1.113730.3.1.24 NAME 'mailRoutingAddress' DESC 'iPlanet defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'iPlanet Messaging Server' )
olcAttributeTypes: {1}( 2.16.840.1.113730.3.1.18 NAME 'mailHost' DESC 'iPlanet defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'iPlanet Messaging Server' )
olcAttributeTypes: {2}( 2.16.840.1.113730.3.1.13 NAME 'mailAlternateAddress' DESC 'iPlanet defined attribute type'EQUALITY caseIgnoreMatchSYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'iPlanet Messaging Server' )
olcObjectClasses: {0}( 2.16.840.1.113730.3.2.4 NAME 'inetLocalMailRecipient' DESC 'iPlanet defined objectclass' AUXILIARY MAY ( mailAlternateAddress $ mailHost $ mailRoutingAddress ) X-ORIGIN 'iPlanet Messaging Server' )
Now, after the schema change, the same ldapmodify kills slapd.
$ ldapmodify -x -y ~/.ldappw
dn: uid=cs5555,ou=testPrimary,ou=mailhosts,dc=test,dc=com
changetype: modify
add: mailAlternateAddress
mailAlternateAddress: cs5555(a)test.com
modifying entry "uid=cs5555,ou=testPrimary,ou=mailhosts,dc=test,dc=com"
ldap_result: Can't contact LDAP server (-1)
Trying this with slapd running with olcLogLevel=-1, I get the following
output before slapd death:
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: connection_get(11)
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: connection_get(11): got connid=1008
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: connection_read(11): checking for input on id=1008
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: op tag 0x60, time 1537906659
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: conn=1008 op=0 do_bind
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: >>> dnPrettyNormal: <cn=manager,dc=test,dc=com>
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: <<< dnPrettyNormal: <cn=manager,dc=test,dc=com>, <cn=manager,dc=test,dc=com>
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: conn=1008 op=0 BIND dn="cn=manager,dc=test,dc=com" method=128
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: do_bind: version=3 dn="cn=manager,dc=test,dc=com" method=128
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: ==> hdb_bind: dn: cn=manager,dc=test,dc=com
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: conn=1008 op=0 BIND dn="cn=manager,dc=test,dc=com" mech=SIMPLE ssf=0
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: do_bind: v3 bind: "cn=manager,dc=test,dc=com" to "cn=manager,dc=test,dc=com"
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: send_ldap_result: conn=1008 op=0 p=3
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: send_ldap_result: err=0 matched="" text=""
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: send_ldap_response: msgid=1 tag=97 err=0
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: conn=1008 op=0 RESULT tag=97 err=0 text=
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: daemon: activity on 1 descriptor
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: daemon: activity on:
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]: daemon: epoll: listen=9 active_threads=0 tvp=NULL
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal systemd[1]: slapd.service: main process exited, code=killed, status=6/ABRT
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal systemd[1]: Unit slapd.service entered failed state.
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal systemd[1]: slapd.service failed.
Does anyone have any insight into this issue? Somehow I've never run into this one before.
Many thanks,
CP
--
Chris Paul
Rex Consulting, Inc
5652 Florence Terrace, Oakland, CA 94611
email: chris.paul(a)rexconsulting.net
web: http://www.rexconsulting.net
phone, toll-free: +1 (888) 403-8996 ext 1
Re: slapo-memberof and Replication
by Dave Macias
>
> It means that you run it in a replicated environment at your own risk.
> Unfortunately, there is no defined standard for the "memberOf"
> functionality (it's a MS hack) and so there's nothing that details how it
> should or shouldn't behave with replication. In general, things work fine
> as long as:
>
Does the same apply to the rfc2307bis schema, which gives you the groupOfMembers objectclass?
Out of curiosity.
Thanks!
olcTLSCACertificateFile and olcTLSCertificateFile displayed as encrypted?
by Jean-Francois Malouin
Hi,
Not a very important question, just a little puzzled by this...
Is there a reason why the olcTLSCACertificateFile and olcTLSCertificateFile
paths show up as encrypted in this cn=config search?
slapd 2.4.46 on Debian 9.5 (Stretch)
ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b 'cn=config' -s base
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: stats
olcLogLevel: sync
olcPidFile: /var/run/slapd/slapd.pid
olcServerID: 1
olcTLSCACertificateFile:: IC9ldGMvbGRhcC9zc2wvQ09NT0RPX0NBX2J1bmRsZS5jcnQ=
olcTLSCertificateFile:: ICAgL2V0Yy9sZGFwL3NzbC9TVEFSX2JpY19tbmlfbWNnaWxsX2NhLmNydA==
olcTLSCertificateKeyFile: /etc/ldap/ssl/STAR_bic_mni_mcgill_ca.key
olcTLSCipherSuite: NORMAL
olcTLSVerifyClient: allow
olcToolThreads: 1
There is an extra ':' ...
When I edit/display the cn=config with ldapvi (old fart here!) they show up as:
olcTLSCACertificateFile:; /etc/ldap/ssl/COMODO_CA_bundle.crt
olcTLSCertificateFile:; /etc/ldap/ssl/STAR_bic_mni_mcgill_ca.crt
again, notice the ';' this time...
Just curious!
Thanks,
jf
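The double colon is not encryption. In LDIF (RFC 2849) `attr:: value` means the value is base64-encoded, and ldapsearch encodes any value that is not a "safe string": one that starts with a space, a colon or '<', or that contains NUL, CR, LF or non-ASCII bytes. Decoding the two values quoted above shows that both paths begin with whitespace (one space and three spaces respectively), which is what triggered the encoding; the key path has no leading space and is printed plainly. One way such a space gets in is a folded LDIF continuation line whose content starts with an extra space, since only the first space of a continuation line is the fold marker. The following Python script is an added example, not code from the post or from OpenLDAP: it unfolds and decodes LDIF attribute lines, flags values that start with whitespace, and shows the encode-side rule. The excerpt is constructed from the values quoted in the post.

```python
import base64

# Constructed excerpt, built from the two base64 values quoted in the post above
# plus one plain value; it is not a real cn=config dump.
SAMPLE_LDIF = """\
dn: cn=config
olcTLSCACertificateFile:: IC9ldGMvbGRhcC9zc2wvQ09NT0RPX0NBX2J1bmRsZS5jcnQ=
olcTLSCertificateFile:: ICAgL2V0Yy9sZGFwL3NzbC9TVEFSX2JpY19tbmlfbWNnaWxsX2NhLmNydA==
olcTLSCertificateKeyFile: /etc/ldap/ssl/STAR_bic_mni_mcgill_ca.key
"""


def needs_base64(value: str) -> bool:
    """RFC 2849 rule: 'attr: value' is only allowed for a SAFE-STRING, i.e. the
    value must not start with SPACE, ':' or '<' and must not contain NUL, CR, LF
    or any non-ASCII character; anything else is emitted as 'attr:: <base64>'.
    (The RFC also recommends encoding values that end with a space.)"""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ch in "\0\r\n" or ord(ch) > 0x7F for ch in value)


def format_ldif_line(attr: str, value: str) -> str:
    """Encode one attribute value the way ldapsearch output does."""
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def unfold(text: str) -> list:
    """Join LDIF continuation lines: a line starting with a space continues the
    previous line and only that first space is dropped, so a continuation line
    that starts with two spaces adds a space to the value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_line(line: str):
    """Return (attr, decoded_value, encoding) for an attribute line, where
    encoding is 'plain' (attr: v), 'base64' (attr:: v) or 'url' (attr:< v);
    None for blank, comment or separator lines."""
    attr, sep, rest = line.partition(":")
    if not sep or not attr or attr.startswith("#"):
        return None
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8"), "base64"
    if rest.startswith("<"):
        return attr, rest[1:].strip(), "url"
    return attr, rest.lstrip(" "), "plain"


def decode_entry(text: str) -> dict:
    """Map each attribute to its list of (decoded value, encoding) pairs."""
    entry = {}
    for line in unfold(text):
        parsed = parse_ldif_line(line)
        if parsed:
            attr, value, enc = parsed
            entry.setdefault(attr, []).append((value, enc))
    return entry


def leading_whitespace_values(text: str) -> list:
    """Attributes whose decoded value starts with whitespace: the usual reason a
    file path shows up base64-encoded in ldapsearch output."""
    return [(attr, value) for attr, values in decode_entry(text).items()
            for value, _enc in values if value[:1].isspace()]


if __name__ == "__main__":
    for attr, values in decode_entry(SAMPLE_LDIF).items():
        for value, enc in values:
            print(f"{attr} [{enc}]: {value!r}")
    for attr, value in leading_whitespace_values(SAMPLE_LDIF):
        print(f"{attr}: leading whitespace; as stored: {format_ldif_line(attr, value)!r}; "
              f"trimmed: {format_ldif_line(attr, value.lstrip())!r}")
```

Running it on the excerpt prints the two certificate paths with their leading spaces and shows that the trimmed values would be written back as ordinary `attr: /etc/ldap/ssl/...` lines; the post does not say whether slapd tolerates the whitespace, so re-setting the two attributes without it is the tidy fix regardless.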
slapo-memberof and Replication
by Meike Stone
Hello,
I need the memberof attribute on users, and I configured it with the memberof overlay. Everything is working fine. I would like to deploy a second server for redundancy reasons, but the manual page of the overlay says:
" .. Replica servers should be configured with their own instances of the memberOf overlay if it is desired to maintain these memberOf attributes on the replicas. Note that slapo-memberOf is not compatible with syncrepl based replication, and should not be used in a replicated environment. ..."
That confuses me a little bit.
All replication in OpenLDAP is based on syncrepl (slurpd vanished a long time ago).
So what kind of replication does the manual page mean (-> "Replica servers")?
Thanks, Meike
SASL EXTERNAL olcRootDN and ACLs
by linux nuse
https://www.openldap.org/doc/admin24/access-control.html says:
Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the <by> clauses.
"Well", said I and set olcRootDN to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth.
Then I've tried to add an entry with
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// ....
and OpenLDAP told me that I don't have permission to modify the DB.
I had to grant gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth access to everything in the backend's ACL to make it work.
Is it expected that the gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth rootdn does not have full rights without explicit permission, or do I need to recheck because I could have gotten something wrong (didn't restart slapd or something like that)?
RE: Restarting syncrepl based provider / consumer setup trawls through whole DIT - why?
by Ole Nomann Thomsen
> --On Monday, September 24, 2018 2:51 PM +0000 Ole Nomann Thomsen
> <ole.nomann(a)stil.dk> wrote:
>
> > 2018-09-12T16:25:41.526574+02:00 nonpresent_callback: rid=001 present
> > UUID 9b99ec5a-4cfe-1029-9a2e-80309636f032, dn
> > ou=Authentication,o=UNI-C,c=DK
>
> This is the presence phase.
>
>
> > I'm guessing that that the Consumer is looking up every entry to decide
> > if it has changed.
>
> It is confirming each entry is still present (not deleted).
>
>
> > But why is it not persistent? Am a missing some obvious explanation as to
> > why this is not possible, or have I just misconfigured something? Any
> > hints where I should look?
> >
> > Is there a better way to set up replication to avoid this?
>
> a) Use delta-syncrepl
> b) Ensure you have a large sessionlog setting (See ITS#8125, ITS#8486)
>
> Warm regards,
> Quanah
Thanks - You too.
In my case, the present phase is not really useful, since this particular ldap instance only ever adds and modifies entries, never deletes. Would it then be possible to skip it?
- Ole.
Slapd generate SQL by PostgreSQL based syntax
by 横山善行
Hi
I use openldap slapd 2.4.40 + MySQL 5.5 as back-sql on CentOS 6.9.
It seems slapd generates PostgreSQL-based SQL syntax.
Here is the error message for ldapsearch -x -b "dc=example,dc=com" '(objectClass=*)':
5b70e25c <==backsql_srch_query() returns SELECT DISTINCT ldap_entries.id,eduperson.id,text('inetOrgPerson') AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,eduperson WHERE eduperson.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND 9=9 AND 3=3
5b70e25c Constructed query: SELECT DISTINCT ldap_entries.id,eduperson.id,text('inetOrgPerson') AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,eduperson WHERE eduperson.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND 9=9 AND 3=3
5b70e25c id: '3'
5b70e25c backsql_oc_get_candidates(): error executing query
5b70e25c Return code: -1
5b70e25c nativeErrCode=1064 SQLengineState=37000 msg="[unixODBC][MySQL][ODBC 5.1 Driver][mysqld-5.5.57]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('inetOrgPerson') AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,edupers' at line 1"
5b70e25c send_ldap_result: conn=1000 op=1 p=3
5b70e25c send_ldap_result: err=80 matched="" text=""
5b70e25c send_ldap_response: msgid=2 tag=101 err=80
I get the same message when I execute the query below from the MySQL console.
I can see text('inetOrgPerson') in the SQL which was generated by slapd; however, MySQL doesn't support the text() function in its SQL.
When I use PostgreSQL as back-sql it works properly.
Is it a bug or a setting error for some directives?
#########################################
Japan Construction Information Center (JACIC), General Incorporated Foundation
In charge of the Construction By-products and Surplus Soil Information Exchange System
Secretariat, International Civil Engineering Committee
Systems Engineering Department
横山 善行
Tel 03-3505-2661 FAX 03-3589-6258
mail yokoyamy(a)jacic.or.jp
########################################
How to make ldap evaluate clear text password vs DES stored password
by yokoyamy@jacic.or.jp
Hi.
I have user information in an RDB which includes user-id and password sets.
I've been trying to use this RDB as the backend database for an openldap server.
Now, I can find user information in the RDB through openldap.
However, I recognized I can't use this user information for the ldap login certification process.
LDAP's userPassword stored in the RDB has already been DES hashed by the original app. On the other hand, the input password from the ldapsearch command line is CLEARTEXT.
Now I'd like my openldap to change the CLEARTEXT input password into DES hashed text so that they'll match for certification.
I've asked on the stackoverflow web site how to do that by server settings, but I couldn't find proper directives to set:
How to make ldap evaluate clear text password vs DES stored password
Since then, I've been searching the LDAP source files for where the input password from the ldapsearch command line is matched against the userPassword stored in the backend RDB for slapd.
I'd like to change the certification process in the LDAP source to make the input password DES hashed, using 2 characters of userPassword as its SALT.
I already know that the 2 characters at the beginning of userPassword were used as its SALT when it was hashed.
So the fact is, my slapd can read userPassword from the RDB. I think I'll be able to find out what the SALT is to make the input password into DES hashed text.
If I can make openldap act this way, I can use the users' information in the RDB for ldap login seamlessly.