openldap-technical October 2020

openldap-technical@openldap.org

19 participants
24 discussions

ACL not behaving as I would expect
by Scott Classen 03 Oct '20

03 Oct '20

Hello, I’m having trouble understanding why I can’t get a service account to reset a userPassword attribute. ACLs are: {0}to attrs=userPassword by self write by anonymous auth by * none {1}to * by self write by users read by dn.base="uid=pwreset,dc=example,dc=com" write by * none But when the password reset utility attempts to modify the password I see the following 50 error, indicating that the ACL is somehow preventing the pwreset account from modifying userPassword Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 fd=22 ACCEPT from IP=192.168.1.104:52888 (IP=0.0.0.0:389) Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=0 STARTTLS Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=0 RESULT oid= err=0 text= Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 fd=22 TLS established tls_ssf=256 ssf=256 Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=1 BIND dn="uid=pwreset,dc=example,dc=com" method=128 Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=1 BIND dn="uid=pwreset,dc=example,dc=com" mech=SIMPLE ssf=0 Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=1 RESULT tag=97 err=0 text= Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=username))" Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=3 MOD dn="uid=username,ou=People,dc=example,dc=com" Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=3 MOD attr=userPassword Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=3 RESULT tag=103 err=50 text= Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 op=4 UNBIND Oct 1 14:53:00 bl1231 slapd[10782]: conn=1036 fd=22 closed I’ve also tried with this ACL combination: {0}to attrs=userPassword by self write by anonymous auth by dn.base="uid=pwreset,dc=example,dc=com" write by * none {1}to * by self write by users read by * none Any advice would be greatly appreciated. Scott

3 7

Re: RE24 testing call #1 (OpenLDAP 2.4.54)
by Nick Folino 03 Oct '20

03 Oct '20

No problems noted on Fedora 32. On Thu, Oct 1, 2020 at 12:19 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > This is the first testing call for OpenLDAP 2.4.54. Depending on the > results, this may be the only testing call. > > Generally, get the code for RE24: > > < > https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_4/o… > > > > Extract, configure, and build. > > Execute the test suite (via make test) after it is built. Optionally, cd > tests && make its to run through the regression suite. > > Thanks! > > OpenLDAP 2.4.54 Engineering > Fixed slapd delta-syncrepl to ignore delete ops on deleted entry > (ITS#9342) > Fixed slapd delta-syncrepl to be fully serialized (ITS#9330) > Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352) > Fixed slapd sessionlog to use a TAVL tree (ITS#8486) > Fixed slapd syncrepl to be fully serialized (ITS#8102) > Fixed slapd syncrepl to call check_syncprov on fresh consumer > (ITS#9345) > Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov > (ITS#9355) > Fixed slapd syncrepl to not create empty ADD ops (ITS#9359) > Fixed slapd syncrepl replace usage on single valued attrs (ITS#9295) > Fixed slapd-monitor fix monitor_back_register_database for empty > suffix > DB (ITS#9353) > Fixed slapo-accesslog normalizer for reqStart (ITS#9358) > Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015) > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

Re: RE24 testing call #1 (OpenLDAP 2.4.54)
by Nick Folino 02 Oct '20

02 Oct '20

oops. Yes I did. Sorry. Nick On Thu, Oct 1, 2020 at 1:27 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Thursday, October 1, 2020 2:21 PM -0400 Nick Folino <nick(a)folino.us> > wrote: > > > > > --enable-monitor is missing from configure > > > > > > configure: WARNING: unrecognized options: --enable-monitor > > It appears you grabbed openldap trunk and not the RE24 branch. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

Re: RE24 testing call #1 (OpenLDAP 2.4.54)
by Nick Folino 02 Oct '20

02 Oct '20

--enable-monitor is missing from configure configure: WARNING: unrecognized options: --enable-monitor Nick On Thu, Oct 1, 2020 at 12:19 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > This is the first testing call for OpenLDAP 2.4.54. Depending on the > results, this may be the only testing call. > > Generally, get the code for RE24: > > < > https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_4/o… > > > > Extract, configure, and build. > > Execute the test suite (via make test) after it is built. Optionally, cd > tests && make its to run through the regression suite. > > Thanks! > > OpenLDAP 2.4.54 Engineering > Fixed slapd delta-syncrepl to ignore delete ops on deleted entry > (ITS#9342) > Fixed slapd delta-syncrepl to be fully serialized (ITS#9330) > Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352) > Fixed slapd sessionlog to use a TAVL tree (ITS#8486) > Fixed slapd syncrepl to be fully serialized (ITS#8102) > Fixed slapd syncrepl to call check_syncprov on fresh consumer > (ITS#9345) > Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov > (ITS#9355) > Fixed slapd syncrepl to not create empty ADD ops (ITS#9359) > Fixed slapd syncrepl replace usage on single valued attrs (ITS#9295) > Fixed slapd-monitor fix monitor_back_register_database for empty > suffix > DB (ITS#9353) > Fixed slapo-accesslog normalizer for reqStart (ITS#9358) > Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015) > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2020