openldap-technical December 2020

openldap-technical@openldap.org

21 participants
22 discussions

Multiple memberOf overlays
by John C. Pfeifer 05 Aug '25

05 Aug '25

I am in the process of converting an existing LDAP infrastructure to OpenLDAP. I have a case where it would be convenient for two different objectClasses to map into the memberOf attribute. Is it possible to define two overlay configs or will they end up fighting each other over the memberOf attribute? For instance: dn: olcOverlay={5}memberofA,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {5}memberofA olcMemberOfDangling: error olcMemberOfRefInt: FALSE olcMemberOfGroupOC: objectClassA olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf dn: olcOverlay={6}memberofB,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {6}memberofB olcMemberOfDangling: error olcMemberOfRefInt: FALSE olcMemberOfGroupOC: objectClassB olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf // John Pfeifer Division of Information Technology University of Maryland, College Park

4 3

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Index seems to return wrong amount of candidate causing really poor search performance
by chrichardso27＠gmail.com 18 Aug '21

18 Aug '21

Hi, Considering the following assumptions; - OpenLDAP version 2.4.51 - attributes objectClass and abc are indexed based on equality - the EQUALITY of attribute abc is based on distinguishedNameMatch - The database contains roughly 2 million entries - 2 entries have defined the attribute abc with a dn value cn=foo,dc=bar and objectClass=someClass - 2 entries have defined the attribute abc with a dn value cn=bar,dc=baz and objectClass=someClass Now, the issue started with really slow search performance using objectClass=someClass & abc=cn=foo,dc=bar as filter criteria. Debugging a while seems to indicate that the objectClass filter returns roughly 2 million entries as candidates. Now, one would expect that the second filter would return only the 2 potential candidates from the abc index, or a subset of the whole database but this is not the case. The second filter also returns nearly the whole database entries as potential candidates and causes really slow query performance. Interestingly, this only occurs when attribute abc has value cn=foo,dc=bar, but for some reason for the entry having attribute abc with value cn=bar,dc=baz the query returns immediately. In both cases, the actual entries matching the search return immediately but for the problematic search "(&(objectClass=someClass)(abc=cn=foo,dc=bar))", the completion of the search takes a long time (around 15 seconds to be precise). The issue started suddenly and wasn't a degradation of query performance over time. Few things I have tried - Rebuilt the whole database again - Reindex the existing database again - Testing with bdb and mdb as backends - Increased cache sizes for bdb to hold the whole database in cache - For bdb adjust the page size of the indexes according to suggestion by db_tuner - Change the order of the filters None of these made any difference. At the moment, there does not seem to be any good options to try. Any ideas or help would be greatly appreciated!

6 18

Use-case specific changes to LMDB
by martin＠urbackup.org 22 Jan '21

22 Jan '21

This post outlines a few changes to LMDB I had to do to make it work in a specific use case. I’d like to see those changes upstream, but I understand that they may be/are not relevant for e.g. OpenLDAP. The use case is multiple databases on disks with long running large write transactions. 1. Option to not use custom memory allocator/page pool LMDB has a custom malloc() implementation that re-uses pages (me_dpages). I understand that this improves the performance at bit (depending on the malloc implementation). But there should at least be the option to not do that (for many reasons). I would even make not using it the default. 2. Large transactions and spilling In a large write transaction, it will use a lot of memory per default (512MiB) which won’t get freed when the transaction commits (see 1.). If one has a lot of databases it uses a lot of memory that never gets freed. Alternatively, one can use MDB_WRITEMAP, but (i) per default Linux isn’t tuned to delay writing pages to disk and (ii) before commit LMDB has to remove a dirty bit, so each page is written twice. Both problems would be fixed by making when pages get spilled configurable (mt_dirty_room as MDB_IDL_UM_MAX currently) and reducing the default non-spill memory amount for at least the MDB_WRITEMAP case. If this memory amount is low mt_spill_pgs gets sorted often so maybe this needs to be converted to a different data structure (e.g. red-black tree). 3. LMDB causes crashes if database is corrupted If the database is corrupted it can cause the application to crash. I have fixed those cases when they (randomly) occurred. Properly fixing this would probably be best done with some fuzzing. 4. Allow LMDB to reside on a device I used dm-cache to improve LMDB read performance. It needed a bit of adjustment to get the correct size of the device via ioctl BLKGETSIZE64. -- I’ve fixed those issues w.r.t. my application. If there is interest in any of those application specific changes, I’ll clean them up and post them.

4 6

How to clear a certificate from openldap cache - Client Side
by divyachauhan01.dc＠gmail.com 28 Dec '20

28 Dec '20

Divyanshi Chauhan <divyachauhan01.dc(a)gmail.com> 1:33 PM (3 hours ago) to openldap-technical-owner, openldap-devel-owner, openldap-bugs-owner Hello, I have an ldaps client code which connects to the ldap server securely and does authentication. I have set the global option for ca cert directory. int res = ldap_set_option(0, LDAP_OPT_X_TLS_CACERTFILE, const_cast<char*>("path")); Correct certificate is present in the path and hence connection to the ldap server and authentication is successful in first attempt. Now, as per one of the requirements, the certificate is removed from the above client directory and authentication is attempted, we want it to fail as the certificate is deleted from the directory. But still the bind to ldap server and authentication is happening successfully. It should ideally fail as per my understanding. I did try removing the certificate from memory using following option: char * crt; ldap_get_option(0, LDAP_OPT_X_TLS_CACERTFILE, (void*)&crt); ldap_memfree(crt); I am not sure if the above way is correct or not, please advise. I also did try forcing to look for ca certificate using following option: int reqcert = LDAP_OPT_X_TLS_HARD; ldap_set_option(0, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert); But this also did not help. Please suggest how a certificate, which is once loaded can be deleted from the openldap cache. Also please advise if I am doing something wrong in the above approach.

2 3

Using supportedControl 1.3.6.1.4.1.4203.1.10.1 (Subentries) - critical extension is unavailable 12
by Gavin Henry 27 Dec '20

27 Dec '20

Hi all, I'm doing this for a supportControl subentry delete: https://metacpan.org/pod/Net::LDAP::Control like so: my $subentry_ctrl = Net::LDAP::Control->new( type => '1.3.6.1.4.1.4203.1.10.1', value => 'Subentries', critical => 1 ); my $deleted = $c->model('LDAPContacts')->delete( q{ou=Contacts,} . $user_dn, control => [ $subentry_ctrl ] ); if ( $deleted->code ) { $c->error( qq{Failed to delete LDAP contact entries for: $user_dn} . $deleted->error . q{ Code: } . $deleted->code ); return 0; } and I'm getting: Dec 22 12:53:57 gabriel slapd[31511]: conn=1110022 op=2 SRCH attr=dn Dec 22 12:53:57 gabriel slapd[31511]: conn=1110022 op=2 ENTRY dn="xxxx" Dec 22 12:53:57 gabriel slapd[31511]: conn=1110022 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000010 etime=0.001015 nentries=1 text= Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 fd=435 ACCEPT from IP=xxx:51082 (IP=0.0.0.0:389) Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=0 STARTTLS Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=0 RESULT oid= err=0 qtime=0.000007 etime=0.000038 text= Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 fd=435 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384 Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=1 BIND dn="xxx" method=128 Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=1 BIND dn="xxx" mech=SIMPLE ssf=0 Dec 22 12:53:57 gabriel slapd[31511]: conn=1110023 op=1 RESULT tag=97 err=0 qtime=0.000017 etime=0.000116 text= Dec 22 12:53:58 gabriel slapd[31511]: conn=1110023 op=2 RESULT tag=107 err=12 qtime=0.000014 etime=0.000274 text=critical extension is unavailable Dec 22 12:53:58 gabriel slapd[31511]: conn=1110023 op=2 do_delete: get_ctrls failed Any ideas? Using ldapdelete with -r works as the same user (so not my ACLs), but I note in the logs that it is doing a base search for subentries and deleting each one. What am I misunderstanding here? Thanks, Gavin.

1 1

Bind using External/Client certificate not working - slapd returns binding in progress..
by dumitru s 27 Dec '20

27 Dec '20

Hi all, I'm using openldap/slapd as a ldap server (using libsasl2-2 & related modules for sasl auth) on ubuntu and trying to get a client to authenticate/bind using external/client certificate. I'm using two clients - one is a native C client using windows winldap native library and one is based on a different client ldap library (i.e. not using winldap or openldap native libraries). The client based on winldap works fine, but not the other one. This is what I can see in the slapd logs for the two cases: - the one which works fine via winldap 5fe876d4 conn=1000 op=0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (m) ber: ber_scanf fmt (}}) ber: 5fe876d4 >>> dnPrettyNormal: <> 5fe876d4 <<< dnPrettyNormal: <>, <> 5fe876d4 do_bind: dn () SASL mech EXTERNAL 5fe876d4 ==>slap_sasl2dn: converting SASL name email=test(a)test.com,cn=example,ou=example,o=example,st=anystate,c=us to a DN 5fe876d4 ==> rewrite_context_apply [depth=1] string='email=test(a)test.com,cn=example,ou=example,o=example,st=anystate,c=us' 5fe876d4 ==> rewrite_rule_apply rule='email=test(a)test.com,cn=example,ou=example,o=example,st=anystate,c=us' string='email=test(a)test.com,cn=example,ou=example,o=example,st=anystate,c=us' [1 pass(es)] 5fe876d4 ==> rewrite_context_apply [depth=1] res={0,'cn=test,dc=example,dc=com'} 5fe876d4 slap_parseURI: parsing cn=test,dc=example,dc=com ldap_url_parse_ext(cn=test,dc=example,dc=com) 5fe876d4 >>> dnNormalize: <cn=test,dc=example,dc=com> 5fe876d4 <<< dnNormalize: <cn=test,dc=example,dc=com> 5fe876d4 <==slap_sasl2dn: Converted SASL name to cn=test,dc=example,dc=com 5fe876d4 slap_sasl_getdn: dn:id converted to cn=test,dc=example,dc=com 5fe876d4 SASL Authorize [conn=1000]: proxy authorization allowed authzDN="" 5fe876d4 send_ldap_sasl: err=0 len=-1 5fe876d4 do_bind: SASL/EXTERNAL bind: dn="cn=test,dc=example,dc=com" sasl_ssf=0 5fe876d4 send_ldap_response: msgid=1 tag=97 err=0 - the one which doesn't work 5fe87b50 conn=1001 op=0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (}}) ber: 5fe87b50 >>> dnPrettyNormal: <> 5fe87b50 <<< dnPrettyNormal: <>, <> 5fe87b50 do_bind: dn () SASL mech EXTERNAL 5fe87b50 send_ldap_sasl: err=14 len=0 5fe87b50 send_ldap_response: msgid=1 tag=97 err=14 As can be seen, the second one stops at "do_bind: dn () SASL mech EXTERNAL" and slapd just returns the binding in progress result code. Of course, the same client certificate is used in both cases. The fact that one client works fine suggests that the slapd configuration is correct. Any idea what is wrong? Can I enable any additional logs (sasl one?) to be able to see more? Thanks, Dumitru

1 0

Migrate HDB to MDB
by Pete Ashdown 20 Dec '20

20 Dec '20

I'm looking for some assistance in converting a legacy LDAP from an HDB backend to MDB. I've been unable to find any resources in how this can be executed and my attempts at using ldapmodify have failed. I'm willing to pay consulting fees if someone is available to help, or otherwise be educated if is documented somewhere. Thanks in advance.

3 3

ACL for authz-regexp
by Stefan Kania 20 Dec '20

20 Dec '20

Hello, I try to figure out which ACL I need to get the rewriting of the sasl-username working. I have in my slapd.conf the following lines: ---------- authz-regexp uid=(.+),cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?(uid=$1) ----------- If I do a "ldapwhoami" without any ACL I get what I want: ----------- ptau@provider-stat:~$ ldapwhoami SASL/GSSAPI authentication started SASL username: ptau(a)EXAMPLE.NET SASL SSF: 256 SASL data security layer installed. dn:uid=ptau,ou=users,dc=example,dc=net ----------- As soon as I include my ACLs I get: ------------ ptau@provider-stat:~$ ldapwhoami SASL/GSSAPI authentication started SASL username: ptau(a)EXAMPLE.NET SASL SSF: 256 SASL data security layer installed. dn:uid=ptau,cn=gssapi,cn=auth ------------ So the rewrite of the DN is not working anymore with ACLs. Here are the relevant part of my ACLs. (It's at the beginning of the ACLs) ------------ limits dn.exact="uid=repl-user,ou=users,dc=example,dc=net" size=unlimited time=unlimited limits dn.exact="cn=kdc,ou=kerberos-adm,dc=example,dc=net" size=unlimited time=unlimited limits dn.exact="cn=kadmin,ou=kerberos-adm,dc=example,dc=net" size=unlimited time=unlimited access to dn.base="" by * read access to dn.base="cn=subSchema" by * read access to * by dn.exact="uid=sssd-user,ou=users,dc=example,dc=net" read by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" write by dn.exact="uid=repl-user,ou=users,dc=example,dc=net" read by dn.exact="cn=kdc,ou=kerberos-adm,dc=example,dc=net" write by dn.exact="cn=kadmin,ou=kerberos-adm,dc=example,dc=net" write by dn.regex="(.+),cn=gssapi,cn=auth" auth by * break ------------ As soon as I remove the line: ------------ by dn.regex="(.+),cn=gssapi,cn=auth" auth ------------ and change the last line to: ------------- by * auth ------------- But this will make all other ACLs, after this ACLs, useless. I tried so far: by ssf=256 auth by sasl_ssf=256 auth non of the above is working So it's definitely an ACL issue, but how do I solve it? The log-File is giving me the following output: -------------- Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 fd=20 ACCEPT from IP=192.168.56.81:50728 (IP=0.0.0.0:636) Dez 20 19:22:46 provider-stat ldapwhoami[2047]: GSSAPI client step 1 Dez 20 19:22:46 provider-stat ldapwhoami[2047]: GSSAPI client step 1 Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 fd=20 TLS established tls_ssf=256 ssf=256 Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=0 BIND dn="" method=163 Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: Dez 20 19:22:46 provider-stat ldapwhoami[2047]: GSSAPI client step 1 Dez 20 19:22:46 provider-stat slapd[2038]: connection_input: conn=1004 deferring operation: binding Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=1 BIND dn="" method=163 Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: Dez 20 19:22:46 provider-stat ldapwhoami[2047]: GSSAPI client step 2 Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=2 BIND dn="" method=163 Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=2 BIND authcid="ptau" authzid="ptau" Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=2 BIND dn="uid=ptau,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=256 ssf=256 Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=2 RESULT tag=97 err=0 text= Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=3 EXT oid=1.3.6.1.4.1.4203.1.11.3 Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=3 WHOAMI Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=3 RESULT oid= err=0 text= Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=4 UNBIND Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 fd=20 closed Dez 20 19:22:46 provider-stat ldapwhoami[2047]: DIGEST-MD5 common mech free -------------- I think it had something to do with what I found in the manpage: ------------------- Some internal operations and some controls require specific access privileges. The authzID mapping and the proxyAuthz control require auth (=x) privileges on all the attributes that are present in the search filter of the URI regexp maps (the right-hand side of the authz-regexp directives). Auth (=x) privileges are also required on the authzTo attribute of the authorizing identity and/or on the au‐ thzFrom attribute of the authorized identity. In general, when an internal lookup is performed for authentication or authorization purposes, search-specific privileges (see the access requirements for the search operation illustrated above) are relaxed to auth. ------------------- But my problem here is, I'm not a native English speaker and it's hard for me to figure out what the write is telling me here :-( Any solution for the right ACL to solve the problem? Greetings Stefan

2 1

How to set cipher
by Puranjay Pradhan 17 Dec '20

17 Dec '20

I am trying to set cipher list as like below : std::string ciphers = "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA" returnCode = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, ciphers.c_str()); But, it returns an error : "TLS could not set cipher list ....." Can anyone suggest what is the right way of doing this?

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2020