openldap-technical February 2020

openldap-technical@openldap.org

26 participants
36 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Q: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
by Ulrich Windl 22 Jul '20

22 Jul '20

Hi! After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted. The next line logged was: slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389) (the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice) The server is one of three MM servers that all have the same configuration and the same version. The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) What I'l like to know: Is there any thing I could fix in the configuration to make the message go away, or is it some software issue in slapd? Regards, Ulrich

4 10

back-ldap SASL proxy authorization
by Dieter Bocklandt 04 Mar '20

04 Mar '20

Hi! We have a fairly standard OpenLDAP setup (on 2.4.49) running well, where our replica instances chain writes back to the master using the chain overlay. Relevant bits of configuration we're using below: dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: {0}chain olcChainCacheURI: FALSE olcChainMaxReferralDepth: 1 olcChainReturnError: TRUE dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbIDAssertBind: mode=self flags=override,prescriptive tls_reqcert=never bindmethod=sasl saslmech=plain authcID=proxy credentials=XXXXX olcDbRebindAsUser: TRUE olcDbChaseReferrals: TRUE olcDbProxyWhoAmI: TRUE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 8 olcDbSessionTrackingRequest: TRUE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbIdleTimeout: 5 . . . dn: cn=proxy,ou=System,dc=example,dc=net cn: proxy objectClass: simpleSecurityObject objectClass: organizationalRole userPassword: XXXXX authzTo: {0}dn.regex:^uid=[^,],ou=People,dc=example,dc=net$ Above works great, with the client identity being authorized through the ProxyAuthz control. However, we also have a service using SASL proxy authorization, in which case the authcid is used in the ProxyAuthz instead of the authorized authzid. Ldapwhoami works as expected and the username mentioned in the session tracking request (visible in the producer's logs) is actually the authzdn (being cn=enduser,ou=People,dc=example,dc=net in this example, whereas cn=service,ou=system,dc=internal,dc=machines is the authcdn): ldapwhoami -H ldaps://$(cat /etc/service_hostname) -U service -X dn:cn=enduser,ou=People,dc=example,dc=net -Y PLAIN SASL/PLAIN authentication started Please enter your password: SASL username: dn:cn=enduser,ou=People,dc=example,dc=net SASL SSF: 0 dn:cn=enduser,ou=People,dc=example,dc=net Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 PROXYAUTHZ dn="cn=service,ou=system,dc=internal,dc=machines" Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] MOD dn="uid=sys.cp.test,ou=People,dc=internal,dc=machines" Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] MOD attr=klarnaItNote Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] RESULT tag=103 err=0 text= Am I misunderstanding how this is supposed to work, am I hitting a certain limitation or maybe a bug? Let me know if you need any more details! Thanks! Dieter Bocklandt

2 1

ldap_sasl_interactive_bind_s: Local error (-2) for SASL/GSS-SPNEGO
by Debashis Chaki 02 Mar '20

02 Mar '20

Hi , I have installed openldap but I am getting the following error while executing some basic command using SASL/GSS-SPNEGO authentication Where as SASL/EXTERNAL authentication working perfectly. [root@dtgldap103 LdapCfg]# ldapsearch SASL/GSS-SPNEGO authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate) [root@dtgldap103 LdapCfg]# ldapwhoami SASL/GSS-SPNEGO authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate) [root@dtgldap103 LdapCfg]# ldapsearch -LLL -s base -b '' '(objectClass=*)' + SASL/GSS-SPNEGO authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate) [root@dtgldap103 LdapCfg]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=config SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: olcDatabase=config # requesting: ALL # # {0}config, config dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by * none # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root@dtgldap103 openldap]# rpm -qa | grep ldap sssd-ldap-1.15.2-50.el7_4.2.x86_64 openldap-clients-2.4.44-5.el7.x86_64 openldap-servers-sql-2.4.44-5.el7.x86_64 openldap-servers-2.4.44-5.el7.x86_64 compat-openldap-2.3.43-5.el7.x86_64 openldap-devel-2.4.44-5.el7.x86_64 openldap-2.4.44-5.el7.x86_64 nss-pam-ldapd-0.8.13-8.0.1.el7.x86_64 Please help me how can I get out of this issue ? I am not able to proceed further for our openldap project without that. Please let me know if you need any more details. Thanks & Regards <http://www.proquest.com/> Debashis Chaki ProQuest | The Quorum, Barnwell Road | Cambridge | CB5 8SW | UK debashis.chaki(a)proquest.com tel: +44 (0)1223 271257 Better research. Better learning. Better insights.

2 3

commit vs abort
by Sam Dave 29 Feb '20

29 Feb '20

Hi,What is the difference between mdb_txn_commit() and mdb_txn_abort() for read-only transactions? Thank you, Samuel

2 1

With MDB Openldap seems to be pretty slower in Windows
by Vijay Kumar 28 Feb '20

28 Feb '20

Hi Team, Can you please share your inputs / suggestions on performance to increase the openldap with MDB in windows slowness.? We have a 110 users data by performance testing, where we observed slowness for windows 10 OS. If there any suggestions on tuning side, please let me know. Thank you. -- Thanks & Regards, Vijay Kumar *+91-94944 44009*

2 2

Antw: [EXT] With MDB Openldap seems to be pretty slower in Windows
by Ulrich Windl 28 Feb '20

28 Feb '20

>>> Vijay Kumar <pasumarthivijaykumar(a)gmail.com> schrieb am 28.02.2020 um 07:45 in Nachricht <15622_1582872629_5E58B835_15622_1813_1_CAKgG+3fagqROY8n5q_gpUZtzK1R10PJ+N1H=Zhx Sx0-RzgrHg(a)mail.gmail.com>: > Hi Team, > > Can you please share your inputs / suggestions on performance to increase > the openldap with MDB in windows slowness.? > > We have a 110 users data by performance testing, where we observed slowness > for windows 10 OS. Actually I'm observing Windows 10 slowness all the time even without running OpenLDAP ;-) Booting alone is about five times as long as for Windows 7 and with classical hard disks it's effectively unusable. Regards, Ulrich

1 0

Re: Cannot configure TLS
by jean-christophe manciot 27 Feb '20

27 Feb '20

I have not mentioned that my let's encrypt certificate is not SAN but wildcard. On Thu, Feb 27, 2020 at 1:10 PM jean-christophe manciot <actionmystique(a)gmail.com> wrote: > > Hi everyone, > > On Ubuntu 20.04 > slapd 2.4.49+dfsg-1ubuntu1 > with /etc/ldap/tls.ldif: > -------------------------- > dn: cn=config > changetype: modify > add: olcTLSCertificateFile > olcTLSCertificateFile: /etc/ssl/domain.crt > - > add: olcTLSCertificateKeyFile > olcTLSCertificateKeyFile: /etc/ssl/domain_priv_key.pem.decrypted > - > add: olcTLSCACertificateFile > olcTLSCACertificateFile: /etc/ssl/letsencrypt_root_intermediate_bundle.pem > > - All files are readable by openldap user. > - domain.crt is in pem format > - letsencrypt_root_intermediate_bundle.pem contains isrgrootx1.pem + > letsencryptauthorityx3.pem > -------------------------- > Yet, if I run: > ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f tls.ldif > > I get in the logs: > -------------------------- > daemon: read active on 12 > daemon: epoll: listen=8 active_threads=0 tvp=zero > daemon: epoll: listen=9 active_threads=0 tvp=zero > daemon: epoll: listen=10 active_threads=0 tvp=zero > daemon: activity on 1 descriptor > conn=1001 op=1 MOD dn="cn=config" > daemon: activity on: > conn=1001 op=1 MOD attr=olcTLSCertificateFile olcTLSCertificateKeyFile > olcTLSCACertificateFile > > => access_allowed: result not in cache (olcTLSCertificateFile) > => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested > daemon: epoll: listen=8 active_threads=0 tvp=zero > => acl_get: [1] attr olcTLSCertificateFile > daemon: epoll: listen=9 active_threads=0 tvp=zero > => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested > daemon: epoll: listen=10 active_threads=0 tvp=zero > => acl_mask: to value by > "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0) > <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > <= acl_mask: [1] applying manage(=mwrscxd) (stop) > <= acl_mask: [1] mask: manage(=mwrscxd) > => slap_access_allowed: add access granted by manage(=mwrscxd) > => access_allowed: add access granted by manage(=mwrscxd) > => access_allowed: result not in cache (olcTLSCertificateKeyFile) > => access_allowed: add access to "cn=config" > "olcTLSCertificateKeyFile" requested > => acl_get: [1] attr olcTLSCertificateKeyFile > => acl_mask: access to entry "cn=config", attr > "olcTLSCertificateKeyFile" requested > => acl_mask: to value by > "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0) > <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > <= acl_mask: [1] applying manage(=mwrscxd) (stop) > <= acl_mask: [1] mask: manage(=mwrscxd) > => slap_access_allowed: add access granted by manage(=mwrscxd) > => access_allowed: add access granted by manage(=mwrscxd) > => access_allowed: result not in cache (olcTLSCACertificateFile) > => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested > => acl_get: [1] attr olcTLSCACertificateFile > => acl_mask: access to entry "cn=config", attr > "olcTLSCACertificateFile" requested > => acl_mask: to value by > "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0) > <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > <= acl_mask: [1] applying manage(=mwrscxd) (stop) > <= acl_mask: [1] mask: manage(=mwrscxd) > => slap_access_allowed: add access granted by manage(=mwrscxd) > => access_allowed: add access granted by manage(=mwrscxd) > conn=1001 op=1 RESULT tag=103 err=80 text= > daemon: activity on 1 descriptor > daemon: activity on: > 12r > -------------------------- > > What is going on? > My logging attributes are: conns filter config acl stats stats2 shell parse > Is there a way to get more explicit logging? > - > Jean-Christophe -- Jean-Christophe

1 0

ldapsearch with DN in CN
by Möller Lioh 26 Feb '20

26 Feb '20

Hi all, I am trying to do a ldapsearch against our Active Directory LDAPS like: ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)' The domain controllers have certificates generated with CNs like this: subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01, and a SAN defined as ldap.mydomain.ch. Yet, I got an error like: TLS: hostname (ldap.mydomain.ch) does not match common name in certificate (DC01). An interesting fact is that if the CN is set to the fqdn like dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with ldap.mydomain.ch as SAN). Isn't ldapsearch 2.4.44 capable of working with DN in subject (CN) or does it fail to lookup the SAN in such case? Greetings Lioh

4 4

Warnings in mdb.c generated by CodeSonar
by Christian Wendt 26 Feb '20

26 Feb '20

Dear List, I have run CodeSonar on a project using lmdb. I have downloaded lmdb-0.9.70.tar.gz. These warnings are a "Copy-Paste" error and "Use of memory after free". I would like to share the details to help find out whether these are real or false positives. The copy-paste warning is generated by code around lines 8870f in mdb.c. In the first block, csrc-> is used throughout, in the second block cdst-> is used, except in one line: /* Update the parent separators. */ if (csrc->mc_ki[csrc->mc_top] == 0) { if (csrc->mc_ki[csrc->mc_top-1] != 0) { if (IS_LEAF2(csrc->mc_pg[csrc->mc_top])) { key.mv_data = LEAF2KEY(csrc->mc_pg[csrc->mc_top], 0, key.mv_size); } else { srcnode = NODEPTR(csrc->mc_pg[csrc->mc_top], 0); key.mv_size = NODEKSZ(srcnode); key.mv_data = NODEKEY(srcnode); } DPRINTF(("update separator for source page %"Yu" to [%s]", csrc->mc_pg[csrc->mc_top]->mp_pgno, DKEY(&key))); mdb_cursor_copy(csrc, &mn); mn.mc_snum--; mn.mc_top--; /* We want mdb_rebalance to find mn when doing fixups */ WITH_CURSOR_TRACKING(mn, rc = mdb_update_key(&mn, &key)); if (rc) return rc; } if (IS_BRANCH(csrc->mc_pg[csrc->mc_top])) { MDB_val nullkey; indx_t ix = csrc->mc_ki[csrc->mc_top]; nullkey.mv_size = 0; csrc->mc_ki[csrc->mc_top] = 0; rc = mdb_update_key(csrc, &nullkey); csrc->mc_ki[csrc->mc_top] = ix; mdb_cassert(csrc, rc == MDB_SUCCESS); } } if (cdst->mc_ki[cdst->mc_top] == 0) { if (cdst->mc_ki[cdst->mc_top-1] != 0) { if (IS_LEAF2(csrc->mc_pg[csrc->mc_top])) { /* Copy-Paste Error [help] <http://codesonar.rd.skov.com:7340/install/codesonar/doc/html/CodeSonar.html…> This block of text appears to be a modified copy of the highlighted text. Did you intend to consistently change csrc to cdst, including here? */ key.mv_data = LEAF2KEY(cdst->mc_pg[cdst->mc_top], 0, key.mv_size); } else { srcnode = NODEPTR(cdst->mc_pg[cdst->mc_top], 0); key.mv_size = NODEKSZ(srcnode); key.mv_data = NODEKEY(srcnode); } DPRINTF(("update separator for destination page %"Yu" to [%s]", cdst->mc_pg[cdst->mc_top]->mp_pgno, DKEY(&key))); mdb_cursor_copy(cdst, &mn); mn.mc_snum--; mn.mc_top--; /* We want mdb_rebalance to find mn when doing fixups */ WITH_CURSOR_TRACKING(mn, rc = mdb_update_key(&mn, &key)); if (rc) return rc; } if (IS_BRANCH(cdst->mc_pg[cdst->mc_top])) { MDB_val nullkey; indx_t ix = cdst->mc_ki[cdst->mc_top]; nullkey.mv_size = 0; cdst->mc_ki[cdst->mc_top] = 0; rc = mdb_update_key(cdst, &nullkey); cdst->mc_ki[cdst->mc_top] = ix; mdb_cassert(cdst, rc == MDB_SUCCESS); } } The second error is triggered by the loop freeing loose pages at line 3451 in mdb.c: NEXT_LOOSE_PAGE(mp) would access memory that is freed before, if mp points to an overflow page with more than one page allocated. If this is never the case, then maybe mdb_page_free() should be called on mp directly? for (; mp; mp = NEXT_LOOSE_PAGE(mp)) { /* Use After Free [help] <http://codesonar.rd.skov.com:7340/install/codesonar/doc/html/CodeSonar.html…> The memory pointed to by mp was freed at mdb.c:2047 and is read from here. */ mdb_midl_xappend(txn->mt_free_pgs, mp->mp_pgno); /* must also remove from dirty list */ if (txn->mt_flags & MDB_TXN_WRITEMAP) { for (x=1; x<=dl[0].mid; x++) if (dl[x].mid == mp->mp_pgno) break; mdb_tassert(txn, x <= dl[0].mid); } else { x = mdb_mid2l_search(dl, mp->mp_pgno); mdb_tassert(txn, dl[x].mid == mp->mp_pgno); } dl[x].mptr = NULL; mdb_dpage_free(env, mp); mdb_dpage_free(MDB_env *env, MDB_page *dp) { if (!IS_OVERFLOW(dp) || dp->mp_pages == 1) { mdb_page_free(env, dp); } else { /* large pages just get freed directly */ VGMEMP_FREE(env, dp); free(dp); } } I hope you can follow these descriptions, I can provide more detail if needed. I would like to get some help figuring out how to resolve these warnings. Best regards, Christian Wendt Software developer Ext: +45 7217 5943 ______________________________________ SKOV A/S Hedelund 4, Glyngoere, 7870 Roslev, Denmark Tel.: +45 7217 5555 - Fax: +45 7217 5959 www.skov.com<http://www.skov.com/>

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2020