openldap-technical March 2020

openldap-technical@openldap.org

22 participants
27 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Q: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
by Ulrich Windl 22 Jul '20

22 Jul '20

Hi! After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted. The next line logged was: slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389) (the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice) The server is one of three MM servers that all have the same configuration and the same version. The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) What I'l like to know: Is there any thing I could fix in the configuration to make the message go away, or is it some software issue in slapd? Regards, Ulrich

4 10

pwdChangedTime not defined when creating new entry
by Manuela Mandache 05 Jun '20

05 Jun '20

Hello all, We have a directory running on OpenLDAP 2.4.44 with the ppolicy overlay on the main database. When a new entry with a userPassword defined is created, pwdChangedTime is not defined, so this initial userPassword never expires. The directory has been migrated from its OpenLDAP 2.3.34 instance (yes, we missed some steps...), and there the pwdChangedTime is set, and naturally equal to createTimestamp. The overlay is configured as follows: dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {2}ppolicy olcPPolicyDefault: ou=ppolicy,dc=example,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE Is there a parameter I missed which would switch on setting pwdChangedTime at entry creation? Do I have to provide some other configuration elements? Or is it unreasonable to expect this initialisation of the attribute this way, and only a password change can set it? I think the setting at creation is rather handy... Using pwdMustChange would be difficult, we have a lot of client apps which would be forced to check and probably adapt their authentication procedures. Thank you and regards, Manuela Sent with [ProtonMail](https://protonmail.com) Secure Email.

5 11

Re: NetworkRadius CentOS pkg uses openldap-ltb which conflict with symas-openldap
by Dave Macias 02 Apr '20

02 Apr '20

On Thu, Mar 26, 2020 at 3:44 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > Try it and see? I can't find any concrete documentation one way or the > other, although it seems BuildRequires generally follows what Requires > does. You may need to ask the people who maintain RPM. > > There are other issues in the spec file, however, like: > > --with-libfreeradius-ldap-include-dir=/usr/local/openldap/include \ > --with-libfreeradius-ldap-lib-dir=/usr/local/openldap/lib64 \ > > are specific to LTB, might want to do something like they did around line > 447 to only do this if the LTB openldap is in use. > Awesome! Thank you very much for the input! Will report how things go -Dave

2 2

AD proxy / CAPITAL letters in attributes
by Kevin Olbrich 31 Mar '20

31 Mar '20

Hi! How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? I know they should be case insensitive but I had to debug Rocketchat for two hours to find, they use sAMAccountName (case sensitive) and the app crashed because mine was named SAMACCOUNTNAME. (I will open a bug there but I bet there is a lot of broken SW). Kind regards Kevin

3 6

NetworkRadius CentOS pkg uses openldap-ltb which conflict with symas-openldap
by Dave Macias 26 Mar '20

26 Mar '20

Good day Everyone, Back Story: We wanted to install the latest release of Freeradius from NetworkRadius and got a conflict. See post: http://lists.freeradius.org/pipermail/freeradius-users/2020-March/097718.ht… Their response was of course, figure it out and fix it yourself, which I have no problem with. I personally never compiled a rpm file before but i think i have an idea of what needs to be adjusted on their specs file. Wanted to run my changes by you guys, if you could please kindly review.... https://github.com/davama/freeradius-server/commit/7fa0f49e25de874bb5034584… https://github.com/davama/freeradius-server/commit/dab208186d440196c297821f… Not too sure if "BuildRequires" uses the same syntax but "Requires" does, at least what it says here: https://rpm.org/user_doc/boolean_dependencies.html Hope it's clear. Please let me know, if you need any info from me. Any input is much appreciated! Thank you, Dave

3 3

OpenLDAP-Proxy in front of AD - Non-DN bind
by Kevin Olbrich 26 Mar '20

26 Mar '20

Hi! I'm new to OpenLDAP / Slapd and try to integrate it into our AD setup. I followed this howto: https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD ... and ended up with this config: https://bitbucket.org/code-orange/django-cdstack-tpl-openldap-proxy/src/mas… Proxy mode works fine, I can bind with DN and password. So far so good. TLS works perfectly. On AD, I can bind using either domain\username or username(a)example.com. Can I enable this again for my proxy? Atm this does not work: Invalid DN-Syntax, invalid DN. I try to provide a secure way to connect a remove machine to our AD to read the contacts (a pbx). Using the DN worked for some devices but some have issues because of the length. If the DN is several OUs deep, the string is to long. Thats why I would like to allow the sAMAccountName as username (or USN, etc.). How can I solve this? Do I need SASL for this? Thank you very much! Kind regards Kevin

1 0

issues while modifying the LDAP on Production
by Guni Hanchate 25 Mar '20

25 Mar '20

Hi, we are getting some issues while modifying the LDAP on Production. We restarted LDAP instance but same issue persist. I request you to suggest on this . Let us know if you need any further information . I can read an entry From Cricetid via the VirtIP [u5356968@cricetid ~]$ldapsearch -x -LLL -h 192.168.154.33 -b "o=mobistar.be" "uid=u5356968" cn dn: uid=u5356968,ou=Techmahindra,ou=Partners,o=mobistar.be cn: DEMOULIN Philippe From Mousedeer to Mousedeer u5356968@mousedeer # ldapsearch -x -LLL -p 3898 -h 192.168.154.97 -b "o=mobistar.be" "uid=u5356968" cn dn: uid=u5356968,ou=Techmahindra,ou=Partners,o=mobistar.be cn: DEMOULIN Philippe But we cannot modify the entry. u5356968@mousedeer # ldapmodify -p 3898 -h 192.168.154.97 -D"cn=directory manager, o=mobistar.be" -w8ZQ7HUJS dn: uid=013tes3477,ou=Dealer Users,ou=Partners,o=mobistar.be changetype: add add: mail mail: 013test.test_osp_fr_hq(a)orange.be adding new entry "uid=013tes3477,ou=Dealer Users,ou=Partners,o=mobistar.be" ldap_add: Undefined attribute type (17) additional info: add: attribute type undefined This is the error I get: Error while executing LDIF - [LDAP: error code 17 - Undefined Attribute Type] java.lang.Exception: [LDAP: error code 17 - Undefined Attribute Type] at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1280) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$600(DirectoryApiConnectionWrapper.java:109) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$4.run(DirectoryApiConnectionWrapper.java:726) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1109) at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.modifyEntry(DirectoryApiConnectionWrapper.java:748) at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdifRecord(ImportLdifRunnable.java:514) at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdif(ImportLdifRunnable.java:272) at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.executeLdif(ExecuteLdifRunnable.java:157) at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.run(ExecuteLdifRunnable.java:123) at org.apache.directory.studio.ldapbrowser.core.jobs.UpdateEntryRunnable.run(UpdateEntryRunnable.java:59) at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:112) at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121) [LDAP: error code 17 - Undefined Attribute Type]

3 4

logging through systemd-journald is bottleneck
by Markus.Storm＠t-systems.com 20 Mar '20

20 Mar '20

Dear all, we're currently testing performance of OpenLDAP on Oracle/RedHat Linux and quite unexpected actually hit systemd-journald to be a bottleneck. While OpenLDAP happily makes use of all available CPUs, that one is single threaded, braking everything. The only way around I have found is to set olcLoglevel to 0, speeding up my test run by a factor of 6(!). That now of course is not an option to use in production. I'd happily directly write to a file as I did in the old days but I cannot get olcLogfile to work. And even if I was able to get there, how do I stop OpenLDAP from logging to syslogd (which is inevitably forwarding everything to system-journald ....) ? Can anyone give advice how to handle this ? Any hint appreciated (short of "get a decent OS" - that is not an option). Thanks, Markus

3 3

Antw: [EXT] Re: logging through systemd-journald is bottleneck
by Ulrich Windl 19 Mar '20

19 Mar '20

>>> Dieter Klünter <dieter(a)dkluenter.de> schrieb am 18.03.2020 um 19:57 in Nachricht <30206_1584557842_5E726F12_30206_1570_1_20200318195706.1d992aa0(a)pink.fritz.box>: > Am Wed, 18 Mar 2020 17:16:53 +0000 > schrieb <Markus.Storm(a)t-systems.com>: > >> Dear all, >> >> we're currently testing performance of OpenLDAP on Oracle/RedHat >> Linux and quite unexpected actually hit systemd-journald to be a >> bottleneck. While OpenLDAP happily makes use of all available CPUs, >> that one is single threaded, braking everything. The only way around >> I have found is to set olcLoglevel to 0, speeding up my test run by a >> factor of 6(!). That now of course is not an option to use in >> production. I'd happily directly write to a file as I did in the old >> days but I cannot get olcLogfile to work. And even if I was able to >> get there, how do I stop OpenLDAP from logging to syslogd (which is >> inevitably forwarding everything to system-journald ....) ? Can >> anyone give advice how to handle this ? Any hint appreciated (short >> of "get a decent OS" - that is not an option). > > I support Qanah's advice! > Beside this, consider a logging strategy based on required information > and neglected information, as well as min. and max. server load. > > Based on my experience I would disable logging as default, but enable > logging for a short given time, just a modify operation on atribute > olcLogLevel. > With regard to journald I advice to define filters, see man > journalctl(1). > If syslog is a requirement, change to rsyslog. Don't make use of > logstash! Can't openLDAP simply log to a different port than the default syslog port? If so, just set up some alternate local syslog server. Or, in case an external syslog server is supported, just use one that isn't using systemd-journald. Sorry, I neved had the need to use a different syslog mechanism... > > -Dieter > > -- > Dieter Klünter | Systemberatung > http://sys4.de > GPG Key ID: E9ED159B > 53°37'09,95"N > 10°08'02,42"E

4 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2020