openldap-technical April 2020

openldap-technical@openldap.org

33 participants
36 discussions

Multiple memberOf overlays
by John C. Pfeifer 05 Aug '25

05 Aug '25

I am in the process of converting an existing LDAP infrastructure to OpenLDAP. I have a case where it would be convenient for two different objectClasses to map into the memberOf attribute. Is it possible to define two overlay configs or will they end up fighting each other over the memberOf attribute? For instance: dn: olcOverlay={5}memberofA,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {5}memberofA olcMemberOfDangling: error olcMemberOfRefInt: FALSE olcMemberOfGroupOC: objectClassA olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf dn: olcOverlay={6}memberofB,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {6}memberofB olcMemberOfDangling: error olcMemberOfRefInt: FALSE olcMemberOfGroupOC: objectClassB olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf // John Pfeifer Division of Information Technology University of Maryland, College Park

4 3

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Q: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
by Ulrich Windl 22 Jul '20

22 Jul '20

Hi! After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted. The next line logged was: slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389) (the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice) The server is one of three MM servers that all have the same configuration and the same version. The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) What I'l like to know: Is there any thing I could fix in the configuration to make the message go away, or is it some software issue in slapd? Regards, Ulrich

4 10

pwdChangedTime not defined when creating new entry
by Manuela Mandache 05 Jun '20

05 Jun '20

Hello all, We have a directory running on OpenLDAP 2.4.44 with the ppolicy overlay on the main database. When a new entry with a userPassword defined is created, pwdChangedTime is not defined, so this initial userPassword never expires. The directory has been migrated from its OpenLDAP 2.3.34 instance (yes, we missed some steps...), and there the pwdChangedTime is set, and naturally equal to createTimestamp. The overlay is configured as follows: dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {2}ppolicy olcPPolicyDefault: ou=ppolicy,dc=example,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE Is there a parameter I missed which would switch on setting pwdChangedTime at entry creation? Do I have to provide some other configuration elements? Or is it unreasonable to expect this initialisation of the attribute this way, and only a password change can set it? I think the setting at creation is rather handy... Using pwdMustChange would be difficult, we have a lot of client apps which would be forced to check and probably adapt their authentication procedures. Thank you and regards, Manuela Sent with [ProtonMail](https://protonmail.com) Secure Email.

5 11

MDB Backend database definition
by Beker 05 May '20

05 May '20

Hello I'm getting an error while trying to use MDB backend. The section that's giving issue is the following one: ####################################################################### # LMDB database definitions ####################################################################### # dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcDbMaxSize: 1073741824 olcSuffix: dc=test,dc=local olcRootDN: cn=mdbadm,test,dc=local # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd-config(5) for details. # Use of strong authentication encouraged. olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. olcDbDirectory: /var/db/openldap-data # Indices to maintain olcDbIndex: objectClass eq with this section added to the end of slapd.ldif i get the error *5ea9641d <= str2entry: str2ad(olcDbMaxSize): attribute type undefined* while testing the import using *slapadd -v -n0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif* if i comment the offending line *olcDbMaxSize: 1073741824* then I just get an error with another line in the same section. This is a fresh install, the slapd.d folder is empty and I'm using the example slapd.ldif.sample that comes with the software (it has mdb lodaded as module by default) # # Load dynamic backend modules: # dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib/openldap #olcModuleload: back_bdb.so #olcModuleload: back_hdb.so #olcModuleload: back_ldap.so olcModuleload: back_mdb.so #olcModuleload: back_passwd.so #olcModuleload: back_shell.so Thanks in dvance for any hint or help you can provide Best regards

3 3

LDAP performance
by Technology Server 30 Apr '20

30 Apr '20

Dears, How to get a response time curve showing how fast queries are answered by each instance of LDAP ? How can we measure LDAP performance based on all possible aspects ? Regards, Tech Sever.

3 2

2.4.50 and pw-argon2
by Michael Ströder 29 Apr '20

29 Apr '20

HI! Anything special with installing the man-page of pw-argon2? It fails in openSUSE Build Service: [ 112s] mkdir -p `grep -e "^prefix =" ../../../../Makefile | cut -d= -f2`/share/man/man5 [ 112s] /usr/bin/install -m 644 slapd-pw-argon2.5 `grep -e "^prefix =" ../../../../Makefile | cut -d= -f2`/share/man/man5 [ 112s] /usr/bin/install: cannot create regular file '/usr/share/man/man5/slapd-pw-argon2.5': Permission denied [ 112s] make: *** [Makefile:70: install-man] Error 1 [ 112s] make: *** Waiting for unfinished jobs.... Ciao, Michael.

4 6

-DLDAP_USE_NON_BLOCKING_TLS (was: OpenLDAP 2.4.50 available)
by Michael Ströder 28 Apr '20

28 Apr '20

On 4/28/20 7:16 PM, project(a)openldap.org wrote: > OpenLDAP 2.4.50 is now available for download as detailed on our download page: Building with -DLDAP_USE_NON_BLOCKING_TLS now fails. It worked with 2.4.49. Ciao, Michael. --------------------------------------------- cc -g -O0 -DNDEBUG -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES -DSLAP_CONFIG_DELETE -DLDAP_USE_NON_BLOCKING_TLS -Wl,-R/usr/lib -Wl,-R/usr/lib -Wl,-R/usr/lib -Wl,-R/usr/lib -o .libs/apitest apitest.o -L/usr/lib ./.libs/libldap.so /home/michael/src/openldap-git/re24/openldap/libraries/liblber/.libs/liblber.so ../../libraries/liblber/.libs/liblber.so ../../libraries/liblutil/liblutil.a -lsasl2 -lssl -lcrypto -lcrypt -lresolv -Wl,--rpath -Wl,/opt/openldap-re24/lib64 /usr/lib64/gcc/x86_64-suse-linux/9/../../../../x86_64-suse-linux/bin/ld: ./.libs/libldap.so: undefined reference to `Debug1' /usr/lib64/gcc/x86_64-suse-linux/9/../../../../x86_64-suse-linux/bin/ld: ./.libs/libldap.so: undefined reference to `Debug3' collect2: error: ld returned 1 exit status make[2]: *** [Makefile:309: apitest] Error 1 make[2]: Leaving directory '/home/michael/src/openldap-git/re24/openldap/libraries/libldap' make[1]: *** [Makefile:296: all-common] Error 1 make[1]: Leaving directory '/home/michael/src/openldap-git/re24/openldap/libraries' make: *** [Makefile:312: all-common] Error 1

2 1

Can't delete olcAccess entries
by Gao 27 Apr '20

27 Apr '20

Hello, I am using OpenLDAP 2.4.40 on CentOS 7.6. I tried to remove 2 ACL entries and failed. I must missed something so please help me. I now have: dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=van,dc=company,dc=com olcRootDN: cn=Manager,dc=van,dc=company,dc=com olcRootPW:: e1NTSEF9cEpWbEIzOEh4UXJpcjNVSUl2enZz0sm1akt4Nnd6OTk= olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub structuralObjectClass: olcHdbConfig entryUUID: 3b7e5722-d26f-1035-8835-91213c5bb357 creatorsName: cn=config createTimestamp: 20160629180122Z olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.ba se="cn=Manager,dc=van,dc=company,dc=com" write by * none olcAccess: {1}to * by self write by dn="cn=Manager,dc=van,dc=company,dc= com" write by * read entryCSN: 20200427230612.038641Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20200427230612Z Then I created a LDIF file: # cat delete_acl.ldif dn: olcDatabase={2}hdb,cn=config changetype: modify delete: olcAccess olcAccess: {0} olcAccess: {1} Now try to delete the ACL: # ldapmodify -Y EXTERNAL -H ldapi:/// -f delete_acl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={2}hdb,cn=config" # When I check with "slapcat -n 0" I see the 2 olcAssess entires is still exist. Please help. Thanks. Gao

3 3

dn with space space in olcRefintNothing
by Sébastien Chaumat 24 Apr '20

24 Apr '20

Hello, When configuring refint on slapd 2.4.49 the following is accepted : dn: olcOverlay={2}refint,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcRefintConfig olcOverlay: {2}refint olcRefintAttribute: seeAlso olcRefintNothing: cn=admin,dc=test but olcRefintNothing: cn=admin space,dc=test is rejected when I ldapadd the configuration with the message : ldap_add: Constraint violation (19) additional info: <olcRefintNothing> extra cruft after <string> I tried various quoting : cn="admin space",dc=test cn=admin\20space "cn=admin space" Do I miss something ? THX Sébastien

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2020