openldap-technical April 2020

openldap-technical@openldap.org

33 participants
35 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Q: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
by Ulrich Windl 22 Jul '20

22 Jul '20

Hi! After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted. The next line logged was: slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389) (the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice) The server is one of three MM servers that all have the same configuration and the same version. The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) What I'l like to know: Is there any thing I could fix in the configuration to make the message go away, or is it some software issue in slapd? Regards, Ulrich

4 10

pwdChangedTime not defined when creating new entry
by Manuela Mandache 05 Jun '20

05 Jun '20

Hello all, We have a directory running on OpenLDAP 2.4.44 with the ppolicy overlay on the main database. When a new entry with a userPassword defined is created, pwdChangedTime is not defined, so this initial userPassword never expires. The directory has been migrated from its OpenLDAP 2.3.34 instance (yes, we missed some steps...), and there the pwdChangedTime is set, and naturally equal to createTimestamp. The overlay is configured as follows: dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {2}ppolicy olcPPolicyDefault: ou=ppolicy,dc=example,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE Is there a parameter I missed which would switch on setting pwdChangedTime at entry creation? Do I have to provide some other configuration elements? Or is it unreasonable to expect this initialisation of the attribute this way, and only a password change can set it? I think the setting at creation is rather handy... Using pwdMustChange would be difficult, we have a lot of client apps which would be forced to check and probably adapt their authentication procedures. Thank you and regards, Manuela Sent with [ProtonMail](https://protonmail.com) Secure Email.

5 11

MDB Backend database definition
by Beker 05 May '20

05 May '20

Hello I'm getting an error while trying to use MDB backend. The section that's giving issue is the following one: ####################################################################### # LMDB database definitions ####################################################################### # dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcDbMaxSize: 1073741824 olcSuffix: dc=test,dc=local olcRootDN: cn=mdbadm,test,dc=local # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd-config(5) for details. # Use of strong authentication encouraged. olcRootPW: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. olcDbDirectory: /var/db/openldap-data # Indices to maintain olcDbIndex: objectClass eq with this section added to the end of slapd.ldif i get the error *5ea9641d <= str2entry: str2ad(olcDbMaxSize): attribute type undefined* while testing the import using *slapadd -v -n0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif* if i comment the offending line *olcDbMaxSize: 1073741824* then I just get an error with another line in the same section. This is a fresh install, the slapd.d folder is empty and I'm using the example slapd.ldif.sample that comes with the software (it has mdb lodaded as module by default) # # Load dynamic backend modules: # dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib/openldap #olcModuleload: back_bdb.so #olcModuleload: back_hdb.so #olcModuleload: back_ldap.so olcModuleload: back_mdb.so #olcModuleload: back_passwd.so #olcModuleload: back_shell.so Thanks in dvance for any hint or help you can provide Best regards

3 3

LDAP performance
by Technology Server 30 Apr '20

30 Apr '20

Dears, How to get a response time curve showing how fast queries are answered by each instance of LDAP ? How can we measure LDAP performance based on all possible aspects ? Regards, Tech Sever.

3 2

2.4.50 and pw-argon2
by Michael Ströder 29 Apr '20

29 Apr '20

HI! Anything special with installing the man-page of pw-argon2? It fails in openSUSE Build Service: [ 112s] mkdir -p `grep -e "^prefix =" ../../../../Makefile | cut -d= -f2`/share/man/man5 [ 112s] /usr/bin/install -m 644 slapd-pw-argon2.5 `grep -e "^prefix =" ../../../../Makefile | cut -d= -f2`/share/man/man5 [ 112s] /usr/bin/install: cannot create regular file '/usr/share/man/man5/slapd-pw-argon2.5': Permission denied [ 112s] make: *** [Makefile:70: install-man] Error 1 [ 112s] make: *** Waiting for unfinished jobs.... Ciao, Michael.

4 6

-DLDAP_USE_NON_BLOCKING_TLS (was: OpenLDAP 2.4.50 available)
by Michael Ströder 28 Apr '20

28 Apr '20

On 4/28/20 7:16 PM, project(a)openldap.org wrote: > OpenLDAP 2.4.50 is now available for download as detailed on our download page: Building with -DLDAP_USE_NON_BLOCKING_TLS now fails. It worked with 2.4.49. Ciao, Michael. --------------------------------------------- cc -g -O0 -DNDEBUG -DSLAP_SCHEMA_EXPOSE -DLDAP_COLLECTIVE_ATTRIBUTES -DSLAP_CONFIG_DELETE -DLDAP_USE_NON_BLOCKING_TLS -Wl,-R/usr/lib -Wl,-R/usr/lib -Wl,-R/usr/lib -Wl,-R/usr/lib -o .libs/apitest apitest.o -L/usr/lib ./.libs/libldap.so /home/michael/src/openldap-git/re24/openldap/libraries/liblber/.libs/liblber.so ../../libraries/liblber/.libs/liblber.so ../../libraries/liblutil/liblutil.a -lsasl2 -lssl -lcrypto -lcrypt -lresolv -Wl,--rpath -Wl,/opt/openldap-re24/lib64 /usr/lib64/gcc/x86_64-suse-linux/9/../../../../x86_64-suse-linux/bin/ld: ./.libs/libldap.so: undefined reference to `Debug1' /usr/lib64/gcc/x86_64-suse-linux/9/../../../../x86_64-suse-linux/bin/ld: ./.libs/libldap.so: undefined reference to `Debug3' collect2: error: ld returned 1 exit status make[2]: *** [Makefile:309: apitest] Error 1 make[2]: Leaving directory '/home/michael/src/openldap-git/re24/openldap/libraries/libldap' make[1]: *** [Makefile:296: all-common] Error 1 make[1]: Leaving directory '/home/michael/src/openldap-git/re24/openldap/libraries' make: *** [Makefile:312: all-common] Error 1

2 1

Can't delete olcAccess entries
by Gao 27 Apr '20

27 Apr '20

Hello, I am using OpenLDAP 2.4.40 on CentOS 7.6. I tried to remove 2 ACL entries and failed. I must missed something so please help me. I now have: dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=van,dc=company,dc=com olcRootDN: cn=Manager,dc=van,dc=company,dc=com olcRootPW:: e1NTSEF9cEpWbEIzOEh4UXJpcjNVSUl2enZz0sm1akt4Nnd6OTk= olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub structuralObjectClass: olcHdbConfig entryUUID: 3b7e5722-d26f-1035-8835-91213c5bb357 creatorsName: cn=config createTimestamp: 20160629180122Z olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.ba se="cn=Manager,dc=van,dc=company,dc=com" write by * none olcAccess: {1}to * by self write by dn="cn=Manager,dc=van,dc=company,dc= com" write by * read entryCSN: 20200427230612.038641Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20200427230612Z Then I created a LDIF file: # cat delete_acl.ldif dn: olcDatabase={2}hdb,cn=config changetype: modify delete: olcAccess olcAccess: {0} olcAccess: {1} Now try to delete the ACL: # ldapmodify -Y EXTERNAL -H ldapi:/// -f delete_acl.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={2}hdb,cn=config" # When I check with "slapcat -n 0" I see the 2 olcAssess entires is still exist. Please help. Thanks. Gao

3 3

dn with space space in olcRefintNothing
by Sébastien Chaumat 24 Apr '20

24 Apr '20

Hello, When configuring refint on slapd 2.4.49 the following is accepted : dn: olcOverlay={2}refint,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcRefintConfig olcOverlay: {2}refint olcRefintAttribute: seeAlso olcRefintNothing: cn=admin,dc=test but olcRefintNothing: cn=admin space,dc=test is rejected when I ldapadd the configuration with the message : ldap_add: Constraint violation (19) additional info: <olcRefintNothing> extra cruft after <string> I tried various quoting : cn="admin space",dc=test cn=admin\20space "cn=admin space" Do I miss something ? THX Sébastien

2 1

Re: Openldap Master-Slave setup
by Quanah Gibson-Mount 24 Apr '20

24 Apr '20

--On Thursday, April 23, 2020 9:41 PM -0700 rammohan ganapavarapu <rammohanganap(a)gmail.com> wrote: > olcDatabase={2}bdb,cn=config: BDB is deprecated. I'd advise using a non-deprecated backend. > olcReadOnly: TRUE > olcSyncrepl: {0}rid=001 provider=ldap://10.126.0.21:10389/ > binddn="cn=manager,dc=example,dc=com" bindmethod=simple > credentials=TopSecret searchbase="dc=example,dc=com" attrs="*,+" > type=refreshAndPersist retry="60 1 300 12 7200 +" timeout=1 > olcUpdateRef: ldap://10.126.0.21:10389 > olcMirrorMode: TRUE Is it a consumer or a multimaster node? You have enabled multiprovider (which is horribly misnamed as "mirrormode", and really just means you're defining it as part of a multiprovider cluster). > Chain overlay on frontendDB: > > > dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config > objectClass: olcOverlayConfig > objectClass: olcChainConfig > olcOverlay: {0}chain > olcChainReturnError: TRUE > > dn: > olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config > objectClass: olcLDAPConfig > objectClass: olcChainDatabase > olcDatabase: {0}ldap > olcDbURI: ldap://10.126.0.21:10389/ > olcDbIDAssertBind: bindmethod=simple > binddn="cn=manager,dc=example,dc=com" credentials=TopSecret mode=self > olcDbRebindAsUser: TRUE Why would chaning on the frontend database affect the ability of your dc=example,dc=com database to forward updates? You've clearly misconfigured your system. > So with the above config, if i add entry in master it is replicating to > slave but when i try to add entry in slave its not allowing write as > expected but its not forwarding request to referral ( its because of > ldapadd doesnt follow referral) is it expected? How do i make sure if > updatereferral is working properly? Configure your system correctly? You may also want to examine test032 in the test suite which specifically configures this. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2020