openldap-technical May 2020

openldap-technical@openldap.org

30 participants
33 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Q: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
by Ulrich Windl 22 Jul '20

22 Jul '20

Hi! After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted. The next line logged was: slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389) (the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice) The server is one of three MM servers that all have the same configuration and the same version. The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ) What I'l like to know: Is there any thing I could fix in the configuration to make the message go away, or is it some software issue in slapd? Regards, Ulrich

4 10

Remove/change replication partner
by Jean-Luc Chandezon 08 Jun '20

08 Jun '20

Hello, I'm trying to remove replication partner (olcSyncrepl overlay). Here are results for partner parameter(config): # ldapsearch -LLLY external -H ldapi:/// -b "olcDatabase={0}config,cn=config" olcSyncRepl SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: olcDatabase={0}config,cn=config olcSyncrepl: {0}rid=01 provider=ldap://bea-olp-001.lan-explore.fr binddn=" cn=replication,dc= lan-explore,dc=fr" bindmethod=simple credentials=i2Df 0rXiQokb8HtYZemJ searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {1}rid=02 provider=ldap://cdb-olp-001. lan-explore.fr binddn=" cn=replication,dc= lan-explore,dc=fr" bindmethod=simple credentials=i2Df 0rXiQokb8HtYZemJ searchbase="cn=config" type=refreshAndPersist retry="5 5 300 5" timeout=1 dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config dn: olcOverlay={1}syncprov,olcDatabase={0}config,cn=config dn: olcOverlay={2}syncprov,olcDatabase={0}config,cn=config I tested this query: dn: olcDatabase={0}config,cn=config changetype: modify delete: olcSyncrepl The result is: ldapmodify -Y EXTERNAL -H ldapi:/// -f removeConfigPartner.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={0}config,cn=config" ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral Please what I missed? Thanks, Jean-Luc

3 11

pwdChangedTime not defined when creating new entry
by Manuela Mandache 05 Jun '20

05 Jun '20

Hello all, We have a directory running on OpenLDAP 2.4.44 with the ppolicy overlay on the main database. When a new entry with a userPassword defined is created, pwdChangedTime is not defined, so this initial userPassword never expires. The directory has been migrated from its OpenLDAP 2.3.34 instance (yes, we missed some steps...), and there the pwdChangedTime is set, and naturally equal to createTimestamp. The overlay is configured as follows: dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {2}ppolicy olcPPolicyDefault: ou=ppolicy,dc=example,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE Is there a parameter I missed which would switch on setting pwdChangedTime at entry creation? Do I have to provide some other configuration elements? Or is it unreasonable to expect this initialisation of the attribute this way, and only a password change can set it? I think the setting at creation is rather handy... Using pwdMustChange would be difficult, we have a lot of client apps which would be forced to check and probably adapt their authentication procedures. Thank you and regards, Manuela Sent with [ProtonMail](https://protonmail.com) Secure Email.

5 11

userPassword is not replicated
by razvanpopescu＠hotmail.com 04 Jun '20

04 Jun '20

Hi, I have set up a replication master/slave between 2 openldap 2.4.44 on rhel 7.x. On the slave server, the userPassword attribute is not replicated by syncrepl, all other attributes are replicated OK The replication has been set up as follow: On master server (provider), I have set up : # replication moduleload syncprov overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 On slave server (consumer), I've set up in the /etc/openldap/slapd.conf: # replication syncrepl rid=100 provider=ldaps://fr-te-ldap-x1.intra.commercial-union.fr type=refreshAndPersist searchbase="dc=aviva,dc=fr" scope=sub schemachecking=on bindmethod=simple filter="(objectClass=*)" binddn="cn=admin,dc=aviva,dc=fr" credentials=redhat retry="15 +" index entryUUID,entryCSN eq sizelimit 100000 On both server ( master, slave) , the ACL has been set up as follow : access to attrs=userPassword by self write by anonymous auth by * read access to * by self read by users read by anonymous read Please help me ! What is wrong in this configuration and why the userPassword attribute is not replicated on slave side ? Please advice me, Thank, Razvan

5 16

olcAccess from b64 to plaintext
by Giuseppe De Marco 31 May '20

31 May '20

Hi guys, I wrote this simple script to have human readable olaAccess lists https://github.com/peppelinux/slapd_acl hope you'll enjoy -- ____________________ Dott. Giuseppe De Marco CENTRO ICT DI ATENEO University of Calabria 87036 Rende (CS) - Italy Phone: +39 0984 496961 e-mail: giuseppe.demarco(a)unical.it -- ------------------------------------------------------------------------------------------------------------------ Il banner è generato automaticamente dal servizio di posta elettronica dell'Università della Calabria <https://www.unical.it/portale/portaltemplates/view/view.cfm?100061>

1 0

what does "error 131 (State not recoverable)" indicate?
by James Anderson 30 May '20

30 May '20

good evening; i am looking for an explanation for a situation which we encountered with an lmdb database and library version is 0.9.17-3. the database's condition was such that all attempts to open it for reading failed. in at least some cases the error appears to have occurred during the operation which looked for stale leaders. a problem was also evident when attempting to copy the database: @nl12:~# mdb_copy /srv/dydra/catalog/repositories/d2141030-9495-c040-b1a7-9e19edbeb491/ /srv/dydra/backups/public-data__rev mdb_copy: copying failed, error 131 (State not recoverable) it was first evident in running processes which had already had the database open, but of which new threads were reopening the database environment. the only thing remarkable about the circumstances involved might have been that while several dozen threads were preparing reading simultaneously and in the processes of opening the environment to read, a monitoring thread took a snapshot of the threads, which entailed interrupting each to generate its stack trace. once we identified and terminated all processes which had the environment open, successive open attempts succeeded. when we examined the content, however, although the space was still occupied on disk and the transaction id reflected the prior content, the indices were empty. - what condition does that message intend to describe? - what can cause that condition? - would there have been some way to have recovered the old state - despite that message?

3 6

Antw: [EXT] LMDB does not recover on restart.
by Ulrich Windl 29 May '20

29 May '20

>>> Vipul Jain <vipul5798(a)gmail.com> schrieb am 28.05.2020 um 15:51 in Nachricht <15586_1590677913_5ECFD199_15586_106_1_CALsDq61nAgNh1Z3eUK=CNk_b7uWXgQ6aZYOzQvsn G-DPXQd2g(a)mail.gmail.com>: > In standalone application, I have insert 10 key,value using LMDB. > but if application crash and restart, and then I am trying to access the > same LMDB DB file, I am not able to see any data. it give error violating > memory access. Did the application commit the data before crash? > Any solution for this? > > I am looking for LMDB persistence, On restart of application do not need to > push key value again in LMDB. > > -- > with regards:- > Vipul Jain

2 1

LMDB does not recover on restart.
by Vipul Jain 28 May '20

28 May '20

In standalone application, I have insert 10 key,value using LMDB. but if application crash and restart, and then I am trying to access the same LMDB DB file, I am not able to see any data. it give error violating memory access. Any solution for this? I am looking for LMDB persistence, On restart of application do not need to push key value again in LMDB. -- with regards:- Vipul Jain

1 0

ReviewBoard LDAP authentication issue
by Adam Weremczuk 26 May '20

26 May '20

Hi all, I'm running old samba4 DC and trying to set up LDAP authentication for https://www.reviewboard.org/docs/manual/3.0/admin/configuration/authenticat… These settings are almost working for me: -> Authentication Method: LDAP -> LDAP Server: ldap://192.168.x.x:389 -> Review Board LDAP Bind Account: cn=auth,cn=Users,dc=domain,dc=co,dc=uk -> Review Board LDAP Bind Password: ******** -> LDAP Base DN: cn=Users,dc=domain,dc=co,dc=uk -> Username Attribute: uid -> Given Name Attribute: givenName -> Surname Attribute: sn -> Full Name Attribute: cn -> E-Mail LDAP Attribute: mail -> E-Mail Domain: (blank) -> Custom LDAP User Search Filter: (blank) I have a weird problem with about half of users being able to log in: 2020-05-26 11:32:07,623 - DEBUG - - root - Attempting to authenticate user DN "CN=dummy1,CN=Users,DC=domain,DC=co,DC=uk" (username dummy1) in LDAP and half unable: 2020-05-26 11:40:57,671 - ERROR - - root - Unexpected error authenticating user "dummy2" in LDAP: 'NoneType' object has no attribute 'decode' After ruling out the obvious such as AD groups membership and primary groups I compared ldapsearch dumps: ldapsearch -D 'admin(a)domain.co.uk' -b 'cn=Users,dc=domain,dc=co,dc=uk' -H ldap://192.168.x.x -W sAMAccountName=dummy I've noticed that all of those who cannot log in are missing msSFU30Name and msDS-SupportedEncryptionTypes attributes. I've added them to match settings for the successful users as below: dummy2.ldif dn: CN=dummy2,CN=Users,DC=domain,DC=co,DC=uk changetype: modify add: msSFU30Name msSFU30Name: dummy2 add: msDS-SupportedEncryptionTypes msDS-SupportedEncryptionTypes: 0 ldbmodify -H /var/lib/samba/private/sam.ldb dummy2.ldif -U dummy2 Modified 1 records successfully Unfortunately it didn't help :( Any ideas why? Thanks, Adam

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2020