I am trying to force users to change their password at first login or after a
password reset by an administrator.
1) The password policy 'pwdMustChange TRUE' doesn't seem to be working, as no
users get prompted to change their password at first login.
2) I used the 'pwdReset TRUE' attribute in the user's attributes, and it won't
allow them to change the password and didn't allow them to log in.
I observe the messages below in the log:
"slapd: connection restricted to password changing only
slapd: send_ldap_result: err=50 matched="" text="Operations are
restricted to bind/unbind/abandon/StartTLS/modify password"
slapd: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0
text=Operations are restricted to bind/unbind/abandon/StartTLS/modify
Please help me configure the option to force all users to change their
password at first login or after a password reset by the administrator.
Thanks & Regards
Tata Consultancy Services
After systemd tore down one of our LDAP servers, I noticed the following message when the server was restarted:
slapd: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
The next line logged was:
slapd: olcServerID: value #1: SID=0x002 (listener=ldap://...:389)
(the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice)
The server is one of three MM servers that all have the same configuration and the same version.
The schema has this in olcAttributeTypes (olcSchemaConfig):
( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it some software issue in slapd?
We have a directory running on OpenLDAP 2.4.44 with the ppolicy overlay on the main database. When a new entry with a userPassword defined is created, pwdChangedTime is not defined, so this initial userPassword never expires.
The directory has been migrated from its OpenLDAP 2.3.34 instance (yes, we missed some steps...), and there pwdChangedTime is set, and naturally equal to createTimestamp.
The overlay is configured as follows:
Is there a parameter I missed which would switch on setting pwdChangedTime at entry creation? Do I have to provide some other configuration elements?
Or is it unreasonable to expect this initialisation of the attribute this way, and only a password change can set it? I think the setting at creation is rather handy... Using pwdMustChange would be difficult, we have a lot of client apps which would be forced to check and probably adapt their authentication procedures.
Thank you and regards,
I have set up master/slave replication between two OpenLDAP 2.4.44 servers on RHEL 7.x.
On the slave server, the userPassword attribute is not replicated by syncrepl; all other attributes are replicated OK.
The replication has been set up as follows:
On the master server (provider), I have set up:
syncprov-checkpoint 100 10
On the slave server (consumer), I've set up in /etc/openldap/slapd.conf:
index entryUUID,entryCSN eq
On both servers (master, slave), the ACL has been set up as follows:
access to attrs=userPassword
by self write
by anonymous auth
by * read
access to *
by self read
by users read
by anonymous read
Please help me !
What is wrong in this configuration, and why is the userPassword attribute not replicated on the slave side?
Please advise me,
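An added example (Python, not the poster's configuration or any OpenLDAP code) that parses the two ACL stanzas quoted in the post above and applies slapd's first-match evaluation to them. It models only the `self`, `anonymous`, `users` and `*` selectors and the `attrs=` / `*` targets, which is all this ACL uses.

```python
import re

# Constructed input: the two ACL stanzas quoted in the replication post above.
SLAPD_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * read
access to *
    by self read
    by users read
    by anonymous read
"""

# slapd access levels, weakest to strongest; a level implies every weaker one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acls(text):
    """Parse slapd.conf-style 'access to <what>' / 'by <who> <level>' lines."""
    acls = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^access\s+to\s+(\S+)$", line)
        if m:
            acls.append({"what": m.group(1), "by": []})
        elif line.startswith("by ") and acls:
            who, level = line.split()[1:3]
            acls[-1]["by"].append((who, level))
    return acls

def who_matches(who, bind_dn, is_self):
    """Subset of slapd <who> selectors: self, anonymous, users, *."""
    return (who == "*" or (who == "anonymous" and bind_dn is None)
            or (who == "users" and bind_dn is not None) or (who == "self" and is_self))

def what_matches(what, attr):
    """'*' covers everything; 'attrs=a,b' covers the listed attributes."""
    return what == "*" or (what.startswith("attrs=") and attr in what[6:].split(","))

def effective_access(acls, attr, bind_dn=None, is_self=False):
    """slapd semantics: the first matching 'access to' stanza decides; inside it the
    first matching 'by' clause wins, and no matching 'by' clause means access is denied."""
    for acl in acls:
        if what_matches(acl["what"], attr):
            for who, level in acl["by"]:
                if who_matches(who, bind_dn, is_self):
                    return level
            return "none"
    return "none"

def grants(level, needed):
    """True if a granted level covers the needed one (e.g. 'write' covers 'read')."""
    return LEVELS.index(level) >= LEVELS.index(needed)

def describe(acls):
    """Human-readable rendering of the parsed stanzas, one line per 'by' clause."""
    return "\n".join(f"{a['what']}: {who} -> {level}" for a in acls for who, level in a["by"])
```

Evaluating userPassword for a non-self authenticated DN returns `read`, so `by * read` hands every authenticated user, not just the syncrepl identity, read access to the password hashes; naming the replication binddn explicitly in that stanza limits the exposure.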
I wrote this simple script to get human-readable olcAccess lists.
Hope you'll enjoy it.
Dott. Giuseppe De Marco
CENTRO ICT DI ATENEO
University of Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496961
I am looking for an explanation for a situation we encountered with an LMDB database; the library version is 0.9.17-3.
The database's condition was such that all attempts to open it for reading failed.
In at least some cases the error appears to have occurred during the operation which looked for stale leaders.
A problem was also evident when attempting to copy the database:
@nl12:~# mdb_copy /srv/dydra/catalog/repositories/d2141030-9495-c040-b1a7-9e19edbeb491/ /srv/dydra/backups/public-data__rev
mdb_copy: copying failed, error 131 (State not recoverable)
It was first evident in running processes which already had the database open, but in which new threads were reopening the database environment.
The only thing remarkable about the circumstances might have been that, while several dozen threads were preparing to read simultaneously and were in the process of opening the environment for reading, a monitoring thread took a snapshot of the threads, which entailed interrupting each one to generate its stack trace.
Once we identified and terminated all processes which had the environment open, successive open attempts succeeded.
When we examined the content, however, although the space was still occupied on disk and the transaction id reflected the prior content, the indices were empty.
- what condition does that message intend to describe?
- what can cause that condition?
- would there have been some way to have recovered the old state - despite that message?
>>> Vipul Jain <vipul5798(a)gmail.com> wrote on 28.05.2020 at 15:51 in message
> In a standalone application, I have inserted 10 key/value pairs using LMDB.
> But if the application crashes and restarts, and then I try to access the
> same LMDB DB file, I am not able to see any data. It gives an error violating
> memory access.
Did the application commit the data before the crash?
> Any solution for this?
> I am looking for LMDB persistence: on restart of the application, I should not need to
> push the key/value pairs into LMDB again.
> with regards:-
> Vipul Jain
I'm running an old samba4 DC and trying to set up LDAP authentication for
These settings are almost working for me:
-> Authentication Method: LDAP
-> LDAP Server: ldap://192.168.x.x:389
-> Review Board LDAP Bind Account: cn=auth,cn=Users,dc=domain,dc=co,dc=uk
-> Review Board LDAP Bind Password: ********
-> LDAP Base DN: cn=Users,dc=domain,dc=co,dc=uk
-> Username Attribute: uid
-> Given Name Attribute: givenName
-> Surname Attribute: sn
-> Full Name Attribute: cn
-> E-Mail LDAP Attribute: mail
-> E-Mail Domain: (blank)
-> Custom LDAP User Search Filter: (blank)
I have a weird problem: about half of the users are able to log in:
2020-05-26 11:32:07,623 - DEBUG - - root - Attempting to authenticate
user DN "CN=dummy1,CN=Users,DC=domain,DC=co,DC=uk" (username dummy1) in LDAP
and half are unable:
2020-05-26 11:40:57,671 - ERROR - - root - Unexpected error
authenticating user "dummy2" in LDAP: 'NoneType' object has no attribute
After ruling out the obvious, such as AD group membership and primary
groups, I compared ldapsearch dumps:
ldapsearch -D 'admin(a)domain.co.uk' -b 'cn=Users,dc=domain,dc=co,dc=uk'
-H ldap://192.168.x.x -W sAMAccountName=dummy
I've noticed that all of those who cannot log in are missing the msSFU30Name
and msDS-SupportedEncryptionTypes attributes.
I've added them to match the settings for the successful users, as below:
ldbmodify -H /var/lib/samba/private/sam.ldb dummy2.ldif -U dummy2
Modified 1 records successfully
Unfortunately it didn't help :(
Any ideas why?