Problem with "force user to password reset at first login"
by Rajagopal Rc
Hi,
I am trying to force users to change their password at first login or after a password reset by the administrator.
I tried the following:
1) The password policy 'pwdMustChange TRUE' doesn't seem to be working, as none of the users get prompted to change their password at first login.
2) I used the 'pwdReset TRUE' attribute in the users' attributes; it doesn't prompt to change the password and didn't allow login.
I observe the messages below in the log:
"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
Please help me configure the option to force all users to change their password at first login or after a password reset by the administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
1 month
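The err=50 lines in the log are the ppolicy overlay behaving as designed: once pwdReset is TRUE on an entry, a connection bound as that entry may only bind, unbind, abandon, StartTLS or modify its own password, so a client that binds and then searches fails until the password has been changed. The cn=config LDIF below is an added example, not the poster's configuration, showing the pieces pwdMustChange depends on: the overlay with a default policy, the policy entry itself, an ACL that lets users write their own userPassword, and an administrator reset. The names used (olcDatabase={1}mdb, dc=example,dc=com, ou=policies, uid=jdoe, the module entry cn=module{0}) are placeholders; ppolicy.schema is assumed to be loaded and slapd built with dynamic modules.

```ldif
# Added example (placeholder names); not configuration from the original post.
# 1. Load the overlay module (assumes a dynamic-module build and an existing
#    cn=module{0} entry).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. Attach ppolicy to the users' database and name the default policy that
#    applies to every entry without its own pwdPolicySubentry.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

# 3. The policy entry. pwdMustChange TRUE makes an entry whose pwdReset is
#    TRUE password-change-only until it changes its own password.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdMustChange: TRUE

# 4. Users must be allowed to write their own userPassword, otherwise they
#    can never leave the restricted state.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none

# 5. Administrator reset. Under a pwdMustChange policy the overlay sets
#    pwdReset itself when someone other than the entry modifies userPassword;
#    setting it explicitly, as the poster did, has the same effect.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: TemporaryPass1!
-
replace: pwdReset
pwdReset: TRUE
```

After the reset the user clears the restriction with a self-service password change, for instance `ldappasswd -x -H ldap://localhost -D uid=jdoe,ou=people,dc=example,dc=com -W -S`; only then do searches on that bind succeed again. Two checks worth making when pwdMustChange appears to do nothing: the entry must actually be covered by a policy (the olcPPolicyDefault above, or a pwdPolicySubentry attribute on the entry), and accounts whose passwords were set before the overlay existed carry no pwdReset, so for those the explicit pwdReset TRUE modify is what triggers the forced change.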
Q: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
by Ulrich Windl
Hi!
After systemd tore down one of our LDAP servers, I noticed the following message when the server was restarted:
slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
The next line logged was:
slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389)
(the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice)
The server is one of three MM servers that all have the same configuration and the same version.
The schema knows in olcAttributeTypes (olcSchemaConfig):
( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it some software issue in slapd?
Regards,
Ulrich
3 years, 4 months
anonymize data
by Olivier -
Hi all,
I have a question about anonymizing data.
My OpenLDAP has some confidential data inside, and I would like this: if a person has a confidentiality flag set to 1 (or is in a special ou), OpenLDAP will replace the data or answer with different data.
For example:
if we request "sn" on this record, it will reply "Smith"
dn: cn=Smith,ou=public,c=com
confidentiality: 0
sn: Smith
if we request "sn" on this record, it will reply "XXX"
dn: cn=Bond,ou=public,c=com
confidentiality: 1
sn: Bond
I'm not sure OpenLDAP can offer this kind of functionality.
Thanks for your help !
3 years, 4 months
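OpenLDAP's ACL engine can withhold a value from requesters who should not see it, but it does not substitute a replacement value such as "XXX": a flagged entry simply comes back without sn for those requesters. The cn=config LDIF below is an added example, not part of the original message, showing a filter-scoped olcAccess rule for the flag and a dn.subtree-scoped rule for the "special ou" variant. It assumes the data lives in olcDatabase={1}mdb, that confidentiality is an attribute defined in the local schema, an HR reader DN cn=hr,ou=admins,c=com and a container ou=confidential,c=com; all of these are placeholders.

```ldif
# Added example (placeholder names); not configuration from the original post.
# Rules are evaluated in order and the first matching <what> clause wins, so
# the restrictive rules must come before the general one that exposes sn.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# Entries flagged confidentiality=1: sn visible to the entry itself and HR only.
olcAccess: {0}to dn.subtree="ou=public,c=com" filter="(confidentiality=1)" attrs=sn
  by self read
  by dn.exact="cn=hr,ou=admins,c=com" read
  by * none
# Variant from the question: everything under a dedicated ou is treated the same.
olcAccess: {1}to dn.subtree="ou=confidential,c=com" attrs=sn
  by self read
  by dn.exact="cn=hr,ou=admins,c=com" read
  by * none
# Everyone else's sn stays readable.
olcAccess: {2}to dn.subtree="ou=public,c=com" attrs=sn
  by * read
```

The rules can be checked without a client by running slapacl against the configured database, for example `slapacl -b "cn=Bond,ou=public,c=com" -D "cn=Smith,ou=public,c=com" sn/read`, which reports whether that identity is granted read on sn for the flagged entry. If a literal placeholder such as "XXX" really must be returned rather than the attribute being absent, that substitution has to happen outside slapd's ACL engine, in the application layer; slapd only grants or withholds the value.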
slapd 2.4.44 Performance problems
by daniel.zuniga@gmail.com
Hello,
We are running OpenLDAP with a relatively small user base (15K users) and the server does not seem to be able to keep up with demand when there are multiple concurrent logins (20 users X 70 searches each) during user login. When users log in to the server, all cores in the server (8) run at 100% utilization, sometimes for as long as 20 minutes (depending on how many users are logging in concurrently).
We have experimented and read and re-read the Tuning guidance but with very little success.
We have tried increasing the number of available cores to slapd, but it does not use more than 8. We have also increased the number of threads from 16 to 32, but that also does not seem to have an effect nor does it seem to allow slapd to use all 16 cores (slapd seems limited to 8 cores regardless of the number of threads defined).
The server has plenty of memory available and the db cache is configured to use as much as it needs, but that does not seem to improve matters.
Can you offer any guidance? Thanks.
3 years, 5 months
Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul
Thank you for the pointers. I will set up delta syncrepl and test to verify whether I see the issue or not.
Thanks
Rahul
On Mon, Jun 29, 2020 at 4:02 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Monday, June 29, 2020 4:20 PM -0400 kumar rahul
> <rahul2002mit(a)gmail.com> wrote:
>
> > Thank you for creating the bug. I have added myself as CC. Based on
> > the configuration information I have provided, can you provide a set of
> > guidelines to configure my setup to use delta-syncrepl?
>
> The admin guide already provides information on the configuration bits
> necessary to set up delta-syncrepl. Generally:
>
> a) You need a secondary DB to store the accesslog data from the accesslog
> overlay.
>
> b) You need to reconfigure the olcSyncrepl config to make use of the
> accesslog db.
>
> <https://www.openldap.org/doc/admin24/replication.html#Delta-syncrepl>
>
> And a blog post I wrote that gives some example configs:
>
> <https://mishikal.wordpress.com/2019/04/23/configuring-mmr-using-delta-syn...>
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
3 years, 5 months
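The two steps Quanah lists (an accesslog database, and an olcSyncrepl value that consumes it) look like this in cn=config LDIF for one of the two mirror-mode servers. This is an added example, not the poster's configuration and not the contents of the linked blog post; it assumes the user database is olcDatabase={1}mdb with suffix dc=example,dc=com, servers ldap-a.example.com and ldap-b.example.com, and a replication account cn=replicator,dc=example,dc=com that already has read access to the user database. The credentials value is a placeholder.

```ldif
# Added example for server A (placeholder names); not configuration from the thread.
# Both servers list both SIDs; the listener URL selects which one applies.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap-a.example.com
olcServerID: 2 ldap://ldap-b.example.com

# (a) Secondary database holding the change log written by the accesslog
#     overlay. Its own syncprov overlay is what the other server consumes.
dn: olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=replicator,dc=example,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart,reqDN
olcAccess: {0}to * by dn.exact="cn=replicator,dc=example,dc=com" read by * none

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# Accesslog overlay on the user database: log successful write operations
# only, keep 7 days of log and purge once a day.
dn: olcOverlay=accesslog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00

# The user database still provides to the other server (add only if the
# syncprov overlay is not already present).
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10

# (b) Consumer side: replay server B's logged writes (syncdata=accesslog)
#     instead of re-synchronising entries, and keep mirror mode on.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=002
  provider=ldap://ldap-b.example.com
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=REPLICATOR_PASSWORD_PLACEHOLDER
  searchbase="dc=example,dc=com"
  logbase="cn=accesslog"
  logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  schemachecking=on
  type=refreshAndPersist
  retry="60 +"
  syncdata=accesslog
-
replace: olcMirrorMode
olcMirrorMode: TRUE
```

Server B is the mirror image: the same two olcServerID values, and an olcSyncrepl value with rid=001 and provider=ldap://ldap-a.example.com. With syncdata=accesslog the consumer replays the provider's logged write operations, deletes included, rather than comparing entry sets, which is why delta-syncrepl is the recommendation for the class of problem in this thread; if a consumer has been away longer than olcAccessLogPurge retains, it falls back to a full non-delta refresh for that one catch-up.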
Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul
Hi Quanah
Thank you for creating the bug. I have added myself as CC. Based on the
configuration information I have provided, can you provide a set of
guidelines to configure my setup to use delta-syncrepl?
Thanks
Rahul
On Mon, Jun 29, 2020 at 3:10 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Monday, June 29, 2020 3:59 PM -0400 kumar rahul
> <rahul2002mit(a)gmail.com> wrote:
>
> >
> >
> > Hi Quanah
> >
> >
> > Thank you for reproducing the issue. What is the course of action
> > from here on? Will there be an OpenLDAP release with the fix, or will a
> > patch be released? Also, can you share the bug # once you raise it? How
> > will I get notified once the issue is fixed and released?
>
> Hi Kumar,
>
> As was stated before, use delta-syncrepl as it avoids these types of issues
> with standard syncrepl. I'm guessing this is another variation of issue
> #8125 (<https://bugs.openldap.org/show_bug.cgi?id=8125>), although I'm
> initially filing a separate bug in case it is a different problem, issue
> #9282 (<https://bugs.openldap.org/show_bug.cgi?id=9282>).
>
> You can add yourself to the CC of the issue to track its status and
> resolution.
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
3 years, 5 months
Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul
Hi Quanah
Thank you for reproducing the issue. What is the course of action from
here on? Will there be an OpenLDAP release with the fix, or will a patch be
released? Also, can you share the bug # once you raise it? How will I get
notified once the issue is fixed and released?
Thanks
Rahul
On Mon, Jun 29, 2020 at 2:55 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Tuesday, June 23, 2020 5:04 PM -0400 kumar rahul
> <rahul2002mit(a)gmail.com> wrote:
>
> > Hi Quanah
>
> Hi Kumar,
>
> I was able to reproduce the issue, thanks for the report. I'll file a bug
> for it.
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
3 years, 5 months
Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul
Hi Quanah
Please find my answers inline
a) Both servers have no DB, but are using these configs
[Rahul] Both servers are started with an empty database. Both servers are
in provider and consumer mode. Our application is running on both servers
as well. To start with, our application is active on Server A, which means
data will be written to server A's database and is synced/replicated to
server B.
b) DB is added to server A and replicated to server B
[Rahul] Yes, since server A has our application in active mode, data is
written on server A and replicated to server B.
c) server A is stopped
[Rahul] Yes, we reboot server A.
d) You say "data is removed", I'm not sure what this means. A single
entry? Multiple entries? The entire database?
[Rahul] Now our application is active on Server B. Using server B we removed
a single entry, which was removed from server B's database as well.
e) S1 is restarted, and the deleted data is replicated back to both nodes.
[Rahul] Yes, deleted data is replicated back to both nodes. When S1 is
restarted, slapd is configured in provider/consumer mode but our application
is still active on server B, which means writes will only happen at server B
and should be synced to server A.
Thank you for all the help so far. I have no intention of interrupting your
work. Please look at my issue based on your convenience.
Let me know if you have any other questions.
Thanks
Rahul
On Tue, Jun 23, 2020 at 3:43 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
>
>
> --On Tuesday, June 23, 2020 1:47 PM -0400 kumar rahul
> <rahul2002mit(a)gmail.com> wrote:
>
> > Both the servers are set up as master as well as consumer so that
> > sync works in both directions. So
> > the sync setup is like "A -> B",
> > and when A fails B is updated and the expectation is that "B -> A" should
> > work because a multi master setup is already in place. Let me know based
> > on the attached configuration files if my assumption is correct or not.
> >
> >
> > Also, adding data works: when A fails and B is updated, then sync "B -> A" works
> > fine.
> >
> > After a delete, data sync does not work when A fails and data is deleted
> > from B. Once A comes back, both databases have data which was deleted on B.
>
> Hi,
>
> I'll see if I can reproduce your issue with the configs provided (Assuming
> they look correct after I finish reviewing them in full), but I want to
> confirm the exact steps:
>
> a) Both servers have no DB, but are using these configs
>
> b) DB is added to server A and replicated to server B
>
> c) server A is stopped
>
> d) You say "data is removed", I'm not sure what this means. A single
> entry? Multiple entries? The entire database?
>
> e) S1 is restarted, and the deleted data is replicated back to both nodes.
>
> Note that I do have a paid job that keeps me busy, so this is a best effort
> when I have time available to investigate.
>
> Thanks,
> Quanah
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
3 years, 5 months
LMDB transaction flags
by Stefano Cossu
Hello,
I'd like to be able to know whether an LMDB transaction is active, valid, dirty, read-only, etc.
From the documentation I read that such information is in mt_flags of the mdb_txn structure, which is opaque. I don't see any function exposing mt_flags. Is there any other way to read that information?
3 years, 5 months