Problem with "force user to password reset at first login"
by Rajagopal Rc
Hi,
I am trying to force users to change their password at first login or after a password reset by the administrator.
Tried the following:
1) Password policy 'pwdMustChange TRUE' doesn't seem to be working, as none of the users get prompted to change their password at first login.
2) Used the 'pwdReset TRUE' attribute in the user's attributes; it won't prompt to change the password and didn't allow login.
I observe the messages below in the log:
"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
Please help me configure the option to force all users to change their password at first login or after a password reset by the administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
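An added example, not from the original post: the err=50 result quoted above is what slapd returns to a session that was bound with pwdReset TRUE and then tried anything other than the Password Modify extended operation (RFC 3062, logged by slapd as PASSMOD). The script below runs over stats-format log lines and reports, per bound DN, whether the client completed that operation or just kept hitting err=50, which is how an administrator can see which clients do not honour the reset. The sample log is constructed; conn ids and DNs are made up, and only the err=50 line is taken from the post.

```python
import re

# Constructed sample in slapd's stats-log format (conn ids and DNs made up);
# the err=50 search result mirrors the line quoted in the post.
SAMPLE_LOG = """\
slapd[12684]: conn=1053 op=0 BIND dn="uid=raj,ou=people,dc=example,dc=com" method=128
slapd[12684]: connection restricted to password changing only
slapd[12684]: conn=1053 op=0 RESULT tag=97 err=0 text=
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
slapd[12684]: conn=1053 op=2 UNBIND
slapd[12684]: conn=1054 op=0 BIND dn="uid=ann,ou=people,dc=example,dc=com" method=128
slapd[12684]: connection restricted to password changing only
slapd[12684]: conn=1054 op=0 RESULT tag=97 err=0 text=
slapd[12684]: conn=1054 op=1 PASSMOD id="uid=ann,ou=people,dc=example,dc=com" new
slapd[12684]: conn=1054 op=1 RESULT oid= err=0 text=
slapd[12684]: conn=1055 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
slapd[12684]: conn=1055 op=0 RESULT tag=97 err=0 text=
slapd[12684]: conn=1055 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
RESTRICTED_RE = re.compile(r'conn=(\d+) op=\d+ .*err=50 .*restricted to bind/unbind')
PASSMOD_RE = re.compile(r'conn=(\d+) op=(\d+) PASSMOD')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT .*err=(\d+)')

def password_reset_status(log_text):
    """Map each bound DN to 'changed' (session completed a Password Modify
    exop), 'stuck' (only ever hit err=50, i.e. the client ignored the reset
    restriction and kept searching) or 'ok' (never restricted)."""
    bound, pending, status = {}, {}, {}   # conn->DN, conn->PASSMOD op, DN->state
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bound[m.group(1)] = m.group(2)
            status.setdefault(m.group(2), "ok")
        elif m := RESTRICTED_RE.search(line):
            dn = bound.get(m.group(1))
            if dn and status[dn] != "changed":
                status[dn] = "stuck"
        elif m := PASSMOD_RE.search(line):
            pending[m.group(1)] = m.group(2)
        elif m := RESULT_RE.search(line):
            conn, op, err = m.groups()
            if pending.get(conn) == op and err == "0" and conn in bound:
                status[bound[conn]] = "changed"
    return status
```

A DN reported as 'stuck' belongs to a client (application, PAM module) that binds and searches but never issues the password change the server is waiting for.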
Index seems to return wrong number of candidates, causing really poor search performance
by chrichardso27@gmail.com
Hi,
Considering the following assumptions:
- OpenLDAP version 2.4.51
- attributes objectClass and abc are indexed based on equality
- the EQUALITY of attribute abc is based on distinguishedNameMatch
- The database contains roughly 2 million entries
- 2 entries have defined the attribute abc with a dn value cn=foo,dc=bar and objectClass=someClass
- 2 entries have defined the attribute abc with a dn value cn=bar,dc=baz and objectClass=someClass
Now, the issue started with really slow search performance using objectClass=someClass & abc=cn=foo,dc=bar as filter criteria. Debugging for a while seems to indicate that the objectClass filter returns roughly 2 million entries as candidates. Now, one would expect that the second filter would return only the 2 potential candidates from the abc index, or a subset of the whole database, but this is not the case. The second filter also returns nearly all the database entries as potential candidates and causes really slow query performance. Interestingly, this only occurs when attribute abc has the value cn=foo,dc=bar; for some reason, for the entry having attribute abc with value cn=bar,dc=baz the query returns immediately. In both cases, the actual entries matching the search return immediately, but for the problematic search "(&(objectClass=someClass)(abc=cn=foo,dc=bar))" the completion of the search takes a long time (around 15 seconds, to be precise).
The issue started suddenly and wasn't a degradation of query performance over time.
A few things I have tried:
- Rebuilt the whole database again
- Reindex the existing database again
- Testing with bdb and mdb as backends
- Increased cache sizes for bdb to hold the whole database in cache
- For bdb adjust the page size of the indexes according to suggestion by db_tuner
- Change the order of the filters
None of these made any difference. At the moment, there do not seem to be any good options left to try. Any ideas or help would be greatly appreciated!
Best way to update a full OpenLDAP database from LDIF file
by Prunk Dump
Hello !
My network infrastructure uses a special database that is not compatible with LDAP, but I need an OpenLDAP server to administer my web service accounts on my DMZ.
So I have written a script to export our "special" database to an LDIF file. This works pretty well; I've successfully loaded it on my OpenLDAP server.
But now I don't know how to update my OpenLDAP database from the newly generated LDIF files (when users are added, updated or removed) without disturbing the whole LDAP service (it's not a very good idea to delete the entire database and recreate it from the new LDIF file, as it stops the service completely during the operation).
Is there a way to update an OpenLDAP database to fit a new given LDIF file?
-> Updating/deleting the OUs
-> Deleting the objects that are not present.
-> Deleting the attributes removed.
-> Updating the attributes that have changed without deleting the object.
Doing this step by step, so as to disturb the OpenLDAP service as little as possible.
Thanks for the help.
Regards,
Baptiste.
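An added example, not from the original post and not an OpenLDAP tool, of the diff approach the post asks for: parse the previous and the freshly generated content LDIF, then emit change-record LDIF (delete, add, modify with delete/replace) that ldapmodify can apply to the running server, so only entries that actually changed are touched and the service stays up. The snapshots are constructed; the parser assumes the exporter writes plain 'attr: value' lines (no base64 '::' or folded values) and spells every DN identically in both exports, since DNs are compared byte-for-byte.

```python
from collections import defaultdict

# Constructed snapshots: alice changes mail and loses title, bob goes, carol is new.
OLD_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
mail: alice@example.com
title: Intern

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
"""
NEW_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
mail: a.smith@example.com

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Minimal content-LDIF -> {dn: {attr: set(values)}}; no '::' or folded lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(set)
        for key, _, val in (l.partition(": ") for l in block.splitlines()):
            attrs[key].add(val)
        entries[attrs.pop("dn").pop()] = dict(attrs)
    return entries

def diff_ldif(old, new):
    """Change records turning old into new: deletes leaf-first, adds parent-first."""
    out = []
    for dn in sorted(old.keys() - new.keys(), key=lambda d: (-d.count(","), d)):
        out.append(f"dn: {dn}\nchangetype: delete\n")
    for dn in sorted(new.keys() - old.keys(), key=lambda d: (d.count(","), d)):
        lines = [f"dn: {dn}", "changetype: add"]
        for attr, vals in new[dn].items():
            lines += [f"{attr}: {v}" for v in sorted(vals)]
        out.append("\n".join(lines) + "\n")
    for dn in sorted(old.keys() & new.keys()):
        # attributes gone from the export are deleted, changed ones replaced
        mods = [f"delete: {a}\n-" for a in sorted(old[dn].keys() - new[dn].keys())]
        for attr in sorted(new[dn]):
            if old[dn].get(attr) != new[dn][attr]:
                vals = "\n".join(f"{attr}: {v}" for v in sorted(new[dn][attr]))
                mods.append(f"replace: {attr}\n{vals}\n-")
        if mods:
            out.append(f"dn: {dn}\nchangetype: modify\n" + "\n".join(mods) + "\n")
    return "\n".join(out)
```

Keep the previously applied LDIF as the baseline, pipe diff_ldif's output to ldapmodify, and only rotate the new export into the baseline once that succeeds, so a failed run is simply retried next time.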
Unable to bind with LDAP DN having encoded chars
by radiatejava
I am using the OpenLDAP client library 2.4.44 on CentOS 7.3 with an LDAP v3 setting. I am having an issue with LDAP bind when the DN has an encoded representation of special characters like é (e acute). The actual DN is CN=mithun,OU=Groupes de Sécurité,DC=mytest,DC=net and when it is sent by the app (frontend) to our backend, it arrives as CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=insaaadev,DC=net. Basically, é comes encoded as \u00e9, which is as per the encoding mentioned here: https://www.fileformat.info/info/unicode/char/e9/index.htm
To try it out further, I directly hardcoded the DN to CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=mytest,DC=net and that worked fine. I want to understand why it fails when the DN in the same format comes from the frontend app. Appreciate your help, thanks.
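An added example, not from the original post, built on the DN quoted above. It assumes the frontend delivers the six literal characters \u00e9, which is a JSON/Java string escape and not an LDAP one: RFC 4514 only defines backslash plus a special character or backslash plus two hex digits of UTF-8 (é would be \C3\A9), and an unescaped é is simply sent as UTF-8, whereas a \u00e9 hardcoded in C or Java source is turned into a real é by the compiler, which is one explanation for the hardcoded test passing. The helpers validate a DN's escapes, undo the JSON escape and produce the UTF-8 DN string that goes into the bind request.

```python
import re

# The DN as the post says it arrives from the frontend: the six literal
# characters \u00e9 in place of each é (constructed from the post's example).
FRONTEND_DN = r"CN=mithun,OU=Groupes de S\u00e9curit\u00e9,DC=mytest,DC=net"

# RFC 4514 knows two escape forms inside a DN string: backslash plus one of
# the special characters, or backslash plus two hex digits (one UTF-8 byte).
_RFC4514_STRING = re.compile(r'(?:[^\\]|\\[ "#+,;<=>\\]|\\[0-9A-Fa-f]{2})*')

def has_valid_escapes(dn: str) -> bool:
    """True if every backslash in dn starts an escape RFC 4514 recognises."""
    return _RFC4514_STRING.fullmatch(dn) is not None

def unescape_json_unicode(s: str) -> str:
    """Turn literal \\uXXXX sequences (a JSON/Java string escape, not an LDAP
    one) back into the characters they stand for."""
    return re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)

def rfc4514_escape(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4).
    Non-ASCII such as é stays as-is and travels as UTF-8; no \\u form exists."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (i == 0 and ch == "#")
        edge_space = ch == " " and i in (0, len(value) - 1)
        if special or edge_space:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def wire_dn(dn: str) -> bytes:
    """The bytes libldap sends as the bind name: the UTF-8 encoding of the
    RFC 4514 string, after any JSON \\uXXXX escapes have been undone."""
    fixed = unescape_json_unicode(dn)
    if not has_valid_escapes(fixed):
        raise ValueError("DN contains escapes LDAP does not understand")
    return fixed.encode("utf-8")
```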
Backup/Restore Overlays MemberOf
by Lars Päßler
Hello,
I have been running OpenLDAP 2.4.47 on Debian 10 for a while and have now enabled the memberOf overlay. Is there any good option for backup and restore, because slapcat and slapadd aren't working?
Thanks and kind regards
Lars
Re: How to set credential to ldap_gssapi_bind_s?
by Árpád Nagy
Hello,
Thanks for the answer!
What function should I use if I must supply username/password and I want to bind using GSSAPI?
Is it possible somehow with Open LDAP?
Regards,
Arpad
Quanah Gibson-Mount <quanah(a)symas.com> wrote (on 2021 Jan 27, Wed, 18:10):
>
>
> --On Wednesday, January 27, 2021 4:16 PM +0100 Árpád Nagy
> <arpadnagy.bp(a)gmail.com> wrote:
>
> >
> > According to this, it is executed only if 'dn' and 'creds' are NULL.
> > My question is how can I set the user name and password with which I want
> > to authenticate on the LDAP server?
>
> Using GSSAPI implies that the connecting client already has access to a
> kerberos5 ticket, which is used for the authentication step and thus there
> is no username or password to be supplied.
>
> If you must supply a username/password, then you're using the wrong
> function.
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
OpenLDAP proxy to AD with client certificates
by David Cunningham
Hello,
I would like to configure slapd.conf to proxy requests to an AD server.
1.) I want SLAPD to always connect to this AD server as a specific user
2.) I want SLAPD to run all queries including searches against this AD server using the defined user.
3.) I want clients connecting to SLAPD to query AD to be authenticated by revocable client certificate only. If the connecting client has a valid certificate that matches a CA, then its LDAP query is allowed and proxied to Active Directory.
4.) The client should also be able to rebind as user after doing a user DN search (to verify username/password).
Does that make sense?
How to set credential to ldap_gssapi_bind_s?
by Árpád Nagy
Hello,
I try to bind to LDAP server using GSSAPI.
I try to use ldap_gssapi_bind_s method (gssapi.c):
int
ldap_gssapi_bind_s(
        LDAP *ld,
        LDAP_CONST char *dn,
        LDAP_CONST char *creds )
{
        if ( dn != NULL ) {
                return LDAP_NOT_SUPPORTED;
        }
        if ( creds != NULL ) {
                return LDAP_NOT_SUPPORTED;
        }
        return ldap_int_gss_spnego_bind_s(ld);
}
According to this, it is executed only if 'dn' and 'creds' are NULL.
My question is: how can I set the user name and password with which I want to authenticate on the LDAP server?
Regards,
Arpad
Syncprov shows issue with entry
by Nick Milas
Hello,
I would like to ask you for your guidance regarding the following.
We have an OpenLDAP (v2.4.56) master server syncing with three other OpenLDAP slaves.
The master seems to be unable to complete syncing a particular entry successfully and keeps trying forever. Logs follow.
I have only realized this now, but it seems that this has been happening for a long time. (It is recorded in all the logs I have available.)
What is the suggested way to resolve this situation?
=======================================================================================================
...
Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_search_response: Entry cn=thermo,ou=Aliases,dc=noa,dc=gr CSN 20200910151806.461875Z#000000#000#000000 older or equal to ctx 20200910151806.461875Z#000000#000#000000
Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_search_response: cookie=rid=601,csn=20210116055411.875566Z#000000#000#000000
Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_sendinfo: refreshPresent cookie=rid=601,csn=20210116055411.875566Z#000000#000#000000
Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_search_response: detaching op
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_op_search: got a persistent search with a cookie=rid=601,csn=20200910151806.461875Z#000000#000#000000
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_findbase: searching
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_op_search: registered persistent search
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_findcsn: mode=FIND_CSN csn=20200910151806.461875Z#000000#000#000000
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_findcsn: csn==20200910151806.461875Z#000000#000#000000 found
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_findcsn: mode=FIND_PRESENT csn=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: present syncIdSet cookie=
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_search_response: Entry cn=thermo,ou=Aliases,dc=noa,dc=gr CSN 20200910151806.461875Z#000000#000#000000 older or equal to ctx 20200910151806.461875Z#000000#000#000000
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_search_response: cookie=rid=601,csn=20210116055411.875566Z#000000#000#000000
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_sendinfo: refreshPresent cookie=rid=601,csn=20210116055411.875566Z#000000#000#000000
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_search_response: detaching op
=========================================================================================================
Thank you in advance for your advice!
Cheers,
Nick
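An added example, not from the original post, that reads provider log lines in the format quoted above and, per replica id, pairs the cookie each consumer session presented with the cookie the provider sent back at the end of that refresh. A rid that reconnects with a CSN older than the one it was just sent is flagged, because that consumer is evidently not persisting its updated contextCSN; this is the pattern the quoted conn=1048 and conn=1058 sessions show for rid=601, and it is the first thing to check on that consumer before looking at the entry itself. The sample log is constructed from the quoted lines (wrapped lines joined); the conn=1048 "got a persistent search" line is assumed, since the quote starts after it.

```python
import re

# Constructed sample mirroring the provider log in the post (wrapped lines
# joined); the conn=1048 "got a persistent search" line is assumed, since the
# quoted log starts after it.
SAMPLE_LOG = """\
Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_op_search: got a persistent search with a cookie=rid=601,csn=20200910151806.461875Z#000000#000#000000
Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_search_response: Entry cn=thermo,ou=Aliases,dc=noa,dc=gr CSN 20200910151806.461875Z#000000#000#000000 older or equal to ctx 20200910151806.461875Z#000000#000#000000
Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_search_response: cookie=rid=601,csn=20210116055411.875566Z#000000#000#000000
Jan 16 14:48:09 ldap.noa.gr slapd[1655]: conn=1048 op=1 syncprov_search_response: detaching op
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_op_search: got a persistent search with a cookie=rid=601,csn=20200910151806.461875Z#000000#000#000000
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_search_response: cookie=rid=601,csn=20210116055411.875566Z#000000#000#000000
Jan 16 14:51:09 ldap.noa.gr slapd[1655]: conn=1058 op=1 syncprov_search_response: detaching op
"""

GOT_RE = re.compile(r"(\S+ \d+ \d\d:\d\d:\d\d) .* conn=(\d+) .*got a persistent search with a cookie=rid=(\d+),csn=(\S+)")
SENT_RE = re.compile(r"conn=(\d+) .*syncprov_search_response: cookie=rid=(\d+),csn=(\S+)")

def stale_cookie_consumers(log_text):
    """Per rid, list each refresh as [time, conn, csn_presented, csn_sent_back]
    and flag rids that come back with a CSN older than the one they were last
    sent: that consumer is not persisting its cookie (contextCSN)."""
    refreshes = {}   # rid -> list of [time, conn, presented, sent]
    by_conn = {}     # conn -> (rid, index into refreshes[rid])
    for line in log_text.splitlines():
        if m := GOT_RE.search(line):
            when, conn, rid, csn = m.groups()
            refreshes.setdefault(rid, []).append([when, conn, csn, None])
            by_conn[conn] = (rid, len(refreshes[rid]) - 1)
        elif (m := SENT_RE.search(line)) and m.group(1) in by_conn:
            rid, i = by_conn[m.group(1)]
            refreshes[rid][i][3] = m.group(3)
    flagged = {}
    for rid, runs in refreshes.items():
        # CSN strings sort lexically by timestamp (YYYYMMDDhhmmss.ffffffZ)
        stale = [r for prev, r in zip(runs, runs[1:]) if prev[3] and r[2] < prev[3]]
        if stale:
            flagged[rid] = [(r[0], r[1], r[2]) for r in stale]
    return refreshes, flagged
```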