Index seems to return wrong number of candidates causing really poor search performance
by chrichardso27@gmail.com
Hi,
Considering the following assumptions:
- OpenLDAP version 2.4.51
- attributes objectClass and abc are indexed based on equality
- the EQUALITY of attribute abc is based on distinguishedNameMatch
- The database contains roughly 2 million entries
- 2 entries have defined the attribute abc with a dn value cn=foo,dc=bar and objectClass=someClass
- 2 entries have defined the attribute abc with a dn value cn=bar,dc=baz and objectClass=someClass
Now, the issue started with really slow search performance using objectClass=someClass & abc=cn=foo,dc=bar as filter criteria. Debugging for a while seems to indicate that the objectClass filter returns roughly 2 million entries as candidates. Now, one would expect that the second filter would return only the 2 potential candidates from the abc index, or a subset of the whole database, but this is not the case. The second filter also returns nearly all of the database entries as potential candidates and causes really slow query performance. Interestingly, this only occurs when attribute abc has the value cn=foo,dc=bar, but for some reason for the entry having attribute abc with the value cn=bar,dc=baz the query returns immediately. In both cases, the actual entries matching the search return immediately, but for the problematic search "(&(objectClass=someClass)(abc=cn=foo,dc=bar))" the completion of the search takes a long time (around 15 seconds to be precise).
The issue started suddenly and wasn't a degradation of query performance over time.
A few things I have tried:
- Rebuilt the whole database again
- Reindexed the existing database again
- Tested with bdb and mdb as backends
- Increased cache sizes for bdb to hold the whole database in cache
- For bdb, adjusted the page size of the indexes according to the suggestion by db_tuner
- Changed the order of the filters
None of these made any difference. At the moment, there do not seem to be any good options left to try. Any ideas or help would be greatly appreciated!
2 years, 1 month
multival member ...
by Michael Ströder
Hi!
Experimenting with 2.5.4, I wonder what reasonable values are for
applying multival to the attribute 'member' in group entries.
I guess this depends on the length of the member DN values. Is there a clear way
to calculate this? Or how to find out the effect of the current settings?
Ciao, Michael.
P.S.: Yes, I know I have to reload the database when adding multival
config option.
2 years, 5 months
Groups and accesses
by Клеусов Владимир Сергеевич
Hi, there was an idea to use OpenLDAP as an address book for mail.
Tell me how to make it so that there are two groups. The members of one see all of the entries (i.e. the general address book) and only the admin edits them. The members of the other are only seen and edited by the owner (i.e. the personal address book).
2 years, 5 months
Unable to delete root entry
by Николай Данилов
When installing openldap with the mdb database, the root entry cannot be deleted.
Tested on systems:
OS Linux Debian 10, slapd 2.4.57+dfsg-2
Arch Linux, openldap 2.4.58-1
Oracle Linux 8, openldap 2.4.58 (from source)
The root entry was created by the command:
ldapadd -x -D 'cn=admin,dc=example,dc=org' -f root_entry.ldif
Content of the root_entry.ldif file:
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: Example
description: Example directory

dn: cn=root,dc=example,dc=org
objectClass: organizationalRole
cn: root
description: Directory Manager
Trying to delete the root entry:
ldapdelete -x -r 'dc=example,dc=org' -D 'cn=admin,dc=example,dc=org' -w admin
Output - ldap_delete: No such object (32)
How can I delete the root entry and create a new one with other structural objectclasses?
2 years, 5 months
OpenLDAP 2.5 Release Candidate Testing (OpenLDAP 2.5.4)
by Quanah Gibson-Mount
This is a testing call for OpenLDAP 2.5 Release Candidate (OpenLDAP 2.5.4)
Depending on the results, this may be the only testing call.
Generally, get the code for RE25:
<https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5...>
Extract, configure, and build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Note that there are new features in 2.5, so please examine the options
available with configure carefully. Some examples:
The new load balancer, which can either be built as a module for slapd
(--enable-balancer=mod) or as a standalone server (--enable-balancer=yes)
The libargon2 password module (--enable-argon2).
Systemd notification support (--with-systemd=yes).
Thanks!
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
2 years, 5 months
Best way to secure LDAP to public Server
by work@seyboldt.org
Hey,
I need to open my LDAP directory to a publicly available server.
What is the most secure way to connect my LDAP server to my public server?
I thought about a proxy on my firewall where I could specify requests to my LDAP server, or is there a better or an official way to do this?
Thanks,
RMs3Q
2 years, 5 months
Config files & env vars not read when geteuid() != getuid()
by Norm Green
Hello LDAP users and maintainers,
libraries/libldap/init.c has this code which bypasses reading all LDAP
config env vars when the executable loading libldap is running in setuid mode.
This is causing problems for one of our customers who routinely runs our
product's Linux executables (which load our libldap) in setuid mode for
legitimate purposes.
Since we have the source, we can and may change this code.
In our case, the customer wants to set the env var LDAPCONF to point at a
non-default conf file but is unable to do so. In fact this code bypasses
almost all ways an alternate config file can be read.
Even $HOME/ldap.conf is not read.
My question here is: should this code be considered a bug and changed to
be less restrictive? I fully appreciate there should be restrictions
when in setuid mode, but the current code seems too restrictive.
init.c:

	openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);	/* system-wide config: always read */

#ifdef HAVE_GETEUID
	if ( geteuid() != getuid() )	/* running setuid: skip user-controlled config */
		goto done;
#endif

	openldap_ldap_init_w_userconf(LDAP_USERRC_FILE);	/* per-user config: only when not setuid */

Norm Green
GemTalk Systems LLC
2 years, 5 months
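As an added illustration of why that check exists (this is example code, not OpenLDAP's own), the following C program applies the same policy: the system-wide file is always consulted, while LDAPCONF and files under $HOME are honoured only when the real and effective uid match, because in a setuid binary those are controlled by the unprivileged invoker. The system config path and the ldaprc file name are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed system config path; a real build takes it from configure. */
#define SYSCONF_PATH "/etc/openldap/ldap.conf"

/* Caller-supplied configuration (environment variables, files under
 * $HOME) is only trustworthy when the process runs with the privileges
 * of whoever invoked it, i.e. real uid == effective uid.  In a setuid
 * binary the invoker controls LDAPCONF and HOME but not the effective
 * uid, so honouring them would let an unprivileged user feed config
 * (e.g. a different TLS CA or server URI) into a privileged process. */
int user_config_trusted(uid_t ruid, uid_t euid) {
    return ruid == euid;
}

/* getenv() that refuses to answer in setuid mode, the same policy
 * glibc's secure_getenv() applies. */
const char *safe_getenv(const char *name) {
    if (!user_config_trusted(getuid(), geteuid()))
        return NULL;
    return getenv(name);
}

/* Resolve the config files that would be consulted, in order, into out[]
 * (each at most 256 bytes) and return how many were written.  ruid/euid,
 * ldapconf (value of LDAPCONF) and home (value of HOME) are parameters so
 * the policy can be exercised without actually being setuid. */
int resolve_config_paths(uid_t ruid, uid_t euid, const char *ldapconf,
                         const char *home, char out[][256], int max) {
    int n = 0;
    if (n < max) snprintf(out[n++], 256, "%s", SYSCONF_PATH); /* always read */
    if (!user_config_trusted(ruid, euid))
        return n;           /* setuid: stop here, as init.c's goto done does */
    if (ldapconf && n < max) snprintf(out[n++], 256, "%s", ldapconf);
    if (home && n < max) snprintf(out[n++], 256, "%s/ldaprc", home); /* assumed name */
    return n;
}

int main(void) {
    char paths[4][256];
    int n = resolve_config_paths(getuid(), geteuid(), safe_getenv("LDAPCONF"),
                                 safe_getenv("HOME"), paths, 4);
    for (int i = 0; i < n; i++)
        printf("would read: %s\n", paths[i]);
    return 0;
}
```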
default config file
by Rallavagu Kon
Hello All,
Noticing a difference in the behavior of locating the config file at startup between 2.4.48 and 2.4.58.
The 2.4.48 is an Ubuntu-supplied package while 2.4.58 is compiled with the following options:
./configure --prefix=/opt/openldap \
--sysconfdir=/etc/ldap \
--localstatedir=/opt/openldap/var \
--libexecdir=/opt/openldap/lib \
--disable-static \
--enable-debug \
--with-tls=openssl \
--with-cyrus-sasl \
--enable-dynamic \
--enable-crypt \
--enable-spasswd \
--enable-slapd \
--enable-modules \
--enable-rlookups \
--enable-backends=mod \
--disable-ndb \
--disable-sql \
--disable-shell \
--disable-bdb \
--disable-hdb \
--enable-overlays=mod
When slapd is started in debug mode, I see the following for 2.4.48:
6077b590 backend_startup_one: starting "cn=config"
6077b590 ldif_read_file: read entry file: "/etc/ldap/slapd.d/cn=config.ldif"
Essentially, it is looking for "cn=config". However, after replacing the binaries with the compiled version of 2.4.58:
6077b37d could not stat config file "/etc/ldap/slapd.d/slapd.conf": No such file or directory (2)
I clearly notice that the existing configuration file(s) are not considered with 2.4.58. Wondering what the difference is and how I can use the existing configuration files.
Thanks
2 years, 5 months
Re: performance tuning for n-way and heavy client load
by Zetan Drableg
>> >> Do you have a lot of large groups that you frequently update?
>> >
>> > Yes we have several groups with ~40k users from which we frequently
>> > add/remove users based on upstream user provisioning workflows.
>>
>> Are you replacing the entire group when you do that, or only
>> adding/deleting specific users?
>>
>> Either way, for 2.4 you definitely want to use sortvals. Likely what you
>> need is OpenLDAP 2.5's multival feature as well.
We incrementally insert users and group memberships instead of
replacing the entire group every time.
This mailing list helped me discover that "sortvals member" improved
performance of single record inserts, but didn't help the overall
problem.
Why do excess free pages in MDB impact performance when inserting new data?
On Fri, Apr 16, 2021 at 11:05 AM Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>
> --On Friday, April 16, 2021 12:01 PM -0700 Zetan Drableg
> <zetan.drableg(a)gmail.com> wrote:
>
> >> Do you have a lot of large groups that you frequently update?
> >
> > Yes we have several groups with ~40k users from which we frequently
> > add/remove users based on upstream user provisioning workflows.
>
> Are you replacing the entire group when you do that, or only
> adding/deleting specific users?
>
> Either way, for 2.4 you definitely want to use sortvals. Likely what you
> need is OpenLDAP 2.5's multival feature as well.
>
> Regards,
> Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
2 years, 5 months