openldap-technical June 2021

openldap-technical@openldap.org

24 participants
24 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Index seems to return wrong amount of candidate causing really poor search performance
by chrichardso27＠gmail.com 18 Aug '21

18 Aug '21

Hi, Considering the following assumptions; - OpenLDAP version 2.4.51 - attributes objectClass and abc are indexed based on equality - the EQUALITY of attribute abc is based on distinguishedNameMatch - The database contains roughly 2 million entries - 2 entries have defined the attribute abc with a dn value cn=foo,dc=bar and objectClass=someClass - 2 entries have defined the attribute abc with a dn value cn=bar,dc=baz and objectClass=someClass Now, the issue started with really slow search performance using objectClass=someClass & abc=cn=foo,dc=bar as filter criteria. Debugging a while seems to indicate that the objectClass filter returns roughly 2 million entries as candidates. Now, one would expect that the second filter would return only the 2 potential candidates from the abc index, or a subset of the whole database but this is not the case. The second filter also returns nearly the whole database entries as potential candidates and causes really slow query performance. Interestingly, this only occurs when attribute abc has value cn=foo,dc=bar, but for some reason for the entry having attribute abc with value cn=bar,dc=baz the query returns immediately. In both cases, the actual entries matching the search return immediately but for the problematic search "(&(objectClass=someClass)(abc=cn=foo,dc=bar))", the completion of the search takes a long time (around 15 seconds to be precise). The issue started suddenly and wasn't a degradation of query performance over time. Few things I have tried - Rebuilt the whole database again - Reindex the existing database again - Testing with bdb and mdb as backends - Increased cache sizes for bdb to hold the whole database in cache - For bdb adjust the page size of the indexes according to suggestion by db_tuner - Change the order of the filters None of these made any difference. At the moment, there does not seem to be any good options to try. Any ideas or help would be greatly appreciated!

6 18

Consumer Delta Sync Lost After Provider Restarted
by thomaswilliampritchard＠gmail.com 06 Jul '21

06 Jul '21

Hi, I'm experiencing an issue between my 3 providers and multiple consumer setup and delta sync repl. We manage a primary, or active, provider and send all writes to the primary as long as it's healthy letting the two others replicate and be standby providers ready to take over in the event of a failure. All consumers replicate from all providers and all providers replicate from all providers. After the system was running healthily for over a week a standby provider was restarted. This caused my consumers to re-establish the persistent sync connection. Upon re-establishing the connection, some consumers began a sync refresh with the following message. Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep1: rid=003 starting refresh (sending cookie=rid=003,csn=20210331192036.214412Z#000000#000#000000;20210119225955.133811Z#000000#001#000000;20210128213906.596429Z#000000#002#000000;20210226190704.219043Z#000000#005#000000;20210412181659.152626Z#000000#065#000000;20210610231714.990702Z#000000#066#000000;20210614191744.122968Z#000000#44d#000000;20210412175600.595586Z#000000#835#000000;20210423182110.684843Z#000000#836#000000;20210331193249.570935Z#000000#ce5#000000) Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep2: rid=003 LDAP_RES_SEARCH_RESULT Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep2: rid=003 delta-sync lost sync, switching to REFRESH Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep2: rid=003 (4096) Content Sync Refresh Required This was re-establishing a connection with rid=003 which is "20210412175600.595586Z#000000#835#000000" (a standby system) however we have only been sending writes to server #44d# (the primary provider). We see 44d CSN is over 7 days old, beyond our providers access log period. On the consumer that did not trigger sync refresh we see Jun 28 18:32:55 openldap-hdb-consumer slapd[24439]: do_syncrep1: rid=003 starting refresh (sending cookie=rid=003,csn=20210331192036.214412Z#000000#000#000000;20210119225955.133811Z#000000#001#000000;20210128213906.596429Z#000000#002#000000;20210226190704.219043Z#000000#005#000000;20210412181659.152626Z#000000#065#000000;20210621212459.620195Z#000000#066#000000;20210621214400.407867Z#000000#44d#000000;20210412175600.595586Z#000000#835#000000;20210423182110.684843Z#000000#836#000000;20210331193249.570935Z#000000#ce5#000000) Here we see 20210621214400.407867Z#000000#44d#000000 is much more recent and did not trigger a full resync, although it is close to the 7 day threshold at this point. We notice the rid=003 835 csn is the same as the consumer experiencing the problem which makes me believe the #44d# csn being old is what causes this sync refresh. I am concerned why when the standby provider is restarted the connection is getting re-established with old provider CSNs, when I search the CSNs on the consumers they look newer than the ones used to reestablish the connection. If we restart slapd on the providers after running consumers for 7 days it seems like it will trigger a sync refresh. How can we make the consumers re-establish the connection with the most recent CSN? Replication is working as expected, just the CSNs seem to remain old in this connection message. The sync refresh behavior causes a large load on the consumers and providers spiking bind times and degrading service making this concerning for our production environment. Configuration details are below. Your insights are appreciated. @(#) $OpenLDAP: slapd 2.4.56 (Dec 14 2020 17:31:23) $ @57af0b7ce0ba:/root/rpmbuild/BUILD/openldap-2.4.56/openldap-2.4.56/servers/slapd Provider config Primary DB # {2}mdb, config dn: olcDatabase={2}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {2}mdb olcDbDirectory: /var/lib/ldap ... olcSizeLimit: unlimited olcSyncrepl: {0}rid=1 provider=ldap://10.20.0.4 bindmethod=simple binddn ="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refresh AndPersist retry="5 10 60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter=" (&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcSyncrepl: {1}rid=2 provider=ldap://10.20.1.151 bindmethod=simple bind dn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refre shAndPersist retry="5 10 60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter ="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcSyncrepl: {2}rid=3 provider=ldap://10.20.2.240 bindmethod=simple bind dn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refre shAndPersist retry="5 10 60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter ="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcMirrorMode: TRUE ... olcDbMaxSize: 15000000000 Sync Prov # {1}syncprov, {2}mdb, config dn: olcOverlay={1}syncprov,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {1}syncprov olcSpCheckpoint: 1 1 Access Log # {3}accesslog, {2}mdb, config dn: olcOverlay={3}accesslog,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: {3}accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogPurge: 07+00:00 01+00:00 olcAccessLogSuccess: TRUE # {3}mdb, config dn: olcDatabase={3}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {3}mdb olcDbDirectory: /var/lib/ldap/accesslog olcSuffix: cn=accesslog olcRootDN: cn=admin,dc=example,dc=com olcDbIndex: default eq olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart olcDbMaxSize: 15000000000 # {0}syncprov, {3}mdb, config dn: olcOverlay={0}syncprov,olcDatabase={3}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov olcSpNoPresent: TRUE olcSpReloadHint: TRUE Consumer Config: # {2}hdb, config dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=example,dc=com olcRootDN: cn=admin,dc=example,dc=com olcRootPW: {SSHA} olcSyncrepl: {0}rid=1 provider=ldap://10.20.0.4 bindmethod=simple binddn ="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refresh AndPersist retry="60 +" sizelimit=unlimited timelimit=unlimited start tls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&(ob jectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcSyncrepl: {1}rid=2 provider=ldap://10.20.1.151 bindmethod=simple bind dn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refre shAndPersist retry="60 +" sizelimit=unlimited timelimit=unlimited sta rttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&( objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcSyncrepl: {2}rid=3 provider=ldap://10.20.2.240 bindmethod=simple bind dn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refre shAndPersist retry="60 +" sizelimit=unlimited timelimit=unlimited sta rttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&( objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcDbCheckpoint: 102400 10

2 4

Are Password Expired and Password Expiry warning (2.16.840.1.113730.3.4.5) controls supported in OpenLDAP
by cst labs 06 Jul '21

06 Jul '21

hello: I am currently evaluating the OpenLDAP version 2.4.58. I was told by someone that it does support the password expired control but I don't see that it is working. As per the RFC, the server should send this control as a part of response but it doesn't. I do see that the server returns the password policy state control that has expired and warning information. However, I am interested in the password expired control since I am looking to support an existing implementation that leverages that control. Can someone tell me how to configure openldap to return that control?

3 2

enable WiredTiger not defaulting to no
by dbray925+openldap＠gmail.com 30 Jun '21

30 Jun '21

I'm currently testing out the 2.5.5 install, and during the configure process it fails with: configure: error: Package requirements (wiredtiger) were not met: Package 'wiredtiger', required by 'virtual:world', not found The documentation (--help) shows that this should be default to no: --enable-wt enable WiredTiger backend no|yes|mod [no] However, this is not the case, and I have to manually set: ./configure --enable-wt=no

3 4

OpenLDAP & IDN support
by trantorvega＠gmail.com 29 Jun '21

29 Jun '21

Hello everyone. I am writing here (hopefully it's the right list for the topic) to ask about IDN (Internationalized Domain Names) support in OpenLDAP and LDAP in general. I've been perusing IETF documents and all I could find was a couple of expired drafts, 18 and 20 years old, pertaining the topic. https://datatracker.ietf.org/doc/draft-hall-ldap-idn/ https://datatracker.ietf.org/doc/draft-zeilenga-ldap-idn/ Does anyone have more information on the topic and maybe on why those drafts went nowhere? Thanks in advance, Fulvio Scapin

4 5

How to delete entries from cn=config with openldap-2.5
by Francesco Malvezzi 29 Jun '21

29 Jun '21

hi all, does the "Better cn=config functionality" enhancement in openldap-2.5 include the deletability of entries (like a module)? Should this: sudo ldapdelete -H ldapi:/// -Y EXTERNAL cn=module{0},cn=config work and what am I missing? thank you, Francesco

2 1

totp1andpw
by Stefan Kania 28 Jun '21

28 Jun '21

Hi to all, I'm still testing TOPT with OpenLDAP 2.5. I got TOTP1 running. So a user with an OTP can use the six-digit number from googleauthenticator (or freeOTP+) to authenticate while using ldapsearch. Then I switch to TOTP1ANDPW I generate a secretkey for the TOTP-part of userPassword. Then I create a password with "slappasswd" and put both TOTP1|password together in userPassword after decoding base64 I saw what I expected: ------------ dn: cn=u1,ou=users,dc=example,dc=net objectClass: posixAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: autoCAuser loginShell: /bin/bash homeDirectory: /home/u1 uid: u1 uidNumber: 10010 gidNumber: 10000 sn: u givenName: 1 cn: u1 userPassword:: e1RPVFAxQU5EUFd9TUpBVk1UM0tNUlVXSVNDUEtKWEhJWVNaR1kzRE80Q0x8e1N TSEF9RWlCcVIwUGR4SUluMSswZTNqRSs1MXlwb1p6dTFKVUc= ------------------ echo "e1RPVFAxQU5EUFd9TUpBVk1UM0tNUlVXSVNDUEtKWEhJWVNaR1kzRE80Q0x8e1NTSEF9RWlCcVIwUGR4SUluMSswZTNqRSs1MXlwb1p6dTFKVUc=" | base64 -d {TOTP1ANDPW}MJAVMT3KMRUWISCPKJXHIYSZGY3DO4CL|{SSHA}EiBqR0PdxIIn1+0e3jE+51ypoZzu1JUG I then try to authenticate using ldapsearch with: 123456secret where 123456 is the six-digit key from googleauthenticator and "secret" is the password. But I always got an error 49 :-( I read this to set up the password: https://git.openldap.org/ondra/openldap/-/tree/dfe1f6494d69a885477e854944a6… Any hint? Anyone who got this running? I wrote a little bash-script to generate the shared-key, the password and write it into the users object: THIS SCRIPT IS FOR TESTING PURPOSE ONLY! ----------------------------- #!/bin/bash ########################################## # This script requires an OpenLDAP 2.5.x # # with the overlay pw-totp and autoca # # active and configured! # ########################################## # This script generats a TOTP1ANDPW password for a user # the script needs the full DN of the user # and an email address for the user. # The script will NOT check if the email address is valide # Ther will be a random string generated for the user # the user do not need the string. The string is only # to generate the sharedkey for the user. # At the end you will see the sharedkey, the user can enter # in an authenticator app like googleauthentiicator or freeOTP # and a png-file will be created with the QR-code for the sharedkey # # The script can be used via network or local only via the ldapi-socket if [ $# -ne 2 ] then echo "User-DN and User-Mail is needed" echo "usage: $0 userdn user@mail" exit 1 fi USER_DN=$1 USER_MAIL=$2 LDAP_SERVER=ldap://ldap25-p01.example.net USE_LDAPI=1 # set to "0" if userlogin is prefered USE_TLS=1 # if TLS should not be used set to "0" #LDAP_ADMIN="uid=ldap-admin,ou=users,dc=example,dc=net" LDAP_ADMIN="cn=admin,dc=example,dc=net" LDAP_ADMIN_PW="secret" TOPT_ISSUER=stka USER_PW_TOTP_BASE64="" USER_NAME="" USER_SHARED_KEY="" QR_TEXT="" USER_PASSWORD="" # Setting the varaible to use TLS if selected if [ "$USE_TLS" -eq 1 ] then ACTIVATE_TLS="-ZZ" else ACTIVATE_TLS="" fi if [ ! -f "/usr/bin/qrencode" ] then echo "qrencode is not installed!" exit 2 fi #First part of DN is USER_MANE USER_NAME=$(echo "$USER_DN" | cut -d "," -f 1) # Let's get shure that there is exactly one user present in database if [ $USE_LDAPI -eq 1 ] then USER_DN_IN_DB=$(ldapsearch -Q -Y EXTERNAL -LLL -H ldapi:/// $USER_NAME dn 2>/dev/null | cut -d " " -f 2) else USER_DN_IN_DB=$(ldapsearch -xLLL "$ACTIVATE_TLS" -D "$LDAP_ADMIN" -w "$LDAP_ADMIN_PW" -H "$LDAP_SERVER" "$USER_NAME" dn 2>/dev/null | cut -d " " -f 2) fi if [ "${USER_DN,,}" != "${USER_DN_IN_DB,,}" ] then echo "User $USER_DN not found in database" exit 3 fi #Create random 20 byte string: 160 bit is recommended (min 128 bit) USER_PW=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20 ; echo '') #Create the password for 2fa USER_PASSWORD=$(slappasswd) #Set user password if [ $USE_LDAPI -eq 1 ] then ldappasswd -Q -Y EXTERNAL -H ldapi:/// -s "${USER_PW}|${USER_PASSWORD}" "$USER_DN" else ldappasswd -x "$ACTIVATE_TLS" -D "$LDAP_ADMIN" -w "$LDAP_ADMIN_PW" -s "${USER_PW}|${USER_PASSWORD}" "$USER_DN" fi #Read user password from LDAP in TOTP1-format if [ $USE_LDAPI -eq 1 ] then PW_STEP_1=$(ldapsearch -Q -Y EXTERNAL -LLL -H ldapi:/// "$USER_NAME" userpassword | grep -A1 userPassword) USER_PW_TOTP_BASE64=$(echo $PW_STEP_1 | awk '{print $2 $3}') else USER_PW_TOTP_BASE64=$(ldapsearch -x "$ACTIVATE_TLS" -D "$LDAP_ADMIN" -w "$LDAP_ADMIN_PW" -LLL -H "$LDAP_SERVER" "$USER_NAME" userpassword | grep userPassword | cut -d " " -f 2 | cut -d '|' -f 1) fi #Create user shared key USER_SHARED_KEY=$(echo $USER_PW_TOTP_BASE64 | base64 -d) #cut the password hash type from shared key USER_SHARED_KEY=$(echo $USER_SHARED_KEY | cut -d "|" -f 1 | cut -d "}" -f 2) #Create the QR-text for the user QR_TEXT="otpauth://totp/$LDAP_SERVER:$USER_MAIL?secret=${USER_SHARED_KEY}a&issuer=${TOTP_ISSUER}&period=30&digits=6&algorithm=SHA1" #Generate the QR-code echo $QR_TEXT | qrencode -s9 -o ${USER_MAIL}.png echo "Shared key for User $USER_DN is $USER_SHARED_KEY" echo "You find the QR-code in file ${USER_MAIL}.png" -----------------------------

6 7

slapd does not start after upgrade
by BÖSCH Christian 22 Jun '21

22 Jun '21

Hi, I've upgraded openldap 2.4.57 to 2.4.59 on FreeBSD 12.2 using portmaster, what has always worked over the last few years. After upgrade the config seems to be bad which hasn't changed…? root@openldap2:/usr/local/etc/openldap # /usr/local/libexec/slapd -Tt -u 60d0a1cd PROXIED attributeDescription "O" inserted. 60d0a1cd UNKNOWN attributeDescription "OLCRWMTFSUPPORT" inserted. 60d0a1cd UNKNOWN attributeDescription "OLCRWMNORMALIZEMAPPED" inserted. 60d0a1cd UNKNOWN attributeDescription "OLCRWMREWRITE" inserted. 60d0a1cd config error processing olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config: slaptest: bad configuration file! dn: olcOverlay={0}rwm objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmTFSupport: false olcRwmNormalizeMapped: FALSE structuralObjectClass: olcRwmConfig olcRwmRewrite: {0}rwm-rewriteEngine "on" olcRwmRewrite: {1}rwm-rewriteMap "ldap" "attr2dn" "ldap://localhost/o=abc.org?dn?sub" olcRwmRewrite: {2}rwm-rewriteContext "bindDN" olcRwmRewrite: {3}rwm-rewriteRule "^eduPersonPrincipalName=[^,]+@[^,]+$" "${ attr2dn($0)}" ":@I" Does anyone have a hint what's going wrong? Thanks, Christian

3 2

avoid modifying /etc/sasl2/slapd.conf
by Michael Ströder 17 Jun '21

17 Jun '21

HI! Some automated tests of my Python module check SASL bind with various mechs. For this to work I normally have to add those SASL mechs to /etc/sasl2/slapd.conf. But this fails in the openSUSE build system with "permission denied". Is there a possibility to override SASL mechs used by slapd with an env var or similar? Ciao, Michael.

3 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2021