June 2021 - openldap-technical

Index seems to return wrong amount of candidate causing really poor search performance

by chrichardso27＠gmail.com

Hi, Considering the following assumptions; - OpenLDAP version 2.4.51 - attributes objectClass and abc are indexed based on equality - the EQUALITY of attribute abc is based on distinguishedNameMatch - The database contains roughly 2 million entries - 2 entries have defined the attribute abc with a dn value cn=foo,dc=bar and objectClass=someClass - 2 entries have defined the attribute abc with a dn value cn=bar,dc=baz and objectClass=someClass Now, the issue started with really slow search performance using objectClass=someClass & abc=cn=foo,dc=bar as filter criteria. Debugging a while seems to indicate that the objectClass filter returns roughly 2 million entries as candidates. Now, one would expect that the second filter would return only the 2 potential candidates from the abc index, or a subset of the whole database but this is not the case. The second filter also returns nearly the whole database entries as potential candidates and causes really slow query performance. Interestingly, this only occurs when attribute abc has value cn=foo,dc=bar, but for some reason for the entry having attribute abc with value cn=bar,dc=baz the query returns immediately. In both cases, the actual entries matching the search return immediately but for the problematic search "(&(objectClass=someClass)(abc=cn=foo,dc=bar))", the completion of the search takes a long time (around 15 seconds to be precise). The issue started suddenly and wasn't a degradation of query performance over time. Few things I have tried - Rebuilt the whole database again - Reindex the existing database again - Testing with bdb and mdb as backends - Increased cache sizes for bdb to hold the whole database in cache - For bdb adjust the page size of the indexes according to suggestion by db_tuner - Change the order of the filters None of these made any difference. At the moment, there does not seem to be any good options to try. Any ideas or help would be greatly appreciated!

1 year, 9 months

6
18
0 / 0

Consumer Delta Sync Lost After Provider Restarted

by thomaswilliampritchard＠gmail.com

Hi, I'm experiencing an issue between my 3 providers and multiple consumer setup and delta sync repl. We manage a primary, or active, provider and send all writes to the primary as long as it's healthy letting the two others replicate and be standby providers ready to take over in the event of a failure. All consumers replicate from all providers and all providers replicate from all providers. After the system was running healthily for over a week a standby provider was restarted. This caused my consumers to re-establish the persistent sync connection. Upon re-establishing the connection, some consumers began a sync refresh with the following message. Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep1: rid=003 starting refresh (sending cookie=rid=003,csn=20210331192036.214412Z#000000#000#000000;20210119225955.133811Z#000000#001#000000;20210128213906.596429Z#000000#002#000000;20210226190704.219043Z#000000#005#000000;20210412181659.152626Z#000000#065#000000;20210610231714.990702Z#000000#066#000000;20210614191744.122968Z#000000#44d#000000;20210412175600.595586Z#000000#835#000000;20210423182110.684843Z#000000#836#000000;20210331193249.570935Z#000000#ce5#000000) Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep2: rid=003 LDAP_RES_SEARCH_RESULT Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep2: rid=003 delta-sync lost sync, switching to REFRESH Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep2: rid=003 (4096) Content Sync Refresh Required This was re-establishing a connection with rid=003 which is "20210412175600.595586Z#000000#835#000000" (a standby system) however we have only been sending writes to server #44d# (the primary provider). We see 44d CSN is over 7 days old, beyond our providers access log period. On the consumer that did not trigger sync refresh we see Jun 28 18:32:55 openldap-hdb-consumer slapd[24439]: do_syncrep1: rid=003 starting refresh (sending cookie=rid=003,csn=20210331192036.214412Z#000000#000#000000;20210119225955.133811Z#000000#001#000000;20210128213906.596429Z#000000#002#000000;20210226190704.219043Z#000000#005#000000;20210412181659.152626Z#000000#065#000000;20210621212459.620195Z#000000#066#000000;20210621214400.407867Z#000000#44d#000000;20210412175600.595586Z#000000#835#000000;20210423182110.684843Z#000000#836#000000;20210331193249.570935Z#000000#ce5#000000) Here we see 20210621214400.407867Z#000000#44d#000000 is much more recent and did not trigger a full resync, although it is close to the 7 day threshold at this point. We notice the rid=003 835 csn is the same as the consumer experiencing the problem which makes me believe the #44d# csn being old is what causes this sync refresh. I am concerned why when the standby provider is restarted the connection is getting re-established with old provider CSNs, when I search the CSNs on the consumers they look newer than the ones used to reestablish the connection. If we restart slapd on the providers after running consumers for 7 days it seems like it will trigger a sync refresh. How can we make the consumers re-establish the connection with the most recent CSN? Replication is working as expected, just the CSNs seem to remain old in this connection message. The sync refresh behavior causes a large load on the consumers and providers spiking bind times and degrading service making this concerning for our production environment. Configuration details are below. Your insights are appreciated. @(#) $OpenLDAP: slapd 2.4.56 (Dec 14 2020 17:31:23) $ @57af0b7ce0ba:/root/rpmbuild/BUILD/openldap-2.4.56/openldap-2.4.56/servers/slapd Provider config Primary DB # {2}mdb, config dn: olcDatabase={2}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {2}mdb olcDbDirectory: /var/lib/ldap ... olcSizeLimit: unlimited olcSyncrepl: {0}rid=1 provider=ldap://10.20.0.4 bindmethod=simple binddn ="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refresh AndPersist retry="5 10 60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter=" (&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcSyncrepl: {1}rid=2 provider=ldap://10.20.1.151 bindmethod=simple bind dn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refre shAndPersist retry="5 10 60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter ="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcSyncrepl: {2}rid=3 provider=ldap://10.20.2.240 bindmethod=simple bind dn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refre shAndPersist retry="5 10 60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter ="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcMirrorMode: TRUE ... olcDbMaxSize: 15000000000 Sync Prov # {1}syncprov, {2}mdb, config dn: olcOverlay={1}syncprov,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {1}syncprov olcSpCheckpoint: 1 1 Access Log # {3}accesslog, {2}mdb, config dn: olcOverlay={3}accesslog,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: {3}accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogPurge: 07+00:00 01+00:00 olcAccessLogSuccess: TRUE # {3}mdb, config dn: olcDatabase={3}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {3}mdb olcDbDirectory: /var/lib/ldap/accesslog olcSuffix: cn=accesslog olcRootDN: cn=admin,dc=example,dc=com olcDbIndex: default eq olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart olcDbMaxSize: 15000000000 # {0}syncprov, {3}mdb, config dn: olcOverlay={0}syncprov,olcDatabase={3}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov olcSpNoPresent: TRUE olcSpReloadHint: TRUE Consumer Config: # {2}hdb, config dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=example,dc=com olcRootDN: cn=admin,dc=example,dc=com olcRootPW: {SSHA} olcSyncrepl: {0}rid=1 provider=ldap://10.20.0.4 bindmethod=simple binddn ="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refresh AndPersist retry="60 +" sizelimit=unlimited timelimit=unlimited start tls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&(ob jectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcSyncrepl: {1}rid=2 provider=ldap://10.20.1.151 bindmethod=simple bind dn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refre shAndPersist retry="60 +" sizelimit=unlimited timelimit=unlimited sta rttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&( objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcSyncrepl: {2}rid=3 provider=ldap://10.20.2.240 bindmethod=simple bind dn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refre shAndPersist retry="60 +" sizelimit=unlimited timelimit=unlimited sta rttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&( objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog olcDbCheckpoint: 102400 10

1 year, 11 months

2
4
0 / 0

Are Password Expired and Password Expiry warning (2.16.840.1.113730.3.4.5) controls supported in OpenLDAP

by cst labs

hello: I am currently evaluating the OpenLDAP version 2.4.58. I was told by someone that it does support the password expired control but I don't see that it is working. As per the RFC, the server should send this control as a part of response but it doesn't. I do see that the server returns the password policy state control that has expired and warning information. However, I am interested in the password expired control since I am looking to support an existing implementation that leverages that control. Can someone tell me how to configure openldap to return that control?

1 year, 11 months

3
2
0 / 0

enable WiredTiger not defaulting to no

by dbray925+openldap＠gmail.com

I'm currently testing out the 2.5.5 install, and during the configure process it fails with: configure: error: Package requirements (wiredtiger) were not met: Package 'wiredtiger', required by 'virtual:world', not found The documentation (--help) shows that this should be default to no: --enable-wt enable WiredTiger backend no|yes|mod [no] However, this is not the case, and I have to manually set: ./configure --enable-wt=no

1 year, 11 months

3
4
0 / 0

OpenLDAP & IDN support

by trantorvega＠gmail.com

Hello everyone. I am writing here (hopefully it's the right list for the topic) to ask about IDN (Internationalized Domain Names) support in OpenLDAP and LDAP in general. I've been perusing IETF documents and all I could find was a couple of expired drafts, 18 and 20 years old, pertaining the topic. https://datatracker.ietf.org/doc/draft-hall-ldap-idn/ https://datatracker.ietf.org/doc/draft-zeilenga-ldap-idn/ Does anyone have more information on the topic and maybe on why those drafts went nowhere? Thanks in advance, Fulvio Scapin

1 year, 11 months

4
5
0 / 0

How to delete entries from cn=config with openldap-2.5

by Francesco Malvezzi

hi all, does the "Better cn=config functionality" enhancement in openldap-2.5 include the deletability of entries (like a module)? Should this: sudo ldapdelete -H ldapi:/// -Y EXTERNAL cn=module{0},cn=config work and what am I missing? thank you, Francesco

1 year, 11 months

2
1
0 / 0

totp1andpw

by Stefan Kania

Hi to all, I'm still testing TOPT with OpenLDAP 2.5. I got TOTP1 running. So a user with an OTP can use the six-digit number from googleauthenticator (or freeOTP+) to authenticate while using ldapsearch. Then I switch to TOTP1ANDPW I generate a secretkey for the TOTP-part of userPassword. Then I create a password with "slappasswd" and put both TOTP1|password together in userPassword after decoding base64 I saw what I expected: ------------ dn: cn=u1,ou=users,dc=example,dc=net objectClass: posixAccount objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: autoCAuser loginShell: /bin/bash homeDirectory: /home/u1 uid: u1 uidNumber: 10010 gidNumber: 10000 sn: u givenName: 1 cn: u1 userPassword:: e1RPVFAxQU5EUFd9TUpBVk1UM0tNUlVXSVNDUEtKWEhJWVNaR1kzRE80Q0x8e1N TSEF9RWlCcVIwUGR4SUluMSswZTNqRSs1MXlwb1p6dTFKVUc= ------------------ echo "e1RPVFAxQU5EUFd9TUpBVk1UM0tNUlVXSVNDUEtKWEhJWVNaR1kzRE80Q0x8e1NTSEF9RWlCcVIwUGR4SUluMSswZTNqRSs1MXlwb1p6dTFKVUc=" | base64 -d {TOTP1ANDPW}MJAVMT3KMRUWISCPKJXHIYSZGY3DO4CL|{SSHA}EiBqR0PdxIIn1+0e3jE+51ypoZzu1JUG I then try to authenticate using ldapsearch with: 123456secret where 123456 is the six-digit key from googleauthenticator and "secret" is the password. But I always got an error 49 :-( I read this to set up the password: https://git.openldap.org/ondra/openldap/-/tree/dfe1f6494d69a885477e854944... Any hint? Anyone who got this running? I wrote a little bash-script to generate the shared-key, the password and write it into the users object: THIS SCRIPT IS FOR TESTING PURPOSE ONLY! ----------------------------- #!/bin/bash ########################################## # This script requires an OpenLDAP 2.5.x # # with the overlay pw-totp and autoca # # active and configured! # ########################################## # This script generats a TOTP1ANDPW password for a user # the script needs the full DN of the user # and an email address for the user. # The script will NOT check if the email address is valide # Ther will be a random string generated for the user # the user do not need the string. The string is only # to generate the sharedkey for the user. # At the end you will see the sharedkey, the user can enter # in an authenticator app like googleauthentiicator or freeOTP # and a png-file will be created with the QR-code for the sharedkey # # The script can be used via network or local only via the ldapi-socket if [ $# -ne 2 ] then echo "User-DN and User-Mail is needed" echo "usage: $0 userdn user@mail" exit 1 fi USER_DN=$1 USER_MAIL=$2 LDAP_SERVER=ldap://ldap25-p01.example.net USE_LDAPI=1 # set to "0" if userlogin is prefered USE_TLS=1 # if TLS should not be used set to "0" #LDAP_ADMIN="uid=ldap-admin,ou=users,dc=example,dc=net" LDAP_ADMIN="cn=admin,dc=example,dc=net" LDAP_ADMIN_PW="secret" TOPT_ISSUER=stka USER_PW_TOTP_BASE64="" USER_NAME="" USER_SHARED_KEY="" QR_TEXT="" USER_PASSWORD="" # Setting the varaible to use TLS if selected if [ "$USE_TLS" -eq 1 ] then ACTIVATE_TLS="-ZZ" else ACTIVATE_TLS="" fi if [ ! -f "/usr/bin/qrencode" ] then echo "qrencode is not installed!" exit 2 fi #First part of DN is USER_MANE USER_NAME=$(echo "$USER_DN" | cut -d "," -f 1) # Let's get shure that there is exactly one user present in database if [ $USE_LDAPI -eq 1 ] then USER_DN_IN_DB=$(ldapsearch -Q -Y EXTERNAL -LLL -H ldapi:/// $USER_NAME dn 2>/dev/null | cut -d " " -f 2) else USER_DN_IN_DB=$(ldapsearch -xLLL "$ACTIVATE_TLS" -D "$LDAP_ADMIN" -w "$LDAP_ADMIN_PW" -H "$LDAP_SERVER" "$USER_NAME" dn 2>/dev/null | cut -d " " -f 2) fi if [ "${USER_DN,,}" != "${USER_DN_IN_DB,,}" ] then echo "User $USER_DN not found in database" exit 3 fi #Create random 20 byte string: 160 bit is recommended (min 128 bit) USER_PW=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20 ; echo '') #Create the password for 2fa USER_PASSWORD=$(slappasswd) #Set user password if [ $USE_LDAPI -eq 1 ] then ldappasswd -Q -Y EXTERNAL -H ldapi:/// -s "${USER_PW}|${USER_PASSWORD}" "$USER_DN" else ldappasswd -x "$ACTIVATE_TLS" -D "$LDAP_ADMIN" -w "$LDAP_ADMIN_PW" -s "${USER_PW}|${USER_PASSWORD}" "$USER_DN" fi #Read user password from LDAP in TOTP1-format if [ $USE_LDAPI -eq 1 ] then PW_STEP_1=$(ldapsearch -Q -Y EXTERNAL -LLL -H ldapi:/// "$USER_NAME" userpassword | grep -A1 userPassword) USER_PW_TOTP_BASE64=$(echo $PW_STEP_1 | awk '{print $2 $3}') else USER_PW_TOTP_BASE64=$(ldapsearch -x "$ACTIVATE_TLS" -D "$LDAP_ADMIN" -w "$LDAP_ADMIN_PW" -LLL -H "$LDAP_SERVER" "$USER_NAME" userpassword | grep userPassword | cut -d " " -f 2 | cut -d '|' -f 1) fi #Create user shared key USER_SHARED_KEY=$(echo $USER_PW_TOTP_BASE64 | base64 -d) #cut the password hash type from shared key USER_SHARED_KEY=$(echo $USER_SHARED_KEY | cut -d "|" -f 1 | cut -d "}" -f 2) #Create the QR-text for the user QR_TEXT="otpauth://totp/$LDAP_SERVER:$USER_MAIL?secret=${USER_SHARED_KEY}a&issuer=${TOTP_ISSUER}&period=30&digits=6&algorithm=SHA1" #Generate the QR-code echo $QR_TEXT | qrencode -s9 -o ${USER_MAIL}.png echo "Shared key for User $USER_DN is $USER_SHARED_KEY" echo "You find the QR-code in file ${USER_MAIL}.png" -----------------------------

1 year, 11 months

6
7
0 / 0

slapd does not start after upgrade

by BÖSCH Christian

Hi, I've upgraded openldap 2.4.57 to 2.4.59 on FreeBSD 12.2 using portmaster, what has always worked over the last few years. After upgrade the config seems to be bad which hasn't changed…? root@openldap2:/usr/local/etc/openldap # /usr/local/libexec/slapd -Tt -u 60d0a1cd PROXIED attributeDescription "O" inserted. 60d0a1cd UNKNOWN attributeDescription "OLCRWMTFSUPPORT" inserted. 60d0a1cd UNKNOWN attributeDescription "OLCRWMNORMALIZEMAPPED" inserted. 60d0a1cd UNKNOWN attributeDescription "OLCRWMREWRITE" inserted. 60d0a1cd config error processing olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config: slaptest: bad configuration file! dn: olcOverlay={0}rwm objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmTFSupport: false olcRwmNormalizeMapped: FALSE structuralObjectClass: olcRwmConfig olcRwmRewrite: {0}rwm-rewriteEngine "on" olcRwmRewrite: {1}rwm-rewriteMap "ldap" "attr2dn" "ldap://localhost/o=abc.org?dn?sub" olcRwmRewrite: {2}rwm-rewriteContext "bindDN" olcRwmRewrite: {3}rwm-rewriteRule "^eduPersonPrincipalName=[^,]+@[^,]+$" "${ attr2dn($0)}" ":@I" Does anyone have a hint what's going wrong? Thanks, Christian

1 year, 11 months

3
2
0 / 0

avoid modifying /etc/sasl2/slapd.conf

by Michael Ströder

HI! Some automated tests of my Python module check SASL bind with various mechs. For this to work I normally have to add those SASL mechs to /etc/sasl2/slapd.conf. But this fails in the openSUSE build system with "permission denied". Is there a possibility to override SASL mechs used by slapd with an env var or similar? Ciao, Michael.

1 year, 11 months

3
4
0 / 0

pw-totp

by Stefan Kania

Hello, I try to set up TOTP1 and TOTP1ANDPW as passworthash. I use Debian 10 with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up everything via Ansible. My configure-options are: ------------- ./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod --enable-backends=mod --disable-perl --disable-ndb --enable-crypt --enable-modules --enable-dynamic --enable-syslog --enable-debug --enable-local --enable-spasswd --disable-sq l --prefix=/opt/openldap-current ------------- In addition I build: ------------ /opt/openldap-current/contrib/slapd-modules/passwd/sha2 /opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2 /opt/openldap-current/contrib/slapd-modules/passwd/totp/ ------------ "make test" is runnning without any error. The setup is running without any error, here my cn=config: ------------ dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /opt/openldap-current/var/run/slapd.args olcLogLevel: sync olcLogLevel: stats olcLogLevel: stats olcPidFile: /opt/openldap-current/var/run/slapd.pid olcToolThreads: 1 olcTLSCertificateFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-ce rt.pem olcTLSCertificateKeyFile: /opt/openldap-current/etc/my_certificates/ldap25-p01 -key.pem olcTLSCACertificateFile: /opt/openldap-current/etc/my_certificates/cacert.pem olcPasswordHash: {TOTP1} dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /opt/openldap-current/libexec/openldap:/usr/local/libexec/openl dap olcModuleLoad: {0}back_mdb olcModuleLoad: {1}back_monitor olcModuleLoad: {2}pw-totp.la olcModuleLoad: {3}autoca.la ... schema.... dn: olcBackend={0}mdb,cn=config objectClass: olcBackendConfig olcBackend: {0}mdb dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa l,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=ex ternal,cn=auth manage by * break olcAccess: {1}to dn="" by * read olcAccess: {2}to dn.base="cn=subschema" by * read olcSizeLimit: 500 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa l,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=ex ternal,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by * break olcRootDN: cn=admin,cn=config olcRootPW: dn: olcDatabase={1}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {1}monitor olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read by dn.exact=cn=admin,dc=example,dc=net read dn: olcDatabase={2}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcmdbConfig olcDatabase: {2}mdb olcDbDirectory: /opt/openldap-current/var/lib/ldap olcSuffix: dc=example,dc=net olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=e xternal,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break olcAccess: {1}to dn.exact="" by * read olcAccess: {2}to dn.base="cn=subschema" by * read olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * non e olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unl imited size=unlimited olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlim ited size=unlimited olcRootDN: cn=admin,dc=example,dc=net olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K olcSizeLimit: unlimited olcTimeLimit: unlimited olcDbCheckpoint: 512 30 olcDbIndex: default eq olcDbIndex: objectClass olcDbIndex: entryUUID olcDbIndex: entryCSN olcDbIndex: cn pres,eq,sub olcDbIndex: uid pres,eq,sub olcDbIndex: mail pres,eq,sub olcDbIndex: sn pres,eq,sub olcDbIndex: description pres,eq,sub olcDbIndex: title pres,eq,sub olcDbIndex: givenName pres,eq,sub olcDbMaxSize: 85899345920 dn: olcOverlay={0}totp,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig olcOverlay: {0}totp dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcAutoCAConfig olcOverlay: {1}autoca olcAutoCAuserKeybits: 4096 olcAutoCAserverKeybits: 4096 olcAutoCAKeybits: 4096 ------------ After a few minutes or if I restart slapd I get the following error-message: --------------------- Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5 (Jun 5 2021 14:07:21) $ root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({TOTP1}) Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing cn=config: <olcPasswordHash> no valid hashes found --------------------- I used the documentation from symas for configuring TOTP. What's wrong and why is slapd starting after configuration but chrashes when I restart slapd? Stefan

1 year, 12 months

4
17
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2021