Index seems to return wrong number of candidates causing really poor search performance
by chrichardso27@gmail.com
Hi,
Considering the following assumptions:
- OpenLDAP version 2.4.51
- attributes objectClass and abc are indexed based on equality
- the EQUALITY of attribute abc is based on distinguishedNameMatch
- The database contains roughly 2 million entries
- 2 entries have defined the attribute abc with a dn value cn=foo,dc=bar and objectClass=someClass
- 2 entries have defined the attribute abc with a dn value cn=bar,dc=baz and objectClass=someClass
Now, the issue started with really slow search performance using objectClass=someClass & abc=cn=foo,dc=bar as filter criteria. Debugging for a while seems to indicate that the objectClass filter returns roughly 2 million entries as candidates. Now, one would expect that the second filter would return only the 2 potential candidates from the abc index, or a subset of the whole database, but this is not the case. The second filter also returns nearly the whole database as potential candidates and causes really slow query performance. Interestingly, this only occurs when attribute abc has the value cn=foo,dc=bar; for some reason, for the entry having attribute abc with value cn=bar,dc=baz the query returns immediately. In both cases, the actual entries matching the search return immediately, but for the problematic search "(&(objectClass=someClass)(abc=cn=foo,dc=bar))", the completion of the search takes a long time (around 15 seconds to be precise).
The issue started suddenly and wasn't a degradation of query performance over time.
A few things I have tried:
- Rebuilt the whole database again
- Reindex the existing database again
- Testing with bdb and mdb as backends
- Increased cache sizes for bdb to hold the whole database in cache
- For bdb adjust the page size of the indexes according to suggestion by db_tuner
- Change the order of the filters
None of these made any difference. At the moment, there does not seem to be any good options to try. Any ideas or help would be greatly appreciated!
1 year, 9 months
Consumer Delta Sync Lost After Provider Restarted
by thomaswilliampritchard@gmail.com
Hi,
I'm experiencing an issue between my 3 providers and multiple consumer setup and delta sync repl. We manage a primary, or active, provider and send all writes to the primary as long as it's healthy letting the two others replicate and be standby providers ready to take over in the event of a failure. All consumers replicate from all providers and all providers replicate from all providers. After the system was running healthily for over a week a standby provider was restarted. This caused my consumers to re-establish the persistent sync connection. Upon re-establishing the connection, some consumers began a sync refresh with the following message.
Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep1: rid=003 starting refresh (sending cookie=rid=003,csn=20210331192036.214412Z#000000#000#000000;20210119225955.133811Z#000000#001#000000;20210128213906.596429Z#000000#002#000000;20210226190704.219043Z#000000#005#000000;20210412181659.152626Z#000000#065#000000;20210610231714.990702Z#000000#066#000000;20210614191744.122968Z#000000#44d#000000;20210412175600.595586Z#000000#835#000000;20210423182110.684843Z#000000#836#000000;20210331193249.570935Z#000000#ce5#000000)
Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep2: rid=003 LDAP_RES_SEARCH_RESULT
Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep2: rid=003 delta-sync lost sync, switching to REFRESH
Jun 28 18:32:55 openldap-hdb-consumer slapd[15746]: do_syncrep2: rid=003 (4096) Content Sync Refresh Required
This was re-establishing a connection with rid=003, which is "20210412175600.595586Z#000000#835#000000" (a standby system); however, we have only been sending writes to server #44d# (the primary provider). We see the 44d CSN is over 7 days old, beyond our providers' access log period.
On the consumer that did not trigger sync refresh we see
Jun 28 18:32:55 openldap-hdb-consumer slapd[24439]: do_syncrep1: rid=003 starting refresh (sending cookie=rid=003,csn=20210331192036.214412Z#000000#000#000000;20210119225955.133811Z#000000#001#000000;20210128213906.596429Z#000000#002#000000;20210226190704.219043Z#000000#005#000000;20210412181659.152626Z#000000#065#000000;20210621212459.620195Z#000000#066#000000;20210621214400.407867Z#000000#44d#000000;20210412175600.595586Z#000000#835#000000;20210423182110.684843Z#000000#836#000000;20210331193249.570935Z#000000#ce5#000000)
Here we see 20210621214400.407867Z#000000#44d#000000 is much more recent and did not trigger a full resync, although it is close to the 7 day threshold at this point. We notice the rid=003 835 csn is the same as the consumer experiencing the problem which makes me believe the #44d# csn being old is what causes this sync refresh.
I am concerned why when the standby provider is restarted the connection is getting re-established with old provider CSNs, when I search the CSNs on the consumers they look newer than the ones used to reestablish the connection. If we restart slapd on the providers after running consumers for 7 days it seems like it will trigger a sync refresh. How can we make the consumers re-establish the connection with the most recent CSN? Replication is working as expected, just the CSNs seem to remain old in this connection message. The sync refresh behavior causes a large load on the consumers and providers spiking bind times and degrading service making this concerning for our production environment.
Configuration details are below.
Your insights are appreciated.
@(#) $OpenLDAP: slapd 2.4.56 (Dec 14 2020 17:31:23) $
@57af0b7ce0ba:/root/rpmbuild/BUILD/openldap-2.4.56/openldap-2.4.56/servers/slapd
Provider config
Primary DB
# {2}mdb, config
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /var/lib/ldap
...
olcSizeLimit: unlimited
olcSyncrepl: {0}rid=1 provider=ldap://10.20.0.4 bindmethod=simple binddn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="5 10 60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog
olcSyncrepl: {1}rid=2 provider=ldap://10.20.1.151 bindmethod=simple binddn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="5 10 60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog
olcSyncrepl: {2}rid=3 provider=ldap://10.20.2.240 bindmethod=simple binddn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="5 10 60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog
olcMirrorMode: TRUE
...
olcDbMaxSize: 15000000000
Sync Prov
# {1}syncprov, {2}mdb, config
dn: olcOverlay={1}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {1}syncprov
olcSpCheckpoint: 1 1
Access Log
# {3}accesslog, {2}mdb, config
dn: olcOverlay={3}accesslog,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: {3}accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogPurge: 07+00:00 01+00:00
olcAccessLogSuccess: TRUE
# {3}mdb, config
dn: olcDatabase={3}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {3}mdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
olcDbMaxSize: 15000000000
# {0}syncprov, {3}mdb, config
dn: olcOverlay={0}syncprov,olcDatabase={3}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
Consumer Config:
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}
olcSyncrepl: {0}rid=1 provider=ldap://10.20.0.4 bindmethod=simple binddn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog
olcSyncrepl: {1}rid=2 provider=ldap://10.20.1.151 bindmethod=simple binddn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog
olcSyncrepl: {2}rid=3 provider=ldap://10.20.2.240 bindmethod=simple binddn="cn=replicant,dc=example,dc=com" credentials="" searchbase="dc=example,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" sizelimit=unlimited timelimit=unlimited starttls=critical tls_reqcert=demand logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" syncdata=accesslog
olcDbCheckpoint: 102400 10
1 year, 11 months
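An added example (not from the poster or the OpenLDAP project) that parses the two syncrepl cookies quoted above, computes how old each server ID's CSN is relative to the log timestamp, and lists the SIDs whose CSN falls outside the olcAccessLogPurge window from the provider config. The log line's year and the 7-day window are taken from the post; whether a stale CSN actually forces a refresh depends on which SIDs received writes, which is why the post focuses on 44d.

```python
import re
from datetime import datetime, timedelta, timezone

# A CSN is <UTC timestamp>.<microseconds>Z#<change count>#<server ID>#<modifier>;
# the cookie carries one CSN per server ID the consumer has seen changes from.
CSN_RE = re.compile(r"(\d{14})\.(\d{6})Z#[0-9a-f]{6}#([0-9a-f]{3})#[0-9a-f]{6}")

# Constructed from the two cookies quoted in the post: the consumer that was
# forced into REFRESH and the consumer that kept delta sync.
COOKIE_REFRESHED = (
    "rid=003,csn=20210331192036.214412Z#000000#000#000000;"
    "20210119225955.133811Z#000000#001#000000;20210128213906.596429Z#000000#002#000000;"
    "20210226190704.219043Z#000000#005#000000;20210412181659.152626Z#000000#065#000000;"
    "20210610231714.990702Z#000000#066#000000;20210614191744.122968Z#000000#44d#000000;"
    "20210412175600.595586Z#000000#835#000000;20210423182110.684843Z#000000#836#000000;"
    "20210331193249.570935Z#000000#ce5#000000"
)
COOKIE_KEPT_SYNC = (
    "rid=003,csn=20210331192036.214412Z#000000#000#000000;"
    "20210119225955.133811Z#000000#001#000000;20210128213906.596429Z#000000#002#000000;"
    "20210226190704.219043Z#000000#005#000000;20210412181659.152626Z#000000#065#000000;"
    "20210621212459.620195Z#000000#066#000000;20210621214400.407867Z#000000#44d#000000;"
    "20210412175600.595586Z#000000#835#000000;20210423182110.684843Z#000000#836#000000;"
    "20210331193249.570935Z#000000#ce5#000000"
)
# Timestamp of the quoted log lines ("Jun 28 18:32:55"; the year is taken from the CSNs).
LOG_TIME = datetime(2021, 6, 28, 18, 32, 55, tzinfo=timezone.utc)


def parse_cookie(cookie: str) -> dict:
    """Map server ID -> CSN timestamp for every CSN in a syncrepl cookie."""
    m = re.match(r"rid=(\d+),csn=(.*)$", cookie)
    if not m:
        raise ValueError("unexpected cookie format")
    out = {}
    for csn in m.group(2).split(";"):
        c = CSN_RE.fullmatch(csn)
        if not c:
            raise ValueError(f"malformed CSN: {csn}")
        ts = datetime.strptime(c.group(1), "%Y%m%d%H%M%S")
        out[c.group(3)] = ts.replace(microsecond=int(c.group(2)), tzinfo=timezone.utc)
    return out


def purge_window(olc_accesslog_purge: str) -> timedelta:
    """Age part of olcAccessLogPurge, e.g. '07+00:00 01+00:00' -> 7 days."""
    days, hhmm = olc_accesslog_purge.split()[0].split("+")
    hours, minutes = hhmm.split(":")
    return timedelta(days=int(days), hours=int(hours), minutes=int(minutes))


def csn_age(cookie: str, sid: str, reference: datetime) -> timedelta:
    """How far behind `reference` the cookie's CSN for server `sid` is."""
    return reference - parse_cookie(cookie)[sid]


def stale_sids(cookie: str, reference: datetime, window: timedelta) -> list:
    """Server IDs whose cookie CSN is older than the accesslog purge window.

    The idle standby SIDs are equally old on both consumers (the post notes 835
    is identical), so the SID that receives writes, 44d, is the one to watch.
    """
    cutoff = reference - window
    return sorted(sid for sid, ts in parse_cookie(cookie).items() if ts < cutoff)


if __name__ == "__main__":
    window = purge_window("07+00:00 01+00:00")
    for name, cookie in (("refreshed", COOKIE_REFRESHED), ("kept sync", COOKIE_KEPT_SYNC)):
        age = csn_age(cookie, "44d", LOG_TIME)
        print(f"{name}: 44d CSN is {age} old; stale SIDs: {stale_sids(cookie, LOG_TIME, window)}")
```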
Are Password Expired and Password Expiry warning (2.16.840.1.113730.3.4.5) controls supported in OpenLDAP
by cst labs
hello:
I am currently evaluating the OpenLDAP version 2.4.58. I was told by
someone that it does support the password expired control but I don't see
that it is working. As per the RFC, the server should send this control as
a part of response but it doesn't. I do see that the server returns the
password policy state control that has expired and warning information.
However, I am interested in the password expired control since I am looking
to support an existing implementation that leverages that control. Can
someone tell me how to configure openldap to return that control?
1 year, 11 months
enable WiredTiger not defaulting to no
by dbray925+openldap@gmail.com
I'm currently testing out the 2.5.5 install, and during the configure process it fails with:
configure: error: Package requirements (wiredtiger) were not met:
Package 'wiredtiger', required by 'virtual:world', not found
The documentation (--help) shows that this should be default to no:
--enable-wt enable WiredTiger backend no|yes|mod [no]
However, this is not the case, and I have to manually set:
./configure --enable-wt=no
1 year, 11 months
How to delete entries from cn=config with openldap-2.5
by Francesco Malvezzi
hi all,
does the "Better cn=config functionality" enhancement in openldap-2.5
include the deletability of entries (like a module)?
Should this:
sudo ldapdelete -H ldapi:/// -Y EXTERNAL cn=module{0},cn=config
work and what am I missing?
thank you,
Francesco
1 year, 11 months
totp1andpw
by Stefan Kania
Hi to all,
I'm still testing TOTP with OpenLDAP 2.5. I got TOTP1 running. So a user
with an OTP can use the six-digit number from Google Authenticator (or
FreeOTP+) to authenticate while using ldapsearch. Then I switched to
TOTP1ANDPW: I generated a secret key for the TOTP part of userPassword.
Then I created a password with "slappasswd" and put both TOTP1|password
together in userPassword. After decoding the base64 I saw what I expected:
------------
dn: cn=u1,ou=users,dc=example,dc=net
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: autoCAuser
loginShell: /bin/bash
homeDirectory: /home/u1
uid: u1
uidNumber: 10010
gidNumber: 10000
sn: u
givenName: 1
cn: u1
userPassword:: e1RPVFAxQU5EUFd9TUpBVk1UM0tNUlVXSVNDUEtKWEhJWVNaR1kzRE80Q0x8e1NTSEF9RWlCcVIwUGR4SUluMSswZTNqRSs1MXlwb1p6dTFKVUc=
------------------
echo "e1RPVFAxQU5EUFd9TUpBVk1UM0tNUlVXSVNDUEtKWEhJWVNaR1kzRE80Q0x8e1NTSEF9RWlCcVIwUGR4SUluMSswZTNqRSs1MXlwb1p6dTFKVUc=" | base64 -d
{TOTP1ANDPW}MJAVMT3KMRUWISCPKJXHIYSZGY3DO4CL|{SSHA}EiBqR0PdxIIn1+0e3jE+51ypoZzu1JUG
I then try to authenticate using ldapsearch with:
123456secret
where 123456 is the six-digit key from googleauthenticator and "secret"
is the password. But I always got an error 49 :-(
I read this to set up the password:
https://git.openldap.org/ondra/openldap/-/tree/dfe1f6494d69a885477e854944...
Any hint? Anyone who got this running?
I wrote a little bash script to generate the shared key and the password
and write them into the user's object:
THIS SCRIPT IS FOR TESTING PURPOSES ONLY!
-----------------------------
#!/bin/bash
##########################################
# This script requires an OpenLDAP 2.5.x #
# with the overlays pw-totp and autoca   #
# active and configured!                 #
##########################################
# This script generates a TOTP1ANDPW password for a user.
# The script needs the full DN of the user
# and an email address for the user.
# The script will NOT check if the email address is valid.
# A random string is generated for the user;
# the user does not need the string. The string is only
# used to generate the shared key for the user.
# At the end you will see the shared key the user can enter
# in an authenticator app like Google Authenticator or FreeOTP,
# and a png file will be created with the QR code for the shared key.
#
# The script can be used via network or locally via the ldapi socket.
if [ $# -ne 2 ]
then
    echo "User-DN and User-Mail are needed"
    echo "usage: $0 userdn user@mail"
    exit 1
fi
USER_DN=$1
USER_MAIL=$2
LDAP_SERVER=ldap://ldap25-p01.example.net
USE_LDAPI=1 # set to "0" if a user login is preferred
USE_TLS=1   # if TLS should not be used set to "0"
#LDAP_ADMIN="uid=ldap-admin,ou=users,dc=example,dc=net"
LDAP_ADMIN="cn=admin,dc=example,dc=net"
LDAP_ADMIN_PW="secret"
TOTP_ISSUER=stka
USER_PW_TOTP_BASE64=""
USER_NAME=""
USER_SHARED_KEY=""
QR_TEXT=""
USER_PASSWORD=""
# Setting the variable to use TLS if selected.
# ACTIVATE_TLS is expanded unquoted below on purpose: when it is empty it
# must disappear instead of being passed to the ldap tools as an empty argument.
if [ "$USE_TLS" -eq 1 ]
then
    ACTIVATE_TLS="-ZZ"
else
    ACTIVATE_TLS=""
fi
if ! command -v qrencode >/dev/null 2>&1
then
    echo "qrencode is not installed!"
    exit 2
fi
# The first RDN of the DN is used as the search filter, e.g. cn=u1
USER_NAME="${USER_DN%%,*}"
# Let's make sure the user is present in the database
# (-o ldif-wrap=no keeps every attribute on a single line)
if [ "$USE_LDAPI" -eq 1 ]
then
    USER_DN_IN_DB=$(ldapsearch -Q -Y EXTERNAL -LLL -o ldif-wrap=no -H ldapi:/// "$USER_NAME" dn 2>/dev/null | sed -n 's/^dn: //p')
else
    USER_DN_IN_DB=$(ldapsearch -x -LLL -o ldif-wrap=no $ACTIVATE_TLS -D "$LDAP_ADMIN" -w "$LDAP_ADMIN_PW" -H "$LDAP_SERVER" "$USER_NAME" dn 2>/dev/null | sed -n 's/^dn: //p')
fi
if [ "${USER_DN,,}" != "${USER_DN_IN_DB,,}" ]
then
    echo "User $USER_DN not found in database"
    exit 3
fi
# Create random 20 byte string: 160 bit is recommended (min 128 bit)
USER_PW=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20)
# Create the password hash for the second factor (slappasswd prompts for it)
USER_PASSWORD=$(slappasswd)
# Set user password: the server stores "<key>|<hash>" as a {TOTP1ANDPW} value
if [ "$USE_LDAPI" -eq 1 ]
then
    ldappasswd -Q -Y EXTERNAL -H ldapi:/// -s "${USER_PW}|${USER_PASSWORD}" "$USER_DN"
else
    ldappasswd -x $ACTIVATE_TLS -D "$LDAP_ADMIN" -w "$LDAP_ADMIN_PW" -H "$LDAP_SERVER" -s "${USER_PW}|${USER_PASSWORD}" "$USER_DN"
fi
# Read the user password back from LDAP in TOTP1ANDPW format (ldapsearch prints it base64 encoded)
if [ "$USE_LDAPI" -eq 1 ]
then
    USER_PW_TOTP_BASE64=$(ldapsearch -Q -Y EXTERNAL -LLL -o ldif-wrap=no -H ldapi:/// "$USER_NAME" userPassword | sed -n 's/^userPassword:: //p')
else
    USER_PW_TOTP_BASE64=$(ldapsearch -x -LLL -o ldif-wrap=no $ACTIVATE_TLS -D "$LDAP_ADMIN" -w "$LDAP_ADMIN_PW" -H "$LDAP_SERVER" "$USER_NAME" userPassword | sed -n 's/^userPassword:: //p')
fi
# Decode the stored value: {TOTP1ANDPW}<base32 shared key>|{SSHA}<hash>
USER_SHARED_KEY=$(echo "$USER_PW_TOTP_BASE64" | base64 -d)
# Cut the password hash and the scheme prefix off the shared key
USER_SHARED_KEY=$(echo "$USER_SHARED_KEY" | cut -d "|" -f 1 | cut -d "}" -f 2)
# Create the otpauth URI for the user
QR_TEXT="otpauth://totp/$LDAP_SERVER:$USER_MAIL?secret=${USER_SHARED_KEY}&issuer=${TOTP_ISSUER}&period=30&digits=6&algorithm=SHA1"
# Generate the QR code
echo "$QR_TEXT" | qrencode -s9 -o "${USER_MAIL}.png"
echo "Shared key for User $USER_DN is $USER_SHARED_KEY"
echo "You find the QR code in file ${USER_MAIL}.png"
-----------------------------
1 year, 11 months
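An added example, not the poster's script and not the pw-totp module's own code, that checks a {TOTP1ANDPW} userPassword value offline: it splits the stored value into the base32 shared key and the {SSHA} hash, computes the RFC 6238 code with the parameters from the otpauth URI above (SHA1, 30 s, 6 digits), and tests a bind credential laid out as the post describes (six OTP digits followed by the password). The credential layout, the absence of a clock-drift window and the {SSHA} scheme are assumptions; the sample key and hash are constructed.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

OTP_DIGITS = 6   # digits=6, period=30 and algorithm=SHA1 as in the otpauth URI
OTP_PERIOD = 30

def make_ssha(password: str, salt: bytes = None) -> str:
    """{SSHA} value as slappasswd builds it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, password: str) -> bool:
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} password hashes are handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def hotp(key: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: int, period: int = OTP_PERIOD) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(key, now // period)

def split_totp1andpw(stored: str) -> tuple:
    """Split '{TOTP1ANDPW}<base32 key>|<password hash>' into (raw key bytes, hash)."""
    prefix = "{TOTP1ANDPW}"
    if not stored.startswith(prefix) or "|" not in stored:
        raise ValueError("not a {TOTP1ANDPW} value")
    key_b32, pw_hash = stored[len(prefix):].split("|", 1)
    return base64.b32decode(key_b32, casefold=True), pw_hash

def verify_totp1andpw(stored: str, credential: str, now: int = None) -> bool:
    """Check '<OTP digits><password>' against the stored value (layout assumed from the post)."""
    key, pw_hash = split_totp1andpw(stored)
    otp, password = credential[:OTP_DIGITS], credential[OTP_DIGITS:]
    if not (otp.isascii() and otp.isdigit()) or not password:
        return False
    now = int(time.time()) if now is None else now
    otp_ok = hmac.compare_digest(totp(key, now), otp)  # no drift window assumed
    pw_ok = check_ssha(pw_hash, password)  # computed even when the OTP already failed
    return otp_ok and pw_ok

# Constructed sample: RFC 6238's SHA-1 test key (ASCII "12345678901234567890") in
# base32, paired with an {SSHA} hash of "secret" made with a fixed salt.
RFC_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_STORED = "{TOTP1ANDPW}" + RFC_KEY_B32 + "|" + make_ssha("secret", b"salt")

if __name__ == "__main__":
    key, _ = split_totp1andpw(SAMPLE_STORED)
    code = totp(key, 59)  # 287082 per the RFC 6238 test vectors
    print("OTP at T=59 is", code, "-> bind credential would be", code + "secret")
    print("verify:", verify_totp1andpw(SAMPLE_STORED, code + "secret", now=59))
```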
slapd does not start after upgrade
by BÖSCH Christian
Hi,
I've upgraded openldap 2.4.57 to 2.4.59 on FreeBSD 12.2 using portmaster,
which has always worked over the last few years.
After the upgrade the config, which hasn't changed, seems to be bad…?
root@openldap2:/usr/local/etc/openldap # /usr/local/libexec/slapd -Tt -u
60d0a1cd PROXIED attributeDescription "O" inserted.
60d0a1cd UNKNOWN attributeDescription "OLCRWMTFSUPPORT" inserted.
60d0a1cd UNKNOWN attributeDescription "OLCRWMNORMALIZEMAPPED" inserted.
60d0a1cd UNKNOWN attributeDescription "OLCRWMREWRITE" inserted.
60d0a1cd config error processing olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config:
slaptest: bad configuration file!
dn: olcOverlay={0}rwm
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmTFSupport: false
olcRwmNormalizeMapped: FALSE
structuralObjectClass: olcRwmConfig
olcRwmRewrite: {0}rwm-rewriteEngine "on"
olcRwmRewrite: {1}rwm-rewriteMap "ldap" "attr2dn" "ldap://localhost/o=abc.org?dn?sub"
olcRwmRewrite: {2}rwm-rewriteContext "bindDN"
olcRwmRewrite: {3}rwm-rewriteRule "^eduPersonPrincipalName=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
Does anyone have a hint what's going wrong?
Thanks,
Christian
1 year, 11 months
avoid modifying /etc/sasl2/slapd.conf
by Michael Ströder
Hi!
Some automated tests of my Python module check SASL bind with various
mechs. For this to work I normally have to add those SASL mechs to
/etc/sasl2/slapd.conf.
But this fails in the openSUSE build system with "permission denied".
Is there a possibility to override SASL mechs used by slapd with an env
var or similar?
Ciao, Michael.
1 year, 11 months
pw-totp
by Stefan Kania
Hello,
I'm trying to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
everything via Ansible. My configure options are:
-------------
./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod --enable-backends=mod --disable-perl --disable-ndb --enable-crypt --enable-modules --enable-dynamic --enable-syslog --enable-debug --enable-local --enable-spasswd --disable-sql --prefix=/opt/openldap-current
-------------
In addition I build:
------------
/opt/openldap-current/contrib/slapd-modules/passwd/sha2
/opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
/opt/openldap-current/contrib/slapd-modules/passwd/totp/
------------
"make test" is running without any error.
The setup is running without any error; here is my cn=config:
------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /opt/openldap-current/var/run/slapd.args
olcLogLevel: sync
olcLogLevel: stats
olcLogLevel: stats
olcPidFile: /opt/openldap-current/var/run/slapd.pid
olcToolThreads: 1
olcTLSCertificateFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-cert.pem
olcTLSCertificateKeyFile: /opt/openldap-current/etc/my_certificates/ldap25-p01-key.pem
olcTLSCACertificateFile: /opt/openldap-current/etc/my_certificates/cacert.pem
olcPasswordHash: {TOTP1}
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/openldap-current/libexec/openldap:/usr/local/libexec/openldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_monitor
olcModuleLoad: {2}pw-totp.la
olcModuleLoad: {3}autoca.la
... schema....
dn: olcBackend={0}mdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}mdb
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcSizeLimit: 500
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by * break
olcRootDN: cn=admin,cn=config
olcRootPW:
dn: olcDatabase={1}monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read by dn.exact=cn=admin,dc=example,dc=net read
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcmdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /opt/openldap-current/var/lib/ldap
olcSuffix: dc=example,dc=net
olcAccess: {0} to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=gidNumber=1111+uidNumber=1111,cn=peercred,cn=external,cn=auth manage by dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net write by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcAccess: {3} to attrs=userPassword by anonymous auth by self write by * none
olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" time=unlimited size=unlimited
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcDbCheckpoint: 512 30
olcDbIndex: default eq
olcDbIndex: objectClass
olcDbIndex: entryUUID
olcDbIndex: entryCSN
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: description pres,eq,sub
olcDbIndex: title pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbMaxSize: 85899345920
dn: olcOverlay={0}totp,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}totp
dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutoCAConfig
olcOverlay: {1}autoca
olcAutoCAuserKeybits: 4096
olcAutoCAserverKeybits: 4096
olcAutoCAKeybits: 4096
------------
After a few minutes or if I restart slapd I get the following error-message:
---------------------
Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5 (Jun 5 2021 14:07:21) $
root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({TOTP1})
Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing cn=config: <olcPasswordHash> no valid hashes found
---------------------
I used the documentation from Symas for configuring TOTP. What's wrong,
and why is slapd starting after configuration but crashing when I
restart slapd?
Stefan
1 year, 12 months