openldap-technical October 2022

openldap-technical@openldap.org

18 participants
17 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

iNetOrgPerson doesn't exist?
by Luca Stancapiano 16 May '23

16 May '23

Hi all, I'm triing to create a user with openldap 2.4 dn: uid=rrrrrr,ou=users,dc=my-domain,dc=com objectClass: iNetOrgPerson uid: iiiiii but it doesn't seem recognize the objectClass producing this error: adding new entry "uid=rrrrrr,ou=users,dc=my-domain,dc=com" ldap_add: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax Using other object classes is ok. What's the problem?

5 11

dynlist vs memberof performance issues
by Mark Cairney 11 Jan '23

11 Jan '23

Hi, I've been out the LDAP loop for a bit but the recent discussion of the memberof overlay on 2.5 piqued my curiosity. Having upgraded a Dev box, removed the memberof elements from the database and replaced the memberof overlay with dynlist the queries appear to work as expected but are both a) slow and b) heavily CPU-intensive on the LDAP server. 2021-09-01T12:47:17.603513+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 fd=12 ACCEPT from IP=192.168.152.33:58738 (IP=129.215.17.9:636) 2021-09-01T12:47:17.687488+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 fd=12 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384 2021-09-01T12:47:17.688032+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" 2021-09-01T12:47:17.688470+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=0 SRCH attr=supportedSASLMechanisms 2021-09-01T12:47:17.688878+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=0 SEARCH RESULT tag=101 err=0 qtime=0.000014 etime=0.000214 nentries=1 text= 2021-09-01T12:47:17.811279+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=1 BIND dn="" method=163 2021-09-01T12:47:17.819249+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=1 RESULT tag=97 err=14 qtime=0.000030 etime=0.009084 text=SASL(0): successful result: 2021-09-01T12:47:17.908889+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=2 BIND dn="" method=163 2021-09-01T12:47:17.909836+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=2 RESULT tag=97 err=14 qtime=0.000031 etime=0.000181 text=SASL(0): successful result: 2021-09-01T12:47:17.938839+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=3 BIND dn="" method=163 2021-09-01T12:47:17.939621+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=3 BIND authcid="mcairney(a)EASE.ED.AC.UK" authzid="mcairney(a)EASE.ED.AC.UK" 2021-09-01T12:47:17.940213+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=3 BIND dn="uid=mcairney,ou=people,ou=central,dc=authorise-dev,dc=ed,dc=ac,dc=uk" mech=GSSAPI bind_ssf=256 ssf=256 2021-09-01T12:47:17.940616+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=3 RESULT tag=97 err=0 qtime=0.000024 etime=0.000409 text= 2021-09-01T12:47:18.227342+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=4 SRCH base="dc=authorise-dev,dc=ed,dc=ac,dc=uk" scope=2 deref=0 filter="(uid=mcairney)" 2021-09-01T12:47:18.227703+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=4 SRCH attr=* + 2021-09-01T12:47:31.392255+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=5 UNBIND 2021-09-01T12:47:31.460705+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=4 SEARCH RESULT tag=101 err=0 qtime=0.000031 etime=13.233679 nentries=1 text= 2021-09-01T12:47:31.461098+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 fd=12 closed I'm guessing that as the values are computed that this will be heavier on the CPU but it seems a bit excessive? Has anyone else noticed any similar performance issues? This is a relatively low-specced DEV server (2 vCPUs, 4GB RAM) so I guess this could be a factor but there's no io waiting on the server and no swapping? The database is on a par in size with our Production service ( about 400K user objects with 1 group object per user and then about 80K actual groups of users) The config for the primary DB (ACLs and rootPW redacted) is: dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /opt/openldap/var/openldap-data/authorise olcSuffix: dc=authorise-dev,dc=ed,dc=ac,dc=uk olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 2 olcReadOnly: FALSE olcSecurity: ssf=1 olcSecurity: update_ssf=112 olcSecurity: simple_bind=64 olcSizeLimit: unlimited olcSyncUseSubentry: FALSE olcTimeLimit: unlimited olcMonitoring: TRUE olcDbEnvFlags: writemap olcDbEnvFlags: nometasync olcDbNoSync: FALSE olcDbIndex: objectClass eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: cn pres,eq,sub olcDbIndex: uid pres,eq,sub olcDbIndex: uidNumber pres,eq olcDbIndex: gidNumber pres,eq olcDbIndex: eduniType eq olcDbIndex: gecos pres,eq,sub olcDbIndex: eduniCategory eq olcDbIndex: mail pres,eq,sub olcDbIndex: eduniSchoolCode eq olcDbIndex: eduniIDStatus eq olcDbIndex: eduniCollegeCode eq olcDbIndex: eduniOrgCode eq olcDbIndex: memberOf pres,eq olcDbIndex: eduniLibraryBarcode pres,eq olcDbIndex: eduniOrganisation pres,eq,sub olcDbIndex: eduniServiceCode pres,eq olcDbIndex: krbName pres,eq olcDbIndex: eduPersonAffiliation pres,eq olcDbIndex: eduPersonEntitlement pres,eq olcDbIndex: sn pres,eq,sub olcDbIndex: eduniIdmsId pres,eq olcDbIndex: member pres,eq olcDbIndex: memberUid pres,eq olcDbIndex: eduniRefNo pres,eq olcDbIndex: eduniTitle pres,eq olcDbIndex: title pres,eq,sub olcDbIndex: eduniCardNumber pres,eq olcDbIndex: eduniYearOfStudy eq olcDbIndex: description pres,eq,sub olcDbIndex: givenName pres,eq,sub olcDbIndex: aliasedObjectName eq olcDbIndex: yubiKeyId pres,eq olcDbIndex: isMemberOf pres,eq olcDbIndex: hasMember pres,eq olcDbIndex: proxyAddresses pres,eq,sub olcDbMaxReaders: 96 olcDbMaxSize: 32212254720 olcDbMode: 0600 olcDbSearchStack: 16 structuralObjectClass: olcMdbConfig dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top objectClass: olcSyncProvConfig olcOverlay: {0}syncprov structuralObjectClass: olcSyncProvConfig dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: {1}accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogPurge: 02+00:00 00+04:00 olcAccessLogSuccess: TRUE structuralObjectClass: olcAccessLogConfig dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcDynListConfig olcOverlay: {2}dynlist olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames structuralObjectClass: olcDynListConfig -- /**************************** Mark Cairney ITI Enterprise Services Information Services University of Edinburgh Tel: 0131 650 6565 Email: Mark.Cairney(a)ed.ac.uk *******************************/ The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. Is e buidheann carthannais a th’ ann an Oilthigh Dhùn Èideann, clàraichte an Alba, àireamh clàraidh SC005336.

12 27

upgrading openldap 2.4 to 2.5
by CHIROSSEL, Olivier 02 Nov '22

02 Nov '22

Hi I have an architecture with 2 openldap masters in mirormode ( refreshAndPersist ). and few consumers ( refreshAndPersist ) The provisionning api and consumer request masters via vip ( sorry server configuration ), It's complex for me to upgrade all the openldap in the same operation. Can i upgrade only the 2 masters in 2.5, and the consumers in a second time ? The replication between master in 2.5 and consumers in 2.4 work's fine ? Thank's in advance for your replies. Regards Olivier

2 1

Two notes on slapppasswd (old version)
by Ulrich Windl 31 Oct '22

31 Oct '22

Hi! When using an old version (from 2.4.41) of slapasswd, I noticed two things: 1) Using "-h SSHA", slappasswd was asking for passwords first, then telling me: "Password generation failed for scheme SSHA: scheme not recognized" I think "SSHA" is unique enough to recognize; and if it's not, then complain before asking for passwords. 2) When I mistyped the option as "-h '{SSHA}>'", slappasswd did not complain and produce some output. I think if it's picky on the first case, it should also be for the second case (assuming the output "{SSHA}oTEDKWKn0fimGo6J8de0I5qRixGWJxhJ" was correct overall) Maybe check if these problems still exist in the current version. Regards, Ulrich Windl

2 1

LMDB, virtual machines, and copying mdb files
by selama＠gmail.com 28 Oct '22

28 Oct '22

I am working on developing a new document-oriented (XML+JSON) database, using LMDB as an engine, and I have two questions. 1. So far, it have been working really smoothly for me. But my one customer so far for the DB is really concerned about running LMDB in a virtual environment such as Docker, when performing reads and writes. Especially when mounting volumes. Their concern is because of the following caveat: "Do not use LMDB databases on remote filesystems, even between processes on the same host. This breaks flock() on some OSes, possibly memory map sync, and certainly sync between programs on different hosts" I think it shouldn't be an issue with Docker, but I want to be certain. 2. We have one server that updates the database, and another server with a read-only copy of the same database. Our plan was to simply copy the mdb files from the update machine to the read only machine, but we noticed that if we copy the file immediately after writing, the copy may end up being corrupted. My solution was to suspend all writing and wait few minutes before writing, to make sure everything back from memory, and I'm also using the "sync" command (not sure if it does anything here). It seem to be working, but I wonder if there is a more robust way of doing that? And also, is it safe to overwrite to the read-only server while it performs read transactions to the current file (or maybe rename it and copy to a new file with the same name)?

5 5

Read speeds, bottleneck, correct understanding?
by Sam Dave 27 Oct '22

27 Oct '22

Hi, If my program reads through an LMDB database apparently slow at first run, but suddenly runs much quicker at the second run (which does exactly the same thing), can't I already say with confidence that my choice of LMDB - in this case its builtin memory mapping functionality - is already paying off in terms of read speeds? I mean, that alone (exact same thing runs much faster the second time) already PROVES that the bottleneck was reading from disk as opposed to memory, right? I'm looking for excuses for patting myself on the back for investing in LMDB. Regards, Sam

2 3

cn=config TLS Configuration Problem
by Timothy Stonis 25 Oct '22

25 Oct '22

Hi, I am trying to setup an OpenLDAP 2.6.3 server and I’d like to only use olc configuration (no slapd.conf file). So far things are going okay, but I’m having a problem with TLS configuration. I am able to enable TLS using a self-signed certificate without any problem, however, if I try to disable TLS using the following LDIF: dn: cn=config changetype: modify delete: olcTLSCertificateFile - delete: olcTLSCertificateKeyFile - I get the following error: modifying entry "cn=config" ldap_modify: Server is unwilling to perform (53) I enabled debugging and cannot seem to see the error. I have also tried reordering the entries, doing one at a time, disabling ldaps:// binding, etc but nothing seems to work. If I just remove the certificate and/or key files, then the server does not start. Is enabling TLS a one way street? Or, should I just use slapd.conf? As a second question, I read in an article online that there is a way to store the TLS cert(s) and key in the LDAP database itself. However, I cannot find any info on that in the documentation. Can anyone shed some light on that? Thank you in advance! Tim

2 7

RE25 testing call (2.5.14)
by Quanah Gibson-Mount 24 Oct '22

24 Oct '22

This is the first testing call for OpenLDAP 2.5.14. Depending on the results, this may be the only testing call. Generally, get the code for RE25: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.5.14 Engineering Fixed client tools to remove 'h' and 'p' options (ITS#9917,ITS#8618) Fixed ldapsearch memory leak with controls (ITS#9860) Fixed libldap ldif_open_urlto check for failure (ITS#9904) Fixed libldap ldap_url_parsehosts check for failure (ITS#9904) Fixed slapd memory leak with olcAuthIDRewrite (ITS#6035) Fixed slapd transactions extended operations cleanup after write (ITS#9892) Fixed slapd-mdb max number of index databases to 256 (ITS#9895) Fixed slapd-monitor to free remembered cookies (ITS#9339) Fixed slapo-deref memory leak (ITS#9924) Fixed slapo-dynlist to ignore irrelevant objectClasses (ITS#9897) Fixed slapo-remoteauth memory leaks (ITS#9438) Build Environment Fixed build process to not use gmake specific features (ITS#9894) Fixed slapo-otp testdir creation (ITS#9437) Fixed slapd-tester memory leak (ITS#9908) Fixed usage of non-standard C syntax (ITS#9898, ITS#9899, ITS#9901) Fixed usage of bashism (ITS#9900) Documentation Fixed slapo-unique(5) to clarify when quoting should be used (ITS#9915) Regards, Quanah

5 9

Attribute Cert. schema (RFC 5755)
by Pascal Jakobi 21 Oct '22

21 Oct '22

Hi there I am looking for an RFC 5755 (attribute certificates profile) schema file. I thought it was in pmi.schema, but it appears that no, unless I am missing sthing. Before creating one from the RFC, I would like to be sure it does not exist somewhere I couldn't find. Thanks in adv. P

3 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2022