openldap-technical February 2022

openldap-technical@openldap.org

30 participants
37 discussions

Setup password policies: problem when adding OU
by Felix Natter 19 Feb '22

19 Feb '22

hello, I am trying to setup PPs using this guide: https://tylersguides.com/guides/openldap-password-policy-overlay/ Everything went fine up to adding the OU for the PP: policyou.ldif: dn: ou=policies,dc=company,dc=com objectClass: organizationalUnit ou: policies ldapadd -Y EXTERNAL -Q -H ldapi:/// -f policyou.ldif (1) which results in https://ldapwiki.com/wiki/LDAP_INSUFFICIENT_ACCESS (with "additional info: no write access to parent") Now I tried _several_ commands to fix this, then I did: ldapadd -H ldapi:/// -D cn=admin,cn=config -W -f policyou.ldif (2) which works. But I have to fix this on the production server now, and I don't know whether (2) fixed this or some other command. What could be the problem with (1)? Previously I used this guide to change the admin password twice: https://www.digitalocean.com/community/tutorials/how-to-change-account-pass… Do I have to set the password for cn=admin,cn=config separately? If yes, could you suggest a HOWTO? Many Thanks and Best Regards, Felix -- Felix Natter

3 4

Re: Error when running make test or slapd after building on windows
by Howard Chu 18 Feb '22

18 Feb '22

Dr. Ogg wrote: > Why not run in a Linux VM or a docker container? and avoid Cygwin? Or WSL2. I hear that works pretty well these days. > > >> On Feb 17, 2022, at 2:48 PM, Joshua Dunbar <jdunbar(a)montereytechnologies.com> wrote: >> >> Are there up to date instructions on how to build with Cygwin or Msys somewhere? I am trying to do this on a 64 bit Windows 10 computer. The way I am doing it with Cygwin with default configure options must be wrong. I am new to both Cygwin and OpenLDAP so apologies for my inexperience. >> >> -----Original Message----- >> From: Howard Chu <hyc(a)symas.com> >> Sent: Thursday, February 17, 2022 5:40 PM >> To: Quanah Gibson-Mount <quanah(a)fast-mail.org>; Joshua Dunbar <jdunbar(a)montereytechnologies.com>; openldap-technical(a)openldap.org >> Subject: Re: Error when running make test or slapd after building on windows >> >> Quanah Gibson-Mount wrote: >>> >>> >>> --On Thursday, February 17, 2022 8:00 PM +0000 Joshua Dunbar <jdunbar(a)montereytechnologies.com> wrote: >>> >>>> >>>> >>>> Hello, >>>> >>>> >>>> >>>> I am attempting to install openldap (latest version 2.6.1) on windows >>>> using Cygwin where I have installed dependencies of gcc core and make >>>> in order to get configure to run. I then run configure from a Cygwin >>>> terminal (without any arguments). Configure seems to run fine, and so >>>> does make depend, and make. Then when I attempt to run make test (or >>>> slapd with any other well formatted slapd.conf file) I get the >>>> following error message. I >>> >>> Hi Joshua, >>> >>> It's likely related to this discussion: >>> >>> <https://cygwin.com/pipermail/cygwin/2019-July/241961.html> >> >> More than just that. OpenLDAP code supports real POSIX environments and native WIN32 environments. >> It doesn't support Cygwin, which is a partially-working fake POSIX environment. >> >> You can use Cygwin or MSYS as the build platform, but the binaries will only work if built with the MinGW toolchain for native WIN32 output. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 2

DNS/ldap
by pascal.jakobi＠gmail.com 18 Feb '22

18 Feb '22

Just a question (quick). You probably saw the relatively new CAA record for DNS. This (great) record provides a means to get the address of a CA for a given DNS domain. Firstly, it is unclear to me why the old SRV records are not used as they essentially do the same. You may think of creating an SRV record for _pkica.<domain> that would provide a CA's IP address. Then my question is : why is this SRV not used on linux boxes ? This would provide a means to retrieve automatically a certificate/public key for a given user and avoid setting configs (i.e. ldap.conf) on the client side. In other tertms, don't we need a CAA equivalent for Directories ?

1 0

Error when running make test or slapd after building on windows
by Joshua Dunbar 17 Feb '22

17 Feb '22

Hello, I am attempting to install openldap (latest version 2.6.1) on windows using Cygwin where I have installed dependencies of gcc core and make in order to get configure to run. I then run configure from a Cygwin terminal (without any arguments). Configure seems to run fine, and so does make depend, and make. Then when I attempt to run make test (or slapd with any other well formatted slapd.conf file) I get the following error message. I have turned on the highest level of logging and don't get any additional useful information and have been going at this for a couple days now without any luck. I have tried manipulating permissions on the db folder as well as using different folder names and locations. I can see the lock.mdb file being generated in the /tests/testrun/db.1.a folder, but nothing else. Any insight or help would be very appreciated. 620dab00.2d2e09dc 0x800000010 config_build_entry: "olcDatabase={2}monitor" 620dab00.2d2e359c 0x800000010 slap_get_csn: conn=-1 op=0 generated new csn=20220217015512.758001Z#000000#000#000000 manage=0 620dab00.2d2ecdf4 0x800000010 backend_startup_one: starting "o=OpenLDAP Project,l=Internet" 620dab00.2d2edba0 0x800000010 mdb_db_open: "o=OpenLDAP Project,l=Internet" 620dab00.2d3072a8 0x800000010 mdb_db_open: database "o=OpenLDAP Project,l=Internet": dbenv_open(/tests/testrun/db.1.a). 620dab00.2d3a1894 0x800000010 mdb_db_open: database "o=OpenLDAP Project,l=Internet" cannot be opened: Invalid argument (22). Restore from backup! 620dab00.2d3a37d4 0x800000010 backend_startup_one (type=mdb, suffix="o=OpenLDAP Project,l=Internet"): bi_db_open failed! (22) 620dab00.2d3a42c4 0x800000010 slapd shutdown: initiated 620dab00.2d3c25f8 0x800000010 slapd destroy: freeing system resources. 620dab00.2d5278d0 0x800000010 slapd stopped. Thanks, Josh

3 4

Re: How to restrict access to pwdHistory attributes
by Chandeshwar Mishra 16 Feb '22

16 Feb '22

Hi Quanah, Thanks for your response. Our setup is a very old one and we are planning to migrate it to the latest stable version but Since this openldap is deployed in Production it is not possible for us to upgrade it suddenly. As you mentioned that ppolicy schema is missing in configuration, so is it possible that without having ppolicy schema, Openldap will remember the pwdHistory of the user ? In my case pwdHistory is visible to users, for which I want to apply ACL so that a user can only see his/her pwdHistory , not other users pwdHistory. Below are my configuration related to ppolicy configuration in config file:- include /etc/openldap/schema/ppolicy.schema --- more include directive related to schema ---- moduleload ppolicy.la moduleload memberof.la overlay memberof overlay syncprov overlay auditlog #overlay accesslog overlay ppolicy ppolicy_default "cn=passwordDefault,dc=example,dc=com" Thanks & Regards, Chandeshwar Kumar On Mon, Feb 14, 2022 at 11:24 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Saturday, February 12, 2022 5:22 AM +0000 > kumarchandeshwar99(a)gmail.com > wrote: > > > Hi, > > I am trying to restrict access to pwdHistory attributes provided by > > ppolicy overlay. I have applied the below ACL > > > > access to attrs=pwdHistory > > by * none > > but while doing slaptest, its throwing below error:- > > /etc/openldap/slapd.conf: line 212: unknown attr "pwdHistory" in to > clause > > <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> > > ] ]+ <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] > > [attrs=<attrspec>] <attrspec> ::= <attrname> > > [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::= > > <attr> [ , <attrlist> ] > > <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | > children > > <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] > > [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> > ] > > [dnattr=<attrname>] > > [realdnattr=<attrname>] > > [group[/<objectclass>[/<attrname>]][.<style>]=<group>] > > [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] > > [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] > > [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] > > > > Before posting here I searched archive and found one similar, issue , but > > it did not resolve my issue. I have running openldap-servers-2.4.23 on > > RHEL-6.5. > > You are missing the ppolicy schema in your configuration. > > However, I would note that both RHEL6 and OpenLDAP 2.4 are historic and no > longer in support. I'd strongly advise upgrading to both an OS that is > under support and a version of OpenLDAP that's under support. > > Regards, > Quanah > > > >

4 3

Re: OpenLDAP and NTLM
by Marc Boorshtein 15 Feb '22

15 Feb '22

> > > > NTLM has been obsoleted and shouldn't be used at all. SASL/GSSAPI or > SASL/GSS-SPNEGO should be fine. > I understand, but this is a legacy (really legacy) application that can't be changed. Is NTLM still working? >

2 1

OpenLDAP and NTLM
by Marc Boorshtein 15 Feb '22

15 Feb '22

I see that NTLM is supported as an authentication mechanism for supportedSASLMechanisms, but I'm not seeing any docs. Do I configure GSSAPI and NTLM is now available? Thanks Marc

3 2

slapo-memberof -> slapo-dynlist and value-based ACLs
by Michael Ströder 14 Feb '22

14 Feb '22

HI! I'm experimenting to replace slapo-memberof to slapo-dynlist in Æ-DIR's slapd.conf. Ok, basically it works but... Æ-DIR trys hard to follow need-to-know-principle. This means that memberOf values are only made visible to clients which they have defined to be visible on. Thus I have ACLs like this and which don't work for these clients (lines wrapped): access to dn.subtree="ou=ae-dir" filter="(objectClass=posixAccount)" attrs=memberOf val.regex="^.+$" [..] by set.expand="(user/-1 | user/aeSrvGroup | user/-1/aeProxyFor) & [ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeSrvGroup)(aeStatus=0)(aeVisibleGroups=${v0}))]/entryDN" read [..] by * none I'm aware that this is quite special. But is there any chance that something like this will be ever supported? The alternative would be to implement an external update process for maintaining 'memberOf'. :-/ Ciao, Michael.

3 3

How to restrict access to pwdHistory attributes
by kumarchandeshwar99＠gmail.com 14 Feb '22

14 Feb '22

Hi, I am trying to restrict access to pwdHistory attributes provided by ppolicy overlay. I have applied the below ACL access to attrs=pwdHistory by * none but while doing slaptest, its throwing below error:- /etc/openldap/slapd.conf: line 212: unknown attr "pwdHistory" in to clause <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+ <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>] <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::= <attr> [ , <attrlist> ] <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ] [dnattr=<attrname>] [realdnattr=<attrname>] [group[/<objectclass>[/<attrname>]][.<style>]=<group>] [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] Before posting here I searched archive and found one similar, issue , but it did not resolve my issue. I have running openldap-servers-2.4.23 on RHEL-6.5. If any further details requires , Please let me know. Thanks.

2 1

issue with importing the samba3 schema
by Ulf Volmer 08 Feb '22

08 Feb '22

Hello, I'm trying to migrate an old openldap installation to a new one. OS of the new one is SLES15SP3, we are using the symas 2.5 packages. Sadly I got an error by importing the samba3 schema: # /opt/symas/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/symas/etc/openldap/schema/samba3.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=samba3,cn=schema,cn=config" ldap_add: Constraint violation (19) additional info: structuralObjectClass: no user modification allowed I'm able to import other schemas in the same way, si I don't think that I hold the tool in the wrong way. Any pointers for me? Best regards Ulf

2 2

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2022