openldap-technical April 2022

openldap-technical@openldap.org

27 participants
27 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

dynlist vs memberof performance issues
by Mark Cairney 11 Jan '23

11 Jan '23

Hi, I've been out the LDAP loop for a bit but the recent discussion of the memberof overlay on 2.5 piqued my curiosity. Having upgraded a Dev box, removed the memberof elements from the database and replaced the memberof overlay with dynlist the queries appear to work as expected but are both a) slow and b) heavily CPU-intensive on the LDAP server. 2021-09-01T12:47:17.603513+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 fd=12 ACCEPT from IP=192.168.152.33:58738 (IP=129.215.17.9:636) 2021-09-01T12:47:17.687488+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 fd=12 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384 2021-09-01T12:47:17.688032+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" 2021-09-01T12:47:17.688470+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=0 SRCH attr=supportedSASLMechanisms 2021-09-01T12:47:17.688878+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=0 SEARCH RESULT tag=101 err=0 qtime=0.000014 etime=0.000214 nentries=1 text= 2021-09-01T12:47:17.811279+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=1 BIND dn="" method=163 2021-09-01T12:47:17.819249+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=1 RESULT tag=97 err=14 qtime=0.000030 etime=0.009084 text=SASL(0): successful result: 2021-09-01T12:47:17.908889+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=2 BIND dn="" method=163 2021-09-01T12:47:17.909836+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=2 RESULT tag=97 err=14 qtime=0.000031 etime=0.000181 text=SASL(0): successful result: 2021-09-01T12:47:17.938839+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=3 BIND dn="" method=163 2021-09-01T12:47:17.939621+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=3 BIND authcid="mcairney(a)EASE.ED.AC.UK" authzid="mcairney(a)EASE.ED.AC.UK" 2021-09-01T12:47:17.940213+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=3 BIND dn="uid=mcairney,ou=people,ou=central,dc=authorise-dev,dc=ed,dc=ac,dc=uk" mech=GSSAPI bind_ssf=256 ssf=256 2021-09-01T12:47:17.940616+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=3 RESULT tag=97 err=0 qtime=0.000024 etime=0.000409 text= 2021-09-01T12:47:18.227342+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=4 SRCH base="dc=authorise-dev,dc=ed,dc=ac,dc=uk" scope=2 deref=0 filter="(uid=mcairney)" 2021-09-01T12:47:18.227703+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=4 SRCH attr=* + 2021-09-01T12:47:31.392255+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=5 UNBIND 2021-09-01T12:47:31.460705+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 op=4 SEARCH RESULT tag=101 err=0 qtime=0.000031 etime=13.233679 nentries=1 text= 2021-09-01T12:47:31.461098+01:00 bonsai.authorise-dev.is.ed.ac.uk slapd[30075]: conn=1019 fd=12 closed I'm guessing that as the values are computed that this will be heavier on the CPU but it seems a bit excessive? Has anyone else noticed any similar performance issues? This is a relatively low-specced DEV server (2 vCPUs, 4GB RAM) so I guess this could be a factor but there's no io waiting on the server and no swapping? The database is on a par in size with our Production service ( about 400K user objects with 1 group object per user and then about 80K actual groups of users) The config for the primary DB (ACLs and rootPW redacted) is: dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /opt/openldap/var/openldap-data/authorise olcSuffix: dc=authorise-dev,dc=ed,dc=ac,dc=uk olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 2 olcReadOnly: FALSE olcSecurity: ssf=1 olcSecurity: update_ssf=112 olcSecurity: simple_bind=64 olcSizeLimit: unlimited olcSyncUseSubentry: FALSE olcTimeLimit: unlimited olcMonitoring: TRUE olcDbEnvFlags: writemap olcDbEnvFlags: nometasync olcDbNoSync: FALSE olcDbIndex: objectClass eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: cn pres,eq,sub olcDbIndex: uid pres,eq,sub olcDbIndex: uidNumber pres,eq olcDbIndex: gidNumber pres,eq olcDbIndex: eduniType eq olcDbIndex: gecos pres,eq,sub olcDbIndex: eduniCategory eq olcDbIndex: mail pres,eq,sub olcDbIndex: eduniSchoolCode eq olcDbIndex: eduniIDStatus eq olcDbIndex: eduniCollegeCode eq olcDbIndex: eduniOrgCode eq olcDbIndex: memberOf pres,eq olcDbIndex: eduniLibraryBarcode pres,eq olcDbIndex: eduniOrganisation pres,eq,sub olcDbIndex: eduniServiceCode pres,eq olcDbIndex: krbName pres,eq olcDbIndex: eduPersonAffiliation pres,eq olcDbIndex: eduPersonEntitlement pres,eq olcDbIndex: sn pres,eq,sub olcDbIndex: eduniIdmsId pres,eq olcDbIndex: member pres,eq olcDbIndex: memberUid pres,eq olcDbIndex: eduniRefNo pres,eq olcDbIndex: eduniTitle pres,eq olcDbIndex: title pres,eq,sub olcDbIndex: eduniCardNumber pres,eq olcDbIndex: eduniYearOfStudy eq olcDbIndex: description pres,eq,sub olcDbIndex: givenName pres,eq,sub olcDbIndex: aliasedObjectName eq olcDbIndex: yubiKeyId pres,eq olcDbIndex: isMemberOf pres,eq olcDbIndex: hasMember pres,eq olcDbIndex: proxyAddresses pres,eq,sub olcDbMaxReaders: 96 olcDbMaxSize: 32212254720 olcDbMode: 0600 olcDbSearchStack: 16 structuralObjectClass: olcMdbConfig dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top objectClass: olcSyncProvConfig olcOverlay: {0}syncprov structuralObjectClass: olcSyncProvConfig dn: olcOverlay={1}accesslog,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: {1}accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogPurge: 02+00:00 00+04:00 olcAccessLogSuccess: TRUE structuralObjectClass: olcAccessLogConfig dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcDynListConfig olcOverlay: {2}dynlist olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames structuralObjectClass: olcDynListConfig -- /**************************** Mark Cairney ITI Enterprise Services Information Services University of Edinburgh Tel: 0131 650 6565 Email: Mark.Cairney(a)ed.ac.uk *******************************/ The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336. Is e buidheann carthannais a th’ ann an Oilthigh Dhùn Èideann, clàraichte an Alba, àireamh clàraidh SC005336.

12 27

slow memberOf queries in 2.5 with dynlist overlay
by Paul B. Henson 30 May '22

30 May '22

I'm still trying to figure out why my servers sometimes get into a state where queries requesting the memberOf attribute take an exceedingly long time to process, for example: Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 fd=104 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi) Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 op=0 BIND dn="cn=ldaproot,dc=cpp,dc=edu" method=128 Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 op=0 BIND dn="cn=ldaproot,dc=cpp,dc=edu" mech=SIMPLE bind_ssf=0 ssf=71 Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000050 text= Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 op=1 SRCH base="dc=cpp,dc=edu" scope=2 deref=0 filter="(uid=henson)" Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 op=1 SRCH attr=memberOf Feb 13 19:46:42 ldap-02 slapd[13564]: conn=297643 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000012 etime=36.955710 nentries=1 text= How is the qtime calculated? It is nice and short, despite the wall clock reading over 30 seconds :(. Usually I have to reboot the server completely to clear this up, but this time I just had to restart it, and then the queries were lickity split again: Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 fd=40 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi) Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=0 BIND dn="cn=ldaproot,dc=cpp,dc=edu" method=128 Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=0 BIND dn="cn=ldaproot,dc=cpp,dc=edu" mech=SIMPLE bind_ssf=0 ssf=71 Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=0 RESULT tag=97 err=0 qtime=0.000009 etime=0.000088 text= Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=1 SRCH base="dc=cpp,dc=edu" scope=2 deref=0 filter="(uid=henson)" Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=1 SRCH attr=memberOf Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000013 etime=0.213149 nentries=1 text= Over 30 seconds elapsed time to .2 seconds? I'd like to see the .2 all the time :). When the server gets like this, there's a very high read IO load, 200-300Mb/s, compared to generally less than 1Mb/s when things are working right. It almost seems like it's doing a full disk scan searching for members every time. Any suggestions on what to dig into? Thanks...

5 16

RE26 testing call #2 (OpenLDAP 2.6.2)
by Quanah Gibson-Mount 02 May '22

02 May '22

This is the second testing call for OpenLDAP 2.6.2. Depending on the results, this may be the final testing call. Generally, get the code for RE26: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Fixes since last testing call: ITS#9802 (further fixes) ITS#9820 ITS#9825 ITS#9831 ITS#9832 Thanks! OpenLDAP 2.6.2 Engineering Added libldap support for OpenSSL 3.0 (ITS#9436) Added slapd support for OpenSSL 3.0 (ITS#9436) Fixed ldapdelete to prune LDAP subentries (ITS#9737) Fixed libldap to drop connection when non-LDAP data is received (ITS#9803) Fixed libldap to allow newlines at end of included file (ITS#9811) Fixed slapd slaptest conversion of olcLastBind (ITS#9808) Fixed slapd to correctly init global_host earlier (ITS#9787) Fixed slapd bconfig locking for cn=config replication (ITS#9584) Fixed slapd usage of thread local counters (ITS#9789) Fixed slapd to clear runqueue task correctly (ITS#9785) Fixed slapd idletimeout handling (ITS#9820) Fixed slapd syncrepl handling of new sessions (ITS#9584) Fixed slapd to clear connections on bind (ITS#9799) Fixed slapd to correctly advance connections index (ITS#9831) Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801) Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802) Fixed slapd-ldap memory leak in keepalive setting (ITS#9802) Fixed slapd-meta SEGV on config rewrite (ITS#9802) Fixed slapd-meta ordering on config rewrite (ITS#9802) Fixed slapd-meta memory leak in keepalive setting (ITS#9802) Fixed slapd-monitor SEGV on shutdown (ITS#9809) Fixed slapd-monitor crash when hitting sizelimit (ITS#9832) Added slapo-autoca support for OpenSSL 3.0 (ITS#9436) Added slapo-otp support for OpenSSL 3.0 (ITS#9436) Fixed slapo-dynlist dynamic group regression (ITS#9825) Fixed slapo-pcache SEGV on shutdown (ITS#9809) Fixed slapo-ppolicy operation handling to be consistent (ITS#9794) Fixed slapo-translucent to correctly duplicate substring filters (ITS#9818) Build Enviornment Add ability to override default compile time paths (ITS#9675) Fix compiliation with certain versions of gcc (ITS#9790) Fix compilation with openssl exclusions (ITS#9791) Fix warnings from make jobserver (ITS#9788) Contrib Update ppm module to the 2.1 release (ITS#9814) Documentation admin26 Document new lloadd features (ITS#9780) Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit documentation (ITS#9804) Fixed slapd-sock(5) to clarify "sockresps result" behavior (ITS#8255)

2 4

How to allow openldap searches for all just one group
by gerson.garcia＠itron.com 01 May '22

01 May '22

All, I am inheriting the support of small openldap deployment and I am new to it. I have a request to create a security group to this implementation and only users in this group should have access to manage objects in the ldap. We have something like this: +-dc=nocinbox,dc=com +---ou=groups +---cn=admin +---cn=app-admin +---cn=sec-admin +---ou=users +---cn=admin +---cn=appadmin +---cn=appadmin2 +---cn=secadmin In the olcDatabase configuration I have the following: olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none olcAccess: {1}to attrs=shadowLastChange by self write by * read olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc" by set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid" write by * read And only secadmin can make changes in the LDAP, that is great. However, all other users can ldapsearch: $ ldapsearch -x -v -H ldaps://openldap:636 -b "dc=nocinbox,dc=inc" -D "cn=admin,ou=users,dc=nocinbox,dc=inc" -W | grep numResponses ldap_initialize( ldaps://openldap:636/??base ) Enter LDAP Password: filter: (objectclass=*) requesting: All userApplication attributes # numResponses: 29 Is there any olcAccess configuration I can used to not allow any user to run ldapsearch but still able to authenticate them? They still need to ssh and access some web servers. Thank you very much, Gerson

3 4

Could not find admin user after setup slapd on Debian
by sparkcyf＠foxmail.com 30 Apr '22

30 Apr '22

After install the openldap (slapd) from Debian package repository (using the version 2.4.57+dfsg-3~bpo10+1, database created by the dpkg configuration script provide by apt), the admin user (cn=admin,dc=example,dc=com) in could not be found either when performing ldapsearch or viewing the structure of the organisation in phpldapadmin / Apache directory studio. result of ldapsearch: ------------ root@ldap:~# ldapsearch -x -b "dc=example,dc=com" # extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # example.com dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: example.com dc: exmaple # search result search: 2 result: 0 Success ------------ However, using ldapwhoami (ldapwhoami -vvv -h ldap.example.com -D cn=admin,dc=example,dc=com -x -w password) can return a successful result. result of ldapwhoami: ------------ ldap_initialize( ldap://localhost ) dn:cn=admin,dc=example,dc=com Result: Success (0) ------------ A similar issue can be found here: https://github.com/osixia/docker-openldap/issues/555 on Github. According to the user in Github, this issue is first occurred in openldap 2.4.57 (https://github.com/osixia/docker-openldap/releases/tag/v1.5.0 I'm not sure whether it is a feature or a bug of slapd. Thanks in advance!

5 8

Migrating from Debian 6 to Ubuntu 20
by Tan Mientras 29 Apr '22

29 Apr '22

Hello. Trying to migrate our ldap from one server to a new one I did: old-server# slapcat -f /etc/ldap/slapd.conf > ldap.txt new-server# slapadd -f /etc/ldap/slapd.conf -l ldap.txt (yes, I'm still using legacy configuration format) Migration seems fine and tree is visible and valid using phpldapadmin, however third party applications aren't login-in/integrating with the new server. I have narrowed it to this: - querying with admin user works in both servers - ldapsearch -x -h old-server -b "dc=domain,dc=root" -D "uid=query,ou=people,dc=domain,dc=root" -W works and, password provided, it returns results - ldapsearch -x -h new-server -b "dc=domain,dc=root" -D "uid=query,ou=people,dc=domain,dc=root" -W results in *result: 32 No such object *(so login works, but the query user cant find results) Did I miss something for migration? a required step apart from copying configuration files and slapcat+slapadd? Thanks in advance

2 1

slapd (Symas 2.6.1) does not start with syncprov
by Magnus Morén 28 Apr '22

28 Apr '22

Migrating to new ldap server and getting problems. OS: Rocky Linux 8 (== RHEL/CentOS 8). Fully updated. LDAP software: symas-openldap-servers-2.6.1-2.el8.x86_64 cn=config and and data import (via ldif) on master. Everything look good. start/stop/restart is working. ldap access is working. Adding "syncprov" on master (to enable producer/consumer mode). Now the slapd on the master/producer crashes on start! Apr 26 18:31:27 apollo11 systemd[1]: Started Symas OpenLDAP Server Daemon. Apr 26 18:31:27 apollo11 kernel: traps: slapd[1379] general protection fault ip:7fa53a499f38 sp:7fa4f8e3d1b0 error:0 in back_mdb.so.2.0.200[7fa53a471000+40000] Apr 26 18:31:27 apollo11 systemd[1]: Started Process Core Dump (PID 1380/UID 0). Apr 26 18:31:27 apollo11 systemd-coredump[1381]: Resource limits disable core dumping for process 1377 (slapd). Apr 26 18:31:27 apollo11 systemd-coredump[1381]: Process 1377 (slapd) of user 0 dumped core. Apr 26 18:31:27 apollo11 systemd[1]: symas-openldap-servers.service: Main process exited, code=killed, status=11/SEGV Apr 26 18:31:27 apollo11 systemd[1]: symas-openldap-servers.service: Failed with result 'signal'. Apr 26 18:31:27 apollo11 systemd[1]: systemd-coredump(a)3-1380-0.service: Succeeded. The syncprov ldif dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov.la dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpCheckpoint: 100 10 olcSpSessionlog: 100 dn: olcDatabase={1}mdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryCSN,entryUUID eq Magnus Morén

5 12

RE25 Testing call #2 (OpenLDAP 2.5.12)
by Quanah Gibson-Mount 27 Apr '22

27 Apr '22

This is the second testing call for OpenLDAP 2.5.12. Depending on the results, this may be the final testing call. Generally, get the code for RE25: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Fixes since last testing call: ITS#9802 (further fixes) ITS#9820 ITS#9825 ITS#9831 Thanks! OpenLDAP 2.5.12 Engineering Fixed libldap to drop connection when non-LDAP data is received (ITS#9803) Fixed libldap to allow newlines at end of included file (ITS#9811) Fixed slapd slaptest conversion of olcLastBind (ITS#9808) Fixed slapd usage of thread local counters (ITS#9789) Fixed slapd to clear runqueue task correctly (ITS#9785) Fixed slapd idletimeout handling (ITS#9820) Fixed slapd bconfig locking for cn=config replication (ITS#9584) Fixed slapd syncrepl handling of new sessions (ITS#9584) Fixed slapd to clear connections on bind (ITS#9799) Fixed slapd to correctly advance connections index (ITS#9831) Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801) Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802) Fixed slapd-ldap memory leak in keepalive setting (ITS#9802) Fixed slapd-meta SEGV on config rewrite (ITS#9802) Fixed slapd-meta ordering on config rewrite (ITS#9802) Fixed slapd-meta memory leak in keepalive setting (ITS#9802) Fixed slapd-monitor SEGV on shutdown (ITS#9809) Fixed slapo-dynlist dynamic group regression (ITS#9825) Fixed slapo-pcache SEGV on shutdown (ITS#9809) Fixed slapo-ppolicy operation handling to be consistent (ITS#9794) Fixed slapo-translucent to correctly duplicate substring filters (ITS#9818) Build Environment Fix compilation with openssl exclusions (ITS#9791) Fix warnings from make jobserver (ITS#9788) Fix compiliation with certain versions of gcc (ITS#9790) Documentation Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit documentation (ITS#9804)

2 1

OpenLDAP 2.5 and smbkrb5pwd module
by Abdelkader Chelouah 25 Apr '22

25 Apr '22

I used to build *smbkrb5pwd* module (https://github.com/opinsys/smbkrb5pwd) under OpenLDAP 2.4 and everything was working as expected. Starting from OpenLDAP 2.5, building the module still succeeds but an error 80 occurs when the module is loaded ldap_modify: Other (e.g., implementation specific) error (80) additional info: <olcModuleLoad> handler exited with 1 modifying entry "cn=module{0},cn=config" 2022-04-22T08:50:40.501922+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71 2022-04-22T08:50:40.501945+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=0 RESULT tag=97 err=0 qtime=0.000009 etime=0.000066 text= 2022-04-22T08:50:40.502151+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=1 MOD dn="cn=module{0},cn=config" 2022-04-22T08:50:40.502181+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=1 MOD attr=olcModuleLoad 2022-04-22T08:50:40.503892+00:00 arrakis slapd-2.5-aa[8947]: lt_dlopenext failed: (smbkrb5pwd_srv.la) file not found 2022-04-22T08:50:40.503923+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=1 RESULT tag=103 err=80 qtime=0.000006 etime=0.001772 text=<olcModuleLoad> handler exited with 1 2022-04-22T08:50:40.504117+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=2 UNBIND (the error message is misleading since file *smbkrb5pwd_srv.la* is really in the modules directory) I'm wondering if someone has experienced the same issue and was able to overcome it ? Regards

3 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2022