Problem with "force user to password reset at first login"
by Rajagopal Rc
Hi,
I am trying to force users to change their password at first login or after
password reset by administrator.
Tried the following:
1) Password policy 'pwdMustChange TRUE' doesn't seem to be working, as none of the
users get a prompt to change their password at first login.
2) Used the 'pwdReset TRUE' attribute in the users' attributes, and it won't prompt
to change the password and didn't allow login.
I observe the below messages in the log:
"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
Please help me configure the option to force all users to change their password
at first login or after pwd reset by administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
1 month
iNetOrgPerson doesn't exist?
by Luca Stancapiano
Hi all, I'm trying to create a user with openldap 2.4
dn: uid=rrrrrr,ou=users,dc=my-domain,dc=com
objectClass: iNetOrgPerson
uid: iiiiii
but it doesn't seem to recognize the objectClass, producing this error:
adding new entry "uid=rrrrrr,ou=users,dc=my-domain,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
Using other object classes is ok. What's the problem?
6 months, 3 weeks
Re: OpenSSL1.1.1 support after its EOL
by Anil 1. Tadikamalla (EXT-NSB)
Hi Team,
Can you please help to address below queries ASAP from OpenLDAP point of view:
1. Please do let us know if OpenLDAP can provide extended support of OpenSSL1.1.1 beyond the EOL (End of life cycle), i.e. after September 2023?
2. Does OpenLDAP depend on RHEL for OpenSSL support or Does it package OpenSSL on its own? If it depends on RHEL and RHEL introduces OpenSSL3.0 support, how would this be handled by OpenLDAP?
Regards,
Anil Kumar
________________________________
From: Anil 1. Tadikamalla (EXT-NSB)
Sent: Friday, December 9, 2022 9:54:28 AM
To: openldap-technical(a)openldap.org
Cc: Seenivasan 1. Alagarsamy (EXT-NSB)
Subject: Re: OpenSSL1.1.1 support after its EOL
Hi Team,
GENTLE REMINDER....
Can you please help to address the below query from the OpenLDAP point of view ASAP.
Does OpenLDAP depend on RHEL for OpenSSL support or Does it package OpenSSL on its own? If it depends on RHEL and RHEL introduces OpenSSL3.0 support, how would this be handled by OpenLDAP?
Regards,
Anil Kumar
________________________________
From: Anil 1. Tadikamalla (EXT-NSB)
Sent: Friday, December 9, 2022 12:53 AM
To: openldap-technical(a)openldap.org
Cc: Seenivasan 1. Alagarsamy (EXT-NSB)
Subject: OpenSSL1.1.1 support after its EOL
Hi Team,
Please do let us know if OpenLDAP can provide extended support of OpenSSL1.1.1 beyond the EOL (End of life cycle), i.e. after September 2023?
Regards,
Anil Kumar
9 months, 2 weeks
about slapo totp
by Bastian Tweddell
Dear all,
I am investigating if it is possible to use the TOTP overlay in the
following concept:
Many thanks for any
- nis related data of users are in ldap
- user ssh access to the system is pubkey only
- after successful authentication also request TOTP via PAM call to
slapd (only TOTP, no password)
Does this make sense and can this be achieved?
Thanks in advance,
--
Bastian Tweddell Juelich Supercomputing Centre
phone: +49 (2461) 61-6586 HPC in Neuroscience, HPS
9 months, 4 weeks
RE26 testing call (2.6.4) #3
by Quanah Gibson-Mount
This is the third testing call for OpenLDAP 2.6.4. Depending on the
results, this may be the final testing call.
Generally, get the code for RE26:
<https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6...>
Extract, configure, and build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Thanks!
OpenLDAP 2.6.4 Engineering
Fixed client tools to remove 'h' and 'p' options (ITS#9917,ITS#8618)
Fixed ldapsearch memory leak with paged results (ITS#9860)
Fixed libldap ldif_open_url to check for failure (ITS#9904)
Fixed libldap ldap_url_parsehosts check for failure (ITS#9904)
Fixed liblunicode UTF8bvnormalize buffer size (ITS#9955)
Fixed lloadd memory leaks (ITS#9907)
Fixed lloadd shutdown code to protect memory correctly (ITS#9913)
Fixed lloadd race in epoch.c (ITS#9947)
Fixed lloadd potential deadlock with cn=monitor (ITS#9951)
Fixed lloadd to keep listener base around when not active (ITS#9984)
Fixed lloadd object reclamation sequencing (ITS#9983)
Fixed slapd memory leak with olcAuthIDRewrite (ITS#6035)
Fixed slapd free of redundant cmdline option (ITS#9912)
Fixed slapd transactions extended operations cleanup after write
(ITS#9892)
Fixed slapd deadlock with replicated cn=config (ITS#9930,ITS#8102)
Fixed slapd connection close logic (ITS#9991)
Fixed slapd bconfig locking of cn=config entries (ITS#9045)
Fixed slapd-mdb max number of index databases to 256 (ITS#9895)
Fixed slapd-mdb to always release entries from ADD operations (ITS#9942)
Fixed slapd-mdb to fully init empty DN in tool_entry_get (ITS#9940)
Fixed slapd-monitor memory leaks with lloadd (ITS#9906)
Fixed slapd-monitor to free remembered cookies (ITS#9339)
Fixed slapo-accesslog reqStart ordering matching rule (ITS#9880)
Fixed slapo-deref memory leak (ITS#9924)
Fixed slapo-dynlist to ignore irrelevant objectClasses (ITS#9897)
Fixed slapo-dynlist to avoid unnecessary searches (ITS#9929)
Fixed slapo-dynlist to mark internal searches as such (ITS#9960)
Fixed slapo-pcache crash in consistency_check (ITS#9966)
Fixed slapo-remoteauth memory leaks (ITS#9438)
Fixed slapo-rwm memory leaks (ITS#9817)
Build Environment
Fixed ancient DOS related ifdef checks (ITS#9925)
Fixed build process to not use gmake specific features (ITS#9894)
Fixed source tree to remove symlinks (ITS#9926)
Fixed slapo-otp testdir creation (ITS#9437)
Fixed slapd-tester memory leak (ITS#9908)
Fixed usage of non-standard C syntax (ITS#9898, ITS#9899, ITS#9901)
Fixed usage of bashism (ITS#9900)
Fixed test suite portability (ITS#9931)
Documentation
Fixed ldap_bind(3) to document ber_bvfree in ldap_sasl_bind
(ITS#9976)
Fixed slapo-asyncmeta(5) to clarify scheduling for target
connections (ITS#9941)
Fixed slapo-dynlist(5) to clarify configuration settings (ITS#9957)
Fixed slapo-unique(5) to clarify when quoting should be used
(ITS#9915)
Minor cleanup
ITS#9935
ITS#9336
ITS#9337
ITS#9985
Regards,
Quanah
10 months, 1 week
RE25 testing call (2.5.14) #3
by Quanah Gibson-Mount
This is the third testing call for OpenLDAP 2.5.14. Depending on the
results, this may be the final testing call.
Generally, get the code for RE25:
<https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5...>
Extract, configure, and build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Thanks!
OpenLDAP 2.5.14 Engineering
Fixed client tools to remove 'h' and 'p' options (ITS#9917,ITS#8618)
Fixed ldapsearch memory leak with paged results (ITS#9860)
Fixed libldap ldif_open_url to check for failure (ITS#9904)
Fixed libldap ldap_url_parsehosts check for failure (ITS#9904)
Fixed liblunicode UTF8bvnormalize buffer size (ITS#9955)
Fixed lloadd race in epoch.c (ITS#9947)
Fixed lloadd to keep listener base around when not active (ITS#9984)
Fixed lloadd object reclamation sequencing (ITS#9983)
Fixed slapd memory leak with olcAuthIDRewrite (ITS#6035)
Fixed slapd transactions extended operations cleanup after write
(ITS#9892)
Fixed slapd deadlock with replicated cn=config (ITS#9930,ITS#8102)
Fixed slapd connection close logic (ITS#9991)
Fixed slapd bconfig locking of cn=config entries (ITS#9045)
Fixed slapd-mdb max number of index databases to 256 (ITS#9895)
Fixed slapd-mdb to always release entries from ADD operations (ITS#9942)
Fixed slapd-mdb to fully init empty DN in tool_entry_get (ITS#9940)
Fixed slapd-monitor to free remembered cookies (ITS#9339)
Fixed slapo-accesslog reqStart ordering matching rule (ITS#9880)
Fixed slapo-deref memory leak (ITS#9924)
Fixed slapo-dynlist to ignore irrelevant objectClasses (ITS#9897)
Fixed slapo-dynlist to avoid unnecessary searches (ITS#9929)
Fixed slapo-dynlist to mark internal searches as such (ITS#9960)
Fixed slapo-pcache crash in consistency_check (ITS#9966)
Fixed slapo-remoteauth memory leaks (ITS#9438)
Build Environment
Fixed ancient DOS related ifdef checks (ITS#9925)
Fixed build process to not use gmake specific features (ITS#9894)
Fixed source tree to remove symlinks (ITS#9926)
Fixed slapo-otp testdir creation (ITS#9437)
Fixed slapd-tester memory leak (ITS#9908)
Fixed usage of non-standard C syntax (ITS#9898, ITS#9899, ITS#9901)
Fixed usage of bashism (ITS#9900)
Fixed test suite portability (ITS#9931)
Documentation
Fixed ldap_bind(3) to document ber_bvfree in ldap_sasl_bind
(ITS#9976)
Fixed slapo-asyncmeta(5) to clarify scheduling for target
connections (ITS#9941)
Fixed slapo-dynlist(5) to clarify configuration settings (ITS#9957)
Fixed slapo-unique(5) to clarify when quoting should be used
(ITS#9915)
Minor cleanup
ITS#9935
ITS#9336
ITS#9337
ITS#9985
Regards,
Quanah
10 months, 1 week
How to retrieve invalid CA certificate error upon ldap over TLS connection using openldap API
by tishamol@gmail.com
Hi,
How can I get an error specific to an invalid CA certificate for an ldaps connection (LDAP over TLS)?
Our flow is like this
1:ldap_initialize()
2:ldap_sasl_bind_s()
But even if I import an invalid CA certificate on the LDAP client to verify the server certificate, I don't get any error specific to TLS handshake failure. ldap_sasl_bind_s() always returns -1.
Can you suggest some way to fetch this error from openldap?
Thanks,
Smitha
10 months, 1 week
VRF support in openldap
by tishamol@gmail.com
Hi,
I would like to know whether there is any support for passing vrf-id to the openldap
library?
Thanks,
Smitha
10 months, 1 week
Any chance to include ITS#9990 fix in 2.5.14?
by Kartik Subbarao
I ran into a passwd exop overlay problem this week when upgrading from
2.4.57 to 2.5.13 and was able to track it down (ITS#9990). Fortunately
the fix is very simple, just revert the changes to passwd.c made in
ITS#8698. I noticed the testing call for 2.5.14 and wanted to ask if it
might be possible to include this fix in that release.
Totally understood if you guys need to get this out the door as soon as
possible. Just figured I'd ask to see if we can get this fix included :-)
Thanks,
-Kartik
10 months, 1 week
RE25 testing call (2.5.14) #2
by Quanah Gibson-Mount
This is the second testing call for OpenLDAP 2.5.14. Depending on the
results, this may be the final testing call.
Generally, get the code for RE25:
<https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5...>
Extract, configure, and build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Thanks!
OpenLDAP 2.5.14 Engineering
Fixed client tools to remove 'h' and 'p' options (ITS#9917,ITS#8618)
Fixed ldapsearch memory leak with paged results (ITS#9860)
Fixed libldap ldif_open_url to check for failure (ITS#9904)
Fixed libldap ldap_url_parsehosts check for failure (ITS#9904)
Fixed liblunicode UTF8bvnormalize buffer size (ITS#9955)
Fixed lloadd race in epoch.c (ITS#9947)
Fixed lloadd to keep listener base around when not active (ITS#9984)
Fixed lloadd object reclamation sequencing (ITS#9983)
Fixed slapd memory leak with olcAuthIDRewrite (ITS#6035)
Fixed slapd transactions extended operations cleanup after write
(ITS#9892)
Fixed slapd deadlock with replicated cn=config (ITS#9930)
Fixed slapd-mdb max number of index databases to 256 (ITS#9895)
Fixed slapd-mdb to always release entries from ADD operations (ITS#9942)
Fixed slapd-mdb to fully init empty DN in tool_entry_get (ITS#9940)
Fixed slapd-monitor to free remembered cookies (ITS#9339)
Fixed slapo-accesslog reqStart ordering matching rule (ITS#9880)
Fixed slapo-deref memory leak (ITS#9924)
Fixed slapo-dynlist to ignore irrelevant objectClasses (ITS#9897)
Fixed slapo-dynlist to avoid unnecessary searches (ITS#9929)
Fixed slapo-dynlist to mark internal searches as such (ITS#9960)
Fixed slapo-pcache crash in consistency_check (ITS#9966)
Fixed slapo-remoteauth memory leaks (ITS#9438)
Build Environment
Fixed ancient DOS related ifdef checks (ITS#9925)
Fixed build process to not use gmake specific features (ITS#9894)
Fixed source tree to remove symlinks (ITS#9926)
Fixed slapo-otp testdir creation (ITS#9437)
Fixed slapd-tester memory leak (ITS#9908)
Fixed usage of non-standard C syntax (ITS#9898, ITS#9899, ITS#9901)
Fixed usage of bashism (ITS#9900)
Fixed test suite portability (ITS#9931)
Documentation
Fixed ldap_bind(3) to document ber_bvfree in ldap_sasl_bind
(ITS#9976)
Fixed slapo-asyncmeta(5) to clarify scheduling for target
connections (ITS#9941)
Fixed slapo-dynlist(5) to clarify configuration settings (ITS#9957)
Fixed slapo-unique(5) to clarify when quoting should be used
(ITS#9915)
Minor cleanup
ITS#9935
ITS#9336
ITS#9337
Regards,
Quanah
10 months, 1 week