openldap-technical March 2023

openldap-technical@openldap.org

22 participants
36 discussions

openldap TLSv1.0 is enabled
by Andre Rodier 16 May '25

16 May '25

Hello, I have configured OpenLDAP using SSL certificate, but I have a few issues. Here the TLS configuration, especially "olcTLSProtocolMin: 3.3" > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. > # CRC32 c70363a6 > dn: cn=config > objectClass: olcGlobal > cn: config > olcArgsFile: /var/run/slapd/slapd.args > olcLogLevel: none > olcPidFile: /var/run/slapd/slapd.pid > olcToolThreads: 1 > structuralObjectClass: olcGlobal > entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4 > creatorsName: cn=config > createTimestamp: 20221213065102Z > olcPasswordCryptSaltFormat: $6$%.16s > olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt > olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key > olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt > olcTLSProtocolMin: 3.3 > entryCSN: 20221214054517.926245Z#000000#000#000000 > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > modifyTimestamp: 20221214054517Z But if I try sslscan: I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why ? > root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636 > Version: 2.0.7 > OpenSSL 1.1.1n 15 Mar 2022 > > Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4 > > Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world > > SSL/TLS Protocols: > SSLv2 disabled > SSLv3 disabled > TLSv1.0 enabled > TLSv1.1 enabled > TLSv1.2 enabled > TLSv1.3 enabled > > TLS Fallback SCSV: > Server supports TLS Fallback SCSV > > TLS renegotiation: > Secure session renegotiation supported > > TLS Compression: > OpenSSL version does not support compression > Rebuild with zlib1g-dev package for zlib support > > Heartbleed: > TLSv1.3 not vulnerable to heartbleed > TLSv1.2 not vulnerable to heartbleed > TLSv1.1 not vulnerable to heartbleed > TLSv1.0 not vulnerable to heartbleed > > Supported Server Cipher(s): > Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253 > Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253 > Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253 > Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 > Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253 > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits AES256-GCM-SHA384 > Accepted TLSv1.2 256 bits AES256-CCM > Accepted TLSv1.2 128 bits AES128-GCM-SHA256 > Accepted TLSv1.2 128 bits AES128-CCM > Accepted TLSv1.2 256 bits AES256-SHA > Accepted TLSv1.2 128 bits AES128-SHA > Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.1 256 bits AES256-SHA > Accepted TLSv1.1 128 bits AES128-SHA > Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.0 256 bits AES256-SHA > Accepted TLSv1.0 128 bits AES128-SHA > > Server Key Exchange Group(s): > TLSv1.3 128 bits secp256r1 (NIST P-256) > TLSv1.3 192 bits secp384r1 (NIST P-384) > TLSv1.3 260 bits secp521r1 (NIST P-521) > TLSv1.3 128 bits x25519 > TLSv1.3 224 bits x448 > TLSv1.3 112 bits ffdhe2048 > TLSv1.3 128 bits ffdhe3072 > TLSv1.3 150 bits ffdhe4096 > TLSv1.3 175 bits ffdhe6144 > TLSv1.3 192 bits ffdhe8192 > TLSv1.2 128 bits secp256r1 (NIST P-256) > TLSv1.2 192 bits secp384r1 (NIST P-384) > TLSv1.2 260 bits secp521r1 (NIST P-521) > TLSv1.2 128 bits x25519 > TLSv1.2 224 bits x448 > > SSL Certificate: > Signature Algorithm: sha256WithRSAEncryption > RSA Key Strength: 2048 > > Subject: ldap.homebox.world > Altnames: DNS:ldap.homebox.world > Issuer: (STAGING) Artificial Apricot R3 > > Not valid before: Dec 13 05:34:29 2022 GMT > Not valid after: Mar 13 05:34:28 2023 GMT Thanks for your insights. Andre

6 13

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

iNetOrgPerson doesn't exist?
by Luca Stancapiano 16 May '23

16 May '23

Hi all, I'm triing to create a user with openldap 2.4 dn: uid=rrrrrr,ou=users,dc=my-domain,dc=com objectClass: iNetOrgPerson uid: iiiiii but it doesn't seem recognize the objectClass producing this error: adding new entry "uid=rrrrrr,ou=users,dc=my-domain,dc=com" ldap_add: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax Using other object classes is ok. What's the problem?

5 11

.so dynamic library versioning
by Sam Dave 04 Apr '23

04 Apr '23

Hello, Thanks in advance for some clues on the below: 1. Has there ever been a release of LMDB that adds/removes/changes API? 2. On both Debian 10 (with lmdb 0.9.22) and Debian 11 (with lmdb 0.9.24) , under lib/ I see liblmdb.so -> liblmdb.so.0 (symlink) liblmdb.so.0 -> liblmdb.so.0.0.0 (symlink) liblmdb.so.0.0.0 (the original file) Has this always been at 0.0.0 since the beginning of LMDB? From the point of view of what the LMDB developers would expect, I mean. (I have no idea which distros were distributing LMDB in the early days) 3. What are your intentions regarding this .so versioning in relation to adding/removing/changes to the API? Something like this, perhaps? https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info… 4. Another Linux distribution (NixOS 22.11, with lmdb 0.9.29) has *only* this under lib/: liblmdb.so (the original file) Does this sound right to you? What I mean is, when people compile LMDB down to an .so, would you expect them to normally add a version after the ".so"? (As they apparently did in Debian) Regards, Sam

2 2

back_meta and overlay pcache
by Stefan Kania 01 Apr '23

01 Apr '23

Hello, I try to configure a proxy-server with back_meta connecting to to different AD-domains. I'm getting the result as expected if I do an ldapsearch. But now I want to add caching for the data, so I configured the following: ---------------- dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/symas/run/slapd.args olcLogLevel: any olcPidFile: /var/symas/run/slapd.pid olcToolThreads: 1 dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /opt/symas/lib/openldap olcModuleLoad: {0}back_ldap olcModuleLoad: {1}back_meta olcModuleLoad: {2}argon2 olcModuleLoad: {3}rwm.la olcModuleLoad: {4}pcache.la olcModuleLoad: {5}back_mdb.la dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema ... ... dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * read olcSizeLimit: 500 olcPasswordHash: {ARGON2} dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage olcRootDN: cn=admin,cn=config olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7 ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4 dn: olcDatabase={1}meta,cn=config objectClass: olcDatabaseConfig objectClass: olcMetaConfig olcDatabase: {1}meta olcSuffix: dc=example,dc=net olcReadOnly: TRUE olcRootDN: cn=admin,dc=example,dc=net olcRootPW: $argon2i$v=19$m=4096,t=3,p=1$c2dkc3Rld3Z0ZTV0NDU0NQ$F6NZb2w8O+6BOA3 L7zZ37mxFv7CPCXfHYuEiIxTYALY olcMonitoring: FALSE olcDbChaseReferrals: FALSE olcDbProtocolVersion: 3 olcDbRebindAsUser: TRUE dn: olcOverlay={0}rwm,olcDatabase={1}meta,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmTFSupport: false olcRwmMap: {0}objectClass posixAccount person olcRwmMap: {1}attribute uid sAMAccountName dn: olcOverlay={1}pcache,olcDatabase={1}meta,cn=config objectClass: olcOverlayConfig objectClass: olcPcacheConfig olcOverlay: {1}pcache olcPcache: mdb 100000 2 1000 100 olcPcacheAttrset: 0 mail postalAddress telephoneNumber givenName olcPcacheAttrset: 1 uid employeeType olcPcacheTemplate: "(&(mail=)(postalAddress=*)(telephoneNumber)" 0 3600 100 3 0 1600 olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 100 olcPcacheTemplate: "(mail=)" 0 3600 olcPcacheTemplate: "(sn=)" 1 3600 100 olcPcacheTemplate: "(uid=)" 1 3600 1000 30 200 olcPcachePersist: TRUE dn: olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}meta,cn=config objectClass: olcMdbConfig objectClass: olcPcacheDatabase olcDatabase: {0}mdb olcDbDirectory: /var/symas/pcache olcDbIndex: objectClass eq olcDbIndex: uid,employeeType,mail eq olcDbIndex: postalAddress,telephoneNumber,givenName eq dn: olcMetaSub={0}uri,olcDatabase={1}meta,cn=config objectClass: olcMetaTargetConfig olcMetaSub: {0}uri olcDbURI: "ldap://192.168.56.202/ou=org,dc=example,dc=net" olcDbIDAssertAuthzFrom: {0}* olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-orguser,cn=users,dc =example2,dc=org" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 tls_reqcert=never tls_reqsan=allow tls_crlcheck=none olcDbMap: {0}attribute uid sAMAccountName olcDbRewrite: {0}suffixmassage "ou=org,dc=example,dc=net" "dc=example2,dc=org" olcDbKeepalive: 0:0:0 olcDbChaseReferrals: FALSE olcDbProtocolVersion: 3 olcDbRebindAsUser: TRUE dn: olcMetaSub={1}uri,olcDatabase={1}meta,cn=config objectClass: olcMetaTargetConfig olcMetaSub: {1}uri olcDbURI: "ldap://192.168.56.203/ou=com,dc=example,dc=net" olcDbIDAssertAuthzFrom: {0}* olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-comuser,cn=users,dc =example3,dc=com" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 t ls_reqcert=never tls_reqsan=allow tls_crlcheck=none olcDbMap: {0}attribute uid sAMAccountName olcDbRewrite: {0}suffixmassage "ou=com,dc=example,dc=net" "dc=example3,dc=com" olcDbKeepalive: 0:0:0 olcDbChaseReferrals: FALSE olcDbProtocolVersion: 3 olcDbRebindAsUser: TRUE ---------------- The same pcache setup works with back_ldap. What did I do wrong or did I miss something. Using this setting with back_ldap, doing a ledapsearch, stopping the domaincontroller, repeat the ldapserch, because the data is in cache I still get the result. Seting up back_meta, as soon as I stop the domaincontroller I got nothing at all. Do I have to set up a cache for every uri? Then what should be the DN? Stefan

1 2

Uninstall
by Eric Fetzer 31 Mar '23

31 Mar '23

OK, getting a little further. I've come to the realization that I need to uninstall, reconfigure to include a few overlays, then reinstall. I'm on RHEL 8.7, and thus built from source. What do I need to do to uninstall? Guessing the first thing I need to remove is /etc/openldap. Thanks, Eric

3 5

Re: Adding to the schema
by Eric Fetzer 30 Mar '23

30 Mar '23

So I'm still on this. Since I'm running cn=config rather than slapd.conf, I'm confused as to where to put the: overlay ppolicy I don't have a: database mdb Here's my slapd.ldif that I loaded in (with the added olcModuleload you told me to add): dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/lib/openldap/slapd.args olcPidFile: /var/lib/openldap/slapd.pid dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/libexec/openldap olcModuleload: back_mdb.la olcModuleload ppolicy.so # Include more schemas in addition to default core include: file:///etc/openldap/schema/core.ldif include: file:///etc/openldap/schema/cosine.ldif include: file:///etc/openldap/schema/nis.ldif include: file:///etc/openldap/schema/inetorgperson.ldif include: file:///etc/openldap/schema/sudo.ldif dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend olcAccess: to dn.base="cn=Subschema" by * read olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none dn: olcDatabase=config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcRootDN: cn=config olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none So where would I put the: overlay ppolicy Thanks, Eric On Tue, Mar 7, 2023 at 12:21 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Tuesday, March 7, 2023 12:16 PM -0700 Eric Fetzer > <eric.fetzer(a)gmail.com> wrote: > > > > > I'm using 2.6.4. Sorry, brand new at this, how do I enable it? I > > don't see any references to it in the slapd.conf... I'm in the process > > of converting an ISDS db to OpenLDAP. Kind of daunting so far... > > > Generally speaking: > > In the portion of your configuration loading module: > > modulepath .... > moduleload ppolicy.so > > > In the database section of your configuration where you want to apply > password policies > > > database mdb > ... > > overlay ppolicy > > > Regards, > Quanah > > >

2 1

Up To Date Documentation
by Eric Fetzer 30 Mar '23

30 Mar '23

Where can I go for documentation on modern versions of OpenLDAP? I've been reading the guide at https://www.zytrax.com/books/ldap/ch1/ but it appears to be out of date from what I'm finding when trying to use it. Thanks, Eric

2 1

olcDbCacheSize in back_mdb
by Stefan Kania 29 Mar '23

29 Mar '23

Looking at the openldap.org adminhandbook to 2.6 I found https://openldap.org/doc/admin26/overlays.html#The%20Proxy%20Cache%20Engine The configuration for the databas for pcache: ------------ dn: olcDatabase={0}mdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcMdbConfig objectClass: olcPcacheDatabase olcDatabase: {0}mdb olcDbDirectory: ./testrun/db.2.a olcDbCacheSize: 20 olcDbIndex: objectClass eq olcDbIndex: cn,sn,uid,mail pres,eq,sub ------------ But I'm getting: ------------- adding new entry "olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}ldap,cn=config" ldap_add: Undefined attribute type (17) additional info: olcDbCacheSize: attribute type undefined ------------- The back_mdb module is loaded. -- Here my config "WITHOUT" olcDbCacheSize: ---------------- dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/symas/run/slapd.args olcLogLevel: any olcPidFile: /var/symas/run/slapd.pid olcToolThreads: 1 dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /opt/symas/lib/openldap olcModuleLoad: {0}back_ldap olcModuleLoad: {1}argon2 olcModuleLoad: {2}rwm.la olcModuleLoad: {3}pcache.la olcModuleLoad: {4}back_mdb.la dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema ... dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * read olcSizeLimit: 500 olcPasswordHash: {ARGON2} dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage olcRootDN: cn=admin,cn=config olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7 ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4 dn: olcDatabase={1}ldap,cn=config objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {1}ldap olcSuffix: dc=example1,dc=net olcReadOnly: TRUE olcRootDN: cn=admin,dc=example1,dc=net olcMonitoring: FALSE olcDbURI: "ldaps://dc-net01.example.net:636" olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-critical bindmeth od=simple timeout=0 network-timeout=0 binddn="cn=proxy-user,cn=users,dc=examp le1,dc=net" credentials="Passw0rd" keepalive=0:0:0 tls_reqcert=never tls_reqs an=allow olcDbIDAssertAuthzFrom: {0}* olcDbRebindAsUser: TRUE olcDbChaseReferrals: FALSE olcDbProtocolVersion: 3 dn: olcOverlay={0}rwm,olcDatabase={1}ldap,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmTFSupport: false olcRwmMap: {0}objectClass posixAccount person olcRwmMap: {1}attribute uid SAMACCOUNTNAME olcRwmMap: {2}attribute EMPLOYEETYP DEPARTMENT dn: olcOverlay={1}pcache,olcDatabase={1}ldap,cn=config objectClass: olcOverlayConfig objectClass: olcPcacheConfig olcOverlay: {1}pcache olcPcache: mdb 100000 1 1000 100 olcPcacheAttrset: 0 mail postalAddress telephoneNumber olcPcacheTemplate: "(sn=)" 0 3600 0 0 0 olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 0 0 0 olcPcacheTemplate: "(&(departmentNumber=)(secretary=))" 0 3600 olcPcachePersist: TRUE dn: olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}ldap,cn=config objectClass: olcMdbConfig objectClass: olcPcacheDatabase olcDatabase: {0}mdb olcDbDirectory: /var/symas/pcache olcDbIndex: objectClass eq olcDbIndex: uid eq ---------------- Did I miss someting or is it wrong in the adminbook?

2 1

Are there plans to support OpenSSL 3.0.x in OpenLDAP v2.5?
by Soichiro Shishido 27 Mar '23

27 Mar '23

Are there plans to support OpenSSL 3.0.x in OpenLDAP v2.5? OpenSSL 1.1.1 will be discontinued this year on 2023-09-11. Also, according to the OpenLDAP Project Release Maintenance Policy, it appears that v2.6 will not be LTS for some time yet. If OpenSSL 1.1.1 vulnerabilities are reported after 2023-09-12, and if we do not migrate to OpenSSL 3.0.x, OpenLDAP v2.5 will be left vulnerable.

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2023