openldap-technical March 2023

openldap-technical@openldap.org

22 participants
35 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

iNetOrgPerson doesn't exist?
by Luca Stancapiano 16 May '23

16 May '23

Hi all, I'm triing to create a user with openldap 2.4 dn: uid=rrrrrr,ou=users,dc=my-domain,dc=com objectClass: iNetOrgPerson uid: iiiiii but it doesn't seem recognize the objectClass producing this error: adding new entry "uid=rrrrrr,ou=users,dc=my-domain,dc=com" ldap_add: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax Using other object classes is ok. What's the problem?

5 11

.so dynamic library versioning
by Sam Dave 04 Apr '23

04 Apr '23

Hello, Thanks in advance for some clues on the below: 1. Has there ever been a release of LMDB that adds/removes/changes API? 2. On both Debian 10 (with lmdb 0.9.22) and Debian 11 (with lmdb 0.9.24) , under lib/ I see liblmdb.so -> liblmdb.so.0 (symlink) liblmdb.so.0 -> liblmdb.so.0.0.0 (symlink) liblmdb.so.0.0.0 (the original file) Has this always been at 0.0.0 since the beginning of LMDB? From the point of view of what the LMDB developers would expect, I mean. (I have no idea which distros were distributing LMDB in the early days) 3. What are your intentions regarding this .so versioning in relation to adding/removing/changes to the API? Something like this, perhaps? https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info… 4. Another Linux distribution (NixOS 22.11, with lmdb 0.9.29) has *only* this under lib/: liblmdb.so (the original file) Does this sound right to you? What I mean is, when people compile LMDB down to an .so, would you expect them to normally add a version after the ".so"? (As they apparently did in Debian) Regards, Sam

2 2

back_meta and overlay pcache
by Stefan Kania 01 Apr '23

01 Apr '23

Hello, I try to configure a proxy-server with back_meta connecting to to different AD-domains. I'm getting the result as expected if I do an ldapsearch. But now I want to add caching for the data, so I configured the following: ---------------- dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/symas/run/slapd.args olcLogLevel: any olcPidFile: /var/symas/run/slapd.pid olcToolThreads: 1 dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /opt/symas/lib/openldap olcModuleLoad: {0}back_ldap olcModuleLoad: {1}back_meta olcModuleLoad: {2}argon2 olcModuleLoad: {3}rwm.la olcModuleLoad: {4}pcache.la olcModuleLoad: {5}back_mdb.la dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema ... ... dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * read olcSizeLimit: 500 olcPasswordHash: {ARGON2} dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage olcRootDN: cn=admin,cn=config olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7 ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4 dn: olcDatabase={1}meta,cn=config objectClass: olcDatabaseConfig objectClass: olcMetaConfig olcDatabase: {1}meta olcSuffix: dc=example,dc=net olcReadOnly: TRUE olcRootDN: cn=admin,dc=example,dc=net olcRootPW: $argon2i$v=19$m=4096,t=3,p=1$c2dkc3Rld3Z0ZTV0NDU0NQ$F6NZb2w8O+6BOA3 L7zZ37mxFv7CPCXfHYuEiIxTYALY olcMonitoring: FALSE olcDbChaseReferrals: FALSE olcDbProtocolVersion: 3 olcDbRebindAsUser: TRUE dn: olcOverlay={0}rwm,olcDatabase={1}meta,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmTFSupport: false olcRwmMap: {0}objectClass posixAccount person olcRwmMap: {1}attribute uid sAMAccountName dn: olcOverlay={1}pcache,olcDatabase={1}meta,cn=config objectClass: olcOverlayConfig objectClass: olcPcacheConfig olcOverlay: {1}pcache olcPcache: mdb 100000 2 1000 100 olcPcacheAttrset: 0 mail postalAddress telephoneNumber givenName olcPcacheAttrset: 1 uid employeeType olcPcacheTemplate: "(&(mail=)(postalAddress=*)(telephoneNumber)" 0 3600 100 3 0 1600 olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 100 olcPcacheTemplate: "(mail=)" 0 3600 olcPcacheTemplate: "(sn=)" 1 3600 100 olcPcacheTemplate: "(uid=)" 1 3600 1000 30 200 olcPcachePersist: TRUE dn: olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}meta,cn=config objectClass: olcMdbConfig objectClass: olcPcacheDatabase olcDatabase: {0}mdb olcDbDirectory: /var/symas/pcache olcDbIndex: objectClass eq olcDbIndex: uid,employeeType,mail eq olcDbIndex: postalAddress,telephoneNumber,givenName eq dn: olcMetaSub={0}uri,olcDatabase={1}meta,cn=config objectClass: olcMetaTargetConfig olcMetaSub: {0}uri olcDbURI: "ldap://192.168.56.202/ou=org,dc=example,dc=net" olcDbIDAssertAuthzFrom: {0}* olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-orguser,cn=users,dc =example2,dc=org" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 tls_reqcert=never tls_reqsan=allow tls_crlcheck=none olcDbMap: {0}attribute uid sAMAccountName olcDbRewrite: {0}suffixmassage "ou=org,dc=example,dc=net" "dc=example2,dc=org" olcDbKeepalive: 0:0:0 olcDbChaseReferrals: FALSE olcDbProtocolVersion: 3 olcDbRebindAsUser: TRUE dn: olcMetaSub={1}uri,olcDatabase={1}meta,cn=config objectClass: olcMetaTargetConfig olcMetaSub: {1}uri olcDbURI: "ldap://192.168.56.203/ou=com,dc=example,dc=net" olcDbIDAssertAuthzFrom: {0}* olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-comuser,cn=users,dc =example3,dc=com" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 t ls_reqcert=never tls_reqsan=allow tls_crlcheck=none olcDbMap: {0}attribute uid sAMAccountName olcDbRewrite: {0}suffixmassage "ou=com,dc=example,dc=net" "dc=example3,dc=com" olcDbKeepalive: 0:0:0 olcDbChaseReferrals: FALSE olcDbProtocolVersion: 3 olcDbRebindAsUser: TRUE ---------------- The same pcache setup works with back_ldap. What did I do wrong or did I miss something. Using this setting with back_ldap, doing a ledapsearch, stopping the domaincontroller, repeat the ldapserch, because the data is in cache I still get the result. Seting up back_meta, as soon as I stop the domaincontroller I got nothing at all. Do I have to set up a cache for every uri? Then what should be the DN? Stefan

1 2

Uninstall
by Eric Fetzer 31 Mar '23

31 Mar '23

OK, getting a little further. I've come to the realization that I need to uninstall, reconfigure to include a few overlays, then reinstall. I'm on RHEL 8.7, and thus built from source. What do I need to do to uninstall? Guessing the first thing I need to remove is /etc/openldap. Thanks, Eric

3 5

Re: Adding to the schema
by Eric Fetzer 30 Mar '23

30 Mar '23

So I'm still on this. Since I'm running cn=config rather than slapd.conf, I'm confused as to where to put the: overlay ppolicy I don't have a: database mdb Here's my slapd.ldif that I loaded in (with the added olcModuleload you told me to add): dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/lib/openldap/slapd.args olcPidFile: /var/lib/openldap/slapd.pid dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/libexec/openldap olcModuleload: back_mdb.la olcModuleload ppolicy.so # Include more schemas in addition to default core include: file:///etc/openldap/schema/core.ldif include: file:///etc/openldap/schema/cosine.ldif include: file:///etc/openldap/schema/nis.ldif include: file:///etc/openldap/schema/inetorgperson.ldif include: file:///etc/openldap/schema/sudo.ldif dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend olcAccess: to dn.base="cn=Subschema" by * read olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none dn: olcDatabase=config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcRootDN: cn=config olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none So where would I put the: overlay ppolicy Thanks, Eric On Tue, Mar 7, 2023 at 12:21 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Tuesday, March 7, 2023 12:16 PM -0700 Eric Fetzer > <eric.fetzer(a)gmail.com> wrote: > > > > > I'm using 2.6.4. Sorry, brand new at this, how do I enable it? I > > don't see any references to it in the slapd.conf... I'm in the process > > of converting an ISDS db to OpenLDAP. Kind of daunting so far... > > > Generally speaking: > > In the portion of your configuration loading module: > > modulepath .... > moduleload ppolicy.so > > > In the database section of your configuration where you want to apply > password policies > > > database mdb > ... > > overlay ppolicy > > > Regards, > Quanah > > >

2 1

Up To Date Documentation
by Eric Fetzer 30 Mar '23

30 Mar '23

Where can I go for documentation on modern versions of OpenLDAP? I've been reading the guide at https://www.zytrax.com/books/ldap/ch1/ but it appears to be out of date from what I'm finding when trying to use it. Thanks, Eric

2 1

olcDbCacheSize in back_mdb
by Stefan Kania 29 Mar '23

29 Mar '23

Looking at the openldap.org adminhandbook to 2.6 I found https://openldap.org/doc/admin26/overlays.html#The%20Proxy%20Cache%20Engine The configuration for the databas for pcache: ------------ dn: olcDatabase={0}mdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcMdbConfig objectClass: olcPcacheDatabase olcDatabase: {0}mdb olcDbDirectory: ./testrun/db.2.a olcDbCacheSize: 20 olcDbIndex: objectClass eq olcDbIndex: cn,sn,uid,mail pres,eq,sub ------------ But I'm getting: ------------- adding new entry "olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}ldap,cn=config" ldap_add: Undefined attribute type (17) additional info: olcDbCacheSize: attribute type undefined ------------- The back_mdb module is loaded. -- Here my config "WITHOUT" olcDbCacheSize: ---------------- dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/symas/run/slapd.args olcLogLevel: any olcPidFile: /var/symas/run/slapd.pid olcToolThreads: 1 dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /opt/symas/lib/openldap olcModuleLoad: {0}back_ldap olcModuleLoad: {1}argon2 olcModuleLoad: {2}rwm.la olcModuleLoad: {3}pcache.la olcModuleLoad: {4}back_mdb.la dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema ... dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * read olcSizeLimit: 500 olcPasswordHash: {ARGON2} dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage olcRootDN: cn=admin,cn=config olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7 ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4 dn: olcDatabase={1}ldap,cn=config objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {1}ldap olcSuffix: dc=example1,dc=net olcReadOnly: TRUE olcRootDN: cn=admin,dc=example1,dc=net olcMonitoring: FALSE olcDbURI: "ldaps://dc-net01.example.net:636" olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-critical bindmeth od=simple timeout=0 network-timeout=0 binddn="cn=proxy-user,cn=users,dc=examp le1,dc=net" credentials="Passw0rd" keepalive=0:0:0 tls_reqcert=never tls_reqs an=allow olcDbIDAssertAuthzFrom: {0}* olcDbRebindAsUser: TRUE olcDbChaseReferrals: FALSE olcDbProtocolVersion: 3 dn: olcOverlay={0}rwm,olcDatabase={1}ldap,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmTFSupport: false olcRwmMap: {0}objectClass posixAccount person olcRwmMap: {1}attribute uid SAMACCOUNTNAME olcRwmMap: {2}attribute EMPLOYEETYP DEPARTMENT dn: olcOverlay={1}pcache,olcDatabase={1}ldap,cn=config objectClass: olcOverlayConfig objectClass: olcPcacheConfig olcOverlay: {1}pcache olcPcache: mdb 100000 1 1000 100 olcPcacheAttrset: 0 mail postalAddress telephoneNumber olcPcacheTemplate: "(sn=)" 0 3600 0 0 0 olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 0 0 0 olcPcacheTemplate: "(&(departmentNumber=)(secretary=))" 0 3600 olcPcachePersist: TRUE dn: olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}ldap,cn=config objectClass: olcMdbConfig objectClass: olcPcacheDatabase olcDatabase: {0}mdb olcDbDirectory: /var/symas/pcache olcDbIndex: objectClass eq olcDbIndex: uid eq ---------------- Did I miss someting or is it wrong in the adminbook?

2 1

Are there plans to support OpenSSL 3.0.x in OpenLDAP v2.5?
by Soichiro Shishido 27 Mar '23

27 Mar '23

Are there plans to support OpenSSL 3.0.x in OpenLDAP v2.5? OpenSSL 1.1.1 will be discontinued this year on 2023-09-11. Also, according to the OpenLDAP Project Release Maintenance Policy, it appears that v2.6 will not be LTS for some time yet. If OpenSSL 1.1.1 vulnerabilities are reported after 2023-09-12, and if we do not migrate to OpenSSL 3.0.x, OpenLDAP v2.5 will be left vulnerable.

2 2

overlay pcache and cn=config
by Stefan Kania 27 Mar '23

27 Mar '23

Hello, I've got the following working slapd.conf: -------------------- include /opt/symas/etc/openldap/schema/core.schema include /opt/symas/etc/openldap/schema/cosine.schema include /opt/symas/etc/openldap/schema/inetorgperson.schema include /opt/symas/etc/openldap/schema/misc.schema include /opt/symas/etc/openldap/schema/nis.schema include /opt/symas/etc/openldap/schema/msuser.schema modulepath /opt/symas/lib/openldap moduleload back_ldap moduleload back_mdb moduleload rwm.la moduleload memberof.la moduleload pcache.la loglevel any pidfile /var/symas/run/slapd.pid argsfile /var/symas/run/slapd.args database ldap readonly yes protocol-version 3 rebind-as-user yes uri "ldap://192.168.56.201:389" suffix "dc=example1,dc=net" rootdn "cn=admin,dc=example1,dc=net" idassert-bind bindmethod=simple mode=none binddn="CN=Administrator,cn=users,dc=example1,dc=net" credentials=Passw0rd tls_cacertdir=/opt/symas/etc/openldap tls_reqcert=never idassert-authzFrom "*" overlay rwm rwm-map attribute uid sAMAccountName rwm-map objectClass posixAccount person overlay memberof memberof-group-oc groupOfuniqueNames memberof-member-ad uniquemember memberof-dangling error overlay pcache pcache mdb 100000 6 1000 100 pcachePersist TRUE directory "/var/symas/pcache" pcacheAttrset 0 1.1 pcacheTemplate (uid=) 0 3600 pcacheTemplate (&(|(objectClass=))) 0 3600 pcacheAttrset 1 employeetype givenName cn sn uid mail pcacheTemplate (uid=) 1 3600 pcacheBind (uid=) 1 3600 sub dc=de pcacheAttrset 2 givenName cn sn uid mail uidNumber pcacheTemplate (objectClass=) 2 3600 pcacheAttrset 3 userPassword pcacheTemplate (uid=) 3 3600 pcacheTemplate (objectClass=) 2 3600 pcacheAttrset 4 employeetype givenName cn sn uid mail pcacheTemplate (uid=) 1 3600 pcacheAttrset 5 memberOf pcacheTemplate (objectClass=*) 2 3600 -------------------- Search for an entry in AD is working: ---------------------- root@ldap-proxy01:~/server-setup/proxy# ldapsearch -x -b dc=example1,dc=net cn=administrator -LLL dn dn: cn=Administrator,cn=Users,dc=example1,dc=net ---------------------- Now I want to convert it to cn=config but Im getting the following error: -------------------- root@ldap-proxy01:/opt/symas/etc/openldap# slaptest -F ./my-slapd.d/ -f slapd.conf Entry (olcDatabase={0}mdb,olcOverlay={2}pcache,olcDatabase={1}ldap,cn=config): object class 'olcMdbBkConfig' requires attribute 'olcBackend' config_build_entry: build "olcDatabase={0}mdb" failed: "(null)" config file testing succeeded mdb_opinfo_get: err Permission denied(13) -------------------- Then I try to create my own LDIFs: basic config: ----------------- dn: cn=config objectClass: olcGlobal cn: config olcLogLevel: any olcPidFile: /var/symas/run/slapd.pid olcArgsFile: /var/symas/run/slapd.args olcToolThreads: 1 dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /opt/symas/lib/openldap olcModuleLoad: back_mdb olcModuleLoad: back_ldap olcModuleLoad: back_monitor olcModuleLoad: argon2 include: file:///opt/symas/etc/openldap/schema/core.ldif include: file:///opt/symas/etc/openldap/schema/cosine.ldif include: file:///opt/symas/etc/openldap/schema/nis.ldif include: file:///opt/symas/etc/openldap/schema/inetorgperson.ldif include: file:///opt/symas/etc/openldap/schema/msuser.ldif dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcSizeLimit: 500 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcAccess: {1}to dn="" by * read olcAccess: {2}to dn.base="cn=subschema" by * read dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootDN: cn=admin,cn=config olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage dn: olcDatabase={1}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {1}monitor olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read by dn.exact=cn=admin,dc=example,dc=net read by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth read dn: olcDatabase={2}ldap,cn=config objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {2}ldap olcSuffix: dc=example1,dc=net olcAddContentAcl: FALSE olcLastMod: FALSE olcLastBind: FALSE olcLastBindPrecision: 0 olcMaxDerefDepth: 15 olcReadOnly: TRUE olcRootDN: cn=admin,dc=example1,dc=net olcSyncUseSubentry: FALSE olcMonitoring: FALSE olcDbURI: "ldap://dc-net01.example.net:389" olcDbStartTLS: none starttls=no olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn="cn=administrator,cn=users,dc =example1,dc=net" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 t ls_cacertdir="/opt/symas/etc/openldap" tls_reqcert=never tls_reqsan=allow tls _crlcheck=none olcDbIDAssertAuthzFrom: * olcDbRebindAsUser: TRUE olcDbChaseReferrals: FALSE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbOnErr: continue olcDbKeepalive: 0:0:0 ----------------- LDIF for rwm ------------------ dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: rwm.la dn: olcOverlay={0}rwm,olcDatabase={2}ldap,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmTFSupport: false olcRwmMap: {0}objectClass posixAccount person olcRwmMap: {1}attribute uid sAMAccountName ------------------ LDIF for pcache ------------------ dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: pcache.la dn: olcOverlay={3}pcache,olcDatabase={2}ldap,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcPcacheConfig olcOverlay: {3}pcache olcPcache: mdb 100000 5 1000 100 olcPcacheAttrset: 0 employeeType givenName cn sn uid mail olcPcacheAttrset: 1 givenName cn sn uid mail uidNumber olcPcacheAttrset: 2 userPassword olcPcacheAttrset: 3 employeeType givenName cn sn uid mail olcPcacheAttrset: 4 memberOf olcPcacheTemplate: "(objectClass=*)" 2 3600 0 0 0 olcPcacheTemplate: (&(objectClass=)(memberUid=)) 2 300 olcPcacheTemplate: (&(objectClass=)(uid=)) 0 300 dn: olcDatabase=mdb,olcOverlay={3}pcache,olcDatabase={2}ldap,cn=config changetype: add objectClass: olcMdbConfig objectClass: olcPcacheDatabase olcDbDirectory: /var/symas/pcache olcDbIndex: pcacheQueryID eq ------------------ But wenn I do a ldapsearch I got the following result: ---------------- root@ldap-proxy01:~/server-setup/proxy# ldapsearch -x -b dc=example1,dc=net cn=administrator -LLL dn # refldap://example1.net/CN=Configuration,DC=example1,DC=net # refldap://example1.net/DC=DomainDnsZones,DC=example1,DC=net # refldap://example1.net/DC=ForestDnsZones,DC=example1,DC=net ---------------- I only got the Referrals from AD, but not the object I'm looking for. It's nearly impossible to find a good documentation on how to setup pcache overlay via cn=config. As i said with slapd.conf everyting works. Any hint that get things working as expected? When I'm starting the slapd the log is showing: ----------- mdb_db_open: database "dc=example1,dc=net": dbenv_open(/var/symas/pcache). ----------- Same Server different problem I did not add memberof, because everytime I add the overlay with the following LDIF (should be replaced by dynlist in the near future) But I think it should work: -------------- dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: memberof.la dn: olcOverlay={1}memberof,olcDatabase={2}ldap,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcMemberOfConfig olcOverlay: {1}memberof olcMemberOfGroupOC: groupOfNames olcMemberOfMemberAD: member -------------- The slapd chrashes and "slapcat -n0" is giving e the following error: --------------- root@ldap-proxy01:~/server-setup/proxy# slapcat -n0 olcAttributeTypes: value #741 olcAttributeTypes: Duplicate attributeType: " z*V" config error processing cn={4}msuser,cn=schema,cn=config: olcAttributeTypes: Duplicate attributeType: " z*V" slapcat: bad configuration file! ---------------

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2023