March 2023 - openldap-technical

by Stefan Kania

Hi to all, the manpage of the slapo-dynlist is showing the following example: ----------- A dynamic group with dgIdentity authorization could be created with an entry like dn: cn=Dynamic Group,ou=Groups,dc=example,dc=com objectClass: groupOfURLs objectClass: dgIdentityAux cn: Dynamic Group memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person) dgIdentity: cn=Group Proxy,ou=Services,dc=example,dc=com ----------- I can't find an explanation of the attribute "dgIdentity", it's not mentioned what is "cn=Group Proxy,ou=Services,dc=example,dc=com". Can someone explain it please. Stefan

8 months, 1 week

2
1
0 / 0

Re: Adding to the schema

by Eric Fetzer

How do I enable this overlay if I'm using slapd-config? Sorry, I've been reading all of the Zytrex documentation, but it's going right over my head. Especially the slapd-config stuff... On Tue, Mar 7, 2023 at 12:10 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Monday, March 6, 2023 11:23 AM -0700 Eric Fetzer > <eric.fetzer(a)gmail.com> wrote: > > > > > Hi All, > > > > > > I need to add to my schema on my freshly built server. > > If you're using OpenLDAP 2.5 or later, the ppolicy schema is built into > the > ppolicy overlay and you should not be loading it separately at all. I > would note that all releases prior to OpenLDAP 2.5 are historic and not > supported. > > Regards, > Quanah > > > >

8 months, 2 weeks

1
0
0 / 0

After update slapd 2.5.13->2.5.14, dynlist memberOf not working anymore

by Andreas Ladanyi

Hi, after upgrade from 2.5.13->2.5.14 i cant get any search result from slapd when filtering for specific memberOf=value. If i downgrade back to slapd 2.5.13 all is working again. It doesnt work with ldapsearch nor with sssd-ldap modul when filtering entities with a specific memberOf=Value: ldapsearch -o ldif-wrap=no -LLL -x -ZZ -H ldap://ldap-server -b OUR_BASE_DN '(memberOf=.........)' memberOf uid ldapsearch shows the entities with memberOf attribute and the memberOf value if i search without a specific memberOf value in the filter: ldapsearch -o ldif-wrap=no -LLL -x -ZZ -H ldap://ldap-server -b OUR_BASE-DN memberOf The dynlist config is: dynlist-attrset labeledURIObject labeledURI memberOf regards, Andreas

8 months, 2 weeks

4
8
0 / 0

Re: slapd.conf or OLC (cn=config)

by Eric Fetzer

Thanks! On Thu, Mar 16, 2023 at 8:50 AM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Thursday, March 16, 2023 9:30 AM -0600 Eric Fetzer > <eric.fetzer(a)gmail.com> wrote: > > > > > Options: > > > > > > Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///" > > Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d" > > ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} > > $SLAPD_OPTIONS > > > > > > > > Yes, there is a slapd.d directory. > > You're using slapd-config and not slapd.conf then. > > --Quanah > > > >

8 months, 3 weeks

1
0
0 / 0

Problems with syncrepl and password changes

by Manolo Garcia Alvarez

Hello. We're having some problems with replication and password changes. Let me explain... In our institution we are using Shibboleth to provide SSO to the users. The credentials are stored in OpenLDAP, but due to the high demand (100 auths/second) and the high volume (more than 700K users), we had to split it in three servers: - one is the producer, which receives all of the changes (both data and password changes), - two are the consumers, sync'd with the producer via syncrepl. The two consumers are behind a load balancer and are used to perform the BINDs and the user lookup. The problem that we are facing is that in some cirscunstances (maybe high load, high traffic?) the syncrepl lasts more than expected, and that causes the next situation: 1. an user changes its password, the object changes its modifyTimestamp to T1 2. before the syncrepl gets to replicate that change, the user tries to authenticate with the new password, the balancer assigns one of the consumers (say C1), tries to bind, but the password is not yet changed, so it fails recording one pwdFailureTime and updating its modifyTimestamp to T2 3. when syncrepl tries to update the object in C1, T2 is older than T1 so it refuses to change the object ("dn_callback : new entry is older than ours cn=XXXXX,dc=acces,dc=uoc,dc=edu ours 20230313155537.264968Z#000000#00d#000000, new 20230313155506.235663Z#000000#00b#000000 ") Resulting in one user with the password changed in the provider and in only one of the consumers. Have you found the same problem? Maybe is there something wrong in our setup? Thanks a lot. ------------------------------ Manolo García Arquitecte de Solucions Universitat Oberta de Catalunya 689 88 30 93 | mgarciaal(a)uoc.edu [image: Universitat Oberta de Catalunya] -- INFORMACIÓ SOBRE PROTECCIÓ DE DADES DE LA UNIVERSITAT OBERTA DE CATALUNYA (UOC) Us informem que les vostres dades identificatives i les contingudes en els missatges electrònics i fitxers adjunts es poden incorporar a les nostres bases de dades amb la finalitat de gestionar les relacions i comunicacions vinculades a la UOC, i que es poden conservar mentre es mantingui la relació. Si ho voleu, podeu exercir el dret a accedir a les vostres dades, rectificar-les i suprimir-les i altres drets reconeguts normativament adreçant-vos a l'adreça de correu emissora o a fuoc_pd(a)uoc.edu <mailto:fuoc_pd@uoc.edu>. Aquest missatge i qualsevol fitxer que porti adjunt, si escau, tenen el caràcter de confidencials i s'adrecen únicament a la persona o entitat a qui s'han enviat. Així mateix, posem a la vostra disposició un delegat de protecció de dades que no només s'encarregarà de supervisar tots els tractaments de dades de la nostra entitat, sinó que us podrà atendre per a qualsevol qüestió relacionada amb el tractament de dades. La seva adreça de contacte és dpd(a)uoc.edu <mailto:dpd@uoc.edu>. INFORMACIÓN SOBRE PROTECCIÓN DE DATOS DE LA UNIVERSITAT OBERTA DE CATALUNYA (UOC) Os informamos de que vuestros datos identificativos y los contenidos en los mensajes electrónicos y ficheros adjuntos pueden incorporarse a nuestras bases de datos con el fin de gestionar las relaciones y comunicaciones vinculadas a la UOC, y de que pueden conservarse mientras se mantenga la relación. Si lo deseáis, podéis ejercer el derecho a acceder a vuestros datos, rectificarlos y suprimirlos y otros derechos reconocidos normativamente dirigiéndoos a la dirección de correo emisora o a fuoc_pd(a)uoc.edu <mailto:fuoc_pd@uoc.edu>. Este mensaje y cualquier fichero que lleve adjunto, si procede, tienen el carácter de confidenciales y se dirigen únicamente a la persona o entidad a quien se han enviado. Así mismo, ponemos a vuestra disposición a un delegado de protección de datos que no solo se encargará de supervisar todos los tratamientos de datos de nuestra entidad, sino que podrá atenderos para cualquier cuestión relacionada con el tratamiento de datos. Su dirección de contacto es dpd(a)uoc.edu <mailto:dpd@uoc.edu>. UNIVERSITAT OBERTA DE CATALUNYA (UOC) DATA PROTECTION INFORMATION Your personal data and the data contained in your email messages and attached files may be stored in our databases for the purpose of maintaining relations and communications linked to the UOC, and the data may be stored for as long as these relations and communications are maintained. If you so wish, you can exercise your rights to access, rectification and erasure of your data, and any other legally held rights, by writing to the sender’s email address or to fuoc_pd(a)uoc.edu <http://fuoc_pd@uoc.edu>. This message and, where applicable, any attachments are confidential and addressed solely to the individual or organization they were sent to. The UOC has a data protection officer who not only supervises the data processing carried out at the University, but who will also respond to any questions you may have about this data processing. You can contact our data protection officer by writing to dpd(a)uoc.edu <http://dpd@uoc.edu>.

8 months, 3 weeks

3
2
0 / 0

Re: Antw: [EXT] invalid opcode

by Jeffrey Walton

On Thu, Mar 16, 2023 at 10:50 AM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > --On Thursday, March 16, 2023 11:29 AM -0400 Jeffrey Walton > <noloader(a)gmail.com> wrote: > > >> This doesn't make sense. You should be using an ldapv3 password modify > >> operation on the user account in question and letting the server do the > >> hashing (and also allows password policies, if deployed, to be used). > > > > If I understand things correctly... The server does not hash the > > password. The server never gets to see the plaintext password. > > You don't. > > > See > > https://www.postgresql.org/message-id/379034.1673389287%40sss.pgh.pa.us . > > What does a thread about how postgres works have to do with OpenLDAP or the > LDAP protocol? My bad... I crossed my mailing lists. Jeff

8 months, 3 weeks

1
0
0 / 0

Re: Problems with syncrepl and password changes

by Manolo Garcia Alvarez

You're right, sorry. We are running version 2.4.44: OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) Thanks ! El jue, 16 mar 2023 a las 15:14, Quanah Gibson-Mount (<quanah(a)fast-mail.org>) escribió: > > > --On Thursday, March 16, 2023 11:12 AM +0100 Manolo Garcia Alvarez > <mgarciaal(a)uoc.edu> wrote: > > > > > > > Hello. > > > > We're having some problems with replication and password changes. Let me > > explain... In our institution we are using Shibboleth to provide SSO to > > the users. The credentials are stored in OpenLDAP, but due to the high > > demand (100 auths/second) and the high volume (more than 700K users), we > > had to split it in three servers: > > Thta's not high volume or a large amount of users (just to note). You > didn't provide any information on the version of OpenLDAP in use, which is > critical information. > > --Quanah > > > -- ------------------------------ Manolo García Arquitecte de Solucions Universitat Oberta de Catalunya 689 88 30 93 | mgarciaal(a)uoc.edu [image: Universitat Oberta de Catalunya] -- INFORMACIÓ SOBRE PROTECCIÓ DE DADES DE LA UNIVERSITAT OBERTA DE CATALUNYA (UOC) Us informem que les vostres dades identificatives i les contingudes en els missatges electrònics i fitxers adjunts es poden incorporar a les nostres bases de dades amb la finalitat de gestionar les relacions i comunicacions vinculades a la UOC, i que es poden conservar mentre es mantingui la relació. Si ho voleu, podeu exercir el dret a accedir a les vostres dades, rectificar-les i suprimir-les i altres drets reconeguts normativament adreçant-vos a l'adreça de correu emissora o a fuoc_pd(a)uoc.edu <mailto:fuoc_pd@uoc.edu>. Aquest missatge i qualsevol fitxer que porti adjunt, si escau, tenen el caràcter de confidencials i s'adrecen únicament a la persona o entitat a qui s'han enviat. Així mateix, posem a la vostra disposició un delegat de protecció de dades que no només s'encarregarà de supervisar tots els tractaments de dades de la nostra entitat, sinó que us podrà atendre per a qualsevol qüestió relacionada amb el tractament de dades. La seva adreça de contacte és dpd(a)uoc.edu <mailto:dpd@uoc.edu>. INFORMACIÓN SOBRE PROTECCIÓN DE DATOS DE LA UNIVERSITAT OBERTA DE CATALUNYA (UOC) Os informamos de que vuestros datos identificativos y los contenidos en los mensajes electrónicos y ficheros adjuntos pueden incorporarse a nuestras bases de datos con el fin de gestionar las relaciones y comunicaciones vinculadas a la UOC, y de que pueden conservarse mientras se mantenga la relación. Si lo deseáis, podéis ejercer el derecho a acceder a vuestros datos, rectificarlos y suprimirlos y otros derechos reconocidos normativamente dirigiéndoos a la dirección de correo emisora o a fuoc_pd(a)uoc.edu <mailto:fuoc_pd@uoc.edu>. Este mensaje y cualquier fichero que lleve adjunto, si procede, tienen el carácter de confidenciales y se dirigen únicamente a la persona o entidad a quien se han enviado. Así mismo, ponemos a vuestra disposición a un delegado de protección de datos que no solo se encargará de supervisar todos los tratamientos de datos de nuestra entidad, sino que podrá atenderos para cualquier cuestión relacionada con el tratamiento de datos. Su dirección de contacto es dpd(a)uoc.edu <mailto:dpd@uoc.edu>. UNIVERSITAT OBERTA DE CATALUNYA (UOC) DATA PROTECTION INFORMATION Your personal data and the data contained in your email messages and attached files may be stored in our databases for the purpose of maintaining relations and communications linked to the UOC, and the data may be stored for as long as these relations and communications are maintained. If you so wish, you can exercise your rights to access, rectification and erasure of your data, and any other legally held rights, by writing to the sender’s email address or to fuoc_pd(a)uoc.edu <http://fuoc_pd@uoc.edu>. This message and, where applicable, any attachments are confidential and addressed solely to the individual or organization they were sent to. The UOC has a data protection officer who not only supervises the data processing carried out at the University, but who will also respond to any questions you may have about this data processing. You can contact our data protection officer by writing to dpd(a)uoc.edu <http://dpd@uoc.edu>.

8 months, 3 weeks

2
1
0 / 0

Re: slapd.conf or OLC (cn=config)

by Eric Fetzer

Options: Environment="SLAPD_URLS=ldap:/// ldapi:/// ldaps:///" Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d" ExecStart=/usr/libexec/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS Yes, there is a slapd.d directory. Thanks, Eric On Thu, Mar 16, 2023 at 8:08 AM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Wednesday, March 15, 2023 10:11 AM -0600 Eric Fetzer > <eric.fetzer(a)gmail.com> wrote: > > > > > Looking at my slapd.conf file, I have a bunch of olc settings in it. > > Does that mean I'm OLC? I installed it using this > > site: https://computingforgeeks.com/install-configure-openldap-server- > > centos/ > > What options is slapd running with? Is there a "slapd.d" directory where > its configuration is deployed? > > --Quanah >

8 months, 3 weeks

2
1
0 / 0

Re: Antw: [EXT] invalid opcode

by Jeffrey Walton

On Thu, Mar 16, 2023 at 10:08 AM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > --On Saturday, March 11, 2023 7:51 PM +0100 Stefan Kania > <stefan(a)kania-online.de> wrote: > > > For a rootdn > > ------------------- > > dn: olcDatabase={2}mdb,cn=config > > changetype: modify > > replace: olcRootPW > > olcRootPW: > > {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$ZGJmZ2lrbmpiZHZzZ3NhdmRzZw$J6eXYSxY4 > > tDs4l8SdBkIwcAU0OqEEdR0gpFNJ5MSqQs > > ------------------- > > This makes sense, since you can't use the ldapv3 password modify operation > to update this password value. > > > and a posix or simpleSecurityObject: > > ------------------- > > dn: uid=repl-user,ou=users,dc=example,dc=net > > changetype: modify > > replace: userPassword > > userPassword: > > {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNsYXQ5ODc2NTQzMg$Td51W49s0X74o > > m++/EnMRsP4La3x46KufcGGY01T8+M > > ------------------- > > This doesn't make sense. You should be using an ldapv3 password modify > operation on the user account in question and letting the server do the > hashing (and also allows password policies, if deployed, to be used). If I understand things correctly... The server does not hash the password. The server never gets to see the plaintext password. See https://www.postgresql.org/message-id/379034.1673389287%40sss.pgh.pa.us . Jeff

8 months, 3 weeks

2
1
0 / 0

slapd.conf or OLC (cn=config)

by Eric Fetzer

How can I tell which methodology my implementation is using?

8 months, 3 weeks

2
2
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2023