openldap-technical March 2023

openldap-technical@openldap.org

22 participants
35 discussions

invalid opcode
by Stefan Kania 16 Mar '23

16 Mar '23

Hi to all, I just installed a fresh 2.5 server with the symas-packages and debian 11. I can start the service, but as soon as I try to authenticate for example with: ldapsearch -x -D cn=admin,dc=example,dc=net -W the server crashes, I put the loglevel to "any" and I saw kernel: traps: slapd[18020] trap invalid opcode ip:7febaf26a415 sp:7fc3ad4b69e0 error:0 in libargon2.so.1[7febaf266000+5000] Everytime I try to authenitcate. All packages are up to date. any idea

5 19

Re: Adding to the schema
by Eric Fetzer 09 Mar '23

09 Mar '23

If the other moduleload in there is back_mdb.la, should I also go with ppolicy.la or should I stick with .so? Thanks, Eric On Tue, Mar 7, 2023 at 12:21 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Tuesday, March 7, 2023 12:16 PM -0700 Eric Fetzer > <eric.fetzer(a)gmail.com> wrote: > > > > > I'm using 2.6.4. Sorry, brand new at this, how do I enable it? I > > don't see any references to it in the slapd.conf... I'm in the process > > of converting an ISDS db to OpenLDAP. Kind of daunting so far... > > > Generally speaking: > > In the portion of your configuration loading module: > > modulepath .... > moduleload ppolicy.so > > > In the database section of your configuration where you want to apply > password policies > > > database mdb > ... > > overlay ppolicy > > > Regards, > Quanah > > >

2 1

RoleOccupant filter
by forumforeign 09 Mar '23

09 Mar '23

Hello. I have LDAP groups which keep users inside. Here an example of group: # developer, roles, domain.com dn: cn=developer,ou=roles,dc=domain,dc=com objectClass: organizationalRole cn: developer roleOccupant: uid=user1,ou=people,dc=domain,dc=com roleOccupant: uid=user2,ou=people,dc=domain,dc=com I need to make a search filter, which can say, if certain user belong to group? Or does certain group have a user? Next filter give all uids of group developer: openldapsearch -v -H ldaps://<ldap_host> -x -b 'dc=domain,dc=com' -W -D "cn=vmail,ou=services,dc=domain,dc=com" '(&(objectClass=organizationalRole)(cn=developer))' RoleOccupant When I try to add 'uid' to filter it doesn't return any records: '(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))' RoleOccupant '(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))' '(&(objectClass=organizationalRole)(cn=developer)(uid=user1*))' RoleOccupant How I can change filter, that check if user1 belong to group developer?

3 5

Re: Adding to the schema
by Eric Fetzer 08 Mar '23

08 Mar '23

Is the ... where I set the policy? _______________________________________________________ In the database section of your configuration where you want to apply password policies database mdb ...HERE... overlay policy ________________________________________________________ Thanks, Eric On Tue, Mar 7, 2023 at 12:21 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Tuesday, March 7, 2023 12:16 PM -0700 Eric Fetzer > <eric.fetzer(a)gmail.com> wrote: > > > > > I'm using 2.6.4. Sorry, brand new at this, how do I enable it? I > > don't see any references to it in the slapd.conf... I'm in the process > > of converting an ISDS db to OpenLDAP. Kind of daunting so far... > > > Generally speaking: > > In the portion of your configuration loading module: > > modulepath .... > moduleload ppolicy.so > > > In the database section of your configuration where you want to apply > password policies > > > database mdb > ... > > overlay ppolicy > > > Regards, > Quanah > > >

2 1

Re: Backup Mirrormode setup
by Meike Stone 08 Mar '23

08 Mar '23

Am Mi., 16. März 2022 um 21:39 Uhr schrieb Quanah Gibson-Mount <quanah(a)fast-mail.org>: > > > > --On Wednesday, March 16, 2022 10:23 PM +0100 Meike Stone > <meike.stone(a)googlemail.com> wrote: > > > > > We are still using the bdb backend and the latest 2.4.59 (don't ask, > > it will be replaced soon) and I remember, a "few" years ago, I had > > problems with slapcat and online databases, because the server was > > stucking for a while and answers were delayed .. > > (The Admin Guide tells, that "Backups are managed slightly differently" > > ...) Secondly, while offline, I can copy the whole database directory > > including the transaction logs .. > > Ah, ok. Yes, you could set up a read-only consumer node to take backups > from. I'd highly prioritize moving to a supported release of OpenLDAP with > the back-mdb backend as well (I see you say it should be replaced soon). :) > Oh my god, almost a year has passed - now finally our department wants to migrate to the latest version 2.5.14. I'm responsible for the Master LDAP-Server, but there are a few ro-replicas in other departments where I'm not responsible - and I have no access. Is it possible to migrate the master server to the new version and update the replicas (running 2.4.59) later, independent from the master (migration)? Are there any problems to be expected? Regards and many thanks Meike

2 1

dynlist's +memberOf attribute not searchable/fetchable with anonymous binds
by Michal Soltys 08 Mar '23

08 Mar '23

Hi, Consider following simple dynlist config (v2.5.13): groupOfURLs labeledURI uniqueMember+memberOf@groupOfUniqueNames So for static groups we get a dynamic memberOf for each user that is a member of some static group, for example: DN: cn=TouK,ou=TouK,ou=Group,dc=touk,dc=pl ... uniqueMember: cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl DN: cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl ... memberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl Now this works fine if we bind with a user and do a search. But if we do an anonymous search no memberOf is returned or searchable by. For example: assume following ACLs at the top: {0}to * by dn=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break {1}to dn.subtree=ou=People,dc=touk,dc=pl attrs=entry,entryUUID,memberOf,@toukAnonAccess by anonymous =scr by * break {2}to dn.subtree=ou=Group,dc=touk,dc=pl attrs=entry,@groupOfUniqueNames,@groupOfNames by anonymous =scr by * break ... and the following search: ldapsearch -x -H ldaps://ldap.touk.pl -s sub -b 'ou=Touki,ou=People,dc=touk,dc=pl' -o ldif-wrap=no -LLL -v memberOf entryUUID we get the following results: ldap_initialize( ldaps://ldap.touk.pl:636/??base ) filter: (objectclass=*) requesting: memberOf entryUUID dn: ou=Touki,ou=People,dc=touk,dc=pl entryUUID: 6be7e4f8-a800-103a-9fd7-3100241d53c2 dn: cn=Jan Gajl,ou=Touki,ou=People,dc=touk,dc=pl entryUUID: 6c39df1a-a800-103a-8089-3100241d53c2 Why is memberOf omitted with anonymous binds when search explicitly (or implicitly via +) requests it and acls grant required rights ? With explicit binds or EXTERNAL - memberOf is returned (and searchable) correctly. Is there something else that is required for memberOf to work with anonymous binds ?

1 1

Re: Adding to the schema
by Eric Fetzer 07 Mar '23

07 Mar '23

So by configuration loading module, do you mean the slapd.ldif file? If so, since I already loaded it, can I modify and reload it or would that not work? If that's the case, can I load just a subset of it? Thanks, Eric On Tue, Mar 7, 2023 at 12:21 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Tuesday, March 7, 2023 12:16 PM -0700 Eric Fetzer > <eric.fetzer(a)gmail.com> wrote: > > > > > I'm using 2.6.4. Sorry, brand new at this, how do I enable it? I > > don't see any references to it in the slapd.conf... I'm in the process > > of converting an ISDS db to OpenLDAP. Kind of daunting so far... > > > Generally speaking: > > In the portion of your configuration loading module: > > modulepath .... > moduleload ppolicy.so > > > In the database section of your configuration where you want to apply > password policies > > > database mdb > ... > > overlay ppolicy > > > Regards, > Quanah > > >

1 0

Re: Adding to the schema
by Eric Fetzer 07 Mar '23

07 Mar '23

I'm using 2.6.4. Sorry, brand new at this, how do I enable it? I don't see any references to it in the slapd.conf... I'm in the process of converting an ISDS db to OpenLDAP. Kind of daunting so far... Thanks, Eric On Tue, Mar 7, 2023 at 12:10 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Monday, March 6, 2023 11:23 AM -0700 Eric Fetzer > <eric.fetzer(a)gmail.com> wrote: > > > > > Hi All, > > > > > > I need to add to my schema on my freshly built server. > > If you're using OpenLDAP 2.5 or later, the ppolicy schema is built into > the > ppolicy overlay and you should not be loading it separately at all. I > would note that all releases prior to OpenLDAP 2.5 are historic and not > supported. > > Regards, > Quanah > > > >

2 1

Adding to the schema
by Eric Fetzer 07 Mar '23

07 Mar '23

Hi All, I need to add to my schema on my freshly built server. I found a schema that meets my needs @ https://opensource.apple.com/source/OpenLDAP/OpenLDAP-143/OpenLDAP/servers/…. My problem is that it doesn't seem to include a "ppolicy.ldif" file. The only way I know how to add to the schema is with an include statement in slapd.ldif. What am I missing? Thanks, Eric

2 2

issues with disabling filtered searches for memberURL groups
by Kartik Subbarao 07 Mar '23

07 Mar '23

One of the changes from 2.4 to 2.5 is that dynlist groups are now returned with (member=memberDN) searches. This is potentially appealing, but even with the ITS#9929 performance improvements, given the number of dynlist groups we have, search times are significantly impacted. We'd like to be able to cleanly disable this feature and exclude dynlist groups from (member=memberDN) filter consideration. The only way I've found so far is to patch the dynlist code itself. What I'm currently doing is adding a continue statement right above this line in dynlist_search(): https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5_14/s… That way the member searches are excluded, but dynlists otherwise work as expected. Here is the dynlist config we're using, just basic support for groupOfURLs/memberURL: overlay dynlist dynlist-attrset groupOfURLs memberURL member Is there some way to achieve my goal without having to patch the code? Or should I open an ITS feature request to add a configurable option to exclude dynlists from member searches? Thanks, -Kartik

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2023