invalid opcode
by Stefan Kania
Hi to all,
I just installed a fresh 2.5 server with the symas-packages and debian
11. I can start the service, but as soon as I try to authenticate for
example with:
ldapsearch -x -D cn=admin,dc=example,dc=net -W
the server crashes, I put the loglevel to "any" and I saw
kernel: traps: slapd[18020] trap invalid opcode ip:7febaf26a415 sp:7fc3ad4b69e0 error:0 in libargon2.so.1[7febaf266000+5000]
Every time I try to authenticate. All packages are up to date.
Any idea?
8 months, 3 weeks
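A "trap invalid opcode" line from the kernel means the process executed an instruction the CPU does not implement (SIGILL); the kernel reports the faulting instruction pointer and the mapping it fell in. The script below is an added example, not part of the post or of the symas packages: it parses that traps: line (re-joined onto one line, as syslog writes it) into its fields and computes the instruction's offset within the named mapping, and it checks a /proc/cpuinfo flags line against a set of ISA extensions you suspect the library was built for. The cpuinfo excerpt is constructed, and which flags to require is an assumption of the example; the post does not say how the real libargon2 was compiled or what the host supports.

```python
import re

# Constructed sample: the kernel "traps:" line from the post above, joined onto
# one line (syslog wraps long lines on output; the record itself has no break).
SAMPLE_TRAP_LINE = (
    "kernel: traps: slapd[18020] trap invalid opcode ip:7febaf26a415 "
    "sp:7fc3ad4b69e0 error:0 in libargon2.so.1[7febaf266000+5000]"
)

# Shape of the x86 traps: message:
#   <comm>[<pid>] trap <name> ip:<hex> sp:<hex> error:<hex> in <object>[<base>+<size>]
TRAP_RE = re.compile(
    r"traps: (?P<comm>\S+)\[(?P<pid>\d+)\] trap (?P<trap>.+?) "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>[0-9a-f]+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse_trap_line(line):
    """Return the fields of a kernel traps: line plus the faulting instruction's
    offset inside the mapping the kernel attributed it to, or None if no match."""
    m = TRAP_RE.search(line)
    if not m:
        return None
    ip = int(m["ip"], 16)
    base = int(m["base"], 16)
    size = int(m["size"], 16)
    offset = ip - base
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "trap": m["trap"],
        "object": m["obj"],
        "ip": ip,
        "base": base,
        "size": size,
        # Offset from the start of the executable mapping, not from the ELF
        # load address: add the mapping's file offset before using objdump.
        "offset": offset,
        # Sanity check: ip must lie inside the mapping the kernel named.
        "ip_in_mapping": 0 <= offset < size,
    }


# Constructed /proc/cpuinfo excerpt for a CPU that lacks AVX2 (an assumption
# made for the example; the post does not say what the real host supports).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed)
flags\t\t: fpu sse sse2 ssse3 sse4_1 sse4_2 popcnt avx
"""


def cpu_flags(cpuinfo_text):
    """Set of feature flags from the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()


def missing_flags(cpuinfo_text, required):
    """Which of the `required` ISA extensions the CPU does not advertise."""
    return sorted(set(required) - cpu_flags(cpuinfo_text))


if __name__ == "__main__":
    info = parse_trap_line(SAMPLE_TRAP_LINE)
    print("faulting %s pid %d in %s at mapping offset 0x%x"
          % (info["comm"], info["pid"], info["object"], info["offset"]))
    print("flags missing from sample CPU:", missing_flags(SAMPLE_CPUINFO, {"avx", "avx2"}))
```

On a live host the traps: line comes from `journalctl -k` and the flags from `/proc/cpuinfo`. The offset is relative to the start of the executable mapping; for a library whose code segment does not begin at file offset zero, add that PT_LOAD segment's file offset (from `readelf -lW`) before disassembling around the address with `objdump -d --start-address=... --stop-address=...`, which tells you which instruction the CPU rejected and therefore which extension the build assumed.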
Re: Adding to the schema
by Eric Fetzer
If the other moduleload in there is back_mdb.la, should I also go with
ppolicy.la or should I stick with .so?
Thanks,
Eric
On Tue, Mar 7, 2023 at 12:21 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
>
> --On Tuesday, March 7, 2023 12:16 PM -0700 Eric Fetzer
> <eric.fetzer(a)gmail.com> wrote:
>
> >
> > I'm using 2.6.4. Sorry, brand new at this, how do I enable it? I
> > don't see any references to it in the slapd.conf... I'm in the process
> > of converting an ISDS db to OpenLDAP. Kind of daunting so far...
>
>
> Generally speaking:
>
> In the portion of your configuration loading module:
>
> modulepath ....
> moduleload ppolicy.so
>
>
> In the database section of your configuration where you want to apply
> password policies
>
>
> database mdb
> ...
>
> overlay ppolicy
>
>
> Regards,
> Quanah
>
>
>
9 months
RoleOccupant filter
by forumforeign
Hello.
I have LDAP groups which keep users inside. Here an example of group:
# developer, roles, domain.com
dn: cn=developer,ou=roles,dc=domain,dc=com
objectClass: organizationalRole
cn: developer
roleOccupant: uid=user1,ou=people,dc=domain,dc=com
roleOccupant: uid=user2,ou=people,dc=domain,dc=com
I need to make a search filter which can tell whether a certain user belongs to
a group, or whether a certain group has a user.
The following filter gives all uids of group developer:
openldapsearch -v -H ldaps://<ldap_host> -x -b 'dc=domain,dc=com' -W -D "cn=vmail,ou=services,dc=domain,dc=com" '(&(objectClass=organizationalRole)(cn=developer))' RoleOccupant
When I try to add 'uid' to filter it doesn't return any records:
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))'
RoleOccupant
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))'
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1*))' RoleOccupant
How can I change the filter so that it checks whether user1 belongs to group developer?
9 months
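An LDAP filter is evaluated against each entry's own attributes, so a term like `(uid=user1,ou=people,dc=domain,dc=com)` asks whether the group entry has a `uid` attribute with that value (the group has none); membership in an organizationalRole is held in its `roleOccupant` attribute, which is DN-valued and compared with DN matching rules. The code below is an added example, not from the post or from OpenLDAP: a small RFC 4515 filter parser and evaluator run over the group entry above (embedded as constructed LDIF), with RFC 4515 value escaping and a simplified DN normalization that stands in for the server's distinguishedNameMatch. It shows why the filters in the post return nothing and what a roleOccupant-based filter returns instead; the helper names are the example's own.

```python
import re

# Constructed sample: the group entry from the post above, as LDIF.
SAMPLE_LDIF = """\
# developer, roles, domain.com
dn: cn=developer,ou=roles,dc=domain,dc=com
objectClass: organizationalRole
cn: developer
roleOccupant: uid=user1,ou=people,dc=domain,dc=com
roleOccupant: uid=user2,ou=people,dc=domain,dc=com
"""

# Attributes whose syntax is a DN and which therefore use DN matching.
DN_ATTRS = {"roleoccupant", "member", "uniquemember", "owner", "seealso"}


def parse_ldif(text):
    """Parse LDIF entries into dicts of lowercase attr -> [values].
    Handles comments, blank-line separation and folded lines (no base64)."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if entry:
                entries.append(entry)
            entry, last = {}, None
            continue
        if raw.startswith(" ") and last:          # folded continuation line
            entry[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        entry.setdefault(attr, []).append(value.strip())
        last = attr
    if entry:
        entries.append(entry)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape(value):
    """Reverse RFC 4515 \\xx escapes in an assertion value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def normalize_dn(dn):
    """Simplified distinguishedNameMatch: case-insensitive, whitespace around
    ',' and '=' ignored. A real server applies each RDN's own matching rule."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip().lower())


def parse_filter(s):
    """Parse an RFC 4515 filter string into a nested tuple tree."""
    def parse(i):
        assert s[i] == "(", "filter item must start with '('"
        i += 1
        if s[i] in "&|":
            op, items, i = s[i], [], i + 1
            while s[i] == "(":
                node, i = parse(i)
                items.append(node)
            return (op, items), i + 1                      # consume ')'
        if s[i] == "!":
            node, i = parse(i + 1)
            return ("!", node), i + 1
        end = s.index(")", i)
        attr, _, value = s[i:end].partition("=")           # first '=' splits attr from value
        return ("=", attr.strip().lower(), value), end + 1
    node, i = parse(0)
    assert i == len(s), "trailing characters after filter"
    return node


def match_equality(attr, pattern, entry):
    values = entry.get(attr, [])
    if pattern == "*":                                     # presence
        return bool(values)
    if "*" in pattern:                                     # substring
        parts = [re.escape(unescape(p).lower()) for p in pattern.split("*")]
        return any(re.match("^" + ".*".join(parts) + "$", v.lower()) for v in values)
    want = unescape(pattern)
    if attr in DN_ATTRS:
        return any(normalize_dn(v) == normalize_dn(want) for v in values)
    return any(v.lower() == want.lower() for v in values)  # caseIgnoreMatch


def evaluate(node, entry):
    op = node[0]
    if op == "&":
        return all(evaluate(n, entry) for n in node[1])
    if op == "|":
        return any(evaluate(n, entry) for n in node[1])
    if op == "!":
        return not evaluate(node[1], entry)
    return match_equality(node[1], node[2], entry)


def search(filter_str, ldif_text):
    """DNs of the entries in ldif_text that match filter_str."""
    tree = parse_filter(filter_str)
    return [e["dn"][0] for e in parse_ldif(ldif_text) if evaluate(tree, e)]


def member_filter(group_cn, user_dn):
    """Filter matching group `group_cn` only if user_dn is one of its roleOccupants."""
    return "(&(objectClass=organizationalRole)(cn=%s)(roleOccupant=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(user_dn))


if __name__ == "__main__":
    user = "uid=user1,ou=people,dc=domain,dc=com"
    print(search("(&(objectClass=organizationalRole)(cn=developer)(uid=%s))" % user, SAMPLE_LDIF))
    print(search(member_filter("developer", user), SAMPLE_LDIF))
```

The same `member_filter` answers both questions in the post: with `cn` fixed it tells whether one user is in one group, and dropping the `cn` term (`(&(objectClass=organizationalRole)(roleOccupant=...))`) lists every group the user occupies. Escaping the user-supplied DN with `escape_filter_value` before embedding it matters whenever the value comes from an application: an unescaped `*` or `)` changes the filter's meaning.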
Re: Adding to the schema
by Eric Fetzer
Is the ... where I set the policy?
_______________________________________________________
In the database section of your configuration where you want to apply
password policies
database mdb
...HERE...
overlay policy
________________________________________________________
Thanks,
Eric
On Tue, Mar 7, 2023 at 12:21 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
>
> --On Tuesday, March 7, 2023 12:16 PM -0700 Eric Fetzer
> <eric.fetzer(a)gmail.com> wrote:
>
> >
> > I'm using 2.6.4. Sorry, brand new at this, how do I enable it? I
> > don't see any references to it in the slapd.conf... I'm in the process
> > of converting an ISDS db to OpenLDAP. Kind of daunting so far...
>
>
> Generally speaking:
>
> In the portion of your configuration loading module:
>
> modulepath ....
> moduleload ppolicy.so
>
>
> In the database section of your configuration where you want to apply
> password policies
>
>
> database mdb
> ...
>
> overlay ppolicy
>
>
> Regards,
> Quanah
>
>
>
9 months
Re: Backup Mirrormode setup
by Meike Stone
Am Mi., 16. März 2022 um 21:39 Uhr schrieb Quanah Gibson-Mount
<quanah(a)fast-mail.org>:
>
>
>
> --On Wednesday, March 16, 2022 10:23 PM +0100 Meike Stone
> <meike.stone(a)googlemail.com> wrote:
>
> >
> > We are still using the bdb backend and the latest 2.4.59 (don't ask,
> > it will be replaced soon) and I remember, a "few" years ago, I had
> > problems with slapcat and online databases, because the server was
> > stuck for a while and answers were delayed ..
> > (The Admin Guide says that "Backups are managed slightly differently"
> > ...) Secondly, while offline, I can copy the whole database directory
> > including the transaction logs ..
>
> Ah, ok. Yes, you could set up a read-only consumer node to take backups
> from. I'd highly prioritize moving to a supported release of OpenLDAP with
> the back-mdb backend as well (I see you say it should be replaced soon). :)
>
Oh my god, almost a year has passed - now finally our department wants
to migrate to the latest version 2.5.14. I'm responsible for the
Master LDAP-Server, but there are a few ro-replicas in other
departments where I'm not responsible - and I have no access.
Is it possible to migrate the master server to the new version and
update the replicas (running 2.4.59) later, independent from the
master (migration)? Are there any problems to be expected?
Regards and many thanks
Meike
9 months
dynlist's +memberOf attribute not searchable/fetchable with anonymous binds
by Michal Soltys
Hi,
Consider the following simple dynlist config (v2.5.13):
groupOfURLs labeledURI uniqueMember+memberOf@groupOfUniqueNames
So for static groups we get a dynamic memberOf for each user that is a
member of some static group, for example:
DN: cn=TouK,ou=TouK,ou=Group,dc=touk,dc=pl
...
uniqueMember: cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl
DN: cn=Michał Sołtys,ou=Touki,ou=People,dc=touk,dc=pl
...
memberOf: cn=touk,ou=touk,ou=group,dc=touk,dc=pl
Now this works fine if we bind with a user and do a search. But if we do
an anonymous search no memberOf is returned or searchable by. For example:
assume following ACLs at the top:
{0}to * by dn=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
manage by * break
{1}to dn.subtree=ou=People,dc=touk,dc=pl
attrs=entry,entryUUID,memberOf,@toukAnonAccess by anonymous =scr by * break
{2}to dn.subtree=ou=Group,dc=touk,dc=pl
attrs=entry,@groupOfUniqueNames,@groupOfNames by anonymous =scr by * break
...
and the following search:
ldapsearch -x -H ldaps://ldap.touk.pl -s sub -b 'ou=Touki,ou=People,dc=touk,dc=pl' -o ldif-wrap=no -LLL -v memberOf entryUUID
we get the following results:
ldap_initialize( ldaps://ldap.touk.pl:636/??base )
filter: (objectclass=*)
requesting: memberOf entryUUID
dn: ou=Touki,ou=People,dc=touk,dc=pl
entryUUID: 6be7e4f8-a800-103a-9fd7-3100241d53c2
dn: cn=Jan Gajl,ou=Touki,ou=People,dc=touk,dc=pl
entryUUID: 6c39df1a-a800-103a-8089-3100241d53c2
Why is memberOf omitted with anonymous binds when the search explicitly (or
implicitly via +) requests it and the ACLs grant the required rights? With
explicit binds or EXTERNAL, memberOf is returned (and searchable)
correctly.
Is there something else that is required for memberOf to work with
anonymous binds?
9 months
Re: Adding to the schema
by Eric Fetzer
So by configuration loading module, do you mean the slapd.ldif file? If
so, since I already loaded it, can I modify and reload it or would that not
work? If that's the case, can I load just a subset of it?
Thanks,
Eric
On Tue, Mar 7, 2023 at 12:21 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
>
> --On Tuesday, March 7, 2023 12:16 PM -0700 Eric Fetzer
> <eric.fetzer(a)gmail.com> wrote:
>
> >
> > I'm using 2.6.4. Sorry, brand new at this, how do I enable it? I
> > don't see any references to it in the slapd.conf... I'm in the process
> > of converting an ISDS db to OpenLDAP. Kind of daunting so far...
>
>
> Generally speaking:
>
> In the portion of your configuration loading module:
>
> modulepath ....
> moduleload ppolicy.so
>
>
> In the database section of your configuration where you want to apply
> password policies
>
>
> database mdb
> ...
>
> overlay ppolicy
>
>
> Regards,
> Quanah
>
>
>
9 months
Re: Adding to the schema
by Eric Fetzer
I'm using 2.6.4. Sorry, brand new at this, how do I enable it? I don't
see any references to it in the slapd.conf... I'm in the process of
converting an ISDS db to OpenLDAP. Kind of daunting so far...
Thanks,
Eric
On Tue, Mar 7, 2023 at 12:10 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
>
> --On Monday, March 6, 2023 11:23 AM -0700 Eric Fetzer
> <eric.fetzer(a)gmail.com> wrote:
>
> >
> > Hi All,
> >
> >
> > I need to add to my schema on my freshly built server.
>
> If you're using OpenLDAP 2.5 or later, the ppolicy schema is built into
> the
> ppolicy overlay and you should not be loading it separately at all. I
> would note that all releases prior to OpenLDAP 2.5 are historic and not
> supported.
>
> Regards,
> Quanah
>
>
>
>
9 months
issues with disabling filtered searches for memberURL groups
by Kartik Subbarao
One of the changes from 2.4 to 2.5 is that dynlist groups are now
returned with (member=memberDN) searches. This is potentially appealing,
but even with the ITS#9929 performance improvements, given the number of
dynlist groups we have, search times are significantly impacted.
We'd like to be able to cleanly disable this feature and exclude dynlist
groups from (member=memberDN) filter consideration. The only way I've
found so far is to patch the dynlist code itself. What I'm currently
doing is adding a continue statement right above this line in
dynlist_search():
https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5_14...
That way the member searches are excluded, but dynlists otherwise work
as expected.
Here is the dynlist config we're using, just basic support for
groupOfURLs/memberURL:
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
Is there some way to achieve my goal without having to patch the code?
Or should I open an ITS feature request to add a configurable option to
exclude dynlists from member searches?
Thanks,
-Kartik
9 months