openldap-technical April 2023

openldap-technical@openldap.org

28 participants
26 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

iNetOrgPerson doesn't exist?
by Luca Stancapiano 16 May '23

16 May '23

Hi all, I'm triing to create a user with openldap 2.4 dn: uid=rrrrrr,ou=users,dc=my-domain,dc=com objectClass: iNetOrgPerson uid: iiiiii but it doesn't seem recognize the objectClass producing this error: adding new entry "uid=rrrrrr,ou=users,dc=my-domain,dc=com" ldap_add: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax Using other object classes is ok. What's the problem?

5 11

[About lmdb's write performance] mdb_txn_commit blocking for a long time
by Wang Zhiyong 05 May '23

05 May '23

Hello all. We are using lmdb in our own storage service and recently found a write performance issue. The phenomenon is that lmdb batch write is very slow, and a write transaction operation takes several minutes. For example, if a transaction writes 100,000 kv, the average value size is 100 bytes, and it takes 5 minutes. The size of lmdb data file is 460G. The analysis using perf is as follows: 53.14% liblgraph.so [.] mdb_page_alloc.isra.21 46.81% liblgraph.so [.] mdb_midl_xmerge 0.01% [kernel] [k] __check_object_size 0.01% [kernel] [k] __do_page_fault 0.01% [kernel] [k] __fput 0.01% [kernel] [k] get_futex_value_locked 0.01% [kernel] [k] radix_tree_descend 0.01% libpthread-2.17.so [.] __errno_location The cpu are consumed on the two functions mdb_page_alloc and mdb_midl_xmerge. By adding time statistics, I found that the blocking is in the mdb_freelist_save function in mdb_txn_commit. I'm not familiar with lmdb source code, can anyone explain why mdb_freelist_save consumes so much time? is this the expected result when lmdb data gets bigger? Is there any way to restore the write performance after the write becomes worse? What is the suggestion to improve the write performance of lmdb?

3 5

Unable to filter only group name
by BANDANI MAHARANA 03 May '23

03 May '23

Hi team, I am facing problem with filtering the group names in Ad server using openldap libraries. I am using ldap search api to get the list of group. My requirement is, with the provided input, i need to display all the available group similar to the entered group name. For example, if user types dev, it should display all the group names starting with dev. Like develop, development Kindly suggest how to achieve this. Thank you Bandani

2 1

olcPPolicyForwardUpdates not working
by Benjamin Renard 03 May '23

03 May '23

Hello, I have problem with the olcPPolicyForwardUpdates option that seem not working : On master and slave, I configured Ppolicy with pwdLockout. When I try to connect on master with a bad password, the pwdFailureTime attribute of the entry is successfully updated, but not if I do the same on the slave. On slave, my ppolicy configuration is exactly the same as on master but I add olcPPolicyForwardUpdates=TRUE. I also configured the chain overlay and the updateref parameter on the database. Extract of my slave configuration : olcDatabase={1}mdb,cn=config [...] olcSyncrepl: [...] olcUpdateRef: ldaps://ldap-master olcOverlay={0}chain,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig objectClass: top olcOverlay: {0}chain olcChainReturnError: TRUE olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}mdb,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase objectClass: top olcDatabase: {0}ldap olcDbURI: ldaps://ldap-master olcDbIDAssertBind: bindmethod=simple binddn="[same user used in olcSyncrepl of the database]" credentials="secret" mode=self olcDbRebindAsUser: TRUE olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig objectClass: top olcOverlay: {1}ppolicy olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE olcPPolicyForwardUpdates: TRUE Do you have any idea of what I doing wrong ? Thanks, -- Benjamin Renard - Easter-eggs 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37 - mailto:brenard@easter-eggs.com

3 17

idea for possible RFE: universally unique connection IDs
by Christopher Paul 29 Apr '23

29 Apr '23

Hello OpenLDAP-Technical, I would like to seek comments on an idea I have had for a while. Does anyone agree with me that it would be nice if connection IDs were uuids? Because when your slapd restarts, your monitoring system has no good way to track one "conn=1000" from another one (or from one server to another), and so forth. Would there be any downsides to this? Are there any upsides to re-using integers starting at 1000? I can think of one: with incrementing integers, you can tell the order of the connections with them. Thanks, Chris Paul | Rex Consulting | https://www.rexconsulting.net

2 1

Constructed attributes?!
by Marco Gaiarin 26 Apr '23

26 Apr '23

There's some way, in OpenLDAP, to have attributed 'calculated on the fly' like the AD 'Constructed Attributes'? For a sake of an example, an attribute 'userStatus: disabled' if userPassword start with an '!'? Thanks. -- Di questa cavolo di pianura, di questa gente senza misura, che gia` confonde la notte e il giorno, e la partenza con il ritorno, e la richezza con i rumore, ed il diritto con il favore (F. De Gregori)

1 0

Write bottlenecks
by Sam Dave 26 Apr '23

26 Apr '23

Hi, My write pipelines have a bottleneck at the bottom (LMDB writing). Work piles on top up-front, waiting for LMDB writes to complete. Therefore the earlier work cannot really parallelize as much as it could if I could somehow make the writes go faster. Are there any tips/tricks around this? I wonder if it could pay off to parallelize the writes into a few LMDB environments - and merge them in the end. This could have the advantage of more parallelization on the up-front work, but disadvantage of the final merging work. Regards, Sam

1 0

leave
by Alceu Rodrigues de Freitas Junior 21 Apr '23

21 Apr '23

leave

1 0

openldap 2.3 and user passwords
by aurfalien 21 Apr '23

21 Apr '23

Hello list and Happy Friday. First and foremost I am not an OpenLDAP admin, well I guess that I am now for the purposes of this email. I’ve been thrust into an environment running an older version of openldap on CentoOS 5 and have been tasked to simply allow users in changing their passwords via passwd. Once a user has logged in on their respective workstation and types passwd we get this; Changing password for user johndoe. Current Password: New password: Retype new password: passwd: Authentication token manipulation error This tells me that I need to allow them self write access to userPassword Attribute of the LDAP database? However after reading a decent amount of literature, it's suggesting to use olcAccess but as far as I can tell this does not apply to my specific environment. All of the openldap data looks to be in /var/lib/ldap versus what I’ve been reading of /etc/openldap/slapd.d. The /etc/openldap/slapd.conf has this section which looks like what I should focus on; # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! It sounds like I should start here and see if this solves the issue. However where and how do I modify the default access control policy for this environment in allowing users to modify there userPassword attribute? Like I had mentioned, all of the reading thus far suggests olcAccess however my database is not in that format? Again very very new here and am forced to work with openldap 2.3 on a Centos 5 server for now. This is not to say that I would fair any better in a newer environment due to my lack of any real knowledge in this subject matter. At any rate thank you in advance. Humbly yours, - aurf

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2023