Problem with "force user to password reset at first login
by Rajagopal Rc
Hi,
I am trying to force users to change their password at first login or
after
password reset by administrator.
Tried following:
1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non
of the
users get prompt to change their password at first login.
2) used the 'pwdReset TRUE' attribute in users attributes, and it won't
prompt
to change the password and didn't allow to login
i observe below messages in log
"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are
restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0
text=Operations are restricted to bind/unbind/abandon/StartTLS/modify
password"
Please help me configure the option to force all users to change their
password
at first login or after pwd reset by administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you
1 month
iNetOrgPerson doesn't exist?
by Luca Stancapiano
Hi all, I'm triing to create a user with openldap 2.4
dn: uid=rrrrrr,ou=users,dc=my-domain,dc=com
objectClass: iNetOrgPerson
uid: iiiiii
but it doesn't seem recognize the objectClass producing this error:
adding new entry "uid=rrrrrr,ou=users,dc=my-domain,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
Using other object classes is ok. What's the problem?
6 months, 3 weeks
[About lmdb's write performance] mdb_txn_commit blocking for a long time
by Wang Zhiyong
Hello all.
We are using lmdb in our own storage service and recently found a write performance issue.
The phenomenon is that lmdb batch write is very slow, and a write transaction operation takes several minutes.
For example, if a transaction writes 100,000 kv, the average value size is 100 bytes, and it takes 5 minutes.
The size of lmdb data file is 460G.
The analysis using perf is as follows:
53.14% liblgraph.so [.] mdb_page_alloc.isra.21
46.81% liblgraph.so [.] mdb_midl_xmerge
0.01% [kernel] [k] __check_object_size
0.01% [kernel] [k] __do_page_fault
0.01% [kernel] [k] __fput
0.01% [kernel] [k] get_futex_value_locked
0.01% [kernel] [k] radix_tree_descend
0.01% libpthread-2.17.so [.] __errno_location
The cpu are consumed on the two functions mdb_page_alloc and mdb_midl_xmerge.
By adding time statistics, I found that the blocking is in the mdb_freelist_save function in mdb_txn_commit.
I'm not familiar with lmdb source code, can anyone explain why mdb_freelist_save consumes so much time?
is this the expected result when lmdb data gets bigger?
Is there any way to restore the write performance after the write becomes worse?
What is the suggestion to improve the write performance of lmdb?
7 months
Unable to filter only group name
by BANDANI MAHARANA
Hi team,
I am facing problem with filtering the group names in Ad server using
openldap libraries.
I am using ldap search api to get the list of group.
My requirement is, with the provided input, i need to display all the
available group similar to the entered group name.
For example, if user types dev, it should display all the group names
starting with dev. Like develop, development
Kindly suggest how to achieve this.
Thank you
Bandani
7 months
olcPPolicyForwardUpdates not working
by Benjamin Renard
Hello,
I have problem with the olcPPolicyForwardUpdates option that seem not
working : On master and slave, I configured Ppolicy with pwdLockout.
When I try to connect on master with a bad password, the pwdFailureTime
attribute of the entry is successfully updated, but not if I do the same
on the slave. On slave, my ppolicy configuration is exactly the same as
on master but I add olcPPolicyForwardUpdates=TRUE. I also configured the
chain overlay and the updateref parameter on the database.
Extract of my slave configuration :
olcDatabase={1}mdb,cn=config
[...]
olcSyncrepl: [...]
olcUpdateRef: ldaps://ldap-master
olcOverlay={0}chain,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
objectClass: top
olcOverlay: {0}chain
olcChainReturnError: TRUE
olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}mdb,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
objectClass: top
olcDatabase: {0}ldap
olcDbURI: ldaps://ldap-master
olcDbIDAssertBind: bindmethod=simple binddn="[same user used in
olcSyncrepl of the database]" credentials="secret" mode=self
olcDbRebindAsUser: TRUE
olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: {1}ppolicy
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
olcPPolicyForwardUpdates: TRUE
Do you have any idea of what I doing wrong ?
Thanks,
--
Benjamin Renard - Easter-eggs
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - mailto:brenard@easter-eggs.com
7 months
idea for possible RFE: universally unique connection IDs
by Christopher Paul
Hello OpenLDAP-Technical,
I would like to seek comments on an idea I have had for a while. Does anyone agree with me that it would be nice if connection IDs were uuids? Because when your slapd restarts, your monitoring system has no good way to track one "conn=1000" from another one (or from one server to another), and so forth. Would there be any downsides to this?
Are there any upsides to re-using integers starting at 1000? I can think of one: with incrementing integers, you can tell the order of the connections with them.
Thanks,
Chris Paul | Rex Consulting | https://www.rexconsulting.net
7 months, 1 week
Constructed attributes?!
by Marco Gaiarin
There's some way, in OpenLDAP, to have attributed 'calculated on the fly'
like the AD 'Constructed Attributes'?
For a sake of an example, an attribute 'userStatus: disabled' if
userPassword start with an '!'?
Thanks.
--
Di questa cavolo di pianura, di questa gente senza misura, che gia`
confonde la notte e il giorno, e la partenza con il ritorno, e la
richezza con i rumore, ed il diritto con il favore (F. De Gregori)
7 months, 1 week
Write bottlenecks
by Sam Dave
Hi,
My write pipelines have a bottleneck at the bottom (LMDB writing). Work piles on top up-front, waiting for LMDB writes to complete.
Therefore the earlier work cannot really parallelize as much as it could if I could somehow make the writes go faster.
Are there any tips/tricks around this? I wonder if it could pay off to parallelize the writes into a few LMDB environments - and merge them in the end. This could have the advantage of more parallelization on the up-front work, but disadvantage of the final merging work.
Regards,
Sam
7 months, 1 week
leave
by Alceu Rodrigues de Freitas Junior
leave
7 months, 2 weeks
openldap 2.3 and user passwords
by aurfalien
Hello list and Happy Friday.
First and foremost I am not an OpenLDAP admin, well I guess that I am now for the purposes of this email.
I’ve been thrust into an environment running an older version of openldap on CentoOS 5 and have been tasked to simply allow users in changing their passwords via passwd.
Once a user has logged in on their respective workstation and types passwd we get this;
Changing password for user johndoe.
Current Password:
New password:
Retype new password:
passwd: Authentication token manipulation error
This tells me that I need to allow them self write access to userPassword Attribute of the LDAP database?
However after reading a decent amount of literature, it's suggesting to use olcAccess but as far as I can tell this does not apply to my specific environment. All of the openldap data looks to be in /var/lib/ldap versus what I’ve been reading of /etc/openldap/slapd.d.
The /etc/openldap/slapd.conf has this section which looks like what I should focus on;
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
It sounds like I should start here and see if this solves the issue.
However where and how do I modify the default access control policy for this environment in allowing users to modify there userPassword attribute?
Like I had mentioned, all of the reading thus far suggests olcAccess however my database is not in that format?
Again very very new here and am forced to work with openldap 2.3 on a Centos 5 server for now. This is not to say that I would fair any better in a newer environment due to my lack of any real knowledge in this subject matter.
At any rate thank you in advance.
Humbly yours,
- aurf
7 months, 2 weeks
