openldap-technical April 2023

openldap-technical@openldap.org

28 participants
27 discussions

openldap TLSv1.0 is enabled
by Andre Rodier 16 May '25

16 May '25

Hello, I have configured OpenLDAP using SSL certificate, but I have a few issues. Here the TLS configuration, especially "olcTLSProtocolMin: 3.3" > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. > # CRC32 c70363a6 > dn: cn=config > objectClass: olcGlobal > cn: config > olcArgsFile: /var/run/slapd/slapd.args > olcLogLevel: none > olcPidFile: /var/run/slapd/slapd.pid > olcToolThreads: 1 > structuralObjectClass: olcGlobal > entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4 > creatorsName: cn=config > createTimestamp: 20221213065102Z > olcPasswordCryptSaltFormat: $6$%.16s > olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt > olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key > olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt > olcTLSProtocolMin: 3.3 > entryCSN: 20221214054517.926245Z#000000#000#000000 > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > modifyTimestamp: 20221214054517Z But if I try sslscan: I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why ? > root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636 > Version: 2.0.7 > OpenSSL 1.1.1n 15 Mar 2022 > > Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4 > > Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world > > SSL/TLS Protocols: > SSLv2 disabled > SSLv3 disabled > TLSv1.0 enabled > TLSv1.1 enabled > TLSv1.2 enabled > TLSv1.3 enabled > > TLS Fallback SCSV: > Server supports TLS Fallback SCSV > > TLS renegotiation: > Secure session renegotiation supported > > TLS Compression: > OpenSSL version does not support compression > Rebuild with zlib1g-dev package for zlib support > > Heartbleed: > TLSv1.3 not vulnerable to heartbleed > TLSv1.2 not vulnerable to heartbleed > TLSv1.1 not vulnerable to heartbleed > TLSv1.0 not vulnerable to heartbleed > > Supported Server Cipher(s): > Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253 > Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253 > Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253 > Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 > Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253 > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits AES256-GCM-SHA384 > Accepted TLSv1.2 256 bits AES256-CCM > Accepted TLSv1.2 128 bits AES128-GCM-SHA256 > Accepted TLSv1.2 128 bits AES128-CCM > Accepted TLSv1.2 256 bits AES256-SHA > Accepted TLSv1.2 128 bits AES128-SHA > Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.1 256 bits AES256-SHA > Accepted TLSv1.1 128 bits AES128-SHA > Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.0 256 bits AES256-SHA > Accepted TLSv1.0 128 bits AES128-SHA > > Server Key Exchange Group(s): > TLSv1.3 128 bits secp256r1 (NIST P-256) > TLSv1.3 192 bits secp384r1 (NIST P-384) > TLSv1.3 260 bits secp521r1 (NIST P-521) > TLSv1.3 128 bits x25519 > TLSv1.3 224 bits x448 > TLSv1.3 112 bits ffdhe2048 > TLSv1.3 128 bits ffdhe3072 > TLSv1.3 150 bits ffdhe4096 > TLSv1.3 175 bits ffdhe6144 > TLSv1.3 192 bits ffdhe8192 > TLSv1.2 128 bits secp256r1 (NIST P-256) > TLSv1.2 192 bits secp384r1 (NIST P-384) > TLSv1.2 260 bits secp521r1 (NIST P-521) > TLSv1.2 128 bits x25519 > TLSv1.2 224 bits x448 > > SSL Certificate: > Signature Algorithm: sha256WithRSAEncryption > RSA Key Strength: 2048 > > Subject: ldap.homebox.world > Altnames: DNS:ldap.homebox.world > Issuer: (STAGING) Artificial Apricot R3 > > Not valid before: Dec 13 05:34:29 2022 GMT > Not valid after: Mar 13 05:34:28 2023 GMT Thanks for your insights. Andre

6 13

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

iNetOrgPerson doesn't exist?
by Luca Stancapiano 16 May '23

16 May '23

Hi all, I'm triing to create a user with openldap 2.4 dn: uid=rrrrrr,ou=users,dc=my-domain,dc=com objectClass: iNetOrgPerson uid: iiiiii but it doesn't seem recognize the objectClass producing this error: adding new entry "uid=rrrrrr,ou=users,dc=my-domain,dc=com" ldap_add: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax Using other object classes is ok. What's the problem?

5 11

[About lmdb's write performance] mdb_txn_commit blocking for a long time
by Wang Zhiyong 05 May '23

05 May '23

Hello all. We are using lmdb in our own storage service and recently found a write performance issue. The phenomenon is that lmdb batch write is very slow, and a write transaction operation takes several minutes. For example, if a transaction writes 100,000 kv, the average value size is 100 bytes, and it takes 5 minutes. The size of lmdb data file is 460G. The analysis using perf is as follows: 53.14% liblgraph.so [.] mdb_page_alloc.isra.21 46.81% liblgraph.so [.] mdb_midl_xmerge 0.01% [kernel] [k] __check_object_size 0.01% [kernel] [k] __do_page_fault 0.01% [kernel] [k] __fput 0.01% [kernel] [k] get_futex_value_locked 0.01% [kernel] [k] radix_tree_descend 0.01% libpthread-2.17.so [.] __errno_location The cpu are consumed on the two functions mdb_page_alloc and mdb_midl_xmerge. By adding time statistics, I found that the blocking is in the mdb_freelist_save function in mdb_txn_commit. I'm not familiar with lmdb source code, can anyone explain why mdb_freelist_save consumes so much time? is this the expected result when lmdb data gets bigger? Is there any way to restore the write performance after the write becomes worse? What is the suggestion to improve the write performance of lmdb?

3 5

Unable to filter only group name
by BANDANI MAHARANA 03 May '23

03 May '23

Hi team, I am facing problem with filtering the group names in Ad server using openldap libraries. I am using ldap search api to get the list of group. My requirement is, with the provided input, i need to display all the available group similar to the entered group name. For example, if user types dev, it should display all the group names starting with dev. Like develop, development Kindly suggest how to achieve this. Thank you Bandani

2 1

olcPPolicyForwardUpdates not working
by Benjamin Renard 03 May '23

03 May '23

Hello, I have problem with the olcPPolicyForwardUpdates option that seem not working : On master and slave, I configured Ppolicy with pwdLockout. When I try to connect on master with a bad password, the pwdFailureTime attribute of the entry is successfully updated, but not if I do the same on the slave. On slave, my ppolicy configuration is exactly the same as on master but I add olcPPolicyForwardUpdates=TRUE. I also configured the chain overlay and the updateref parameter on the database. Extract of my slave configuration : olcDatabase={1}mdb,cn=config [...] olcSyncrepl: [...] olcUpdateRef: ldaps://ldap-master olcOverlay={0}chain,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig objectClass: top olcOverlay: {0}chain olcChainReturnError: TRUE olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}mdb,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase objectClass: top olcDatabase: {0}ldap olcDbURI: ldaps://ldap-master olcDbIDAssertBind: bindmethod=simple binddn="[same user used in olcSyncrepl of the database]" credentials="secret" mode=self olcDbRebindAsUser: TRUE olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig objectClass: top olcOverlay: {1}ppolicy olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE olcPPolicyForwardUpdates: TRUE Do you have any idea of what I doing wrong ? Thanks, -- Benjamin Renard - Easter-eggs 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37 - mailto:brenard@easter-eggs.com

3 17

idea for possible RFE: universally unique connection IDs
by Christopher Paul 29 Apr '23

29 Apr '23

Hello OpenLDAP-Technical, I would like to seek comments on an idea I have had for a while. Does anyone agree with me that it would be nice if connection IDs were uuids? Because when your slapd restarts, your monitoring system has no good way to track one "conn=1000" from another one (or from one server to another), and so forth. Would there be any downsides to this? Are there any upsides to re-using integers starting at 1000? I can think of one: with incrementing integers, you can tell the order of the connections with them. Thanks, Chris Paul | Rex Consulting | https://www.rexconsulting.net

2 1

Constructed attributes?!
by Marco Gaiarin 26 Apr '23

26 Apr '23

There's some way, in OpenLDAP, to have attributed 'calculated on the fly' like the AD 'Constructed Attributes'? For a sake of an example, an attribute 'userStatus: disabled' if userPassword start with an '!'? Thanks. -- Di questa cavolo di pianura, di questa gente senza misura, che gia` confonde la notte e il giorno, e la partenza con il ritorno, e la richezza con i rumore, ed il diritto con il favore (F. De Gregori)

1 0

Write bottlenecks
by Sam Dave 26 Apr '23

26 Apr '23

Hi, My write pipelines have a bottleneck at the bottom (LMDB writing). Work piles on top up-front, waiting for LMDB writes to complete. Therefore the earlier work cannot really parallelize as much as it could if I could somehow make the writes go faster. Are there any tips/tricks around this? I wonder if it could pay off to parallelize the writes into a few LMDB environments - and merge them in the end. This could have the advantage of more parallelization on the up-front work, but disadvantage of the final merging work. Regards, Sam

1 0

leave
by Alceu Rodrigues de Freitas Junior 21 Apr '23

21 Apr '23

leave

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2023