openldap-technical May 2023

openldap-technical@openldap.org

25 participants
19 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

RE25 testing call (2.5.15) #1
by Quanah Gibson-Mount 26 Jun '23

26 Jun '23

This is the first testing call for OpenLDAP 2.5.15. Depending on the results, this may be the only testing call. NOTE: This release adds support for OpenSSL 3.0 to the 2.5 release series. Generally, get the code for RE25: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.5.15 Engineering Added libldap openssl3 support (ITS#9436, ITS#10030) Fixed libldap handling of TCP KEEPALIVE options (ITS#10015) Fixed libldap with async connections (ITS#10023) Fixed libldap openssl TLSv1.3 cipher suite handling (ITS#10035) Fixed slapd callback handling with overlays that do extended operations (ITS#9990) Fixed slapd conversion of pcache configurations (ITS#10031) Fixed slapd cn=config modification handling with abandon (ITS#10045) Fixed slapo-constraint handling of push replication (ITS#9953) Fixed slapo-dynlist filter evaluation efficiency (ITS#10041) Fixed slapo-pcache handling of invalid schema (ITS#10032) Fixed slapo-ppolicy handling of push replication (ITS#9953) Fixed slapo-ppolicy handling of pwdMinDelay (ITS#10028) Fixed slapo-syncprov abandon handling (ITS#10016) Fixed slapo-translucent handling of invalid schema (ITS#10032) Fixed slapo-unique handling of push replication (ITS#9953) Fixed slapo-variant to improve regex handling (ITS#10048) Build Environment Fixed compatibility with stricter C99 compilers (ITS#10011) Keep .pc files during make clean (ITS#9989) Contrib Fixed slapo-variant handling of push replication (ITS#9953) Minor Cleanup ITS#9855 ITS#9995 ITS#9996 ITS#9997 ITS#9998 ITS#9999 ITS#10000 ITS#10003 ITS#10004 ITS#10033 ITS#10037 ITS#10039 ITS#10046 Regards, Quanah

2 1

RE26 testing call (2.6.5) #1
by Quanah Gibson-Mount 26 Jun '23

26 Jun '23

This is the first testing call for OpenLDAP 2.6.5. Depending on the results, this may be the only testing call. Generally, get the code for RE26: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.6.5 Engineering Fixed libldap handling of TCP KEEPALIVE options (ITS#10015) Fixed libldap with async connections (ITS#10023) Fixed libldap openssl TLSv1.3 cipher suite handling (ITS#10035) Fixed slapd callback handling with overlays that do extended operations (ITS#9990) Fixed slapd conversion of pcache configurations (ITS#10031) Fixed slapd cn=config modification handling with abandon (ITS#10045) Fixed slapd-mdb online indexer termination and cleanup (ITS#9993) Fixed slapd-mdb online indexer when interrupted (ITS#10047) Fixed slapd-monitor connection cleanup (ITS#10042) Fixed slapo-constraint handling of push replication (ITS#9953) Fixed slapo-dynlist filter evaluation efficiency (ITS#10041) Fixed slapo-pcache handling of invalid schema (ITS#10032) Fixed slapo-ppolicy handling of push replication (ITS#9953) Fixed slapo-ppolicy handling of pwdMinDelay (ITS#10028) Fixed slapo-syncprov abandon handling (ITS#10016) Fixed slapo-translucent handling of invalid schema (ITS#10032) Fixed slapo-unique handling of push replication (ITS#9953) Fixed slapo-variant to improve regex handling (ITS#10048) Build Environment Fixed compatibility with stricter C99 compilers (ITS#10011) Keep .pc files during make clean (ITS#9989) Contrib Fixed slapo-variant handling of push replication (ITS#9953) Minor Cleanup ITS#9855 ITS#9995 ITS#9996 ITS#9997 ITS#9998 ITS#9999 ITS#10000 ITS#10003 ITS#10004 ITS#10033 ITS#10037 ITS#10039 ITS#10046 Regards, Quanah

2 1

troubleshooting replication issues
by abby.knows.it＠gmail.com 13 Jun '23

13 Jun '23

We have three nodes and want to replicate between them. This setup worked fine for over a year. Recently replication fails and the slapd process crashes. In a general sense I'm looking for a FAQ on troubleshooting replication, the common issues and solutions. Also how to turn on logging for replication specifically would help. Thanks. Abby

4 3

Only view exact match on ACL
by Lukas Adrian Kron 24 May '23

24 May '23

Hello, I would like to restrict bind users in the search. I've already managed that they only see groups for which you have been activated. Now I have the problem that bind users should only see users in the people branch if they know the exact user name in the search. So far I have solved the whole thing using the following two ACL sets. You can now also search for people. Since I had to include objectClass for the search to work, you can search for all people or for other values. However, I want all the data I specify to be displayed, but only if the username returns an exact result. I am at the end of my knowledge with the ACL sets. All the Info on ACL cannot help me further here. {5} to dn.exact="ou=Personen,dc=SERVER" by group.exact="GROUP" search by * break {6} to dn.one="ou=Personen,dc=SERVER" attrs=entry,cn,objectClass,givenname,uid,mail,sn,userPassword by group.exact="GROUP" read by * break Thanks a lot. Kindly Lukas Adrian

1 0

SSL timeout
by Robert T Dunn 23 May '23

23 May '23

We are experiencing a problem with SSL timeout as reported with issue 8047: https://bugs.openldap.org/show_bug.cgi?id=8047 Our issue is when the LDAP client does an SSL connect to establish the TLS session with the remote server. If the SERVER_HELLO returned from the remote server takes a significant amount of time or does not come back from the server at all (for example, someone unplugged the server), the LDAP client connection DOES NOT timeout, and there are no LDAP configuration options to force the session to timeout. So, the LDAP client connection is effectively hung forever. Issue 8047 reported the SSL timeout issue, but the issue's status is still UNCONFIRMED. Are there any plans to correct this problem in future versions of LDAP Client? Thanks, Rob Dunn IBM z/TPFDF development email: strmbrgr(a)us.ibm.com<mailto:strmbrgr@us.ibm.com> phone: (845) 433-1312

3 3

DIT changes approval
by sysadm+ldap-technical＠rolep.work 23 May '23

23 May '23

Hello, Is there any way to approve (past or future) DIT changes by more than one people? OpeLDAP has ACL sets, I know. But I don't understand, how (or even can I) to use it forr approve changes in (part of) DIT by two or more people (must not singly, but whole set of people).

3 2

SASL EXTERNAL
by thomaswilliampritchard＠gmail.com 22 May '23

22 May '23

I understand SASL is a framework defined outside of OpenLDAP and the EXTERNAL mechanism of SASL implies authentication is established outside of the SASL mechanism using context around the client connection. It sounds like that could be something like the Client IP, the DN in the client certificate if using mutual TLS, or the gid / uid of the client when connecting over unix sockets. I am looking for a way to audit that my SASL EXTERNAL configuration does not allow any sort of authentication through anything other than the unix socket option. I have not come across a way that I can configure the external mechanism with only uid / gid methodology. Is it sufficient to simply audit the ACLs and see that there is only an ACL for the unix socket mechanism to be confident the server is not entertaining IP / TLS / or some other EXTERNAL methodology?

1 0

OpenLDAP: slapd 2.4.59 | Too Many Open files
by chauhan.ramraj＠gmail.com 19 May '23

19 May '23

Hi All Requesting some sort of help with "Too Many open files". .I have seen several post and even in these archives about too many open files..Details about openldap installation. Version - 2.4.59 OS- RockyLinux 8 Ldap is used by the coldfusion application for authentication. During normal operation things are ok..but after some time or when a load of like 30 concurrent users for a period of 5 mins are added, I get "Too Many Open files" after the file descriptors reach 1024. What I have observed that post the search result log. , the UNBIND and CLOSE on the connection at times takes over 3 mins..and have see that there are over 1000 connections in ESTABLISHED mode based on the lsof -i :ldap ...I have tried to set below limits but to no avail..it still thows error post 1023 open FDs.. * hard nofile 65535 * soft nofile 65535 * hard memlock 3000000 * soft memlock 3000000 * hard nproc 16000 * soft nproc 16000 * hard stack 512000 * soft stack 512000 Have been able to increase the FDs as well by modifiying the slapd startup script(changed the settings to 4096..it did reflect in monitor)..but after some time the connection unbind and close calls are invoke more than 3 mins...as compared to when the load is low..when it happens within few secs.. Any help to make changes to ldap configuration or pointers how to go ahead troubleshooting this would be really appreciated.

3 5

Two mdb_env_open() on same file/dir? Etc.
by Sam Dave 18 May '23

18 May '23

Can two or more mdb_env_open() be called on the same file/directory (in same program or multiple programs)? Can two or more mdb_dbi_open() be called to open ultimately the same database? What are some ramifications of doing so (and of course working with various readonly/readwrite transactions, etc.) I don't see much written about this in documentation. - Samuel

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2023