openldap-technical May 2023

openldap-technical@openldap.org

25 participants
21 discussions

Multiple memberOf overlays
by John C. Pfeifer 05 Aug '25

05 Aug '25

I am in the process of converting an existing LDAP infrastructure to OpenLDAP. I have a case where it would be convenient for two different objectClasses to map into the memberOf attribute. Is it possible to define two overlay configs or will they end up fighting each other over the memberOf attribute? For instance: dn: olcOverlay={5}memberofA,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {5}memberofA olcMemberOfDangling: error olcMemberOfRefInt: FALSE olcMemberOfGroupOC: objectClassA olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf dn: olcOverlay={6}memberofB,olcDatabase={2}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {6}memberofB olcMemberOfDangling: error olcMemberOfRefInt: FALSE olcMemberOfGroupOC: objectClassB olcMemberOfMemberAD: member olcMemberOfMemberOfAD: memberOf // John Pfeifer Division of Information Technology University of Maryland, College Park

4 3

olcPPolicyForwardUpdates not working
by Benjamin Renard 18 Jun '25

18 Jun '25

Hello, I have problem with the olcPPolicyForwardUpdates option that seem not working : On master and slave, I configured Ppolicy with pwdLockout. When I try to connect on master with a bad password, the pwdFailureTime attribute of the entry is successfully updated, but not if I do the same on the slave. On slave, my ppolicy configuration is exactly the same as on master but I add olcPPolicyForwardUpdates=TRUE. I also configured the chain overlay and the updateref parameter on the database. Extract of my slave configuration : olcDatabase={1}mdb,cn=config [...] olcSyncrepl: [...] olcUpdateRef: ldaps://ldap-master olcOverlay={0}chain,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig objectClass: top olcOverlay: {0}chain olcChainReturnError: TRUE olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}mdb,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase objectClass: top olcDatabase: {0}ldap olcDbURI: ldaps://ldap-master olcDbIDAssertBind: bindmethod=simple binddn="[same user used in olcSyncrepl of the database]" credentials="secret" mode=self olcDbRebindAsUser: TRUE olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig objectClass: top olcOverlay: {1}ppolicy olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE olcPPolicyForwardUpdates: TRUE Do you have any idea of what I doing wrong ? Thanks, -- Benjamin Renard - Easter-eggs 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37 - mailto:brenard@easter-eggs.com

3 20

openldap TLSv1.0 is enabled
by Andre Rodier 16 May '25

16 May '25

Hello, I have configured OpenLDAP using SSL certificate, but I have a few issues. Here the TLS configuration, especially "olcTLSProtocolMin: 3.3" > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. > # CRC32 c70363a6 > dn: cn=config > objectClass: olcGlobal > cn: config > olcArgsFile: /var/run/slapd/slapd.args > olcLogLevel: none > olcPidFile: /var/run/slapd/slapd.pid > olcToolThreads: 1 > structuralObjectClass: olcGlobal > entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4 > creatorsName: cn=config > createTimestamp: 20221213065102Z > olcPasswordCryptSaltFormat: $6$%.16s > olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt > olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key > olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt > olcTLSProtocolMin: 3.3 > entryCSN: 20221214054517.926245Z#000000#000#000000 > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > modifyTimestamp: 20221214054517Z But if I try sslscan: I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why ? > root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636 > Version: 2.0.7 > OpenSSL 1.1.1n 15 Mar 2022 > > Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4 > > Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world > > SSL/TLS Protocols: > SSLv2 disabled > SSLv3 disabled > TLSv1.0 enabled > TLSv1.1 enabled > TLSv1.2 enabled > TLSv1.3 enabled > > TLS Fallback SCSV: > Server supports TLS Fallback SCSV > > TLS renegotiation: > Secure session renegotiation supported > > TLS Compression: > OpenSSL version does not support compression > Rebuild with zlib1g-dev package for zlib support > > Heartbleed: > TLSv1.3 not vulnerable to heartbleed > TLSv1.2 not vulnerable to heartbleed > TLSv1.1 not vulnerable to heartbleed > TLSv1.0 not vulnerable to heartbleed > > Supported Server Cipher(s): > Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253 > Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253 > Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253 > Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 > Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253 > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits AES256-GCM-SHA384 > Accepted TLSv1.2 256 bits AES256-CCM > Accepted TLSv1.2 128 bits AES128-GCM-SHA256 > Accepted TLSv1.2 128 bits AES128-CCM > Accepted TLSv1.2 256 bits AES256-SHA > Accepted TLSv1.2 128 bits AES128-SHA > Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.1 256 bits AES256-SHA > Accepted TLSv1.1 128 bits AES128-SHA > Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.0 256 bits AES256-SHA > Accepted TLSv1.0 128 bits AES128-SHA > > Server Key Exchange Group(s): > TLSv1.3 128 bits secp256r1 (NIST P-256) > TLSv1.3 192 bits secp384r1 (NIST P-384) > TLSv1.3 260 bits secp521r1 (NIST P-521) > TLSv1.3 128 bits x25519 > TLSv1.3 224 bits x448 > TLSv1.3 112 bits ffdhe2048 > TLSv1.3 128 bits ffdhe3072 > TLSv1.3 150 bits ffdhe4096 > TLSv1.3 175 bits ffdhe6144 > TLSv1.3 192 bits ffdhe8192 > TLSv1.2 128 bits secp256r1 (NIST P-256) > TLSv1.2 192 bits secp384r1 (NIST P-384) > TLSv1.2 260 bits secp521r1 (NIST P-521) > TLSv1.2 128 bits x25519 > TLSv1.2 224 bits x448 > > SSL Certificate: > Signature Algorithm: sha256WithRSAEncryption > RSA Key Strength: 2048 > > Subject: ldap.homebox.world > Altnames: DNS:ldap.homebox.world > Issuer: (STAGING) Artificial Apricot R3 > > Not valid before: Dec 13 05:34:29 2022 GMT > Not valid after: Mar 13 05:34:28 2023 GMT Thanks for your insights. Andre

6 13

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

RE25 testing call (2.5.15) #1
by Quanah Gibson-Mount 26 Jun '23

26 Jun '23

This is the first testing call for OpenLDAP 2.5.15. Depending on the results, this may be the only testing call. NOTE: This release adds support for OpenSSL 3.0 to the 2.5 release series. Generally, get the code for RE25: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.5.15 Engineering Added libldap openssl3 support (ITS#9436, ITS#10030) Fixed libldap handling of TCP KEEPALIVE options (ITS#10015) Fixed libldap with async connections (ITS#10023) Fixed libldap openssl TLSv1.3 cipher suite handling (ITS#10035) Fixed slapd callback handling with overlays that do extended operations (ITS#9990) Fixed slapd conversion of pcache configurations (ITS#10031) Fixed slapd cn=config modification handling with abandon (ITS#10045) Fixed slapo-constraint handling of push replication (ITS#9953) Fixed slapo-dynlist filter evaluation efficiency (ITS#10041) Fixed slapo-pcache handling of invalid schema (ITS#10032) Fixed slapo-ppolicy handling of push replication (ITS#9953) Fixed slapo-ppolicy handling of pwdMinDelay (ITS#10028) Fixed slapo-syncprov abandon handling (ITS#10016) Fixed slapo-translucent handling of invalid schema (ITS#10032) Fixed slapo-unique handling of push replication (ITS#9953) Fixed slapo-variant to improve regex handling (ITS#10048) Build Environment Fixed compatibility with stricter C99 compilers (ITS#10011) Keep .pc files during make clean (ITS#9989) Contrib Fixed slapo-variant handling of push replication (ITS#9953) Minor Cleanup ITS#9855 ITS#9995 ITS#9996 ITS#9997 ITS#9998 ITS#9999 ITS#10000 ITS#10003 ITS#10004 ITS#10033 ITS#10037 ITS#10039 ITS#10046 Regards, Quanah

2 1

RE26 testing call (2.6.5) #1
by Quanah Gibson-Mount 26 Jun '23

26 Jun '23

This is the first testing call for OpenLDAP 2.6.5. Depending on the results, this may be the only testing call. Generally, get the code for RE26: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.6.5 Engineering Fixed libldap handling of TCP KEEPALIVE options (ITS#10015) Fixed libldap with async connections (ITS#10023) Fixed libldap openssl TLSv1.3 cipher suite handling (ITS#10035) Fixed slapd callback handling with overlays that do extended operations (ITS#9990) Fixed slapd conversion of pcache configurations (ITS#10031) Fixed slapd cn=config modification handling with abandon (ITS#10045) Fixed slapd-mdb online indexer termination and cleanup (ITS#9993) Fixed slapd-mdb online indexer when interrupted (ITS#10047) Fixed slapd-monitor connection cleanup (ITS#10042) Fixed slapo-constraint handling of push replication (ITS#9953) Fixed slapo-dynlist filter evaluation efficiency (ITS#10041) Fixed slapo-pcache handling of invalid schema (ITS#10032) Fixed slapo-ppolicy handling of push replication (ITS#9953) Fixed slapo-ppolicy handling of pwdMinDelay (ITS#10028) Fixed slapo-syncprov abandon handling (ITS#10016) Fixed slapo-translucent handling of invalid schema (ITS#10032) Fixed slapo-unique handling of push replication (ITS#9953) Fixed slapo-variant to improve regex handling (ITS#10048) Build Environment Fixed compatibility with stricter C99 compilers (ITS#10011) Keep .pc files during make clean (ITS#9989) Contrib Fixed slapo-variant handling of push replication (ITS#9953) Minor Cleanup ITS#9855 ITS#9995 ITS#9996 ITS#9997 ITS#9998 ITS#9999 ITS#10000 ITS#10003 ITS#10004 ITS#10033 ITS#10037 ITS#10039 ITS#10046 Regards, Quanah

2 1

troubleshooting replication issues
by abby.knows.it＠gmail.com 13 Jun '23

13 Jun '23

We have three nodes and want to replicate between them. This setup worked fine for over a year. Recently replication fails and the slapd process crashes. In a general sense I'm looking for a FAQ on troubleshooting replication, the common issues and solutions. Also how to turn on logging for replication specifically would help. Thanks. Abby

4 3

Only view exact match on ACL
by Lukas Adrian Kron 24 May '23

24 May '23

Hello, I would like to restrict bind users in the search. I've already managed that they only see groups for which you have been activated. Now I have the problem that bind users should only see users in the people branch if they know the exact user name in the search. So far I have solved the whole thing using the following two ACL sets. You can now also search for people. Since I had to include objectClass for the search to work, you can search for all people or for other values. However, I want all the data I specify to be displayed, but only if the username returns an exact result. I am at the end of my knowledge with the ACL sets. All the Info on ACL cannot help me further here. {5} to dn.exact="ou=Personen,dc=SERVER" by group.exact="GROUP" search by * break {6} to dn.one="ou=Personen,dc=SERVER" attrs=entry,cn,objectClass,givenname,uid,mail,sn,userPassword by group.exact="GROUP" read by * break Thanks a lot. Kindly Lukas Adrian

1 0

SSL timeout
by Robert T Dunn 23 May '23

23 May '23

We are experiencing a problem with SSL timeout as reported with issue 8047: https://bugs.openldap.org/show_bug.cgi?id=8047 Our issue is when the LDAP client does an SSL connect to establish the TLS session with the remote server. If the SERVER_HELLO returned from the remote server takes a significant amount of time or does not come back from the server at all (for example, someone unplugged the server), the LDAP client connection DOES NOT timeout, and there are no LDAP configuration options to force the session to timeout. So, the LDAP client connection is effectively hung forever. Issue 8047 reported the SSL timeout issue, but the issue's status is still UNCONFIRMED. Are there any plans to correct this problem in future versions of LDAP Client? Thanks, Rob Dunn IBM z/TPFDF development email: strmbrgr(a)us.ibm.com<mailto:strmbrgr@us.ibm.com> phone: (845) 433-1312

3 3

DIT changes approval
by sysadm+ldap-technical＠rolep.work 23 May '23

23 May '23

Hello, Is there any way to approve (past or future) DIT changes by more than one people? OpeLDAP has ACL sets, I know. But I don't understand, how (or even can I) to use it forr approve changes in (part of) DIT by two or more people (must not singly, but whole set of people).

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2023