openldap-technical August 2023

openldap-technical@openldap.org

20 participants
31 discussions

olcPPolicyForwardUpdates not working
by Benjamin Renard 18 Jun '25

18 Jun '25

Hello, I have problem with the olcPPolicyForwardUpdates option that seem not working : On master and slave, I configured Ppolicy with pwdLockout. When I try to connect on master with a bad password, the pwdFailureTime attribute of the entry is successfully updated, but not if I do the same on the slave. On slave, my ppolicy configuration is exactly the same as on master but I add olcPPolicyForwardUpdates=TRUE. I also configured the chain overlay and the updateref parameter on the database. Extract of my slave configuration : olcDatabase={1}mdb,cn=config [...] olcSyncrepl: [...] olcUpdateRef: ldaps://ldap-master olcOverlay={0}chain,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig objectClass: top olcOverlay: {0}chain olcChainReturnError: TRUE olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}mdb,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase objectClass: top olcDatabase: {0}ldap olcDbURI: ldaps://ldap-master olcDbIDAssertBind: bindmethod=simple binddn="[same user used in olcSyncrepl of the database]" credentials="secret" mode=self olcDbRebindAsUser: TRUE olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig objectClass: top olcOverlay: {1}ppolicy olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE olcPPolicyForwardUpdates: TRUE Do you have any idea of what I doing wrong ? Thanks, -- Benjamin Renard - Easter-eggs 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37 - mailto:brenard@easter-eggs.com

3 20

openldap TLSv1.0 is enabled
by Andre Rodier 16 May '25

16 May '25

Hello, I have configured OpenLDAP using SSL certificate, but I have a few issues. Here the TLS configuration, especially "olcTLSProtocolMin: 3.3" > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. > # CRC32 c70363a6 > dn: cn=config > objectClass: olcGlobal > cn: config > olcArgsFile: /var/run/slapd/slapd.args > olcLogLevel: none > olcPidFile: /var/run/slapd/slapd.pid > olcToolThreads: 1 > structuralObjectClass: olcGlobal > entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4 > creatorsName: cn=config > createTimestamp: 20221213065102Z > olcPasswordCryptSaltFormat: $6$%.16s > olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt > olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key > olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt > olcTLSProtocolMin: 3.3 > entryCSN: 20221214054517.926245Z#000000#000#000000 > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > modifyTimestamp: 20221214054517Z But if I try sslscan: I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why ? > root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636 > Version: 2.0.7 > OpenSSL 1.1.1n 15 Mar 2022 > > Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4 > > Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world > > SSL/TLS Protocols: > SSLv2 disabled > SSLv3 disabled > TLSv1.0 enabled > TLSv1.1 enabled > TLSv1.2 enabled > TLSv1.3 enabled > > TLS Fallback SCSV: > Server supports TLS Fallback SCSV > > TLS renegotiation: > Secure session renegotiation supported > > TLS Compression: > OpenSSL version does not support compression > Rebuild with zlib1g-dev package for zlib support > > Heartbleed: > TLSv1.3 not vulnerable to heartbleed > TLSv1.2 not vulnerable to heartbleed > TLSv1.1 not vulnerable to heartbleed > TLSv1.0 not vulnerable to heartbleed > > Supported Server Cipher(s): > Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253 > Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253 > Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253 > Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 > Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253 > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits AES256-GCM-SHA384 > Accepted TLSv1.2 256 bits AES256-CCM > Accepted TLSv1.2 128 bits AES128-GCM-SHA256 > Accepted TLSv1.2 128 bits AES128-CCM > Accepted TLSv1.2 256 bits AES256-SHA > Accepted TLSv1.2 128 bits AES128-SHA > Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.1 256 bits AES256-SHA > Accepted TLSv1.1 128 bits AES128-SHA > Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.0 256 bits AES256-SHA > Accepted TLSv1.0 128 bits AES128-SHA > > Server Key Exchange Group(s): > TLSv1.3 128 bits secp256r1 (NIST P-256) > TLSv1.3 192 bits secp384r1 (NIST P-384) > TLSv1.3 260 bits secp521r1 (NIST P-521) > TLSv1.3 128 bits x25519 > TLSv1.3 224 bits x448 > TLSv1.3 112 bits ffdhe2048 > TLSv1.3 128 bits ffdhe3072 > TLSv1.3 150 bits ffdhe4096 > TLSv1.3 175 bits ffdhe6144 > TLSv1.3 192 bits ffdhe8192 > TLSv1.2 128 bits secp256r1 (NIST P-256) > TLSv1.2 192 bits secp384r1 (NIST P-384) > TLSv1.2 260 bits secp521r1 (NIST P-521) > TLSv1.2 128 bits x25519 > TLSv1.2 224 bits x448 > > SSL Certificate: > Signature Algorithm: sha256WithRSAEncryption > RSA Key Strength: 2048 > > Subject: ldap.homebox.world > Altnames: DNS:ldap.homebox.world > Issuer: (STAGING) Artificial Apricot R3 > > Not valid before: Dec 13 05:34:29 2022 GMT > Not valid after: Mar 13 05:34:28 2023 GMT Thanks for your insights. Andre

6 13

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Enable debug logging on OpenLDAP 2.4.59 server running on Red Hat Enterprise Linux 8.7 (Ootpa)
by Kaushal Shriyan 31 Aug '23

31 Aug '23

Hi, I have the below settings as per https://www.openldap.org/doc/admin25/slapdconfig.html. I did check both /var/log and /etc/default/ on RHEL 8.7 but was unable to locate the log files. # grep olcLogLevel /etc/openldap/slapd.d/cn=config.ldif olcLogLevel: 256 # ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.4.59 (Jun 4 2021 16:57:15) $ build@c8rpm :/home/build/git/rheldap8/RHEL8_x86_64/BUILD/symas-openldap-2.4.59/openldap-2.4.59/clients/tools (LDAP library: OpenLDAP 20459) Is there a way to enable debug logging on openldap server and openldap client on "Red Hat Enterprise Linux 8.7 (Ootpa)" for debugging the ldap user logging issue? Please comment. Thanks in advance. Best Regards, Kaushal

2 1

removed syncrepl getting Server is unwilling to perform (53)
by Marc 31 Aug '23

31 Aug '23

I removed the synrepl from a ldap server. Now I am getting errors when deleting entries ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral I also tried adding this, but does not change anything. dn: olcDatabase={0}config,cn=config changetype:modify add: olcMirrorMode olcMirrorMode: FALSE I don't think it is the acl's as I was able to change logging level before, when it was a slave. However now I am also not able to update the logging level. What config settings should I look at?

3 8

Re: [EXT] rhel8 OS rpm spec file
by Kaushal Shriyan 31 Aug '23

31 Aug '23

On Thu, Aug 24, 2023 at 2:39 AM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Monday, August 21, 2023 11:54 PM +0530 Kaushal Shriyan > <kaushalshriyan(a)gmail.com> wrote: > > > Thanks Quanah for the quick response. I am > > following https://unixcop.com/how-to-install-openldap-on-rockylinux-or-c > > entos-8-step-by-step/. Are there any tutorials or guides to setup > > symas-openldap-servers-2.5.16-1.el8.x86_64 on Red Hat Enterprise Linux > > release 8.7 (Ootpa)? > > I would read the official documentation from the OpenLDAP website. > > --Quanah > > Thanks Quanah for the quick response and help. Much appreciated.

1 0

regular yum update 2.5.14 -> 2.5.16 resets rights on /var/symas/openldap-data
by cYuSeDfZfb cYuSeDfZfb 28 Aug '23

28 Aug '23

Hi, Just a quick warning to all: we upgraded a RHEL9 test system from 2.5.14 to 2.5.16, and see: Before: [root@ldaps01 log]# ls -l /var/symas/ drwx------. 3 ldap ldap 50 Aug 28 16:28 openldap-data After: [root@ldaps01 log]# ls -l /var/symas/ drwx------. 3 root root 50 Aug 28 16:28 openldap-data So after the update, ldap no longer started, due to "invalid path: Permission denied" Reverting the permissions back to ldap:ldap solves it. But... is this somehow on purpose, or....?

1 0

syncrepl default value questions
by Dick Visser 28 Aug '23

28 Aug '23

Hi I'm configuring syncrepl and have some questions about its parameters. The version used is: @(#) $OpenLDAP: slapd 2.5.13+dfsg-5 (Feb 8 2023 01:56:12) $ Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org> I'm using the docs from https://www.openldap.org/doc/admin25/slapdconfig.html. It says there: "The network-timeout parameter sets how long the consumer will wait to establish a network connection to the provider. Once a connection is established, the timeout parameter determines how long the consumer will wait for the initial Bind request to complete. The defaults for these parameters come from *ldap.conf*(5)." But, "man 5 ldap.conf " does not seem to list those defaults. Instead it says this about them: NETWORK_TIMEOUT <integer> Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity. TIMEOUT <integer> Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is received. Also used for any ldap_result(3) calls where a NULL timeout pa‐ rameter is supplied. So, I wonder what is being used as default for these. In case there is none, that would come down to 'infinite'. But I don't find that information either. Something similar goes for 'keepalive', that is described as: "The keepalive parameter sets the values of idle, probes, and interval used to check whether a socket is alive; idle is the number of seconds a connection needs to remain idle before TCP starts sending keepalive probes; probes is the maximum number of keepalive probes TCP should send before dropping the connection; interval is interval in seconds between individual keepalive probes. Only some systems support the customization of these values; the keepalive parameter is ignored otherwise, and system-wide settings are used. For example, keepalive="240:10:30" will send a keepalive probe 10 times, every 30 seconds, after 240 seconds of idle activity. If no response to the probes is received, the connection will be dropped." The "man 5 ldap.conf" has these keepalive params: KEEPALIVE_IDLE Sets/gets the number of seconds a connection needs to remain idle before TCP starts sending keepalive probes. Linux only. KEEPALIVE_PROBES Sets/gets the maximum number of keepalive probes TCP should send before dropping the con‐ nection. Linux only. KEEPALIVE_INTERVAL Sets/gets the interval in seconds between indi‐ vidual keepalive probes. Linux only. Again, no defaults. We do run this on Linux, and the kernel has corresponding values for: root@foo:/proc/sys/net/ipv4# for i in tcp_keepalive_*; do echo "$i = $(cat $i)"; done tcp_keepalive_intvl = 75 tcp_keepalive_probes = 9 tcp_keepalive_time = 7200 So, I'm guessing in my case "keepalive" will use "7200:9:75" - right? I.e. the defaults are from the OS' TCP stack configuration. Many thanks Dick Visser

1 0

still stuck with allowing access to all attributes except 1 or 2
by Marc 27 Aug '23

27 Aug '23

olcAccess: {0} to dn.exact="" by * read olcAccess: {1} to dn.exact="cn=Subschema" by * read olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break ... olcAccess: {7} to dn.subtree="xxxxxx" filter=(objectClass=posixAccount) attrs= by ssf=64 dn.exact="yyyy" read by * break olcAccess: {8} to dn.subtree="xxxxxx" by ssf=256 dn.exact="yyyy" search by ssf=256 self read by anonymous is there not a syntax or so for attrs=-userPassword Or am I approaching this incorrectly?

3 5

Re: [EXT] rhel8 OS rpm spec file
by Kaushal Shriyan 23 Aug '23

23 Aug '23

On Mon, Aug 21, 2023 at 10:29 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Monday, August 21, 2023 10:38 PM +0530 Kaushal Shriyan > <kaushalshriyan(a)gmail.com> wrote: > > > > Prepare the database template included in OpenLDAP installed > > > ># cp -r /usr/share/openldap-servers/DB_CONFIG.example > ># /var/lib/ldap/DB_CONFIG > > cp: cannot stat '/usr/share/openldap-servers/DB_CONFIG.example': No such > > file or directory > > > ># ls -l /usr/share/openldap-servers/DB_CONFIG.example > > ls: cannot access '/usr/share/openldap-servers/DB_CONFIG.example': No > > such file or directory > ># ls -l /etc/openldap/slapd.d/cn=config/olcDatabase={2}mdb.ldif > > ls: cannot access > > '/etc/openldap/slapd.d/cn=config/olcDatabase={2}mdb.ldif': No such file > > or directory > > I don't know where you are getting information about > /usr/share/openldap-servers/DB_CONFIG.example. That doesn't exist in > OpenLDAP 2.5+ > > --Quanah > Thanks Quanah for the quick response. I am following https://unixcop.com/how-to-install-openldap-on-rockylinux-or-centos-8-step-…. Are there any tutorials or guides to setup symas-openldap-servers-2.5.16-1.el8.x86_64 on Red Hat Enterprise Linux release 8.7 (Ootpa)? Please suggest further. Thanks in advance. Best Regards, Kaushal

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2023