Problem with "force user to password reset at first login"
by Rajagopal Rc
Hi,
I am trying to force users to change their password at first login or after a password reset by the administrator.
I tried the following:
1) Password policy 'pwdMustChange TRUE' doesn't seem to be working, as none of the users get prompted to change their password at first login.
2) Used the 'pwdReset TRUE' attribute in the user's attributes; it won't prompt to change the password and didn't allow login.
I observe the below messages in the log:
slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Please help me configure the option to force all users to change their password at first login or after a password reset by the administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
4 weeks, 1 day
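An added example, mine rather than the poster's configuration or anything from the OpenLDAP project, of the cn=config pieces that make pwdMustChange take effect. The log lines in the post show that the second test worked as designed: with pwdReset TRUE the bind itself succeeds, and slapd then refuses every operation on that connection except a Password Modify extended operation (RFC 3062), which is what the err=50 on the SEARCH RESULT line reports. A client that binds and immediately searches, as most PAM/SSSD stacks do, therefore sees a failed login; the password has to be changed on that same connection first (ldappasswd does exactly that). With pwdMustChange TRUE in the policy, the overlay sets pwdReset TRUE itself whenever userPassword is set or reset by someone other than the user, so the attribute should not normally be set by hand; when "nothing happens" after an admin reset, the usual causes are that the overlay is not attached to the database or that no default policy is named. Assumptions: the data database is olcDatabase={1}mdb,cn=config with suffix dc=example,dc=com, ou=policies exists, cn=module{0},cn=config exists, and the module file is named ppolicy.la as packaged.

```ldif
# Added example, not the poster's configuration. Assumptions: data database
# olcDatabase={1}mdb,cn=config, suffix dc=example,dc=com, ou=policies
# already present, ppolicy built as a loadable module named ppolicy.la.

# 1. Load the overlay module (skip if ppolicy is compiled in).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. Attach the overlay to the data database and name a default policy.
#    Without olcPPolicyDefault, entries that carry no pwdPolicySubentry
#    get no policy at all, and pwdMustChange never applies.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 3. The policy entry itself, an ordinary entry in the data database.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: pwdPolicy
objectClass: applicationProcess
cn: default
pwdAttribute: userPassword
# Passwords set or reset by someone other than the user are flagged
# pwdReset=TRUE; the user is then restricted to changing the password.
pwdMustChange: TRUE
# Without this the user cannot change the password and the account is stuck
# behind the restriction.
pwdAllowUserChange: TRUE
pwdMaxAge: 7776000
pwdInHistory: 5

# Client-side flow (shell commands, shown here as comments):
#   admin resets alice's password:
#     ldappasswd -x -ZZ -H ldap://ldap.example.com \
#         -D cn=admin,dc=example,dc=com -W -S \
#         uid=alice,ou=people,dc=example,dc=com
#   alice binds; with the ppolicy control the response says the password
#   must be changed (changeAfterReset) instead of a bare success:
#     ldapwhoami -x -ZZ -H ldap://ldap.example.com -e ppolicy \
#         -D uid=alice,ou=people,dc=example,dc=com -W
#   alice changes it on the restricted connection (Password Modify exop):
#     ldappasswd -x -ZZ -H ldap://ldap.example.com \
#         -D uid=alice,ou=people,dc=example,dc=com -W -S
# After the self-change the overlay removes pwdReset and searches work again.
```

Check the result with `ldapsearch` as the admin for `pwdReset` and `pwdChangedTime` on the user entry immediately after the reset and again after the user's change; if `pwdReset` never appears after the admin reset, the policy is not being applied to that entry.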
Enable debug logging on OpenLDAP 2.4.59 server running on Red Hat Enterprise Linux 8.7 (Ootpa)
by Kaushal Shriyan
Hi,
I have the below settings as per https://www.openldap.org/doc/admin25/slapdconfig.html. I did check both /var/log and /etc/default/ on RHEL 8.7 but was unable to locate the log files.
# grep olcLogLevel /etc/openldap/slapd.d/cn=config.ldif
olcLogLevel: 256
#
ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.4.59 (Jun 4 2021 16:57:15) $
        build@c8rpm:/home/build/git/rheldap8/RHEL8_x86_64/BUILD/symas-openldap-2.4.59/openldap-2.4.59/clients/tools
        (LDAP library: OpenLDAP 20459)
Is there a way to enable debug logging on the OpenLDAP server and OpenLDAP client on "Red Hat Enterprise Linux 8.7 (Ootpa)" for debugging the LDAP user logging issue?
Please comment. Thanks in advance.
Best Regards,
Kaushal
2 months, 4 weeks
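An added example, mine and not from the thread, of the three places to look on a RHEL 8 host. olcLogLevel 256 ("stats") already logs every connection, operation and result, so the level is not the problem; slapd sends those messages through syslog(3) at facility LOCAL4 and priority DEBUG by default (slapd -l and -S), and the stock rsyslog rule that feeds /var/log/messages takes *.info and above, which is why nothing turns up under /var/log. Assumptions: the systemd unit is slapd.service, rsyslog is running, and the bind DN and host below are illustrative.

```ldif
# Added example, not from the thread. Assumes systemd unit slapd.service,
# rsyslog on the host, and an olcLogLevel value already present (it is,
# per the grep in the post).

# Server side: raise the level while debugging. "stats" (256) logs each
# connection, operation and result; "stats2" adds entry-level detail; "acl"
# (128) logs why an operation was denied. Names are OR-ed together, so
# there is no need to add the numbers by hand.
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats stats2 acl

# Where the lines go: facility LOCAL4, priority DEBUG. Either read the
# journal, which keeps everything regardless of priority:
#   journalctl -u slapd -f
# or give the facility its own file with one rsyslog rule and restart rsyslog:
#   /etc/rsyslog.d/slapd.conf:   local4.*   /var/log/slapd.log
#
# Client side: the ldap* tools take -d <level> with the same level numbers.
#   ldapwhoami -x -ZZ -H ldap://ldap.example.com -d 1 \
#       -D uid=alice,ou=people,dc=example,dc=com -W
# -d 1 (trace) shows the bind, its result and any TLS/SASL failure on the
# client; -d -1 prints everything. Put the server back to "stats" when done:
# "acl" is chatty, and syslog becomes a bottleneck under load.
```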
removed syncrepl getting Server is unwilling to perform (53)
by Marc
I removed the syncrepl from an LDAP server. Now I am getting errors when deleting entries:
ldap_modify: Server is unwilling to perform (53)
additional info: shadow context; no update referral
I also tried adding this, but it does not change anything:
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcMirrorMode
olcMirrorMode: FALSE
I don't think it is the ACLs, as I was able to change the logging level before, when it was a slave. However, now I am also not able to update the logging level.
What config settings should I look at?
2 months, 4 weeks
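An added example of what I would check, not from the thread. "shadow context; no update referral" is slapd's message for a write to a database that is still flagged as a replica (shadow) and has no olcUpdateRef to hand the client instead. The modify in the post targets olcDatabase={0}config, which is the cn=config database itself; unless cn=config was being replicated, olcSyncrepl and olcMirrorMode live on the data database's entry, and that is where they have to be removed. Assumptions: the data database is olcDatabase={1}mdb,cn=config, the commands run as root on the server over ldapi:// with -Y EXTERNAL, and provider.example.com is a placeholder.

```ldif
# Added example, not the poster's config. Assumptions: data database at
# olcDatabase={1}mdb,cn=config; commands run as root on the server with
# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f <file>.

# 1. See what is still set on the data database (shell, not LDIF):
#   ldapsearch -Q -Y EXTERNAL -H ldapi:/// -s base \
#       -b 'olcDatabase={1}mdb,cn=config' olcSyncrepl olcMirrorMode olcUpdateRef

# 2. Remove the consumer configuration from the DATA database, not {0}config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcSyncrepl

# Only if step 1 showed olcMirrorMode on the same entry: deleting an absent
# attribute fails with noSuchAttribute and aborts that modify.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcMirrorMode

# If the deletes succeed but writes are still refused, restart slapd: the
# shadow flag is recomputed at startup from the stored configuration.
#
# 3. Alternative, if the server is meant to stay a read-only replica: give
#    writers a referral to the provider instead of err=53 (whether a client
#    follows it is up to the client).
# dn: olcDatabase={1}mdb,cn=config
# changetype: modify
# add: olcUpdateRef
# olcUpdateRef: ldap://provider.example.com
#
# If the same err=53 comes back for cn=config changes such as olcLogLevel,
# then {0}config carries an olcSyncrepl of its own; repeat step 2 on it.
```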
Re: [EXT] rhel8 OS rpm spec file
by Kaushal Shriyan
On Thu, Aug 24, 2023 at 2:39 AM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
>
> --On Monday, August 21, 2023 11:54 PM +0530 Kaushal Shriyan
> <kaushalshriyan(a)gmail.com> wrote:
>
> > Thanks Quanah for the quick response. I am following
> > https://unixcop.com/how-to-install-openldap-on-rockylinux-or-centos-8-step-by-step/.
> > Are there any tutorials or guides to set up
> > symas-openldap-servers-2.5.16-1.el8.x86_64 on Red Hat Enterprise Linux
> > release 8.7 (Ootpa)?
>
> I would read the official documentation from the OpenLDAP website.
>
> --Quanah
>
>
Thanks Quanah for the quick response and help. Much appreciated.
3 months
regular yum update 2.5.14 -> 2.5.16 resets rights on /var/symas/openldap-data
by cYuSeDfZfb cYuSeDfZfb
Hi,
Just a quick warning to all:
we upgraded a RHEL9 test system from 2.5.14 to 2.5.16, and see:
Before:
[root@ldaps01 log]# ls -l /var/symas/
drwx------. 3 ldap ldap 50 Aug 28 16:28 openldap-data
After:
[root@ldaps01 log]# ls -l /var/symas/
drwx------. 3 root root 50 Aug 28 16:28 openldap-data
So after the update, ldap no longer started, due to "invalid path: Permission denied".
Reverting the permissions back to ldap:ldap solves it.
But... is this somehow on purpose, or....?
3 months
syncrepl default value questions
by Dick Visser
Hi
I'm configuring syncrepl and have some questions about its parameters.
The version used is:
@(#) $OpenLDAP: slapd 2.5.13+dfsg-5 (Feb 8 2023 01:56:12) $
Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org>
I'm using the docs from
https://www.openldap.org/doc/admin25/slapdconfig.html.
It says there:
"The network-timeout parameter sets how long the consumer will wait to
establish a network connection to the provider. Once a connection is
established, the timeout parameter determines how long the consumer will
wait for the initial Bind request to complete. The defaults for these
parameters come from *ldap.conf*(5)."
But, "man 5 ldap.conf " does not seem to list those defaults. Instead it
says this about them:
NETWORK_TIMEOUT <integer>
        Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity.
TIMEOUT <integer>
        Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is received. Also used for any ldap_result(3) calls where a NULL timeout parameter is supplied.
So, I wonder what is being used as default for these.
In case there is none, that would come down to 'infinite'. But I don't find that information either.
Something similar goes for 'keepalive', that is described as:
"The keepalive parameter sets the values of idle, probes, and interval used
to check whether a socket is alive; idle is the number of seconds a
connection needs to remain idle before TCP starts sending keepalive probes;
probes is the maximum number of keepalive probes TCP should send before
dropping the connection; interval is interval in seconds between individual
keepalive probes. Only some systems support the customization of these
values; the keepalive parameter is ignored otherwise, and system-wide
settings are used. For example, keepalive="240:10:30" will send a keepalive
probe 10 times, every 30 seconds, after 240 seconds of idle activity. If no
response to the probes is received, the connection will be dropped."
The "man 5 ldap.conf" has these keepalive params:
KEEPALIVE_IDLE
        Sets/gets the number of seconds a connection needs to remain idle before TCP starts sending keepalive probes. Linux only.
KEEPALIVE_PROBES
        Sets/gets the maximum number of keepalive probes TCP should send before dropping the connection. Linux only.
KEEPALIVE_INTERVAL
        Sets/gets the interval in seconds between individual keepalive probes. Linux only.
Again, no defaults.
We do run this on Linux, and the kernel has corresponding values for:
root@foo:/proc/sys/net/ipv4# for i in tcp_keepalive_*; do echo "$i = $(cat $i)"; done
tcp_keepalive_intvl = 75
tcp_keepalive_probes = 9
tcp_keepalive_time = 7200
So, I'm guessing in my case "keepalive" will use "7200:9:75" - right?
I.e. the defaults are from the OS' TCP stack configuration.
Many thanks
Dick Visser
3 months
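An added example, mine rather than the poster's or the documentation's, of an olcSyncrepl value that sets all three parameters explicitly, which is what I would do rather than lean on the defaults. Two caveats a practitioner should know: libldap's built-in default for both NETWORK_TIMEOUT and TIMEOUT is -1, i.e. no timeout at all, so an unset network-timeout lets a consumer sit in connect() for as long as the kernel's own SYN retry budget allows; and the kernel's tcp_keepalive_* values only apply to sockets on which SO_KEEPALIVE has been enabled, which libldap does together with an explicit keepalive idle value (verify against os-ip.c in the libldap version in use before depending on it). Assumptions: provider at ldap://provider.example.com, consumer database olcDatabase={1}mdb,cn=config, suffix dc=example,dc=com, and a replication identity and credentials that are illustrative.

```ldif
# Added example, not from the thread. Assumptions: provider
# ldap://provider.example.com, consumer database olcDatabase={1}mdb,cn=config,
# suffix dc=example,dc=com, bind DN cn=replicator,dc=example,dc=com with an
# illustrative credential. Continuation lines start with two spaces: the
# first is the LDIF fold marker, the second is a real space.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://provider.example.com
  type=refreshAndPersist
  searchbase="dc=example,dc=com"
  retry="5 10 60 +"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=replicator-secret
  starttls=critical
  tls_reqcert=demand
  tls_cacert=/etc/openldap/certs/ca.pem
  network-timeout=10
  timeout=30
  keepalive=240:10:30
-
replace: olcUpdateRef
olcUpdateRef: ldap://provider.example.com

# network-timeout=10   give up on connect() after 10 s instead of never,
#                      so a black-holed provider triggers the retry schedule.
# timeout=30           the bind after connect must complete within 30 s.
# keepalive=240:10:30  enable SO_KEEPALIVE: first probe after 240 s idle,
#                      then one every 30 s, drop after 10 unanswered probes;
#                      a refreshAndPersist session otherwise looks idle for
#                      hours and a silently dead path is never noticed.
# retry="5 10 60 +"    five attempts 10 s apart, then every 60 s forever.
#
# The credentials value sits in cleartext in cn=config; make sure the
# olcAccess on the config database keeps olcSyncrepl readable only by the
# config rootdn, and prefer SASL/EXTERNAL with a client certificate where
# the provider supports it.
```

After loading it, `ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' -s base olcSyncrepl` shows the stored value, and `ss -tno state established '( dport = :389 )'` on the consumer lists the replication socket with a `timer:(keepalive,...)` field once SO_KEEPALIVE is in effect.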
still stuck with allowing access to all attributes except 1 or 2
by Marc
olcAccess: {0} to dn.exact=""
by * read
olcAccess: {1} to dn.exact="cn=Subschema"
by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange
by ssf=256 self read
by ssf=256 anonymous auth
by * none break
...
olcAccess: {7} to dn.subtree="xxxxxx" filter=(objectClass=posixAccount) attrs=
by ssf=64 dn.exact="yyyy" read
by * break
olcAccess: {8} to dn.subtree="xxxxxx"
by ssf=256 dn.exact="yyyy" search
by ssf=256 self read
by anonymous
Is there not a syntax or so for attrs=-userPassword? Or am I approaching this incorrectly?
3 months
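There is no negated attrs= form in slapd.access(5). "Every attribute except these" is expressed by ordering: slapd takes the first olcAccess rule whose to clause matches the entry and attribute being checked, so a rule for userPassword and shadowLastChange that ends in a plain by * none (no break) settles those attributes for everyone, and the general rules after it never see them. The by * none break at the end of {2} in the post is what lets the later rules reach userPassword (for instance the dn.exact="yyyy" search grant in {8}). An added example of that ordering, mine rather than the poster's ACLs, keeping the xxxxxx/yyyy placeholders from the post and assuming the database is olcDatabase={1}mdb,cn=config; the rules the post elides ({3} to {6}) would keep their place between the protected-attribute rule and the general ones:

```ldif
# Added example; not the poster's ACLs. "xxxxxx" and "yyyy" are the
# placeholders from the post. Assumes olcDatabase={1}mdb,cn=config.
# Order matters: slapd uses the first <to> clause that matches the
# (entry, attribute) pair, then the first matching <by> inside it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.exact="" by * read
olcAccess: {1}to dn.exact="cn=Subschema" by * read
# The "except" rule. It is terminal: no "break", so no later rule is
# consulted for userPassword/shadowLastChange, whoever is asking.
# self gets =xw (change it, authenticate with it) rather than read, so users
# cannot pull their own hash; anonymous gets auth for the bind only.
olcAccess: {2}to attrs=userPassword,shadowLastChange
  by ssf=256 self =xw
  by ssf=256 anonymous auth
  by * none
# Everything else. Omitting attrs= means all attributes, but these rules can
# no longer reach the two handled above, so the "break" in {3} is safe.
olcAccess: {3}to dn.subtree="xxxxxx" filter=(objectClass=posixAccount)
  by ssf=64 dn.exact="yyyy" read
  by * break
olcAccess: {4}to dn.subtree="xxxxxx"
  by ssf=256 dn.exact="yyyy" search
  by ssf=256 self read
  by * none
```

Verify without a live bind using slapacl, which evaluates the stored ACLs for a given identity: `slapacl -F /etc/openldap/slapd.d -D "yyyy" -b "uid=alice,ou=people,xxxxxx" userPassword/read` should report that read is denied while `uid/read` on the same entry is allowed, and a search by yyyy that asks for userPassword should return entries with the attribute absent rather than an error.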
Re: [EXT] rhel8 OS rpm spec file
by Kaushal Shriyan
On Mon, Aug 21, 2023 at 10:29 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
>
> --On Monday, August 21, 2023 10:38 PM +0530 Kaushal Shriyan
> <kaushalshriyan(a)gmail.com> wrote:
> >
> > Prepare the database template included in OpenLDAP installed
> >
> > # cp -r /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
> > cp: cannot stat '/usr/share/openldap-servers/DB_CONFIG.example': No such file or directory
> >
> > # ls -l /usr/share/openldap-servers/DB_CONFIG.example
> > ls: cannot access '/usr/share/openldap-servers/DB_CONFIG.example': No such file or directory
> > # ls -l /etc/openldap/slapd.d/cn=config/olcDatabase={2}mdb.ldif
> > ls: cannot access '/etc/openldap/slapd.d/cn=config/olcDatabase={2}mdb.ldif': No such file or directory
>
> I don't know where you are getting information about
> /usr/share/openldap-servers/DB_CONFIG.example. That doesn't exist in
> OpenLDAP 2.5+
>
> --Quanah
>
Thanks Quanah for the quick response. I am following
https://unixcop.com/how-to-install-openldap-on-rockylinux-or-centos-8-ste....
Are there any tutorials or guides to setup
symas-openldap-servers-2.5.16-1.el8.x86_64 on Red Hat Enterprise Linux
release 8.7 (Ootpa)?
Please suggest further. Thanks in advance.
Best Regards,
Kaushal
3 months, 1 week
lmdb usage in containers
by Vitaly Repin
Hello,
I have a question about usage of the same lmdb database in different
containers and in the host machine.
So far I just mapped the lmdb file in docker-compose.yml:
volumes:
- "/var/spool/lmdbenv/:/var/spool/lmdbenv/"
And I'm reading/writing to/from the database from different containers.
Everything seems to work at a first glance.
Example of adding an element to lmdb:
/usr/bin/python -mlmdb --env /var/spool/lmdbenv edit \
--set "client"="{
\"client_ip\" : \"$client_ip\",
\"client_data\" : \"$client_data\"
}"
Is it the proper use case for lmdb? Is there any special "flush" API which
I have to use to make sure that the record inserted in one container
becomes visible in another?
Thanks in advance!
--
WBR & WBW, Vitaly
3 months, 1 week
Re: [EXT] rhel8 OS rpm spec file
by Kaushal Shriyan
Hi,
Are there any tutorials or guides to configure symas based Openldap server
on Red Hat Enterprise Linux release 8.7 (Ootpa)?
# rpm -qa | grep openldap
symas-openldap-servers-2.5.16-1.el8.x86_64
symas-openldap-servers-selinux-1.0.6-1.el8.noarch
symas-openldap-libs-2.5.16-1.el8.x86_64
symas-openldap-clients-2.5.16-1.el8.x86_64
#
Please guide me. Thanks in Advance.
Best Regards,
Kaushal
On Wed, Aug 9, 2023 at 11:19 PM Kaushal Shriyan <kaushalshriyan(a)gmail.com>
wrote:
>
>
> On Mon, Aug 7, 2023 at 12:01 PM Windl, Ulrich <u.windl(a)ukr.de> wrote:
>
>> I think the question is somewhat off-topic here: Learn how to build an
>> RPM package from elsewhere, maybe
>> https://www.redhat.com/sysadmin/create-rpm-package or
>> https://developers.redhat.com/blog/2019/03/18/rpm-packaging-guide-creatin...
>> or https://linuxconfig.org/how-to-create-an-rpm-package
>>
>> -----Original Message-----
>> From: Kaushal Shriyan <kaushalshriyan(a)gmail.com>
>> Sent: Sunday, August 6, 2023 3:51 AM
>> To: openldap-technical(a)openldap.org
>> Subject: [EXT] rhel8 OS rpm spec file
>>
>> Hi,
>>
>> Is there a way to generate openldap-servers.x86_64 rpm spec file from
>> https://www.openldap.org/software/download/OpenLDAP/openldap-release/open...
>>
>>
>> # ll
>> total 900
>> -rw-r--r-- 1 1001 1001 11109 Jul 10 21:59 aclocal.m4
>> -rw-r--r-- 1 1001 1001 6100 Jul 10 21:59 ANNOUNCEMENT
>> drwxr-xr-x 2 1001 1001 4096 Jul 10 21:59 build
>> -rw-r--r-- 1 1001 1001 14120 Jul 10 21:59 CHANGES
>> drwxr-xr-x 3 1001 1001 38 Jul 10 21:59 clients
>> -rwxr-xr-x 1 1001 1001 753489 Jul 10 21:59 configure
>> -rw-r--r-- 1 1001 1001 99724 Jul 10 21:59 configure.ac
>> drwxr-xr-x 7 1001 1001 129 Jul 10 21:59 contrib
>> -rw-r--r-- 1 1001 1001 2345 Jul 10 21:59 COPYRIGHT
>> drwxr-xr-x 8 1001 1001 102 Jul 10 21:59 doc
>> drwxr-xr-x 3 1001 1001 4096 Jul 10 21:59 include
>> -rw-r--r-- 1 1001 1001 3793 Jul 10 21:59 INSTALL
>> drwxr-xr-x 8 1001 1001 123 Jul 10 21:59 libraries
>> -rw-r--r-- 1 1001 1001 2214 Jul 10 21:59 LICENSE
>> -rw-r--r-- 1 1001 1001 1029 Jul 10 21:59 Makefile.in
>> -rw-r--r-- 1 1001 1001 3594 Jul 10 21:59 README
>> drwxr-xr-x 4 1001 1001 52 Jul 10 21:59 servers
>> drwxr-xr-x 5 1001 1001 93 Jul 10 21:59 tests
>> # ./configure --help | grep spec
>> To assign environment variables (e.g., CC, CFLAGS...), specify them as
>> Defaults for the options are specified in brackets.
>> --help=short display options specific to this package
>> `/usr/local/bin', `/usr/local/lib' etc. You can specify
>> --with-odbc with specific ODBC support
>> compiler's sysroot if not specified).
>> #
>>
>> Please guide me.
>>
>> Thanks in Advance.
>>
>> Best Regards,
>>
>> Kaushal
>>
>>
> Thanks Quanah and Ulrich for the quick email response. Much appreciated
> for guiding me. Thanks once again.
>
> Best Regards,
>
> Kaushal
>
3 months, 1 week