openldap-technical August 2023

openldap-technical@openldap.org

20 participants
29 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Enable debug logging on OpenLDAP 2.4.59 server running on Red Hat Enterprise Linux 8.7 (Ootpa)
by Kaushal Shriyan 31 Aug '23

31 Aug '23

Hi, I have the below settings as per https://www.openldap.org/doc/admin25/slapdconfig.html. I did check both /var/log and /etc/default/ on RHEL 8.7 but was unable to locate the log files. # grep olcLogLevel /etc/openldap/slapd.d/cn=config.ldif olcLogLevel: 256 # ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.4.59 (Jun 4 2021 16:57:15) $ build@c8rpm :/home/build/git/rheldap8/RHEL8_x86_64/BUILD/symas-openldap-2.4.59/openldap-2.4.59/clients/tools (LDAP library: OpenLDAP 20459) Is there a way to enable debug logging on openldap server and openldap client on "Red Hat Enterprise Linux 8.7 (Ootpa)" for debugging the ldap user logging issue? Please comment. Thanks in advance. Best Regards, Kaushal

2 1

removed syncrepl getting Server is unwilling to perform (53)
by Marc 31 Aug '23

31 Aug '23

I removed the synrepl from a ldap server. Now I am getting errors when deleting entries ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral I also tried adding this, but does not change anything. dn: olcDatabase={0}config,cn=config changetype:modify add: olcMirrorMode olcMirrorMode: FALSE I don't think it is the acl's as I was able to change logging level before, when it was a slave. However now I am also not able to update the logging level. What config settings should I look at?

3 8

Re: [EXT] rhel8 OS rpm spec file
by Kaushal Shriyan 30 Aug '23

30 Aug '23

On Thu, Aug 24, 2023 at 2:39 AM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Monday, August 21, 2023 11:54 PM +0530 Kaushal Shriyan > <kaushalshriyan(a)gmail.com> wrote: > > > Thanks Quanah for the quick response. I am > > following https://unixcop.com/how-to-install-openldap-on-rockylinux-or-c > > entos-8-step-by-step/. Are there any tutorials or guides to setup > > symas-openldap-servers-2.5.16-1.el8.x86_64 on Red Hat Enterprise Linux > > release 8.7 (Ootpa)? > > I would read the official documentation from the OpenLDAP website. > > --Quanah > > Thanks Quanah for the quick response and help. Much appreciated.

1 0

regular yum update 2.5.14 -> 2.5.16 resets rights on /var/symas/openldap-data
by cYuSeDfZfb cYuSeDfZfb 28 Aug '23

28 Aug '23

Hi, Just a quick warning to all: we upgraded a RHEL9 test system from 2.5.14 to 2.5.16, and see: Before: [root@ldaps01 log]# ls -l /var/symas/ drwx------. 3 ldap ldap 50 Aug 28 16:28 openldap-data After: [root@ldaps01 log]# ls -l /var/symas/ drwx------. 3 root root 50 Aug 28 16:28 openldap-data So after the update, ldap no longer started, due to "invalid path: Permission denied" Reverting the permissions back to ldap:ldap solves it. But... is this somehow on purpose, or....?

1 0

syncrepl default value questions
by Dick Visser 28 Aug '23

28 Aug '23

Hi I'm configuring syncrepl and have some questions about its parameters. The version used is: @(#) $OpenLDAP: slapd 2.5.13+dfsg-5 (Feb 8 2023 01:56:12) $ Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org> I'm using the docs from https://www.openldap.org/doc/admin25/slapdconfig.html. It says there: "The network-timeout parameter sets how long the consumer will wait to establish a network connection to the provider. Once a connection is established, the timeout parameter determines how long the consumer will wait for the initial Bind request to complete. The defaults for these parameters come from *ldap.conf*(5)." But, "man 5 ldap.conf " does not seem to list those defaults. Instead it says this about them: NETWORK_TIMEOUT <integer> Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity. TIMEOUT <integer> Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is received. Also used for any ldap_result(3) calls where a NULL timeout pa‐ rameter is supplied. So, I wonder what is being used as default for these. In case there is none, that would come down to 'infinite'. But I don't find that information either. Something similar goes for 'keepalive', that is described as: "The keepalive parameter sets the values of idle, probes, and interval used to check whether a socket is alive; idle is the number of seconds a connection needs to remain idle before TCP starts sending keepalive probes; probes is the maximum number of keepalive probes TCP should send before dropping the connection; interval is interval in seconds between individual keepalive probes. Only some systems support the customization of these values; the keepalive parameter is ignored otherwise, and system-wide settings are used. For example, keepalive="240:10:30" will send a keepalive probe 10 times, every 30 seconds, after 240 seconds of idle activity. If no response to the probes is received, the connection will be dropped." The "man 5 ldap.conf" has these keepalive params: KEEPALIVE_IDLE Sets/gets the number of seconds a connection needs to remain idle before TCP starts sending keepalive probes. Linux only. KEEPALIVE_PROBES Sets/gets the maximum number of keepalive probes TCP should send before dropping the con‐ nection. Linux only. KEEPALIVE_INTERVAL Sets/gets the interval in seconds between indi‐ vidual keepalive probes. Linux only. Again, no defaults. We do run this on Linux, and the kernel has corresponding values for: root@foo:/proc/sys/net/ipv4# for i in tcp_keepalive_*; do echo "$i = $(cat $i)"; done tcp_keepalive_intvl = 75 tcp_keepalive_probes = 9 tcp_keepalive_time = 7200 So, I'm guessing in my case "keepalive" will use "7200:9:75" - right? I.e. the defaults are from the OS' TCP stack configuration. Many thanks Dick Visser

1 0

still stuck with allowing access to all attributes except 1 or 2
by Marc 27 Aug '23

27 Aug '23

olcAccess: {0} to dn.exact="" by * read olcAccess: {1} to dn.exact="cn=Subschema" by * read olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break ... olcAccess: {7} to dn.subtree="xxxxxx" filter=(objectClass=posixAccount) attrs= by ssf=64 dn.exact="yyyy" read by * break olcAccess: {8} to dn.subtree="xxxxxx" by ssf=256 dn.exact="yyyy" search by ssf=256 self read by anonymous is there not a syntax or so for attrs=-userPassword Or am I approaching this incorrectly?

3 5

Re: [EXT] rhel8 OS rpm spec file
by Kaushal Shriyan 23 Aug '23

23 Aug '23

On Mon, Aug 21, 2023 at 10:29 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Monday, August 21, 2023 10:38 PM +0530 Kaushal Shriyan > <kaushalshriyan(a)gmail.com> wrote: > > > > Prepare the database template included in OpenLDAP installed > > > ># cp -r /usr/share/openldap-servers/DB_CONFIG.example > ># /var/lib/ldap/DB_CONFIG > > cp: cannot stat '/usr/share/openldap-servers/DB_CONFIG.example': No such > > file or directory > > > ># ls -l /usr/share/openldap-servers/DB_CONFIG.example > > ls: cannot access '/usr/share/openldap-servers/DB_CONFIG.example': No > > such file or directory > ># ls -l /etc/openldap/slapd.d/cn=config/olcDatabase={2}mdb.ldif > > ls: cannot access > > '/etc/openldap/slapd.d/cn=config/olcDatabase={2}mdb.ldif': No such file > > or directory > > I don't know where you are getting information about > /usr/share/openldap-servers/DB_CONFIG.example. That doesn't exist in > OpenLDAP 2.5+ > > --Quanah > Thanks Quanah for the quick response. I am following https://unixcop.com/how-to-install-openldap-on-rockylinux-or-centos-8-step-…. Are there any tutorials or guides to setup symas-openldap-servers-2.5.16-1.el8.x86_64 on Red Hat Enterprise Linux release 8.7 (Ootpa)? Please suggest further. Thanks in advance. Best Regards, Kaushal

2 2

lmdb usage in containers
by Vitaly Repin 21 Aug '23

21 Aug '23

Hello, I have a question about usage of the same lmdb database in different containers and in the host machine. So far I just mapped lmdp file in docker-compose.yml: volumes: - "/var/spool/lmdbenv/:/var/spool/lmdbenv/" And I'm reading/writing to/from the database from different containers. Everything seems to work at a first glance. Example of adding an element to lmdb: /usr/bin/python -mlmdb --env /var/spool/lmdbenv edit \ --set "client"="{ \"client_ip\" : \"$client_ip\", \"client_data\" : \"$client_data\" }" Is it the proper use case for lmdb? Is there any special "flush" API which I have to use to make sure that the record inserted in one container becomes visible in another? Thanks in advance! -- WBR & WBW, Vitaly

2 2

Re: [EXT] rhel8 OS rpm spec file
by Kaushal Shriyan 21 Aug '23

21 Aug '23

Hi, Are there any tutorials or guides to configure symas based Openldap server on Red Hat Enterprise Linux release 8.7 (Ootpa)? # rpm -qa | grep openldap symas-openldap-servers-2.5.16-1.el8.x86_64 symas-openldap-servers-selinux-1.0.6-1.el8.noarch symas-openldap-libs-2.5.16-1.el8.x86_64 symas-openldap-clients-2.5.16-1.el8.x86_64 # Please guide me. Thanks in Advance. Best Regards, Kaushal On Wed, Aug 9, 2023 at 11:19 PM Kaushal Shriyan <kaushalshriyan(a)gmail.com> wrote: > > > On Mon, Aug 7, 2023 at 12:01 PM Windl, Ulrich <u.windl(a)ukr.de> wrote: > >> I think the question is somewhat off-topic here: Learn how to build an >> RPM package from elsewhere, maybe >> https://www.redhat.com/sysadmin/create-rpm-package or >> https://developers.redhat.com/blog/2019/03/18/rpm-packaging-guide-creating-… >> or https://linuxconfig.org/how-to-create-an-rpm-package >> >> -----Original Message----- >> From: Kaushal Shriyan <kaushalshriyan(a)gmail.com> >> Sent: Sunday, August 6, 2023 3:51 AM >> To: openldap-technical(a)openldap.org >> Subject: [EXT] rhel8 OS rpm spec file >> >> Hi, >> >> Is there a way to generate openldap-servers.x86_64 rpm spec file from >> https://www.openldap.org/software/download/OpenLDAP/openldap-release/openld… >> >> >> # ll >> total 900 >> -rw-r--r-- 1 1001 1001 11109 Jul 10 21:59 aclocal.m4 >> -rw-r--r-- 1 1001 1001 6100 Jul 10 21:59 ANNOUNCEMENT >> drwxr-xr-x 2 1001 1001 4096 Jul 10 21:59 build >> -rw-r--r-- 1 1001 1001 14120 Jul 10 21:59 CHANGES >> drwxr-xr-x 3 1001 1001 38 Jul 10 21:59 clients >> -rwxr-xr-x 1 1001 1001 753489 Jul 10 21:59 configure >> -rw-r--r-- 1 1001 1001 99724 Jul 10 21:59 configure.ac < >> http://configure.ac> >> drwxr-xr-x 7 1001 1001 129 Jul 10 21:59 contrib >> -rw-r--r-- 1 1001 1001 2345 Jul 10 21:59 COPYRIGHT >> drwxr-xr-x 8 1001 1001 102 Jul 10 21:59 doc >> drwxr-xr-x 3 1001 1001 4096 Jul 10 21:59 include >> -rw-r--r-- 1 1001 1001 3793 Jul 10 21:59 INSTALL >> drwxr-xr-x 8 1001 1001 123 Jul 10 21:59 libraries >> -rw-r--r-- 1 1001 1001 2214 Jul 10 21:59 LICENSE >> -rw-r--r-- 1 1001 1001 1029 Jul 10 21:59 Makefile.in >> -rw-r--r-- 1 1001 1001 3594 Jul 10 21:59 README >> drwxr-xr-x 4 1001 1001 52 Jul 10 21:59 servers >> drwxr-xr-x 5 1001 1001 93 Jul 10 21:59 tests >> # ./configure --help | grep spec >> To assign environment variables (e.g., CC, CFLAGS...), specify them as >> Defaults for the options are specified in brackets. >> --help=short display options specific to this package >> `/usr/local/bin', `/usr/local/lib' etc. You can specify >> --with-odbc with specific ODBC support >> compiler's sysroot if not specified). >> # >> >> Please guide me. >> >> Thanks in Advance. >> >> Best Regards, >> >> Kaushal >> >> > Thanks Quanah and Ulrich for the quick email response. Much appreciated > for guiding me. Thanks once again. > > Best Regards, > > Kaushal >

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2023