openldap-technical September 2023

openldap-technical@openldap.org

18 participants
12 discussions

Plans for the next LTS release?
by Sergio Durigan Junior 01 Feb '24

01 Feb '24

Hi there, Two years ago I sent an announcement mentioning that the OpenLDAP 2.5.x series was accepted for a Micro Release Exception in Ubuntu Jammy (20.04). This meant that I'd be able to release any updates to the 2.5.x series on Jammy, which I have been doing since then. We are now getting ready to work on the next Ubuntu LTS release, which will come out next April. I seem to remember upstream discussions mentioning that the next OpenLDAP LTS release would likely be the 2.7.x series, but I don't remember seeing anything else about it. Are there any plans to start working on the OpenLDAP LTS major series? Thanks a lot, -- Sergio GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

3 5

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

reset openldap root and cn=admin password
by Kaushal Shriyan 02 Oct '23

02 Oct '23

Hi, Is there a way to reset both openldap root and cn=admin password? Please guide me. Thanks in Advance. Best Regards, Kaushal

2 2

Limit number of concurrent sessions to OpenLDAP 2.6.3 server running on windows
by awsome jang 28 Sep '23

28 Sep '23

Hello, I would like to ask if it's possible to limit the number of concurrent sessions of an openldap server running on Windows? I found in FAQ: https://www.openldap.org/faq/data/cache/1126.html https://www.openldap.org/faq/data/cache/1127.html What I understand it requires rebuilding of OpenLDAP but I would like to change it as a parameter. Is there any other way to do it dynamically without recompilation? On Linux there is possibility to configure iptables to limit number of connections: -A RH-Firewall-1-INPUT -p tcp --dport ldaps -m connlimit --connlimit-above 100 -j REJECT Thank you in advance for your response, Best regards, Piotr

1 0

Unable to ldapadd Kerberos schema in LDIF format
by Uwe Sauter 26 Sep '23

26 Sep '23

Dear all, I'm currently experimenting with (MIT) Kerberos and got to the point where I need to add the Kerberos definitions to LDAP (krb5-kdc.ldif). (This is on Rocky Linux 9 with symas-openldap-servers-2.6.6-1.el9.x86_64.) First question: is this the correct schema file or should I use the one provided by MIT Kerberos 1.20.1 (/usr/share/doc/krb5-server-ldap/kerberos.ldif) ? If I use krb5-kdc.ldif I get the following: [root@gateway ~]# cd /opt/symas/etc/openldap/schema/ [root@gateway schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f krb5-kdc.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=krb5-kdc,cn=schema,cn=config" ldap_add: Constraint violation (19) additional info: structuralObjectClass: no user modification allowed Is this a permission issue or does the provided LDIF file contain lines that prevent the addition of the schema? If I use the file provided by MIT Kerberos I get: [root@gateway ~]# cd /usr/share/doc/krb5-server-ldap [root@gateway krb5-server-ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=schema" ldap_modify: Invalid syntax (21) additional info: attributetypes: value #0 invalid per syntax The book I'm following still uses Symas' LDAP 2.4 and thus needs to convert the .schema file to .ldif provided by MIT Kerberos. The procedure is: #### start instructions #### # echo 'include /usr/share/doc/krb5-server-ldap/kerberos.schema' > /tmp/slapd.conf # mkdir /tmp/slapd.d # slaptest -f /tmp/slapd.conf -F /tmp/slapd.d # cp '/tmp/slapd.conf/cn=config/cn=schema/cn={0}kerberos.ldif' /tmp/kerberos.conf Further instructions say: - remove '{0}' in /tmp/kerberos.conf in lines startig with 'dn:' and 'cn:' - add 'cn=schema,cn=config' to the DN - remove the lines containing 'structuralObjectClass', 'entryUUID', 'creatorsName', 'createTimestamp', 'modifiersName', 'modifyTimestamp' and 'entryCSN' at the end of the file After the modifications, there should be only lines containing 'objectClass', 'olcAttributeTypes', 'olcObjectClasses', 'cn' or 'dn'. #### end instructions #### If I follow these instructions and use the converted LDIF file the command succeeds: [root@gateway tmp]# ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif.converted SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=kerberos,cn=schema,cn=config" Is there an explanation for this behavior? Do the files provided by Symas and MIT contain errors? (For convenience I attached all three files to this mail.) Thank you, Uwe

3 4

Help troubleshooting SSL certificates issue
by Jérôme BECOT 26 Sep '23

26 Sep '23

Hello, We have a couple of old ldap servers (Debian 7/openldap 2.4.31) on which we try to replace the certificates. On these servers we have a bundled configuration: # config dn: cn=config olcTLSCACertificateFile: /etc/ldap/tls/multi.deverywa.re.pem olcTLSCertificateFile: /etc/ldap/tls/multi.deverywa.re.pem olcTLSCertificateKeyFile: /etc/ldap/tls/multi.deverywa.re.pem The file is a bundle containing both the certificates (wildcard and it's issuer) and the key. Until this year we just had to upload the new bundle and restart slapd. This year Gandi changed their signing certificate but it is still issued by UserTrust. But OpenLDAP refuses to use it now. We tried to set LogLevel to any, but nothing really showed in the log. On the server side: slapd[9217]: connection_read(16): TLS accept failure error=-1 id=1041, closing On the client side (localhost): openssl s_client -connect localhost:636 -servername ldap.deverywa.re CONNECTED(00000003) 140365161965224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 315 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1695652388 Timeout : 300 (sec) Verify return code: 0 (ok) We still use 2048 RSA key to generate the certificates. We have checked permissions and it is fine. How could I debug what's wrong on the server side ? Thank you -- *Jérôme BECOT* Ingénieur DevOps Infrastructure Téléphone fixe: 01 82 28 37 06 Mobile : +33 757 173 193 Deveryware - 43 rue Taitbout - 75009 PARIS https://www.deveryware.com <https://www.deveryware.com> Deveryware_Logo <https://www.deveryware.com>

4 4

changing certificate and key for autoca
by Stefan Kania 21 Sep '23

21 Sep '23

Hi all, I like to change the certificate and the key for autoca, but I can't find any description how to do it. I tried the following LDIF: --------------- dn: dc=example,dc=net changetype: modify replace: cACertificate;binary cACertificate;binary:< file:///root/mycert/cacert.pem - replace: cAPrivateKey;binary cAPrivateKey;binary:< file:///root/mycert/cakey.pem --------------- I got: --------------- root@ldap-r01:~# ldapmodify -Y external -H ldapi:/// -f change-cert.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "dc=example,dc=net" ldap_modify: Invalid syntax (21) additional info: cACertificate;binary: value #0 invalid per syntax ---------------- So what is the right way to change the certificate and the key? Thank's Stefan

2 4

openldap + bind-dyndb-ldap + bind
by Marc 21 Sep '23

21 Sep '23

Anyone experience with openldap and dyndb from bind? I am getting this: critical extension is not recognized: unable to start SyncRepl session: is RFC 4533 supported by LDAP

5 8

Re: regular yum symas-openldap-servers update breaks permissions on /var/symas/openldap-data
by cYuSeDfZfb cYuSeDfZfb 21 Sep '23

21 Sep '23

Hi, We're seeing this quite consistently. Before updating: [root@ldaps01 log]# ls -l /var/symas/ drwx------. 3 ldap ldap 50 Aug 28 16:28 openldap-data After updating: [root@ldaps01 log]# ls -l /var/symas/ drwx------. 3 root root 50 Aug 28 16:28 openldap-data And afterwards symas-openldap-server (running as ldap:ldap) no longer starts, since permission denied on /var/symas/openldap-data. Reverting the permissions back to ldap:ldap solves it. But...WHY is this happening. Are we somehow encouraged to run openldap as root..? Why would a post-install script reset permissions on /var/symas/openldap-data? Thanks!

2 2

assert error + core dump slapd v 2.6.6
by Frédéric Goudal 14 Sep '23

14 Sep '23

Hello, Openldap version 2.6.6 compiled on ubuntu 22.4 LTS For test purpose I’m trying to add an object with objectClass top+person at the root of my openldap (which is not empty), The dn is cn=toto,dc=my,dc=domain When I do something on this object, the slapd server crash, but when restarted the operation has been done. It seems that it is the accelog database that is causing a problem The error is : 501d0f3.15b397b4 0x7f929fc44700 <= index_entry_add( 5, "reqStart=20230913151043.000000Z,cn=accesslog" ) success 6501d0f3.15b410ee 0x7f929fc44700 => mdb_entry_encode(0x00000005): reqStart=20230913151043.000000Z,cn=accesslog 6501d0f3.15b4564d 0x7f929fc44700 <= mdb_entry_encode(0x00000005): reqStart=20230913151043.000000Z,cn=accesslog 6501d0f3.15e04a0b 0x7f929fc44700 mdb_add: added id=00000005 dn="reqStart=20230913151043.000000Z,cn=accesslog" 6501d0f3.15e0bab7 0x7f929fc44700 send_ldap_result: conn=1000 op=12 p=3 6501d0f3.15e0f6a9 0x7f929fc44700 send_ldap_result: err=0 matched="" text="" 6501d0f3.15e1603a 0x7f929fc44700 slap_graduate_commit_csn: removing 0x7f92901234d0 20230913151043.360508Z#000000#057#000000 6501d0f3.15e1c5a6 0x7f929fc44700 accesslog_response: adding minCSN 20230913151043.360508Z#000000#057#000000 6501d0f3.15e20736 0x7f929fc44700 accesslog_response: adding a new csn=20230913151043.360508Z#000000#057#000000 into minCSN 6501d0f3.15e3a20c 0x7f929fc44700 mdb_modify: cn=accesslog 6501d0f3.15e40781 0x7f929fc44700 mdb_dn2entry("cn=accesslog") 6501d0f3.15e45a2d 0x7f929fc44700 => mdb_dn2id("cn=accesslog") 6501d0f3.15e50b53 0x7f929fc44700 <= mdb_dn2id: got id=0x1 6501d0f3.15e57cc9 0x7f929fc44700 => mdb_entry_decode: 6501d0f3.15e5bb28 0x7f929fc44700 <= mdb_entry_decode 6501d0f3.15e5f9b4 0x7f929fc44700 mdb_modify_internal: 0x00000001: cn=accesslog 6501d0f3.15e63487 0x7f929fc44700 <= acl_access_allowed: granted to database root 6501d0f3.15e6881d 0x7f929fc44700 mdb_modify_internal: add minCSN slapd: attr.c:481: attr_merge: Assertion `( nvals == NULL && (*a)->a_nvals == (*a)->a_vals ) || ( nvals != NULL && ( ( (*a)->a_vals == NULL && (*a)->a_nvals == NULL ) || ( (*a)->a_nvals != (*a)->a_vals ) ) )' failed. Aborted (core dumped) Is it a bug ? f.g. — Frédéric Goudal Ingénieur Système, DSI Bordeaux-INP +33 556 84 23 11

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2023