Problem with "force user to password reset at first login"
by Rajagopal Rc
Hi,
I am trying to force users to change their password at first login or after a password reset by the administrator.
I tried the following:
1) Password policy 'pwdMustChange TRUE' doesn't seem to be working, as none of the users get a prompt to change their password at first login.
2) Used the 'pwdReset TRUE' attribute in the user's attributes; it won't prompt to change the password and didn't allow login.
I observe the messages below in the log:
slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Please help me configure the option to force all users to change their password at first login or after a password reset by the administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
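As an added example (not part of the post, and not slapd's own code), the Python below models the pwdReset behaviour the log lines show: the bind itself succeeds, but the first search on that connection gets err=50 until a password-modify operation is performed, which is why an application that searches right after binding reports a failed login. It also shows pwdMustChange TRUE turning pwdReset on again after an administrator resets the password. Entry names and passwords are constructed.

```python
"""Model of how OpenLDAP's ppolicy overlay handles pwdReset (added example).

This is not slapd code; it is a small simulation of the behaviour behind the
log lines in the post. After a successful bind to an entry whose operational
attribute pwdReset is TRUE, the connection is restricted to
bind/unbind/abandon/StartTLS/password-modify, and every other request is
answered with resultCode 50 until the user changes the password. With
pwdMustChange: TRUE in the policy, a password set by someone other than the
entry itself (an administrator reset) turns pwdReset on again.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

UNWILLING_TO_PERFORM = 50
RESTRICTED_TEXT = ("Operations are restricted to "
                   "bind/unbind/abandon/StartTLS/modify password")
ALLOWED_WHILE_RESET = {"bind", "unbind", "abandon", "starttls", "passwd_modify"}

Result = Tuple[int, str]


@dataclass
class Policy:
    pwdMustChange: bool = True


@dataclass
class Entry:
    dn: str
    userPassword: str
    pwdReset: bool = False


@dataclass
class Connection:
    bound_dn: Optional[str] = None
    restricted: bool = False


class Directory:
    """Minimal server: entries, one policy, and the pwdReset restriction."""

    def __init__(self, policy: Policy, entries):
        self.policy = policy
        self.entries = {e.dn: e for e in entries}

    def bind(self, conn: Connection, dn: str, password: str) -> Result:
        entry = self.entries.get(dn)
        if entry is None or entry.userPassword != password:
            return 49, "invalidCredentials"
        conn.bound_dn = dn
        conn.restricted = entry.pwdReset   # "connection restricted to password changing only"
        return 0, "success"

    def search(self, conn: Connection) -> Result:
        return self._op(conn, "search", lambda: (0, "entries returned"))

    def passwd_modify(self, conn: Connection, new_password: str) -> Result:
        """RFC 3062 password modify by the bound user: clears pwdReset."""
        def change() -> Result:
            entry = self.entries[conn.bound_dn]
            entry.userPassword = new_password
            entry.pwdReset = False
            conn.restricted = False
            return 0, "password changed"
        return self._op(conn, "passwd_modify", change)

    def admin_reset(self, conn: Connection, target_dn: str, new_password: str) -> Result:
        """Modify of userPassword on someone else's entry."""
        def reset() -> Result:
            entry = self.entries[target_dn]
            entry.userPassword = new_password
            if self.policy.pwdMustChange and conn.bound_dn != target_dn:
                entry.pwdReset = True   # forces a change at the user's next bind
            return 0, "reset"
        return self._op(conn, "modify", reset)

    def _op(self, conn: Connection, name: str, action: Callable[[], Result]) -> Result:
        if conn.bound_dn is None:
            return 1, "operationsError: not bound"   # anonymous access not modelled
        if conn.restricted and name not in ALLOWED_WHILE_RESET:
            return UNWILLING_TO_PERFORM, RESTRICTED_TEXT
        return action()


def first_login_flow():
    """Replay the sequence from the post and return the result codes:
    (bind, search before change, password change, search after change)."""
    directory = Directory(Policy(pwdMustChange=True), [
        Entry("cn=admin,dc=example,dc=com", "adminpw"),
        Entry("uid=raj,dc=example,dc=com", "initial"),   # constructed sample user
    ])
    admin = Connection()
    directory.bind(admin, "cn=admin,dc=example,dc=com", "adminpw")
    directory.admin_reset(admin, "uid=raj,dc=example,dc=com", "temp123")

    user = Connection()
    bind_rc, _ = directory.bind(user, "uid=raj,dc=example,dc=com", "temp123")
    search_rc, _ = directory.search(user)       # 50: an application "login" fails here
    change_rc, _ = directory.passwd_modify(user, "newsecret")
    after_rc, _ = directory.search(user)        # 0: restriction lifted
    return bind_rc, search_rc, change_rc, after_rc


if __name__ == "__main__":
    print(first_login_flow())
```

The model is deliberately simplified (no anonymous access, no pwdChangedTime bookkeeping); the point is the order of operations a client must follow: bind, then the password-modify extended operation, and only then anything else.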
Plans for the next LTS release?
by Sergio Durigan Junior
Hi there,
Two years ago I sent an announcement mentioning that the OpenLDAP 2.5.x
series was accepted for a Micro Release Exception in Ubuntu Jammy
(20.04). This meant that I'd be able to release any updates to the
2.5.x series on Jammy, which I have been doing since then.
We are now getting ready to work on the next Ubuntu LTS release, which
will come out next April. I seem to remember upstream discussions
mentioning that the next OpenLDAP LTS release would likely be the 2.7.x
series, but I don't remember seeing anything else about it. Are there
any plans to start working on the OpenLDAP LTS major series?
Thanks a lot,
--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
Unable to ldapadd Kerberos schema in LDIF format
by Uwe Sauter
Dear all,
I'm currently experimenting with (MIT) Kerberos and got to the point where I need to add the Kerberos definitions to LDAP (krb5-kdc.ldif). (This is on Rocky Linux 9 with symas-openldap-servers-2.6.6-1.el9.x86_64.)
First question: is this the correct schema file or should I use the one provided by MIT Kerberos 1.20.1
(/usr/share/doc/krb5-server-ldap/kerberos.ldif) ?
If I use krb5-kdc.ldif I get the following:
[root@gateway ~]# cd /opt/symas/etc/openldap/schema/
[root@gateway schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f krb5-kdc.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=krb5-kdc,cn=schema,cn=config"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
Is this a permission issue or does the provided LDIF file contain lines that prevent the addition of the schema?
If I use the file provided by MIT Kerberos I get:
[root@gateway ~]# cd /usr/share/doc/krb5-server-ldap
[root@gateway krb5-server-ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=schema"
ldap_modify: Invalid syntax (21)
additional info: attributetypes: value #0 invalid per syntax
The book I'm following still uses Symas' OpenLDAP 2.4 and thus needs to convert the .schema file provided by MIT Kerberos to .ldif. The procedure is:
#### start instructions ####
# echo 'include /usr/share/doc/krb5-server-ldap/kerberos.schema' > /tmp/slapd.conf
# mkdir /tmp/slapd.d
# slaptest -f /tmp/slapd.conf -F /tmp/slapd.d
# cp '/tmp/slapd.d/cn=config/cn=schema/cn={0}kerberos.ldif' /tmp/kerberos.conf
Further instructions say:
- remove '{0}' in /tmp/kerberos.conf in lines starting with 'dn:' and 'cn:'
- add 'cn=schema,cn=config' to the DN
- remove the lines containing 'structuralObjectClass', 'entryUUID', 'creatorsName', 'createTimestamp', 'modifiersName', 'modifyTimestamp' and 'entryCSN' at the end of the file
After the modifications, there should be only lines containing 'objectClass', 'olcAttributeTypes', 'olcObjectClasses', 'cn' or 'dn'.
#### end instructions ####
If I follow these instructions and use the converted LDIF file the command succeeds:
[root@gateway tmp]# ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif.converted
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=kerberos,cn=schema,cn=config"
Is there an explanation for this behavior? Do the files provided by Symas and MIT contain errors?
(For convenience I attached all three files to this mail.)
Thank you,
Uwe
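As an added example (not from the post or the book it quotes), here is a Python script that performs the manual conversion steps above on a slaptest-generated schema file. One detail the instructions leave implicit: LDIF folds long values onto continuation lines that begin with a space, so an attribute that is dropped must take its continuation lines with it, and a '{0}' may only be stripped once the lines are unfolded. The sample input is constructed, with placeholder OIDs.

```python
"""Convert a slaptest-generated schema entry (e.g. cn={0}kerberos.ldif) into
an LDIF that ldapadd can load under cn=schema,cn=config (added example, not
from the post or the book it quotes).

It performs the manual steps from the instructions: strip the '{0}' ordering
index from the dn: and cn: lines, append ',cn=schema,cn=config' to the dn,
and drop the operational attributes slaptest wrote. Lines are unfolded first
so that a dropped attribute's folded continuation lines go with it. The
'{0}' prefixes on olcAttributeTypes/olcObjectClasses values are left alone;
cn=config accepts them as ordering indices.
"""
import re
import sys

OPERATIONAL_ATTRS = {"structuralObjectClass", "entryUUID", "creatorsName",
                     "createTimestamp", "modifiersName", "modifyTimestamp",
                     "entryCSN"}
INDEX_RE = re.compile(r"\{\d+\}")


def unfold(lines):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def convert_schema_ldif(text):
    """Return the cleaned LDIF text for the schema entry in `text`."""
    kept = []
    for line in unfold(text.splitlines()):
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr in OPERATIONAL_ATTRS:
            continue                       # drops the value and its folded lines
        if attr == "dn":
            line = f"dn: {INDEX_RE.sub('', value)},cn=schema,cn=config"
        elif attr == "cn":
            line = f"cn: {INDEX_RE.sub('', value)}"
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample resembling slaptest output; the OIDs are placeholders.
SAMPLE = """\
dn: cn={0}kerberos
objectClass: olcSchemaConfig
cn: {0}kerberos
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'krbPrincipalName'
  EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.
 1466.115.121.1.26 )
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.2.1 NAME 'krbPrincipalAux' SUP top
  AUXILIARY MAY ( krbPrincipalName ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20230901120000Z
entryCSN: 20230901120000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20230901120000Z
"""

if __name__ == "__main__":
    # usage: convert_schema.py /tmp/kerberos.conf > kerberos.ldif.converted
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(convert_schema_ldif(src))
```

The output is written with each value on one long line; ldapadd accepts that, and it avoids re-folding a value in the middle of an OID.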
Help troubleshooting SSL certificates issue
by Jérôme BECOT
Hello,
We have a couple of old LDAP servers (Debian 7 / OpenLDAP 2.4.31) on which we are trying to replace the certificates. On these servers we have a bundled configuration:
# config
dn: cn=config
olcTLSCACertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
olcTLSCertificateFile: /etc/ldap/tls/multi.deverywa.re.pem
olcTLSCertificateKeyFile: /etc/ldap/tls/multi.deverywa.re.pem
The file is a bundle containing both the certificates (wildcard and its issuer) and the key. Until this year we just had to upload the new bundle and restart slapd. This year Gandi changed their signing certificate, but it is still issued by UserTrust. OpenLDAP refuses to use it now.
We tried to set LogLevel to any, but nothing really showed in the log.
On the server side:
slapd[9217]: connection_read(16): TLS accept failure error=-1 id=1041, closing
On the client side (localhost):
openssl s_client -connect localhost:636 -servername ldap.deverywa.re
CONNECTED(00000003)
140365161965224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1695652388
Timeout : 300 (sec)
Verify return code: 0 (ok)
We still use a 2048-bit RSA key to generate the certificates. We have checked the permissions and they are fine. How could I debug what's wrong on the server side?
Thank you
--
*Jérôme BECOT*
Ingénieur DevOps Infrastructure
Téléphone fixe: 01 82 28 37 06
Mobile : +33 757 173 193
Deveryware - 43 rue Taitbout - 75009 PARIS
https://www.deveryware.com
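An added example, not from the post: a standard-library Python check of the kind of PEM bundle used above for olcTLSCertificateFile, olcTLSCertificateKeyFile and olcTLSCACertificateFile. It reports the block order, confirms each base64 body decodes to DER, and flags an encrypted private key, which slapd cannot use because it never prompts for a passphrase. The sample bundles are constructed (the DER inside is an ASN.1 SEQUENCE stub, not a real certificate); the script does not verify signatures, chain order or expiry, which needs openssl or a crypto library.

```python
"""Structural check of a PEM bundle used for olcTLSCertificateFile,
olcTLSCertificateKeyFile and olcTLSCACertificateFile (added example, not
from the post). Standard library only: splits the bundle into PEM blocks,
verifies that each base64 body decodes to DER (ASN.1 SEQUENCE, 0x30), and
reports block order, key type and an encrypted key. It does not check
signatures or expiry; that needs openssl or a crypto library.
"""
import base64
import binascii
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
                    re.DOTALL)
KEY_TYPES = {"RSA PRIVATE KEY": "PKCS#1 RSA", "EC PRIVATE KEY": "SEC1 EC",
             "PRIVATE KEY": "PKCS#8", "ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted"}


def pem_blocks(text):
    """Yield (label, der_or_None, encrypted) for every PEM block in text."""
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2).replace("\r", "")
        encrypted = label.startswith("ENCRYPTED")
        if ":" in body.split("\n", 1)[0]:        # legacy headers: Proc-Type, DEK-Info
            headers, _, body = body.partition("\n\n")
            encrypted = encrypted or "ENCRYPTED" in headers
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = None
        yield label, der, encrypted


def inspect_bundle(text):
    """Return findings; an empty 'problems' list means the bundle looks usable."""
    order, problems, key_types = [], [], []
    for label, der, encrypted in pem_blocks(text):
        order.append(label)
        if not der or der[0] != 0x30:
            problems.append(f"{label}: body is not base64-encoded DER")
        if label in KEY_TYPES:
            key_types.append(KEY_TYPES[label])
            if encrypted:
                problems.append("private key is encrypted; slapd cannot prompt for a passphrase")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block type {label!r}")
    certs = order.count("CERTIFICATE")
    if certs == 0:
        problems.append("no CERTIFICATE block")
    if len(key_types) != 1:
        problems.append(f"expected exactly one private key, found {len(key_types)}")
    return {"order": order, "certificates": certs, "key_types": key_types,
            "problems": problems}


def _pem(label, der):
    """Build a PEM block (used only for the constructed samples below)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


# Constructed: a tiny ASN.1 SEQUENCE, not a real certificate or key.
FAKE_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_OK = (_pem("CERTIFICATE", FAKE_DER) + _pem("CERTIFICATE", FAKE_DER)
             + _pem("RSA PRIVATE KEY", FAKE_DER))
SAMPLE_ENCRYPTED = _pem("CERTIFICATE", FAKE_DER) + (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "MAYCAQECAQI=\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    # usage: inspect_bundle.py /etc/ldap/tls/bundle.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OK
    for key, value in inspect_bundle(text).items():
        print(f"{key}: {value}")
```

Run it against the bundle referenced by the three olcTLS* attributes; an empty problems list rules out the file-format failures, after which key/certificate mismatch and chain validity are the next things to check with openssl.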
changing certificate and key for autoca
by Stefan Kania
Hi all,
I'd like to change the certificate and the key for autoca, but I can't find any description of how to do it. I tried the following LDIF:
---------------
dn: dc=example,dc=net
changetype: modify
replace: cACertificate;binary
cACertificate;binary:< file:///root/mycert/cacert.pem
-
replace: cAPrivateKey;binary
cAPrivateKey;binary:< file:///root/mycert/cakey.pem
---------------
I got:
---------------
root@ldap-r01:~# ldapmodify -Y external -H ldapi:/// -f change-cert.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "dc=example,dc=net"
ldap_modify: Invalid syntax (21)
additional info: cACertificate;binary: value #0 invalid per syntax
----------------
So what is the right way to change the certificate and the key?
Thanks
Stefan
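An added example, not from the post and not part of the autoca overlay itself. It assumes that cACertificate;binary and cAPrivateKey;binary hold DER: the LDAP Certificate syntax is DER-encoded (RFC 4523), and the private key is assumed to be stored the same way. ldapmodify's ':< file://' form loads a file's bytes verbatim, so a PEM file hands slapd base64 text where DER is expected. The Python below decodes PEM to DER and writes the same modify LDIF with base64 '::' values instead. The sample PEM is constructed; the suffix DN follows the post.

```python
"""Build the LDIF needed to replace autoca's CA certificate and key from PEM
files (added example, not from the post and not part of the autoca overlay).

Assumption: cACertificate;binary and cAPrivateKey;binary hold DER. The LDAP
Certificate syntax is DER-encoded (RFC 4523), and the key is assumed to be
stored the same way. ldapmodify's ':< file://' form reads a file's bytes
verbatim, so pointing it at a PEM file is what 'value #0 invalid per syntax'
reports. This script decodes the PEM body to DER and emits it as a base64
'::' LDIF value.
"""
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_to_der(pem_text, want=None):
    """DER bytes of the first PEM block, or of the first block labelled `want`."""
    for m in PEM_RE.finditer(pem_text):
        if want is None or m.group(1) == want:
            return base64.b64decode("".join(m.group(2).split()), validate=True)
    raise ValueError("no matching PEM block found")


def ldif_b64(attr, raw, width=76):
    """'attr:: <base64>' folded the LDIF way: continuation lines start with one space."""
    line = f"{attr}:: {base64.b64encode(raw).decode()}"
    chunks = [line[:width]] + [line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join([chunks[0]] + [" " + c for c in chunks[1:]])


def build_autoca_ldif(suffix_dn, cert_pem, key_pem):
    """Modify LDIF replacing both attributes on the suffix entry, as in the post."""
    cert_der = pem_to_der(cert_pem, "CERTIFICATE")
    key_der = pem_to_der(key_pem)      # RSA PRIVATE KEY or PRIVATE KEY, whichever the file holds
    return "\n".join([
        f"dn: {suffix_dn}",
        "changetype: modify",
        "replace: cACertificate;binary",
        ldif_b64("cACertificate;binary", cert_der),
        "-",
        "replace: cAPrivateKey;binary",
        ldif_b64("cAPrivateKey;binary", key_der),
        "",
    ])


# Constructed sample PEM: the body is a tiny ASN.1 SEQUENCE, not a real certificate or key.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAYCAQECAQI=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAYCAQECAQI=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    if len(sys.argv) == 4:     # usage: autoca_ldif.py 'dc=example,dc=net' cacert.pem cakey.pem
        cert_pem, key_pem = open(sys.argv[2]).read(), open(sys.argv[3]).read()
        print(build_autoca_ldif(sys.argv[1], cert_pem, key_pem), end="")
    else:
        print(build_autoca_ldif("dc=example,dc=net", SAMPLE_CERT, SAMPLE_KEY), end="")
```

Feed the output to ldapmodify the same way as the LDIF in the post; the private key is written into the LDIF file, so keep that file with the same permissions as the key itself and remove it afterwards.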
openldap + bind-dyndb-ldap + bind
by Marc
Anyone experience with openldap and dyndb from bind?
I am getting this:
critical extension is not recognized: unable to start SyncRepl session: is RFC 4533 supported by LDAP
Re: regular yum symas-openldap-servers update breaks permissions on /var/symas/openldap-data
by cYuSeDfZfb cYuSeDfZfb
Hi,
We're seeing this quite consistently.
Before updating:
[root@ldaps01 log]# ls -l /var/symas/
drwx------. 3 ldap ldap 50 Aug 28 16:28 openldap-data
After updating:
[root@ldaps01 log]# ls -l /var/symas/
drwx------. 3 root root 50 Aug 28 16:28 openldap-data
And afterwards symas-openldap-server (running as ldap:ldap) no longer starts, since permission is denied on /var/symas/openldap-data.
Reverting the permissions back to ldap:ldap solves it. But... WHY is this happening?
Are we somehow encouraged to run openldap as root..?
Why would a post-install script reset permissions on /var/symas/openldap-data?
Thanks!
assert error + core dump slapd v 2.6.6
by Frédéric Goudal
Hello,
OpenLDAP version 2.6.6 compiled on Ubuntu 22.04 LTS.
For test purposes I'm trying to add an object with objectClass top+person at the root of my OpenLDAP (which is not empty).
The DN is cn=toto,dc=my,dc=domain.
When I do something on this object, the slapd server crashes, but when restarted the operation has been done. It seems that it is the accesslog database that is causing the problem.
The error is:
6501d0f3.15b397b4 0x7f929fc44700 <= index_entry_add( 5, "reqStart=20230913151043.000000Z,cn=accesslog" ) success
6501d0f3.15b410ee 0x7f929fc44700 => mdb_entry_encode(0x00000005): reqStart=20230913151043.000000Z,cn=accesslog
6501d0f3.15b4564d 0x7f929fc44700 <= mdb_entry_encode(0x00000005): reqStart=20230913151043.000000Z,cn=accesslog
6501d0f3.15e04a0b 0x7f929fc44700 mdb_add: added id=00000005 dn="reqStart=20230913151043.000000Z,cn=accesslog"
6501d0f3.15e0bab7 0x7f929fc44700 send_ldap_result: conn=1000 op=12 p=3
6501d0f3.15e0f6a9 0x7f929fc44700 send_ldap_result: err=0 matched="" text=""
6501d0f3.15e1603a 0x7f929fc44700 slap_graduate_commit_csn: removing 0x7f92901234d0 20230913151043.360508Z#000000#057#000000
6501d0f3.15e1c5a6 0x7f929fc44700 accesslog_response: adding minCSN 20230913151043.360508Z#000000#057#000000
6501d0f3.15e20736 0x7f929fc44700 accesslog_response: adding a new csn=20230913151043.360508Z#000000#057#000000 into minCSN
6501d0f3.15e3a20c 0x7f929fc44700 mdb_modify: cn=accesslog
6501d0f3.15e40781 0x7f929fc44700 mdb_dn2entry("cn=accesslog")
6501d0f3.15e45a2d 0x7f929fc44700 => mdb_dn2id("cn=accesslog")
6501d0f3.15e50b53 0x7f929fc44700 <= mdb_dn2id: got id=0x1
6501d0f3.15e57cc9 0x7f929fc44700 => mdb_entry_decode:
6501d0f3.15e5bb28 0x7f929fc44700 <= mdb_entry_decode
6501d0f3.15e5f9b4 0x7f929fc44700 mdb_modify_internal: 0x00000001: cn=accesslog
6501d0f3.15e63487 0x7f929fc44700 <= acl_access_allowed: granted to database root
6501d0f3.15e6881d 0x7f929fc44700 mdb_modify_internal: add minCSN
slapd: attr.c:481: attr_merge: Assertion `( nvals == NULL && (*a)->a_nvals == (*a)->a_vals ) || ( nvals != NULL && ( ( (*a)->a_vals == NULL && (*a)->a_nvals == NULL ) || ( (*a)->a_nvals != (*a)->a_vals ) ) )' failed.
Aborted (core dumped)
Is it a bug ?
f.g.
—
Frédéric Goudal
Ingénieur Système, DSI Bordeaux-INP
+33 556 84 23 11