openldap-technical February 2024

openldap-technical@openldap.org

20 participants
18 discussions

LastBind feature
by bourguijl＠gmail.com 08 Feb '24

08 Feb '24

Dears, I'm running openldap 2.5.16 in which I'm using lastbind feature included in source. To enable it, I read that 2 attributs should be inserted in DB config file side, in which I added : olcLastBind: TRUE olcLastBindPrecision: 3600 But it seems that olcLastBindPrecision isn't supported because when I did a slapcat of the configuration of the ldap instance in which both are added, I get following error message : UNKNOWN attributeDescription "OLCLASTBINDPRECISION" inserted. I removed it from my configuration and restarted the slapd then I discovered that attribut "pwdLastSuccess" is well updated but I don't know with which precision (default ??). So, my question is why this parameter isn't supported ? Is there something else to enable ? Thx in advance, Jean-Luc.

2 1

openldap.log file location on Windows environment
by mbalakri＠opentext.com 08 Feb '24

08 Feb '24

Could anyone assist in locating the openldap.log file within a Windows environment? In OpenLDAP version 2.4.58, the log file resided in the same directory as slapd.exe. However, following the upgrade to OpenLDAP 2.5.13, we no longer receive log messages in the openldap.log file. Has the log file's location changed in the recent version? Is there an option available to configure the log file location?

1 1

Upgrade from 2.4.x to 2.6.x
by Sajesh Singh 07 Feb '24

07 Feb '24

Good day OpenLDAP folks. I am looking to upgrade our current OpenLDAP to the latest 2.6 release from my current install of 2.4.44. I am wondering if: 1) Is it possible to have one master running 2.4.44 and another running the latest 2.6 replicating to each other? 2) Is replication possible between hosts that have a mixture of: a) slapd.conf & cn=config b) hdb and mdb Thank you, Saj

2 2

Accesslog requirement for sync replication
by Marc Franquesa 05 Feb '24

05 Feb '24

Hi I have been using replication since long time without any issues (and still without issues), but on recent versions I got this warning on the logs: syncprov_setup_accesslog: couldn't get definition for attribute reqType, is accesslog configured? The answer is no, I never configured accesslog (this why I'm a bit confused, as I never used/needed on my replication setup). After reviewing the documentation I understand that for syncrepl I should load and configure accesslog overlay. Although I have some questions/concerns I haven't been able to found/understand from the documentation and would like someone clarifies: * Is there any way to implement replication without accesslog? (currently I have it but I would like to not get that warning) * If I setup accesslog, do I need to setup a different accesslog DIT for each target DIT I replicate? Or can a single accesslog be shared with 2 different target DITs? I mean: I'm currently replicating both cn=config (dynamic configuration) and the main DIT (so 2 different contexts/DITs/trees) Do I need to use a different accesslog DIT for each one or can they share the same DIT as accesslog ? * Does this log DIT needs to be backup up or is simply a log which I could get rid of in case of recovery? Any comments, hints or simply answers are welcome Thanks

2 3

LMDB cursor position
by M Gurschi 03 Feb '24

03 Feb '24

Hello team, Can you please let me know, when using *mdb_cursor_get* with *MDB_SET* operation, in case the key is not present in the db, where is the cursor left pointing? My scenario is that i want to retrieve two adjacent keys. 1. first *mdb_cursor_get* with *MDB_SET* 2. after that, *mdb_cursor_get* with *MDB_NEXT* I'm wondering what can i expect the cursor to point at in case the key is not found in step 1. Kind Regards, Maxim Gurschi

2 7

otp vs totp
by Quanah Gibson-Mount 02 Feb '24

02 Feb '24

--On Thursday, February 1, 2024 10:55 AM +0100 Bastian Tweddell <b.tweddell(a)fz-juelich.de> wrote: > The reason was, that we use it as a TOTP-only solution. > I had a testsetup with slapo-otp as well, but this module required > userPassword + TOTP, IIRC; where we cannot not have userPassword. > > Our setup is to use TOTP as 2FA for ssh logins against the centralized > LDAP infrstructure. The ssh-login 1FA is ssh pubkey (also in LDAP) and > 2FA is TOTP. To achieve this we use a PAM module which does an ldapbind > against the user-DN which has the userPassword schema '{TOTP1}'. > > Maybe I wrong or outdated here and slapo-opt also supports TOTP-only > authentication now? After discussion in today's project team meeting, we've opened an issue to have this supported by slapo-otp in the future: <https://bugs.openldap.org/show_bug.cgi?id=10169> If you follow that bug, once a solution is in, we'd always welcome testing of it. :) Regards, Quanah

2 1

Plans for the next LTS release?
by Sergio Durigan Junior 01 Feb '24

01 Feb '24

Hi there, Two years ago I sent an announcement mentioning that the OpenLDAP 2.5.x series was accepted for a Micro Release Exception in Ubuntu Jammy (20.04). This meant that I'd be able to release any updates to the 2.5.x series on Jammy, which I have been doing since then. We are now getting ready to work on the next Ubuntu LTS release, which will come out next April. I seem to remember upstream discussions mentioning that the next OpenLDAP LTS release would likely be the 2.7.x series, but I don't remember seeing anything else about it. Are there any plans to start working on the OpenLDAP LTS major series? Thanks a lot, -- Sergio GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

3 5

UNKNOWN attributeDescription "..." inserted.
by Bastian Tweddell 01 Feb '24

01 Feb '24

Dear all, We are facing 'UNKNOWN attributeDescription' errors in our infrastructure, caused by two different reasons. I realized those only by using `slapcat` which prints the following error/warning message to STDERR: ``` UNKNOWN attributeDescription "..." inserted. ``` In both cases, this issue does not degrade the production of our system. All operations including syncreplication are working in normal parameter. Case A: In our production, a dedicated slapd syncrepl consumer has the totp module from contrib enabled and ldapbind calls against '{TOTP1}' are performed. This module introduces a new attribute "authTimestamp". IIUC, `slapcat` cannot know about this attribute, because it is not in the config. But attributes of that type are stored in the MDB. I'd like to ask: - How should we deal with this situation? - Is it safe to continue as is or should we define the attribute "authTimestamp" in our schema extension as well? Case B: We are about to remove some attribute definitions from our schema extension. These are obsolete and not in use in the DB anymore. On the testbed slapd+syncrepl works as expected. But here as well, even though that the DB does not contain any of the obsolete attributes in any entry, `slapcat` throws the same error/warning for all removed attributes from the schema file. My first approach was to re-index the database (even with truncate mode), which did not solve the situation. Stopping the consumer slapd, removing the mdb files and restarting the syncrepl solves it. But on production I would not want to do re-sync everything unnecessarily (it would be possible though). I'd like to ask here: - Is there a way to cleanup MDB from obsolete attributes? - Where/how are those attributes referenced in MDB? - Would it harm to ignore those errors? - Is the removal of attribute definitions from the schema not supported/suggested at all? Btw, we are running slapd 2.6.3 with mdb backend. (Upgrade to 2.6.7 is in planning now). During the composition of this mail, further issues came up with slapd-totp and I would like to add some follow-up questions here. If you prefer, I'll write another mail or I could open an issue on bugzilla. 1. By reading some code in slapd-totp.c I recognized that the introduced attribute authTimestamp is SINGLE-VALUE. But slapcat reveals that entries have multiple values of authTimestamp. This sounds not correct to me. 2. In slapd-totp.c: line 856 and 873 both call `ch_calloc` for the same structm, shadowing the same pointer. This looks like a memory leak to me, because also only one free is called. (I might be wrong though). Many thanks in advance, -- Bastian Tweddell Juelich Supercomputing Centre phone: +49 (2461) 61-6586 High Performance Systems --------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------- Forschungszentrum Jülich GmbH 52425 Jülich Sitz der Gesellschaft: Jülich Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Stefan Müller Geschäftsführung: Prof. Dr. Astrid Lambrecht (Vorsitzende), Karsten Beneke (stellv. Vorsitzender), Dr. Ir. Pieter Jansens --------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------

3 6

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2024