openldap-technical

openldap-technical@openldap.org

2 participants
9931 discussions

Symas OpenLDAP 2.6.10-1 on EL8/EL9: SASL library version mismatch (expects 2.1.29, repos provide 2.1.28)
by anilkumar.pathuri7＠gmail.com 03 Oct '25

03 Oct '25

Hello Symas Support Team, We’re attempting to standardize on Symas OpenLDAP 2.6.10-1 across our fleet (RHEL/Rocky 8.10 and 9.6, x86_64). After upgrading, the binaries emit a SASL ABI error: ldap_int_sasl_init: SASL library version mismatch: expected 2.1.29, got 2.1.28 Environment OS: Rocky Linux 8.10, Rocky Linux 9.6, RHEL 8.10, RHEL 9.6 (x86_64) Symas repo: soldap-release26 (EL8 and EL9) Packages we installed (EL8/EL9): symas-openldap-servers-2.6.10-1.el8/.el9 symas-openldap-clients-2.6.10-1.el8/.el9 symas-openldap-libs-2.6.10-1.el8/.el9 symas-openldap-devel-2.6.10-1.el8/.el9 SASL packages visible in the repos: symas-cyrus-sasl-libs 2.1.28 (and variants like 2.1.28+20230721-1), no 2.1.29 listing on EL8 or EL9 dnf list --showduplicates symas-cyrus-sasl-libs on EL8 and EL9 shows only 2.1.28 builds in soldap-release26; no 2.1.29. Could you please advise us on how we can resolve this issue? Regards, Anil

2 1

Debian 13
by Stefan Kania 29 Sep '25

29 Sep '25

Will there be packages for Debian 13 soon, or can I use the Debian 12 packages on Debian 13? Thank you for the answer -- Stefan

2 1

Request rate limiting
by BECOT Jérôme 24 Sep '25

24 Sep '25

Hello, Is there any way to limit bind query rates or any operation rate in OpenLDAP or in conjunction of another proxy ? Any advice appreciated Regards Jerome

5 5

logs on stderr don't enforce olcLogFileFormat
by David Coutadeur 18 Sep '25

18 Sep '25

Hi everyone! I don't know if this is intended or not, but when I run OpenLDAP with logs attached on stderr, like: ./slapd -h 'ldap://*:389 ldaps://*:636' -F ./slapd.d -u ldap -g ldap -d 256 the logs do not enforce olcLogFileFormat. For example: 68b6fe23.27b26379 0x7fe756a70e40 @(#) $OpenLDAP: slapd 2.6.10 (May 21 2025 22:00:00) $ instead of: Sep 02 16:21:50 hostname slapd[12345]: slapd starting Is this the expected behaviour? If so, are there any plans for having an option to set the date in stderr logs? Thanks in advance for any response! Regards, -- David Coutadeur | IAM integrator david.coutadeur(a)worteks.com +33 7 88 46 85 34 16 avenue Hoche, Paris 75008 Worteks | https://www.worteks.com

2 4

slapcat dump seems incomplete (attributes missing)
by Windl, Ulrich 15 Sep '25

15 Sep '25

Hi! After a long time I checked the database dump I had created with slapcat in OpenLDAP 2.5. I always thought that all attributes from the database were saved, but it seems some attributes related to password policy aren't: Specifically I cannot find the pwdChangedTime that is there when searching for it. I also miss the pwdHistory, but the pwdPolicySubentry attribute is there. When I compare the dump with the last one created with OpenLDAP 2.4, I see that those attributes (pwdChangedTime, pwdHistory) are still there. That makes me wonder: Is it a bug in OpenLDAP, or is it a bug in my configuration? As I understand it, ACLs should not play a role for slapcat, right? The command I'm using is "slapcat -o ldif-wrap=no -n $DBNUM -F $CONFDIR -g -l "$TMPFILE1" Module load order is: olcModuleLoad: {0}back_mdb.so olcModuleLoad: {1}syncprov.so olcModuleLoad: {2}accesslog.so olcModuleLoad: {3}ppolicy.so olcModuleLoad: {4}refint.so olcModuleLoad: {5}pw-sha2.so olcModuleLoad: {6}lastbind.so Mit freundlichen Grüßen Ulrich Windl Klinikum der Universität Regensburg IT / Infrastruktur Franz-Josef-Strauß-Allee 11 D-93053 Regensburg Tel: +49 941 944-13816 Softphone: +49 941 944-801142 FAX: +49 941 944-5882

2 2

LDAP race condition with ldap_initialize API in OpenLDAP 2.6.7
by venugopal chinnakotla 09 Sep '25

09 Sep '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP C sdk for our application client code. We are using OpenLDAP 2.6.7. As part of this migration activity,we used ldap_initialize() API for initializing and getting LDAP Handle. Our application supports multi threading. So, ldap_initialize() API will be called from multi threaded code. For example, 2 threads will call ldap_initialize() at same time/simultaneously. When 2 threads call ldap_initialize() at same time, sometimes observed a race condition during this API call. Due to this, the next api calls ldap_simple_bind_s or ldap_start_tls_s are getting failed for 2 threads and it is not recovered automatically until restarts our applications. We observed this race condition multiple times. Because of this issue, we are unable to start our application and it becomes a blocker for us to proceed further. After checking ldap_initialze() API code from openldap source code, noticed that race condition happened while initializing/setting global options. Are there any known issues with OpenLDAP when we use it in multi thread supported applications? Could you please check and provide a solution. Thank you for your help.

2 1

Need information related to multi thread support in OpenLDAP c sdk client
by venugopal chinnakotla 09 Sep '25

09 Sep '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP c sdk for our application client code. As part of this activity, replacing API one by one and also looking for constant replacement. In NSLDAP C SDK: /* * Thread function callbacks (an API extension -- * LDAP_API_FEATURE_X_THREAD_FUNCTIONS). */ #define LDAP_OPT_THREAD_FN_PTRS 0x05 /* 5 - API extension */ /* * Thread callback functions: */ typedef void *(LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_ALLOC_CALLBACK)( void ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_FREE_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_LOCK_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_UNLOCK_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_GET_ERRNO_CALLBACK)( void ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_SET_ERRNO_CALLBACK)( int e ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_GET_LDERRNO_CALLBACK)( char **matchedp, char **errmsgp, void *arg ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_SET_LDERRNO_CALLBACK)( int err, char *matched, char *errmsg, void *arg ); /* * Structure to hold thread function pointers: */ struct ldap_thread_fns { LDAP_TF_MUTEX_ALLOC_CALLBACK *ltf_mutex_alloc; LDAP_TF_MUTEX_FREE_CALLBACK *ltf_mutex_free; LDAP_TF_MUTEX_LOCK_CALLBACK *ltf_mutex_lock; LDAP_TF_MUTEX_UNLOCK_CALLBACK *ltf_mutex_unlock; LDAP_TF_GET_ERRNO_CALLBACK *ltf_get_errno; LDAP_TF_SET_ERRNO_CALLBACK *ltf_set_errno; LDAP_TF_GET_LDERRNO_CALLBACK *ltf_get_lderrno; LDAP_TF_SET_LDERRNO_CALLBACK *ltf_set_lderrno; void *ltf_lderrno_arg; }; nsldap c sdk has thread function pointers option to support multi thread functionality for client programs. In our existing code, we are using 'LDAP_OPT_THREAD_FN_PTRS' option with ldap_set_option API like "Client code usage: ldap_set_option(hLDAP, LDAP_OPT_THREAD_FN_PTRS, &tfns);". Now, we are looking for similar functionality within OpenLDAP to use it in our client program. I Went through OpenLDAP documents and source code, but to my knowledge, did not get any equivalent one. Could you please provide more details on this to achieve equivalent functionality of LDAP_OPT_THREAD_FN_PTRS with OpenLDAP? Thank you

2 1

Stale objects in mdb backend
by Matwey Kornilov 03 Sep '25

03 Sep '25

Hello, I am running OpenLDAP (slapd 2.4.49) on Ubuntu with an MDB backend configured for the suffix o=bar,dc=foo. With a help of slapcat, I have discovered stale data: several objects with the suffix dc=bar,dc=foo are physically present in the same MDB database files. These were likely created by the default Ubuntu installer before the entire configuration was manually replaced. However, /var/lib/ldap remained unnoticed at that time, and then production data were appended to this initial one. Is there a method to delete these specific dc=bar,dc=foo entries without taking the server offline and rebuilding the entire database from an LDIF export with slapcat+slapadd? ldapsearch seems to be uncapable to deal with this stale data. Thanks in advance.

1 0

RE: [EXT] Re: Re: Understanding ldappasswd: ldap_bind: Invalid credentials (49)
by Windl, Ulrich 22 Aug '25

22 Aug '25

(shame!) Bastian, you are right! One should never do a "quick hack" to existing scripts: In the original version the MAANGER was specified without the common CONTEXT, so the script used -D "$MANAGER","$CONTEXT". The DN however was including the CONTEXT (maybe to shorten the script line that uses it). When using MANAGER="$DN" I got a MANAGER that includes the CONTEXT already. The idea was "use the user name as manager, so the user will change its own password". The idea was correct, but "MANAGER=$DN was not. 8-( Kind regards, Ulrich Windl > -----Original Message----- > From: btwe(a)eva05.jsc.fz-juelich.de <btwe(a)eva05.jsc.fz-juelich.de> On > Behalf Of Bastian Tweddell > Sent: Friday, August 22, 2025 8:58 AM > To: Windl, Ulrich <u.windl(a)ukr.de> > Subject: [EXT] Re: Re: Understanding ldappasswd: ldap_bind: Invalid > credentials (49) > > > Hi Ulrich, > > Given that ldappasswd basically works, maybe check your variables. > I think you append `$CONTEXT` two times: > > On 22Aug25 06:43+0000, Windl, Ulrich wrote: > > > > CONTEXT='dc=...' > > > > if [ -n "$1" ]; then > > > > DN="uid=${1},ou=people,$CONTEXT" > > => DN="uid=username_from_arg1,ou=people,dc=..." > ^^^^^^ > > > > > MANAGER="$DN" > > => MANAGER="uid=username_from_arg1,ou=people,dc=..." > ^^^^^^ > > > > > echo "$MANAGER changing password for $DN" > > > > ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W > ${2:+-S > > => -D "uid=username_from_arg1,ou=people,dc=...","dc=..." > ^^^^^^ ^^^^^^ > > This would be wrong, wouldn't it? > > In general, think about using `set -euo pipefail` in bash scripts, and > in this case also use `set -x`. So you could spot that easily. > Also ldap cmdline tools usually take `-d -1` to print all debug info, > but you know that. > > > Das hätte ich wohl auch auf Deutsch schreiben können :) > Ich habs nicht an die Liste geschickt. > > > Viele Grüße, > -- > Bastian Tweddell > Juelich Supercomputing Centre > phone: +49 (2461) 61-6586 > > --------------------------------------------------------------------------------------------- > --------------------------------------------------------------------------------------------- > Forschungszentrum Jülich GmbH > 52425 Jülich > Sitz der Gesellschaft: Jülich > Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 > Vorsitzender des Aufsichtsrats: MinDir Stefan Müller > Geschäftsführung: Prof. Dr. Astrid Lambrecht (Vorsitzende), > Dr. Stephanie Bauer (stellvertretende Vorsitzende), > Prof. Dr. Ir. Pieter Jansens, Prof. Dr. Laurens Kuipers > --------------------------------------------------------------------------------------------- > ---------------------------------------------------------------------------------------------

1 0

Understanding ldappasswd: ldap_bind: Invalid credentials (49)
by Windl, Ulrich 21 Aug '25

21 Aug '25

Hi! I have a question: A user can change its password using the standard SSH Login. However one user with an expired password has a special shell that does not allow login (the user is logged out immediately). So I tried to use ldappasswd to change the password using this helper script: #!/bin/sh SERVER='ldap://...' CONTEXT='dc=...' if [ -n "$1" ]; then DN="uid=${1},ou=people,$CONTEXT" MANAGER="$DN" echo "$MANAGER changing password for $DN" ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W ${2:+-S }"$DN" else echo "$0: missing or empty username" >&2 exit 1 fi So here the one to change the password is the user itself. When I use the script with just the username (set random password), I see: Enter LDAP Password: ldap_bind: Server is unwilling to perform (53) additional info: unauthenticated bind (DN with no password) disallowed And when I call it with a second parameter (ask for password), I see: New password: Re-enter new password: Enter LDAP Password: ldap_bind: Invalid credentials (49) I'm trying to understand: Does the user need special ACLs, or to I need additional parameters? The essential ACLs for userPassword are: ... olcAccess: {4}to attrs=shadowLastChange,userPassword,userPKCS12 by dn.exact="uid=PW-Admin,ou=system,dc=..." write by * break ... olcAccess: {6}to attrs=userPassword,userPKCS12 by self write by * auth ... olcAccess: {8}to * by * read If I use the PW-Admin account, I can change the password, however. Kind regards, Ulrich Windl

2 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical