openldap-technical

openldap-technical@openldap.org

3 participants
9868 discussions

changing password with otp active
by Stefan Kania 05 May '25

05 May '25

Hello to all When I activate the otp-overlay I can login with my userpassword and the 6 digit token. But how can I change the password with otp activ? Without otp I do "passwd" then giving the old password and then the new password twice and the password is changed With opt I have to give the old password+6-digit. If I only giving the password the server complains immediately that the password is wrong. When I'm giving the old password plus the 6-digit, the server accepts the password. Then I can give the new password twice, but then I'm getting the massage: Server-message: Old password not accepted. So how can an user change his password via commandline with otp active? Thanks Stefan

2 4

Q: lastbind, pwdLastSuccess, and authTimestamp
by Windl, Ulrich 05 May '25

05 May '25

Hi! Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed. But the latter sets authTimestamp. Slapo-policy documents that authTimestamp (provided by lastbind module) is set when lastbind is enabled. At it seems pwdLastSuccess and authTimestamp are set to the same value. Can someone explain the logic behind? I'm confused; do I really need the lastbind overlay? I'm using OpenLDAP 2.5.X Kind regards, Ulrich Windl

3 5

ldap proxy
by fred750164＠gmail.com 05 May '25

05 May '25

I want to set up an architecture that allows a client to query an LDAP backend via an LDAP proxy. I want the query from the client to be unsecured, but the proxied communication between the LDAP proxy and the LDAP backend to be secured through mutual TLS authentication via SASL EXTERNAL. What configurations need to be implemented on the LDAP proxy and the LDAP backend? I saw in the slapd-ldap(5) documentation that the idassert-bind parameter could be used on the LDAP proxy for the TLS connection via SASL EXTERNAL, and in the slapd.conf(5) documentation that the authz-regexp parameter could be used on the LDAP backend to allow querying with a DN extracted from the certificate on this LDAP backend. However, I am struggling to set it up. I use openldap 2.4. slapd.conf on proxy server: [...] Database ldap suffix dc=test,dc=com uri ldaps://mytest.com:636 idassert-bind mode=self bindmethod=sasl saslmech=EXTERNAL tls_cert=/etc/openldap/certs/server.crt tls_key=/etc/openldap/certs/server.key tls_cacert=/etc/ssl/certs/ca-bundle.crt tls_cacertdir=/etc/ssl/certs tls_crlcheck=none tls_reqcert=allow [...] slapd.conf on backend server: [...] # Modules moduleload back_mdb moduleload authz-regexp # TLS TLSCACertificateFile /opt/openldap/etc/openldap/certs/ca-certificates.crt TLSCertificateFile /opt/openldap/etc/openldap/certs/backend.crt TLSCertificateKeyFile /opt/openldap/etc/openldap/certs/backend.key TLSCipherSuite HIGH TLSVerifyClient demand sasl-Host mytest.com sasl-realm EXTERNAL authz-regexp ".*" "cn=user1,dc=test,dc=com" [...] proxy: ldapsearch -H ldaps://mytest.com -b "dc=appli,dc=test,dc=com" -Y EXTERNAL -ZZ ldap_start_tls: Can't contact LDAP server (-1) backend: 67895427.2b4074ce 0x7f7e6bffe6c0 TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate. Any help would be appreciated.

7 43

using refint overlay for pwdPolicySubentry
by Windl, Ulrich 05 May '25

05 May '25

Hi! Some time ago U had replaced a password policy, and it was quite sme work to replace all occurrences. So I thought reint cul help. I configured: dn: olcOverlay={4}refint,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcRefintConfig olcRefintAttribute: member olcRefintAttribute: pwdPolicySubentry olcOverlay: {4}refint And I did apply a test rename of the policy used by many users. I got no error from the modify, but slapd said many times: slapd[28826]: ppolicy_get: policy subentry cn=pp-default-2024-05x,...,dc=de missing or invalid at 'pwdPolicySubentry', no policy will be applied! Shouldn't refint have fixed those entries, or is there something special about password policy? The other thing I had noticed was that the MMR consumer did not complain at all, and it even looks as if the update wasn't sent. Did anybody try this before? When I checked for the member attribute by deleting a user, all members containing that user were removed, however. I see "modifiersName: cn=Referential Integrity Overlay", too. Same is true for a rename. Kind regards, Ulrich Windl

2 2

Match certificate subject with escaped characters using olcAuthzRegexp
by Windl, Ulrich 05 May '25

05 May '25

Hi! Trying to match the (som,e experimental) certificate subject to assign it LDAP users, I have some problems: Escaping of the subject seems to make regexp matching even harder. For example "CN = "uid=windl+email=u.windl(a)ukr.de", GN = Ulrich, SN = Windl" (as displayed by OpenSSL) is converted to "dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de" As I understand it uid=windl+email=u.windl(a)ukr.de<mailto:uid=windl+email=u.windl@ukr.de>" and email=u.windl(a)ukr.de<mailto:uid=windl+email=u.windl@ukr.de>+uid=windl" would be equivalent. So when I want to match just the uid part I could use "uid\\3D([^,]+)", but that would include "\2Bemail\3Du...". If I'd use uid\\3D([^,\]+)", instead, any escaped character inside the uid would terminate the match. How do the experts handle it? Use very simplistic CNs in certificates? Kind regards, Ulrich Windl

2 2

Message "slapd[2734]: config error processing olcDatabase={0}config,cn=config: <olcMultiProvider> database is not a shadow"
by Windl, Ulrich 29 Apr '25

29 Apr '25

Hi! While setting up an OpenLDAP-2.5-based MMR configuration I had set up the master node, then dumped the config database, copied the LDIF to the other node. However when starting slapd, it failed with the message slapd[2734]: config error processing olcDatabase={0}config,cn=config: <olcMultiProvider> database is not a shadow See also https://stackoverflow.com/q/6792212/6607497 The context of olcMultiProvider is: dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config ... olcMultiProvider: TRUE On the first node I had updated the config using this LDIF: dn: olcDatabase=${db},cn=config changetype: modify delete: olcMirrorMode olcMirrorMode: TRUE - add: olcMultiProvider olcMultiProvider: TRUE So I don't understand why this won't work on the second node. Specifically I can restart the first node without an issue. The only difference is that the primary node has a patch against crashing on an invalid olcAuthzRegexp (I had reported). Well can anybody explain what this message means? Update: Reading https://www.openldap.com/lists/openldap-technical/201807/msg00051.html ("Do you have a unique olcServerID set in cn=config for both masters")I realized that I forgot to specify "-S SID" for slapadd. Unfortunately even after using option -S, the error message remains the same. Kind regards, Ulrich Windl

2 3

Q: odd accesslog entry and unchanged attributes
by Windl, Ulrich 29 Apr '25

29 Apr '25

Hi! Debugging issues with my OpenLDAP configuration I inspected the changelog. One entry had some "odd" values (IMHO). Consider this example: dn: reqStart=20250423131324.000185Z,cn=audit objectClass: auditModify structuralObjectClass: auditModify reqStart: 20250423131324.000185Z reqEnd: 20250423131324.000188Z reqType: modify reqSession: 1024 reqAuthzID: cn=config reqDN: olcDatabase={4}mdb,cn=config reqResult: 0 reqMod: olcRootPW:= {SSHA256}REDACTED agNLQ== reqMod: entryCSN:= 20250423131324.377585Z#000000#005#000000 reqMod: modifiersName:= cn=config reqMod: modifyTimestamp:= 20250423131324Z reqOld: olcRootPW: REDACTED reqOld: entryCSN: 20250423131324.038419Z#000000#005#000000 reqOld: modifiersName: cn=config reqOld: modifyTimestamp: 20250423131324Z reqEntryUUID: 7b0b106c-b490-103f-8f46-3bae5e23549d entryUUID: 7b40af6a-b490-103f-8f7d-3bae5e23549d creatorsName: cn=audit createTimestamp: 20250423131324Z entryCSN: 20250423131324.377585Z#000000#005#000000 modifiersName: cn=audit modifyTimestamp: 20250423131324Z The change in entryCSN and modifyTimestamp are: OLD: 20250423131324.038419Z#000000#005#000000 NEW: 20250423131324.377585Z#000000#005#000000 OLD: 20250423131324Z NEW: 20250423131324Z So the change happened within the same second, and modifyTimestamp did not actually change. So the question is kind of philosophical: Are attibutes logged as changed when actually they did not change? This would apply to modifyTimestamp and modifyTimestamp in this case. Kind regards, Ulrich Windl

2 1

LDAP URI for slapcat -H
by Windl, Ulrich 29 Apr '25

29 Apr '25

Hi! After reading the manual of slapcat (for 2.5) it recommends using option -H and an URI instead of other obsolete options. So I tried it, but all I get is a usage message, even with "-v" and "-d9". Like this: # slapcat -d9 -H 'ldap:///?entryCSN?sub?(objectClass=*)' usage: slapcat [-v] [-d debuglevel] [-f configfile] [-F configdir] [-o <name>[=<value>]] [-c] [-g] [-n databasenumber | -b suffix] [-l ldiffile] [-a filter] [-s subtree] [-H url] However when I use # slapcat -H 'ldap://?entryCSN?dc=...,dc=de?sub?(objectClass=*)' I get output. The URI should be: scheme COLON SLASH SLASH [host [COLON port]] [SLASH dn [QUESTION [attributes] [QUESTION [scope] [QUESTION [filter] [QUESTION extensions]]]]] Do I have tomatoes on my eyes? Anyway I think slapcat could provide a better error message. Even an ltrace did not enlighten me: # ltrace slapcat -d9 -H 'ldap:///?entryCSN?sub?(objectClass=*)?' ber_set_option(0, 0x8002, 0x55ad287ce980, 0x7f7d383ff680) = 0 ldap_pvt_thread_initialize(0x7f7d3862c1c0, 0x55ad287ce980, 32, 0x55ad287ce980) = 0 ldap_create(0x55ad287d6a78, 0, 0, 0) = 0 ldap_pvt_tls_set_option(0x55ad56df1a50, 0x6006, 0x7ffd5d8d1f6c, 48) = 0 strrchr("slapcat", '/') = nil strcmp("slapcat", "slapd") = -1 strcmp("slapcat", "slapadd") = 2 strcmp("slapcat", "slapcat") = 0 ldap_set_option(0, 0x5001, 0x55ad287d12d0, 0x7ffd5d8d2158) = 0 getopt(4, 0x7ffd5d8d2158, "a:b:cd:f:F:gH:l:n:o:s:v") = 100 __ctype_b_loc() = 0x7f7d384c1d60 strtoul(0x7ffd5d8d36a9, 0x7ffd5d8d1bb0, 0, 0) = 9 getopt(4, 0x7ffd5d8d2158, "a:b:cd:f:F:gH:l:n:o:s:v") = 72 ldap_url_parse_ext(0x7ffd5d8d36ae, 0x7ffd5d8d1cb0, 5, 0) = 10 __fprintf_chk(0x7f7d384004e0, 1, 0x55ad2877a9f0, 0x55ad2875c4ddusage: slapcat [-v] [-d debuglevel] [-f configfile] [-F configdir] [-o <name>[=<value>]]) = 88 fputs(" [-c]\n\t[-g] [-n databasenumber |"..., 0x7f7d384004e0 [-c] [-g] [-n databasenumber | -b suffix] [-l ldiffile] [-a filter] [-s subtree] [-H url] ) = 1 exit(1 <no return ...> +++ exited (status 1) +++ Kind regards, Ulrich Windl

2 3

SBOM required!
by Sahil Sharma D 29 Apr '25

29 Apr '25

Hi team, Could you please provide the SBOM for OpenLDAP version REL_ENG_2_6_4 , or advise me on where I can locate the SBOMs for all versions? Regards, Sahil

2 1

MDB monitoring: How many free pages actually?
by Windl, Ulrich 25 Apr '25

25 Apr '25

Hi, Considering this monitoring information, I wonder: olmMDBPagesMax: 12800 olmMDBPagesUsed: 9229 olmMDBPagesFree: 3810 Is the number of actual free pages 12800 - 9229 + 3810, i.e. "unallocated (12800 - 9229)" plus "usable" (3810)? How many free pages are needed before updates stop working? Kind regards, Ulrich Windl

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical