openldap-technical

openldap-technical@openldap.org

20 participants
9821 discussions

Re: consumer replication net recovering
by Suresh Veliveli 21 Feb '25

21 Feb '25

This is another instance where replication stops. Dec 23 01:01:23 aaa-prod-aws-3 slapd[1182444]: syncrepl_entry: rid=143 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) csn=20241223060050.594465Z#000000#000#000000 tid 0x7f5aed0fb640 Dec 23 01:01:23 aaa-prod-aws-3 slapd[1182444]: syncrepl_entry: rid=143 be_search (0) Dec 23 01:01:23 aaa-prod-aws-3 slapd[1182444]: syncrepl_entry: rid=143 uid=xxxx,ou=People,dc=georgetown,dc=edu Dec 23 01:01:23 aaa-prod-aws-3 slapd[1182444]: syncrepl_entry: rid=143 be_modify uid=xxxxx,ou=People,dc=georgetown,dc=edu (0) Dec 23 01:01:23 aaa-prod-aws-3 slapd[1182444]: syncrepl_message_to_entry: rid=143 DN: uid=xxxxx,ou=People,dc=georgetown,dc=edu, UUID: db41232e-527d-103f-995c-4344349468b5 Dec 23 01:01:23 aaa-prod-aws-3 slapd[1182444]: syncrepl_entry: rid=143 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) csn=20241223060104.603554Z#000000#000#000000 tid 0x7f5aed0fb640 Dec 23 01:01:23 aaa-prod-aws-3 slapd[1182444]: syncrepl_entry: rid=143 be_search (0) Dec 23 01:01:23 aaa-prod-aws-3 slapd[1182444]: syncrepl_entry: rid=143 uid=yyyyy,ou=People,dc=georgetown,dc=edu Dec 23 01:01:23 aaa-prod-aws-3 slapd[1182444]: syncrepl_entry: rid=143 be_modify uid=yyyy,ou=People,dc=georgetown,dc=edu (0) No "syncrep_" messages were logged after the above. Regards, Suresh On Mon, Dec 23, 2024 at 2:42 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Friday, December 20, 2024 5:46 PM -0500 Suresh Veliveli > <Suresh.Veliveli(a)georgetown.edu> wrote: > > > > > I do have these but no syncrepl_sync. > > > > > > Dec 12 08:59:30 aaa-prod-gcp-9 slapd[4165]: syncrepl_message_to_entry: > > rid=129 DN: uid=xxxx,ou=xxxx,dc=georgetown,dc=edu, UUID: > > 37387976-3ae0-103f-94fc-3b4be3361dc7 > > Dec 12 08:59:30 aaa-prod-gcp-9 slapd[4165]: syncrepl_entry: rid=129 > > LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY) > > csn=20241212135921.652395Z#000000#000#000000 tid 0x7f671b7fe640 > > Yes sorry, that was a typo on my end. > > "syncrepl_" sync messages. Specifically you want to see the ones that > have > "be_" in them, but not "be_search". I.e., be_add, be_modify, etc. They > show the result of the operation, something like: > > syncrepl_entry: rid=100 be_modify <DN> (<result code>) > > --Quanah > > -- Suresh Veliveli Sr. UNIX Systems Engineer Georgetown University University Information Services | Security Infrastructure and Policy-Identity and Collaboration 202-262-6676 (cell) | 202-687-3108 (work)

5 20

manual page slapd-mdb.5 and "maxsize"
by Windl, Ulrich 21 Feb '25

21 Feb '25

Migrating to OpenLDAP 2.5 and MDB I hit the default 10MB limit (when trying to import a 6.8MB LDIF). Seeking how to extend the size online, I found: maxsize <bytes><https://manpages.debian.org/testing/slapd/slapd-mdb.5.en.html#maxsize> Specify the maximum size of the database in bytes. A memory map of this size is allocated at startup time and the database will not be allowed to grow beyond this size. The default is 10485760 bytes. This setting may be changed upward if the configured limit needs to be increased. However it's completely non-obvious that the name for cn=config is "olcDbMaxSize" (and not "olcMaxssize"). (The final MDB file size was about 23MB, including the indices) Kind regards, Ulrich Windl

1 0

Debian Bookworm: Issues with stucking / hanging slapd process 2.5, while add / modify entries (master-master replication)
by linuxmail＠4lin.net 21 Feb '25

21 Feb '25

Hello, we fighting since upgrade from Buster to Bookworm with smaller and bigger issues on our OpenLDAP. We use WebADM as IDM (Rcdevs) and this is using OpenLDAP as backend. Since a long while on Bookworm, we have the issues, that slapd stucks on operations, like on adding entries. For example adding more than 1 CN entry to an existing OU. The only way to get all working is again, to stop slapd, but systemctl stop slapd doesn't work, you have to use kill -9 .. and that, pretty often. So, I hoped, to get it working again, I cloned the VMs; cutted the (normal) network and used a localhost bridge, so that both can see each others, without issues. Then I've created a backup (slapcat); deleted the db and slapd.d/cn=config ... and restored on both the DB. This part worked without issues .. but: ``` cat /home/foo/sudo_single.ldif dn: cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local objectclass: sudorole objectclass: top cn: jochoa_fra_dev_bookworm_02 sudorunasuser: ALL sudooption: !authenticate sudocommand: /bin/su sudohost: fra-dev-bookworm-02.example.local sudouser: jochoa(a)example.local ldapadd -ZZ -c -x -D 'cn=webadmin,ou=Accounts,dc=example,dc=local' -W -H ldap://fra-corp-auth-01.example.com:389 -f /home/foo/sudo_single.ldif -vv ldap_initialize( ldap://fra-corp-auth-01.example.com:389/??base ) Enter LDAP Password: add objectclass: sudorole top add cn: jochoa_fra_dev_bookworm_02 add sudorunasuser: ALL add sudooption: !authenticate add sudocommand: /bin/su add sudohost: fra-dev-bookworm-02.example.local add sudouser: jochoa(a)example.local adding new entry "cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local" ``` and then .. it just stucks, till I break with CTRL +C The same happens via ApacheDirectory or using WebADM Gui ... sometimes it works .. but often not. ```` eb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: activity on 1 descriptor Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: activity on: Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: 22r Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: read active on 22 Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: epoll: listen=9 active_threads=0 tvp=zero Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: epoll: listen=10 active_threads=0 tvp=zero Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: connection_get(22) Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: connection_get(22): got connid=1041 Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: connection_read(22): checking for input on id=1041 Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: op tag 0x68, time 1740046822 Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: conn=1041 op=1 do_add Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: conn=1041 op=1 do_add: dn (cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local) Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: >>> dnPrettyNormal: <cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local> Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: <<< dnPrettyNormal: <cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local>, <cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local> Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: conn=1041 op=1 ADD dn="cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: => mdb_entry_get: ndn: "cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: => mdb_entry_get: oc: "(null)", at: "(null)" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: mdb_dn2entry("cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local") Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: => mdb_dn2id("cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local") Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798) Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: => mdb_entry_get: cannot find entry: "cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: mdb_entry_get: rc=32 Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: ==> mdb_add: cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_required entry (cn=jochoa_fra_dev_bookworm_02,ou=user_rules,ou=sudoers,dc=example,dc=local), objectClass "sudoRole" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type "objectClass" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type "cn" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type "sudoRunAsUser" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type "sudoOption" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type "sudoCommand" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type "sudoHost" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type "sudoUser" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: oc_check_allowed type "structuralObjectClass" Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: activity on 1 descriptor Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: activity on: Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: Feb 20 11:20:22 fra-corp-auth-01 slapd[710]: daemon: epoll: listen=8 active_threads=0 tvp=zero ``` If I try to stop the slapd om ldap1: ``` Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: conn=1001 fd=20 closed (slapd shutdown) Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: connection_closing: readying conn=1041 sd=22 for close Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: connection_close: deferring conn=1041 sd=22 Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: connection_closing: readying conn=1011 sd=23 for close Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: connection_close: deferring conn=1011 sd=23 Feb 20 11:23:10 fra-corp-auth-01 slapd[710]: slapd shutdown: waiting for 4 operations/tasks to finish ``` strace shows: ``` futex(0x7f3e9a9ff990, FUTEX_WAIT_BITSET|FUTEX_CLOCK_REALTIME, 720, NULL, FUTEX_BITSET_MATCH_ANY ``` So, if I stop all .. start slapd again .. all seems fine .. * ldap2 ``` Feb 20 11:49:32 fra-corp-auth-02 slapd[686]: conn=1209 op=2 syncprov_op_search: registered persistent search Feb 20 11:49:32 fra-corp-auth-02 slapd[686]: conn=1209 op=2 syncprov_op_search: no change, skipping log replay Feb 20 11:49:32 fra-corp-auth-02 slapd[686]: conn=1209 op=2 syncprov_op_search: nothing changed, finishing up initial search early Feb 20 11:49:32 fra-corp-auth-02 slapd[686]: conn=1209 op=2 syncprov_sendinfo: refreshDelete cookie= Feb 20 11:49:32 fra-corp-auth-02 slapd[686]: conn=1209 op=2 syncprov_search_response: detaching op ``` then I again try to use ldapadd .. and I see still: * ldap2 ``` ... Feb 20 11:54:35 fra-corp-auth-02 slapd[4696]: =>do_syncrepl rid=002 Feb 20 11:54:36 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 20 11:54:36 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=9 active_threads=0 tvp=zero Feb 20 11:54:36 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=10 active_threads=0 tvp=zero Feb 20 11:54:36 fra-corp-auth-02 slapd[4696]: start_refresh: rid=002 a refresh on rid=001 in progress, pausing Feb 20 11:54:37 fra-corp-auth-02 slapd[4696]: =>do_syncrepl rid=002 Feb 20 11:54:38 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 20 11:54:38 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=9 active_threads=0 tvp=zero Feb 20 11:54:38 fra-corp-auth-02 slapd[4696]: daemon: epoll: listen=10 active_threads=0 tvp=zero Feb 20 11:54:38 fra-corp-auth-02 slapd[4696]: start_refresh: rid=002 a refresh on rid=001 in progress, pausing Feb 20 11:54:39 fra-corp-auth-02 slapd[4696]: =>do_syncrepl rid=002 .... but .. a ldapsearch on ldap1 .. **still works** :-/ on ldap1 .. log is silent, except from my ldapsearch and ... I have to kill -9 slapd on ldap1 again and start .. I have no clue .. what else I can do ..... any hints ? cu denny

2 1

How do I list existing indexes
by Richard Perini 21 Feb '25

21 Feb '25

I'm sure this question has been asked before, but my googling has failed to find an answer: How can I get a list of attribute indexes for our OpenLDAP instance? We're running version 2.4.57 (FreeBSD). Thanks in advance, -- Richard Perini Ramico Australia Pty Ltd Sydney, Australia rpp(a)ramico.com.au ----------------------------------------------------------------------------- "The difference between theory and practice is that in theory there is no difference, but in practice there is"

2 1

Migration from 2.4 to 2.5: problem with using "olcPPolicyDefault" in ACL duriung slapadd
by Windl, Ulrich 20 Feb '25

20 Feb '25

Hi! I'm about to migrate openLDAP 2.4 from SLES12 SP5 to openLDAP 2.5 from SLES15 SP6, following the rather terse https://www.openldap.org/doc/admin25/appendix-upgrading.html. I've removed the policy schema as advised from the LDIF export of cn=config, but now it seems that slapadd cannot use "olcPPolicyDefault" in an ACL: # slapadd -v -n0 -F /etc/openldap/slapd.d -S 1 -w -l 0.ldif added: "cn=config" (00000001) added: "cn=module{0},cn=config" (00000001) added: "cn=schema,cn=config" (00000001) added: "cn={0}core,cn=schema,cn=config" (00000001) added: "cn={1}cosine,cn=schema,cn=config" (00000001) added: "cn={2}inetorgperson,cn=schema,cn=config" (00000001) added: "cn={3}rfc2307bis,cn=schema,cn=config" (00000001) added: "cn={4}yast,cn=schema,cn=config" (00000001) added: "cn={5}sudo,cn=schema,cn=config" (00000001) added: "olcDatabase={-1}frontend,cn=config" (00000001) olcAccess: value #1: unknown attr "olcPPolicyDefault" in to clause. <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+ <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>] <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::= <attr> [ , <attrlist> ] <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ] [dnattr=<attrname>] [realdnattr=<attrname>] [group[/<objectclass>[/<attrname>]][.<style>]=<group>] [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] <style> ::= exact | regex | base(Object) <dnstyle> ::= base(Object) | one(level) | sub(tree) | children | exact | regex <attrstyle> ::= exact | regex | base(Object) | one(level) | sub(tree) | children <peernamestyle> ::= exact | regex | ip | ipv6 | path <domainstyle> ::= exact | regex | base(Object) | sub(tree) <access> ::= [[real]self]{<level>|<priv>} <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+ <control> ::= [ stop | continue | break ] slapadd: could not add entry dn="olcDatabase={0}config,cn=config" (line=908): ▒5=▒ Closing DB... (Also note the garbage in the error message that seems to appear for any slapadd error) As noted Openldap is SUSE's version (openldap2_5-2.5.18+31-150500.11.12.1.x86_64) they re-introduced in SLES15 SP5 (maybe due to failing to provide a working migration tool to 389-DS and a proper administration manual) So is it a bug that the attribute cannot be used in ACL, or is it a configuration error on my side? (line 908 is "dn: olcDatabase={0}config,cn=config") The actual line in question is like this: olcAccess: {1}to attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,ou=system,dc=domain,dc=org" read by * break Kind regards, Ulrich Windl

2 2

[authcid=<identity>] [authzid=<identity>]
by Stefan Kania 20 Feb '25

20 Feb '25

hi to all, I like to split the replication for cn=config and the object-db between to different kerberos-principals so I did the following (so far) 1. create to principals and a keytab for both of them. 2. configured k5start to get two different cchache files (one for each user) 3. Now I want to change my syncrepl from: --------------------------- dn: olcDatabase={0}config,cn=config changetype: modify replace: olcSyncRepl olcSyncRepl: rid=001 provider=ldaps://provider01.example.net bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="5 5 100 +" timeout=1 tls_reqcert=allow olcSyncRepl: rid=002 provider=ldaps://provider02.example.net bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="5 5 100 +" timeout=1 tls_reqcert=allow --------------------------- And ----------------------------- dn: olcDatabase={2}mdb,cn=config changetype: modify replace: olcSyncrepl olcSyncrepl: rid=101 provider=ldaps://provider01.example.net bindmethod=sasl saslmech=gssapi authzid=uid=krepl-main,cn=gssapi,cn=auth timeout=0 network-timeout=0 filter="(objectclass=*)" searchbase="dc=example,dc=net" scope=sub schemachecking=off type=refreshAndPersist retry="60 +" tls_reqcert=allow olcSyncrepl: rid=102 provider=ldaps://provider02.example.net bindmethod=sasl saslmech=gssapi authzid=uid=krepl-main,cn=gssapi,cn=auth timeout=0 network-timeout=0 filter="(objectclass=*)" searchbase="dc=example,dc=net" scope=sub schemachecking=off type=refreshAndPersist retry="60 +" keepalive=240:10:30 tls_reqcert=allow ----------------------------------- to use a different identity. I found the options [authcid=<identity>] [authzid=<identity>] But nothing how to configure these options. When I get the ticket for the user and do a ldapwhoami I'm getting dn:uid=krepl-config,cn=gssapi,cn=auth and dn:uid=krepl-main,cn=gssapi,cn=auth The DNs are: krbPrincipalName=krepl-krbPrincipalName=krepl-config(a)EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net and krbPrincipalName=krepl-main(a)EXAMPLE.NET,cn=EXAMPLE.NET,cn=kerberos,dc=example,dc=net So which option du I have to take and what is the right value for the option? Stefan

1 0

OpenLDAP Pass-through Authentication
by Dino Edwards 20 Feb '25

20 Feb '25

Hi, Trying to get pass-through authentication working however, I'm running to the following error in OpenLDAP: openldap | 679ceede.3aa31e0a 0x7f2ff617e6c0 conn=1004 op=1 SRCH attr=uid mail displayName openldap | 679ceede.3aa4b816 0x7f2ff617e6c0 conn=1004 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000019 etime=0.000172 nentries=1 text= openldap | 679ceede.3aaafd88 0x7f2ff597d6c0 conn=1005 fd=14 ACCEPT from IP=172.16.32.1:47082 (IP=0.0.0.0:1389) openldap | 679ceede.3aab8f34 0x7f2ff597d6c0 conn=1005 op=0 BIND dn="cn=username(a)domain.tld,ou=users,dc=domain,dc=local <mailto:cn=username@domain.tld,ou=users,dc=domain,dc=local> " method=128 openldap | 679ceede.3aac9267 0x7f2ff597d6c0 SASL [conn=1005] Failure: cannot connect to saslauthd server: No such file or directory openldap | 679ceede.3aad25b9 0x7f2ff597d6c0 conn=1005 op=0 RESULT tag=97 err=49 qtime=0.000005 etime=0.000120 text= openldap | 679ceede.3ab0191f 0x7f2ff617e6c0 conn=1005 fd=14 closed (connection lost) openldap | 679ceede.3ab3d76a 0x7f2ff597d6c0 conn=1004 fd=13 closed (connection lost) I followed the admin docs at: https://www.openldap.org/doc/admin26/guide.html#Pass-Through%20authenticatio n Here's what I did: Created /usr/lib/sasl2/slapd.conf with the following content: mech_list: plain pwcheck_method: saslauthd saslauthd_path: /var/run/sasl2/mux Created /etc/saslauthd.conf with the following content: ldap_servers: ldap://192.168.xxx.xxx.xxx ldap_search_base: OU=Users,DC=domain,DC=tld ldap_filter: (uid=%u) ldap_bind_dn: CN=saslauthd,CN=Users,DC=domain,DC=tld ldap_password: somepassword Added a user that already exists in domain.tld in openldap with the following password: {SASL}username(a)domain.tld <mailto:%7bSASL%7dusername@domain.tld> I would appreciate some help on this. Thanks

4 9

slapo-otp: manual page could be improved
by Windl, Ulrich 20 Feb '25

20 Feb '25

Hi! Reading the slapo-otp manual page, It's not quite clear to me how it works: * The tokens are stored in a separate entry, but does the manual page say what object type that entry has to be? I wonder why the token isn't stored directly within the user entry as tokens most likely are not shared. * Likewise "parameters" are stored in a separate entry; again what object type would those be? * Confusingly the manual talks about "attributes" next: Are those "parameters"? I mean: length and HMAC algorithm might be shared among entries, but counter and time-step cannot. A sample configuration would be really helpful, given that the only reference is "See also slapd-config(5)". Kind regards, Ulrich Windl

1 0

Change from mono to multivalued
by Frédéric Goudal 19 Feb '25

19 Feb '25

Hello, I may have to change some attributes from mono valued to multivalued on my production openldap I would like to know if I can do the change dynamically on the running ldap ? Most of my openldap are in 2.6.x version, but… I have one old in 2.4 (yes I know, it’s a very bad idea but too many problems to change it for me now) Thanks in advance Frederic — Frédéric Goudal Ingénieur Système, DSI Bordeaux-INP +33 556 84 23 11

2 1

EAP-TLS extend logged lines
by Alexey D. Filimonov 19 Feb '25

19 Feb '25

Hello. Currently I have EAP-TLS auth. On successfull auth, it logs Wed Feb 19 15:23:13 2025 : Auth: (9) Login OK: [anonymous-xxx] (from client name_of_client1 port 8 cli ee:ee:ee:ed:ae:ee) I'd like to extend or replace this line with UPN from certiificate and other attributes. Where should I start from ?

2 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical