openldap-technical

openldap-technical@openldap.org

1 participants
9898 discussions

Re: removing ppolicy overlay
by Frank Swasey 30 May '18

30 May '18

The lack of responses indicates that people either do not use ppolicy or once used, they never remove it. For future reference here's the procedure that I've worked up: shutdown slapd on all MMR members slapcat the database edit the database to remove all "pwd*" attributes and all entries that are pwd* objectClass edit the slapd.conf file (if you are using slapd.d you are on your own) replace the database (delete, and slapadd) Empty the accesslog database if you are using that start slapd Copy your edited database to the rest of your servers and use the tried and true "nuke & repave" process to delete the existing database, edit the config, slapadd the edited database - Frank > On Apr 16, 2018, at 11:09, Frank Swasey <Frank.Swasey(a)uvm.edu> wrote: > > Is there a recommended way to discontinue the use of the ppolicy overlay? > > The only way I've found that works is to stop the ldap server and using slapcat/edit/slapadd eradicate all the ppolicy attributes (combined with removing the ppolicy overlay and schema from the slapd.conf file). > > I'm attempting this on RHEL7 with OpenLDAP 2.4.46 (local built). > > Thanks, > - Frank

3 2

Duplicate Password Policies and Can Not Rest User Password
by Daniel Howard 30 May '18

30 May '18

Hello, I have two issues. One is I gave myself redundant *ppolicy* overlays I can't delete. The other is I don't know why I can not reset a user's password. The first is that in a rush, late at night, I ended up with multiple (duplicate) Password Policy Overlays. I went back and tried to delete these, but: $ *sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///* dn: olcOverlay={5}ppolicy,olcDatabase={1}hdb,cn=config changetype: delete deleting entry "olcOverlay={5}ppolicy,olcDatabase={1}hdb,cn=config" ldap_delete: Server is unwilling to perform (53) It looks like this is a known consideration, per http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays and that I'll have to cowboy the server config to get the redundant overlays removed. root@ldap0:~# *slapd -V* @(#) $OpenLDAP: slapd (Ubuntu) (May 31 2017 21:52:16) $ buildd@lgw01-30 :/build/openldap-tnOaja/openldap-2.4.31/debian/build/servers/slapd Okay, so what is that overlay? Pretty simple stuff: dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {2}ppolicy olcPPolicyDefault: cn=passwordDefault,ou=Policies,dc=qxxxxxxxxd,dc=com olcPPolicyHashCleartext: FALSE olcPPolicyUseLockout: FALSE olcPPolicyForwardUpdates: FALSE (But defined four times ... {2..5}) What is the problem, then? The problem is I can not set a user's password. root@ldap0:~# */usr/bin/ldappasswd -y /etc/ldapscripts/ldapscripts.passwd -D cn=admin,dc=qxxxxxxxxd,dc=com -x -H ldap://localhost -T /tmp/ldapsetpasswd uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com* Result: No such attribute (16) Say what? dn: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com structuralObjectClass: account entryUUID: cd55cc80-f8a5-1037-976e-9da738d41e24 creatorsName: cn=admin,dc=qxxxxxxxxd,dc=com createTimestamp: 20180530223739Z pwdFailureTime: 20180530223741Z pwdFailureTime: 20180530224243Z pwdFailureTime: 20180530224244Z pwdFailureTime: 20180530224306Z pwdFailureTime: 20180530224307Z pwdFailureTime: 20180530224354Z pwdFailureTime: 20180530224538Z pwdFailureTime: 20180530224541Z entryCSN: 20180530224541.157285Z#000000#000#000000 modifiersName: cn=admin,dc=qxxxxxxxxd,dc=com modifyTimestamp: 20180530224541Z entryDN: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com subschemaSubentry: cn=Subschema hasSubordinates: FALSE Maybe the user is locked out? root@ldap0:~# *ldapmodify -Q -Y EXTERNAL -H ldapi:/// -D cn=admin,dc=qxxxxxxxxd,dc=com* dn: uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com changetype: modify delete: pwdFailureTime modifying entry "uid=zachary,ou=People,dc=qxxxxxxxxd,dc=com" ldap_modify: Constraint violation (19) additional info: pwdFailureTime: no user modification allowed Q1: Any bright idea on removing the redundant ppolicy overlays? Q2: Any bright idea on what's up with resetting zachary's password? Thanks, -danny -- http://dannyman.toldme.com

1 0

MDB_INVALID: File is not an LMDB file
by Chris Trenkamp 30 May '18

30 May '18

My program suddenly started returning this error, "MDB_INVALID: File is not an LMDB file" whenever it tries to open the database file. It is running on Windows. I made a copy of the database, compiled lmdb with MDB_DEBUG set to 2 and ran this program: #include <stdio.h> #include "lmdb.h" int main(int argc, char* argv[]) { int rc; MDB_env *env; rc = mdb_env_create(&env); printf("%d\n", rc); rc = mdb_env_open(env, "./brokedb", 0, 0644); printf("%d\n", rc); } And it gave this output: 0 mdb_env_read_header:4040 page 0 not a meta page -30793 Does anyone know how this might have happened, and things to look for in my program that might have caused this? Is there a way to recover the data from the file? Thanks.

2 1

LDAP instance crashing frequently due to swap memory exhaustion
by Saurabh Lahoti 29 May '18

29 May '18

Dear, LDAP instance crashes frequently due to low or no swap memory. What could be the probable reasons for this crash..? ---- *Thanks & Kind Regards,* Saurabh LAHOTI.

1 0

search abandoned by pagedResult nentries=0
by jehan procaccia INT 25 May '18

25 May '18

Hello I have a software (zimbra) that request my openldap server regularly in order to update the "Global Address List" (for mail auto-completion) It request the openldap with a simple search filter after binding however, although it seems to start fine, the result ends with May 24 20:40:48 ldapmt slapd[16434]: conn=1003 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=search abandoned by pagedResult size=0 nentries=0 and no result is returned I do see the request in the ldap logs May 24 20:40:48 ldapmt slapd[16434]: conn=1003 op=2 SRCH base="dc=telecom,dc=fr" scope=2 deref=3 filter="(|(mail=*)(sn=*))" If I do the exact same request (binddn, bindpassw, searchbase, ldapuri, scope, deref, filter) from the zimbra server itself, I do get a correct result with nentries=6505 I don't understand why when the zimbra software does the same request, it fails with nentries=0 text=search abandoned by pagedResult !? what is that message "search abandoned by pagedResult" means ? how can I further debug that problem ? ( I already set loglevel to acl filter stats ) Regards

1 0

.so version numbers for dlopen'd objects
by Paul B. Henson 23 May '18

23 May '18

I'm trying to get the OpenBSD openldap port updated to use modules, currently it just builds everything into a monolithic binary. They are objecting to the existence of the version number in the shared objects for the modules: -rwxr-xr-x 1 henson henson 1773576 May 21 12:54 back_bdb-2.4.so.2.10.7 -rwxr-xr-x 1 henson henson 864 May 21 12:54 back_bdb.la lrwxrwxrwx 1 henson henson 22 May 21 12:54 back_bdb.so -> back_bdb-2.4.so.2.10.7 They say that shared objects which are intended to be dlopen'd, as opposed to linked to, should not include version numbers, and it should look like: -rwxr-xr-x 1 henson henson 1773576 May 21 12:54 back_bdb-2.4.so -rwxr-xr-x 1 henson henson 864 May 21 12:54 back_bdb.la What is the openldap developer perspective on this? Thanks.

5 14

Understanding slapd connections
by Igor Zobin 22 May '18

22 May '18

Hello everyone! I am struggling to understand what exactly the command lsof -i tcp:389 is showing. What exactly is counted as an established connection here? Can I limit that amount somehow through slapd configuration? Can I monitor which of those connections shown by lsof are still in use and which just hang around doing nothing? Igor.

2 1

Re: pwdRESET not working
by Net Warrior 22 May '18

22 May '18

Hello When I force the expiration changing pwdMaxAge what I can see in the log is the following: ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired password: 0 grace logins I test the login, I get two warning as configured but the user is never forced to change it and can login as usual, any hint on this? I was expecting something like this, this is from my old notes ( 2013 ) at that time it worked You are required to change your LDAP password immediately. Last login: Wed Feb 13 12:07:38 2013 from server.domain.com WARNING: Your password has expired. You must change your password now and login again! Changing password for user pmorales. Enter login(LDAP) password: My sss configuration # sssd::config [sssd] domains = domain services = nss, pam, ssh, sudo config_file_version=2 [domain/zebra] # sssd::provider::ldap id_provider=ldap auth_provider=ldap chpass_provider=ldap ldap_uri=ldap://openldap.domain.com ldap_chpass_uri=ldap://openldap.domain.com ldap_search_base=dc=domain,dc=com ldap_tls_reqcert=never ldap_tls_cacert=/etc/openldap/cacerts/ca_certs.pem ldap_tls_cacertdir=/etc/openldap/cacerts ldap_id_use_start_tls=false ldap_user_search_base=ou=Users,dc=domain,dc=com ldap_group_search_base=ou=Groups,dc=domain,dc=com debug_level=6 ldap_sudo_search_base=cn=sudo,ou=Groups,dc=domain,dc=com ldap_chpass_update_last_change=true ldap_user_shadow_last_change=shadowLastChange ldap_pwd_policy=shadow nsswitch.conf passwd: files sss shadow: files sss group: files sss System-Auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so session optional pam_mkhomedir.so umask=0077 Password Auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so session optional pam_mkhomedir.so umask=0077 Thanks Regards 2018-05-10 11:45 GMT-03:00 Net Warrior <netwarrior863(a)gmail.com>: > Hi > > From time to time I need to reset user passwords when they forget it so I > want to force them to change it when they connect over ssh, as long as I > remember this worked before, ( do not remember which openldap version it was > a long time ) anyway , how can I force user to change their passwords upon > ssh connection? or is not possible anymore? > > > Thanks > Regards > > > On 05/08/2018 09:25 AM, Clément OUDOT wrote: >> >> >> Le 03/05/2018 à 16:23, Net Warrior a écrit : >>> >>> Hello there guys, when setting the pwsReset to TRUE I cannot login to >>> the system anymore, just get the permission denied, then I found this. >>> >>> https://github.com/pwm-project/pwm/issues/155 >>> >>> Did I face that bug or maybe it's something else? >> >> >> It's not a bug. If pwdReset is set to TRUE, the BIND will be successful >> but you will not be allowed to do another operation but changing >> password. If your application is doing a SEARCH just after the BIND, you >> will be denied. >> >> >> >

2 1

OTP or 2FA for Manager Account?
by Douglas Duckworth 18 May '18

18 May '18

Hi Does OpenLDAP support use of one time passwords or 2FA for the Manager account? Thanks Doug

7 11

ldapdelete: Invalid DN on an Accesslog generated DN
by Giuseppe Civitella 17 May '18

17 May '18

Hi all, while doing some tests to enable accesslog in my directory, I did enable the overlay and then disabled it because of login problems. Once restored the directory, I found a few entries like this: dn: reqStart=20180509102412.000000Z,BASEDN objectClass: auditModify structuralObjectClass: auditModify REQSTART: 20180509102412.000000Z REQEND: 20180509102412.000001Z REQTYPE: modify REQSESSION: 1679 REQAUTHZID: cn=admin,BASEDN REQDN: cn=gcivitella,ou=users,BASEDN REQRESULT: 0 REQMOD: description:= description utente gcivitella (update check accesslog) REQMOD: entryCSN:= 20180509102412.246481Z#000000#000#000000 REQMOD: modifiersName:= cn=admin,BASEDN REQMOD: modifyTimestamp:= 20180509102412Z REQENTRYUUID: 53620528-9276-1037-8c51-e5b01d96303b entryUUID: dc744658-e7be-1037-9c6f-71aa77ba1fb3 creatorsName: cn=admin,BASEDN createTimestamp: 20180509102412Z entryCSN: 20180509102412.246481Z#000000#000#000000 modifiersName: cn=admin,BASEDN modifyTimestamp: 20180509102412Z Now I'm unable to delete them. I get an "invalid DN" error: ldapdelete -D "cn=admin,BASEDN" -W -H ldap://127.0.0.1 -v "reqStart=20180509102412.000000Z,BASEDN" ldap_initialize( ldap://127.0.0.1:389/??base ) Enter LDAP Password: deleting entry "reqStart=20180509102412.000000Z,BASEDN" ldap_delete: Invalid DN syntax (34) additional info: invalid DN Is there a way to force the deletion or temporary disable the schema check? Best regards, Giuseppe

3 3

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical