openldap-technical

openldap-technical@openldap.org

3 participants
9937 discussions

Request rate limiting
by BECOT Jérôme 24 Sep '25

24 Sep '25

Hello, Is there any way to limit bind query rates or any operation rate in OpenLDAP or in conjunction of another proxy ? Any advice appreciated Regards Jerome

5 5

logs on stderr don't enforce olcLogFileFormat
by David Coutadeur 18 Sep '25

18 Sep '25

Hi everyone! I don't know if this is intended or not, but when I run OpenLDAP with logs attached on stderr, like: ./slapd -h 'ldap://*:389 ldaps://*:636' -F ./slapd.d -u ldap -g ldap -d 256 the logs do not enforce olcLogFileFormat. For example: 68b6fe23.27b26379 0x7fe756a70e40 @(#) $OpenLDAP: slapd 2.6.10 (May 21 2025 22:00:00) $ instead of: Sep 02 16:21:50 hostname slapd[12345]: slapd starting Is this the expected behaviour? If so, are there any plans for having an option to set the date in stderr logs? Thanks in advance for any response! Regards, -- David Coutadeur | IAM integrator david.coutadeur(a)worteks.com +33 7 88 46 85 34 16 avenue Hoche, Paris 75008 Worteks | https://www.worteks.com

2 4

slapcat dump seems incomplete (attributes missing)
by Windl, Ulrich 15 Sep '25

15 Sep '25

Hi! After a long time I checked the database dump I had created with slapcat in OpenLDAP 2.5. I always thought that all attributes from the database were saved, but it seems some attributes related to password policy aren't: Specifically I cannot find the pwdChangedTime that is there when searching for it. I also miss the pwdHistory, but the pwdPolicySubentry attribute is there. When I compare the dump with the last one created with OpenLDAP 2.4, I see that those attributes (pwdChangedTime, pwdHistory) are still there. That makes me wonder: Is it a bug in OpenLDAP, or is it a bug in my configuration? As I understand it, ACLs should not play a role for slapcat, right? The command I'm using is "slapcat -o ldif-wrap=no -n $DBNUM -F $CONFDIR -g -l "$TMPFILE1" Module load order is: olcModuleLoad: {0}back_mdb.so olcModuleLoad: {1}syncprov.so olcModuleLoad: {2}accesslog.so olcModuleLoad: {3}ppolicy.so olcModuleLoad: {4}refint.so olcModuleLoad: {5}pw-sha2.so olcModuleLoad: {6}lastbind.so Mit freundlichen Grüßen Ulrich Windl Klinikum der Universität Regensburg IT / Infrastruktur Franz-Josef-Strauß-Allee 11 D-93053 Regensburg Tel: +49 941 944-13816 Softphone: +49 941 944-801142 FAX: +49 941 944-5882

2 2

LDAP race condition with ldap_initialize API in OpenLDAP 2.6.7
by venugopal chinnakotla 09 Sep '25

09 Sep '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP C sdk for our application client code. We are using OpenLDAP 2.6.7. As part of this migration activity,we used ldap_initialize() API for initializing and getting LDAP Handle. Our application supports multi threading. So, ldap_initialize() API will be called from multi threaded code. For example, 2 threads will call ldap_initialize() at same time/simultaneously. When 2 threads call ldap_initialize() at same time, sometimes observed a race condition during this API call. Due to this, the next api calls ldap_simple_bind_s or ldap_start_tls_s are getting failed for 2 threads and it is not recovered automatically until restarts our applications. We observed this race condition multiple times. Because of this issue, we are unable to start our application and it becomes a blocker for us to proceed further. After checking ldap_initialze() API code from openldap source code, noticed that race condition happened while initializing/setting global options. Are there any known issues with OpenLDAP when we use it in multi thread supported applications? Could you please check and provide a solution. Thank you for your help.

2 1

Need information related to multi thread support in OpenLDAP c sdk client
by venugopal chinnakotla 09 Sep '25

09 Sep '25

Hi Team, We are working on migration of nsldap C sdk to OpenLDAP c sdk for our application client code. As part of this activity, replacing API one by one and also looking for constant replacement. In NSLDAP C SDK: /* * Thread function callbacks (an API extension -- * LDAP_API_FEATURE_X_THREAD_FUNCTIONS). */ #define LDAP_OPT_THREAD_FN_PTRS 0x05 /* 5 - API extension */ /* * Thread callback functions: */ typedef void *(LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_ALLOC_CALLBACK)( void ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_FREE_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_LOCK_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_MUTEX_UNLOCK_CALLBACK)( void *m ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_GET_ERRNO_CALLBACK)( void ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_SET_ERRNO_CALLBACK)( int e ); typedef int (LDAP_C LDAP_CALLBACK LDAP_TF_GET_LDERRNO_CALLBACK)( char **matchedp, char **errmsgp, void *arg ); typedef void (LDAP_C LDAP_CALLBACK LDAP_TF_SET_LDERRNO_CALLBACK)( int err, char *matched, char *errmsg, void *arg ); /* * Structure to hold thread function pointers: */ struct ldap_thread_fns { LDAP_TF_MUTEX_ALLOC_CALLBACK *ltf_mutex_alloc; LDAP_TF_MUTEX_FREE_CALLBACK *ltf_mutex_free; LDAP_TF_MUTEX_LOCK_CALLBACK *ltf_mutex_lock; LDAP_TF_MUTEX_UNLOCK_CALLBACK *ltf_mutex_unlock; LDAP_TF_GET_ERRNO_CALLBACK *ltf_get_errno; LDAP_TF_SET_ERRNO_CALLBACK *ltf_set_errno; LDAP_TF_GET_LDERRNO_CALLBACK *ltf_get_lderrno; LDAP_TF_SET_LDERRNO_CALLBACK *ltf_set_lderrno; void *ltf_lderrno_arg; }; nsldap c sdk has thread function pointers option to support multi thread functionality for client programs. In our existing code, we are using 'LDAP_OPT_THREAD_FN_PTRS' option with ldap_set_option API like "Client code usage: ldap_set_option(hLDAP, LDAP_OPT_THREAD_FN_PTRS, &tfns);". Now, we are looking for similar functionality within OpenLDAP to use it in our client program. I Went through OpenLDAP documents and source code, but to my knowledge, did not get any equivalent one. Could you please provide more details on this to achieve equivalent functionality of LDAP_OPT_THREAD_FN_PTRS with OpenLDAP? Thank you

2 1

Stale objects in mdb backend
by Matwey Kornilov 03 Sep '25

03 Sep '25

Hello, I am running OpenLDAP (slapd 2.4.49) on Ubuntu with an MDB backend configured for the suffix o=bar,dc=foo. With a help of slapcat, I have discovered stale data: several objects with the suffix dc=bar,dc=foo are physically present in the same MDB database files. These were likely created by the default Ubuntu installer before the entire configuration was manually replaced. However, /var/lib/ldap remained unnoticed at that time, and then production data were appended to this initial one. Is there a method to delete these specific dc=bar,dc=foo entries without taking the server offline and rebuilding the entire database from an LDIF export with slapcat+slapadd? ldapsearch seems to be uncapable to deal with this stale data. Thanks in advance.

1 0

RE: [EXT] Re: Re: Understanding ldappasswd: ldap_bind: Invalid credentials (49)
by Windl, Ulrich 22 Aug '25

22 Aug '25

(shame!) Bastian, you are right! One should never do a "quick hack" to existing scripts: In the original version the MAANGER was specified without the common CONTEXT, so the script used -D "$MANAGER","$CONTEXT". The DN however was including the CONTEXT (maybe to shorten the script line that uses it). When using MANAGER="$DN" I got a MANAGER that includes the CONTEXT already. The idea was "use the user name as manager, so the user will change its own password". The idea was correct, but "MANAGER=$DN was not. 8-( Kind regards, Ulrich Windl > -----Original Message----- > From: btwe(a)eva05.jsc.fz-juelich.de <btwe(a)eva05.jsc.fz-juelich.de> On > Behalf Of Bastian Tweddell > Sent: Friday, August 22, 2025 8:58 AM > To: Windl, Ulrich <u.windl(a)ukr.de> > Subject: [EXT] Re: Re: Understanding ldappasswd: ldap_bind: Invalid > credentials (49) > > > Hi Ulrich, > > Given that ldappasswd basically works, maybe check your variables. > I think you append `$CONTEXT` two times: > > On 22Aug25 06:43+0000, Windl, Ulrich wrote: > > > > CONTEXT='dc=...' > > > > if [ -n "$1" ]; then > > > > DN="uid=${1},ou=people,$CONTEXT" > > => DN="uid=username_from_arg1,ou=people,dc=..." > ^^^^^^ > > > > > MANAGER="$DN" > > => MANAGER="uid=username_from_arg1,ou=people,dc=..." > ^^^^^^ > > > > > echo "$MANAGER changing password for $DN" > > > > ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W > ${2:+-S > > => -D "uid=username_from_arg1,ou=people,dc=...","dc=..." > ^^^^^^ ^^^^^^ > > This would be wrong, wouldn't it? > > In general, think about using `set -euo pipefail` in bash scripts, and > in this case also use `set -x`. So you could spot that easily. > Also ldap cmdline tools usually take `-d -1` to print all debug info, > but you know that. > > > Das hätte ich wohl auch auf Deutsch schreiben können :) > Ich habs nicht an die Liste geschickt. > > > Viele Grüße, > -- > Bastian Tweddell > Juelich Supercomputing Centre > phone: +49 (2461) 61-6586 > > --------------------------------------------------------------------------------------------- > --------------------------------------------------------------------------------------------- > Forschungszentrum Jülich GmbH > 52425 Jülich > Sitz der Gesellschaft: Jülich > Eingetragen im Handelsregister des Amtsgerichts Düren Nr. HR B 3498 > Vorsitzender des Aufsichtsrats: MinDir Stefan Müller > Geschäftsführung: Prof. Dr. Astrid Lambrecht (Vorsitzende), > Dr. Stephanie Bauer (stellvertretende Vorsitzende), > Prof. Dr. Ir. Pieter Jansens, Prof. Dr. Laurens Kuipers > --------------------------------------------------------------------------------------------- > ---------------------------------------------------------------------------------------------

1 0

Understanding ldappasswd: ldap_bind: Invalid credentials (49)
by Windl, Ulrich 21 Aug '25

21 Aug '25

Hi! I have a question: A user can change its password using the standard SSH Login. However one user with an expired password has a special shell that does not allow login (the user is logged out immediately). So I tried to use ldappasswd to change the password using this helper script: #!/bin/sh SERVER='ldap://...' CONTEXT='dc=...' if [ -n "$1" ]; then DN="uid=${1},ou=people,$CONTEXT" MANAGER="$DN" echo "$MANAGER changing password for $DN" ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER","$CONTEXT" -W ${2:+-S }"$DN" else echo "$0: missing or empty username" >&2 exit 1 fi So here the one to change the password is the user itself. When I use the script with just the username (set random password), I see: Enter LDAP Password: ldap_bind: Server is unwilling to perform (53) additional info: unauthenticated bind (DN with no password) disallowed And when I call it with a second parameter (ask for password), I see: New password: Re-enter new password: Enter LDAP Password: ldap_bind: Invalid credentials (49) I'm trying to understand: Does the user need special ACLs, or to I need additional parameters? The essential ACLs for userPassword are: ... olcAccess: {4}to attrs=shadowLastChange,userPassword,userPKCS12 by dn.exact="uid=PW-Admin,ou=system,dc=..." write by * break ... olcAccess: {6}to attrs=userPassword,userPKCS12 by self write by * auth ... olcAccess: {8}to * by * read If I use the PW-Admin account, I can change the password, however. Kind regards, Ulrich Windl

2 2

bind to LDAP server produces "invalid credentials" error
by Travis Bean 20 Aug '25

20 Aug '25

When starting the krb5-admin service, I receive the following error: “Cannot bind to LDAP server ldapi:/// as ‘cn=kdc-srv,cn=krbContainer,dc=example,dc=local’: Invalid credentials - while initializing database.” cn=kdc=srv,cn=krbContainer,dc=example,dc=local is referenced in my krb5.conf as ldap_kdc_dn. It is also referenced in my password stashes as the following: echo -ne "$ADMIN_PASSWORD\n$ADMIN_PASSWORD\n" | kdb5_ldap_util \ -D uid=admin,ou=people,dc=example,dc=local -w "$ADMIN_PASSWORD" stashsrvpw \ -f /etc/krb5kdc/service.keyfile cn=kdc-srv,cn=krbContainer,dc=example,dc=local It is also referenced via ldappasswd: ldappasswd -H ldapi:/// -D uid=admin,ou=people,dc=example,dc=local \ -w "$ADMIN_PASSWORD" -s "$ADMIN_PASSWORD" cn=kdc-srv,cn=krbContainer,dc=example,dc=local It is also referenced in my following ACL: olcAccess: to dn.subtree="cn=krbContainer,dc=example,dc=local" by dn.exact="cn=adm-srv,cn=krbContainer,dc=example,dc=local" write by dn.exact="cn=kdc-srv,cn=krbContainer,dc=example,dc=local" read I thought it was one of my ACLs, but when I modified/removed my ACLs, the problem persisted. I followed this previous post about ACLs ( serverfault.com/questions/869585/kerberos-kdc-wont-start-invalid-credentials), but to no avail. Here is the Bash script I am using for testing: https://drive.google.com/file/d/1PWNAxH6Y0Sk3vBWd85JheG6DOSjmCFbq/view?usp=… Kind regards, Travis Bean

1 0

Converting syncrepl consumer to cn=confg
by Nick Milas 20 Aug '25

20 Aug '25

Hello, I am trying to migrate from a syncrepl consumer 2.4.58 on (CentOS 7) to openldap 6.10 (on Rocky 9). All RPMs are LTB. The initial config is text based (slapd.conf). I added lines for the config database in slapd.conf: database config rootdn "cn=admin,cn=config" rootpw {SSHA}*************************** and then: slaptest -f /usr/local/openldap/etc/openldap/slapd.conf -F /usr/local/openldap/etc/openldap/slapd.d and then: slapcat -F /usr/local/openldap/etc/openldap/slapd.d -n0 -l /root/migration-file.ldif Finally a/ I added modules, b/ I changed syncrepl id (to 182 so that it is unique) and c/ I changed olcMirrorMode to olcMultiProvider The result is here (full file, passwords removed): https://pastebin.com/24bvSKkp <https://pastebin.com/24bvSKkp> Eventually, I slapadd'ed the above into slapd.d on the new server: [root@vmail4 openldap]# slapadd -vvv -n0 -F /usr/local/openldap/etc/openldap/slapd.d -l /root/migration-file.ldif added: "cn=config" (00000001) added: "cn=module{0},cn=config" (00000001) added: "cn=schema,cn=config" (00000001) added: "cn={0}core,cn=schema,cn=config" (00000001) added: "cn={1}cosine,cn=schema,cn=config" (00000001) added: "cn={2}inetorgperson,cn=schema,cn=config" (00000001) added: "cn={3}nis,cn=schema,cn=config" (00000001) added: "cn={4}eduperson,cn=schema,cn=config" (00000001) added: "cn={5}postfix,cn=schema,cn=config" (00000001) added: "cn={6}dyngroup,cn=schema,cn=config" (00000001) added: "cn={7}misc,cn=schema,cn=config" (00000001) added: "cn={8}schac-20090326-1,cn=schema,cn=config" (00000001) added: "cn={9}dnsdomain2,cn=schema,cn=config" (00000001) added: "cn={10}pdns-domaininfo,cn=schema,cn=config" (00000001) added: "cn={11}proftpd-quota,cn=schema,cn=config" (00000001) added: "cn={12}kerberos,cn=schema,cn=config" (00000001) added: "cn={13}localemail,cn=schema,cn=config" (00000001) added: "cn={14}entryaccess,cn=schema,cn=config" (00000001) added: "cn={15}radius,cn=schema,cn=config" (00000001) added: "olcDatabase={-1}frontend,cn=config" (00000001) added: "olcDatabase={0}config,cn=config" (00000001) added: "olcDatabase={1}mdb,cn=config" (00000001) added: "olcOverlay={0}dynlist,olcDatabase={1}mdb,cn=config" (00000001) added: "olcDatabase={2}monitor,cn=config" (00000001) Closing DB... but it won't start: Aug 19 16:13:04 vmail4.noa.gr slapd-cli[14959]: [INFO] Using /usr/local/openldap/etc/openldap/slapd-cli.conf for configuration Aug 19 16:13:04 vmail4.noa.gr slapd-cli[14950]: slapd-cli: [INFO] Using /usr/local/openldap/etc/openldap/slapd-cli.conf for configuration Aug 19 16:13:04 vmail4.noa.gr slapd-cli[14961]: [INFO] Launching OpenLDAP configuration test... Aug 19 16:13:04 vmail4.noa.gr slapd-cli[14950]: slapd-cli: [INFO] Launching OpenLDAP configuration test... Aug 19 16:13:04 vmail4.noa.gr slapd-cli[14963]: [ALERT] OpenLDAP configuration test failed Aug 19 16:13:04 vmail4.noa.gr slapd-cli[14950]: slapd-cli: [ALERT] OpenLDAP configuration test failed Aug 19 16:13:04 vmail4.noa.gr systemd[1]: slapd-ltb.service: Control process exited, code=exited, status=1/FAILURE How can I identify the problem with the configuration? I tried setting: DEBUG_LEVEL="-1" in /usr/local/openldap/etc/openldap/slapd-cli.conf but I don't see any additional details. Can you please provide some guidance on troubleshooting what is wrong? Thanks in advance, Nick

2 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical