openldap-technical

openldap-technical@openldap.org

17 participants
9883 discussions

using refint overlay for pwdPolicySubentry
by Windl, Ulrich 09 May '25

09 May '25

Hi! Some time ago U had replaced a password policy, and it was quite sme work to replace all occurrences. So I thought reint cul help. I configured: dn: olcOverlay={4}refint,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcRefintConfig olcRefintAttribute: member olcRefintAttribute: pwdPolicySubentry olcOverlay: {4}refint And I did apply a test rename of the policy used by many users. I got no error from the modify, but slapd said many times: slapd[28826]: ppolicy_get: policy subentry cn=pp-default-2024-05x,...,dc=de missing or invalid at 'pwdPolicySubentry', no policy will be applied! Shouldn't refint have fixed those entries, or is there something special about password policy? The other thing I had noticed was that the MMR consumer did not complain at all, and it even looks as if the update wasn't sent. Did anybody try this before? When I checked for the member attribute by deleting a user, all members containing that user were removed, however. I see "modifiersName: cn=Referential Integrity Overlay", too. Same is true for a rename. Kind regards, Ulrich Windl

2 9

changing password with otp active
by Stefan Kania 09 May '25

09 May '25

Hello to all When I activate the otp-overlay I can login with my userpassword and the 6 digit token. But how can I change the password with otp activ? Without otp I do "passwd" then giving the old password and then the new password twice and the password is changed With opt I have to give the old password+6-digit. If I only giving the password the server complains immediately that the password is wrong. When I'm giving the old password plus the 6-digit, the server accepts the password. Then I can give the new password twice, but then I'm getting the massage: Server-message: Old password not accepted. So how can an user change his password via commandline with otp active? Thanks Stefan

3 13

Q: The role of accesslog with delta syncrepl in OpenLDAP 2.5
by Windl, Ulrich 09 May '25

09 May '25

Hi! I think I converted my syncreply configuration (that wasn't perfect) to a delta syncrepl configuration (that I think is correct). However I'm not very confident whether everything is working as expected, also whether I'm using the correct procedures. In the process of configuring I had hanging processes (adding the syncrepl overlay) and crasing processes (adding the syncprov). Then I had noticed that slapd did empty the local accesslog (which I named changelog, because that is what it is). I had expected that slapd would only "append" new entries, and old entries would be expired as specified only. Also I wonder whether the local accesslog has some meaning when slapd start up: Does slapd consider its contents at all, and if so: In which way? I had repeatable crashes when starting slapd until I deleted the changelogs. Kind regards, Ulrich Windl

2 2

Poor OpenSSL performance
by Howard Chu 09 May '25

09 May '25

I've noticed that OpenSSL 3.x performs much worse than OpenSSL 1.x. The analysis in this blog post is pretty revealing. https://www.haproxy.com/blog/state-of-ssl-stacks Anyone up for adding WolfSSL support to libldap? -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

RE25 testing call (2.5.20) #1
by Quanah Gibson-Mount 08 May '25

08 May '25

This is the first testing call for OpenLDAP 2.5.20. Depending on the results, this may be the only testing call. Generally, get the code for RE25: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.5.20 Engineering Fixed lloadd handling of starttls critical (ITS#10323) Fixed slapd regression with certain searches (ITS#10307) Fixed slapo-pcache caching behaviors (ITS#10270) Minor Cleanup ITS#9934 ITS#10020 ITS#10226 ITS#10279 ITS#10309 ITS#10320 ITS#10327 ITS#10328 ITS#10331 Regards, Quanah

1 0

Translucent and Syncreplication
by Bergmann, Clemens 08 May '25

08 May '25

Hi, We are currently setting up a new openLDAP service and face Problems when combining slapo-translucent and syncreplication. To increase reliability and performance the new new openldap Server is behind a Loadbalancer which redirects requests to three instances. These three instances sync config and data via syncrepl. This works fine. We also have a legacy LDAP Server that some of the data has to be stored and updated in during migration of other services. For this we use the slapo-translucent functionality and that also works fine. We now face problems when combing these two concepts. When stacking the syncrepl and translucent overlays the server is not starting because slapo-translucent/slapd-ldap is setting olcLastMod to false. This has come up many times in this list but I was unable to find a solution. Is there another setup to combine translucent with high availability? Mit freundlichen Grüßen Clemens (Bergmann) -- Clemens Bergmann [er/ihm; he/him] Gruppe Nutzermanagement und Entwicklung Technische Universität Darmstadt Hochschulrechenzentrum, Alexanderstraße 2, 64283 Darmstadt Tel. +49 6151 16 71184 <http://www.hrz.tu-darmstadt.de/> http://www.hrz.tu-darmstadt.de/

3 2

[Seeking Help] - When there is no entry in ldap db getting success response instead of noSuchObject
by Niranjan Ganjikunta 07 May '25

07 May '25

Hi Gentlemen, We are hosting an LDAP server on an Ubuntu Linux system, and our requirement is to return a noSuchObject error in the LDAP response when a search yields no results, instead of returning a success response. we are using below search command. ldapsearch -b "ou=Subscribers,ou=sda,o=centertel.pl" -D "cn=admin" -w "XXXXX" -H ldap://ip:389 -v -s sub "ptkSubscriberIMSI=26003123456789" This command is trying to search for the imsi under the base dn by using the filter. in this case if there is no entry present in db we are expecting noSuchObject (32) response from ldap. We tried to build overlay by using below c++ script to modify the default ldap behaviour to get nosuchobject when there is no entry in db. #include "portable.h" // Required for OpenLDAP build environment #include <stdio.h> #include <ac/string.h> // OpenLDAP-specific replacements #include <ac/regex.h> // Brings in regex_t, regmatch_t #include <ldap.h> #include "slap.h" #include <stdio.h> #include <ldap.h> #include <slap.h> int my_overlay_search(Operation *op, SlapReply *rs) { // Correct call to next overlay/backend int rc = overlay_op_walk(op, rs, SLAP_OP_SEARCH, (slap_overinfo *)op->o_bd->bd_info, NULL); if (rs->sr_err == LDAP_SUCCESS && rs->sr_entry == NULL) { rs->sr_err = LDAP_NO_SUCH_OBJECT; rs->sr_text = "No such object found"; Debug(LDAP_DEBUG_ANY, "Custom overlay: noSuchObject error triggered\n"); } return rc; } and by using below command build .so file gcc -fPIC -shared \ -I "$OPENLDAP_SRC/include" \ -I "$OPENLDAP_SRC/servers/slapd" \ -I "$OPENLDAP_SRC/libraries/libldap" \ -I "$OPENLDAP_SRC/libraries/liblber" \ -o "my_overlay.c" "noSuchobject_overlay.so" \ -lldap we didnt get any error while building the .so file. but while loading the module by using below ldif file content getting error dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: /usr/lib/ldap/noSuchobject_overlay.so config="/etc/ldap/ldap.conf" root@lodsto-essvt:~# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f new_load_overlay.ldif modifying entry "cn=module{0},cn=config" ldap_modify: Other (e.g., implementation specific) error (80) additional info: <olcModuleLoad> handler exited with 1 and we got stuck in this module load. May be can you review and propose proper steps and script to build the required module to get expected ldap behaviour. Thanks in advance. RGds, Niranjan Kumar [cid:image001.png@01DBBF8D.9A9631F0]

2 1

ldap proxy
by fred750164＠gmail.com 06 May '25

06 May '25

I want to set up an architecture that allows a client to query an LDAP backend via an LDAP proxy. I want the query from the client to be unsecured, but the proxied communication between the LDAP proxy and the LDAP backend to be secured through mutual TLS authentication via SASL EXTERNAL. What configurations need to be implemented on the LDAP proxy and the LDAP backend? I saw in the slapd-ldap(5) documentation that the idassert-bind parameter could be used on the LDAP proxy for the TLS connection via SASL EXTERNAL, and in the slapd.conf(5) documentation that the authz-regexp parameter could be used on the LDAP backend to allow querying with a DN extracted from the certificate on this LDAP backend. However, I am struggling to set it up. I use openldap 2.4. slapd.conf on proxy server: [...] Database ldap suffix dc=test,dc=com uri ldaps://mytest.com:636 idassert-bind mode=self bindmethod=sasl saslmech=EXTERNAL tls_cert=/etc/openldap/certs/server.crt tls_key=/etc/openldap/certs/server.key tls_cacert=/etc/ssl/certs/ca-bundle.crt tls_cacertdir=/etc/ssl/certs tls_crlcheck=none tls_reqcert=allow [...] slapd.conf on backend server: [...] # Modules moduleload back_mdb moduleload authz-regexp # TLS TLSCACertificateFile /opt/openldap/etc/openldap/certs/ca-certificates.crt TLSCertificateFile /opt/openldap/etc/openldap/certs/backend.crt TLSCertificateKeyFile /opt/openldap/etc/openldap/certs/backend.key TLSCipherSuite HIGH TLSVerifyClient demand sasl-Host mytest.com sasl-realm EXTERNAL authz-regexp ".*" "cn=user1,dc=test,dc=com" [...] proxy: ldapsearch -H ldaps://mytest.com -b "dc=appli,dc=test,dc=com" -Y EXTERNAL -ZZ ldap_start_tls: Can't contact LDAP server (-1) backend: 67895427.2b4074ce 0x7f7e6bffe6c0 TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate. Any help would be appreciated.

7 44

Match certificate subject with escaped characters using olcAuthzRegexp
by Windl, Ulrich 06 May '25

06 May '25

Hi! Trying to match the (som,e experimental) certificate subject to assign it LDAP users, I have some problems: Escaping of the subject seems to make regexp matching even harder. For example "CN = "uid=windl+email=u.windl(a)ukr.de", GN = Ulrich, SN = Windl" (as displayed by OpenSSL) is converted to "dn:sn=windl,givenName=ulrich,cn=uid\3Dwindl\2Bemail\3Du.windl@ukr.de" As I understand it uid=windl+email=u.windl(a)ukr.de<mailto:uid=windl+email=u.windl@ukr.de>" and email=u.windl(a)ukr.de<mailto:uid=windl+email=u.windl@ukr.de>+uid=windl" would be equivalent. So when I want to match just the uid part I could use "uid\\3D([^,]+)", but that would include "\2Bemail\3Du...". If I'd use uid\\3D([^,\]+)", instead, any escaped character inside the uid would terminate the match. How do the experts handle it? Use very simplistic CNs in certificates? Kind regards, Ulrich Windl

2 5

Q: lastbind, pwdLastSuccess, and authTimestamp
by Windl, Ulrich 06 May '25

06 May '25

Hi! Slapd-config states that pwdLastSuccess (provided by slapd) will be set if olcLastBind is set to true. However to do that the lastbind module/overlay is needed. But the latter sets authTimestamp. Slapo-policy documents that authTimestamp (provided by lastbind module) is set when lastbind is enabled. At it seems pwdLastSuccess and authTimestamp are set to the same value. Can someone explain the logic behind? I'm confused; do I really need the lastbind overlay? I'm using OpenLDAP 2.5.X Kind regards, Ulrich Windl

3 6

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical