openldap-technical

openldap-technical@openldap.org

5 participants
9963 discussions

Q: Reset a locked user's password
by Windl, Ulrich 23 Jun '24

23 Jun '24

Hi! I have a question related to policy and a user with an expired password and all grace logins consumed, like this: pwdChangedTime[0] 20231127075102Z pwdGraceUseTime[0] 20240429142254Z pwdGraceUseTime[1] 20240430112006Z pwdGraceUseTime[2] 20240527074731Z pwdGraceUseTime[3] 20240528114912Z pwdGraceUseTime[4] 20240528130249Z pwdFailureTime[0] 20240611082600.348275Z How can the user change his password? The user cannot log in anymoe, obviously. If the user could log in he would have admin privileges. I had the idea to delete the grace logins via ldapmodify, but the result (for version 2.4) was: ldap_modify: Constraint violation (19) additional info: pwdGraceUseTime: no user modification allowed So what are the options (for the user himself and for an admin)? Regards, Ulrich

3 5

Re: sync repl issue
by Luo, Frank 21 Jun '24

21 Jun '24

sorry. it is 2.4.46 and I believe it is standard syncrepl ( I could not find syncdata in slapd.conf). Thanks On Fri, Jun 21, 2024 at 10:52 AM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > > --On Friday, June 21, 2024 9:59 AM -0400 "Luo, Frank" <luoy(a)miamioh.edu> > wrote: > > > refreshAndPersist, mirrormode on for node 01 and 02 , off for node 03 and > > Hi, you didn't answer these two questions: > > Standard syncrepl or delta syncrepl? What version of OpenLDAP? > > Thanks! > > --Quanah > >

2 1

Re: sync repl issue
by Luo, Frank 21 Jun '24

21 Jun '24

refreshAndPersist, mirrormode on for node 01 and 02 , off for node 03 and 04 Thanks On Thu, Jun 20, 2024 at 7:22 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > > --On Thursday, June 20, 2024 4:48 PM -0400 "Luo, Frank" <luoy(a)miamioh.edu> > wrote: > > > Hi, all > > > > We have a 4 nodes set up, n01 and n02 have mirror mode on and they are > > provider and consumer to each other. n03's provider is n01 and n04's > > provider is n02. Each has contexcsn as followings so I think they are > > all in sync. > > > > However I have a node n04 missing some data (one entry I found so > > far). How to explain this and how to troubleshoot? Thanks a lot! > > What version of OpenLDAP? What kind of sync replication (standard, delta? > refreshonly, refreshAndPersist?) etc. > > --Quanah > >

2 1

sync repl issue
by Luo, Frank 20 Jun '24

20 Jun '24

Hi, all We have a 4 nodes set up, n01 and n02 have mirror mode on and they are provider and consumer to each other. n03's provider is n01 and n04's provider is n02. Each has contexcsn as followings so I think they are all in sync. However I have a node n04 missing some data (one entry I found so far). How to explain this and how to troubleshoot? Thanks a lot! Frank n01 contextCSN: 20180628172040.692013Z#000000#001#000000 contextCSN: 20180628172039.214361Z#000000#002#000000 contextCSN: 20240620192402.726831Z#000000#015#000000 contextCSN: 20240620193606.038191Z#000000#016#000000 n02 contextCSN: 20180628172040.692013Z#000000#001#000000 contextCSN: 20180628172039.214361Z#000000#002#000000 contextCSN: 20240620192402.726831Z#000000#015#000000 contextCSN: 20240620193606.038191Z#000000#016#000000 n03 contextCSN: 20180628172040.692013Z#000000#001#000000 contextCSN: 20180628172039.214361Z#000000#002#000000 contextCSN: 20240620192402.726831Z#000000#015#000000 contextCSN: 20240620193606.038191Z#000000#016#000000 n04 contextCSN: 20180628172040.692013Z#000000#001#000000 contextCSN: 20180628172039.214361Z#000000#002#000000 contextCSN: 20240620192402.726831Z#000000#015#000000 contextCSN: 20240620193606.038191Z#000000#016#000000

2 1

Complete removal of an attribute
by Benjamin Renard 19 Jun '24

19 Jun '24

Hello, I'm trying to find out the correct way to completely remove an attribute from an existing LDAP database. So far, I've been doing the following: - Deleting this attribute from all existing entries in the directory: ldapsearch -Y EXTERNAL -H ldapi:/// \ -b o=root '(toRemove=*)' dn -LLL | \ sed 's/^dn: $.*$$/dn: \1\nchangetype: modify\ndelete: toRemove/' | \ ldapmodify -Y EXTERNAL -H ldapi:/// - Removing all references to this attribute from the configuration (schema, index, ACLs, ...) My problem is that slapschema still throws an error about this attribute: 6669bbb2 UNKNOWN attributeDescription "TOREMOVE" inserted. I have double-checked and there are no references to this attribute in a database dump. In this situation, a dump/restore solves the problem, but this requires a service interruption that I would like to avoid. Do you have any ideas on how to work around this issue? Regards, -- Benjamin Renard - Easter-eggs 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37 - mailto:brenard@easter-eggs.com

2 2

[openLDAP 2.5] slapd silently stops
by BECOT Jérôme 13 Jun '24

13 Jun '24

Hello, We have to servers configured as Proxy with back_ldap. They stop almost everyday with a SIGABRT in the service log. Nothing in the standard logs when they stop. I'd like to increase the log level to args, but I'm not sure if it would help me. Any help appreciated. Regards Jerome

2 1

GSSAPI Support from 2.4.x to 2.5.x
by bowen.wang＠cohesity.com 05 Jun '24

05 Jun '24

In 2.4.x, openldap have gssapi.c and several apis on GSSAPI while that is not there anymore after 2.5.x. So what API should use if I want to achieve the same logic such as api ldap_gssapi_bind_s/ldap_gssapi_bind in 2.4.x?

2 1

[OpenLDAP 2.5] Accesslog size and performance issues
by BECOT Jérôme 27 May '24

27 May '24

Hello, Here is our setup: 2 master in mirrormode with accesslog replication and several slaves with lastbind and chain overlay. Everything works, but the accesslog db is quite large and filled with authtimestamp updates from client hosts running sssd. We also have a disk performance issue when the cleanup process is launched every 4h. We plan to reduce the accesslog history by setting 12h retention and increase cleanup . It should reduce the number of entries and therefore lighten the cleanup process but: I wonder if increasing the frequency will also have a positive effects (as the though here is that there will be less entries to delete). I think that allocated pages in the mdb database won't change. Is there a safe way to reduce the db size ? Finally, we considered not logging the sssd auth timestamp updates, but lastbind doesn't have any option to filter which branch is allowed to update, the only option is to set the precision to a higher value. Is there a way to achieve this ? Any suggestion will be warmly appreciated. Thank you Jerome

4 7

its8752 failure
by patrick+openldap.org＠laimbock.com 26 May '24

26 May '24

Hi all, Almalinux 9.4 x86_64. When building 2.6.8 with gcc 11.4.1 20231218 (Red Hat 11.4.1-3) or gcc 13.2.1 20231205 (Red Hat 13.2.1-6) I get a failure in 'make -j1 its' in its8752: >>>>> Starting its8752 ... running defines.sh This test tracks a case where slapd deadlocks during a significant write load See https://bugs.openldap.org/show_bug.cgi?id=8752 for more information. Starting slapd on TCP/IP port 9011... Using ldapsearch to check that slapd is running... Populating database on first provider... Stopping slapd and reworking configuration for MPR... Starting provider slapd on TCP/IP URI ldap://localhost:9011/ Using ldapsearch to check that provider slapd is running... Starting provider slapd on TCP/IP URI ldap://localhost:9012/ Using ldapsearch to check that provider slapd is running... Starting provider slapd on TCP/IP URI ldap://localhost:9013/ Using ldapsearch to check that provider slapd is running... Starting provider slapd on TCP/IP URI ldap://localhost:9014/ Using ldapsearch to check that provider slapd is running... Setting up accesslog on each provider... Modifying dn: cn=Elmer_Fudd,ou=People,dc=example,dc=com on provider 1 Modifying dn: cn=Elmer_Fudd,ou=People,dc=example,dc=com on provider 2 Modifying dn: cn=Elmer_Fudd,ou=People,dc=example,dc=com on provider 3 Modifying dn: cn=Elmer_Fudd,ou=People,dc=example,dc=com on provider 4 Waiting 7 seconds for servers to catch up... Waiting 7 seconds for servers to catch up... Waiting 7 seconds for servers to catch up... Waiting 7 seconds for servers to catch up... Waiting 7 seconds for servers to catch up... Waiting 7 seconds for servers to catch up... Servers did not replicate in time >>>>> ./data/regressions/its8752/its8752 failed (exit 1) make[1]: Leaving directory '/builddir/build/BUILD/openldap-2.6.8/tests' make[1]: *** [Makefile:364: mdb-its-yes] Error 1 make: *** [Makefile:355: regressions] Error 2 error: Bad exit status from /var/tmp/rpm-tmp.cKP3aW (%check) Looking at its8752 in bugzilla there is a target of 2.7.0 and there are a number of other ITSs mentioned: https://bugs.openldap.org/show_bug.cgi?id=9782 (confirmed) https://bugs.openldap.org/show_bug.cgi?id=9580 (in progress) https://bugs.openldap.org/show_bug.cgi?id=9341 (unconfirmed) Is this test supposed to pass successfully on 2.6.8? Thanks, Patrick

1 0

el9 bind ip address
by Marc 23 May '24

23 May '24

Anyone know if this file is still working in el9? Looks like if I put SLAPD_URLS it is not read. /etc/sysconfig/slapd

4 7

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical