openldap-technical

openldap-technical@openldap.org

10 participants
9793 discussions

Re: Antw: [EXT] OpenLDAP Upgrade
by Ulrich Windl 08 Dec '21

08 Dec '21

>>> <santoshk.sethi(a)tcs.com> schrieb am 07.12.2021 um 10:57 in Nachricht <20211207095727.5262.37798(a)hypatia.openldap.org>: > Thanks Emmanuel, > Is it a stable version we can reply upon? Because the request is for a > production environment which are running critical business applications > > As part the OS upgrade (6.4 to 7.9), the default OpenLDAP comes in RHEL7.9 > is openldap-servers-2.4.44-24.el7_9. > > This is a existing setup in production. We just want to upgrade it (rpm > -Uvh) :) on the exisitng RPMs. Actually when you'd update you'd use "rpm -vF ..." I guess ;-) But I'm unsure whether that will work "cross-vendor"; maybe check the file lists (rpm -qvlp ...) and compare with existng paths, also. The best would probably be to have a snapshot-type backup (like for a VM shutting down, making a volume snapshot, then boot and trxy the update) > > #rpm -qa | grep -i openldap > openldap-2.4.23-31.el6.x86_64 > compat-openldap-2.3.43-2.el6.x86_64 > openldap-devel-2.4.23-31.el6.x86_64 > openldap-servers-2.4.23-31.el6.x86_64 > openldap-clients-2.4.23-31.el6.x86_64 > > > Thanks > Santosh

1 0

2.6 slapadd bug? - SHA512 userPassword hash get 2 characters appended to the end at import
by Dave Macias 06 Dec '21

06 Dec '21

Hello, Playing with 2.6 on rhel8 When imported my data.ldif I noticed i no longer could bind and my credentials would fail. Thought it was simply my account and tried with other test accounts and failed too. When i compare the userPassword attributes from the source to my 2.6 environment, i see there are two extra characters at the end. So original looks like: (and whats in data.ldif file) userPassword:: e2Nblablasuperdupper512hashthatendshere vs the one in 2.6 userPassword:: e2Nblablasuperdupper512hashthatendshereXX This happens on all the userPassword attributes that are SHA512. The XX characters seem random, no pattern to it. In other words each userPassword attribute has its own XX characters. Interesting, i dont see this issue with accounts that still have SHA1 hash. They are identical. I dont recall if i saw this on 2.5 but I’ll update on that. Thank you, Dave

3 6

2.6 rhel8 rpm pkg - lastbind module issue
by Dave Macias 03 Dec '21

03 Dec '21

Hello, Playing around with 2.6 Was attempting to add lastbind module but get error: cat <<EOF | ldapadd -D cn=config -w mysecret dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulePath: /opt/symas/lib/openldap/ olcModuleLoad: lastbind.la EOF adding new entry "cn=module,cn=config" ldap_add: Other (e.g., implementation specific) error (80) additional info: <olcModuleLoad> handler exited with 1 I have no issues doing the above with 2.5 rpm rhel8 pkg. Is there something im doing wrong? Any input is appreciated. Thank you, Dave

4 10

Q: Detect "user on grace logins" (ppolicy being used)?
by Ulrich Windl 02 Dec '21

02 Dec '21

Hi! I have a question: When using ppolicy, is tthere a simple way for a user to detect that he/she is "on grace logins", i.e. the poassword has to be changed soon? We had a situation where some monitoring tools uses periodic logins to sume user account. When that user should have changed the password, the periodic logins consumed all the grace logins, and the user was effectively locked out. While there are many ways to resolve this, I wonder whether it would be rather easy to avoid any further login attempts when the user is expected to change the password. Regards, Ulrich

2 1

Concurrent/simultaneous write access
by Jäckel, Carsten 02 Dec '21

02 Dec '21

Hello, during internal discussions, we came up with the question of how OpenLDAP deals with concurrent, competing write accesses to an LDAP object. The background to the question is that we use two applications that want to write attributes on the same user object in the DIT and maybe this could happen at the same time. Does anyone know how the OpenLDAP deals with such a situation? We would like to ask the following questions in detail: - Does the OpenLDAP lock the entire object for write access or only the attributes that are currently being changed? - Is there a kind of queue for write operations in which the competing write accesses are stored? If so, what criteria are used to determine which write operation has priority? - Are there scenarios caused by concurrent, simultaneous write access to objects / object attributes that lead to a crash of the openLDAP? - How can we best simulate simultaneous write access to an object in the DIT from different systems? - Are there different behaviors dealing with concurrent write-access when using different openLDAP versions? Kind regards, Carsten

2 1

force resync of slave
by Enrico Weigelt, metux IT consult 02 Dec '21

02 Dec '21

Hello friends, I've encountered my slaves (Zimbra cluster) aren't fully in sync with master. Some entries are missing attributes. Maybe it's a fallout from previous errors in my MMR setup (several minutes clocks difference, so one master couldn't sync to another). * modifying an affected entry doesn't fix it, just changes the actually changed attributes (delta-sync ?) * starting the slave w/ -c 'rid=100,csn=0' showed lots of corresponding log traffic (on first start), but still tells the entries were equal, doesn't fix the entries * problem: I don't know which entries are affect, just found a few of them Can anyone give me a hint on how to do a full resync ? thx --mtx -- --- Hinweis: unverschlüsselte E-Mails können leicht abgehört und manipuliert werden ! Für eine vertrauliche Kommunikation senden Sie bitte ihren GPG/PGP-Schlüssel zu. --- Enrico Weigelt, metux IT consult Free software and Linux embedded engineering info(a)metux.net -- +49-151-27565287

2 1

Move from memberof to dynlist
by Magnus Morén 01 Dec '21

01 Dec '21

I am trying to move from memberof(overlay) to dynlist but can't get it to work. I have static groups with uniqueMembers cn=somegroup,ou=group,dc=domain,dc=net uniqueMember: uid=user1,ou=people,dc=domain,dc=net uniqueMember: uid=user2,ou=people,dc=domain,dc=net ... I want to have: memberOf: cn=somegroup,ou=group,dc=domain,dc=net on all users who is member of any group. In my test i use cn=config style and OpenLDAP 2.6.0 from Symas In my old ldap server (slapd.conf based) i have overlay memberof memberof-group-oc groupOfUniqueNames memberof-member-ad uniqueMember memberof-refint true I have tried this from man slapo-dynlist but I must have done something wrong or not understand how it is supposed to work. This example extends the dynamic memberOf feature to add the memberOf attribute to all the members of both static and dynamic groups: include /path/to/dyngroup.schema # ... database <database> # ... overlay dynlist dynlist-attrset groupOfURLs memberURL member+memberOf@groupOfNames This dynamic memberOf feature can fully replace the functionality of the slapo-memberof(5) overlay.

3 6

Re: 2.6 rhel8 rpm pkg - lastbind module issue
by Dave Macias 01 Dec '21

01 Dec '21

> > Im looking at > > this: https://git.openldap.org/openldap/openldap/-/blob/6327f45d7de73f66 > > 9fa438d4f5823e139cf4e6b4/contrib/slapd-modules/lastbind/slapo-lastbind.5 > > > > slapadd -n 1 -F /opt/symas/etc/openldap/slapd.d -l data.ldif > > <= str2entry: str2ad(authTimestamp): attribute type undefined > > slapadd: could not parse entry (line=24) > > Closing DB... > > You need the fix for ITS#9725 to make use of authTimestamp. > I see. Thank you for the input! So then i guess i have to wait until the fix is applied to the OS pkgs. Best, Dave

2 1

ppolicy-question
by A. Schulze 01 Dec '21

01 Dec '21

Hello, using slapo-ppolicy I could configure slapd to hash a password if it's sent unhashed. moduleload ppolicy.la moduleload argon2.la password-hash {ARGON2} database mdb suffix dc=test ... overlay ppolicy ppolicy_default "cn=default,ou=ppolicies,dc=test" ppolicy_hash_cleartext That work and I could hash them using ARGON2. But clients could still hash a password them self and write '{MD5}...' as userPassword for example. Is it possible to reject any userPasswords prefixed with hash schema? Andreas

4 6

Multi-Master not syncing
by Enrico Weigelt, metux IT consult 30 Nov '21

30 Nov '21

Hello friends, I'm in huge trouble: my MMR setup (Zimbra) isn't syncing completely. * host A is the old master, host B a new one. * host B used to be a slave of A, but later was promoted to master (each has a syncrepl pointer to the other and mirrormode is TRUE) * sync from A to B seems to be fine, but the route back doesn't work * new objects (eg. new users) are synced up from B to A, but later changes don't get throught (eg. additional entries like mail aliases) On host B i get lots of repeated log messages like this: Nov 30 09:56:04 hz1-rz-mail-ldap-01 slapd[3999428]: conn=6002 op=1 syncprov_search_response: Entry uid=u37701,ou=people,dc=hs-harz,dc=de CSN 20211129215211.258933Z#000000#001#000000 older or equal to ctx 20211130085608.894386Z#000000#001#000000 On Host A I'm getting lots of log messages like this: Nov 30 10:12:38 inkataube slapd[17590]: dn_callback : new entry is older than ours uid=g50425,ou=people,dc=hs-harz,dc=de ours 20211130032044.897539Z#000000#001#000000, new 20211130032015.857165Z#000000#002#000000 It looks like both nodes can't agree on what's the most recent entries. Is there any way to force them taking either side's version ? thanks --mtx --- Hinweis: unverschlüsselte E-Mails können leicht abgehört und manipuliert werden ! Für eine vertrauliche Kommunikation senden Sie bitte ihren GPG/PGP-Schlüssel zu. --- Enrico Weigelt, metux IT consult Free software and Linux embedded engineering info(a)metux.net -- +49-151-27565287

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical