Hi!
Update: Today when I reloaded the config and re-applied the LDIFs, it worked!
I guess slapd had corrupted the config database in some strange way.
Kind regards,
Ulrich Windl
From: Windl, Ulrich <u.windl@ukr.de>
Sent: Thursday, March 13, 2025 3:38 PM
To: Windl, Ulrich <u.windl@ukr.de>; openldap-technical@openldap.org
Subject: RE: Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
Hi!
Even after having opened a support case with SUSE, it took about two weeks until I got any further:
Essentially you cannot add the values to “olcDatabase={-1}frontend,cn=config”, but only to “cn=config”.
However after that I got a new message when trying to change a user’s password:
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
At that time I had two values assigned, but even after assigning only one value, the message did not change.
Even more, slapd suddenly had exited and refused to restart with the messages:
slapd[13769]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({SSHA256})
slapd[13769]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
slapd[13769]: config error processing cn=config: <olcPasswordHash> no valid hashes found
…
slapd[13769]: slapd stopped.
Changes actually applied were:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so

dn: cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
Any ideas?
Kind regards,
Ulrich Windl
From: Windl, Ulrich <u.windl@ukr.de>
Sent: Tuesday, March 4, 2025 8:49 AM
To: openldap-technical@openldap.org
Subject: [EXT] Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
Hi!
After having loaded pw-sha2 in OpenLDAP 2.5, I tried to set a new default hashing schema, but I fail to do so using
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
----
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcPasswordHash' not allowed
Before that I had tried “replace” instead of “add”, and I tried to place both values in one line as suggested by slapd-config:
olcPasswordHash: <hash> [<hash>...]
This option configures one or more hashes to be used in
generation of user passwords stored in the userPassword
attribute during processing of LDAP Password Modify Extended
Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA},
{SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
The manual page also states:
This setting is only allowed in the frontend entry.
I’m running out of ideas.
Kind regards,
Ulrich Windl
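As an added example (not code from the thread or from the OpenLDAP project), here is a small Python check an administrator can run over exported userPassword values after switching olcPasswordHash, to confirm that new passwords really are stored as {SSHA256} (pw-sha2) rather than the built-in {SSHA} or cleartext, and to verify a candidate password against such a value. It assumes the documented pw-sha2 layout, base64(digest || salt) after the {SCHEME} prefix, and uses an 8-byte salt in make_hash() purely as a demo assumption; the sample values are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Digest length in bytes per scheme; the salt is whatever bytes follow the digest.
# {SSHA} is OpenLDAP's built-in salted SHA-1, {SSHA256} comes from the pw-sha2 module.
SCHEMES = {
    "{SSHA}": ("sha1", 20),
    "{SSHA256}": ("sha256", 32),
}


def split_scheme(stored: str):
    """Split a userPassword value into its {SCHEME} prefix and the base64 payload."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} prefix; value is probably cleartext")
    end = stored.index("}") + 1
    return stored[:end].upper(), stored[end:]


def verify(stored: str, candidate: str) -> bool:
    """True if candidate matches a {SSHA} or {SSHA256} userPassword value."""
    scheme, payload = split_scheme(stored)
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    algo, dlen = SCHEMES[scheme]
    raw = base64.b64decode(payload)
    digest, salt = raw[:dlen], raw[dlen:]
    computed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)  # constant-time comparison


def make_hash(scheme: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build a value in the same layout (8-byte salt is an assumption for this demo)."""
    algo, _ = SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def audit(values):
    """Count the schemes present in a list of userPassword values (constructed input)."""
    counts = {}
    for v in values:
        scheme = split_scheme(v)[0] if v.startswith("{") and "}" in v else "{CLEARTEXT}"
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts
```

Feed audit() the userPassword column of an ldapsearch export to spot entries that were never rehashed after the change; verify() lets you confirm a known test account against its stored value.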