Final update:
Once I added "objectClass: olcFrontendConfig" I could apply "olcPasswordHash: {SSHA256}" to "olcDatabase={-1}frontend,cn=config".
Kind regards, Ulrich Windl
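The fix from the final update, written out as one complete LDIF (an added example, not a file from the thread): the pw-sha2 module is loaded first, since the frontend's olcPasswordHash is only accepted once the scheme is known, and then the auxiliary object class and the single hash value are added in one modify record. The module index {4} and the ldapi URL are taken from the thread; the file name is an assumption.

```ldif
# Added example, not from the thread. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -f add-sha256.ldif
# The module entry index {4} is the one used in the thread; adjust to your config.

# 1. Make the {SSHA256} scheme available before the frontend refers to it.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so

# 2. A frontend entry carried over from 2.4 may list only
#    objectClass: olcDatabaseConfig, which does not allow olcPasswordHash.
#    olcFrontendConfig is AUXILIARY, so it can be added to the existing entry.
#    Both mods are in one record, so the entry is never left half-updated.
#    Only one hash scheme is set, as advised in the thread.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: objectClass
objectClass: olcFrontendConfig
-
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
```

If the frontend entry already lists olcFrontendConfig, drop the `add: objectClass` mod, otherwise that record fails with "Type or value exists (20)" and the hash is not applied.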
-----Original Message-----
From: Windl, Ulrich u.windl@ukr.de
Sent: Monday, March 17, 2025 9:05 AM
To: Ondřej Kuzník ondra@mistotebe.net
Cc: openldap-technical@openldap.org
Subject: [EXT] RE: Re: Re: Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
Ondřej,
as you might understand, first you try what you think should work, and if it doesn't, you start wild experimenting (while not knowing better) 😉
I read adding it to frontend (olcFrontendConfig) should work (and it's also conforming to the schema I see). However it would not work, so I had opened a support case with SUSE. After more than a week where it wouldn't work, I started some desperate experiments, and according to the schema, olcPasswordHash is also allowed in olcGlobal, and when trying to add it there, it worked (using a single value).
I just retried the test: After loading a fresh cn=config and starting slapd, I could apply
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so
but applying
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
fails with:
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcPasswordHash' not allowed
Do I have to add olcFrontendConfig explicitly?
My frontend has (from 2.4):
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
In case this is no longer correct, the upgrade guide for 2.4-to-2.5 should be updated.
Kind regards, Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Friday, March 14, 2025 1:29 PM
To: Windl, Ulrich u.windl@ukr.de
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: Re: Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
On Fri, Mar 14, 2025 at 11:11:46AM +0000, Windl, Ulrich wrote:
> Ondřej,
> Did the location of olcPasswordHash change? I found instructions to add it to the frontend database, but failed, so I had opened a support case for SLES15 SP6. Even support had no idea what is wrong, until I desperately tried another location (cn=config), and that worked.

Hi Ulrich, both places have to allow it because of what the 2.3 schema looked like, but you're supposed to put it in the frontend because of when moduleload happens.

> Errors were like this:
> dn: cn=module{0},cn=config
> changetype: modify
> add: olcModuleLoad
> olcModuleLoad: {4}pw-sha2.so
>
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> replace: olcPasswordHash
> olcPasswordHash: {SSHA256}
> olcPasswordHash: {SSHA}
>
> However I'm getting an error like:
> # slapmodify -n0 -F /etc/openldap/slapd.d -S 5 -w -l add-sha256.ldif
> Entry (olcDatabase={-1}frontend,cn=config), attribute 'olcPasswordHash' not allowed
> slapmodify: dn="olcDatabase={-1}frontend,cn=config" (line=1): (65) attribute 'olcPasswordHash' not allowed
> Closing DB...

You are on 2.5/2.6 right? There it's definitely allowed by olcFrontendConfig.

> (Before I had also tried ldapmodify instead of slapmodify)
> Still support had claimed that it would work there like this:
> # cat /tmp/change
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> replace: olcPasswordHash
> olcPasswordHash: {SSHA256}
> olcPasswordHash: {SSHA}

I said it before, don't specify more than one olcPasswordHash, you've seen first hand that ppolicy will not be happy so I don't understand why you're still trying...

> # ldapmodify -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -f /tmp/change
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "olcDatabase={-1}frontend,cn=config"

So you're saying it succeeds with ldapmodify and fails with slapmodify? Confused here.

> Sorry, I cannot explain what's going on: I also tried to replace the schemata.

Certainly can't replace a schema that's compiled in (e.g. most of dynamic config options).

Regards,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP