On Fri, Mar 14, 2025 at 11:11:46AM +0000, Windl, Ulrich wrote:
> Ondřej,
> Did the location of olcPasswordHash change? I found instructions to add it to the frontend database, but failed, so I had opened a support case for SLES15 SP6. Even support had no idea what is wrong, until I desperately tried another location (cn=config), and that worked.
Hi Ulrich, both places have to allow it because of what the 2.3 schema looked like, but you're supposed to put it in the frontend because of when moduleload happens.
> Errors were like this:
>
> dn: cn=module{0},cn=config
> changetype: modify
> add: olcModuleLoad
> olcModuleLoad: {4}pw-sha2.so
>
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> replace: olcPasswordHash
> olcPasswordHash: {SSHA256}
> olcPasswordHash: {SSHA}
>
> However I'm getting an error like:
>
> # slapmodify -n0 -F /etc/openldap/slapd.d -S 5 -w -l add-sha256.ldif
> Entry (olcDatabase={-1}frontend,cn=config), attribute 'olcPasswordHash' not allowed
> slapmodify: dn="olcDatabase={-1}frontend,cn=config" (line=1): (65) attribute 'olcPasswordHash' not allowed
> Closing DB...
You are on 2.5/2.6, right? There it's definitely allowed by olcFrontendConfig.
> (Before I had also tried ldapmodify instead of slapmodify)
>
> Still support had claimed that it would work there like this:
>
> # cat /tmp/change
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> replace: olcPasswordHash
> olcPasswordHash: {SSHA256}
> olcPasswordHash: {SSHA}
I said it before: don't specify more than one olcPasswordHash. You've seen first-hand that ppolicy will not be happy, so I don't understand why you're still trying...
> # ldapmodify -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -f /tmp/change
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "olcDatabase={-1}frontend,cn=config"
So you're saying it succeeds with ldapmodify and fails with slapmodify? Confused here.
> Sorry, I cannot explain what's going on: I also tried to replace the schemata.
Certainly can't replace a schema that's compiled in (e.g. most of dynamic config options).
Regards,
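As an added example (not part of this thread and not OpenLDAP project code), the procedure Ondřej describes, written as a shell script: load pw-sha2 first, then set exactly one olcPasswordHash value on the frontend database, and read the result back over ldapi. It assumes a running slapd on the default ldapi:/// socket (the thread used ldapi://%2ftmp%2fldapi; the LDAPI_URI variable is mine) and that root's peer credentials map to an identity allowed to write cn=config; the --apply flag and the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: configure {SSHA256} as the single
# password hash scheme in cn=config on OpenLDAP 2.5/2.6.
#
# Assumptions (mine, not from the thread): slapd is running, listens on
# the default ldapi:/// socket, and the peer credentials of root map to
# an identity that may write cn=config. Override LDAPI_URI if your socket
# lives elsewhere (the thread used ldapi://%2ftmp%2fldapi).
LDAPI_URI="${LDAPI_URI:-ldapi:///}"

# The LDIF, in the order the changes must reach slapd: the module first,
# because slapd rejects an olcPasswordHash value whose scheme is not yet
# registered, then exactly one olcPasswordHash value on the frontend
# database (olcDatabase={-1}frontend,cn=config), where 2.5/2.6 expects it.
sha2_ldif() {
    cat <<'EOF'
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-sha2.so

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
EOF
}

# Sanity checks on an LDIF stream read from stdin, for use before applying.
# Number of olcPasswordHash values; the advice in the thread is exactly one.
count_hash_values() {
    grep -c '^olcPasswordHash: ' || true
}

# Succeeds only if the pw-sha2 olcModuleLoad change precedes the
# olcPasswordHash change in the stream.
module_before_hash() {
    awk '/^olcModuleLoad: pw-sha2/ { m = NR }
         /^olcPasswordHash: /     { h = NR }
         END { exit !(m && h && m < h) }'
}

# Apply the change over ldapi with SASL/EXTERNAL and read the result back.
# If pw-sha2 is already loaded, ldapmodify rejects the first record because
# the value already exists; in that case apply only the frontend record.
apply_sha2() {
    sha2_ldif | ldapmodify -Q -Y EXTERNAL -H "$LDAPI_URI"
    ldapsearch -Q -LLL -Y EXTERNAL -H "$LDAPI_URI" \
        -b 'olcDatabase={-1}frontend,cn=config' -s base olcPasswordHash
}

# Run with --apply to modify the server; without it, just print the LDIF.
case "${1:-}" in
    --apply) apply_sha2 ;;
    *)       sha2_ldif ;;
esac
```

Run it without arguments to review the LDIF, then with --apply as root. The read-back at the end should show a single olcPasswordHash: {SSHA256} line; the two helper checks are there so the same script can refuse an LDIF that lists several schemes or puts the frontend change before the module load.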