Ondřej,
Did the location of olcPasswordHash change? I found instructions to add it to the frontend database, but failed, so I had opened a support case for SLES15 SP6. Even support had no idea what is wrong, until I desperately tried another location (cn=config), and that worked.
Errors were like this:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}

However I'm getting an error like:

# slapmodify -n0 -F /etc/openldap/slapd.d -S 5 -w -l add-sha256.ldif
Entry (olcDatabase={-1}frontend,cn=config), attribute 'olcPasswordHash' not allowed
slapmodify: dn="olcDatabase={-1}frontend,cn=config" (line=1): (65) attribute 'olcPasswordHash' not allowed
Closing DB...
(Before I had also tried ldapmodify instead of slapmodify)
Still support had claimed that it would work there like this:

# cat /tmp/change
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}

# ldapmodify -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -f /tmp/change
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"

# ldapsearch -LLL -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -b 'olcDatabase={-1}frontend,cn=config'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.exact="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcAccess: {2}to dn.base="cn=schema,cn=config" by * read
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
Sorry, I cannot explain what's going on: I also tried to replace the schemata.
Kind regards,
Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Friday, March 14, 2025 11:57 AM
To: Windl, Ulrich u.windl@ukr.de
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
On Thu, Mar 13, 2025 at 02:37:55PM +0000, Windl, Ulrich wrote:
Hi!
Even after having opened a support case with SUSE, it took about two weeks until I got any further:
Essentially you cannot add the values to "olcDatabase={-1}frontend,cn=config", but only to "cn=config".
However after that I got a new message when trying to change a user's password:
Result: Constraint violation (19) Additional info: Password policy only allows one password value
At that time I had two values assigned, but even after assigning only one value, the message did not change.
Even more, slapd suddenly had exited and refused to restart with the messages:

slapd[13769]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({SSHA256})
slapd[13769]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
slapd[13769]: config error processing cn=config: <olcPasswordHash> no valid hashes found
...
slapd[13769]: slapd stopped.
Changes actually applied were:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so

dn: cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
Hi Ulrich, you should be storing your olcPasswordHash on the frontend database, not the 'cn=config' entry (because the module isn't loaded yet while that's being processed). What error do you get when trying to write to `olcDatabase={-1}frontend,cn=config`?
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation
http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
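As an added example (not from this thread or from OpenLDAP itself), the Python below builds and verifies userPassword values in the {SSHA} and {SSHA256} formats the thread is switching between, and tallies which scheme each value in an exported set uses so a migration from {SSHA} to {SSHA256} can be checked for stragglers. The storage layout assumed is base64 of digest followed by salt, as slapd's built-in {SSHA} and the pw-sha2 module's {SSHA256} store it; the sample values are constructed.

```python
import base64
import hashlib
import hmac
import os

# Salted hash schemes from the thread. {SSHA} (SHA-1) is built into slapd;
# {SSHA256} comes from the pw-sha2 module. Both store base64(digest || salt),
# where the digest is computed over password || salt.
SCHEMES = {"{SSHA}": hashlib.sha1, "{SSHA256}": hashlib.sha256}


def hash_password(password, scheme="{SSHA256}", salt=None):
    """Build a userPassword value; an 8-byte random salt is drawn if none is given."""
    digest_fn = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(8)
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def scheme_of(stored):
    """Return the {SCHEME} prefix of a userPassword value, or 'cleartext' if it has none."""
    if stored.startswith("{") and "}" in stored:
        return stored[: stored.index("}") + 1]
    return "cleartext"


def verify_password(password, stored):
    """Check a candidate password against a {SSHA} or {SSHA256} value in constant time."""
    scheme = scheme_of(stored)
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    digest_fn = SCHEMES[scheme]
    raw = base64.b64decode(stored[len(scheme):])
    size = digest_fn().digest_size
    digest, salt = raw[:size], raw[size:]   # salt is whatever follows the digest
    candidate = digest_fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_schemes(values):
    """Count userPassword values per scheme so legacy {SSHA} or cleartext entries stand out."""
    counts = {}
    for value in values:
        key = scheme_of(value)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: one legacy {SSHA} value, one {SSHA256}, one cleartext.
    print(audit_schemes([hash_password("pw", "{SSHA}"), hash_password("pw"), "pw"]))
```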