Hi!
After having loaded pw-sha2 in OpenLDAP 2.5, I tried to set a new default hashing schema, but I fail to do so using
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
----
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Object class violation (65)
    additional info: attribute 'olcPasswordHash' not allowed
Before I had tried "replace" instead of "add", and I tried to place both values in one line as suggested by slapd-config:
olcPasswordHash: <hash> [<hash>...]
This option configures one or more hashes to be used in generation of user passwords stored in the userPassword attribute during processing of LDAP Password Modify Extended Operations (RFC 3062). The <hash> must be one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The default is {SSHA}.
The manual page also states: This setting is only allowed in the frontend entry.
I'm running out of ideas.
Kind regards, Ulrich Windl
The ldif must look like this:
------------
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA256}
-
add: olcPasswordHash
olcPasswordHash: {SSHA}
------------
You can't add it in one step
On 04.03.25 at 08:48, Windl, Ulrich wrote:
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
Sorry,
It must be something else:
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Object class violation (65)
    additional info: attribute 'olcPasswordHash' not allowed
Kind regards, Ulrich Windl
-----Original Message----- From: Stefan Kania stefan@kania-online.de Sent: Tuesday, March 4, 2025 9:37 AM To: openldap-technical@openldap.org Subject: [EXT] Re: Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
On Tue, Mar 04, 2025 at 07:48:41AM +0000, Windl, Ulrich wrote:
Not sure, sounds like a typo somewhere but I would question the need to add more than one olcPasswordHash BTW. It specifies what hash will be used to hash a new password, it is *not* used to specify the hashes that the server understands (that's achieved by loading the appropriate module as you've done already).
If you put 2 hashes in there and send a password modify, the user will now have 2 userPassword values (the same password hashed with both), that's rarely useful and for instance the ppolicy overlay very much doesn't like that situation.
Regards,
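To make the point in the reply above concrete, here is an added example (not code from the thread or from OpenLDAP) that reproduces the salted-digest layout the built-in {SSHA} scheme and the pw-sha2 {SSHA256} scheme use for userPassword, verifies a candidate password against such a value, and simulates what a Password Modify stores when olcPasswordHash lists two schemes: two userPassword values for one password, which a ppolicy-style check then refuses. The 8-byte salt length, the simulated ppolicy check and the sample passwords are this example's own choices, not slapd constants.

```python
"""Added example (not code from the thread or from OpenLDAP): the salted
digest layout of {SSHA} (built-in) and {SSHA256} (pw-sha2 module) userPassword
values, a verifier for it, and a simulation of what a Password Modify stores
for a given olcPasswordHash list."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Digest behind each scheme. Scheme names are from the thread; this table is
# the example's own and covers only the two schemes discussed there.
SCHEMES = {"{SSHA}": "sha1", "{SSHA256}": "sha256"}


class ConstraintViolation(Exception):
    """Stands in for LDAP result 19, as ppolicy returns it in the thread."""


def hash_password(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """userPassword value for one scheme: prefix + base64(digest(pw || salt) || salt).
    The 8-byte salt length is this example's choice, not an OpenLDAP constant."""
    if scheme not in SCHEMES:
        raise ValueError(f"scheme not available ({scheme})")  # mirrors the slapd log line
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against one stored value. The salt is whatever follows
    the fixed-length digest, so values with any salt length verify."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored.partition("}")
    scheme += "}"
    if scheme not in SCHEMES:
        return False  # a server without the module cannot verify this value
    raw = base64.b64decode(encoded)
    size = hashlib.new(SCHEMES[scheme]).digest_size
    digest, salt = raw[:size], raw[size:]
    candidate = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def password_modify(password: str, olc_password_hash: list[str], ppolicy: bool = False) -> list[str]:
    """Simulate RFC 3062 Password Modify: one userPassword value per configured
    scheme. With ppolicy enabled (simulated here) more than one value is refused."""
    values = [hash_password(password, s) for s in olc_password_hash]
    if ppolicy and len(values) > 1:
        raise ConstraintViolation("Password policy only allows one password value")
    return values


if __name__ == "__main__":
    # Two schemes configured: two stored values for the same password.
    for value in password_modify("correct horse battery", ["{SSHA256}", "{SSHA}"]):
        print(value, verify_password("correct horse battery", value))
```

Run it to see the two values a single Password Modify would produce; `verify_password` accepts both, which is exactly why keeping one scheme is enough for login while two only creates the ppolicy conflict described above.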
Hi!
Even after having opened a support case with SUSE, it took about two weeks until I got any further:
Essentially you cannot add the values to "olcDatabase={-1}frontend,cn=config", but only to "cn=config".
However after that I got a new message when trying to change a user's password:
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
At that time I had two values assigned, but even after assigning only one value, the message did not change.
Even more, slapd suddenly had exited and refused to restart with the messages:
slapd[13769]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({SSHA256})
slapd[13769]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
slapd[13769]: config error processing cn=config: <olcPasswordHash> no valid hashes found
...
slapd[13769]: slapd stopped.
Changes actually applied were:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so

dn: cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
Any ideas?
Kind regards,
Ulrich Windl
From: Windl, Ulrich u.windl@ukr.de Sent: Tuesday, March 4, 2025 8:49 AM To: openldap-technical@openldap.org Subject: [EXT] Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
On Thu, Mar 13, 2025 at 02:37:55PM +0000, Windl, Ulrich wrote:
Hi Ulrich, you should be storing your olcPasswordHash on the frontend database, not the 'cn=config' entry (because the module isn't loaded yet while that's being processed). What error do you get when trying to write to `olcDatabase={-1}frontend,cn=config`?
Regards,
Ondřej,
Did the location of olcPasswordHash change? I found instructions to add it to the frontend database, but failed, so I had opened a support case for SLES15 SP6. Even support had no idea what is wrong, until I desperately tried another location (cn=config), and that worked.
Errors were like this:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
However I'm getting an error like:
# slapmodify -n0 -F /etc/openldap/slapd.d -S 5 -w -l add-sha256.ldif
Entry (olcDatabase={-1}frontend,cn=config), attribute 'olcPasswordHash' not allowed
slapmodify: dn="olcDatabase={-1}frontend,cn=config" (line=1): (65) attribute 'olcPasswordHash' not allowed
Closing DB...
(Before I had also tried ldapmodify instead of slapmodify)
Still support had claimed that it would work there like this:
# cat /tmp/change
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}

# ldapmodify -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -f /tmp/change
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"

# ldapsearch -LLL -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -b 'olcDatabase={-1}frontend,cn=config'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.exact="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcAccess: {2}to dn.base="cn=schema,cn=config" by * read
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
Sorry, I cannot explain what's going on: I also tried to replace the schemata.
Kind regards, Ulrich Windl
-----Original Message----- From: Ondřej Kuzník ondra@mistotebe.net Sent: Friday, March 14, 2025 11:57 AM To: Windl, Ulrich u.windl@ukr.de Cc: openldap-technical@openldap.org Subject: [EXT] Re: Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
-- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP
On Fri, Mar 14, 2025 at 11:11:46AM +0000, Windl, Ulrich wrote:
Ondřej,
Did the location of olcPasswordHash change? I found instructions to add it to the frontend database, but failed, so I had opened a support case for SLES15 SP6. Even support had no idea what is wrong, until I desperately tried another location (cn=config), and that worked.
Hi Ulrich, both places have to allow it because of what the 2.3 schema looked like, but you're supposed to put it in the frontend because of when moduleload happens.
Errors were like this:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
However I'm getting an error like:
# slapmodify -n0 -F /etc/openldap/slapd.d -S 5 -w -l add-sha256.ldif
Entry (olcDatabase={-1}frontend,cn=config), attribute 'olcPasswordHash' not allowed
slapmodify: dn="olcDatabase={-1}frontend,cn=config" (line=1): (65) attribute 'olcPasswordHash' not allowed
Closing DB...
You are on 2.5/2.6 right? There it's definitely allowed by olcFrontendConfig.
(Before I had also tried ldapmodify instead of slapmodify)
Still support had claimed that it would work there like this:
# cat /tmp/change
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
I said it before, don't specify more than one olcPasswordHash, you've seen first hand that ppolicy will not be happy so I don't understand why you're still trying...
# ldapmodify -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -f /tmp/change
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
So you're saying it succeeds with ldapmodify and fails with slapmodify? Confused here.
Sorry, I cannot explain what's going on: I also tried to replace the schemata.
Certainly can't replace a schema that's compiled in (e.g. most of dynamic config options).
Regards,
Ondřej,
as you might understand, first you try what you think should work, and if it doesn't, you start wild experimenting (while not knowing better) 😉
I read adding it to frontend (olcFrontendConfig) should work (and it's also conforming to the schema I see). However it would not work, so I had opened a support case with SUSE. After more than a week where it wouldn't work, I started some desperate experiments, and according to the schema, olcPasswordHash is also allowed in olcGlobal, and when trying to add it there, it worked (using a single value).
I just retried the test: After loading a fresh cn=config and starting slapd, I could apply
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so
but applying
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
fails with:
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Object class violation (65)
    additional info: attribute 'olcPasswordHash' not allowed
Do I have to add olcFrontendConfig explicitly?
My frontend has (from 2.4):
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
In case this is no longer correct, the upgrade guide for 2.4-to-2.5 should be updated.
Kind regards, Ulrich Windl
-----Original Message----- From: Ondřej Kuzník ondra@mistotebe.net Sent: Friday, March 14, 2025 1:29 PM To: Windl, Ulrich u.windl@ukr.de Cc: openldap-technical@openldap.org Subject: [EXT] Re: Re: Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
Final update:
Once I added " objectClass: olcFrontendConfig" I could apply "olcPasswordHash: {SSHA256}" to "olcDatabase={-1}frontend,cn=config".
Kind regards, Ulrich Windl
-----Original Message----- From: Windl, Ulrich u.windl@ukr.de Sent: Monday, March 17, 2025 9:05 AM To: Ondřej Kuzník ondra@mistotebe.net Cc: openldap-technical@openldap.org Subject: [EXT] RE: Re: Re: Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
On Mon, Mar 17, 2025 at 08:04:30AM +0000, Windl, Ulrich wrote:
but applying
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
fails with:
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Object class violation (65)
    additional info: attribute 'olcPasswordHash' not allowed
Do I have to add olcFrontendConfig explicitly?
Hi Ulrich, yes, I did say that the attribute is allowed by *that* objectClass in particular.
My frontend has (from 2.4):
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
In case this is no longer correct, the upgrade guide for 2.4-to-2.5 should be updated.
It is not currently incorrect to create it as such but it won't allow you to configure important things like you just noticed. As such, it is documented as "required".
It has always (since at least 2007) been added automatically for you if you created one from slapd.conf and apart from one place in the Admin Guide (which I've just corrected), all documentation mentions you should be adding it if creating one manually. If you spot any other examples that don't, please report them and we can fix those too.
So whoever created the configuration must have either created it without reading said documentation or followed the (unfixed) admin guide and they will realise eventually. In the future, we might consider rejecting configurations without olcFrontendConfig, that's when we would note something in the upgrade documentation.
Regards,
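The thread ends up touching three separate pitfalls: a frontend entry created without objectClass olcFrontendConfig (result 65), a scheme whose module is loaded after the olcPasswordHash on cn=config is evaluated ("scheme not available" at startup), and more than one scheme listed (ppolicy result 19). The following is an added example, not code from the thread or from OpenLDAP, that checks all three in one pre-flight pass over a slapcat -n0 dump before any ldapmodify is run, and emits the corrective LDIF (adding olcFrontendConfig only when missing, then a single olcPasswordHash). It goes beyond the thread in also handling a missing target entry and an unknown scheme name. The sample dump is constructed to resemble the 2.4-derived config described above; the pw-sha2 scheme table and the assumption that slapd accepts the objectClass add on that entry in the same modify (the thread does not say how the objectClass was added) are this example's own.

```python
"""Added example (not code from the thread or from OpenLDAP): a pre-flight
check for an olcPasswordHash change, run over a slapcat -n0 dump before
ldapmodify is attempted, plus a generator for the corrective LDIF."""
import re

FRONTEND_DN = "olcDatabase={-1}frontend,cn=config"
# Schemes available without a module, as listed in slapd-config(5) above.
BUILTIN = {"{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}", "{CLEARTEXT}"}
# Schemes provided by pw-sha2.so (this table is the example's own assumption).
PW_SHA2 = {"{SHA256}", "{SSHA256}", "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}"}

# Constructed dump resembling the 2.4-derived config in the thread: the module
# is loaded, but the frontend entry carries only olcDatabaseConfig.
SAMPLE_DUMP = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_mdb.so
olcModuleLoad: {1}pw-sha2.so

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
"""


def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attribute: [values]}}. Folded lines
    (leading space) are joined; base64 '::' values are not needed for this check."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:
            attrs = {}
            for line in lines:
                if not line.startswith("#"):
                    key, _, value = line.partition(":")
                    attrs.setdefault(key.strip(), []).append(value.strip())
            entries[attrs["dn"][0]] = attrs
            lines = []
    return entries


def strip_order(value):
    """Drop the {n} ordering prefix cn=config puts on ordered values."""
    return re.sub(r"^\{-?\d+\}", "", value)


def preflight(entries, target_dn, schemes):
    """Findings for 'olcPasswordHash: schemes' on target_dn; an empty list means go."""
    findings = []
    entry = entries.get(target_dn)
    if entry is None:
        return [f"{target_dn}: entry not found in dump"]
    if target_dn == FRONTEND_DN and "olcFrontendConfig" not in entry.get("objectClass", []):
        findings.append(f"{target_dn}: no objectClass olcFrontendConfig, slapd answers "
                        "(65) attribute 'olcPasswordHash' not allowed")
    if target_dn == "cn=config":
        findings.append("cn=config: evaluated before olcModuleLoad, so a module scheme "
                        "fails at startup with 'scheme not available'; use the frontend")
    if len(schemes) > 1:
        findings.append("more than one scheme: each Password Modify stores one userPassword "
                        "per scheme and ppolicy rejects that with (19)")
    modules = {strip_order(v) for e in entries.values() for v in e.get("olcModuleLoad", [])}
    for scheme in schemes:
        if scheme in PW_SHA2 and not any(m.startswith("pw-sha2") for m in modules):
            findings.append(f"{scheme}: scheme not available, olcModuleLoad pw-sha2.so first")
        elif scheme not in BUILTIN | PW_SHA2:
            findings.append(f"{scheme}: unknown scheme")
    return findings


def corrective_ldif(entries, scheme):
    """Modify LDIF that adds olcFrontendConfig when it is missing (what resolved
    the thread) and then sets exactly one olcPasswordHash. Assumes slapd accepts
    the objectClass add on that entry in the same operation."""
    present = entries.get(FRONTEND_DN, {}).get("objectClass", [])
    out = [f"dn: {FRONTEND_DN}", "changetype: modify"]
    if "olcFrontendConfig" not in present:
        out += ["add: objectClass", "objectClass: olcFrontendConfig", "-"]
    out += ["replace: olcPasswordHash", f"olcPasswordHash: {scheme}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    config = parse_ldif(SAMPLE_DUMP)
    for finding in preflight(config, FRONTEND_DN, ["{SSHA256}", "{SSHA}"]):
        print("finding:", finding)
    print(corrective_ldif(config, "{SSHA256}"))
```

On a live system, replace SAMPLE_DUMP with the output of `slapcat -n0` and run the check before `ldapmodify -Y EXTERNAL -H ldapi:///`; an empty findings list for the frontend DN with a single scheme is the state the thread eventually reached.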
Hi! Update: Today when I reloaded the config and re-applied the LDIFs, it worked! I guess slapd had corrupted the config database in some strange way.
Kind regards, Ulrich Windl
From: Windl, Ulrich u.windl@ukr.de Sent: Thursday, March 13, 2025 3:38 PM To: Windl, Ulrich u.windl@ukr.de; openldap-technical@openldap.org Subject: RE: Trying to set 'olcPasswordHash' I get "ldap_modify: Object class violation (65) additional info: attribute 'olcPasswordHash' not allowed"