Re: How to properly monitor MDB usage

2024-05-08 Thread Clément OUDOT
On Tue 7 May 2024 at 19:32, Benjamin Renard wrote:

>
> @Clément: I also implemented a similar monitoring plugin :)
> (https://exchange.icinga.com/brenard/check_mdb). Don't forget to share
> your works on this great website (and possibly on
> https://exchange.nagios.org) ;)
>
>
Great, thanks for the pointers!


Re: How to properly monitor MDB usage

2024-05-07 Thread Clément OUDOT



On 07/05/2024 at 17:07, Benjamin Renard wrote:

Hi,

I'm looking for the right method to monitor the usage of an MDB 
database according to the limit of its size imposed via the parameter 
olcDbMaxSize. Currently, I am using the following command:


# mdb_stat -e /var/lib/ldap/accesslog/
Environment Info
  Map address: (nil)
  Map size: 4294967296
  Page size: 4096
  Max pages: 1048576
  Number of pages used: 1048572
  Last transaction ID: 24153425
  Max readers: 126
  Number of readers used: 18
Status of Main DB
  Tree depth: 1
  Branch pages: 0
  Leaf pages: 1
  Overflow pages: 0
  Entries: 6

Here, I determine the percentage of database usage with the 
information "Number of pages used" and "Max pages".


This seemed to be a good method, but I noticed that after a 
significant purge of objects in the directory, the number of used 
pages does not seem to decrease.


Is there another and/or better method to monitor this? Failing that, 
is there a solution to release "falsely" used pages, ideally without 
too much downtime of the service (so not a dump/restore)? I read that 
it was possible to use the "mdb_copy -c" command, but I am a little 
concerned about the duration on a database with approximately 
1,000,000 entries.


Thank you in advance.



Hello Benjamin,

if it helps, we have created a monitoring script for this: 
https://ltb-project.org/documentation/check_lmdb_usage.html


--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com
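As an added example (not check_mdb, check_lmdb_usage or any other project's code), here is a parser for the `mdb_stat -e` output quoted above that grades map usage Nagios-style. It also reads the `Free pages` line that `mdb_stat -f` prints: LMDB keeps pages released by a purge on its internal free list for reuse instead of shrinking the map, which is why "Number of pages used" does not drop after deleting entries, and subtracting the free list gives the live usage. Both sample outputs below are constructed (the first copies the thread's figures), and the 80/90 thresholds are this example's own defaults.

```python
"""Usage of an LMDB environment from `mdb_stat` output (added example)."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: the `mdb_stat -e` output quoted in the thread.
SAMPLE_STAT = """\
Environment Info
  Map address: (nil)
  Map size: 4294967296
  Page size: 4096
  Max pages: 1048576
  Number of pages used: 1048572
  Last transaction ID: 24153425
  Max readers: 126
  Number of readers used: 18
Status of Main DB
  Tree depth: 1
  Branch pages: 0
  Leaf pages: 1
  Overflow pages: 0
  Entries: 6
"""

# Constructed: the section `mdb_stat -f` adds, as it might look after a
# large purge.  The high-water mark above is unchanged; the free list is big.
SAMPLE_STAT_WITH_FREELIST = SAMPLE_STAT + """\
Freelist Status
  Tree depth: 2
  Branch pages: 1
  Leaf pages: 40
  Overflow pages: 300
  Entries: 3000
  Free pages: 900000
"""

# mdb_stat label -> field; every other line is ignored.
_FIELDS: Dict[str, str] = {
    "Map size": "map_size",
    "Page size": "page_size",
    "Max pages": "max_pages",
    "Number of pages used": "used_pages",
    "Free pages": "free_pages",
}
_LINE = re.compile(r"^\s*([A-Za-z ]+?):\s+(\d+)\s*$")


@dataclass
class MdbUsage:
    map_size: int
    page_size: int
    max_pages: int
    used_pages: int            # high-water mark: counts freed pages too
    free_pages: Optional[int]  # only present when -f was given

    @property
    def used_percent(self) -> float:
        """The thread's measure: high-water mark over the whole map."""
        return 100.0 * self.used_pages / self.max_pages

    @property
    def live_percent(self) -> float:
        """Pages that actually hold data, free list subtracted."""
        if self.free_pages is None:
            return self.used_percent
        return 100.0 * (self.used_pages - self.free_pages) / self.max_pages


def parse_mdb_stat(text: str) -> MdbUsage:
    found: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) in _FIELDS:
            found[_FIELDS[m.group(1)]] = int(m.group(2))
    missing = [k for k in ("map_size", "page_size", "max_pages", "used_pages")
               if k not in found]
    if missing:
        raise ValueError(f"mdb_stat output lacks {missing}")
    if found["max_pages"] == 0 or found["map_size"] != found["page_size"] * found["max_pages"]:
        raise ValueError("map size does not equal page size * max pages")
    return MdbUsage(found["map_size"], found["page_size"], found["max_pages"],
                    found["used_pages"], found.get("free_pages"))


def evaluate(usage: MdbUsage, warn: float = 80.0, crit: float = 90.0,
             use_live: bool = False) -> Tuple[str, int, str]:
    """Nagios-style verdict (state, exit code, message) at the given thresholds."""
    pct = usage.live_percent if use_live else usage.used_percent
    state, code = "OK", 0
    if pct >= crit:
        state, code = "CRITICAL", 2
    elif pct >= warn:
        state, code = "WARNING", 1
    free = "" if usage.free_pages is None else f", {usage.free_pages} on free list"
    return state, code, (f"{state}: LMDB map {pct:.2f}% used "
                         f"({usage.used_pages}/{usage.max_pages} pages{free})")


def check_environment(path: str, **thresholds) -> Tuple[str, int, str]:
    """Run mdb_stat read-only against a live environment and grade it."""
    out = subprocess.run(["mdb_stat", "-ef", path], check=True,
                         capture_output=True, text=True).stdout
    return evaluate(parse_mdb_stat(out), **thresholds)
```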



Re: Group ACLs

2023-10-04 Thread Clément OUDOT


On 04/10/2023 at 14:46, Emmanuel Seyman wrote:

Hello, all.

I have an instance of OpenLDAP in which I use groups to manage access
controls, similar to the way the FAQ and admin guide describe it.

My DIT layout:

uid=userildr1,ou=people,o=gdAA,dc=example,dc=com
uid=userildr2,ou=people,o=gdAA,dc=example,dc=com
...
cn=readINT,ou=groups,o=gdAA,dc=example,dc=com
cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com
cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com
...
ou=people,o=INT,dc=example,dc=com
...
ou=groups,o=INT,dc=example,dc=com


Outside of the DIT, my slapd.conf file (yes, I know) contains:

access to dn.sub="o=INT,dc=example,dc=com"
 by self write
 by group/groupOfUniqueNames/uniqueMember="cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com" write
 by group/groupOfUniqueNames/uniqueMember="cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com" write
 by group/groupOfUniqueNames/uniqueMember="cn=readINT,ou=groups,o=gdAA,dc=example,dc=com" read

The uid=userildr1,ou=people,o=gdAA,dc=example,dc=com entry is in the readINT
group yet seems unable to run a search. I get an error 50 ("Operations are
restricted to bind/unbind/abandon/StartTLS/modify password") and cannot
figure out why this is happening. If anyone can tell me what's going on,
I would appreciate it.

I'm seeing "config_back_db_open: line 0: warning: cannot assess the validity of
the ACL scope within backend naming context" in the log files but this looks
harmless.

This is OpenLDAP 2.5.14 running on RHEL 8, with the LTB packages.
Logs and the configuration file are available if necessary.



Hello Emmanuel,

the error "Operations are restricted to 
bind/unbind/abandon/StartTLS/modify password" means the account has the 
pwdReset flag set to TRUE and must reset its password. It is linked to 
password policy.



--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


LTB packages available for OpenLDAP 2.5.15 and 2.6.5

2023-07-12 Thread Clément OUDOT

Hello,

for people interested, the LDAP Tool Box project has published the 
packages for OpenLDAP 2.5.15 and 2.6.5.


https://projects.ow2.org/view/ldaptoolbox/ltb-openldap-2-5-15-and-2-6-5-packages-released/

--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: pwdAccountLockedTime does not have any impact

2023-07-11 Thread Clément OUDOT


On 11/07/2023 at 11:41, CVZ wrote:


Hi Everybody,

Sorry, we are fighting with pwdAccountLockedTime.

I want to use "pwdAccountLockedTime" attribute to automatically lock 
an account using OpenLDAP (v.2.5.14). Whatever the value in the field, 
the account is never locked.


I first started by activating the "ppolicy" module using slapadd and a 
ppolicy-module.ldif file such as mentioned here 
"https://stackoverflow.com/questions/49257247/how-to-activate-ppolicy-module-in-openldap", 
then I have checked that the module is loaded and I did not have any 
problem:


$ sudo slapcat -n 0 | grep olcModuleLoad | grep ppolicy
olcModuleLoad: {0}ppolicy


Then, I have extended the LDAP schema to allow the use of ppolicy 
attributes such as "pwdAccountLockedTime".




No need to do that, pwdAccountLockedTime is an operational attribute.


I have set it to "010100Z" in order to lock permanently an 
account (to check if it was working). But I still can connect (using 
LDAP Admin tools) with the account that was supposed to be locked.


We also tried to modify the value

dn: uid=...
replace: pwdAccountLockedTime
pwdAccountLockedTime: 20221021135537Z

And even with dates in the future, but we are still able to connect. 
With whoami command, or from a SOGo webmail connected to the LDAP server.


Any idea?
Thanks in advance for your help.



Check that pwdLockout is set to TRUE in your ppolicy.


--

Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com
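Added example (not OpenLDAP code) modelling the two ppolicy checks discussed in this thread and in the "Group ACLs" thread above: pwdAccountLockedTime only counts when the policy has pwdLockout TRUE, and pwdReset only restricts a session to password changes (result 50) when the policy has pwdMustChange TRUE. The Policy and Account classes, the bind_outcome function and the "success/restricted" label are this example's own names; the timestamps in the test are constructed.

```python
"""What slapo-ppolicy does with an account at bind time (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Value the ppolicy draft reserves for "locked until an administrator
# removes pwdAccountLockedTime".  It is not a parseable date, so it is
# compared as a string before any time arithmetic.
PERMANENT_LOCK = "000001010000Z"

# Diagnostic slapd attaches to operations of a pwdReset session (LDAP
# result 50, as quoted in the "Group ACLs" thread).
RESET_RESTRICTION = ("Operations are restricted to "
                     "bind/unbind/abandon/StartTLS/modify password")


@dataclass
class Policy:                       # attributes of the pwdPolicy subentry
    pwdLockout: bool = False        # honour pwdAccountLockedTime at all
    pwdLockoutDuration: int = 0     # seconds; 0 = until admin unlock
    pwdMustChange: bool = False     # pwdReset TRUE restricts the session


@dataclass
class Account:                      # operational attributes on the entry
    pwdAccountLockedTime: Optional[str] = None   # GeneralizedTime
    pwdReset: bool = False


def parse_generalized_time(value: str) -> datetime:
    """YYYYMMDDHHMMSSZ, as ppolicy writes it, to an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def bind_outcome(policy: Policy, account: Account, now: datetime) -> Tuple[str, str]:
    """Return (bind result, reason).

    "success/restricted" means the bind succeeds but every later operation
    except a password change is refused with unwillingToPerform (50).
    """
    locked = account.pwdAccountLockedTime
    if locked is not None and policy.pwdLockout:
        if locked == PERMANENT_LOCK:
            return "invalidCredentials", "account permanently locked"
        if policy.pwdLockoutDuration == 0:
            return "invalidCredentials", "locked until an administrator unlocks it"
        until = parse_generalized_time(locked) + timedelta(seconds=policy.pwdLockoutDuration)
        if now < until:
            return "invalidCredentials", f"locked until {until:%Y%m%d%H%M%SZ}"
    # With pwdLockout FALSE the lock time is inert: the situation described
    # in this thread, where any value still lets the account bind.
    if policy.pwdMustChange and account.pwdReset:
        return "success/restricted", RESET_RESTRICTION
    return "success", "no ppolicy restriction"
```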


Re: migration 2.4 -> 2.5 (bdb -> mdb) | monitoring & health checks

2023-06-21 Thread Clément OUDOT
On Wed 21 Jun 2023 at 08:39, cYuSeDfZfb cYuSeDfZfb wrote:

> Hi Quanah,
>
> Thanks for your answer and kind suggestions! We will implement them.
>
> And anyone here using zabbix, and has some scripting for monitoring laying
> around..?
>
>
Hello,

we provide some monitoring scripts in LDAP Tool Box project, for example:
https://ltb-project.org/documentation/check_lmdb_usage.html

Clément.


Re: RoleOccupant filter

2023-03-07 Thread Clément OUDOT



On 07/03/2023 at 06:58, forumforeign wrote:

On 06.03.23 19:14, Clément OUDOT wrote:


On 06/03/2023 at 16:13, forumforeign wrote:
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))' 
RoleOccupant
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))' 

'(&(objectClass=organizationalRole)(cn=developer)(uid=user1*))' 
RoleOccupant


How can I change the filter so that it checks whether user1 belongs to the group developer?



Use 
'(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))', 
it will return one entry if the user is a member of the group 
"cn=developer", and no entry otherwise.




Unfortunately it also doesn't work:

$ openldapsearch -v -H ldaps:// -x -b 'dc=domain,dc=com' -W 
-D "cn=vmail,ou=services,dc=domain,dc=com" 
'(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))' 
RoleOccupant

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: 
(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))

# requesting: RoleOccupant
#

# search result
search: 2
result: 0 Success

# numResponses: 1

Also, I have tried (without RoleOccupant at the end)

$ openldapsearch -v -H ldaps:// -x -b 'dc=domain,dc=com' -W 
-D "cn=vmail,ou=services,dc=domain,dc=com" 
'(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))' 




There was a typo in the filter, the attribute of the RDN was missing:

'(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=uid=user1,ou=people,dc=domain,dc=com))' 




--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com
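An added example (not from the thread or from OpenLDAP) building the corrected filter programmatically: roleOccupant is a DN-syntax attribute, so the helper refuses a value whose RDNs lack their attribute type (the typo above) and escapes both values per RFC 4515, so that a role name or DN taken from user input cannot change the filter's structure. The function names and the injection-style sample value in the test are this example's own.

```python
"""Build the roleOccupant membership filter from the thread (added example)."""
import re
from typing import List, Optional

# RFC 4515 section 3: characters escaped as \XX inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One RDN: attribute type (descriptor or OID) "=" value.  Enough to catch a
# missing type such as "user1,ou=people,...", not a full RFC 4514 parser.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=(.*)$")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot close or open filter items."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)


def dn_problem(dn: str) -> Optional[str]:
    """None if every RDN has the form type=value, else a description."""
    if not dn.strip():
        return "empty DN"
    for rdn in split_rdns(dn):
        m = _RDN.match(rdn)
        if not m or m.group(2) == "":
            return f"RDN {rdn!r} is not of the form type=value"
    return None


def role_membership_filter(role_cn: str, user_dn: str) -> str:
    """Filter returning exactly one entry when user_dn occupies role_cn.

    roleOccupant holds DNs, so the value must be the occupant's complete DN
    (uid=user1,ou=people,...); a bare "user1,ou=people,..." matches nothing.
    """
    problem = dn_problem(user_dn)
    if problem:
        raise ValueError(problem)
    return ("(&(objectClass=organizationalRole)"
            f"(cn={escape_filter_value(role_cn)})"
            f"(roleOccupant={escape_filter_value(user_dn)}))")
```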


Re: RoleOccupant filter

2023-03-06 Thread Clément OUDOT



On 06/03/2023 at 16:13, forumforeign wrote:
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))' 
RoleOccupant
'(&(objectClass=organizationalRole)(cn=developer)(uid=user1,ou=people,dc=domain,dc=com))' 

'(&(objectClass=organizationalRole)(cn=developer)(uid=user1*))' 
RoleOccupant


How can I change the filter so that it checks whether user1 belongs to the group developer?



Use 
'(&(objectClass=organizationalRole)(cn=developer)(roleOccupant=user1,ou=people,dc=domain,dc=com))', 
it will return one entry if the user is a member of the group "cn=developer", 
and no entry otherwise.



--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: Checking users password

2022-11-24 Thread Clément OUDOT


On 22/11/2022 at 11:52, Ian Porter wrote:

Hi

I have tried to change a users password either by

ldappasswd -H ldapi:/// -x -D "ADMIN ACCOUNT" -W -S 
"uid=USER,ou=USER,o=ORG"


or via a ldif file with ldapmodify

ldapmodify -H ldap:// -x -D "ADMIN ACCOUNT" -W -f ./password.ldif

dn: uid=USER,ou=USER,o=ORG
changetype: modify
replace: userPassword
userPassword: {SSHA}SSHAPASSWORD HERE

where the ADMIN ACCOUNT / USER etc have been replaced with the ldap 
cn=manager etc, but every time I try to confirm that the password has 
been updated via


ldapwhoami -x -W -D "uid=USER,ou=USER,o=ORG" -H ldapi:///
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

I keep on getting the ldap_bind invalid credentials, I have tested the 
userPassword attribute via the apache directory studio and verified 
the userPassword is correct.


Any advice, please



Why are you using ldapi:// with ldapwhoami and ldap:// with ldapmodify?


Did you check in your ACL that access to userPassword attribute is 
allowed to authenticate users?


--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: Fwd: [OldapWS] -> Proposal of a REST Web Service for CRUD Operations

2022-09-20 Thread Clément OUDOT



On 19/09/2022 at 18:54, Howard Chu wrote:

Forwarding for exposure - any interest?



Hello,

I confirm my interest too.

We are currently working with FusionDirectory which offers a REST API: 
https://rest-api.fusiondirectory.org/


The advantage is that FD has triggers which can be used to run a script 
on entry creation/modification/deletion. But this may be too high-level 
for an OpenLDAP server.


--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: need help to make OpenLDAP work as "this other directory, plus"

2022-06-17 Thread Clément OUDOT



On 16/06/2022 at 09:25, jar...@bioteam.net wrote:

Hi all.

So, I'm trying to basically put a band-aid over an intentionally broken LDAP 
implementation. We use Okta as our single source of truth for directory services, and its 
implementation of LDAP intentionally leaves out uidNumber and gidNumber (and you can't 
change this) in order to force you to use their insanely expensive "Advanced Server 
Access" product. This $9500/yr expense for a minimum of 50 machines is a non-starter 
for the lab project we are trying to get working with LDAP. We're only talking about ~10 
machines here and we very much want them to be ultimately authenticating against Okta for 
their passwords -- because this automatically MFAs them by default, and prevents 
credential proliferation for the services we run in the lab.

So basically what I want to do is set up an LDAP server which passes just about 
everything through to Okta, but keeps consistent uidNumber and gidNumber values 
for each user in Okta who logs in.

I think this is possible either with the "meta" backend or the "ldap" backend 
or both, but I'm not clear on how to configure these. I've followed this guide to get OpenLDAP 
working on a Rocky 8 server: https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/

But that guide does not contain instructions for something like this, and even the 
OpenLDAP documentation is scarce when it comes to configuring backends. e.g.: 
https://www.openldap.org/doc/admin26/backends.html#LDAP even just for LDAP there is no 
indication of how I would introduce the bind DN for the backend LDAP or how it would know 
what to add, and the "meta" backend has no implementation details at all: 
https://www.openldap.org/doc/admin26/backends.html#Metadirectory



Hello Jarett,

another approach would be to create a local OpenLDAP server and 
synchronize it with Okta LDAP server with LSC: https://lsc-project.org/


You will then be able to easily manage local attributes.

--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: Official way to import schema with cn=config

2022-04-04 Thread Clément OUDOT



On 02/04/2022 at 09:33, David Timber wrote:
I had to write my own schema for my application and I was struggling 
to figure out how to import the schema I wrote to cn=config. I had 
thought I was missing something until I found this.


https://gist.github.com/jaseg/8577024

Notice the name of the script. Someone had to write this because 
there's no tool that you can use to import schemas when the slapd is 
configured with cn=config.



Note that the Fusion Directory project provides a utility for this: 
https://manpages.debian.org/bullseye/fusiondirectory-schema/fusiondirectory-insert-schema.1.en.html




You can get away with it by using include directive with slapd.conf.



You can use olcInclude with cn=config.


--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: log analysis tools

2022-02-06 Thread Clément OUDOT
On Sat 5 Feb 2022 at 20:57, Quanah Gibson-Mount wrote:

>
>
> --On Friday, February 4, 2022 10:12 PM -0500 Dave Macias 
>
> wrote:
>
> >
> >
> > https://www.ltb-project.org/documentation/ldap-stats.html
>
> Is that the one I used to help maintain? I don't believe it's been updated
> for 2.5 and later, unless it was forked and someone else has started
> working on it.
>


Hello Quanah,

this is indeed a fork done inside the LTB project, there was no git repo for
this script (or I did not find it). Of course if there are changes in the 2.5
log format, we can update the script.

Clément.


Re: Evolution of slapd 2.5 configuration over time ?

2021-08-26 Thread Clément OUDOT


On 26/08/2021 at 18:13, Howard Chu wrote:

What would be the best practice to update the cn=schema,cn=config entry after 
an upgrade? It seems this schema is only available when we migrate slapd.conf to
cn=config.

The contents of the cn=schema,cn=config entry on disk are mostly irrelevant. 
That entry represents all the hardcoded schema in slapd, so it will always be 
generated in memory with slapd's current schema at runtime.



Oh I discover that, thanks a lot!

Do you know why it is generated when we convert slapd.conf to cn=config? 
It does not seem to have any advantage.


--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: Evolution of slapd 2.5 configuration over time ?

2021-08-26 Thread Clément OUDOT


On 26/08/2021 at 17:24, Howard Chu wrote:

It means that, when upgrading OpenLDAP, the previous configuration may not be 
compatible with the new OpenLDAP version.


False. Additions to the schema are always forward-compatible. Where we have 
renamed objectclasses, we have kept the old name as an alias. So old configs 
will continue to work.



Hello Howard,

thanks a lot for this confirmation.

What would be the best practice to update the cn=schema,cn=config entry 
after an upgrade? It seems this schema is only available when we migrate 
slapd.conf to cn=config.


Maybe it could be interesting to provide an upgrade LDIF file that we 
could use to modify existing configuration?


--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



LTB packages for OpenLDAP 2.4.59 [was: OpenLDAP 2.4.59 available]

2021-06-04 Thread Clément OUDOT

Hello,

LTB packages for OpenLDAP 2.4.59 are now available 
(Debian/Ubuntu/CentOS/RHEL).


More information on 
https://projects.ow2.org/view/ldaptoolbox/ltb-openldap-2-4-59-packages-released/


--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


[Open Source Experience] Call for Papers is open

2021-04-19 Thread Clément OUDOT

Hello,

there will be a big Open Source event in Paris in November. I am part of 
the program committee and would like to know if some of you would be 
interested in submitting talks: https://sessionize.com/opensource-experience/


You can reach me directly if you have some questions on the subject.

Regards,

--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


OpenLDAP LTB packages for 2.4.58 are available

2021-03-25 Thread Clément OUDOT
Hello,

LTB packages for OpenLDAP 2.4.58 are available:
https://projects.ow2.org/view/ldaptoolbox/ltb-openldap-2-4-58-packages-released/

Download: https://ltb-project.org/download#openldap

Thanks to OpenLDAP team and LTB team!

Clément.


Re: Issue on backup on Open LDAP 2.4.38

2021-03-03 Thread Clément OUDOT


On 03/03/2021 at 17:37, pascal.fou...@orange.com wrote:


Hi all

For several weeks, we have met an issue on our test and UA OpenLDAP 
main master servers, version 2.4.38, hosted on Linux Red Hat 6.4:


slapd: [INFO] Using /etc/default/slapd for configuration

slapd: [INFO] Launching OpenLDAP database backup...

slapd: [OK] data saved in 
/var/opt/data/flat/openldap/backups/data-20210303154336.ldif


603fa0ac bdb(cn=changelog): Logging region out of memory; you may need 
to increase its size


603fa0ac hdb_db_open: database "cn=changelog": 
db_open(/var/opt/data/db/openldap/changelog/id2entry.bdb) failed: 
Cannot allocate memory (12).


603fa0ac backend_startup_one (type=hdb, suffix="cn=changelog"): 
bi_db_open failed! (12)


slap_startup failed

slapd: [ALERT] OpenLDAP database backup failed

Once a week, this server is completely updated using a backup sent 
from our production server.


On the backup master server,  backup process runs well.

Any idea how to fix this issue?



It seems clear you have a memory issue. With BDB/HDB, you can change memory 
settings in the DB_CONFIG file located in the data directory (here 
/var/opt/data/db/openldap/changelog/). Adapt the settings 
set_lg_regionmax / set_lg_max / set_lg_bsize.


And obviously you are running an outdated version on an outdated distro. 
The best advice is to use the latest OpenLDAP version and switch to MDB.



--
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



LTB packages (was: OpenLDAP 2.4.57 available)

2021-01-19 Thread Clément OUDOT


On 18/01/2021 at 21:21, proj...@openldap.org wrote:
> OpenLDAP 2.4.57 is now available for download as detailed on our download 
> page:


LDAP Tool Box packages are available for Debian stretch / Debian buster
/ CentOS 7 / CentOS 8

See https://ltb-project.org/download#openldap


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


LTB OpenLDAP 2.4.56 (was:OpenLDAP 2.4.56 available)

2020-11-16 Thread Clément OUDOT
Hello,

Debian and RPM packages are now available on LTB repositories. See
https://ltb-project.org/download#openldap

Clément.


Re: Issues with resetting user password

2020-09-18 Thread Clément OUDOT


On 18/09/2020 at 00:57, Quanah Gibson-Mount wrote:
>
>
> --On Thursday, September 17, 2020 11:41 PM + "CLARKE, ED C"
>  wrote:
>
>>
>> Hello,
>>
>>
>>
>> I am new to this arena, I have a Open LDAP installed on my Linux server
>> RHEL 7.8.
>>
>> I am not able to reset user passwords, I have checked the systemctl
>> status slapd.service And it is active & running.
>>
>> Below is an example of the resetpw.ldif:
>
> Are you using the ppolicy module?  You've provided no information
> about your configuration.
>
> The correct way to change a user password is to use an LDAPv3 password
> modify operation, not an ldapmodify change.  See the ldappasswd(1)
> command.
>

Note that we can't modify the pwdReset attribute through ldappasswd, as far
as I know.

Ed, what is the error returned by your ldapmodify command?


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


LDAP Tool Box packages (was: OpenLDAP 2.4.53 available)

2020-09-09 Thread Clément OUDOT
On Mon 7 Sep 2020 at 17:37,  wrote:
>
> OpenLDAP 2.4.53 is now available for download as detailed on our download 
> page:
>
> https://www.openldap.org/software/download/

LTB packages for OpenLDAP 2.4.53 are also available:
https://projects.ow2.org/view/ldaptoolbox/ltb-openldap-2-4-53-packages-released/

Clément.


OpenLDAP LTB packages (was: OpenLDAP 2.4.52 available)

2020-09-06 Thread Clément OUDOT
On Fri 28 Aug 2020 at 19:46,  wrote:
>
> OpenLDAP 2.4.52 is now available for download

Hello,

LDAP Tool Box packages have been published (see announce:
https://projects.ow2.org/view/ldaptoolbox/ltb-openldap-2-4-52-packages-released/)

We dropped support for Debian Wheezy, Debian Jessie and Centos/RHEL 6
as OpenLDAP 2.4.52 is requiring a version of OpenSSL that is not
available on these systems.

Cheers,

Clément.


Re: Enable and Disable a user account in OpenLDAP using various methods, CLI, GUI, etc.

2020-08-19 Thread Clément OUDOT


On 19/08/2020 at 21:55, Quanah Gibson-Mount wrote:
> --On Wednesday, August 19, 2020 8:50 PM + wbran...@mcw.edu wrote:
>> things, I just need to know this specific task.
>> So if it is possible in OpenLDAP, to disable and enable users can anyone
>> point me to a document or a YouTube Video or any information.
>
> We would need to know how your OpenLDAP instance is configured.  For
> example, if you are using the password policy overlay along with a
> specific password policy that allows for disabling accounts.  If
> you're not doing that, then you likely have to implement something
> that allows this to be done.  For example, a custom attribute that
> tracks the account status, and then an ACL that blocks access to the
> userPassword attribute if an account has been disabled.
>
> I.e., the information you have provided so far doesn't enable us to
> provide you the information necessary.
>

If you use the ppolicy overlay, you can use LTB Service Desk, a Web GUI.
See https://service-desk.readthedocs.io

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: LDAP Tool Box packages [was: OpenLDAP 2.4.51 available, LMDB 0.9.26 available]

2020-08-17 Thread Clément OUDOT
On Mon 17 Aug 2020 at 16:28, Giuseppe De Marco wrote:

> Hi Clément, great job, awesome!
>
> Is there any possibility to have in LTB the SQL backend in future
> releases?
>
> Official Deb packages lack this. It seems a little bit Buffy, so LTB
> would be a great opportunity to have a well supported SQL backend without
> SRC compilations.
>
>
Yes, please open a feature request here:
https://github.com/ltb-project/openldap-deb/issues

Clément.


LDAP Tool Box packages [was: OpenLDAP 2.4.51 available, LMDB 0.9.26 available]

2020-08-17 Thread Clément OUDOT
Hello,

LDAP Tool Box packages for OpenLDAP 2.4.51 are released. They can be
downloaded on https://ltb-project.org/download#openldap or installed
with yum/apt

Thanks again to OpenLDAP team for their great work!

Clément.


Re: [Question]: Looking for updated ppolicy in v2.4.50

2020-06-29 Thread Clément OUDOT

On 29/06/2020 at 16:07, Dave Macias wrote:
> Hello,
>
Hi,


> Using openldap v2.4.50 and noticed that there were some updates
> <https://github.com/openldap/openldap/commit/4bc54d104a9563d35f3d5fc2e69fe7afea36a9d2>
>  which
> were part of the 2.4.50 release.


As far as I know, this is not part of 2.4.50 but planned for 2.5.


>
> I installed openldap but cannot find those new attributes
> (pwdMaxLength, pwdStartTime, etc)
>
> > grep pwdMaxL /etc/openldap/schema/*
> > grep pwdStar /etc/openldap/schema/*
>
> Maybe I am missing something. 
> Could someone please point me in the right direction?
>

You can try to get 2.5 branch and test these new features.


For people interested by this topic, I gave this afternoon a quick talk
about password policy in OpenLDAP:
https://www.slideshare.net/wortekscom/pass-the-salt-2020-understand-password-policy-in-openldap-and-discover-tools-to-manage-it


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: OpenLDAP help - Import issue

2020-05-04 Thread Clément OUDOT

On 04/05/2020 at 11:51, Pranjit Biswas wrote:
>
> This is how password was created ..
>
>  
>
> slappasswd -s test1234
>
> {SSHA}wbMAL5Q8I8yDEfyCaau1irgIgBSqUQAb
>
>  
>
> This SSHA PW has been updated in olcDatabase={2}hdb.ldif.
>
> olcRootPW: {SSHA}wbMAL
>

This is your mistake. You must not directly edit the LDIF files. Use
ldapmodify or export/import your configuration.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: OpenLDAP, systemd and EL 7.7

2020-05-04 Thread Clément OUDOT

On 02/05/2020 at 23:26, Abdelkader Chelouah wrote:
>
> Hello,
>
>
> Since the upgrade to RHEL 7.7, my openldap service with property
> Type=forking and property PIDFile defined doesn't start and its
> status shows the following error messages:
>
>
> May 02 20:02:57  systemd[1]: New main PID 445254 does not belong to
> service, and PID file is not owned by root. Refusing.
>
>
> Actually, slapd is started with -u ldap -g ldap options, so the owner
> of the pid file slapd.pid is ldap. The problem was introduced by 
> systemd-219-67 to fix the security issue CVE-2018-16888. See
> https://access.redhat.com/solutions/4420581 for more details.
>
>
> Is there a way to overcome this issue ?
>
>

Hello,


I just tested with OpenLDAP LTB packages on CentOS 7 (7.8.2003) and 8
(8.1.1911) and there is no issue.

Here is the systemd file:

[root@kptn-centos7 ~]# cat /usr/lib/systemd/system/slapd.service
[Unit]
Description=OpenLDAP LTB startup script
Documentation=https://ltb-project.org/documentation
After=syslog.target network.target

[Service]
Type=forking
PIDFile=/usr/local/openldap/var/run/slapd.pid
ExecStart=/usr/local/openldap/sbin/slapd-cli start
ExecStop=/usr/local/openldap/sbin/slapd-cli stop

[Install]
WantedBy=multi-user.target



-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: OpenLDAP help - Import issue

2020-05-04 Thread Clément OUDOT

On 02/05/2020 at 18:24, Pranjit Biswas wrote:
>
> HI ,
>
>  
>
> We are trying to install openldap.x86_64  - 2.4.44-21.el7_6 on an
> Linux RHEL 7.7 on AWS .
>
>  
>
> We have installed and made changes to the config files and did a
> slaptest of the config file as shown below .
>
>  
>
> [root@efg-ac cn=config]# slaptest -u
>
> 5ea6064f ldif_read_file: checksum error on
> "/etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif"
>
> 5ea6064f ldif_read_file: checksum error on
> "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
>
> config file testing succeeded
>
>  
>
> Now we are importing the ldif file from our current on-prem server .
>
> Even though we were getting different errors earlier , after all the
> changes we have made to the config , the error that we are getting now
> is ldap_bind error for the credentials .
>
>  
>
> [root@efg-dev cn=config]# ldapadd -w * *-x -D
> "cn=Manager,dc=bpost,dc=be" -f ldap_dump-27042020-DEV.ldif
>
> ldap_bind: Invalid credentials (49)
>
>  
>
> We are not sure which password to give here .
>
>  
>
> We have given the same credentials in the config file :
> olcDatabase={2}hdb.ldif
>
> olcRootDN: cn=Manager,dc=bpost,dc=be
>
> olcRootPW: **
>
>  
>

Just to be sure, did you give the password in clear text in ldapadd command?


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



LTB packages for OpenLDAP 2.4.50 (was: OpenLDAP 2.4.50 available)

2020-05-03 Thread Clément OUDOT
Hello,

LDAP Tool Box packages for OpenLDAP 2.4.50 are available for
RedHat/CentOS/Debian/Ubuntu:
https://ltb-project.org/download#openldap

Thanks to David Coutadeur for the Debian packages.

Clément.


Re: 2.4.50 and pw-argon2

2020-04-29 Thread Clément OUDOT


On 29/04/2020 at 11:03, Geert Hendrickx wrote:
> FWIW, the pw-argon2 module does not build on CentOS 6, it needs a newer
> libsodium than the one available in EPEL 6 (that one does not implement
> argon2 yet).
>
> CentOS 7 is fine.
>

I confirm, this will be included in LTB packages for CentOS 7 and CentOS 8.


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: rootdn & password policy

2020-04-15 Thread Clément OUDOT

On 13/04/2020 at 19:34, Hannah Chenh wrote:
> Hello,
> I have a question related to rootdn and password policy.
> I understand that the rootdn can bypass all restrictions.
> We have a requirement to bypass a password policy for the admin user.  
> Is there a way to create the admin user so that this user can have the same 
> privilege as rootdn and I don't need to bind as rootdn in my application?
> Currently I have granted the following to the admin_user:
>  ===
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcAccess
> olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=abcdomain,dc=com" write by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write by * none
> olcAccess: {1}to * by self write by dn.base="cn=Manager,dc=abcdomain,dc=com" write by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write by * read
>
> ===
> Any help would be appreciated.


I have done some tests today, I did not find a solution.

I tried to give the "manage" right to a service account, and then use
the relax or ManageDSAIT controls to force the change of a password
which is too short, it is always rejected. The modification is only
accepted if it is done by rootdn.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: [EXT] Slapd unexpectedly shutdown

2020-04-08 Thread Clément OUDOT


On 07/04/2020 at 23:56, Quanah Gibson-Mount wrote:
>
>
> --On Wednesday, April 8, 2020 12:35 AM +0200 Kevin Olbrich
>  wrote:
>
>> My version is 2.4.49+dfsg-2~bpo10+1 (buster-backports). Should be in
>> there I think.
>> I've now included ppolicy.schema to solve the issue. Tomorrow I will
>> try if the issue is still present.
>
> Ok.  If it still crashes, the best thing to do would be to:
>
> a) Install the debugging symbols package
>
> b) Get a full backtrace under GDB from the running process at the time
> at which it segfaults.
>
> c) Open a bug at https://bugs.openldap.org, include your configuration
> (minus any passwords) and the full backtrace in the bug report.
>

Hello,

we also have quite a similar issue with back-meta, even in 2.4.49, see
https://bugs.openldap.org/show_bug.cgi?id=9098

Maybe these issues are linked.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Re: pwdChangedTime not defined when creating new entry

2020-03-09 Thread Clément OUDOT


On 09/03/2020 at 10:31, Michael Ströder wrote:
> On 3/9/20 10:19 AM, Clément OUDOT wrote:
>> Le 06/03/2020 à 17:47, Quanah Gibson-Mount a écrit :
>>> --On Friday, March 6, 2020 8:47 AM + Manuela Mandache
>>>  wrote:
>>>> Thanks for your answer. Well, if you don't get the same behavior as I
>>>> do,
>>>> it does seem I have a configuration issue. But what configuration issue
>>>> can that be? Where should I look for it?
>>> I might start with seeing if there are noticable differences between
>>> the 2.3 and 2.4 ppolicy man pages.  And perhaps Clément can share the
>>> config he was working with. :)
>> Here is the overlay configuration:
>>
>> dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
>> [..]
>> olcPPolicyHashCleartext: TRUE
> What happens if you set this to FALSE?


I don't see what it could change, as I create the user entry with an
already encrypted password. So ppolicy overlay will not hash the password.


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com


Worteks | https://www.worteks.com




Re: pwdChangedTime not defined when creating new entry

2020-03-09 Thread Clément OUDOT


On 06/03/2020 at 17:47, Quanah Gibson-Mount wrote:
>
>
> --On Friday, March 6, 2020 8:47 AM + Manuela Mandache
>  wrote:
>
>> Hello Clément,
>>
>> Thanks for your answer. Well, if you don't get the same behavior as I
>> do,
>> it does seem I have a configuration issue. But what configuration issue
>> can that be? Where should I look for it?
>>
>> The present dynamic configuration of the directory running on 2.4.44 was
>> obtained through direct conversion of the static configuration of the
>> directory running on 2.3.34 - where the pwdChangedTime is set when I add
>> a new entry with ldapadd.
>
> I might start with seeing if there are noticable differences between
> the 2.3 and 2.4 ppolicy man pages.  And perhaps Clément can share the
> config he was working with. :)


Here is the overlay configuration:

dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
olcPPolicyForwardUpdates: FALSE

The LDIF of the created entry:

dn: uid=testpolicy,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
pwdPolicySubentry: cn=default,ou=ppolicies,dc=example,dc=com
uid: testpolicy
userPassword::
e1NTSEEyNTZ9VyttdTB0eU5LZThnamFDajBaU0J2Tm9MRFJ0anNTbDZqUkk1WTZ
 MREk2V1lSZlhCZ0YvRndBPT0=
sn: test
cn: test


The related ppolicy :

dn: cn=default,ou=ppolicies,dc=example,dc=com
objectClass: device
objectClass: extensibleObject
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdCheckQuality: 1
pwdExpireWarning: 86400
pwdGraceAuthNLimit: 0
pwdInHistory: 4
pwdLockout: TRUE
pwdMaxAge: 31536000
pwdMaxFailure: 3
pwdMinAge: 0
pwdMinLength: 4
pwdMustChange: TRUE
pwdSafeModify: FALSE



-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Re: pwdChangedTime not defined when creating new entry

2020-03-05 Thread Clément OUDOT


On 05/03/2020 at 18:55, Dieter Klünter wrote:
> On Thu, 5 Mar 2020 18:15:41 +0100,
> Clément OUDOT wrote:
>
>> On 05/03/2020 at 10:10, Dieter Klünter wrote:
>>> On Wed, 04 Mar 2020 13:36:08 +,
>>> Manuela Mandache wrote:
>>>  
>>>> Hello all,
>>>>
>>>> We have a directory running on OpenLDAP 2.4.44 with the ppolicy
>>>> overlay on the main database. When a new entry with a userPassword
>>>> defined is created, pwdChangedTime is not defined, so this initial
>>>> userPassword never expires.
>>>>
>>>> The directory has been migrated from its OpenLDAP 2.3.34 instance
>>>> (yes, we missed some steps...), and there the pwdChangedTime is
>>>> set, and naturally equal to createTimestamp.
>>>>
>>>> The overlay is configured as follows:
>>>> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
>>>> objectClass: olcOverlayConfig
>>>> objectClass: olcPPolicyConfig
>>>> olcOverlay: {2}ppolicy
>>>> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
>>>> olcPPolicyHashCleartext: TRUE
>>>> olcPPolicyUseLockout: TRUE
>>>>
>>>> Is there a parameter I missed which would switch on setting
>>>> pwdChangedTime at entry creation? Do I have to provide some other
>>>> configuration elements?
>>>>
>>>> Or is it unreasonable to expect this initialisation of the
>>>> attribute this way, and only a password change can set it? I think
>>>> the setting at creation is rather handy... Using pwdMustChange
>>>> would be difficult, we have a lot of client apps which would be
>>>> forced to check and probably adapt their authentication
>>>> procedures.  
>>> [...]
>>> The password attribute value must be set by a password modify
>>> exented operation in order to set password policy in effect, see man
>>> slapo-ppolicy(5)   
>>
>> Are you sure? The password modify extended operation is required for
>> smbk5pwd overlay, but not for ppolicy overlay?
> From ldappasswd(1)
> ldappasswd
>   uses the LDAPv3 Password Modify (RFC 3062) extended operation.


Agreed, but the question was related to the ppolicy overlay, not to the
ldappasswd command.

When you create an entry, you do it with a standard ADD operation. If
there is a password in the entry, the ppolicy overlay will do its job
and create the pwdChangedTime attribute.


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Re: pwdChangedTime not defined when creating new entry

2020-03-05 Thread Clément OUDOT


On 05/03/2020 at 10:10, Dieter Klünter wrote:
> On Wed, 04 Mar 2020 13:36:08 +,
> Manuela Mandache wrote:
>
>> Hello all,
>>
>> We have a directory running on OpenLDAP 2.4.44 with the ppolicy
>> overlay on the main database. When a new entry with a userPassword
>> defined is created, pwdChangedTime is not defined, so this initial
>> userPassword never expires.
>>
>> The directory has been migrated from its OpenLDAP 2.3.34 instance
>> (yes, we missed some steps...), and there the pwdChangedTime is set,
>> and naturally equal to createTimestamp.
>>
>> The overlay is configured as follows:
>> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
>> objectClass: olcOverlayConfig
>> objectClass: olcPPolicyConfig
>> olcOverlay: {2}ppolicy
>> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
>> olcPPolicyHashCleartext: TRUE
>> olcPPolicyUseLockout: TRUE
>>
>> Is there a parameter I missed which would switch on setting
>> pwdChangedTime at entry creation? Do I have to provide some other
>> configuration elements?
>>
>> Or is it unreasonable to expect this initialisation of the attribute
>> this way, and only a password change can set it? I think the setting
>> at creation is rather handy... Using pwdMustChange would be
>> difficult, we have a lot of client apps which would be forced to
>> check and probably adapt their authentication procedures.
> [...]
> The password attribute value must be set by a password modify exented
> operation in order to set password policy in effect, see man
> slapo-ppolicy(5) 


Are you sure? The password modify extended operation is required for
the smbk5pwd overlay, but not for the ppolicy overlay?

I just tested creating an entry with a password while the ppolicy overlay
is configured, and the pwdChangedTime is indeed created.

You may have a configuration issue.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




LTB Debian and CentOS builds (was: OpenLDAP 2.4.49 available, LMDB 0.9.25 available)

2020-02-07 Thread Clément OUDOT
On Thu, 30 Jan 2020 at 19:27, OpenLDAP project wrote:
>
> OpenLDAP 2.4.49 is now available for download as detailed on our download
> page:

Hello,

LDAP Tool Box packages for Debian and CentOS are now available:
https://ltb-project.org/download#openldap

Clément.



Re: RE24 testing call (2.4.49) LMDB RE0.9 testing call (0.9.25)

2020-01-16 Thread Clément OUDOT


On 13/01/2020 at 18:12, Quanah Gibson-Mount wrote:
> This is the first testing call for OpenLDAP 2.4.49.  Depending on the
> results, this may be the only testing call.
>
> Generally, get the code for RE24:
>
> <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/heads/OPENLDAP_REL_ENG_2_4;sf=tgz>
>
>
> Configure & build.
>
> Execute the test suite (via make test) after it is built.  Optionally,
> cd tests && make its to run through the regression suite.


Hello,

tested on CentOS 7 with LTB build. Test suite works, regression suite
could not be run until the end because I did not have enough disk space
on my virtual machine, but first tests were all ok.


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Re: Is there a way to set a preference on entries with multiple userPassword attributes?

2019-11-26 Thread Clément Oudot

On 2019-11-20 21:40, Jeremy Diaz wrote:


Hello,

Currently I have ldap entries with 2 userPassword attributes. One is a
regular SHA password while the other one delegates to sasl. However this
results in all entries binding through sasl rather than locally. I need
some entries to default to sasl and other entries to default to SHA but
still failover to the other password entry. Is this possible through
openldap?



Hello Jeremy,

I have done some tests. I confirm that you can have 2 userPassword
values, one SASL and the other regular. When you BIND with a password,
it seems all values are tested, and if one matches, then the BIND is
successful. I don't see how you can select an order in the passwords.


But why is it a problem? With this setup, you can use SASL or regular
password for an entry, and the fallback will work.



--
Clément Oudot

Worteks - https://www.worteks.com



Re: OpenLDAP 2.5 plans and community engagement

2019-07-25 Thread Clément OUDOT


On 25/07/2019 at 10:43, Ondřej Kuzník wrote:
> On Thu, Jul 25, 2019 at 10:14:36AM +0200, Clément OUDOT wrote:
>> On 24/07/2019 at 20:01, Ondřej Kuzník wrote:
>>> Let us know what the pain points have been with OpenLDAP when you were just
>>> starting, right now and if you have a suggestion how to make it easier to 
>>> start
>>> using it. Or if you wanted to contribute, has anything discouraged you?
>>> There are things we might not be able to influence easily (LDAP itself can 
>>> be
>>> complex), but a fresh look might help direct efforts in the right direction.
>> thanks a lot for this mail. I hope that I can help OpenLDAP project the
>> best I can.
>>
>> I can work on website or documentation, let me know.
> Hi Clément,
> if you wanted to get started now, website would be the more important of
> the two. The main issue is that if someone's landed there for the first
> time, they expect to find something completely different (latest
> version download link, news, ...?) Don't know what's the best course of
> action, so will leave that up to you and others.
>
> AFAIK the git repo here reflects exactly what is served?
> https://www.openldap.org/devel/gitweb.cgi?p=openldap-www.git
>
> An evolution on the caterpillar might also be considered at some point.
>
> If you wanted to review documentation, pick a task and we can help from
> there :)


Great, I'll do it as soon as possible, but it will be after my vacations ;)


Clément.




Re: OpenLDAP 2.5 plans and community engagement

2019-07-25 Thread Clément OUDOT


On 24/07/2019 at 20:01, Ondřej Kuzník wrote:
> Let us know what the pain points have been with OpenLDAP when you were just
> starting, right now and if you have a suggestion how to make it easier to 
> start
> using it. Or if you wanted to contribute, has anything discouraged you?
> There are things we might not be able to influence easily (LDAP itself can be
> complex), but a fresh look might help direct efforts in the right direction.


Hello Ondřej,

thanks a lot for this mail. I hope that I can help OpenLDAP project the
best I can.

I can work on website or documentation, let me know.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Re: Invalid DN reported during authentication

2019-06-25 Thread Clément OUDOT

On 24/06/2019 at 15:57, Chris K wrote:
> Hello experts,
>

Hello,


> 5d10d347 conn=1048 op=1 do_bind: invalid dn
> (swadm...@openldapsec.brm.acslab.wokyourdog.net
> <mailto:swadm...@openldapsec.brm.acslab.wokyourdog.net>)


Your LDAP client is sending the invalid DN, so the issue is not on
server side. Check your LDAP client configuration.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: ObjectClass auxiliary - Beginner's question

2019-05-21 Thread Clément OUDOT

On 21/05/2019 at 09:33, Olivier - wrote:
> Hi all,
>
>
> I have to re-write a schema but i'm a beginner with this.
> I would like to add some attributes to describe service.
>
> We use a AUXILIARY class to add some attributes :
>
> objectclass ( 1.2.250.1.152.14.2.1.2 NAME 'intService'
>  SUP top  AUXILIARY
> MAY (...))
>
>
> We have  an object using this objectclass and other :
> dn: idService=196018, dmdName=Services, dc=fr
> objectClass: intService
> objectClass: organizationalUnit
>
> Now i would like to transform this object in static group so I use
> GroupOfnames and I got this error :
>
> Object class violation (65)
> additional info: invalid structural object class chain
> (organizationalUnit/groupOfNames)
>
>
> Why can't I use groupOfNames with organizationalUnit ? Or is it
> another problem ?



This is a schema restriction, you can't mix structural object classes
inside an entry (unless they belong to the same chain, like
person/organizationalPerson/inetOrgPerson).


So you can't have groupOfNames and organizationalUnit. Choose one of them.


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com
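The chain rule above is easy to test offline. The following is an added example written for this page (it is not code from the thread or from OpenLDAP): it reproduces slapd's structural-class check over a hand-written subset of core.schema, inetorgperson.schema and ppolicy.schema, with `intService` declared the way the poster showed it (SUP top AUXILIARY).

```python
# Added example: reproduce slapd's "invalid structural object class chain"
# check offline.  SCHEMA is a hand-written subset (kind, SUP) of core.schema,
# inetorgperson.schema and ppolicy.schema; intService is the poster's own
# auxiliary class as shown in the thread.
SCHEMA = {
    "top":                  ("ABSTRACT",   None),
    "person":               ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson":        ("STRUCTURAL", "organizationalPerson"),
    "organizationalUnit":   ("STRUCTURAL", "top"),
    "groupOfNames":         ("STRUCTURAL", "top"),
    "device":               ("STRUCTURAL", "top"),
    "extensibleObject":     ("AUXILIARY",  "top"),
    "pwdPolicy":            ("AUXILIARY",  "top"),
    "intService":           ("AUXILIARY",  "top"),
}


def superior_chain(oc):
    """All classes from oc up to top, following SUP."""
    chain = []
    while oc is not None:
        chain.append(oc)
        oc = SCHEMA[oc][1]
    return chain


def structural_class(object_classes):
    """Return the entry's structural object class (the most specific one).

    Every STRUCTURAL class listed must lie on that class's SUP chain; if not,
    raise ValueError with the same wording slapd uses (result 65,
    objectClassViolation).  Unknown classes raise KeyError.
    """
    structural = [oc for oc in object_classes if SCHEMA[oc][0] == "STRUCTURAL"]
    if not structural:
        raise ValueError("no structural object class provided")
    for candidate in structural:
        chain = set(superior_chain(candidate))
        if all(oc in chain for oc in structural):
            return candidate
    raise ValueError("invalid structural object class chain (%s)" % "/".join(structural))


def violates(object_classes):
    """True when slapd would reject the entry with objectClassViolation."""
    try:
        structural_class(object_classes)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # The poster's entry before and after adding groupOfNames.
    print(structural_class(["intService", "organizationalUnit"]))
    print(violates(["intService", "organizationalUnit", "groupOfNames"]))
    # A chain is fine: inetOrgPerson is below organizationalPerson and person.
    print(structural_class(["top", "person", "organizationalPerson", "inetOrgPerson"]))
```

The auxiliary classes (intService, extensibleObject, pwdPolicy) never take part in the check, which is why the fix is to pick one structural class (organizationalUnit or groupOfNames) and keep the service attributes in the auxiliary class.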



Re: Issue with OpenLDAP as a proxy to multiple Windows DCs backends

2019-05-10 Thread Clément OUDOT

On 10/05/2019 at 12:27, David Sanchez Herrero wrote:
> Hello Clement,
>
> Thank you for your answer. I tried some of these parameters before
> with no success. I can't remember exactly which values I tried
> because I tested them a few weeks ago, so I checked them again with
> this configuration, and I have the same wrong behaviour as without them:
>

You can maybe try the quarantine :


   quarantine <interval>,<num>[;<interval>,<num>[...]]
          Turns on quarantine of URIs that returned LDAP_UNAVAILABLE, so
          that an attempt to reconnect only occurs at given intervals
          instead of any time a client requests an operation. The pattern
          is: retry only after at least interval seconds elapsed since
          last attempt, for exactly num times; then use the next pattern.
          If num for the last pattern is "+", it retries forever;
          otherwise, no more retries occur. This directive must appear
          before any target specification; it affects all targets with the
          same pattern.



-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: Issue with OpenLDAP as a proxy to multiple Windows DCs backends

2019-05-10 Thread Clément OUDOT

On 09/05/2019 at 12:10, David Sanchez Herrero wrote:
> Hello all,
>
> I'm having an issue with the configuration of an OpenLDAP working as a
> proxy to various Active Directory backends. The OpenLDAP proxy is in
> our network
> and we have various VPN to connect it to the remote Windows Domain
> Controllers (5 remote Domain Controllers of different customers, each
> one managing its own domain).
>
> To configure the proxy, we use the META database.
>
> When all the Domain Controllers are up, everything works fine, but
> when one of them goes down (network problems, a machine reboot, etc.),
> the web app that uses the OpenLDAP proxy
> stops authenticating all users of all domains. The system process
> even hangs, and when you try to stop or restart the service,
> it takes a long time to respond. I can't find a way to force a short
> timeout to ignore the offline DC and let the users of the other
> domains to continue working.
>
> The server OS is CentOS Linux release 7.4.1708 (Core), and the
> OpenLDAP version 2.4.44.
>
> To check if this is an issue of this old version, I have deployed
> another server with Fedora 30 and OpenLDAP 2.4.47, but same behaviour,
> so it's probably a configuration problem.
>
> Below are the slapd.conf file I'm using (with no private data). Any
> ideas about what to change in the configuration file?
>
> Thanks in advance and best regards, David.



Hello David,


you should try to configure some timeout to cut connections to failing
AD. From "man slapd-meta" :


   bind-timeout <microseconds>
          This directive defines the timeout, in microseconds, used when
          polling for response after an asynchronous bind connection. The
          initial call to ldap_result(3) is performed with a trade-off
          timeout of 10 us; if that results in a timeout exceeded,
          subsequent calls use the value provided with bind-timeout. The
          default value is used also for subsequent calls if bind-timeout
          is not specified. If set before any target specification, it
          affects all targets, unless overridden by any per-target directive.

   idle-timeout <time>
          This directive causes a cached connection to be dropped and
          recreated after it has been idle for the specified time. The
          value can be specified as

          [<d>d][<h>h][<m>m][[<s>]s]

          where <d>, <h>, <m> and <s> are respectively treated as days,
          hours, minutes and seconds. If set before any target
          specification, it affects all targets, unless overridden by any
          per-target directive.

   keepalive <idle>:<probes>:<interval>
          The keepalive parameter sets the values of idle, probes, and
          interval used to check whether a socket is alive; idle is the
          number of seconds a connection needs to remain idle before TCP
          starts sending keepalive probes; probes is the maximum number of
          keepalive probes TCP should send before dropping the connection;
          interval is the interval in seconds between individual keepalive
          probes. Only some systems support the customization of these
          values; the keepalive parameter is ignored otherwise, and
          system-wide settings are used.

   network-timeout <seconds>
          Sets the network timeout value after which poll(2)/select(2)
          following a connect(2) returns in case of no activity. The value
          is in seconds, and it can be specified as for idle-timeout. If
          set before any target specification, it affects all targets,
          unless overridden by any per-target directive.



You can maybe give a try to "network-timeout" first.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com
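A worked slapd.conf fragment combining those directives, added here as an example (it is neither David's configuration nor part of the OpenLDAP documentation). The suffixes, host names and DNs are placeholders; the numeric values are starting points to tune, not recommendations from the thread.

```conf
# Added example: back-meta proxy in front of several AD domains, with the
# slapd-meta(5) timeouts and quarantine set so that one unreachable DC does
# not block operations on the other targets.  All names are placeholders.
database        meta
suffix          "dc=proxy,dc=example,dc=com"
rootdn          "cn=proxyadmin,dc=proxy,dc=example,dc=com"
# rootpw omitted here: generate a hashed value with slappasswd, never store
# cleartext in slapd.conf.

# Global directives: they must come before the first "uri" and apply to every
# target unless a per-target directive overrides them.
# Give up on connect() after 5 seconds instead of blocking the operation.
network-timeout 5
# Wait at most 5 seconds (the value is in microseconds) for an async bind result.
bind-timeout    5000000
# Drop and recreate cached connections that have been idle for 5 minutes.
idle-timeout    5m
# TCP keepalive: idle 60 s, 3 probes, 10 s apart (ignored where the OS does
# not allow per-socket tuning).
keepalive       60:3:10
# After a target returns LDAP_UNAVAILABLE, retry it only every 10 s for 3
# attempts, then every 60 s forever, instead of on every client operation.
quarantine      10,3;60,+

# One target per customer domain; the naming context of each URI must be
# below the proxy suffix and is rewritten to the real AD suffix.
uri             "ldap://dc1.customer-a.example/dc=customer-a,dc=proxy,dc=example,dc=com"
suffixmassage   "dc=customer-a,dc=proxy,dc=example,dc=com" "dc=customer-a,dc=local"

uri             "ldap://dc1.customer-b.example/dc=customer-b,dc=proxy,dc=example,dc=com"
suffixmassage   "dc=customer-b,dc=proxy,dc=example,dc=com" "dc=customer-b,dc=local"
```

slapd.conf only accepts full-line comments, so the explanations sit on their own lines. The quarantine is what stops a dead DC from being probed on every request once the network-timeout has detected it; without it each client operation still pays the connect timeout for the offline target.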



Re: Open LDAP - How to define an additionnal "uid" like attribute equivalent to a RDMS unique key index

2019-05-02 Thread Clément OUDOT


On 30/04/2019 at 21:02, Michael Ströder wrote:
> On 4/30/19 12:20 PM, pascal.fou...@orange.com wrote:
>> =>  extented flags
>>
>> https://ldapwiki.com/wiki/Extended%20Flags
> Most of these attribute type description extensions are not relevant for
> OpenLDAP at all.
>
>> I've tried several configurations such as :
>> - define xuid attribute using uid as a parent attribute type
>>
>> olcAttributeTypes: {76}( ORANGE-AT:77 NAME 'xuid' SUP uid EQUALITY
>> caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )
> You should *not* use SUP uid unless you're 100% sure about its
> implications regarding matching rules also affecting index use and
> slapo-unique.
>
>> - define xuid attribute using uid as a parent attribute type with
>> additional extended flags
>>
>> olcAttributeTypes: {76}( ORANGE-AT:77 NAME 'xuid' SUP uid EQUALITY
>> caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
>> 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE X-NDS_NAME 'uniqueID'
>> X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '64' X-NDS_PUBLIC_READ '0'
>> X-NDS_NONREMOVABLE '0' )
> Everything starting with X-NDS only applies to Novell eDirectory (or
> whatever it's called today) and thus is useless.
>
> For the rest see (as Quanah suggested):
> https://www.openldap.org/software/man.cgi?query=slapo-unique


Hello,

as said by others, you indeed need to configure the unique overlay. You
can also have a look to constraint overlay to add other checks, like
regexp or size.

https://www.openldap.org/software/man.cgi?query=slapo-constraint


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Re: reverse search in dymanic group ?

2019-04-08 Thread Clément OUDOT

On 05/04/2019 at 19:18, Martin Pittamitz wrote:
> On 05/04/2019 16:33, Clément OUDOT wrote:
>>
>>
>> On 05/04/2019 at 10:36, Olivier - wrote:
>>> Hi all,
>>>
>>
>> Hello,
>>
>>
>>> I'm testing static group and dynamic group.
>>>
>>>   * Dynamic group : is it possible to do reverse search in dynamic
>>> group  ? I read something about the "ismemberof" attribute and
>>> /ds-virtual-static-group/. But i'm not sure we can do it with
>>> openldap
>>>
>>
>> Not with dynlist overlay, but you could try autogroup overlay with
>> memberof overlay. The autogroup overlay will build static groups
>> through a memberUrl.
>>
>>
>>
>>>  *
>>>
>>>
>>>
>>>
>>>   * Static group seems to be fine for me. I have a newbie's question :
>>> can we have , for example, the mail attribute of all members of
>>> service Y in only one request  ?
>>> I mean : make a request on service Y to have member's list and ,
>>> in the same action , have the member's mail.
>>>
>>
>> You could do it by using the "deref" search extended control.
>>
>>
>>
>> -- 
>> Clément Oudot | Identity Solutions Manager
>>
>> clement.ou...@worteks.com
>>
>> Worteks | https://www.worteks.com
>
> Hi,
>
>
> I have implemented a setup like that ("autogroup" and "memberof"
> overlay, modified dynlist schema to include "member" attribute).
>
>
> Everything is working, except for the memberOf attribute in
> combination with autogroup and a groupOfURLs.
>
>
> E.g. I can list all the members of an autogroup fine if I search for
> the group, but if I request the memberOf for a certain uid, only the
> non-autogroup groups are returned.
>
>
> According to the bits of documentation I could find, everything should
> be setup correctly, but the memberOf is never set for autogroups.
>
>
> From #openldap I got the information that this should be working,
> theoretically, ... see this thread, which describes exactly my use
> case with the same problems surfacing:
>
> http://www.openldap.org/lists/openldap-bugs/201407/msg00040.html
>
>
> Any insights on this?
>


Hello,


it seems to work if you set memberOf overlay after autogroup overlay:


dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcAutomaticGroups
objectClass: olcOverlayConfig
olcOverlay: {9}autogroup
olcAGattrSet: {0}groupOfURLs memberURL member

dn: olcOverlay={10}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {10}memberof
olcMemberOfGroupOC: groupOfURLs
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: reverse search in dymanic group ?

2019-04-05 Thread Clément OUDOT

On 05/04/2019 at 10:36, Olivier - wrote:
> Hi all,
>

Hello,


> I'm testing static group and dynamic group.
>
>   * Dynamic group : is it possible to do reverse search in dynamic
> group  ? I read something about the "ismemberof" attribute and
> /ds-virtual-static-group/. But i'm not sure we can do it with openldap
>

Not with dynlist overlay, but you could try autogroup overlay with
memberof overlay. The autogroup overlay will build static groups through
a memberUrl.



>  *
>
>
>
>
>   * Static group seems to be fine for me. I have a newbie's question :
> can we have , for example, the mail attribute of all members of
> service Y in only one request  ?
> I mean : make a request on service Y to have member's list and ,
> in the same action , have the member's mail.
>

You could do it by using the "deref" search extended control.



-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: LDAP authentication with just sAMAccountName

2019-03-12 Thread Clément OUDOT

On 12/03/2019 at 14:34, Florea, Cosmin Petre wrote:
>
> Hi,
>
> In the meantime, i learned from the DirectoryEntry's source file that
> an anonymous bind is made first to  URL "LDAP://RootDSE", then the
> name of the domain is read from property "defaultNamingContext", then
> a second bind with sAMAccountName@domain is made. The problem is that
> i don't know how to do it with OpenLDAP API. Do you have any examples?
>

You should read ITS 8973: http://www.openldap.org/its/index.cgi?findid=8973

A change in OpenLDAP 2.4.47 prevents the use of the C# DirectoryEntry /
DirectorySearcher objects. You need to use
System.DirectoryServices.Protocols to query an OpenLDAP directory.


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: Expected operation of pwdFailureCountInterval

2019-02-27 Thread Clément OUDOT


On 27/02/2019 at 04:05, Tom Jay wrote:
> Hello,
>
> Can someone explain the expected operation of the
> pwdFailureCountInterval attribute please? The documentation seems to
> be fairly clear, but if I add it to the password policy, along with
> some other attributes, the account remains locked, even after the
> pwdFailureCountInterval time. Despite authenticating with a valid
> password, the pwdFailureTime entries remain and the account remains
> locked.
>
> These are the attributes in use:
> pwdLockout: TRUE
> pwdMaxFailure: 5
> pwdFailureCountInterval: 1200


Hello Tom,

if you read the documentation, you will see that you need to configure
pwdLockoutDuration to set the time during which the account is locked.


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com
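To make the interaction between the two intervals concrete, here is an added example written for this page (not code from the thread or from OpenLDAP) that evaluates the lockout state of an entry offline from the operational attributes slapd stores on it, following the semantics of pwdMaxFailure, pwdFailureCountInterval, pwdLockout and pwdLockoutDuration in slapo-ppolicy(5). The entries and policies are constructed; Tom's values (pwdMaxFailure 5, pwdFailureCountInterval 1200) are reused, once without and once with pwdLockoutDuration.

```python
# Added example: evaluate slapo-ppolicy lockout state offline from the
# operational attributes slapd stores on an entry.  The entries and policies
# below are constructed for this example; GeneralizedTime values are written
# the way ppolicy writes them (YYYYmmddHHMMSSZ, UTC).
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime such as 20190227040500Z (fraction ignored)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def counted_failures(entry, policy, now):
    """pwdFailureTime values that still count toward pwdMaxFailure.

    With pwdFailureCountInterval 0 (or absent) only a successful bind clears
    them; otherwise slapd purges failures older than the interval.
    """
    times = [parse_generalized_time(t) for t in entry.get("pwdFailureTime", [])]
    interval = policy.get("pwdFailureCountInterval", 0)
    if interval > 0:
        cutoff = now - timedelta(seconds=interval)
        times = [t for t in times if t > cutoff]
    return times


def lockout_state(entry, policy, now):
    """Return (locked, reason) for an entry under a pwdPolicy subentry.

    entry:  dict with optional 'pwdFailureTime' (list) and 'pwdAccountLockedTime'.
    policy: dict with pwdLockout (bool), pwdMaxFailure, pwdFailureCountInterval
            and pwdLockoutDuration (seconds; 0 or absent = until admin unlock).
    """
    if not policy.get("pwdLockout", False):
        return False, "pwdLockout is FALSE: failures are recorded but never lock the account"

    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at:
        duration = policy.get("pwdLockoutDuration", 0)
        if duration <= 0:
            return True, "locked until an administrator removes pwdAccountLockedTime"
        unlock_at = parse_generalized_time(locked_at) + timedelta(seconds=duration)
        if now < unlock_at:
            return True, "locked until %s" % unlock_at.strftime("%Y%m%d%H%M%SZ")
        return False, "pwdLockoutDuration has elapsed; a correct password is accepted again"

    remaining = policy.get("pwdMaxFailure", 0) - len(counted_failures(entry, policy, now))
    return False, "not locked; %d more failures before lockout" % max(remaining, 0)


# Constructed data: the policy from the question (no pwdLockoutDuration) and
# the same policy with a 10 minute lockout.
POLICY_NO_DURATION = {"pwdLockout": True, "pwdMaxFailure": 5, "pwdFailureCountInterval": 1200}
POLICY_WITH_DURATION = dict(POLICY_NO_DURATION, pwdLockoutDuration=600)

LOCKED_ENTRY = {
    "pwdFailureTime": ["20190227035800Z", "20190227035900Z", "20190227035930Z",
                       "20190227035950Z", "20190227040000Z"],
    "pwdAccountLockedTime": "20190227040000Z",
}
NOW = parse_generalized_time("20190227050000Z")   # one hour after the lock

if __name__ == "__main__":
    print(lockout_state(LOCKED_ENTRY, POLICY_NO_DURATION, NOW))
    print(lockout_state(LOCKED_ENTRY, POLICY_WITH_DURATION, NOW))
    print(len(counted_failures(LOCKED_ENTRY, POLICY_NO_DURATION, NOW)))
```

An hour after the lock, the counter has been purged (all five pwdFailureTime values are older than 1200 s) but the account is still locked under the first policy, because pwdFailureCountInterval only governs the failure counter, while the lock itself lasts pwdLockoutDuration, and a missing or zero pwdLockoutDuration means "until an administrator unlocks".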




Re: Re: Re: Forbidden account password reuse of the last 5 password

2019-02-15 Thread Clément OUDOT
On 15/02/2019 at 04:08, Tian Zhiying wrote:
>
> Clément Oudot,
>
>  
>
> Thank you.
>
> I have changed the rootdn from root to another user, it's still not
> working. I can modify the user password to the same value as before.
>
>  
>

First check that you are sending your password in cleartext, so that
OpenLDAP can check the syntax and compare it to the passwords in history.

You might need to set pwdCheckQuality to 1 or 2 in your ppolicy, but I
am not sure it is required to check history. It is needed to check
password length and other checks from the optional password checker module.

-- 

Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Clément OUDOT

On 14/02/2019 at 12:17, Tian Zhiying wrote:
>
> But it seems not working, my password is following:
>
> First time password: AAbb1122
>
> Second time password: CCdd3344
>
> *Third time password: AAbb1122, same with the first time password, it
> has been modified successfully.*
>

Check that the password modification is not done by the rootdn, as the
rootdn is bypassing password policy constraints.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: OpenLDAP 2.4.47 available, LMDB 0.9.23 available

2019-01-08 Thread Clément OUDOT
Hello,

for information, LDAP Tool Box packages for OpenLDAP 2.4.47 are available:
* https://ltb-project.org/documentation/openldap-rpm
* https://ltb-project.org/documentation/openldap-deb

Thanks a lot to OpenLDAP community for this great software!


Clément.



Re: Password policy messages - how can I pass back

2018-10-11 Thread Clément OUDOT



On 10/10/2018 at 20:16, Ervin Hegedüs wrote:
> Hi there,

Hello,


>
>
>
> I mean:
>
> # /usr/bin/ldappasswd -H ldaps://dev-ldap-01 -w "secret" -D 
> "UID="dminuser,dc=hu" -s "abcdefghijkl" "uid=airween,ou=Users,dc=hu" 
> Result: Constraint violation (19)
>
> There isn't any detailed information, what's the reason why the
> policy module drops the request, but I can see that in the logfile:
>
> Oct 10 20:05:21 dev-ldap-01 slapd[16312]: check_password_quality: module 
> error: (pwdCheckModule-poc.so) Passwords less than 16 characters require at 
> least 3 traits (upper case, lower case, digits, or special characters).[1]
> Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: conn=1742 op=1 p=3
> Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: err=19 matched="" 
> text="Passwords less than 16 characters require at least 3 traits (upper 
> case, lower case, digits, or special characters)"


With LDAP clients like ldappasswd, you need to send the ppolicy client
control with "-e ppolicy".

> Note, that in PHP side I'm using:
>
> ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $_err);
>
> and $_err variable is empty.


This should be possible in PHP 7.3, see
https://bugs.php.net/bug.php?id=69437



-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com
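What the client gets back when it does send that control is a Password Policy response control with a structured error code, which is the value a client can act on without parsing free text. The following is an added example written for this page (not code from the thread or from OpenLDAP) that decodes that control value; its BER layout follows draft-behera-ldap-password-policy as implemented by slapo-ppolicy, and the sample control values are constructed by hand.

```python
# Added example: decode the Password Policy response control
# (1.3.6.1.4.1.42.2.27.8.5.1) that slapd attaches to the result when the
# client sent the request control (ldappasswd -e ppolicy, or a ppolicy-aware
# client library).  Layout, per draft-behera-ldap-password-policy:
#   SEQUENCE {
#     warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#     error   [1] ENUMERATED OPTIONAL }
# The sample control values below are constructed for this example.

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Read one BER tag-length-value (short or long form length)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Return a dict with any of 'timeBeforeExpiration', 'graceAuthNsRemaining', 'error'."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    result = {}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                     # warning: explicitly tagged CHOICE
            wtag, wval, _ = _read_tlv(inner, 0)
            if wtag not in (0x80, 0x81):
                raise ValueError("unexpected warning tag 0x%02x" % wtag)
            key = "timeBeforeExpiration" if wtag == 0x80 else "graceAuthNsRemaining"
            result[key] = int.from_bytes(wval, "big", signed=True)
        elif tag == 0x81:                   # error: ENUMERATED
            code = int.from_bytes(inner, "big", signed=True)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in ppolicy response" % tag)
    return result


# Constructed samples: the structured reason behind a "Constraint violation
# (19)" from a password checker, and a warning that the password expires in
# 86400 seconds.
SAMPLE_QUALITY_ERROR = bytes.fromhex("30 03 81 01 05")
SAMPLE_EXPIRY_WARNING = bytes.fromhex("30 07 a0 05 80 03 01 51 80")

if __name__ == "__main__":
    print(decode_ppolicy_response(SAMPLE_QUALITY_ERROR))
    print(decode_ppolicy_response(SAMPLE_EXPIRY_WARNING))
```

The human-readable text ("Passwords less than 16 characters require ...") travels in the diagnosticMessage of the LDAP result, which is a separate field from the control; a client library that exposes the response controls gets both.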




Using ppolicy and autogroup to apply policy to a group a users

2018-10-08 Thread Clément OUDOT
Hello,

we often have the question on this list: how to apply a policy to a branch
or a group of users?

I was thinking we could use autogroup with this kind of configuration:

dn: olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcAutomaticGroups
objectClass: olcOverlayConfig
olcOverlay: {9}autogroup
olcAGattrSet: pwdPolicy memberUrl seeAlso
olcAGmemberOfAd: pwdPolicySubentry

The goal is to have a memberUrl inside a pwdPolicy object, that can
target accounts that need to have this policy. For example:

dn: cn=default,ou=ppolicies,dc=example,dc=com
changetype: modify
replace: memberURL
memberURL: ldap:///ou=users,dc=example,dc=com??one?(uid=user*)

The autogroup "olcAGattrSet" is working well, I can see the seeAlso
values. But the "olcAGmemberOfAd" does not seem to be applied.

I don't know if this is a conflict with ppolicy overlay, or other
overlays (dynlist, memberof). I attach a full debug log, maybe you can
find what is going wrong. We see that the
"autogroup_member_search_modify_cb" function is called, but the user entry
is not modified.

Do you think this configuration could work?

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com

5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
5bbb13cb slap_listener_activate(7): 
5bbb13cb daemon: epoll: listen=7 busy
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb >>> slap_listener(ldap://127.0.0.1:389)
5bbb13cb daemon: listen=7, new connection on 14
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
5bbb13cb daemon: added 14r (active) listener=(nil)
5bbb13cb conn=1001 fd=14 ACCEPT from IP=127.0.0.1:36418 (IP=127.0.0.1:389)
5bbb13cb daemon: activity on 2 descriptors
5bbb13cb daemon: activity on: 14r
5bbb13cb daemon: read active on 14
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb connection_get(14)
5bbb13cb connection_get(14): got connid=1001
5bbb13cb connection_read(14): checking for input on id=1001
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
ber_get_next
ldap_read: want=8, got=8
  :  30 2c 02 01 01 60 27 020,...`'.  
ldap_read: want=38, got=38
  :  01 03 04 1a 63 6e 3d 61  64 6d 69 6e 2c 64 63 3d   cn=admin,dc=  
  0010:  65 78 61 6d 70 6c 65 2c  64 63 3d 63 6f 6d 80 06   example,dc=com..  
  0020:  73 65 63 72 65 74  secret
ber_get_next: tag 0x30 len 44 contents:
ber_dump: buf=0x7f293010a580 ptr=0x7f293010a580 end=0x7f293010a5ac len=44
  :  02 01 01 60 27 02 01 03  04 1a 63 6e 3d 61 64 6d   ...`'.cn=adm  
  0010:  69 6e 2c 64 63 3d 65 78  61 6d 70 6c 65 2c 64 63   in,dc=example,dc  
  0020:  3d 63 6f 6d 80 06 73 65  63 72 65 74   =com..secret  
5bbb13cb op tag 0x60, time 1538986955
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5bbb13cb conn=1001 op=0 do_bind
5bbb13cb daemon: activity on 1 descriptor
5bbb13cb daemon: activity on:
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f293010a580 ptr=0x7f293010a583 end=0x7f293010a5ac len=41
  :  60 27 02 01 03 04 1a 63  6e 3d 61 64 6d 69 6e 2c   `'.cn=admin,  
  0010:  64 63 3d 65 78 61 6d 70  6c 65 2c 64 63 3d 63 6f   dc=example,dc=co  
  0020:  6d 80 06 73 65 63 72 65  74m..secret 
ber_scanf fmt (m}) ber:
ber_dump: buf=0x7f293010a580 ptr=0x7f293010a5a4 end=0x7f293010a5ac len=8
5bbb13cb daemon: epoll: listen=7 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=8 active_threads=0 tvp=NULL
5bbb13cb daemon: epoll: listen=9 active_threads=0 tvp=NULL
  :  00 06 73 65 63 72 65 74..secret  
5bbb13cb >>> dnPrettyNormal: 
=> ldap_bv2dn(cn=admin,dc=example,dc=com,0)
<= ldap_bv2dn(cn=admin,dc=example,dc=com)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=example,dc=com)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=example,dc=com)=0 
5bbb13cb <<< dnPrettyNormal: , 
5bbb13cb conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
5bbb13cb do_bind: version=3 dn="cn=admin,dc=example,dc=com" method=128
5bbb13cb ==> mdb_bind: dn: cn=admin,dc=example,dc=com
5bbb13cb conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
5bbb13cb do_bind: v3 bind: "cn=admin,dc=example,dc=com" to "cn=admin,dc=example,dc=com"
5bbb13cb send_ldap_result: conn=1001 op=0 p=3
5bbb13cb send_ldap_result: err=0 matched="" text=""
5bbb13cb => mdb_entry_get: ndn: "cn=admin,dc=

Re: Trigger-like function

2018-09-23 Thread Clément OUDOT



Le 23/09/2018 à 21:22, Ervin Hegedüs a écrit :
> Hi,
>
> On Thu, Sep 20, 2018 at 02:11:43PM +0100, Howard Chu wrote:
>> Ervin Hegedüs wrote:
>>> Hi,
>>>
>>> as I described in my previous thread[1], I have a web frontend
>>> tool, where user can modify its own password - here the password
>>> is a set of passwd attributes: userPassword, sambaNTPassword,
>>> sambaLMPassword.
>>>
>>> Is there any way that when I give access to users to modify its
>>> own password, and the user wants to modify it through LDAP(S),
>>> instead of out web frontend, the samba passwords also updated
>>> (with correct hash algorithm)?
>> Use the smbk5pwd overlay.
>
> I've tried it:
>
> dn: cn=module,cn=config
> cn: module
> objectClass: olcModuleList
> olcModulePath: /usr/lib/ldap/
> olcModuleLoad: smbk5pwd
>
>
> dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
> changetype: add
> objectClass: olcSmbK5PwdConfig
> objectClass: olcOverlayConfig
> objectClass: olcConfig
> objectClass: top
> olcOverlay: smbk5pwd
> olcSmbK5PwdEnable: samba
>
> but when I changed the userPassword, the sambaNTPassword and
> sambaLMPassword attributes doesn't changed.
>
> What did I missed?

The smbk5pwd overlay only works if the password change has been made with
the extended password modify operation (this operation is done with
ldappasswd, not with ldapmodify).


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com
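The "extended password modify operation" referred to above is the LDAP Password Modify extended operation of RFC 3062: it is what ldappasswd sends, and it is a different protocol element from the Modify of userPassword that ldapmodify performs, which is why an overlay hooking only the extended operation never sees the second kind of change. The encoder/decoder below is an added example, not code from this thread, from OpenLDAP or from ldappasswd; it assumes only the ASN.1 from the RFC, and the sample DN uid=jdoe,ou=Users,dc=domain,dc=com and the passwords it is used with are constructed. It is useful for recognising the request when reviewing a captured LDAP message.

```python
"""Encoder/decoder for the LDAP Password Modify extended request (RFC 3062).

Added example, not code from the thread, from OpenLDAP or from ldappasswd.
It shows what "extended password modify" looks like on the wire, as opposed
to a plain Modify of userPassword: an ExtendedRequest carrying the OID
1.3.6.1.4.1.4203.1.11.1 and a BER-encoded PasswdModifyRequestValue
{ userIdentity [0], oldPasswd [1], newPasswd [2] }. Encoding only, no I/O.
"""
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER element: tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def passwd_modify_request(msg_id, user_dn=None, old_pw=None, new_pw=None):
    """Build a complete LDAPMessage holding a Password Modify ExtendedRequest."""
    fields = b""
    if user_dn is not None:
        fields += tlv(0x80, user_dn.encode())            # userIdentity [0] OCTET STRING
    if old_pw is not None:
        fields += tlv(0x81, old_pw.encode())             # oldPasswd    [1] OCTET STRING
    if new_pw is not None:
        fields += tlv(0x82, new_pw.encode())             # newPasswd    [2] OCTET STRING
    value = tlv(0x30, fields)                            # PasswdModifyRequestValue SEQUENCE
    exop = tlv(0x77,                                     # ExtendedRequest [APPLICATION 23]
               tlv(0x80, PASSWD_MODIFY_OID.encode())     #   requestName  [0] LDAPOID
               + tlv(0x81, value))                       #   requestValue [1] OCTET STRING
    msg_bytes = msg_id.to_bytes(msg_id.bit_length() // 8 + 1, "big")  # shortest positive INTEGER
    return tlv(0x30, tlv(0x02, msg_bytes) + exop)        # LDAPMessage SEQUENCE


def read_tlv(buf, pos):
    """Decode the BER element at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                         # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + n], pos + n


def parse_passwd_modify_request(msg):
    """Inverse of passwd_modify_request; raises ValueError for anything else."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    if tag != 0x02 or op_tag != 0x77:
        raise ValueError("not an ExtendedRequest")
    tag, oid, pos = read_tlv(op, 0)
    if tag != 0x80 or oid != PASSWD_MODIFY_OID.encode():
        raise ValueError("not a Password Modify request")
    out = {"msg_id": int.from_bytes(mid, "big")}
    names = {0x80: "user_dn", 0x81: "old_pw", 0x82: "new_pw"}
    if pos < len(op):                                    # requestValue is OPTIONAL
        _, value, _ = read_tlv(op, pos)
        _, seq, _ = read_tlv(value, 0)
        p = 0
        while p < len(seq):
            tag, data, p = read_tlv(seq, p)
            if tag not in names:
                raise ValueError("unexpected field tag 0x%02x" % tag)
            out[names[tag]] = data.decode()
    return out
```

`passwd_modify_request(1, new_pw="x")` yields 39 bytes starting with the message SEQUENCE, the messageID and the `0x77` application tag of the ExtendedRequest; feeding the result back to `parse_passwd_modify_request` returns the fields that were set. A plain Modify of userPassword would instead be a `[APPLICATION 6]` ModifyRequest with no OID at all, which is the distinction the reply above draws.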




Re: Insufficient acces in some cases

2018-09-18 Thread Clément OUDOT



Le 18/09/2018 à 23:10, Ervin Hegedüs a écrit :
> Hi,
>
> On Tue, Sep 18, 2018 at 10:34:55PM +0200, Clément OUDOT wrote:
>>
>> Le 18/09/2018 à 22:23, Ervin Hegedüs a écrit :
>>> But then I don't understand, why comes this error only few users
>>> (total number of users is about 200 now, we know about 2-3
>>> affected user).
>>>
>>> Anyway, I thought it also what you wrote, and switched back to
>>> native LDAP (instead of LDAPS), and make a capture at LDAP side.
>>>
>>> There aren't any garbage in packets, all request contains
>>> absolutely normal lines... If you interesting about it, I can
>>> send you a cap file - but that contains sensitive datas, of
>>> course.
>>>
>>> I just can share some screenshots about the traffic, hope it
>>> seems that no other garbage:
>>>
>>> https://www.dropbox.com/sh/x8ol6cfc39zj7cp/AADCo3CgcHPQnvOre4hjuULpa
>>
>> It would be interesting to see how your OpenLDAP ACLs are configured.
> the ACL system a little bit complicated (I guess), but I think it
> works as well:
>
> olcAccess: {0}to attrs=userPassword,shadowLastChange
>   by self write
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by anonymous auth
>   by * none
> olcAccess: {1}to dn.subtree="ou=OU1,dc=service1,dc=bigcompany,dc=hu"
>   by dn="uid=_srvuser2,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" 
> read
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by * none
> olcAccess: {2}to 
> dn.regex="ou=(comp1|comp2|comp3),dc=service1,dc=bigcompany,dc=hu"
>   by dn="uid=_srvuser2,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" 
> read
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by * none
> olcAccess: {3}to dn.subtree="dc=bigcompany,dc=hu"
>   by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" 
> read
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by * none
> olcAccess: {4}to *
>   by self write
>   by anonymous auth
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by * none
>
>
>> Are you sure that a user can modify userPassword and sambaNT/LM password
>> attributes?
> yes, I'm sure.
>
> The NT/LM password attribures aren't named any place, the
> userPassword is, but all user can modify its own - see ACL's above.

No, the olcAccess {3} denies all access inside dc=bigcompany,dc=hu, so
rule {4} is never evaluated.

> And as I wrote in first mail, the simple "ldapmodify" works as
> well.

Did you test modifying only the userPassword attribute, or does your
modification also touch the Samba attributes?

> And more important, the other users under the same OU can change
> their own userpassword/nt/lm password attributes through PHP.

I don't see how, because your ACL only allows userPassword modification
for 'self'.

> The service user (_srvuser1) also can modify (through PHP), but I'ld
> like to use as the logged user modify its own passwd.
>

I think you should merge your ACL like this:

olcAccess: {3}to dn.subtree="dc=bigcompany,dc=hu"
  by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
  by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
  by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
  by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
  by self write
  by * none

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com


Worteks | https://www.worteks.com




Re: Insufficient acces in some cases

2018-09-18 Thread Clément OUDOT



Le 18/09/2018 à 22:23, Ervin Hegedüs a écrit :
>
> But then I don't understand, why comes this error only few users
> (total number of users is about 200 now, we know about 2-3
> affected user).
>
> Anyway, I thought it also what you wrote, and switched back to
> native LDAP (instead of LDAPS), and make a capture at LDAP side.
>
> There aren't any garbage in packets, all request contains
> absolutely normal lines... If you interesting about it, I can
> send you a cap file - but that contains sensitive datas, of
> course.
>
> I just can share some screenshots about the traffic, hope it
> seems that no other garbage:
>
> https://www.dropbox.com/sh/x8ol6cfc39zj7cp/AADCo3CgcHPQnvOre4hjuULpa


It would be interesting to see how your OpenLDAP ACLs are configured.
Are you sure that a user can modify the userPassword and sambaNT/LM password
attributes?


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Re: Insufficient acces in some cases

2018-09-18 Thread Clément OUDOT



Le 18/09/2018 à 18:11, Ervin Hegedüs a écrit :
> Hi, there is an interesting insufficient access problem...
>
> There are 3 (in dev environment 2) multimaster ldap node.
>
> There is a simple web frontend, written in PHP, where user can
> change its own password, or can get a link to set up a new pass
> if old one had lost.
>
> In some cases (some users) the user can't change the own password
> through PHP. When I change it from webserver with ldapmodify and
> a simple ldif file, it works as well.
>
> But when I try to modify the passwd through PHP, I got
> "Insufficient access" error, and these lines are in syslog:
>
>
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to 
> "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" 
> "objectClass" requested
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] 
> ou=djp,dc=wificloud,dc=company,dc=hu
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] 
> ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: 1
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: w
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: f
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: l
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: a
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: n
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: y
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: h
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: 
>
> (I replaced names and chars, so the match[dn0] numbers are not
> correct).
>
>
> Only few users can trigger this problem (don't know why), and
> only through PHP.
>
>
> What's the problem here?

Hello,

I would say that the PHP application is sending some garbage to the
directory. What application are you using for password change, is it LTB
Self Service Password?

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Call for Papers - Paris Open Source Summit

2018-08-31 Thread Clément OUDOT
Hello,

There is an important event about free software and open source in
Paris in December, with topics about identity management. The CFP is
here: http://cfp.opensourcesummit.paris/

It should close on Friday, but I think the deadline will be postponed.

Feel free to propose technical talks or customer success stories (for
example migration from proprietary software to free software).

Hope to see you soon,

Clément.



Re: replicating memberOf attribute

2018-06-27 Thread Clément OUDOT



Le 26/06/2018 à 12:13, Chris a écrit :
> Hi,
>
> We are using a provider and three consumers that are not syncing the
> memberOf attributes of inetOrgPerson entries.
>
> memberof and refint modules are loaded on the provider and
> inetOrgPersons' memberOf attributes are correctly updated on the provider.
>
> How can I troubleshoot this?

Reading the slapo-memberof manpage:

   The memberof overlay may be used with any backend that provides full
   read-write functionality, but it is mainly intended for use with local
   storage backends. The maintenance operations it performs are internal
   to the server on which the overlay is configured and are never
   replicated. Replica servers should be configured with their own
   instances of the memberOf overlay if it is desired to maintain these
   memberOf attributes on the replicas. Note that slapo-memberOf is not
   compatible with syncrepl based replication, and should not be used in a
   replicated environment. An alternative is to use slapo-dynlist to
   emulate slapo-memberOf behavior.


But I already used this overlay with syncrepl and it seems to work. You
indeed need to configure the overlay on the consumers too.


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Re: Meta backend and attributes mapping

2018-06-21 Thread Clément OUDOT



Le 20/06/2018 à 15:14, ROY Grégory a écrit :
> Hello,
>
> I try somehow to do what I explain below. But without success...
> I think I'm doing badly for the attribute mapping, maybe it would be better 
> with the rwm overlay?
>
> Could someone put me on the right track?


Hello Grégory,

I don't think this is possible with the meta backend and rwm overlay. You
can give the translucent overlay a try, but the man page says it is
designed to work with a local database and a remote database, not
several remote databases.

For your needs, my approach would have been to create a new LDAP
directory that is synchronized with your remote data. You can use for
example LSC (https://lsc-project.org/) to do this.


-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com




Re: performance problem

2018-06-11 Thread Clément OUDOT


Le 07/06/2018 à 20:18, Mark Tilmes a écrit :
>
> LDAP list,
>

Hello Mark,

>
> I have been trying to figure out this problem for a few weeks, I have
> been reading the archives and searching google to no avail.
>
>  
>
> We have a high load at the beginning of every minute due to automated
> processes authenticating.  During this time, authentications take from
> about 5 seconds to as much as 12 seconds.  I can even run an ldapwho
> command directly on the ldap server and see the slowness.
>
>  Looking at netstat, there are as many as 500 connections coming in to
> each server around that time.  The load has been processed within 20
> seconds.
>
>  
>
> Here is some info on what I am running:
>
> RHEL 6.9 os
>
> Openldap 2.4.40 from the RHEL rpm
>


I think the first thing to answer is: you are running an old version,
please upgrade. You can stay on RHEL 6.9 if you need to, but you should
use a recent version of OpenLDAP, for example with LTB packages:
https://ltb-project.org/documentation/openldap-rpm


>  
>
> These systems have 16 cpu’s but they are ~90% idle.  The ldap database
> is on mdb, it is 52M.  There are 3657 entries.
>

> The systems have 32G of memory each, after buffers and cache, 12G is
> free.  I think just about everything this system does for disk is
> cached in memory.
>
> The only other thing running on these servers is dns and ntp, but when
> we turn those off, we still see the slowness.
>
> See below for my openldap configuration.
>
>
> I am trying to figure out if this is an unreasonable load for these
> servers and I just need more servers, or if there is some tuning I can
> do to help with this?
>
>  
>
> When I look at cn=threads,cn=monitor I see active threads go up to 16
> and pending threads go up to 127 or so.
>
> I increased threads but saw a similar result, all threads are active,
> many are still pending.
>
> When increasing threads to 128, I ended up with this error message:
>
> mdb_opinfo_get: err MDB_READERS_FULL: Environment maxreaders limit
> reached(-30790)
>
> I'm not sure what I can do about that.
>
> I'm also not sure if I also need to increase listener threads?  Seems
> like not since the threads are all active during the traffic burst.
>
>
> We have 4 ldap servers, one handles writes and then syncs to the other
> 3, so there are no writes on the other 3, and very few writes on the
> master, just when we add users or change group memberships which is
> infrequent, just a few times a month.
>
>  
>
> Any advice is appreciated.
>
>  
>


You are using the mdb backend but it is not loaded in cn=modules. Did you
recompile slapd to have mdb in the slapd binary?

MDB backend is very performant by default, but you can tune it with some
options like maxreaders or envflags.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com


Worteks | https://www.worteks.com



Re: pwdRESET not working

2018-05-22 Thread Clément OUDOT



Le 21/05/2018 à 17:10, Net Warrior a écrit :

Hello
When I force the expiration changing pwdMaxAge what I can see in the
log is the following:

  ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired
password: 0 grace logins

I test the login, I get two warning as configured but the user is
never  forced to change it and can login as usual, any hint on this?



Seems you are mixing OpenLDAP ppolicy and shadow policy.

Anyway, if the OpenLDAP ppolicy has expired the password, you should not
be able to log in, unless you set some cache or fallback on a local account.



You should test with ldapsearch or ldapwhoami command to understand the 
behavior of OpenLDAP ppolicy. Then you can configure pam/sssd to fit 
your needs.


--
Clément Oudot | Identity Solutions Manager

Worteks | https://www.worteks.com




Re: pwdRESET not working

2018-05-09 Thread Clément OUDOT


Le 03/05/2018 à 16:23, Net Warrior a écrit :
> Hello there guys, when setting the pwsReset  to TRUE I cannot login to
> the system anymore, just get the permission denied, then I found this.
>
> https://github.com/pwm-project/pwm/issues/155
>
> Did I face that bug or maybe  it's something else?


It's not a bug. If pwdReset is set to TRUE, the BIND will be successful,
but you will not be allowed to do any operation other than changing the
password. If your application is doing a SEARCH just after the BIND, you
will be denied.



-- 
Clément Oudot | Identity Solutions Manager

Worteks | https://www.worteks.com




LDAP Tool Box RPM and Debian packages for OpenLDAP 2.4.46

2018-04-03 Thread Clément OUDOT
Hi,

LDAP Tool Box project just released packages for OpenLDAP 2.4.46, that
can be downloaded here: https://ltb-project.org/download#openldap

You can also use our yum and apt repositories to install them.

Changes on packaging can be found here:
* https://github.com/ltb-project/openldap-rpm/releases/tag/v2.4.46
* https://github.com/ltb-project/openldap-deb/releases/tag/v2.4.46

Thanks to Michael Ströder for the help and David Coutadeur for Debian
packages and improvements on ppm module and init script.

Clément.



Re: Using virtual IP and N-way multimaster mode

2018-01-15 Thread Clément OUDOT
2018-01-15 10:05 GMT+01:00 Michael Ströder <mich...@stroeder.com>:
> Jephte Clain wrote:
>> 2018-01-15 10:38 GMT+04:00 Clément OUDOT <clem.ou...@gmail.com>:
>>> I would like to use the N-way multimaster mode and a virtual IP to
>>> manage failover for applications. The virtual IP will be configured
>>> through keepalived.
>>
>> I have exactly this configuration and I didn't have to do anything
>> particular
>>
>> ldap is started on each node with "slapd -h ldap://" and it works
>
> As Clément wrote he has multiple values configured for olcServerID in
> cn=config (aka serverID in slapd.conf). So he can't just use
> "slapd -h ldap://" because the parameter value -h is used by slapd to
> determine the actual server ID to be used.
>
> Well, that's one of the reasons why I avoid to set multiple serverID
> values. And of course that means that you cannot use a replicated cn=config.


Does that mean that we can set MMR replication for data (not
cn=config) with only one value in olcServerID? In this case we don't
have the constraint to start the daemon on a dedicated LDAP URI? Would
we still be able to define all olcSyncrepl statements in the database
or do we need to set only those not concerning the current node?

Clément.



Using virtual IP and N-way multimaster mode

2018-01-14 Thread Clément OUDOT
Hello,

I would like to use the N-way multimaster mode and a virtual IP to
manage failover for applications. The virtual IP will be configured
through keepalived.

To work with N-way multimaster, we must start the OpenLDAP process on the
LDAP URI defined in the cn=config olcServerID parameter. So we can't use
ldap://* to start the service. On the machine running the virtual IP,
I can of course listen on this IP by adding an LDAP URI in the start
command:
slapd -h "ldap://master1.example.com ldap://virtual.example.com"

But this command will not work if the virtual IP is not set on the
node, as OpenLDAP refuses to start on an unknown IP.

Has anyone already faced this issue and found a solution?

Clément.



Re: Openldap Password Reset Portal

2017-12-15 Thread Clément OUDOT
2017-12-15 11:32 GMT+01:00 John Lewis :
> I was looking for something like this. Can it do email-based self-
> registration?

No, it just handles password modification (and SSH key modification).


The SSO software LemonLDAP::NG has this feature, but it is a big
installation to do if you only need this simple feature:
https://lemonldap-ng.org/documentation/latest/register


Clément.



Re: Openldap Password Reset Portal

2017-12-14 Thread Clément OUDOT
2017-12-14 18:56 GMT+01:00 Douglas Duckworth :

> 2) Has anyone found other solutions besides PWM that do the same thing?


Hello,

I am the developer of LTB Self Service Password:
* https://ltb-project.org/documentation/self-service-password
* https://github.com/ltb-project/self-service-password

You can give it a try.


Clément.



Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

2017-11-20 Thread Clément OUDOT
2017-11-20 11:59 GMT+01:00 Turbo Fredriksson :
> You’ve never had the issue I’m having? Or heard about it?

No but I don't use Kerberos authentication.



Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

2017-11-20 Thread Clément OUDOT
2017-11-19 18:09 GMT+01:00 Turbo Fredriksson :

> Have anyone tried running OpenLDAP behind HAProxy? Anything special
> one needs to do?

I do this often, without any particular issue. If you use LDAPS, you
can add option ssl-hello-chk.

Here is a sample configuration file:

global
    log 127.0.0.1 local5 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    quiet

defaults
    log global
    option dontlognull
    option ldap-check
    retries 3
    mode tcp
    balance roundrobin
    option redispatch

listen openldap :389
    server ldap1 IP_LDAP1:390 check
    server ldap2 IP_LDAP2:390 check
    server ldap3 IP_LDAP3:390 check

defaults
    log global
    option dontlognull
    retries 3
    mode tcp
    balance roundrobin
    option redispatch
    option ssl-hello-chk

listen openldap-ssl :636
    server ldap1 IP_LDAP1:637 check
    server ldap2 IP_LDAP2:637 check
    server ldap3 IP_LDAP3:637 check




Clément.



Re: Admin roles by group membership per OU

2017-10-12 Thread Clément OUDOT



Le 12/10/2017 à 17:32, Ervin Hegedüs a écrit :

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by 
dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by 
group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by self write by 
anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read
olcAccess: {3}to * by * read




What is the DN of your replication user? Here you have one in
dc=core,dc=hdt,dc=hu and the other in dc=mycompany,dc=hu. Just set the read
right for the appropriate user.



--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot




Re: Admin roles by group membership per OU

2017-10-12 Thread Clément OUDOT



Le 12/10/2017 à 16:39, Ervin Hegedüs a écrit :

Hi Clément,

thanks for your help,

On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:


Le 11/10/2017 à 17:31, Ervin Hegedüs a écrit :

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous 
auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by 
group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth

The rule {2} catches all requests (to *  by *) so rule {3} is never applied.

You can do :

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self
write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu"
write by * none
olcAccess: {3}to * by * read

with these rules, I couldn't read with an anonymous nor an authenticated
user from the DB, only the self record.

So, I've modified your idea like this:


olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by 
dn="uid=repuser,dc=mycompany,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by 
group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by 
anonymous auth
olcAccess: {3}to * by * read

With these rules, I can modify the user attributes, except the
userPassword.

But after the modification (on the master node), the slave can't
replicate the new entries...

Without rule {2}, the slave works as well with the repuser dn.

What did I do badly?


Just add by dn="uid=repuser,dc=mycompany,dc=hu" read in rule {2}



Clément.



Re: Admin roles by group membership per OU

2017-10-12 Thread Clément OUDOT



Le 11/10/2017 à 17:31, Ervin Hegedüs a écrit :

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous 
auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by 
group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth


The rule {2} catches all requests (to * by *) so rule {3} is never applied.

You can do:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * none
olcAccess: {3}to * by * read


--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
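This thread and the "Insufficient access in some cases" thread above both come down to the same evaluation rule: slapd stops at the first olcAccess whose "to" clause matches the entry and attribute being accessed, so a `to * by * read` in position {2}, or a `to dn.subtree="dc=bigcompany,dc=hu" ... by * none` in position {3}, hides every rule placed after it. The evaluator below is an added example that reproduces that first-match behaviour for a small subset of the ACL syntax; it is not OpenLDAP's ACL engine and not code from either thread. The ACL texts are abridged from the posts (most of the service-user clauses were dropped), the group membership dictionary is constructed, and real slapd evaluates more than this toy does (entry-level versus attribute-level access, the "children" pseudo-attribute for add and delete, `break`/`continue` controls).

```python
"""Toy first-match evaluator for a subset of OpenLDAP olcAccess rules.

Added example, not code from the threads or from OpenLDAP. It emulates the
order described in slapd.access(5): the first 'to' clause matching the
(entry, attribute) pair is selected, inside it the first matching 'by'
clause decides, and an implicit 'by * none' closes every rule just as an
implicit 'to * by * none' closes the whole list.
"""
import re
import shlex

# slapd access levels, increasing; access is granted when reached >= required.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    """Crude DN normalisation: lowercase, no spaces around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_acl(text):
    """Parse 'olcAccess: {n}to <what> by <who> <level> ...' (one rule per line)."""
    rules = []
    for line in text.strip().splitlines():
        line = re.sub(r"^(olcAccess:\s*)?(\{\d+\})?\s*to\s+", "", line.strip())
        what, *bys = re.split(r"\s+by\s+", line)              # shlex drops the quotes
        rules.append((shlex.split(what)[0], [tuple(shlex.split(b)[:2]) for b in bys]))
    return rules

def what_matches(what, entry_dn, attr):
    """Does the 'to' clause cover this (normalised entry DN, attribute) pair?"""
    if what == "*":
        return True
    kind, _, val = what.partition("=")
    if kind == "attrs":
        return attr is not None and attr.lower() in val.lower().split(",")
    if kind == "dn.regex":                                    # unanchored, as in slapd
        return re.search(val, entry_dn, re.IGNORECASE) is not None
    val = norm_dn(val)
    return {"dn.base": entry_dn == val, "dn.exact": entry_dn == val,
            "dn.children": entry_dn.endswith("," + val),
            "dn.subtree": entry_dn == val or entry_dn.endswith("," + val)}[kind]

def who_matches(who, entry_dn, bind_dn, groups):
    """Does the 'by' subject match the bound DN (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:                                       # other subjects need a bind
        return False
    bind_dn = norm_dn(bind_dn)
    if who in ("users", "self"):
        return who == "users" or bind_dn == entry_dn
    kind, _, val = who.partition("=")
    if kind in ("dn", "dn.exact"):
        return bind_dn == norm_dn(val)
    if kind in ("group", "group.exact"):                      # membership from the dict below
        return any(norm_dn(g) == norm_dn(val) and bind_dn in map(norm_dn, ms)
                   for g, ms in groups.items())
    raise ValueError("unsupported 'by' clause: " + who)

def check(acl_text, entry_dn, attr, bind_dn, required, groups=None):
    """Return (index of the deciding rule, level granted, whether 'required' is met)."""
    entry_dn = norm_dn(entry_dn)
    index, level = None, "none"                               # implicit 'to * by * none'
    for i, (what, bys) in enumerate(parse_acl(acl_text)):
        if what_matches(what, entry_dn, attr):
            index, level = i, "none"                          # implicit trailing 'by * none'
            for who, lvl in bys:
                if who_matches(who, entry_dn, bind_dn, groups or {}):
                    level = lvl
                    break
            break                                             # first matching 'to' wins
    return index, level, LEVELS.index(level) >= LEVELS.index(required)

# Constructed ACLs abridged from the two threads (most service-user clauses dropped).
SRV = 'dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu"'
BIGCOMPANY_BEFORE = f"""
olcAccess: {{0}}to attrs=userPassword,shadowLastChange by self write by {SRV} write by anonymous auth by * none
olcAccess: {{1}}to dn.subtree="ou=OU1,dc=service1,dc=bigcompany,dc=hu" by {SRV} write by * none
olcAccess: {{2}}to dn.regex="ou=(comp1|comp2|comp3),dc=service1,dc=bigcompany,dc=hu" by {SRV} write by * none
olcAccess: {{3}}to dn.subtree="dc=bigcompany,dc=hu" by {SRV} write by * none
olcAccess: {{4}}to * by self write by anonymous auth by {SRV} write by * none
"""
# The suggested merge: 'by self write' goes into rule {3}, because rule {4} is never reached.
BIGCOMPANY_AFTER = BIGCOMPANY_BEFORE.replace('to dn.subtree="dc=bigcompany,dc=hu" by',
                                            'to dn.subtree="dc=bigcompany,dc=hu" by self write by')

ABC_GROUPS = {"cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu":   # constructed membership
              ["uid=abcadmin,ou=ABC Customer,dc=mycompany,dc=hu"]}
ABC_PW = "to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none"
ABC_OU = ('to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write '
          'by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write')
# Posted order: the catch-all 'to * by * read' sits in front of the per-OU rule and hides it.
ABC_BEFORE = "\n".join([ABC_PW, 'to dn.base="" by * read', "to * by * read", ABC_OU + " by * auth"])
# Suggested order: per-OU rule first (ending in 'by * none'), catch-all read last.
ABC_AFTER = "\n".join([ABC_PW, 'to dn.base="" by * read', ABC_OU + " by * none", "to * by * read"])
```

`check()` returns the index of the rule that decided, the level it granted and whether the required level was reached. For a user under dc=service1,dc=bigcompany,dc=hu modifying sambaNTPassword as self it reports rule 3 with level none before the merge and write after it, while userPassword is already writable through rule 0; for a groupabcadmin member writing another entry under ou=ABC Customer it reports rule 2 with read before the reorder and write after. The same check also shows that a user whose DN contains ou=comp1 still falls into the dn.regex rule {2}, which the merge into rule {3} does not touch, and that after the reorder anonymous access to entries under ou=ABC Customer ends in the implicit `by * none`, which is what the follow-up about the replication user runs into.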




Re: Email based self registration

2017-10-02 Thread Clément OUDOT



Le 01/10/2017 à 04:17, John Lewis a écrit :

Is there an application that supports both email based self
registration and OpenLDAP storage of the account data?


Hello,

maybe not the solution you are looking for, but LemonLDAP::NG, a WebSSO
product, has a self-register feature that uses email and stores data in
the LDAP directory, see
https://lemonldap-ng.org/documentation/latest/register


--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot




Re: Using overlay rwm to rewrite search base depending on search filter

2017-09-20 Thread Clément OUDOT

Le 13/09/2017 à 16:29, Clément OUDOT a écrit :


Hello,

I am playing with overlay rwm to try to change the base DN of a search 
depending on a value in search filter.


The goal is to rewrite base "dc=example,dc=com" to 
"dc=test,dc=example,dc=com" if I have (uid=login@test) in the LDAP 
filter. Has someone already done this?



My configuration for the moment is the following, but I don't
understand how to capture a value in searchFilter context to use it in
searchDN context:


dn: olcOverlay={0}rwm,olcDatabase={1}meta,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine on
olcRwmRewrite: rwm-rewriteContext searchFilter
olcRwmRewrite: rwm-rewriteRule "uid=(.*@)(.*)" "uid=$0$1" ":"
olcRwmRewrite: rwm-rewriteContext searchDN
olcRwmRewrite: rwm-rewriteRule "dc=example,dc=com" 
"dc=${searchFilter($1)},dc=example,dc=com" ":"





Hello all,

I just wanted to know if my use case is something that can be achieved 
with rwm overlay or if I need to find another solution.


Thanks,

Clément.



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-20 Thread Clément OUDOT



Le 19/09/2017 à 18:45, Robert Heller a écrit :

I am having a hard time setting a user password using ldap (OpenLDAP
2.4.40-13.el7) on a CentOS 7 system.

I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client),
nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have
created a user in the ldap database, and getent works just fine -- the uid and
gid are seen, etc. But I cannot set the user's password in a way that works
for su (and presumably login/slogin, etc.).  I am using ldappasswd to set the
user's password.

I am thinking that PAM and ldappasswd are using *different* oneway encryption
methods and I am guessing I need to update a configuration somewhere (either
for pam, sssd, or nslcd), but I am not finding it.


PAM is an LDAP client, so it does not read the password: it just sends BIND
requests, and the OpenLDAP server then checks the password by using the
hashing method corresponding to the current password value.


Can you check in your server ACLs (olcAccess parameter) that anonymous 
users have the 'auth' right on userPassword attribute?


--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot




Using overlay rwm to rewrite search base depending on search filter

2017-09-13 Thread Clément OUDOT

Hello,

I am playing with overlay rwm to try to change the base DN of a search 
depending on a value in search filter.


The goal is to rewrite base "dc=example,dc=com" to 
"dc=test,dc=example,dc=com" if I have (uid=login@test) in the LDAP 
filter. Has someone already done this?



My configuration for the moment is the following, but I don't understand
how to capture a value in searchFilter context to use it in searchDN
context:


dn: olcOverlay={0}rwm,olcDatabase={1}meta,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine on
olcRwmRewrite: rwm-rewriteContext searchFilter
olcRwmRewrite: rwm-rewriteRule "uid=(.*@)(.*)" "uid=$0$1" ":"
olcRwmRewrite: rwm-rewriteContext searchDN
olcRwmRewrite: rwm-rewriteRule "dc=example,dc=com" "dc=${searchFilter($1)},dc=example,dc=com" ":"


Thanks for your help!


Clément.




Re: OpenLDAP as Proxy

2017-08-24 Thread Clément OUDOT



Le 21/08/2017 à 16:51, Palacios, Christian a écrit :


Hi there,

We need to find out if OpenLDAP will allow us to use it as a proxy so 
it can retrieve users from three different Windows Active Directory 
Domains?  These three domains do not have any similar users.  The user 
retrieval process needs to work like this:


-The application that needs this LDAP connection will point to the 
OpenLDAP server using an LDAP address such as 
ldap://server.example.com:389/OU=users…etc


-This application will also need to retrieve the sAMAccountName from 
each user retrieved via the OpenLDAP server


-The application’s LDAP connection settings also need to specify an 
Administrator’s DN and password, but I’m confused about this because I 
don’t know what Administrator account to use.  Like I said, each 
domain has their own set of users so they don’t have any Administrator 
accounts in common.  How would this work?


If you need any more information, please let me know!!



Hello Christian,

I am implementing such a service for a customer right now.

You need to use OpenLDAP back-meta and define a uri parameter for each 
AD. In this uri parameter, you will be able to set which account is used 
to request AD.


Here is a very simple configuration sample:


database meta
suffix  "dc=example,dc=com"
rootdn  "cn=manager,dc=example,dc=com"
rootpw  secret

uri ldap://ad1.example.com/dc=ad1,dc=example,dc=com
suffixmassage dc=ad1,dc=example,dc=com dc=acme,dc=com
idassert-bind bindmethod="simple" binddn="cn=demo,cn=Users,dc=acme,dc=com" credentials="secret" mode="self" flags="non-prescriptive"

overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute * *


You can also find some hints on back-meta configuration on this page: 
https://ltb-project.org/documentation/general/sasl_delegation or in the 
OpenLDAP manpage: man slapd-meta



Another solution is to create a central LDAP directory by synchronizing 
data from all the ADs into it. The LSC project can help you to do that: 
https://lsc-project.org/documentation/start



Hope it helps,

--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot



Re: How to enable memberOf overlay with posixGroup?

2017-08-16 Thread Clément OUDOT



Le 08/09/2016 à 09:45, Clément OUDOT a écrit :



Le 08/09/2016 à 04:52, Ryan Tandy a écrit :

On Wed, Sep 07, 2016 at 11:10:30PM +0200, MegaBrutal wrote:
I also figured that memberOf would need groupOfNames groups, while I 
need posixGroup type groups. I evaluated the possibility to use 
groupOfNames, but it lacks the necessary gidNumber attribute which 
is a requirement for Unix groups.


This is the key issue.

A draft schema known as "rfc2307bis" exists, which replaces (!) the 
published RFC 2307 schema with one compatible with groupOfNames.


A published solution to this problem does not currently exist. In the 
past year there have been some discussions on the ldapext list. You 
can find the archives of that list at:


https://www.ietf.org/mailman/listinfo/ldapext



Hi,

as a workaround, I often create a small connector that synchronises 
posixGroup objects into groupOfNames. It's really easy to do with LSC 
(http://www.lsc-project.org).


With this, you only manage POSIX groups, and standard groups are 
updated automatically. You can then use the memberOf overlay on 
groupOfNames.




In case this solution interests someone, I wrote a small tutorial to 
configure LSC for it: 
https://lsc-project.org/documentation/tutorial/synchronizeposixgroupstogroupofnames


--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot




OpenLDAP 2.4.45 LTB packages available

2017-06-13 Thread Clément OUDOT
Hello,

the LDAP Tool Box team has published RPM and Debian packages for
OpenLDAP 2.4.45.

You can download them directly or use APT/YUM repositories:
https://ltb-project.org/download

Documentation:
* https://ltb-project.org/documentation/openldap-deb
* https://ltb-project.org/documentation/openldap-rpm

GitHub projects:
* https://github.com/ltb-project/openldap-deb
* https://github.com/ltb-project/openldap-rpm


Clément.



Re: Re: OpenLDAP / Active directory cohabitation

2017-05-30 Thread Clément OUDOT
2017-05-30 8:10 GMT+02:00 Ulrich Windl :

> I have one question: Why is the AD admin account needed to authenticate? I see
> a problem with the AD admin password being stored in cleartext in the 
> saslauthd
> configuration...


You don't need AD admin password, you just need a standard AD account
that can read user entries (no write access required).

Clément.



Re: OpenLDAP / Active directory cohabitation

2017-05-29 Thread Clément OUDOT
2017-05-29 19:00 GMT+02:00 Dan White :
> On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:
>>
>> I am in an environment where we use both OpenLDAP and Active Directory.
>> All Linux servers authenticate against OpenLDAP where we have user group,
>> unix group (...)
>
>
>> This means that if I perform a BIND and a search, the BIND should be
>> performed against the AD but the search result should from OpenLDAP.
>> (anonymous search is fine)
>
>
>> The short usernames are used in OpenLDAP like this:
>>
>> uid=john01,ou=People,dc=example,dc=com
>>
>> While the AD uses the long username. From my test when binding to AD, only
>> the "DN" is simply set to the username.
>>
>> john.sm...@example.com
>
>
> Pass-through authentication should work if you're performing simple binds.
> Chapter 14 of the admin guide has a good example.

You can also find a tutorial here:
https://ltb-project.org/documentation/general/sasl_delegation

Clément.



Re: Can I do this with openldap ?

2017-05-26 Thread Clément OUDOT
2017-05-26 11:18 GMT+02:00 Dieter Klünter :
> Am Tue, 23 May 2017 17:16:22 +
> schrieb Roelof Wobben :
>
>> Hello,
>>
>>
>> My boss wants to run everything from a server.
>>
>> But he wants also that I can take care of that some of the software
>> is only used by some people.  So the cad software is only used by the
>> drawers and not by the financial people.
>>
>>
>> Can I do this with openldap or if it cannot be done , which software
>> can I then use the best.
>
> In fact that depends on the software in question. If the software,
> or some controlling tool, is able to require authentication and
> authorization via ldap, you may go ahead.

Indeed. A lot of applications are able to use an LDAP directory for
authentication, but fewer are able to use it for authorization.
Authorization often relies on groups present in the LDAP directory.

If you have an application that is able to use an LDAP filter for
authentication, then you can use the memberOf overlay in OpenLDAP and
use the memberOf value in the LDAP filter to restrict access to this
group.

Now, if you have some time to investigate, you should take a look at
WebSSO and Access Management software. Many of them are Free Software and
work great with OpenLDAP.

Personally, I am a developer of LemonLDAP::NG, so I can't do anything
other than recommend this software. But there are a lot more, like
Gluu, WSO2, CAS, Shibboleth, simpleSAMLphp... You need to try them to
find the one that fits your needs.


Clément.



Re: Unable to load the lastbind module with 2.4.44 (custom build)

2017-04-12 Thread Clément OUDOT
2017-04-12 13:37 GMT+02:00 mailing lists :
> Hello all,
>
> What I'm trying to do is enable the lastbind module in a centos7 server, so I 
> applied this patch to the rpmbuild process:
>
>
>
> # cat /root/rpmbuild/SOURCES/openldap-lastbind-overlay.patch
> --- a/servers/slapd/overlays/Makefile.in2017-04-12 12:14:46.617978071 
> +0100
> +++ b/servers/slapd/overlays/Makefile.in2017-04-12 12:21:12.569292484 
> +0100
> @@ -36,6 +36,7 @@
> valsort.c \
> smbk5pwd.c \
> allop.c \
> +lastbind.c \
> sha2.c slapd-sha2.c
> OBJS = statover.o \
> @SLAPD_STATIC_OVERLAYS@ \
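Review bot: the new `+lastbind.c \` line puts lastbind.c in the source list that feeds the static overlay objects (see `OBJS = statover.o \` / `@SLAPD_STATIC_OVERLAYS@` just below), next to smbk5pwd.c and allop.c, so the build will fail with a missing file unless lastbind.c is actually present in servers/slapd/overlays/ at make time; in the OpenLDAP tree it ships under contrib/slapd-modules, so the rpmbuild step has to copy it into place (or build it in its own directory, which is what the LTB spec quoted in the reply below does).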
> @@ -56,7 +57,7 @@
> UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
>
> LIBRARY = ../liboverlays.a
> -PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la
> +PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la 
> lastbind.la
>
> XINCPATH = -I.. -I$(srcdir)/..
> XDEFS = $(MODULES_CPPFLAGS)
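Review bot: as rendered, `lastbind.la` sits on its own line after `+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la` with no trailing backslash, which make would read as a separate, invalid statement rather than as part of PROGRAMS; if that is only mail wrapping, fine, otherwise keep it on the same line: `+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la lastbind.la`.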
> @@ -140,6 +141,12 @@
> allop.la : allop.lo
> $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell 
> pkg-config openssl --libs)
>
> +lastbind.lo : lastbind.c
> +   $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell 
> pkg-config openssl --cflags) $<
> +
> +lastbind.la : lastbind.lo
> +   $(LTLINK_MOD) -module -o $@ lastbind.lo version.lo $(LINK_LIBS) 
> $(shell pkg-config openssl --libs)
> +
> sha2.lo : sha2.c
> $(LTCOMPILE_MOD) $<
>
>
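Review bot: the two added recipe lines (`+   $(LTCOMPILE_MOD) ...` and `+   $(LTLINK_MOD) ...`) appear indented with spaces; make only accepts a leading tab in a recipe, so check the patch file itself has tabs there, and likewise check that the wrapped `$(shell pkg-config ...)` parts are on the same line as their commands. Separately, `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL` and the `pkg-config openssl` cflags/libs look copied from the smbk5pwd/allop rules; lastbind has no OpenSSL or Samba dependency, so a rule shaped like the `sha2.lo` one in the trailing context (`$(LTCOMPILE_MOD) $<`) is sufficient.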
> any idea about where I make the mistake?
>

Hi,

I think you don't need -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL for
lastbind, but that would not explain your issue.

Note that we build the lastbind overlay in LTB OpenLDAP RPMs with:

cd lastbind
make clean
make %{?_smp_mflags} "prefix=%{ldapserverdir}" "LDAP_LIB="
cd ..

and

cd lastbind
make install "prefix=%{buildroot}%{ldapserverdir}"
cd ..

You can find our SPEC file here:
https://github.com/ltb-project/openldap-rpm/blob/master/SPECS/openldap-ltb.spec


Clément.



Re: "Dynamic" authentication passthrough?

2017-03-31 Thread Clément OUDOT



Le 30/03/2017 à 15:27, Curtiss Howard a écrit :

Hi,

I've got two Active Directory servers that are being proxied through 
OpenLDAP and their respective trees are being merged into one.  So 
far, so good.


Now I want to allow users to bind to the OpenLDAP server and pass the 
authentication through to the appropriate AD and let it do the 
password checking.


I see a lot of documentation on using SASL for passthrough, but where 
I'm stuck is that this requires every user to have an account in the 
OpenLDAP server in order to see if the userPassword attribute is 
specially formatted.  In my case, this isn't really a palatable 
solution because I'm using the OpenLDAP server with the meta backend 
and using it as a "live view" into the data contained in the ADs.  
Other applications can talk directly to the ADs and in order to do the 
SASL approach there'd have to be some syncing from the ADs to the 
OpenLDAP server every time a user is created/deleted.


I would think that surely there must be some way to pass through the 
authentication in a more obvious manner -- i.e., if the user doesn't 
exist locally, try to bind against each proxied server in succession.  
But I can't seem to find a way to do this, all references point to the 
SASL approach.


Is there a way to do this?




Hi,

as far as I know, you need to have a local entry with a SASL password to 
do authentication passthrough. I wrote documentation on that subject: 
https://ltb-project.org/documentation/general/sasl_delegation


To synchronize AD entries to OpenLDAP, you can use LSC, see 
https://lsc-project.org/


--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot




Re: Dynamic groups/lists

2017-02-27 Thread Clément OUDOT
2017-02-21 15:09 GMT+01:00 Saša-Stjepan Bakša :
> Hi,
>
> I have access to LDAP server which doesn't have any groups defined. All
> users have only attributes which are used to distinguish to which type of
> users they belong and for application which I have intention to use groups
> are necessary.
>
> I don't have authority to change that but I can create my own LDAP proxy
> server and direct my application to it.
>
> Question is, can I create dynamic groups which will reside only on that
> proxy server. I am already familiar with translucent and ordinary proxy
> servers.
>

I don't have a direct answer to your question, but an alternative
solution is to sync the data into a local OpenLDAP with LSC:
https://lsc-project.org/



Clément.



Re: PID File

2016-12-21 Thread Clément OUDOT
2016-12-20 23:40 GMT+01:00 Quanah Gibson-Mount :
> Actually to start with, try using the correct db_recover binary while in the 
> data directory. If that fails, then remove the alock file and see if slapd 
> will start. Sadly not uncommon for alock to report problems incorrectly.

Note that with LTB OpenLDAP init script, you can launch the db_recover
utility with "service slapd db_recover"


Clément.



Re: PID File

2016-12-20 Thread Clément OUDOT
2016-12-20 22:35 GMT+01:00 Singley, Norman :
> Thanks.  Here are the results. I can start googling this result, but I am 
> kind of a newbie at openldap, so if you know something obvious, let me know. 
> Thank you very much.
>
>
> # service slapd debug
> slapd: [INFO] Using /etc/default/slapd for configuration
> slapd: [INFO] Halting OpenLDAP...
> slapd: [INFO] Can't read PID file, to stop OpenLDAP try: /etc/init.d/slapd 
> forcestop
> slapd: [INFO] No db_recover done
> slapd: [INFO] Launching OpenLDAP...
> slapd: [OK] File descriptor limit set to 1024
> 5859a359 @(#) $OpenLDAP: slapd 2.4.36 (Apr  8 2014 12:06:19) $
> usern...@itds120.umt.edu:/u01/app/openldap-2.4.36/servers/slapd
> 5859a359 hdb_db_open: database "dc=umt,dc=edu": alock package is unstable.
> 5859a359 backend_startup_one (type=hdb, suffix="dc=umt,dc=edu"): bi_db_open 
> failed! (-1)
> 5859a359 slapd stopped


The database seems corrupted.

You can try slapcat to get a backup of the data (or try "service
slapd backup"). Then remove all files and re-import the data with slapadd
(or try "service slapd restore").


You should then try to upgrade to 2.4.44 and use the LMDB backend.


Clément.



Re: PID File

2016-12-20 Thread Clément OUDOT
2016-12-20 19:34 GMT+01:00 Singley, Norman :
> Hi Folks –
>
>
>
> I am getting the No PID file for openLDAP error when starting/stopping
> slapd.
>
>
>
> run]# /etc/init.d/slapd stop
>
> slapd: [INFO] Using /etc/default/slapd for configuration
>
> slapd: [INFO] Halting OpenLDAP...
>
> slapd: [INFO] Can't read PID file, to stop OpenLDAP try: /etc/init.d/slapd
> forcestop
>
> [root@itds120 run]# /etc/init.d/slapd forcestop
>
> slapd: [INFO] Using /etc/default/slapd for configuration
>
> slapd: [INFO] Killing OpenLDAP with force...
>
> slapd: [INFO] Found no OpenLDAP process running with
> ldap://oldap.umt.edu:389 ldaps://oldap.umt.edu:636
>
> slapd: [INFO] Killing OpenLDAP replication with force...
>
> slapd: [INFO] Found no slurpd process running
>
> [root@itds120 run]# ps -ea | grep slapd
>
> 6723 ?00:00:00 slapd
>
> [root@itds120 run]# /etc/init.d/slapd start
>
> slapd: [INFO] Using /etc/default/slapd for configuration
>
> slapd: [INFO] Launching OpenLDAP configuration test...
>
> slapd: [OK] OpenLDAP configuration test successful
>
> slapd: [INFO] No db_recover done
>
> slapd: [INFO] Launching OpenLDAP...
>
> slapd: [OK] File descriptor limit set to 1024
>
> slapd: [ALERT] No PID file for OpenLDAP
>
> [root@itds120 run]# ps -ea | grep slapd
>
> 6723 ?00:00:00 slapd
>
>
>
>
>
> It seems to show that openLDAP is running on this box, but I can’t connect
> to it.
>
>
>
> The slapd.conf file is attached.
>
>
>
> I see a lot of results about this error out there on the web, but most of
> the fixes like manually creating the pid file don’t seem to work.  If anyone
> has any tips I can try, it would be greatly appreciated.
>
>
>
> This is a standalone (test oldap, running 2.4.36) on redhat 6.
>
>

Hi,

it seems you are using LTB OpenLDAP packages, or at least the LTB OpenLDAP
init script. Try to run:
# service slapd debug

You should get information on why it is not starting.


Clément.



Re: LTB Debian packages [was] Re: Creating suffix aliases with OpenLDAP

2016-09-18 Thread Clément OUDOT
2016-09-18 11:29 GMT-04:00 Ralf Mattes <r.mat...@mh-freiburg.de>:
>
> Am Sonntag, 18. September 2016 16:55 CEST, Clément OUDOT 
> <clem.ou...@gmail.com> schrieb:
>
>
>>
>> Hi,
>>
>> you are right, we did not publish sources as Debian source packages
>> and we should do it.
>>
>> For the moment, you can get the source files here:
>> http://tools.ltb-project.org/projects/ltb/repository/show/openldap-deb/trunk/debian
>
> Is this substantially different from
>
>  git://anonscm.debian.org/pkg-openldap/openldap.git
>
> That one seems to compile fine on Debian stable and contains the patch for
> back-relay that I need so urgent.
>

Yes, LDAP Tool Box just takes the latest OpenLDAP stable release and
publishes RPM/Debian packages. It does not provide development versions
of OpenLDAP, unless there is a big issue that needs to be patched
before the official OpenLDAP release.

Clément.



Re: enforce TLS 1.2 in OpenLDAP server side

2016-09-12 Thread Clément OUDOT



Le 11/09/2016 à 03:25, Steve Zeng a écrit :

Thanks for the note. So we need to rebuild it against OpenSSL?




You can try the LDAP Tool Box packages, which are built against 
OpenSSL:

* http://ltb-project.org/wiki/documentation/openldap-rpm
* http://ltb-project.org/wiki/download#openldap

--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot




Re: How to enable memberOf overlay with posixGroup?

2016-09-08 Thread Clément OUDOT



Le 08/09/2016 à 04:52, Ryan Tandy a écrit :

On Wed, Sep 07, 2016 at 11:10:30PM +0200, MegaBrutal wrote:
I also figured that memberOf would need groupOfNames groups, while I 
need posixGroup type groups. I evaluated the possibility to use 
groupOfNames, but it lacks the necessary gidNumber attribute which is 
a requirement for Unix groups.


This is the key issue.

A draft schema known as "rfc2307bis" exists, which replaces (!) the 
published RFC 2307 schema with one compatible with groupOfNames.


A published solution to this problem does not currently exist. In the 
past year there have been some discussions on the ldapext list. You 
can find the archives of that list at:


https://www.ietf.org/mailman/listinfo/ldapext



Hi,

as a workaround, I often create a small connector that synchronises 
posixGroup objects into groupOfNames. It's really easy to do with LSC 
(http://www.lsc-project.org).


With this, you only manage POSIX groups, and standard groups are updated 
automatically. You can then use the memberOf overlay on groupOfNames.


--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot
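
The posixGroup to groupOfNames connector described in this reply (and in the 2017 follow-up earlier on this page), in outline, as an added Python example rather than LSC's own code: it resolves each memberUid to a person DN, skips and reports uids that have no entry instead of guessing, and falls back to a placeholder member for an empty group because groupOfNames has `MUST member`. PEOPLE, POSIX_GROUPS, TARGET_BASE and PLACEHOLDER_MEMBER are constructed for the example.

```python
# Constructed sample data (not from the posts): a people branch indexed by uid, and the
# posixGroup entries that remain the only groups an administrator manages by hand.
PEOPLE = {
    "alice": "uid=alice,ou=people,dc=example,dc=com",
    "bob": "uid=bob,ou=people,dc=example,dc=com",
}
POSIX_GROUPS = [
    {"cn": "dev", "gidNumber": "1001", "memberUid": ["alice", "bob"]},
    {"cn": "ops", "gidNumber": "1002", "memberUid": ["alice", "ghost"]},  # ghost has no entry
    {"cn": "empty", "gidNumber": "1003", "memberUid": []},
]
# Hypothetical branch receiving the generated groupOfNames copies.
TARGET_BASE = "ou=std-groups,dc=example,dc=com"
# groupOfNames requires at least one member, so an empty POSIX group gets a stand-in DN
# (a common convention; the stand-in entry must exist if referential integrity is enforced).
PLACEHOLDER_MEMBER = "cn=nobody," + TARGET_BASE


def to_group_of_names(group, people):
    """Build the groupOfNames counterpart of one posixGroup.

    Returns (entry, unresolved): entry is a dict ready for LDIF, unresolved lists the
    memberUid values with no matching person; they are left out, never guessed.
    """
    members, unresolved = [], []
    for uid in group["memberUid"]:
        dn = people.get(uid)
        if dn is None:
            unresolved.append(uid)
        else:
            members.append(dn)
    if not members:
        members = [PLACEHOLDER_MEMBER]
    entry = {
        "dn": "cn=%s,%s" % (group["cn"], TARGET_BASE),
        "objectClass": ["top", "groupOfNames"],
        "cn": [group["cn"]],
        "member": members,
    }
    return entry, unresolved


def to_ldif(entry):
    """Serialise one entry as an LDIF add record (values assumed to be safe ASCII)."""
    lines = ["dn: " + entry["dn"], "changetype: add"]
    for attr in ("objectClass", "cn", "member"):
        lines += ["%s: %s" % (attr, v) for v in entry[attr]]
    return "\n".join(lines) + "\n"


def sync_all(groups, people):
    """Convert every posixGroup; returns (ldif_text, {cn: [unresolved uids]})."""
    records, problems = [], {}
    for group in groups:
        entry, unresolved = to_group_of_names(group, people)
        records.append(to_ldif(entry))
        if unresolved:
            problems[group["cn"]] = unresolved
    return "\n".join(records), problems


if __name__ == "__main__":
    ldif, problems = sync_all(POSIX_GROUPS, PEOPLE)
    print(ldif)
    print("unresolved memberUid values:", problems)
```

The generated records are "add" operations only; a real connector run repeatedly (as LSC does) has to diff against the existing groupOfNames entries and emit modify/delete operations as well, and the unresolved list is worth alerting on because a uid without an entry usually means a stale POSIX membership.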




Re: Change default ssha password encryption algorithm

2016-08-25 Thread Clément OUDOT

Le 25/08/2016 à 18:12, Net Warrior a écrit :


Hi Guys

I need some guidance on this. I configured a ppolicy for a DIT which 
has all the users with plain passwords; I added the following to the policy


changetype: modify
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: FALSE

When the user resets their password, it changes from a clear password to 
one encrypted using ssha, but I want to store them using md5crypt. What do 
I need to change in my configuration?




See the olcPasswordHash parameter.

From man slapd-config:

olcPasswordHash: <hash> [<hash>...]
    This option configures one or more hashes to be used in generation of
    user passwords stored in the userPassword attribute during processing of
    LDAP Password Modify Extended Operations (RFC 3062). The <hash> must be
    one of {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, and {CLEARTEXT}. The
    default is {SSHA}.

    {SHA} and {SSHA} use the SHA-1 algorithm (FIPS 160-1), the latter with
    a seed.

    {MD5} and {SMD5} use the MD5 algorithm (RFC 1321), the latter with a
    seed.

    {CRYPT} uses the crypt(3).

    {CLEARTEXT} indicates that the new password should be added to
    userPassword as clear text.

    Note that this option does not alter the normal user applications
    handling of userPassword during LDAP Add, Modify, or other LDAP
    operations. This setting is only allowed in the frontend entry.



--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot
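
To make the olcPasswordHash schemes above concrete, here is an added Python example (not code from the post or from OpenLDAP). It builds {SSHA} and {SMD5} values in the layout slapd uses, base64 of the digest followed by the salt, re-verifies a candidate password by reading the algorithm from the stored value's prefix (the same "hashing method corresponding to the current password value" that the ldappasswd/PAM reply earlier on this page describes), and audits an LDIF export for the scheme each entry uses. SAMPLE_LDIF and its fixed salts are constructed for the example; {CRYPT} is not handled because its format depends on the system crypt(3).

```python
import base64
import hashlib
import hmac
import os
import re

# Schemes flagged as weak by the audit: cleartext, unsalted digests, and MD5-based ones.
WEAK_SCHEMES = {"CLEARTEXT", "SHA", "MD5", "SMD5"}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)


def make_ssha(password, salt=None):
    """Build a {SSHA} value the way slapd does: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_smd5(password, salt=None):
    """Same layout with MD5: base64(md5(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.md5(password + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def scheme_of(stored):
    """Scheme named by the {PREFIX}; a value without one is stored and compared literally."""
    m = _SCHEME_RE.match(stored)
    return m.group(1).upper() if m else "CLEARTEXT"


def verify(stored, candidate):
    """Redo what slapd does on a simple bind: the stored value's prefix selects the algorithm."""
    m = _SCHEME_RE.match(stored)
    scheme, payload = (m.group(1).upper(), m.group(2)) if m else ("CLEARTEXT", stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), candidate)
    raw = base64.b64decode(payload)
    if scheme in ("SSHA", "SHA"):
        algo, digest_len = hashlib.sha1, 20
    elif scheme in ("SMD5", "MD5"):
        algo, digest_len = hashlib.md5, 16
    else:
        raise ValueError("scheme {%s} not handled by this example" % scheme)
    digest, salt = raw[:digest_len], raw[digest_len:]  # unsalted schemes: salt is empty
    return hmac.compare_digest(algo(candidate + salt).digest(), digest)


def audit_ldif(ldif_text):
    """Return (dn, scheme, weak) for every userPassword in an LDIF export.

    Assumption: the export has no folded (continuation) lines, as slapcat -o ldif-wrap=no
    produces.
    """
    findings, dn = [], None
    for line in ldif_text.splitlines():
        lower = line.lower()
        if lower.startswith("dn: "):
            dn = line[4:].strip()
        elif lower.startswith("userpassword:"):
            rest = line.split(":", 1)[1]
            if rest.startswith(":"):  # "userPassword::" means the value is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            scheme = scheme_of(value)
            findings.append((dn, scheme, scheme in WEAK_SCHEMES))
    return findings


# Constructed LDIF export with fixed salts so the values are reproducible
# (slapd draws random salts itself).
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "userPassword:: "
    + base64.b64encode(make_ssha(b"correct horse", b"\x01\x02\x03\x04").encode()).decode()
    + "\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "userPassword: " + make_smd5(b"hunter2", b"salt") + "\n\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "userPassword: letmein\n"
)

if __name__ == "__main__":
    for dn, scheme, weak in audit_ldif(SAMPLE_LDIF):
        print("%s: {%s} %s" % (dn, scheme, "WEAK" if weak else "ok"))
```

The audit is the defender's use of this: run it over a slapcat export to find entries still carrying cleartext or MD5 values after an olcPasswordHash change, since, as the man page excerpt says, the setting only affects Password Modify operations and leaves existing values untouched until each user changes their password.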




Re: Modification of objectClass failing: how can I get details?

2016-08-16 Thread Clément OUDOT


Le 02/08/2016 à 15:32, Côme Chilliet a écrit :


Hello,

I’m trying to modify an LDAP node to change its objectClasses:

dn: cn=canon-c5250,ou=printers,ou=systems,dc=xxx,dc=xxx
cn: canon-c5250
description:: Q2Fub24gSVIgQURWIEM1MjUwIA==
labeledURI: ipp://127.0.0.1
ipHostnumber: 127.0.0.1
macAddress: 12:12:12:12:12:12
objectClass: top
objectClass: gotoPrinter

I want to remove the gotoPrinter objectClass, which is flagged as OBSOLETE, 
and instead use fdPrinter, ipHost and ieee802Device.

I tried with an LDIF with the following content:

dn: cn=canon-c5250,ou=printers,ou=systems,dc=xxx,dc=xxx
changetype: modify
replace: objectClass
objectClass: fdPrinter
objectClass: ieee802Device
objectClass: ipHost
objectClass: top

I get:

ldapadd -D cn=admin,dc=xxx,dc=xxx -f modify.ldif -W
ldap_modify: Object class violation (65)

How can I get more information? I don’t know which violation that 
could be, as I am able to insert a second object with no problem which 
looks like what I want:

dn: cn=test-print,ou=printers,ou=systems,dc=xxx,dc=xxx
changetype: add
cn: test-print
description: test
labeledURI: ipp://127.0.0.1
ipHostnumber: 127.0.0.1
macAddress: 12:22:12:12:22:22
objectClass: fdPrinter
objectClass: ieee802Device
objectClass: ipHost
objectClass: top

Here are the class definitions:

objectclass ( 1.3.6.1.4.1.10098.1.2.1.31 NAME 'gotoPrinter'
  DESC 'GOto - Gonicus Terminal Concept, objectclass' SUP top STRUCTURAL
  OBSOLETE
  MUST ( cn )
  MAY ( labeledURI $ description $ l $ gotoPrinterPPD $ macAddress $ ipHostNumber $ gotoUserPrinter $
        gotoUserAdminPrinter $ gotoGroupPrinter $ gotoGroupAdminPrinter $
        printerWindowsInfFile $ printerWindowsDriverDir $ printerWindowsDriverName ) )

objectclass ( 1.3.6.1.4.1.38414.16.2.5 NAME 'fdPrinter'
  DESC 'FusionDirectory printer class'
  MUST ( cn )
  MAY ( labeledURI $
        fdPrinterWindowsInfFile $ fdPrinterWindowsDriverDir $ fdPrinterWindowsDriverName $
        fdPrinterUsers $ fdPrinterAdminUsers ) )




Hello,

you can't replace the structural objectClass of an entry (this 
objectClass is listed in the structuralObjectClass operational attribute). 
You can do it with the relax control if needed; otherwise, simply remove 
and re-add the entry.


--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot
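
The structuralObjectClass rule in this reply, as an added Python example (not code from the post, from FusionDirectory or from OpenLDAP): it computes an entry's structural class from the object class definitions quoted in the question and shows why the replace is refused while adding auxiliary classes to the same entry is accepted. The kinds of top, ipHost and ieee802Device are assumed from RFC 4512 and RFC 2307 (ABSTRACT and AUXILIARY respectively); fdPrinter, whose definition names no KIND and no SUP, defaults to STRUCTURAL under top.

```python
# Object class definitions as (kind, superior), from the schema quoted in the question
# plus the standard classes it relies on. RFC 4512: an objectclass with no KIND keyword
# is STRUCTURAL and one with no SUP derives from top. RFC 2307: ipHost and ieee802Device
# are AUXILIARY.
SCHEMA = {
    "top": ("ABSTRACT", None),
    "gotoPrinter": ("STRUCTURAL", "top"),
    "fdPrinter": ("STRUCTURAL", "top"),
    "ipHost": ("AUXILIARY", "top"),
    "ieee802Device": ("AUXILIARY", "top"),
}


def superiors(oc):
    """All ancestors of oc, nearest first."""
    chain, sup = [], SCHEMA[oc][1]
    while sup is not None:
        chain.append(sup)
        sup = SCHEMA[sup][1]
    return chain


def structural_class(object_classes):
    """The entry's structuralObjectClass: the one STRUCTURAL class in the list that no
    other listed STRUCTURAL class derives from. Raises ValueError when there is none or
    more than one unrelated chain, which slapd also treats as an object class violation.
    """
    structural = [oc for oc in object_classes if SCHEMA[oc][0] == "STRUCTURAL"]
    leaves = [oc for oc in structural
              if not any(oc in superiors(other) for other in structural if other != oc)]
    if len(leaves) != 1:
        raise ValueError("entry needs exactly one structural chain, found %r" % leaves)
    return leaves[0]


def check_objectclass_replace(current, proposed):
    """Mimic the check that rejects the replace in the question: a modify may add or drop
    auxiliary classes, but the structural class fixed when the entry was created must stay
    the same. Getting around it takes the Relax Rules control, or a delete and re-add.
    """
    before, after = structural_class(current), structural_class(proposed)
    if before != after:
        return False, "structuralObjectClass would change from %s to %s" % (before, after)
    return True, "structural class %s unchanged" % before


# The entry and the proposed replacement from the question, as plain lists.
CANON_C5250 = ["top", "gotoPrinter"]
PROPOSED = ["fdPrinter", "ieee802Device", "ipHost", "top"]

if __name__ == "__main__":
    ok, why = check_objectclass_replace(CANON_C5250, PROPOSED)
    print("replace allowed:", ok, "-", why)
    ok, why = check_objectclass_replace(CANON_C5250, CANON_C5250 + ["ipHost", "ieee802Device"])
    print("replace allowed:", ok, "-", why)
```

This is also why the second entry in the question adds fine: it is created with fdPrinter as its structural class from the start, so no structural change is involved.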



Re: ContextCSN showing Junk Characters

2016-07-08 Thread Clément OUDOT



Le 07/07/2016 19:38, Aaron Richton a écrit :

On Thu, 7 Jul 2016, scn...@yahoo.com wrote:


Hi,

My ldapmaster contextCSN is showing junk characters. Please advise how 
I can reset it to a valid one.


contextCSN:: 0CKRuTQrAAA=

CentOS 5.8
Openldap Version is OpenLDAP: slapd 2.3.43


Perhaps some unfortunate corruption bug, but seeing as OpenLDAP 2.3.43 
was released 2008/07/16 there's a good chance you can get the 
appropriate bug fix just by upgrading. Somebody else has probably 
already contributed the hard work in the past eight years.


So upgrade to the latest version of OpenLDAP from www.openldap.org, 
and then any write to the database should write a fresh contextCSN...





If you are stuck on CentOS 5 and want to install a recent OpenLDAP with 
packages, take a look at http://ltb-project.org/wiki/download#openldap


--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Blog: http://sflx.ca/coudot



