Questions tagged as ['openldap']

OpenLDAP Software is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) developed by the OpenLDAP Project. LDAP is a platform-independent protocol for querying and modifying data using directory services running over TCP/IP.
Score: 0
ldap_add - Invalid Syntax - Additional Info: ObjectClass - Value #1 Invalid Peer Syntax

I have the following content in adam.ldif

dn: uid=adam,ou=users,dc=wesgibbs,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

I then attempt to add the above adam user to m ...

Score: 0
Creating an OpenLdap specific administrator group on LDAP

I'm trying to create a simple specific administrator group on my OpenLdap server that is running slapd. There is currently no slapd file, and I have been working with the cn=config format.

I want to create a group with a user in it who can only manage what is in this group or below.

For example:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.subtree="cn=cry,ou=gr ...
Score: 0
Authenticate on other apps with OpenLDAP user still working after user password expired

I'm trying to figure out why this is still possible. For example, we have icinga(web)2 and users are still able to log in without being prompted to change the password. Also, other apps that are not using ssh auth are still able to complete the login.

On ssh it prompts the user to change his password, which is the normal behavior.

Any clue why is this happening? If any config files are required, please let ...

Score: 0
Migrating SLES OpenLDAP to 389-DS using openldap_to_ds

As SLES15 stopped supporting OpenLDAP, suggesting the use of 389-DS instead, I tried to migrate my databases following the guide provided with SLES15 SP3. However, the command to (test-)convert the configuration failed with a double fault like this:

# openldap_to_ds TEST1 /tmp/slapd.d /tmp/dump.ldif
Examining OpenLDAP Configuration ...
Traceback (most recent call last):
  File "/usr/sbin/openldap_to_ds", ...
Score: 0
what are these OpenLDAP directories used for

I have removed an openldap installation from my centos7 server and discovered that these directories are left: /run/openldap, /usr/lib64/openldap, /usr/libexec/openldap. Please, what are these openldap directories used for, and are they created when openldap is installed?

Score: 0
Openldap mirror mode not working

I have two openldap servers running v2.4.57 on Solaris. I'm trying to set up replication.

The first system, France, is set up and running. I then created Spain and ran ldapmodify on Spain using this ldif. I expected Spain to start replicating, but nothing happens. I was expecting replication to just start. Any help is appreciated.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncRepl ...

Score: 0
Admin user not shown under base dc after setting up openldap on debian

After installing openldap (slapd) from the Debian package repository (using version 2.4.57+dfsg-3~bpo10+1), I could not find the admin user (cn=admin,dc=company,dc=com) in the phpldapadmin dashboard. I also tried using Apache Directory Studio to access the LDAP directory, and still couldn't find the admin user.

screenshot of empty entry under my dc

However, using ldapwhoami (ldapwhoami -vvv -h ldap.comp ...

Score: 0
Export and import ldap user smbantpassword did not work

I have a problem with LDAP: we use the Synology NAS LDAP server, for some reason, for authentication with FileMaker.

The users I am syncing from a Debian server with OpenLDAP 2.4 using the lsc tool. But I could not log on to FileMaker, getting the error "invalid credentials". I made some tests with phpldapadmin and the following happened:

  1. a freshly transferred user could not log in, with error 49; the password in debian lda ...

Score: 0
OpenLDAP Access handling

I have installed OpenLDAP on Ubuntu Server 20.04. It works fine so far. Now I want to restrict access to the server, as right now anyone can read all entries, e.g. in Thunderbird. Therefore I created an ldif file like this:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: to attrs=shadowLast ...
Score: 0
OpenLDAP ppolicy load error

I'm trying to run openldap. I created a master-slave server and everything is ok. However, when I load the ppolicy module I get an error like the one below:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifying entry "cn=module{0},cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
additional info: <olcMod ...
Score: 0
Active Directory/LDAP replication Windows/Ubuntu

I am trying to set up replication between a Windows AD and OpenLDAP on Ubuntu.

Access to the Windows AD server seems to work OK, the OpenLDAP on Ubuntu also seems to work, however I am getting stuck on setting up the replication between both - I am new to AD/LDAP and there might be some concepts I'm missing.

I am able to list users on the remote (Windows) AD:

ldapsearch -x -h -D 'CN=LDAP Ope ...
Score: 0
How to increase OpenLDAP DN max length?

The maximum length of an OpenLDAP DN seems to be 255 characters.

How can this value be increased?

Score: 0
KDC has no support for encryption type while authentication to OpenLDAP

I've been running a Kerberos / LDAP authentication server for many years. Kerberos data is stored inside LDAP. Now I have a second site and want to mirror the server to the new site. This basically works, but there is a strange side effect. Each server has a KDC and an LDAP running. The KDC talks to LDAP using local ldapi:///.

If I use the original KDC I can authenticate to the master LDAP and th ...

Score: 0
Enforce TLS1.2 in sssd client

In one of our environments Linux servers are set up with sssd / OpenLDAP for OS login. To support older servers our OpenLDAP server has to support TLSv1.0 and TLSv1.1 still.

RedHat 8 no longer supports TLS levels below TLSv1.2, and thus the standardized /etc/sssd/sssd.conf failed to connect to the LDAP server.

Error message:

sssd_be[1236697]: Could not start TLS encryption. error:14094410:SSL rout ...
Score: 1
LDAP finds user, but "permission denied" when logging in

I am setting up an LDAP client in Red Hat 8.

After setting up the config files I did an LDAP user test and it came back successfully:

# id myusername
uid=666(myusername) gid=510(active_users) groups=510(active_users)

If I run an ldapsearch it returns successfully with the expected results:

# ldapsearch -x -ZZ -h -b dc=example,dc=com

But if I try to ssh to the Red Hat 8 machine fr ...

Score: 0
openldap master/slave replication configuration return TLS error from slave

I am trying to add TLS-secured replication between a master and a slave ldap server. The replication without TLS works well.

I encounter this error from the slave: slapd_client_connect: URI=ldap:// Error, ldap_start_tls failed (-11)

Here is my configuration:

----- Master -----
  URI            ldap://
  TLS_CACERT     /etc/ssl/cacert.pem
  TLS_ ...
Score: 0
freeradius and openldap : vlan attribution working with radtest but not with wpa_supplicant

Both of my services, freeradius and openldap, are on the same server. The Freeradius schema is loaded into openldap.

I configured the radiusProfileDN of a user to link to a group. In this group, I have radiusReplyAttribute set to give the information about the vlan.

  • When I use the command radtest locally (or from the remote and already authenticated client), I receive an Access-Accept packet (radius protoco ...
Score: 0
syncrepl_message_to_entry: rid=002 mods check (objectClass: value #1 invalid per syntax)

I have a problem with my master-master config database replication (I will add the data replication after this one). I am running openldap and freeradius on each master. To have freeradius working with openldap, I created an ldif schema on each server.

For info: rid=001 is the master n1 and rid=002 is the master n2

When starting slapd on both servers, I get this error on the master n1: syncrepl_message_ ...

Score: 0
Rekerberize fails with: Could not retrieve auth record

We use Apple Open Directory (which is actually openLDAP), and we are experiencing a problem that, for some users, user authentication fails with ldap_bind: Insufficient access (50).

Attempting to rekerberize, as recommended on

$ sudo mkdir /var/db/openldap/migration/
$ sudo touch /var/db/openldap/migration/.rekerberize
$ sudo slapconfig -firstboot

However, the la ...

Score: 1
Cannot build a working docker image for an openldap service

I'm new to docker and I'm doing a little bit of experimenting with it.

I was trying to create a docker image for an openldap service. I tried creating the image starting from the debian:latest image provided by the official docker repos.

This is the content of my Dockerfile

FROM debian
RUN DEBIAN_FRONTEND="noninteractive" apt-get update
RUN DEBIAN_FRONTEND="noninteractive" apt-get install --yes --no-instal ...
Score: 2
libpam-ldapd - LDAP authentication on Debian 11 not working

I saw several other questions here regarding a similar issue, but I haven't found something that actually worked for me.

My goal is to authenticate (mainly for SSH) all Debian machines against a UCS (OpenLDAP) directory, in the future only when the user is a member of a specific ldap group. But I'm currently struggling to make it even work without a group membership.

I always get the error:

nslcd: [7 ...
Score: 0
OpenLDAP push replication via proxy - Guide to set up syncrepl

I have some basic experience interacting with & troubleshooting OpenLDAP as well as 389-ds, but I don't have a whole lot of experience setting them up or configuring an OpenLDAP server.

My goal is to set up replication from a Primary inside a trusted network outwards to a Replica that is in an untrusted network, without allowing the replica any direct access to the primary, due to firewall flo ...

Score: 1
OpenLDAP: interpreting username@domainname as uid=username,ou=domainname

Is it possible to tweak some settings that would make OpenLDAP always interpret uid=username@domainname as uid=username,ou=domainname in authentication queries?

Of course, making the clients do this job would be a much more ecological way, but this would be a less preferable option in my case.

Score: 0
Apple client unable to login with LDAP backend and GSSAPI or PLAIN

I have an OpenLDAP server with Kerberos5 for authentication, and on Linux/Unix/Windows environments I am able to log in without a problem. The LDAP server is configured to use GSSAPI or PLAIN, which passes the password through SASL2 to PAM, which authenticates against KERBEROS. This is because some server software does not support GSSAPI directly yet. On macOS (latest Monterey) I am able to get the ID of the users and do ...

Score: 0
Allow any user with a specific uid to manage an entire OU

I have a domain (let's call it dc=example,dc=org)

The domain has a branch (ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org).

There's a simpleSecurityObject in this domain (uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org).

I need the uid=admin,*** user to have full (manage) access to the ou=users,*** branch, so I added the following olcAccess ...

Score: 0
OpenLDAP: a custom base DN for a user

Is it possible to make OpenLDAP provide different base DNs for different users?

Let me explain what exactly I want to achieve.

I have a domain (let's say, dc=example,dc=org).

I also have a phpLDAPadmin instance whose purpose is to help me manage this domain.

I also have a branch somewhere within this domain (let's say, ou=foo,ou=bar,dc=baz,dc=example,dc=org).

I also have a user (let's say,

Score: 0
OpenLDAP syncrepl with plaintext authentication

I'm trying to set up a syncrepl relationship between two openldap servers. The data they serve is not secret and they are used only in an enclosed network, so I'd like to avoid the hassle of setting up SSL. However it seems syncrepl refuses to work with a simple plaintext authentication. Is this correct, or am I being misled by some other authentication issue?

Score: 0
every LDAP user gives "permission denied" with LDAP and sssd (Centos7)

I am trying to limit LDAP logins to the "admin" group.

This is my /etc/sssd/sssd.conf file:

autofs_provider = ldap
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=example,dc=com
id_provider = ldap
ldap_default_bind_dn = cn=moder ...
Score: 0
openldap searching memberOf group ( overlay groupOfUniqueNames )

Struggling with retrieving all members of a group via memberOf, even though memberOf shows up when querying the user(s) and also shows when displaying the group.

(1) When searching the user it shows memberOf of the group

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "dc=ldapmaster,dc=guarani,dc=com" cn=cissys memberOf

dn: cn=cissys,ou=systemacct,dc=ldapmaster,dc=guarani,dc=com

memberOf: cn=cisusers,ou=groups,dc=ldapmaster ...

Score: 0
Migrating OpenLDAP data from 2.4 to 2.5

I have gone through documentation online and on some forums, but I am stuck on importing data from ldap 2.4 to 2.5 (migrating to a new server as well). Here are the steps I did and the error I am receiving. (There were multiple other errors, but those are fixed now.)

Installation that I performed for 2.5:

sudo ./configure --prefix=/usr --sysconfdir=/etc --disable-static --enable-debug --with-tls=openssl - ...