Ondřej,
Did the location of olcPasswordHash change? I found instructions to add it to the
frontend database, but failed, so I had opened a support case for SLES15 SP6.
Even support had no idea what is wrong, until I desperately tried another
location (cn=config), and that worked.
Errors were like this:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
However I'm getting an error like:
# slapmodify -n0 -F /etc/openldap/slapd.d -S 5 -w -l add-sha256.ldif
Entry (olcDatabase={-1}frontend,cn=config), attribute 'olcPasswordHash' not allowed
slapmodify: dn="olcDatabase={-1}frontend,cn=config" (line=1): (65) attribute 'olcPasswordHash' not allowed
Closing DB...
(Before I had also tried ldapmodify instead of slapmodify)
Still support had claimed that it would work there like this:
# cat /tmp/change
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
# ldapmodify -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -f /tmp/change
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={-1}frontend,cn=config"
# ldapsearch -LLL -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -b 'olcDatabase={-1}frontend,cn=config'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.exact="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
olcAccess: {2}to dn.base="cn=schema,cn=config" by * read
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
Sorry, I cannot explain what's going on: I also tried to replace the schemata.
Kind regards,
Ulrich Windl
> -----Original Message-----
> From: Ondřej Kuzník <[email protected]>
> Sent: Friday, March 14, 2025 11:57 AM
> To: Windl, Ulrich <[email protected]>
> Cc: [email protected]
> Subject: [EXT] Re: Trying to set 'olcPasswordHash' I get "ldap_modify: Object
> class violation (65) additional info: attribute 'olcPasswordHash' not allowed"
>
> On Thu, Mar 13, 2025 at 02:37:55PM +0000, Windl, Ulrich wrote:
> > Hi!
> >
> > Even after having opened a support case with SUSE, it took about two
> > weeks until I got any further:
> >
> > Essentially you cannot add the values to
> > "olcDatabase={-1}frontend,cn=config", but only to "cn=config".
> >
> > However after that I got a new message when trying to change a user's password:
> >
> > Result: Constraint violation (19)
> > Additional info: Password policy only allows one password value
> >
> > At that time I had two values assigned, but even after assigning only
> > one value, the message did not change.
> >
> > Even more, slapd suddenly had exited and refused to restart with the messages:
> >
> > slapd[13769]: olcPasswordHash: value #0: <olcPasswordHash> scheme not available ({SSHA256})
> > slapd[13769]: olcPasswordHash: value #0: <olcPasswordHash> no valid hashes found
> > slapd[13769]: config error processing cn=config: <olcPasswordHash> no valid hashes found
> > ...
> >
> > slapd[13769]: slapd stopped.
> >
> > Changes actually applied were:
> >
> > dn: cn=module{0},cn=config
> > changetype: modify
> > add: olcModuleLoad
> > olcModuleLoad: {4}pw-sha2.so
> >
> > dn: cn=config
> > changetype: modify
> > replace: olcPasswordHash
> > olcPasswordHash: {SSHA256}
>
> Hi Ulrich,
> you should be storing your olcPasswordHash on the frontend database, not
> the 'cn=config' entry (because the module isn't loaded yet while that's
> being processed). What error do you get when trying to write to
> `olcDatabase={-1}frontend,cn=config`?
>
> Regards,
>
> --
> Ondřej Kuzník
> Senior Software Engineer
> Symas Corporation http://www.symas.com
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP
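As an added example (not part of this thread, and not OpenLDAP's or pw-sha2's own code), the Python below shows what the two schemes discussed here, {SSHA} and {SSHA256}, actually produce in userPassword and how a stored value is verified: the scheme tag followed by base64 of the digest of password plus salt, with the salt appended. It also models two conditions from the thread as plain checks: refusing a scheme that is not loaded, which is what slapd reports as "scheme not available ({SSHA256})" when cn=config is processed before pw-sha2.so is loaded, and generating one userPassword value per configured olcPasswordHash scheme, which with two schemes yields the two values a single-value password policy rejects. The function names, the constructed sample password, and the 4-byte and 8-byte salt lengths used when generating are assumptions; verification reads the salt length from the stored value itself, so it does not depend on them.

```python
import base64
import hashlib
import hmac
import os

# Constructed scheme table: tag -> (digest constructor, salt length used when
# generating). {SSHA} is built into slapd; {SSHA256} comes from the pw-sha2
# module the thread loads with "olcModuleLoad: pw-sha2.so". The salt lengths
# are assumptions; check_password() takes the salt from the stored value.
SCHEMES = {
    "{SSHA}": (hashlib.sha1, 4),
    "{SSHA256}": (hashlib.sha256, 8),
}


def scheme_available(scheme):
    """True if the scheme tag (case-insensitive), e.g. '{SSHA256}', is loaded."""
    return scheme.upper() in SCHEMES


def hash_password(password, scheme="{SSHA256}", salt=None):
    """Encode a password as tag + base64(digest(password || salt) || salt).

    Raises ValueError for a scheme that is not loaded, the same condition slapd
    reports as '<olcPasswordHash> scheme not available ({SSHA256})'.
    """
    tag = scheme.upper()
    if tag not in SCHEMES:
        raise ValueError(f"scheme not available ({scheme})")
    digest_fn, salt_len = SCHEMES[tag]
    if salt is None:
        salt = os.urandom(salt_len)
    digest = digest_fn(password.encode("utf-8") + salt).digest()
    return tag + base64.b64encode(digest + salt).decode("ascii")


def hash_for_config(password, olc_password_hash):
    """One userPassword value per olcPasswordHash scheme, in configured order.

    With the thread's two values ({SSHA256} and {SSHA}) this yields two
    userPassword values, which a policy limited to one password value refuses.
    """
    return [hash_password(password, scheme) for scheme in olc_password_hash]


def split_scheme(value):
    """Split '{TAG}payload' into ('{TAG}', 'payload'); no tag -> (None, value)."""
    if value.startswith("{"):
        end = value.find("}")
        if end > 0:
            return value[: end + 1].upper(), value[end + 1 :]
    return None, value


def check_password(password, stored):
    """Verify a cleartext password against a stored {SSHA}/{SSHA256} value.

    The digest length is fixed per scheme, so everything after it is the salt;
    the comparison is constant-time.
    """
    tag, payload = split_scheme(stored)
    if tag not in SCHEMES:
        raise ValueError(f"scheme not available ({tag})")
    digest_fn, _ = SCHEMES[tag]
    raw = base64.b64decode(payload)
    dlen = digest_fn().digest_size
    if len(raw) <= dlen:
        return False  # malformed value: no salt present
    stored_digest, salt = raw[:dlen], raw[dlen:]
    candidate = digest_fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    for scheme in ("{SSHA256}", "{SSHA}"):
        value = hash_password(pw, scheme)
        print(value, check_password(pw, value), check_password("wrong", value))
    # Two configured schemes -> two userPassword values.
    print(hash_for_config(pw, ["{SSHA256}", "{SSHA}"]))
```

Running the block prints one value per scheme with its verification result, then the two-element list that a two-value olcPasswordHash produces; comparing that list against a single stored value is the quickest way to see why a one-value password policy complains in that configuration.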