Ondřej,

as you might understand, first you try what you think should work, and if it 
doesn't, you start wild experimenting (while not knowing better) 😉

I read adding it to frontend (olcFrontendConfig) should work (and it's also 
conforming to the schema I see). However it would not work, so I had opened a 
support case with SUSE. After more than a week where it wouldn't work, I started 
some desperate experiments, and according to the schema, olcPasswordHash is also 
allowed in olcGlobal, and when trying to add it there, it worked (using a 
single value).

I just retried the test:
After loading a fresh cn=config and starting slapd, I could apply
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}pw-sha2.so

but applying
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA256}

fails with:
modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcPasswordHash' not allowed

Do I have to add olcFrontendConfig explicitly?

My frontend has (from 2.4):
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend

In case this is no longer correct, the upgrade guide for 2.4-to-2.5 should be 
updated.

Kind regards,
Ulrich Windl

> -----Original Message-----
> From: Ondřej Kuzník <[email protected]>
> Sent: Friday, March 14, 2025 1:29 PM
> To: Windl, Ulrich <[email protected]>
> Cc: [email protected]
> Subject: [EXT] Re: Re: Trying to set 'olcPasswordHash' I get "ldap_modify:
> Object class violation (65) additional info: attribute 'olcPasswordHash' not
> allowed"
> 
> On Fri, Mar 14, 2025 at 11:11:46AM +0000, Windl, Ulrich wrote:
> > Ondřej,
> >
> > Did the location of olcPasswordHash change? I found instructions to add
> > it to the frontend database, but failed, so I had opened a support
> > case for SLES15 SP6. Even support had no idea what is wrong, until I
> > desperately tried another location (cn=config), and that worked.
> 
> Hi Ulrich,
> both places have to allow it because of what the 2.3 schema looked like,
> but you're supposed to put it in the frontend because of when
> moduleload happens.
> 
> > Errors were like this:
> > dn: cn=module{0},cn=config
> > changetype: modify
> > add: olcModuleLoad
> > olcModuleLoad: {4}pw-sha2.so
> >
> > dn: olcDatabase={-1}frontend,cn=config
> > changetype: modify
> > replace: olcPasswordHash
> > olcPasswordHash: {SSHA256}
> > olcPasswordHash: {SSHA}
> >
> > However I'm getting an error like:
> > # slapmodify -n0 -F /etc/openldap/slapd.d -S 5 -w -l add-sha256.ldif
> > Entry (olcDatabase={-1}frontend,cn=config), attribute 'olcPasswordHash'
> not allowed
> > slapmodify: dn="olcDatabase={-1}frontend,cn=config" (line=1): (65)
> attribute 'olcPasswordHash' not allowed
> > Closing DB...
> 
> You are on 2.5/2.6 right? There it's definitely allowed by
> olcFrontendConfig.
> 
> > (Before I had also tried ldapmodify instead of slapmodify)
> >
> > Still support had claimed that it would work there like this:
> > # cat /tmp/change
> > dn: olcDatabase={-1}frontend,cn=config
> > changetype: modify
> > replace: olcPasswordHash
> > olcPasswordHash: {SSHA256}
> > olcPasswordHash: {SSHA}
> 
> I said it before, don't specify more than one olcPasswordHash, you've
> seen first hand that ppolicy will not be happy so I don't understand why
> you're still trying...
> 
> > # ldapmodify -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -f /tmp/change
> > SASL/EXTERNAL authentication started
> > SASL username:
> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > SASL SSF: 0
> > modifying entry "olcDatabase={-1}frontend,cn=config"
> 
> So you're saying it succeeds with ldapmodify and fails with slapmodify?
> Confused here.
> 
> > Sorry, I cannot explain what's going on: I also tried to replace the
> > schemata.
> 
> Certainly can't replace a schema that's compiled in (e.g. most of dynamic
> config options).
> 
> Regards,
> 
> --
> Ondřej Kuzník
> Senior Software Engineer
> Symas Corporation                       http://www.symas.com
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP
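As an added example (not code from this thread, from SUSE or from the OpenLDAP project), a small Python pre-flight check over a cn=config dump of the kind "slapcat -n0" produces: it flags a frontend entry that does not carry olcFrontendConfig (the object class the reply above says allows olcPasswordHash, and which Ulrich's 2.4-era entry lacks), more than one olcPasswordHash value (the ppolicy point raised above), and a SHA-2 scheme used without pw-sha2 loaded. The embedded LDIF sample is constructed to mirror the entries quoted in the thread, and the module-name normalisation is an assumption of this example.

```python
import re
from collections import defaultdict
# SHA-2 schemes are provided by the pw-sha2 module, so it must be loaded first.
SHA2_SCHEMES = {"{SHA256}", "{SSHA256}", "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}"}

# Constructed sample mirroring the thread: pw-sha2 loaded, 2.4-style frontend entry.
SAMPLE_LDIF = """\
dn: cn=module{0},cn=config
objectClass: olcModuleList
olcModuleLoad: {4}pw-sha2.so

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcPasswordHash: {SSHA256}
olcPasswordHash: {SSHA}
"""

def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attr: [values]}}; unfolds wrapped lines."""
    entries, dn, attrs = {}, None, defaultdict(list)
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:                       # a blank line terminates an entry
            if dn:
                entries[dn] = dict(attrs)
            dn, attrs = None, defaultdict(list)
        elif not line.startswith("#"):
            key, _, val = line.partition(": ")
            if key == "dn":
                dn = val
            else:
                attrs[key].append(val)
    return entries

def check_password_hash_config(text):
    """Return the list of problems found; an empty list means nothing to fix."""
    entries = parse_ldif(text)
    fe = entries.get("olcDatabase={-1}frontend,cn=config", {})
    findings = []
    if "olcFrontendConfig" not in fe.get("objectClass", []):
        findings.append("frontend entry lacks objectClass olcFrontendConfig")
    hashes = fe.get("olcPasswordHash", [])
    if len(hashes) > 1:
        findings.append("olcPasswordHash has %d values, expected one" % len(hashes))
    # Strip the {n} ordering prefix and the .so/.la suffix to get the module name.
    loaded = {re.sub(r"^\{\d+\}|\.(so|la)$", "", v)
              for e in entries.values() for v in e.get("olcModuleLoad", [])}
    for h in hashes:
        if h.upper() in SHA2_SCHEMES and "pw-sha2" not in loaded:
            findings.append("%s needs the pw-sha2 module, which is not loaded" % h)
    return findings
```

Run it against the real dump before attempting the modify; an empty result means the object class, value count and module prerequisites are all in place.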
