Final update:

Once I added "objectClass: olcFrontendConfig" I could apply
"olcPasswordHash: {SSHA256}" to "olcDatabase={-1}frontend,cn=config".

Kind regards,
Ulrich Windl

> -----Original Message-----
> From: Windl, Ulrich <[email protected]>
> Sent: Monday, March 17, 2025 9:05 AM
> To: Ondřej Kuzník <[email protected]>
> Cc: [email protected]
> Subject: [EXT] RE: Re: Re: Trying to set 'olcPasswordHash' I get "ldap_modify:
> Object class violation (65) additional info: attribute 'olcPasswordHash' not
> allowed"
> 
> Ondřej,
> 
> as you might understand, first you try what you think should work, and if it
> doesn't, you start wild experimenting (while not knowing better) 😉
> 
> I read adding it to frontend (olcFrontendConfig) should work (and it's also
> conforming to the schema I see). However it would not work, so I had
> opened a support case with SUSE. After more than a week where it wouldn't
> work, I started some desperate experiments, and according to the schema,
> olcPasswordHash is also allowed in olcGlobal, and when trying to add it
> there, it worked (using a single value).
> 
> I just retried the test:
> After loading a fresh cn=config and starting slapd, I could apply
> dn: cn=module{0},cn=config
> changetype: modify
> add: olcModuleLoad
> olcModuleLoad: {4}pw-sha2.so
> 
> but applying
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> replace: olcPasswordHash
> olcPasswordHash: {SSHA256}
> 
> fails with:
> modifying entry "olcDatabase={-1}frontend,cn=config"
> ldap_modify: Object class violation (65)
>         additional info: attribute 'olcPasswordHash' not allowed
> 
> Do I have to add olcFrontendConfig explicitly?
> 
> My frontend has (from 2.4):
> dn: olcDatabase={-1}frontend,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {-1}frontend
> 
> In case this is no longer correct, the upgrade guide for 2.4-to-2.5 should be
> updated.
> 
> Kind regards,
> Ulrich Windl
> 
> > -----Original Message-----
> > From: Ondřej Kuzník <[email protected]>
> > Sent: Friday, March 14, 2025 1:29 PM
> > To: Windl, Ulrich <[email protected]>
> > Cc: [email protected]
> > Subject: [EXT] Re: Re: Trying to set 'olcPasswordHash' I get "ldap_modify:
> > Object class violation (65) additional info: attribute 'olcPasswordHash' not
> > allowed"
> >
> > On Fri, Mar 14, 2025 at 11:11:46AM +0000, Windl, Ulrich wrote:
> > > Ondřej,
> > >
> > > Did the location of olcPasswordHash change? I found instructions to add
> > > it to the frontend database, but failed, so I had opened a support
> > > case for SLES15 SP6. Even support had no idea what is wrong, until I
> > > desperately tried another location (cn=config), and that worked.
> >
> > Hi Ulrich,
> > both places have to allow it because of what the 2.3 schema looked like,
> > but you're supposed to put it in the frontend because of when
> > moduleload happens.
> >
> > > Errors were like this:
> > > dn: cn=module{0},cn=config
> > > changetype: modify
> > > add: olcModuleLoad
> > > olcModuleLoad: {4}pw-sha2.so
> > >
> > > dn: olcDatabase={-1}frontend,cn=config
> > > changetype: modify
> > > replace: olcPasswordHash
> > > olcPasswordHash: {SSHA256}
> > > olcPasswordHash: {SSHA}
> > >
> > > However I'm getting an error like:
> > > # slapmodify -n0 -F /etc/openldap/slapd.d -S 5 -w -l add-sha256.ldif
> > > Entry (olcDatabase={-1}frontend,cn=config), attribute 'olcPasswordHash' not allowed
> > > slapmodify: dn="olcDatabase={-1}frontend,cn=config" (line=1): (65) attribute 'olcPasswordHash' not allowed
> > > Closing DB...
> >
> > You are on 2.5/2.6 right? There it's definitely allowed by
> > olcFrontendConfig.
> >
> > > (Before I had also tried ldapmodify instead of slapmodify)
> > >
> > > Still support had claimed that it would work there like this:
> > > # cat /tmp/change
> > > dn: olcDatabase={-1}frontend,cn=config
> > > changetype: modify
> > > replace: olcPasswordHash
> > > olcPasswordHash: {SSHA256}
> > > olcPasswordHash: {SSHA}
> >
> > I said it before, don't specify more than one olcPasswordHash, you've
> > seen first hand that ppolicy will not be happy so I don't understand why
> > you're still trying...
> >
> > > # ldapmodify -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -f /tmp/change
> > > SASL/EXTERNAL authentication started
> > > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > > SASL SSF: 0
> > > modifying entry "olcDatabase={-1}frontend,cn=config"
> >
> > So you're saying it succeeds with ldapmodify and fails with slapmodify?
> > Confused here.
> >
> > > Sorry, I cannot explain what's going on: I also tried to replace the
> > > schemata.
> >
> > Certainly can't replace a schema that's compiled in (e.g. most of dynamic
> > config options).
> >
> > Regards,
> >
> > --
> > Ondřej Kuzník
> > Senior Software Engineer
> > Symas Corporation                       http://www.symas.com
> > Packaged, certified, and supported LDAP solutions powered by OpenLDAP
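The thread boils down to two preconditions that the final update and Ondřej's replies spell out: the frontend entry must carry the auxiliary objectClass olcFrontendConfig before slapd will accept olcPasswordHash there, and a SHA-2 scheme such as {SSHA256} needs pw-sha2.so loaded before the frontend is configured. The script below is an added example (not code from the thread or from the OpenLDAP project) that takes a slapcat-style dump of cn=config, checks both conditions, and emits the modify LDIF that fixes whatever is missing, with a single olcPasswordHash value as advised. The SAMPLE_CONFIG dump is constructed for the example, modelled on the 2.4-era frontend entry quoted above; the module path in it and the set of schemes attributed to pw-sha2 are assumptions for the demonstration.

```python
"""Pre-flight check for moving olcPasswordHash into the frontend database.

Added example, not OpenLDAP code. Given a slapcat -n0 style dump of cn=config
it reports problems and builds the LDIF for:
  1. adding objectClass olcFrontendConfig to the frontend entry if absent
     (without it slapd answers "Object class violation (65)");
  2. loading pw-sha2.so first when a SHA-2 scheme is requested.
"""
import re

# Constructed sample dump, modelled on the 2.4-era frontend entry from the thread.
SAMPLE_CONFIG = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}back_mdb.so

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
"""

FRONTEND_DN = "olcDatabase={-1}frontend,cn=config"
# Schemes the pw-sha2 module provides (assumed list for this example).
SHA2_SCHEMES = {"{SHA256}", "{SSHA256}", "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}"}


def parse_ldif(text):
    """Parse a simple LDIF dump into {dn: {attribute: [values]}}.

    Folded attribute values (continuation lines starting with a space) are
    joined; comment lines are skipped. Good enough for cn=config entries.
    """
    entries, dn, last_attr = {}, None, None
    for line in text.splitlines():
        if not line.strip():                # blank line ends the entry
            dn, last_attr = None, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and dn and last_attr:
            entries[dn][last_attr][-1] += line[1:]   # folded value
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            dn, last_attr = value, None
            entries[dn] = {}
            continue
        if dn is None:                      # attribute before any dn: ignore
            continue
        entries[dn].setdefault(attr, []).append(value)
        last_attr = attr
    return entries


def loaded_modules(cfg):
    """Module names from every olcModuleList entry, {n} ordering prefix stripped."""
    names = []
    for entry in cfg.values():
        if "olcModuleList" in entry.get("objectClass", []):
            for value in entry.get("olcModuleLoad", []):
                names.append(re.sub(r"^\{\d+\}", "", value))
    return names


def plan_password_hash(config_text, scheme):
    """Return (problems, ldif); ldif is empty whenever problems were found."""
    cfg = parse_ldif(config_text)
    problems, records = [], []

    # One scheme only: several olcPasswordHash values upset ppolicy.
    if not re.fullmatch(r"\{[A-Z0-9-]+\}", scheme):
        problems.append(f"expected exactly one scheme like {{SSHA256}}, got {scheme!r}")

    frontend = cfg.get(FRONTEND_DN)
    if frontend is None:
        problems.append(f"no entry {FRONTEND_DN} in the dump")

    module_dn = next((d for d, e in cfg.items()
                      if "olcModuleList" in e.get("objectClass", [])), None)
    if scheme in SHA2_SCHEMES and not any(m.startswith("pw-sha2") for m in loaded_modules(cfg)):
        if module_dn is None:
            problems.append("no olcModuleList entry to load pw-sha2.so into")
        else:   # module load record comes first so the scheme exists when applied
            records.append(f"dn: {module_dn}\nchangetype: modify\n"
                           "add: olcModuleLoad\nolcModuleLoad: pw-sha2.so\n-\n")
    if problems:
        return problems, ""

    mods = []
    if "olcFrontendConfig" not in frontend.get("objectClass", []):
        mods.append("add: objectClass\nobjectClass: olcFrontendConfig\n-\n")
    mods.append(f"replace: olcPasswordHash\nolcPasswordHash: {scheme}\n-\n")
    records.append(f"dn: {FRONTEND_DN}\nchangetype: modify\n" + "".join(mods))
    return problems, "\n".join(records)


if __name__ == "__main__":
    problems, ldif = plan_password_hash(SAMPLE_CONFIG, "{SSHA256}")
    print("\n".join(problems) if problems else ldif)
```

Feed it the output of `slapcat -n0` and apply the printed LDIF with `ldapmodify -Y EXTERNAL -H ldapi:///` (the thread uses `ldapi://%2ftmp%2fldapi`); because the module load record precedes the frontend record, the scheme is already registered when olcPasswordHash is set.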