ldap_add: Other (e.g., implementation specific) error (80) when adding pw-sha2.la module
I am quite confident the following will be inserted without errors:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/local/libexec/openldap/
olcModuleLoad: pw-sha2
My confidence arises from the fact that it is the exact ldif I used to enable the module.
As an aside: if you want a password schema to be the default, modify PasswordHash on frontend:
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SHA256}
Leo
I’m a Senior Site Reliability Engineer at Autonomic. I do Golang, Ruby, JS, Python, Elixir, as well as web scale devops with Terraform, Ansible, Kubernetes and Docker.
Updated on September 18, 2022
Comments
-
Leo over 1 year
I'm getting this error when trying to add a module to OpenLDAP:
# ldapadd -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f ./module.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcModuleLoad> handler exited with 1
Here's the ldif:
# cat module.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: pw-sha2.la
It's the slapd-sha2.so module. The readme instructions seem out of date.
Here are the module directory contents:
# ls /usr/local/libexec/openldap
pw-sha2.a pw-sha2.la pw-sha2.so pw-sha2.so.0 pw-sha2.so.0.0.0
Here's a different module currently in OpenLDAP:
# ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=module{0},cn=config'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=module{0},cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}syncprov.la

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I tried suffixing module with {1} in the ldif to no success.
OpenLDAP version:
# slapd -V
@(#) $OpenLDAP: slapd 2.4.40 (Sep 29 2015 10:26:27) $
[email protected]:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
I followed the steps below to compile the module.
Install prerequisites:
yum -y install git libtool openldap-devel nss nss-devel openssl openssl-devel db4 db4-devel
Get module source:
git clone https://github.com/gcp/openldap.git
Build the module:
cd openldap
./configure
make depend
make
cd contrib/slapd-modules/passwd/sha2/
make
make install
Is the module already loaded? I do not see it in cn=config.
How do I add it to the OpenLDAP configuration?
@473183469 suggested this ldif:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/local/libexec/openldap/
olcModuleLoad: pw-sha2
When I try it, I get this error:
# ldapadd -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f ./module.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module{0},cn=config"
ldap_add: Naming violation (64)
Edit 2:
Just to be clear, I'm trying to use pw-sha2 compiled from the github source repo with the slapd from CentOS package repos.
ls -laFtr /usr/local/libexec/openldap/
total 124
-rwxr-xr-x 1 root root 46158 Nov 6 11:53 pw-sha2.so.0.0.0*
lrwxrwxrwx 1 root root 16 Nov 6 11:53 pw-sha2.so.0 -> pw-sha2.so.0.0.0*
lrwxrwxrwx 1 root root 16 Nov 6 11:53 pw-sha2.so -> pw-sha2.so.0.0.0*
-rw-r--r-- 1 root root 910 Nov 6 11:53 pw-sha2.la
-rw-r--r-- 1 root root 61274 Nov 6 11:53 pw-sha2.a
drwxr-xr-x 2 root root 4096 Nov 6 11:53 ./
drwxr-xr-x. 3 root root 4096 Nov 19 14:19 ../
Official CentOS slapd:
# slapd -VVV
@(#) $OpenLDAP: slapd 2.4.40 (Nov 10 2015 09:41:16) $
[email protected]:/builddir/build/BUILD/openldap-2.4.40/openldap-2.4.40/build-servers/servers/slapd
Included static backends:
    config
    ldif
    monitor
    bdb
    hdb
    ldap
    mdb
    meta
    null
    passwd
    relay
    shell
    sock
slapd built from source:
# /usr/local/libexec/slapd -VVV
@(#) $OpenLDAP: slapd 2.X (Nov 19 2015 14:18:36) $
root@my_hostname.my_domain.com:/root/openldap/servers/slapd
Included static overlays:
    syncprov
Included static backends:
    config
    ldif
    monitor
    bdb
    hdb
    mdb
    relay
-
Leo over 8 years
I get an ldap_add: Naming violation (64) with that ldif. I've added diagnostic output to the question.
-
473183469 over 8 years
I suspect the index {0} of modules is already used. Can you list your modules?
sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config 'objectClass=olcModuleList'
-
473183469 over 8 years
It would be most useful to have the server log output: the client output is not very enlightening.
-
Leo over 8 years
Thanks! There was a {0} module. Adding a {1} module showed a file not found error in the slapd logs. I added .la to olcModuleLoad: pw-sha2.la and adding the module as {1} worked.
-
Leo over 8 years
I spoke too soon. Getting file not found for pw-sha2, pw-sha2.la and pw-sha2.so
-
473183469 over 8 years
What is the output of ls -laFtr /usr/local/libexec/openldap/ ? While doing configure, did you change the PREFIX?
-
Leo over 8 years
Details added to question. Note that I was trying to use the official CentOS slapd with a pw-sha2 compiled from Github source.
-
Aas over 6 years
@Leons Have you found a solution? Can you please post LDIF that worked for you? You have done the same steps as I did and I have come to the same dead end as you did.
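
The index collision worked out in the comments above (a cn=module{0} entry already existed when the cn=module{0} LDIF was rejected with Naming violation (64)), as an added shell example that is not part of the original thread: it reads the ldapsearch listing of olcModuleList entries, picks the next free index and prints the LDIF to add. The function names and the sample input are constructed for illustration, the module path and name are the ones from the answer's LDIF, and the later "file not found" problem is outside its scope.

```shell
#!/bin/sh
# Added example (not from the thread): avoid reusing an olcModuleList index.

# next_module_index: read ldapsearch LDIF on stdin and print one more than the
# highest N found in "dn: cn=module{N},cn=config" (prints 0 if none exist).
next_module_index() {
    awk '
        BEGIN { max = -1 }
        # Match entry DNs only, not the "# base <...>" comment lines.
        /^dn: cn=module[{][0-9]+[}],cn=config$/ {
            n = $0
            sub(/^dn: cn=module[{]/, "", n)
            sub(/[}],cn=config$/, "", n)
            if (n + 0 > max) max = n + 0
        }
        END { print max + 1 }
    '
}

# module_ldif INDEX MODULE_PATH MODULE_NAME: print the entry to pass to ldapadd.
module_ldif() {
    printf 'dn: cn=module{%s},cn=config\n' "$1"
    printf 'objectClass: olcModuleList\n'
    printf 'cn: module{%s}\n' "$1"
    printf 'olcModulePath: %s\n' "$2"
    printf 'olcModuleLoad: %s\n' "$3"
}

# Constructed sample: the entry shown in the question's ldapsearch output.
SAMPLE='# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}syncprov.la
'

# On a live server the input would come from the command given in the comments:
#   ldapsearch -H ldapi:/// -Y EXTERNAL -b cn=config 'objectClass=olcModuleList'
idx=$(printf '%s' "$SAMPLE" | next_module_index)
module_ldif "$idx" /usr/local/libexec/openldap/ pw-sha2
```
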