On Fri, Mar 14, 2025 at 11:11:46AM +0000, Windl, Ulrich wrote:
> Ondřej,
>
> Did the location of olcPasswordHash change? I found instructions to add
> it to the frontend database, but failed, so I had opened a support
> case for SLES15 SP6. Even support had no idea what is wrong, until I
> desperately tried another location (cn=config), and that worked.

Hi Ulrich,
both places have to allow it because of what the 2.3 schema looked like,
but you're supposed to put it in the frontend because of when moduleload
happens.

> Errors were like this:
> dn: cn=module{0},cn=config
> changetype: modify
> add: olcModuleLoad
> olcModuleLoad: {4}pw-sha2.so
>
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> replace: olcPasswordHash
> olcPasswordHash: {SSHA256}
> olcPasswordHash: {SSHA}
>
> However I'm getting an error like:
> # slapmodify -n0 -F /etc/openldap/slapd.d -S 5 -w -l add-sha256.ldif
> Entry (olcDatabase={-1}frontend,cn=config), attribute 'olcPasswordHash' not
> allowed
> slapmodify: dn="olcDatabase={-1}frontend,cn=config" (line=1): (65) attribute
> 'olcPasswordHash' not allowed
> Closing DB...

You are on 2.5/2.6 right? There it's definitely allowed by olcFrontendConfig.

> (Before I had also tried ldapmodify instead of slapmodify)
>
> Still support had claimed that it would work there like this:
> # cat /tmp/change
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> replace: olcPasswordHash
> olcPasswordHash: {SSHA256}
> olcPasswordHash: {SSHA}

I said it before, don't specify more than one olcPasswordHash, you've seen
first hand that ppolicy will not be happy so I don't understand why you're
still trying...

> # ldapmodify -Y EXTERNAL -H ldapi://%2ftmp%2fldapi -f /tmp/change
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "olcDatabase={-1}frontend,cn=config"

So you're saying it succeeds with ldapmodify and fails with slapmodify?
Confused here.

> Sorry, I cannot explain what's going on: I also tried to replace the
> schemata.

Certainly can't replace a schema that's compiled in (e.g. most of dynamic
config options).

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP