Skip to main content
Home It's only 1 step 2 your solution!

OpenLDAP - 'simpleSecurityObject' requires attribute 'userPassword'

During the setup of a Master-Slave OpenLDAP environment we had to deal with a "strange" error log message on the slave server.
The server logged:

Jun 25 06:57:02 ldapsrv02 slapd[11808]: Entry (cn=vwxyz,dc=vwxyz,dc=xy): object class 'simpleSecurityObject' requires attribute 'userPassword'

 

In the first step of figuring out what is causing this issue we consulted Google and found a lot of articles/questions dealing with the same problem. But none of the results was providing the right hint to solve it.

 

So: what is the problem here?

 

One sentence answer:

By default only the built-in administrator is allowed to read the attributes userPassword and shadowLastChange.

 

How to deal with this issue?

1. Use the built-in administrator for replication purposes. This is the bad way to do it even if it will work right away!

2. Create an object (user) which is used for replication purposes and assign/adjust access rights correctly.

 

What does this mean when using option #2?

1. Create an object (user) which is going to be used for replication purposes (master server):

        dn: cn=ldaprepluser,dc=vwxyz,dc=xy
        objectClass: simpleSecurityObject
        objectClass: organizationalRole
        cn: ldaprepluser
        description: LDAP Replication User
        userPassword: YOURPASSWORD-TO-BE-CHANGED

2. assign general access rights to the synchronization user (master server):

        dn: olcDatabase={0}config,cn=config
        changetype: modify
        add: olcAccess
        olcAccess: to * by dn.base="cn=ldaprepluser,dc=vwxyz,dc=xy" read by * +0 break

3. now - this is the "magic stuff" - modify access rights for the attribute "userPassword" (master server):

        dn: olcDatabase={1}mdb,cn=config
        changetype: modify
        replace: olcAccess
        olcAccess: {0}to attrs=userPassword 
          by dn="cn=ldaprepluser,dc=vwxyz,dc=xy" read
          by anonymous auth 
          by self write 
          by * none
        olcAccess: {1}to attrs=shadowLastChange
          by self write
          by * read
        olcAccess: {2}to *
          by * read

4. On the slave server: load the synchronization module and enable database as well as configuration synchronization:

        dn: olcDatabase={1}mdb,cn=config
        changetype: modify
        add: olcSyncrepl
        olcSyncrepl: {0}rid=020 provider=ldap://ldapsrv01
          type=refreshAndPersist
          bindmethod=simple
          binddn="cn=ldaprepluser,dc=vwxyz,dc=xy"
          credentials=YOURPASSWORD-TO-BE-CHANGED
          interval="00:00:03:00"
          retry="30 10 300 +"
          timeout=1
          tls_reqcert=never
          schemachecking=on
          searchbase="dc=vwxyz,dc=xy"

        dn: olcDatabase={0}config,cn=config
        changetype: modify
        add: olcSyncrepl
        olcSyncrepl: {0}rid=021 provider=ldap://ldapsrv01
          type=refreshAndPersist
          bindmethod=simple
          binddn="cn=ldaprepluser,dc=vwxyz,dc=xy"
          credentials=YOURPASSWORD-TO-BE-CHANGED
          interval="00:00:03:00"
          retry="30 10 300 +"
          timeout=1
          tls_reqcert=never
          schemachecking=on
          searchbase="cn=config"

 

What is the source/idea for this solution?

Simply said: read the documentation!

slapd.conf says:

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="@ADMIN@" write
        by anonymous auth
        by self write
        by * none

 

All of the above mentioned ldifs can be dynamically added to the database/configuration by using ldapadd or ldapmodify.