1

Topic: OpenLDAP error "Undefined attribute type (17)"

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: CentOS Linux release 7.6.1810 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi iRedMail Pros!

I tried out the ppolicy feature. Implementation went fine, but then I noticed that you cannot change user passwords anymore by LDAPadmin GUI or by shell. Changing user passwords works only by SOGo Web GUI.

So I want to roll back the ppolicy feature.

I performed the following steps in order to roll back, but since then I receive the following error message trying to change user passwords either way by LDAPadmin GUI or shell:

Undefined attribute type (17)

1) Removed the following lines from /etc/openldap/slapd.conf

[...]
include     /etc/openldap/schema/ppolicy.schema
[...]
moduleload ppolicy.la
[...]
overlay ppolicy
ppolicy_default "cn=ppolicy,dc=mycompany,dc=com"
[...]

2) Removed the following line from /etc/sogo/sogo.conf

[...]
passwordPolicy = YES;
[...]

3) Removed the ppolicy.ldif and ppolicy.schema files from /etc/openldap/schema

4) Restarted the slapd and the sogod daemons

I assume that the ppolicy schema has to be removed additionally by an ldapmodify command, because during implementation I also had to perform an ldapmodify command providing an LDIF file:

This was the command:

ldapmodify -x -a -H ldap://localhost -D cn=Manager,dc=mycompany,dc=com -w hdeki38dj23ghesui3idfhu3kidfoi3eudui -f /etc/openldap/schema/ppolicy.ldif

This was the LDIF file:

dn: cn=ppolicy,dc=mycompany,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 12
pwdInHistory: 0
pwdMaxFailure: 5
pwdFailureCountInterval: 3600
pwdLockout: TRUE
pwdLockoutDuration: 10
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE

I guess that I have to create a new LDIF file and then invoke an ldapmodify command in order to purge the ppolicy schema from the LDAP.

Can you help me to create the proper LDIF file and command?

Thank you very much!

Best Regards,
IRMA


2

Re: OpenLDAP error "Undefined attribute type (17)"

If you added some attributes offered by the ppolicy schema file, you need to remove these attributes before removing the schema.

3

Re: OpenLDAP error "Undefined attribute type (17)"

ZhangHuangbin wrote:

If you added some attributes offered by the ppolicy schema file, you need to remove these attributes before removing the schema.

I cannot see any ppolicy related attributes within the users' datasets.

4

Re: OpenLDAP error "Undefined attribute type (17)"

How did you verify that no ppolicy-related attributes were added to some mail account?
You can try to dump the LDIF data of the whole server first, then check the LDIF file, for example:

slapcat -f /etc/openldap/slapd.conf > all.ldif

5

Re: OpenLDAP error "Undefined attribute type (17)"

ZhangHuangbin wrote:

How did you verify that no ppolicy related attributes were added to some mail account?

I checked the users' datasets in LDAPadmin.

I also exported the entire LDAP as you proposed and searched it again for strings "pwd" and "ppol". No ppolicy related matches.

I know that it is a prerequisite to delete all ppolicy-related attributes from the datasets in order to successfully remove the ppolicy schema. We should assume now that there aren't any left.

I think that I just need the proper LDIF file and ldapmodify command to roll back the previously executed ldapmodify command during the implementation of the policy.

Do you have an idea what the proper LDIF file + ldapmodify command look like?

6

Re: OpenLDAP error "Undefined attribute type (17)"

I suggest following your old instruction to enable ppolicy again, but do not modify any ldif data this time. Then run 'slapcat' again and check whether it has any ppolicy related attributes.

If you have a backup copy under /var/vmail/backup/ldap/ which you can safely restore, maybe that's a good source to get your ldap service back:

- Remove all files under /var/lib/ldap/<domain>/, but do not remove /var/lib/ldap/<domain> itself.
- Stop slapd service.
- Start slapd service again.
- Run 'slapadd' with the backup ldif file to restore the data.

NOTE: if you don't have any experience with slapcat/slapadd, try it on a testing machine first.
I don't take any responsibility if you lose the data. big_smile
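The check suggested in posts 4 and 6 (dump the directory with slapcat, then look for anything that still depends on the ppolicy schema), as an added example that is not part of this thread or of iRedMail: a small Python scanner over a constructed slapcat-style LDIF dump. It matters because the ppolicy overlay keeps its state in operational attributes (pwdChangedTime, pwdPolicySubentry, ...) that LDAPadmin and a plain ldapsearch do not display but slapcat does write out; SAMPLE_LDIF, its DNs and values are constructed for the example.

```python
import base64
import re

# Constructed sample of a slapcat dump (not from the thread): the policy entry,
# one account still carrying ppolicy operational attributes (its DN folded the
# way slapcat writes long lines), and one clean account.
SAMPLE_LDIF = """\
dn: cn=ppolicy,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinLength: 12

dn: mail=alice@example.com,ou=Users,domainName=example.com,o=domains,dc=exam
 ple,dc=com
objectClass: mailUser
pwdChangedTime: 20190101120000Z
pwdPolicySubentry:: Y249cHBvbGljeSxkYz1leGFtcGxlLGRjPWNvbQ==

dn: mail=bob@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com
objectClass: mailUser
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; handles folded lines and base64 values."""
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():   # unfold continuations
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name == "dn":                  # a dn line starts a new entry
            current = (value, {})
            entries.append(current)
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def find_ppolicy_leftovers(text):
    """Map DN -> attributes that still depend on the ppolicy schema: every pwd*
    attribute (operational ones included) and the pwdPolicy object class."""
    leftovers = {}
    for dn, attrs in parse_ldif(text):
        hits = [a for a in attrs if a.lower().startswith("pwd")]
        classes = [v.lower() for k, vs in attrs.items() if k.lower() == "objectclass" for v in vs]
        if "pwdpolicy" in classes:
            hits.append("objectClass=pwdPolicy")
        if hits:
            leftovers[dn] = hits
    return leftovers
```

On the server, feed the output of the slapcat command from post 4 to find_ppolicy_leftovers; an empty result is the prerequisite the thread names before the ppolicy include and overlay can be dropped.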

7

Re: OpenLDAP error "Undefined attribute type (17)"

Please mark this thread as SOLVED. I won't remove the ppolicy on the production server.