Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi
by michael@stroeder.com
abartlet(a)samba.org wrote:
> Samba4 always uses SASL credentials these days (trying to avoid simple
> binds).
libsasldb2.so is not required for a SASL bind with password-based
mechanism. You can store the passwords in attribute userPassword (in
clear-text). So the security consideration is more about password
storage than SASL vs. simple bind on the wire.
> Perhaps it's time to investigate EXTERNAL
That would be good anyway since in Samba4 the result of standard
provision is LDAPI access anyway. So you could directly map the Unix
user smbd is running as (root?) with authz-regexp to directory user
samba-admin. Well, we already discussed that.. ;-)
Ciao, Michael.
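As an added example that is not part of the original thread: the mapping Michael describes. For a SASL EXTERNAL bind over ldapi:///, slapd derives the authentication DN from the connecting process's Unix uid/gid (the `cn=peercred,cn=external,cn=auth` form is the one slapd produces), and `authz-regexp` rules rewrite that DN to a directory entry. The rules, the `dc=example,dc=com` suffix and the `samba-admin` entry below are constructed for the example; the script reproduces slapd's first-match, `$1`-substitution semantics so the rule set can be checked before it is deployed.

```python
import re
from typing import List, Optional, Tuple

# Authentication DN slapd derives for a SASL EXTERNAL bind over ldapi:///
# from the peer's Unix credentials (SO_PEERCRED). No password is involved;
# what this identity may do is decided entirely by authz-regexp and ACLs.
PEERCRED_SUFFIX = "cn=peercred,cn=external,cn=auth"


def peercred_authc_dn(uid: int, gid: int) -> str:
    """Return the DN slapd reports for `ldapwhoami -Y EXTERNAL -H ldapi:///`."""
    return f"gidNumber={gid}+uidNumber={uid},{PEERCRED_SUFFIX}"


# Constructed authz-regexp rules (pattern, replacement) in slapd.conf order.
# Rule 1: only the uid/gid smbd runs as (root here) maps to the Samba admin
#         entry. Rule 2: any other local user maps to its own entry via $1.
#         Identities from password-based mechanisms match neither rule.
AUTHZ_REGEXP: List[Tuple[str, str]] = [
    (r"^gidNumber=0\+uidNumber=0," + re.escape(PEERCRED_SUFFIX) + "$",
     "cn=samba-admin,dc=example,dc=com"),
    (r"^gidNumber=[0-9]+\+uidNumber=([0-9]+)," + re.escape(PEERCRED_SUFFIX) + "$",
     "uidNumber=$1,ou=people,dc=example,dc=com"),
]


def map_authz_dn(authc_dn: str, rules=AUTHZ_REGEXP) -> Optional[str]:
    """Apply authz-regexp rules in order; the first matching rule wins.

    Returns the rewritten DN, or None when no rule matches. In that case
    slapd keeps the raw authentication DN, which names no entry, so the
    client gets only what ACLs grant an unknown authenticated identity.
    """
    for pattern, replacement in rules:
        m = re.match(pattern, authc_dn)
        if m:
            # slapd substitutes $1..$9 with the capture groups of the match
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def slapd_conf_lines(rules=AUTHZ_REGEXP) -> List[str]:
    """Render the rules in slapd.conf syntax for review."""
    return [f'authz-regexp "{p}" "{r}"' for p, r in rules]


if __name__ == "__main__":
    for uid, gid in [(0, 0), (1000, 1000)]:
        dn = peercred_authc_dn(uid, gid)
        print(f"{dn}\n  -> {map_authz_dn(dn)}")
    # A DIGEST-MD5 identity (constructed) is not a peercred DN and stays unmapped
    print(map_authz_dn("uid=alice,cn=digest-md5,cn=auth"))
    print("\n".join(slapd_conf_lines()))
```

The anchored pattern in rule 1 matters: without `^` and `$`, a rule written for uid 0 would also match `uidNumber=10` or `uidNumber=100`, which is exactly the kind of over-broad mapping that hands the admin entry to the wrong local user.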
Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi
by hyc@symas.com
Michael Ströder wrote:
> hyc(a)symas.com wrote:
>> Further testing with Andrew's kvm image shows the hang only occurs when Cyrus
>> SASL's libsasldb2.so plugin is present.
>
> Probably you already checked whether there's a BDB library mix.
Yes, the version is the same, BDB 4.7. However it's possible that BDB 4.7
doesn't like being initialized multiple times, as occurs here. I haven't yet
looked more deeply to see what the real cause is.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi
by abartlet@samba.org
On Tue, 2009-05-26 at 04:26 -0700, Howard Chu wrote:
> abartlet(a)samba.org wrote:
> > Full_Name: Andrew Bartlett
> > Version: CVS HEAD
> > OS: Fedora 10
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (59.167.251.137)
> >
> >
> > Samba4's provision and 'make test' seems to create some internal situation in
> > OpenLDAP slapd where it will not accept any more connections over ldapi:///
> >
> > This is best seen by building Samba4, and running
> >
> > TEST_LDAP=yes OPENLDAP_ROOT=/usr/local make test
> >
> > The slapd does not crash, but simply stops accepting new connections. Samba4
> > currently then crashes due to some other bug (the LDAP backend not responding is
> > clearly untested code in Samba4).
> >
> > It isn't a Samba4 client bug, as ldapsearch also fails to respond.
> >
> > This seems very, very similar to ITS#5261
>
> Further testing with Andrew's kvm image shows the hang only occurs when Cyrus
> SASL's libsasldb2.so plugin is present. I always remove that plugin from my
> installs, since I only use in-directory SASL secrets. That's probably why I
> wasn't seeing the reported behavior before.
Very interesting result!
> Also a note - it's still not clear we've been talking about the same thing up
> to this point. Even when the samba test suite hangs, I see that ldapsearch
> still works fine against slapd. At any rate, currently all of the samba4 tests
> pass for me.
Samba4 always uses SASL credentials these days (trying to avoid simple
binds). Perhaps it's time to investigate EXTERNAL if it would avoid
some of this pain (but we should also try and fix the real bug here, if
at all possible).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi
by michael@stroeder.com
hyc(a)symas.com wrote:
> Further testing with Andrew's kvm image shows the hang only occurs when Cyrus
> SASL's libsasldb2.so plugin is present.
Probably you already checked whether there's a BDB library mix.
Ciao, Michael.
Re: (ITS#6056) Samba4 breaks OpenLDAP over ldapi
by hyc@symas.com
abartlet(a)samba.org wrote:
> Full_Name: Andrew Bartlett
> Version: CVS HEAD
> OS: Fedora 10
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (59.167.251.137)
>
>
> Samba4's provision and 'make test' seems to create some internal situation in
> OpenLDAP slapd where it will not accept any more connections over ldapi:///
>
> This is best seen by building Samba4, and running
>
> TEST_LDAP=yes OPENLDAP_ROOT=/usr/local make test
>
> The slapd does not crash, but simply stops accepting new connections. Samba4
> currently then crashes due to some other bug (the LDAP backend not responding is
> clearly untested code in Samba4).
>
> It isn't a Samba4 client bug, as ldapsearch also fails to respond.
>
> This seems very, very similar to ITS#5261
Further testing with Andrew's kvm image shows the hang only occurs when Cyrus
SASL's libsasldb2.so plugin is present. I always remove that plugin from my
installs, since I only use in-directory SASL secrets. That's probably why I
wasn't seeing the reported behavior before.
Also a note - it's still not clear we've been talking about the same thing up
to this point. Even when the samba test suite hangs, I see that ldapsearch
still works fine against slapd. At any rate, currently all of the samba4 tests
pass for me.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
LDAP add *.ldif errors
by Pastore Annamaria
Good morning,
I loaded version 2.4 of LDAP (which supports the memberof overlay).
LDAP started OK, and the network was OK.
I started to configure a memberof scenario and soon after a few errors started.
So as not to touch anything more, I cleaned up all of /var/lib/ldap... and I tried to load
a single *.ldif....
but when I try to load a .ldif (core, cosine...) I get a few errors:
1. With LDAP online:
ldapadd -x -D "cn=Manager,dc=pippo,dc=it" -W -f core.ldif
Enter LDAP Password:
adding new entry "cn=core,cn=schema,cn=config"
ldap_add: Insufficient access (50)
In /var/lib/ldap there is a DB_CONFIG (previously DB_CONFIG.example) and the
owner of the directory is ldap, as I read in a few threads about this sort of
bug.
The access directives in slapd.conf are:
#access to dn="" by * read
access to attrs=userPassword
    by anonymous auth
    by self write
    by * auth
    # by * none
access to *
    by self write
    by * read
    # by * none
But I also tried with "by * write" and nothing changed.
The other parameter is:
directory /var/lib/ldap
2. With LDAP offline:
[root@itmit2vl5 schema]# slapadd -l core.ldif -f ../slapd.conf
bdb(dc=telecom,dc=it): Program version 4.4 doesn't match environment
version 4.6
bdb_db_open: Database cannot be opened, err -30971. Restore from backup!
bdb(dc=pippo,dc=it): DB_ENV->lock_id_free interface requires an
environment configured for the locking subsystem
bdb(dc=pippo,dc=it): txn_checkpoint interface requires an environment
configured for the transaction subsystem
bdb_db_close: txn_checkpoint failed: Invalid argument (22)
backend_startup_one: bi_db_open failed! (-30971)
slap_startup failed
But the BDB version does not appear anywhere!!!
I also tried the command "od -j12 -N8 -tx4 log.0000000001" and the result
was 4.6!
What must I do to go on?
Thank you very much to all, and sorry for my newbie experience.....
Compile error on tru64 5.1b
by Didier Godefroy
Hello,
Compiling openldap 2.4.26 on tru64 unix v5.1b, using the native compilers
and gmake.
I'm getting an error as follows:
Entering subdirectory liblunicode
gmake[2]: Entering directory
`/usr/local/openldap/openldap-2.4.16/libraries/liblunicode'
cc -O4 -g3 -w -I../../include -I../../include -pthread
-I/usr/local/include -pthread -I/usr/local/include -c -o ure.o ure.c
cc: Fatal: A memory access violation (bus error or segmentation fault)
has occurred. Please submit a problem report.
gmake[2]: *** [ure.o] Error 1
I retried, just in case, and got the same error again.
I'm not a C programmer and I have no idea how to fix this.
What can I try and send to get this fixed?
Thanks,
--
Didier Godefroy
mailto:dg@ulysium.net
Support anti-Spam legislation.
Join the fight http://www.cauce.org/
Re: (ITS#6131) "TLSVerifyClient try" not working with GNU TLS
by hyc@symas.com
subbarao(a)computer.org wrote:
> Full_Name: Kartik Subbarao
> Version: 2.4.16
> OS: Debian 5.0.1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (76.99.175.5)
>
>
> When TLSVerifyClient is set to "try", OpenLDAP improperly rejects SSL
> connections without a client certificate. The problem appears to start with this
> section of code in tls.c around line 1564:
>
> #ifdef HAVE_GNUTLS
>     if ( ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
>         err = tls_cert_verify( ssl );
>         if ( err && ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW )
>             return err;
>     }
> #endif
>
> tls_cert_verify() calls gnutls_certificate_verify_peers2(), which appears to
> return error 49 when no client certificate is presented. tls_cert_verify()
> doesn't seem to distinguish between this case, and the case of an invalid client
> certificate, returning -1 in both cases.
>
This bug report makes no sense; the code you quoted is not part of OpenLDAP
2.4.16. The relevant code is in function tlsg_session_accept() in tls_g.c, and
there is no such bug in that function.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
(ITS#6140) nadf.schema: AttributeType not found: "lastModifiedTime"
by michael@stroeder.com
Full_Name: Michael Ströder
Version: RE24
OS: Linux
URL:
Submission from: (NULL) (84.163.124.107)
When including nadf.schema, slapd does not start and prints this error message:
/opt/openldap-RE24/etc/openldap/schema/nadf.schema: line 111 objectclass:
AttributeType not found: "lastModifiedTime"
/etc/openldap/slapd.conf: line 17: <include> handler exited with 1!
Analyzing this, I found this commented-out declaration in cosine.schema:
## Deprecated in favor of modifyTimeStamp
#attributetype ( 0.9.2342.19200300.100.1.23 NAME 'lastModifiedTime'
#	DESC 'RFC1274: time of last modify, replaced by modifyTimestamp'
#	OBSOLETE
#	SYNTAX 1.3.6.1.4.1.1466.115.121.1.53
#	USAGE directoryOperation )
So it seems nadf.schema is not usable at the moment.