Re: (ITS#6770) Proxy authorization fails with SASL-GSSAPI
by c.waeschenfelder@websale.de
Same problem here:
If I use the cn=config style, proxy authorization works directly after
configuring it.
If I reboot the slave server the authorization fails to work and the
bindmethod switches from SASL/GSSAPI to SIMPLE.
If I delete the configuration directory /etc/ldap/slapd.d and use a
simple /etc/ldap/slapd.conf and make the same configuration the old way
everything keeps working after reboots.
So I think there is a Problem while loading the cn=config configuration.
9 years, 9 months
(ITS#6995) Request for Contribution of Identity Access Management Software to OpenLDAP Project
by shawn.mckinney@jtstools.com
Full_Name: Shawn McKinney
Version: All
OS: All
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (99.34.198.251)
Hello,
We have created a new Identity and Access Management SDK, called Fortress, that
uses Java and OpenLDAP to provide authentication, RBAC, ARBAC, password
policies, auditing and more.
It has taken us 2.5 years of steady work to get it ready for this 1.0 release.
This SDK has approximately 50K lines of Java code of which approximately 25K are
dedicated to testing using JUnit automated tests to ensure it works correctly.
There are in excess of 100 public APIs available for use. There is also a Java
EE container plug-in that provides authentication and authorization services to
Websphere, Tomcat and JBoss app servers in a declarative fashion.
This product has not been published and we would like to release it as one of
the products under OpenLDAP family of products. The product will be released
under New BSD open source license (license information is contained in the
source archives on ftp server).
I have uploaded seven packages to our FTP server that contain the source,
documentation and other items for you to look at.
host: jtstools.com
user: jtsguest1
pw: OpenLd@p1
The packages are as follows:
Fortress Core SDK
1. source - fortressSrc-1.0.0-rc1.zip - 352K bytes
2. source - fortressTestSrc-1.0.0-rc1.zip - 159K bytes
3. tutorial/doc - fortressSamples-1.0.0-rc1.zip - 766K bytes
4. javadoc - fortressDoc-1.0.0-rc1.zip - 1.4M bytes
5. ldap (folder) - Fortress schema and OpenLDAP slapd.conf
Fortress Realm (Java EE Container plug-ins)
6. source - fortressRealmSrc-1.0.0-rc1.zip - 45K bytes
7. javadoc - fortressRealmDoc-1.0.0-rc1.zip - 76K bytes
Package 4 contains complete javadoc for the APIs.
In package 4, this link, ./fortressDoc-1.0.0-rc1/index.html, contains the
overall summary of the SDK.
this link, ./oamCore/trunk/dist/docs/api/index.html, contains package
descriptions along with detailed documentation describing the contents of the
SDK.
What we are requesting from the OpenLDAP foundation:
1. Source code repository to host the SDK and Realm packages.
2. Bug tracking.
3. Developer and User forums.
4. Wiki (this is a nice to have)
Our goal is to run the open source project with your organization and cultivate
a healthy developer and user community. We have high hopes for this product
(and OpenLDAP) and consider the 2 products together as an open source
alternative for IAM products that will compete with the commercial vendor
offerings.
Once 1.0 is released, we will begin working on 2.0 which will include UI's to
control Fortress and OpenLDAP along with a policy server to wrap the Fortress
Java APIs with HTTP/REST Web APIs to make it available to all platforms.
Thanks in advance for your consideration.
Shawn McKinney
JoshuaTree Software
shawn.mckinney(a)jtstools.com
9 years, 9 months
(ITS#6994) Syncrepl with MozNSS inherits TLS context form main configuration breaking some syncrepl setups
by thibault.lemeur@supelec.fr
Full_Name: Thibault Le Meur
Version: 2.4.23-15
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (160.228.28.55)
Previously on my FC13 installation (openldap-servers-2.4.21-11) the main slapd
process used an X509 "server" while my syncrepl processes were using the
/etc/openldap/ldap.conf client configuration file in order to connect to my
LDAPs Syncrepl providers.
In my new RHEL6 setup (openldap-servers-2.4.23-15.el6.x86_64) is linked to
MozNSS and Syncrepl can't connect to my LDAPs providers anymore because it
complains about the TLS context not beeing intitialized correctly (the server's
certificate isn't accepted as a client certificate).
Here is the lightly obfuscated log:
----------------------------------------------------------
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate [CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is
not valid - error -8101:Unknown code ___f 91.
TLS: error: unable to set up client certificate authentication for certificate
named PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: unable to set up client certificate authentication using PEM Token
#0:myldap.mydom.fr-cert.pem - 0
TLS: error: could not initialize moznss security context - error -8101:Unknown
code ___f 91
TLS: can't create ssl handle.
slap_client_connect: URI=ldaps://otherldap.mydom.fr
DN="cn=myreplicationAccount,dc=mydom,dc=fr" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=125 rc -1 retrying (9 retries left)
----------------------------------------------------------
Here is my syncrepl setup:
---------------------------------------------------------
syncrepl rid=125
provider=ldaps://otherldap.mydom.fr
type=refreshOnly
interval=00:00:03:00
retry="60 10 300 +"
searchbase="dc=subranch,dc=mydom,dc=fr"
filter="(objectClass=*)"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=myreplicationAccount,dc=mydom,dc=fr"
credentials="MyVerySecretPassword"
---------------------------------------------------------
My setup related to TLS:
---------------------------------------------------------
TLSCipherSuite HIGH
TLSCertificateFile /etc/ssl/certs/myldap.mydom.fr-cert.pem
TLSCertificateKeyFile /etc/ssl/keys/myldap.mydom.fr-key.pem
TLSCACertificateFile /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------
And my /etc/openldap/ldap.conf:
---------------------------------------------------------
TLS_CACERT /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------
Here is the obfuscated certificate:
---------------------------------------------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 221 (0xdd)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=myst, L=myloc, O=myorg, OU=myou,
CN=myCA/emailAddress=myemail(a)mydom.fr
Validity
Not Before: Oct 2 16:42:15 2007 GMT
Not After : Dec 14 16:42:15 2012 GMT
Subject: C=FR, ST=myst, L=myloc, O=myorg, OU=myou, CN=myldap.mydom.fr
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
TinyCA Generated Certificate
X509v3 Subject Key Identifier:
...
X509v3 Authority Key Identifier:
keyid:...
DirName:/C=FR/ST=myst/L=myloc/O=myorg/OU=myou/CN=myCA/emailAddress=thibault.lemeur@supelec.fr
serial:00
X509v3 Issuer Alternative Name:
<EMPTY>
Netscape SSL Server Name:
myldap.mydom.fr
X509v3 Subject Alternative Name:
DNS:ldap, DNS:ldapalias1, DNS:ldapalias2,
DNS:ldapalias1.mydom.fr, DNS:ldapalias2.mydom.fr, DNS:ldap.mydom.fr, DNS:myldap,
DNS:myldap.mydom.fr
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, Code Signing
Signature Algorithm: sha1WithRSAEncryption
...
---------------------------------------------------------
9 years, 9 months
(ITS#6993) Backend Connection problem
by yann.carre@alcatel-lucent.com
Full_Name: Yann Carre
Version: 2.4.26
OS: red hat 5 (64 bits)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (64.208.49.20)
I work on a specific Backend
I have provided in my back end a function to the bi_connection_init pointer.
This function adds a context needed in the operation backend function (search,
...)
When several connections start up, my LDAP server crashes.
The crash arrives because the context is not created before the call to
do_searh.
The connection is provided to the application Backend before my Back end
connection_init.
I have checked it with the debugger and see that the thread with initialize the
connection is suspend before the backend connection_init. In another thread, the
search function is executed without any context attached to the connection.
This problem seems to be bring because the connection mutex is freed before the
calling of the Back end connection_init in the function connection_init
(connection.c).
I have moved this mutex after the backend connection_init and it seems to work.
Would you confirm this analysis and take the correction in account?
Thanks
Regards
Yann
9 years, 9 months
Syncrepl using can't start ssl session because of refused certificate
by Thibault Le Meur
Hello,
I'm trying to upgrade an openLdap server from FC9
(openldap-servers-2.4.10-2.fc9.i386) to Redhat Enterprise 6
(openldap-servers-2.4.23-15.el6.x86_64).
In this new setup, my local database works but the Syncrepl replication
process fails to establish the "ldaps://" session to my
syncrepl-providers because the TLS layer fails.
Indeed, the TLS layer complains that my _server's certificate_ isn't a
valid _client certificate_ (with error 8101 -
SEC_ERROR_INADEQUATE_CERT_TYPE): but I don't want client-side
authentication!
In the past syncrepl didn't try to use the server certificate as a
client certificate, and I haven't seen any reference to this in the
documentation.
I first thought it could have been related to ITS#6791 but I don't think
so anymore because it only affects Syncrepl.
Don' hesitate to redirect me to the openldap-users list if I've missed
something simple.
Thanks in advance,
Thibault
Here is an excerpt of slapd in debug-mode:
----------------------------------------------------------
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 21 tm: -1 async: 0
TLS: loaded CA certificate file /etc/ssl/cacerts/cacert.pem.
TLS: certificate
[CN=myldap.mydom.fr,OU=myou,O=myorg,L=myloc,ST=myst,C=FR] is not valid -
error -8101:Unknown code ___f 91.
TLS: error: unable to set up client certificate authentication for
certificate named PEM Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: unable to set up client certificate authentication using PEM
Token #0:myldap.mydom.fr-cert.pem - 0
TLS: error: could not initialize moznss security context - error
-8101:Unknown code ___f 91
TLS: can't create ssl handle.
slap_client_connect: URI=ldaps://otherldap.mydom.fr
DN="cn=myreplicationAccount,dc=mydom,dc=fr" ldap_sasl_bind_s failed (-1)
do_syncrepl: rid=125 rc -1 retrying (9 retries left)
----------------------------------------------------------
Here is my syncrepl setup:
---------------------------------------------------------
syncrepl rid=125
provider=ldaps://otherldap.mydom.fr
type=refreshOnly
interval=00:00:03:00
retry="60 10 300 +"
searchbase="dc=subranch,dc=mydom,dc=fr"
filter="(objectClass=*)"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=myreplicationAccount,dc=mydom,dc=fr"
credentials="MyVerySecretPassword"
---------------------------------------------------------
And eventually my /etc/openldap/ldap.conf:
---------------------------------------------------------
TLS_CACERT /etc/ssl/cacerts/cacert.pem
---------------------------------------------------------
9 years, 9 months
connection init crash
by Yann Carre
Hello
I have encountered a crash with OPENLDAP 2.4.22
I have provided in my back end a function to the bi_connection_init pointer.
This function sets some parameter needed in the operation backend
function (search, ...)
My server crashes because my backend connection init function is not
called before the operation backend function.
It seems that the connection is provided to the application before the
end of all backend connection init
May be in the function connection_init (connection.c), the connection
mutex should be unlock when all the backend connection init should be done?
Thanks
Regards
Yann
9 years, 9 months
Re: (ITS#6992) ldapsync.c empty initializer
by masarati@aero.polimi.it
On 07/08/2011 07:45 AM, tim(a)multitalents.net wrote:
> Full_Name: Tim Rice
> Version: 2.4.26
> OS: Solaris 10& UnixWare 7.1.4
> URL:
> Submission from: (NULL) (173.164.249.129)
>
>
> The solaris native compilers complain about empty initializer in
> servers/slapd/ldapsync.c
A fix is in git master, please test and report.
p.
9 years, 9 months
(ITS#6992) ldapsync.c empty initializer
by tim@multitalents.net
Full_Name: Tim Rice
Version: 2.4.26
OS: Solaris 10 & UnixWare 7.1.4
URL:
Submission from: (NULL) (173.164.249.129)
The solaris native compilers complain about empty initializer in
servers/slapd/ldapsync.c
...........
cc -fast -xtarget=ultra -xcode=pic32 -g -I../../include
-I/opt/src/networking/openldap-2.4.26/servers/slapd
-I/opt/src/networking/openldap-2.4.26/servers/slapd/slapi -I.
-I/opt/src/networking/openldap-2.4.26/include -I/opt/include
-I/usr/sfw/include -c -o ldapsync.o
/opt/src/networking/openldap-2.4.26/servers/slapd/ldapsync.c
"/opt/src/networking/openldap-2.4.26/servers/slapd/ldapsync.c", line 172:
warning: syntax error: empty initializer
"/opt/src/networking/openldap-2.4.26/servers/slapd/ldapsync.c", line 174:
warning: syntax error: empty initializer
"/opt/src/networking/openldap-2.4.26/servers/slapd/ldapsync.c", line 175:
warning: syntax error: empty initializer
"/opt/src/networking/openldap-2.4.26/servers/slapd/ldapsync.c", line 180:
warning: syntax error: empty initializer
...........
It does compile on Solaris, but on UnixWare it is an error so fails to compile.
...........
cc -g -Kpthread -I../../include -I. -I./slapi -I. -I../../include -c -o
ldapsync.o ldapsync.c
UX:acomp: ERROR: "ldapsync.c", line 172: Syntax error before or at: }
UX:acomp: ERROR: "ldapsync.c", line 178: syntax error, probably missing ",", ";"
or "="
UX:acomp: WARNING: "ldapsync.c", line 178: parameter mismatch: 6 declared, 3
defined
UX:acomp: WARNING: "ldapsync.c", line 178: syntax error: empty declaration
UX:acomp: ERROR: "ldapsync.c", line 179: cannot recover from previous errors
gmake[2]: *** [ldapsync.o] Error 1
...........
9 years, 9 months
Re: (ITS#6987) cn=config renumbers indexes on startup without modrdn-ing them
by ondrej.kuznik@acision.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/07/2011 11:16 AM, masarati(a)aero.polimi.it wrote:
>> When storing cn=config entries whose rdns use different attributes,
>> they may be received in a different order during startup. This will
>> mess with their "{}" numbering and since a change like that is not
>> anticipated in the code, it is never pushed to the underlying
>> database either.
>>
>> This leads to a state when the cn=config database and underlying
>> on-disk representation are out of sync, making modification (and
>> maybe deletion) of the affected entries impossible.
>>
>> If needed, I can create a minimal overlay showing these symptoms.
>
> Please, do. I find this report quite unclear, as I could not understand
> what the actual issue is.
ftp://ftp.openldap.org/incoming/ondrej-kuznik-20110707.c
has an example of such overlay. To try it, initialize the overlay and
add these entries:
dn: olcTestAttrOne=zero,$OVERLAY_DN
objectclass: olcTestOne
dn: olcTestAttrTwo=one,$OVERLAY_DN
objectclass: olcTestTwo
dn: olcTestAttrOne=two,$OVERLAY_DN
objectclass: olcTestOne
dn: olcTestAttrTwo=three,$OVERLAY_DN
objectclass: olcTestTwo
After a restart compare the output of slapcat -n0 with the output of
ldapsearch -b cn=config, you should see at least one different entry.
You might also try to modify the entries before and after the restart.
For those that do not match you get "no such object" as the dn is no
longer in the ldif database.
- --
Ondrej Kuznik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk4Vs7IACgkQ9GWxeeH+cXs3rwCeP4DpQv+YNzWSt3sEgTZRVsYK
1ZYAoKiZeHPPWQ/kGirlkLMXitToxYqd
=nAEI
-----END PGP SIGNATURE-----
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
9 years, 9 months
RE: (ITS#6985) sssvlv / greaterThanOrEqual problem
by ctcard@hotmail.com
> > > >
> > > > I am running slapd built from HEAD on June 30th 2011, with back-sql
> > >
> > > Can you confirm this issue with another backend, e.g. back-bdb? Bugs
> > > specific to back-sql or to interaction with it could receive only marginal
> > > attention.
> > >
> > > p.
> > >
> >
> > I've imported my data into a server with a bdb backend, and I see the same problem.
> >
> > Looking at the code in sssvlv.c, it uses tavl_find3() to search the values, but the
> > code in tavl_find3() looks to me that it only works properly with an exact match
> > type of matching rule:
> >
> > Avlnode *
> > tavl_find3( Avlnode *root, const void *data, AVL_CMP fcmp, int *ret )
> > {
> > int cmp = -1, dir;
> > Avlnode *prev = root;
> >
> > while ( root != 0 && (cmp = (*fcmp)( data, root->avl_data )) != 0 ) {
> > prev = root;
> > dir = cmp > 0;
> > root = avl_child( root, dir );
> > }
> > *ret = cmp;
> > return root ? root : prev;
> > }
> >
> > since the while loop terminates when the fcmp function returns 0 (i.e. exact match).
> >
>
> I think I've worked out where the problem is.
> Firstly, there's a comment before tavl_find3() saying
> /*
> * tavl_find2 - returns Avlnode instead of data pointer.
> * tavl_find3 - as above, but returns Avlnode even if no match is found.
> * also set *ret = last comparison result, or -1 if root == NULL.
> */
>
> but the "or -1 if root == NULL" is not done.
>
> Secondly, if no exact match is found, prev is returned which may point to a node which is less than the search
> node, depending on what the tree looks like, but we really want a pointer to the last node which was greater than
> the search node to be returned.
>
> Once these fixes are done, the correct node is returned by tavl_find3 to the call in send_list() in sssvlv.c (line 523).
>
> There is another bug in send_list() in sssvlv.c, at lines 535-544:
>
> if ( i > 0 ) {
> tmp_node = tavl_end(so->so_tree, TAVL_DIR_RIGHT);
> dir = TAVL_DIR_LEFT;
> } else {
> tmp_node = tavl_end(so->so_tree, TAVL_DIR_LEFT);
> dir = TAVL_DIR_RIGHT;
> }
> for (i=0; tmp_node != cur_node;
> tmp_node = tavl_next( tmp_node, dir ), i++);
> so->so_vlv_target = i;
> This code is ok if the cur_node is in the left hand side of the tree, but if it is in the rhs of the tree so_vlv_target is set
> to an offset from the end of the list, rather than the beginning.
>
One more issue: the most recent draft spec for vlv (http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09) states that the offset field in the vlv request has range 1..maxInt whereas the targetPosition in the vlv response has range 0..maxInt.
However, my interpretation of the spec is that offset and targetPosition represent the same thing, i.e. the position of the target entry in the list, with the first entry having offset/targetPosition = 1.
If that interpretation is correct, the assignment of so_vlv_target in the code above is off by one, since i will be zero if cur_node is at the beginning of the list.
Chris
9 years, 9 months
