RE: FW: Problem in configuring SSL with openldap
by Monica_Rana
Hi Sadique,
The problem is resolved now. Actually the root certificate created was
not valid until 17th Oct 10.00 PM. That is why I was facing the issue.
But I think, ideally the certificate created should be valid from the
time of creation itself.
Regards,
Monica Rana
-----Original Message-----
From: Sadique Puthen [mailto:xenguy@gmail.com]
Sent: Wednesday, October 18, 2006 12:31 PM
To: Monica_Rana; openldap-software(a)openldap.org
Subject: Re: FW: Problem in configuring SSL with openldap
This looks like a problem in the way you created the CA, key and
certificate. Can you please explain how you created them? That would be
helpful.
Regards,
Sadique
Monica_Rana wrote:
> Hi All,
>
> I have successfully installed and built openLDAP and openSSL.
> Now I need to configure SSL.
> I have followed the link
> http://www.proscrutiny.com/howtos/OpenLDAP.html#confssl-co.
>
> These are the settings in my "slapd.conf"
>
> TLSCipherSuite HIGH:MEDIUM
> TLSCertificateFile /usr/local/etc/openldap/certs/newcert.pem
> TLSCertificateKeyFile /usr/local/etc/openldap/certs/privkey.pem
> TLSCACertificateFile /usr/local/ssl/misc/demoCA/cacert.pem
> TLSCACertificatePath /usr/local/ssl/misc/demoCA
> #TLSRandFile <filename>
> #TLSVerifyClient 0
> ------------------------------------------------------------------------
>
> These are the settings in my "ldap.conf"
> # See ldap.conf(5) for details
> # This file should be world readable but not world wr
>
> HOST 10.152.72.5
> BASE dc=ad,dc=infosys,dc=com
> URI ldap://10.152.72.5 ldap://10.152.72.5:389
> BINDDN "cn=Manager,dc=ad,dc=infosys,dc=com"
>
> SIZELIMIT 12
> TIMELIMIT 25
> #DEREF never
> TLS_CACERT /usr/local/ssl/misc/demoCA/cacert.pem
> ~
>
> When I run the command "./slapd -h 'ldap://10.152.72.5:389/
> ldaps://10.152.72.5:636/' -d 255 ", and try to connect to the SSL
> port, I get the following error messages.
>
> TLS trace: SSL_accept:SSLv3 flush data
> tls_read: want=5, got=5
> 0000: 15 03 01 00 02 .....
> tls_read: want=2, got=2
> 0000: 02 30 .0
> TLS trace: SSL3 alert read:fatal:unknown CA
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1057
> connection_read(12): TLS accept failure error=-1 id=3, closing
> connection_closing: readying conn=3 sd=12 for close
> connection_close: conn=3 sd=12
> daemon: removing 12
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: select: listen=8 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: waked
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: select: listen=8 active_threads=0 tvp=NULL
>
> Could you please suggest what the probable reason for this is? Have I
> configured something incorrectly? Earlier I had tried with a different
> CA, but the issue was there. That's why I created the Demo
> Certification Authority (using openssl). But the issue persists.
>
> Regards,
> Monica Rana
>
>
>
> -----Original Message-----
> From: Sameer N Ingole [mailto:strike@proscrutiny.com]
> Sent: Thursday, October 12, 2006 6:03 PM
> To: Monica_Rana
> Subject: Re: Problem in configuring SSL with openldap
>
> Hi Monica,
>
> Replying off list because this is more of a Solaris/OpenSSL issue.
> Please ignore my last mail, it was obscure.
>
> If you are referring to Openssl installation, you may want to take a
> look at this http://www.sunfreeware.com/openssh8.html
>
> Else download OpenSSL from:
> ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/openssl-0.9.8d-sol8-sparc-local.gz
>
>
>
> If you are referring to OpenSSL source installation (downloaded from
> openssl.org) then there are few things to note:
> * Sun does not ship include libraries (for Solaris 9, I guess).
> * You would want to compile the shared version of the libraries; it defaults to static.
> * By default it is compiled gnu-shared, and for Solaris you need to
> specify solaris-shared instead of gnu-shared.
>
> So generally you would do this:
> edit Configure script - find solaris-x86-gcc or solaris-sparcv9-gcc
> etc as suitable
> * Change "gnu-shared" to "solaris-shared".
> * add "-R/usr/local/ssl/lib " just before "-lsocket"
>
> So now your configure command would look something like..
>
> ./Configure solaris-x86-gcc shared
>
>
> Some of the above things might be inconsistent as last time I worked
> on solaris was 11 months back.
>
> Regards,
>
> Sameer Ingole.
> http://weblogic.noroot.org/gallery2/
>
> Monica_Rana wrote:
>
>> Hi Sameer,
>>
>> I have followed the below mentioned steps:
>> 1. $ ./config
>> 2. $ make
>> 3. $ make test
>> 4. $ make install.
>>
>> All the options ran without any errors.
>> Do I need to do anything extra?
>>
>> Regards,
>> Monica Rana
>>
>> -----Original Message-----
>> From: Sameer N Ingole [mailto:strike@proscrutiny.com]
>> Sent: Thursday, October 12, 2006 2:34 PM
>> To: openldap-software(a)openldap.org
>> Cc: Monica_Rana
>> Subject: Re: Problem in configuring SSL with openldap
>>
>> Did you custom compile Openssl?
>> Did you install development libraries for Openssl?
>>
>> I suspect absence of development libraries is causing this problem.
>> Also read http://www.columbia.edu/~ariel/ssleay/rsaref.html
>>
>> Regards,
>>
>> Sameer Ingole.
>> http://weblogic.noroot.org/gallery2/
>>
>>
> <snip>
>
>>> -----Original Message-----
>>> From: Phillip [mailto:phuang@plasmon.cn]
>>> Sent: Thursday, October 12, 2006 1:07 PM
>>> To: Monica_Rana
>>> Cc: openldap-software(a)openldap.org
>>> Subject: Re: Problem in configuring SSL with openldap
>>>
>>> Monica,
>>>
>>> Maybe you've made a mistake in setting "env", just try:
>>>
>>> env CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/local/db4/include" \
>>>     LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/db4/lib" \
>>>     ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb
>>>
>>> You'd better verify the "include" and "lib" path for SSL and DB.
>>>
>>> Regards,
>>> Phillip
>>>
>>>
>>>
>>>
>>>
>>> On Thu, 2006-10-12 at 12:18 +0530, Monica_Rana wrote:
>>>
>>>
>>>
>>>> Hi All,
>>>>
>>>> I have the following installed on solaris 8.
>>>> openLDAP 2.3.27
>>>> openSSL 0.9.8b.
>>>>
>>>> When I try to configure using the command
>>>>
>>>> env CPPFLAGS="-I/usr/local/include -I/usr/local/include/ssl -I/usr/local/include/db4" \
>>>>     LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib/db4" \
>>>>     ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb
>>>>
>>>> it throws the error
>>>>
>>>> checking for openssl/ssl.h... yes
>>>> checking for SSL_library_init in -lssl... no
>>>> checking for ssl3_accept in -lssl... no
>>>> checking OpenSSL library version (CRL checking capability)... yes
>>>> configure: error: Could not locate TLS/SSL package.
>>>>
>>>> Please let me know what could be the possible reason behind this. PFA the
>>>> config.log file.
>>>>
>>>> Regards,
>>>> Monica Rana
>>>>
>>>>
>
>
> **************** CAUTION - Disclaimer *****************
> This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for
> the use of the addressee(s). If you are not the intended recipient,
> please notify the sender by e-mail and delete the original message.
> Further, you are not to copy, disclose, or distribute this e-mail or its
> contents to any other person and any such actions are unlawful. This
> e-mail may contain viruses. Infosys has taken every reasonable
> precaution to minimize this risk, but is not liable for any damage you
> may sustain as a result of any virus in this e-mail. You should carry
> out your own virus checks before opening the e-mail or attachment.
> Infosys reserves the right to monitor and review the content of all
> messages sent to or from this e-mail address. Messages sent to or from
> this e-mail address may be stored on the Infosys e-mail system.
> ***INFOSYS******** End of Disclaimer ********INFOSYS***
>
>
>
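The fix reported at the top of this thread was a CA certificate that was not yet valid, which a TLS verifier reports no differently from an untrusted CA. The following is an added example (not code from the thread or from OpenLDAP/OpenSSL) that extracts the Validity window from any DER certificate with only the Python standard library and checks it against UTC, the clock that X.509 validity dates use; the helper names and the sample certificate, a structural skeleton built inline, are my own constructions.

```python
"""Check a certificate's validity window the way a TLS verifier does: in UTC.

Added example, not code from the thread: the "unknown CA" alert above was fixed by
noticing the new CA certificate was not yet valid.  A CA whose notBefore is in the
future fails chain building just like an untrusted CA, so check the window first.
Stdlib only; the sample certificate below is constructed inline, not a real one.
"""
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield the (tag, value) pairs nested inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity_window(cert_der):
    """Return (notBefore, notAfter) of a DER X.509 certificate as aware UTC datetimes."""
    _, certificate, _ = _tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(certificate, 0)                    # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # Fixed order from here: serialNumber, signature, issuer, validity, subject, ...
    (tag_nb, nb), (tag_na, na) = list(_children(fields[3][1]))[:2]
    return _parse_time(tag_nb, nb), _parse_time(tag_na, na)

def check_validity(cert_der, now=None):
    """'not yet valid', 'expired' or 'valid' at the given (default: current) UTC time."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = validity_window(cert_der)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"

def _der(tag, content):
    """Minimal DER encoder, used only to construct the sample below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    length = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content

def build_skeleton_cert(not_before, not_after):
    """Constructed sample: v3 certificate layout with empty names, key and signature."""
    def utc(dt):
        return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                # [0] version: v3
        _der(0x02, b"\x01"),                            # serialNumber: 1
        _der(0x30, b""), _der(0x30, b""),               # signature AlgorithmIdentifier, issuer
        _der(0x30, utc(not_before) + utc(not_after)),   # validity
        _der(0x30, b""), _der(0x30, b""),               # subject, subjectPublicKeyInfo
    ])
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def demo_scenario():
    """Constructed times mirroring the thread: CA made on 17 Oct 2006, notBefore that evening (UTC)."""
    cert = build_skeleton_cert(datetime(2006, 10, 17, 16, 30, tzinfo=timezone.utc),
                               datetime(2007, 10, 17, 16, 30, tzinfo=timezone.utc))
    nb, na = validity_window(cert)
    checks = tuple(check_validity(cert, datetime(*ymd, tzinfo=timezone.utc))
                   for ymd in ((2006, 10, 17, 12), (2006, 10, 18, 12), (2008, 1, 1)))
    return nb.isoformat(), na.isoformat(), checks

if __name__ == "__main__":
    print(demo_scenario())   # ('2006-10-17T16:30:00+00:00', '2007-10-17T16:30:00+00:00', ('not yet valid', 'valid', 'expired'))
```

Run it against a real CA before pointing TLSCACertificateFile at it: a "not yet valid" verdict, often caused by a clock or time-zone mismatch between the machine that issued the certificate and the one verifying it, will surface as the "unknown CA" alert seen in the trace.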
FW: Problem in configuring SSL with openldap
by Monica_Rana
Hi All,
I have successfully installed and built openLDAP and openSSL.
Now I need to configure SSL.
I have followed the link
http://www.proscrutiny.com/howtos/OpenLDAP.html#confssl-co.
These are the settings in my "slapd.conf"
TLSCipherSuite HIGH:MEDIUM
TLSCertificateFile /usr/local/etc/openldap/certs/newcert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/certs/privkey.pem
TLSCACertificateFile /usr/local/ssl/misc/demoCA/cacert.pem
TLSCACertificatePath /usr/local/ssl/misc/demoCA
#TLSRandFile <filename>
#TLSVerifyClient 0
------------------------------------------------------------------------
These are the settings in my "ldap.conf"
# See ldap.conf(5) for details
# This file should be world readable but not world wr
HOST 10.152.72.5
BASE dc=ad,dc=infosys,dc=com
URI ldap://10.152.72.5 ldap://10.152.72.5:389
BINDDN "cn=Manager,dc=ad,dc=infosys,dc=com"
SIZELIMIT 12
TIMELIMIT 25
#DEREF never
TLS_CACERT /usr/local/ssl/misc/demoCA/cacert.pem
~
When I run the command "./slapd -h 'ldap://10.152.72.5:389/
ldaps://10.152.72.5:636/' -d 255 ", and try to connect to the SSL port,
I get the following error messages.
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1057
connection_read(12): TLS accept failure error=-1 id=3, closing
connection_closing: readying conn=3 sd=12 for close
connection_close: conn=3 sd=12
daemon: removing 12
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
Could you please suggest what the probable reason for this is? Have I
configured something incorrectly? Earlier I had tried with a different
CA, but the issue was there. That's why I created the Demo Certification
Authority (using openssl). But the issue persists.
Regards,
Monica Rana
-----Original Message-----
From: Sameer N Ingole [mailto:strike@proscrutiny.com]
Sent: Thursday, October 12, 2006 6:03 PM
To: Monica_Rana
Subject: Re: Problem in configuring SSL with openldap
Hi Monica,
Replying off list because this is more of a Solaris/OpenSSL issue.
Please ignore my last mail, it was obscure.
If you are referring to Openssl installation, you may want to take a
look at this http://www.sunfreeware.com/openssh8.html
Else download OpenSSL from:
ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/openssl-0.9.8d-sol8-sparc-local.gz
If you are referring to OpenSSL source installation (downloaded from
openssl.org) then there are few things to note:
* Sun does not ship include libraries (for Solaris 9, I guess).
* You would want to compile the shared version of the libraries; it defaults to static.
* By default it is compiled gnu-shared, and for Solaris you need to specify
solaris-shared instead of gnu-shared.
So generally you would do this:
edit Configure script - find solaris-x86-gcc or solaris-sparcv9-gcc etc
as suitable
* Change "gnu-shared" to "solaris-shared".
* add "-R/usr/local/ssl/lib " just before "-lsocket"
So now your configure command would look something like..
./Configure solaris-x86-gcc shared
Some of the above things might be inconsistent as last time I worked on
solaris was 11 months back.
Regards,
Sameer Ingole.
http://weblogic.noroot.org/gallery2/
Monica_Rana wrote:
> Hi Sameer,
>
> I have followed the below mentioned steps:
> 1. $ ./config
> 2. $ make
> 3. $ make test
> 4. $ make install.
>
> All the options ran without any errors.
> Do I need to do anything extra?
>
> Regards,
> Monica Rana
>
> -----Original Message-----
> From: Sameer N Ingole [mailto:strike@proscrutiny.com]
> Sent: Thursday, October 12, 2006 2:34 PM
> To: openldap-software(a)openldap.org
> Cc: Monica_Rana
> Subject: Re: Problem in configuring SSL with openldap
>
> Did you custom compile Openssl?
> Did you install development libraries for Openssl?
>
> I suspect absence of development libraries is causing this problem.
> Also read http://www.columbia.edu/~ariel/ssleay/rsaref.html
>
> Regards,
>
> Sameer Ingole.
> http://weblogic.noroot.org/gallery2/
>
<snip>
>> -----Original Message-----
>> From: Phillip [mailto:phuang@plasmon.cn]
>> Sent: Thursday, October 12, 2006 1:07 PM
>> To: Monica_Rana
>> Cc: openldap-software(a)openldap.org
>> Subject: Re: Problem in configuring SSL with openldap
>>
>> Monica,
>>
>> Maybe you've made a mistake in setting "env", just try:
>>
>> env CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/local/db4/include" \
>>     LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/db4/lib" \
>>     ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb
>>
>> You'd better verify the "include" and "lib" path for SSL and DB.
>>
>> Regards,
>> Phillip
>>
>>
>>
>>
>>
>> On Thu, 2006-10-12 at 12:18 +0530, Monica_Rana wrote:
>>
>>
>>> Hi All,
>>>
>>> I have the following installed on solaris 8.
>>> openLDAP 2.3.27
>>> openSSL 0.9.8b.
>>>
>>> When I try to configure using the command
>>>
>>> env CPPFLAGS="-I/usr/local/include -I/usr/local/include/ssl -I/usr/local/include/db4" \
>>>     LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib/db4" \
>>>     ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb
>>>
>>> it throws the error
>>>
>>> checking for openssl/ssl.h... yes
>>> checking for SSL_library_init in -lssl... no
>>> checking for ssl3_accept in -lssl... no
>>> checking OpenSSL library version (CRL checking capability)... yes
>>> configure: error: Could not locate TLS/SSL package.
>>>
>>> Please let me know what could be the possible reason behind this. PFA the
>>> config.log file.
>>>
>>> Regards,
>>> Monica Rana
>>>
Re: Trying to figure out access policies
by Jason Lixfeld
Between Roy and Kurt's replies, I think I have enough information to
go forward.
It is now very apparent to me that I went off-topic by including
portions of an ldap.conf that had nss configuration directives in
it. I apologize for going off-topic -- I did not do so intentionally.
On 27-Jun-06, at 2:32 PM, Roy Ledochowski wrote:
>
> Jason--
>
> I'm not quite certain what you're trying to do, but if it's to set up
> nss_ldap and pam_ldap to use a proxy user for those libraries:
> nss_ldap & pam_ldap are the client libraries which Linux (dunno
> about FreeBSD & other PC *nix use) uses for LDAP user
> authentication & authorization. These libraries use /etc/ldap.conf
> (on Redhat) and /etc/libnss-ldap.conf & /etc/libpam.conf (on
> Debian). nss_ldap & pam_ldap use /etc/ldap.secret for rootbinddn's
> pwd. These files are configured at build time.
>
> That being said, the openLDAP client libraries & binaries such as
> ldapsearch, ldappasswd, etc, also use ldap.conf, but it's a
> *different file*. On Redhat it's in /etc/openldap. On Debian it's
> in /etc/ldap. Point is, you have to configure the right one for
> the right task. openLDAP does not use /etc/ldap.secret.
>
> Your ACL needs a bit of help:
> access to attrs=userPassword
> by dn="cn=Proxyuser,dc=example,dc=ca" read
>
> -->you also need at least "by * auth". There is an implied "by *
> none" at the end of each access directive.
>
> Rootbinddn is how nss_ldap will bind to do "root" operations. This
> functions pretty much like passwd & group. Users can read but root
> (=proxy) can edit. Binddn if I remember right is for proxy users
> if you do not allow anonymous binds.
>
> For your ldapsearch, I notice that you are trying to bind as your
> proxy user but did not include a password or server to bind to, so it
> probably failed because
> A) your ldap.conf wasn't configured correctly (no URL or HOST
> directive. This is the default server to bind to)
> B) you didn't include a passwd (-w or -W)
> C) If you are not using SASL (ie only simple binds), you need the -x switch.
>
> Hope that helps,
> roy
>
>
>
>
> Jason Lixfeld <jason+lists.openldap(a)lixfeld.ca>
> Sent by: owner-openldap-software(a)OpenLDAP.org
> 06/27/2006 09:38 AM
>
> To: OpenLDAP software list <openldap-software(a)OpenLDAP.org>
> cc:
> Subject: Trying to figure out access policies
>
> I think I'm somewhat versed in the basics of OpenLDAP, but the
> concept of access policies eludes me because they are far beyond my
> current level of comprehension. That being said, I'm doing some
> trial by fire to try to make sense of how they work and hopefully
> will then be able to relate some of what I read in the manual to what
> I've made happen in tests...
>
> I'm trying to get a proxyuser working so I don't have to do
> everything as Manager.
>
> I put this entry into my slapd.conf as per some tutorials I read:
>
> access to attrs=userPassword
> by dn="cn=Proxyuser,dc=example,dc=ca" read
>
> and likewise, these entries into my ldap.conf:
>
> binddn cn=Proxyuser,dc=example,dc=ca
> bindpw ****
> rootbinddn cn=Proxyuser,dc=example,dc=ca
>
> and finally, the Proxyuser password in /etc/ldap.secret.
>
> Being unsure if the lookups for ldap.conf and ldap.secret is in /etc
> or /usr/local/etc (Using a FreeBSD system here), I symlinked each so
> they are available in both locations.
>
> After that was all said and done, I restarted slapd and tried to do a
> search using the proxyuser as the binddn:
>
> # ldapsearch -D "cn=Proxyuser,dc=example,dc=ca" -b
> 'ou=auth,dc=example,dc=ca' -W '(uid=jlixfeld.example.ca)' userPassword
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> # all.log
> Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 ACCEPT from IP=127.0.0.1:54632 (IP=0.0.0.0:389)
> Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 BIND dn="cn=Proxyuser,dc=example,dc=ca" method=128
> Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 RESULT tag=97 err=49 text=
> Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 closed (connection lost)
>
> It would seem to me that it's not complaining about the password, so
> I assume it's complaining about the access entry in slapd.conf. I
> removed the access entry from slapd.conf and was able to perform the
> same search as above without a problem.
>
> Anyone have any pointers on what I can look at as the source of this
> problem?
>
> Also, I'm a little confused about the difference between binddn and
> rootbinddn. If I understand correctly, rootbinddn is the DN used to
> bind if the user executing the command is root, while binddn is the
> DN used to bind if the user executing the command is any user other
> than root. Is this correct? I ask because if I run ldapsearch as
> root with no additional arguments and check the logs, it seems to
> bind anonymously so I'm not sure if my understanding of binddn vs.
> rootbinddn is correct:
>
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 ACCEPT from IP=127.0.0.1:58244 (IP=0.0.0.0:389)
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 BIND dn="" method=128
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 RESULT tag=97 err=0 text=
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=*)"
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=2 UNBIND
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 closed
>
> Thanks in advance for any insight on either or both of these points...
>
slurpd for windows
by Mitch Bart
We need to replicate two OpenLDAP servers running on Windows - I have
searched everywhere for a Slurpd windows port. I've seen a few
references to a "slurpd.exe" file but have been unable to locate it or
any associated documentation.
Thanks in advance for your help.
Mitch Bart
Some More Newbie Questions
by Ted Johnson
Hi;
Here are some more questions I have in setting up my slapd.conf file:
* How does one incorporate a user certificate? Where does one incorporate strongAuthenticationUser, certificationAuthority?
* Since my server is a stand-alone unit and I am the only administrator, I see no need for using Kerberos. However, TLS requires anonymous bind, and anonymous bind presents the problem of possible DoS attacks. Are there work-arounds with this, or, if I'm concerned about the same, is this reason enough to use Kerberos?
* What are limits? Is this just for syncrepl? I have no replication.
* Where does one set limits? In the database config file?
* Access scope has three potential values: base, subtree and children. Does "children" go down the entire subtree, such that the only difference between "subtree" and "children" is that the former includes the base?
* Can someone give me a clear explanation with an example of "dnattr" and where it is used (i.e. slapd.conf or slapd.d/cn=control)?
* Can someone give me a clear explanation with an example of how and where to use "ssf"? How can this be configured for someone authorizing via SSH2? How about an internal daemon?
* Why is the default timelimit so high (3600)? I mean, if slapd can't find what it's looking for in 300 seconds, something's wrong!
* I had to specially install bdb to use bdb. Do I have to specially install monitor to use monitor? If so, where do I find it?
TIA,
Ted
Proper Deinit? ldap_unbind_ext: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed
by Michael B Allen
Hey,
What is the proper method for deinitializing an LDAP * context if the binding fails?
Consider the following code:
    ret = ldap_initialize(&ld, buf);
    if (ret) {
        ERR("ldap_initialize: %s: %s", buf, ldap_err2string(ret));
    }
    ret = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
    if (ret) {
        ERR("ldap_set_option: %s", ldap_err2string(ret));
    } else {
        ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &v3);
        if (ret) {
            ERR("ldap_set_option: %s", ldap_err2string(ret));
        } else {
            if (my_ldap_bind_gssapi(ld, flags) == 0) {
                return 0;
            }
        }
    }
    ldap_unbind_ext(lx->ld, NULL, NULL);
If the bind fails, the ldap_unbind_ext function asserts:
unbind.c:49: ldap_unbind_ext: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed.
Aborted
What am I doing wrong?
Thanks,
Mike
syncrepl: no update referral
by Sepp
Hello,
we have the following consumer syncrepl config
(V 2.3.25, Suse Linux SLES 9):
database bdb
suffix "o=test,c=de"
rootdn "cn=dirmgr,o=test,c=de"
...
syncrepl rid=1
provider=ldap://testserver:389
type=refreshOnly
interval=00:00:01:00
searchbase="ou=repltree,o=test,c=de"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=dirmgr,o=test,c=de"
credentials=xxx
The intention is to replicate only a part of the DIT ("ou=repltree,o=test,c=de").
Other parts of the database should be alterable on the consumer
(e.g. "localtree,o=test,c=de").
But when we try to add an entry, we get the error message:
LDAP Error updating entry 'ou=testentry,cn=localtree,o=test,c=de'.
Code:53. Message:shadow context; no update referral
Any ideas ?
Thanks in advance,
Sepp
Non SASL authentication without -x option
by Sadique Puthen
Hi All,
Is it possible to do simple authentication - non SASL - using LDAPS
without explicitly passing the "-x" option to ldap client commands like
ldapsearch, ldapadd, etc.? Is it possible by making any changes in
/etc/ldap.conf or /etc/ldap/ldap.conf or /etc/sysconfig/ldap? I believe
this is hardcoded. If anybody has any idea on how this can be
accomplished, please share it with me.
Regards,
Sadique
Avoid binding with external directory for cached results
by Daniel Montero Motilla
Hi, I'm using slapd 2.3.27 as a metadirectory with two external active
directory servers and pcache overlay enabled. The pcache overlay is
working ok, but when I do a non-anonymous search and slapd gets the
results from local cache, it establishes a new connection to the
external directory, tries to bind and then closes the connection.
Although I understand that this is the logical behaviour, I'm looking
for some way to avoid this binding against the external directory if
the results of the search are going to be obtained from slapd's cache,
in order to increase performance (in my scenario validating
credentials for cached results is not a priority).
If that is not possible, I'd like to know if there is a way to make
slapd establish a permanent connection to the external directory with
the purpose of doing those credential validations (instead of
establishing a new TCP connection on every search).
Thank you in advance.
userPKCS12 and storage format
by Wyatt Neal
When I store a userPKCS12 binary file into the LDAP directory using base64
encoding using the C LDAP API, the next time I try to retrieve the data it
is returned in base64 format; however, if I insert the certificate using an
LDIF file from the command line and request the file using C, it comes back
in binary format. I'm using the binary values as my LDAPMod ops; what am I
doing wrong?
wyatt