Fwd: Problem in configuring SSL with openldap
by FRLinux
On 10/12/06, Monica_Rana <Monica_Rana(a)infosys.com> wrote:
>
>
> Hi All,
>
> I have the following installed on solaris 8.
> openLDAP 2.3.27
> openSSL 0.9.8b.
>
> When I try to configure using the command
> env CPPFLAGS="-I/usr/local/include -I/usr/local/include/ssl -I/usr/local/include/db4"
> LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib/db4"
> ./configure --with-tls --with-cyrus-sasl --enable-wrappers --enable-crypt --enable-bdb
> it throws the error
> checking for openssl/ssl.h... yes
> checking for SSL_library_init in -lssl... no
> checking for ssl3_accept in -lssl... no
> checking OpenSSL library version (CRL checking capability)... yes
> configure: error: Could not locate TLS/SSL package.
Please consider writing plain text emails, html is bad for you.
Back in the days, here's what we had:
setenv LDFLAGS "-L/usr/local/lib -R/usr/local/lib"
setenv CPPFLAGS "-I/opt/local/include -I/usr/local/ssl/include"
setenv CC "gcc"
Our libssl was back then installed in /usr/local. This worked well for us.
Steph
16 years, 11 months
Problem in configuring SSL with openldap
by Monica_Rana
Hi All,
I have the following installed on solaris 8.
openLDAP 2.3.27
openSSL 0.9.8b.
When I try to configure using the command
env CPPFLAGS="-I/usr/local/include -I/usr/local/include/ssl
-I/usr/local/include/db4"
LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib/db4"
./configure --with-tls --with-cyrus-sasl --enable-wrappers
--enable-crypt --enable-bdb
it throws the error
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... no
checking for ssl3_accept in -lssl... no
checking OpenSSL library version (CRL checking capability)... yes
configure: error: Could not locate TLS/SSL package.
Please let me know what could be the possible reason behind it. PFA the
config.log file.
Regards,
Monica Rana
16 years, 11 months
Trying to limit acces to an attribute
by Andres Tarallo
I'm setting up an OpenLDAP server for a small company. For historical reasons each
user in this company has two email addresses, user@domain and user@olddomain.
Both addresses are used for sending and receiving email. However, we want to make
sure that only the user@domain ones are shown in the address book of
SquirrelMail, so I thought of an ACL like this:
access to attrs=mail matchingRule.regex="\@domain"
by peername "ip.of.web.mail" none
by * read
But this seems to have no effect. I need some examples or tips for debugging
this problem. Thanks
Andres
--
A/P Andres Tarallo
Universidad ORT Uruguay
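One way to express the intended rule in slapd.access(5) syntax, added here as an example and not part of Andres's post. The ACL as posted is not valid: selecting by attribute value uses val.regex (matchingRule.regex is not a selector), and a peername clause needs an "=" and a style. The address 192.0.2.10 stands for the webmail host and the domain names are placeholders; the rule hides only the old-domain values from that one host and leaves every other value readable:

```conf
# Added example; not the ACL from the post. 192.0.2.10 is the webmail host,
# olddomain.example / domain.example are placeholder domains.
#
# Value-based rule: it applies only to mail values ending in @olddomain.example.
# "none" also denies search access, so from the webmail host a filter on such a
# value does not match either; every other client reads them as before.
access to attrs=mail val.regex="^[^@]+@olddomain\.example$"
    by peername.regex="^IP=192\.0\.2\.10:[0-9]+$" none
    by * read

# mail values the rule above did not match (user@domain.example)
access to attrs=mail
    by * read

# the remaining attributes; keep whatever your existing catch-all says
access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * read
```

Order matters: slapd uses the first "access to" clause whose target matches, so the value-specific rule has to precede the general attrs=mail rule. slapacl(8) exercises the rules against the configuration file without a client, giving it the entry DN with -b and the attribute in the attr:value form (for example mail:jdoe@olddomain.example); see its man page for the options that set the simulated peername.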
16 years, 11 months
Caching empty results
by Daniel Montero Motilla
Hi, I'm using the 'meta' backend on OpenLDAP 2.2.26 with proxycache
activated, but it is not working as I expected. Let's suppose I have
the following configuration:
proxyattrset 0 mail postaladdress telephonenumber
proxytemplate (uid=) 0 3600
If I do a search "(uid=foo)" and the user 'foo' exists on the external
configured LDAP server, the search is cached and the next time I try
that search the result is obtained from the cache. But if I do a search
"(uid=bar)" and there is no entry with that uid, this "negative"
result is not cached, and every time I try that search, slapd
forwards the search to the external LDAP server. Is it somehow
possible to configure slapd proxycache to cache searches with no
results, so that slapd returns the answer to the client instead of asking the
external LDAP server every time?
Thanks in advance,
Dani.
16 years, 11 months
replacement for ldap_url_search
by Kenneth Rogers
Hi,
It appears that ldap_url_search() hasn't existed since 2.0, is there a
replacement for it?
Or is it necessary to use ldap_url_parse and then get all the
information from the LDAPURLDesc for use in the traditional
initialize, bind and search calls?
KR
--
"Linux doesn't exist." -- Kieren O'Shaghnessy (Director of SCO Australia)
16 years, 11 months
slapd replication doesn't work
by chechu chechu
Hi!!
I have a working OpenLDAP and I want to add replication. I followed howtos
from many mailing lists but it doesn't work. My slapd.conf files are:
MASTER:
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/samba.schema
#include /etc/ldap/schema/autofs.schema
#include /etc/ldap/schema/krb5-kdc.schema
#include /etc/ldap/schema/unixtng.schema
#include /etc/ldap/schema/krb5-kdc.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_ldbm
sasl-realm IRONMAN.ES
sasl-host shogun.ironman.es
#################TLS/SSL####################
# Certificate signed by a certificate authority and
# the server certificate
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
# If you want to require client authentication,
# uncomment the following line
#TLSVerifyClient demand
# ... otherwise, uncomment this other one
TLSVerifyClient never
#######################################################################
# Specific Backend Directives for ldbm:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend ldbm
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type ldbm:
# Database specific directives apply to this database until another
# 'database' directive occurs
database ldbm
# The base of your directory in database #1
suffix "dc=ironman,dc=es"
rootdn "cn=admin,dc=ironman,dc=es"
rootpw secret
#########REPLICA#############
replica host=shinobi.ironman.es:636
tls=yes bindmethod=sasl
binddn="cn=replicauser,dc=ironman,dc=es"
saslmech=gssapi
replogfile /var/lib/ldap/openldap-master-replog
##############################
# Where the database files are physically stored for database #1
directory "/var/lib/ldap"
# Indexing options for database #1
# Required by OpenLDAP
index objectclass eq
index default sub
index cn pres,sub,eq
index sn pres,sub,eq
# Required to support pdb_getsampwnam
index uid pres,sub,eq
# Required to support pdb_getsambapwrid()
index displayName pres,sub,eq
# Uncomment the following lines if you are storing
# posixAccount and posixGroup entries in the directory
index uidNumber eq
index gidNumber eq
index memberUid eq
# Samba 3.*
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# Include the access lists
include /etc/ldap/slapd.access
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
#access to attrs=userPassword
# by dn="cn=admin,dc=ironman,dc=es" write
# by anonymous auth
# by self write
# by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
#access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
#access to *
# by dn="cn=admin,dc=ironman,dc=es" write
# by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=ironman,dc=es" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be ldbm too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
SLAVE:
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/samba.schema
#include /etc/ldap/schema/autofs.schema
#include /etc/ldap/schema/krb5-kdc.schema
#include /etc/ldap/schema/unixtng.schema
#include /etc/ldap/schema/krb5-kdc.schema
# Schema check allows for forcing entries to
# match schemas for their objectClasses
schemacheck on
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd.args
# Read slapd.conf(5) for possible values
loglevel 0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_ldbm
sasl-realm IRONMAN.ES
sasl-host shogun.ironman.es
#################TLS/SSL####################
# Certificate signed by a certificate authority and
# the server certificate
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
# If you want to require client authentication,
# uncomment the following line
#TLSVerifyClient demand
# ... otherwise, uncomment this other one
TLSVerifyClient never
#######################################################################
# Specific Backend Directives for ldbm:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend ldbm
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type ldbm:
# Database specific directives apply to this database until another
# 'database' directive occurs
database ldbm
# The base of your directory in database #1
suffix "dc=ironman,dc=es"
rootdn "cn=admin,dc=ironman,dc=es"
rootpw secret
#########SLAVE#############
updatedn cn=replicauser,dc=ironman,dc=es
updateref ldaps://shogun.ironman.es
##############################
# Where the database files are physically stored for database #1
directory "/var/lib/ldap"
# Indexing options for database #1
# Required by OpenLDAP
index objectclass eq
index default sub
index cn pres,sub,eq
index sn pres,sub,eq
# Required to support pdb_getsampwnam
index uid pres,sub,eq
# Required to support pdb_getsambapwrid()
index displayName pres,sub,eq
# Uncomment the following lines if you are storing
# posixAccount and posixGroup entries in the directory
#index uidNumber eq
#index gidNumber eq
#index memberUid eq
# Samba 3.*
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
# Include the access lists
#include /etc/ldap/slapd.access
access to *
by dn=cn=replicauser,dc=ironman,dc=es write
by * read
# Save the time that the entry gets modified, for database #1
lastmod on
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
#access to attrs=userPassword
# by dn="cn=admin,dc=ironman,dc=es" write
# by anonymous auth
# by self write
# by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
#access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
#access to *
# by dn="cn=admin,dc=ironman,dc=es" write
# by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=ironman,dc=es" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be ldbm too):
# Database specific directives apply to this database until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
I added the user replicauser to LDAP, and I added the key to the Kerberos
database with:
kadmin.local -q "addprinc -randkey replicauser@IRONMAN.ES"
kadmin.local -q "ktadd -k /etc/krb5.keytab.slurpd replicauser"
kinit -r 7d -k -t /etc/krb5.keytab.slurpd replicauser@IRONMAN.ES
thanks
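For comparison, here is how the same master/slave pair would be written for slurpd with GSSAPI. This is an added example, not the poster's own files; hostnames and DNs are taken from the post, while the authz-regexp pattern is an assumption about the SASL DN the slave derives for the principal replicauser@IRONMAN.ES. Two things in the posted files work against each other. First, "host=shinobi.ironman.es:636 tls=yes" (the option is called starttls=yes in OpenLDAP 2.3) opens a plain LDAP connection to the ldaps port and then sends StartTLS, which a TLS-on-connect listener cannot accept; uri=ldaps://... is what port 636 needs. Second, with bindmethod=sasl the slave does not see slurpd as binddn but as the DN derived from the Kerberos principal, and updates are only accepted when that DN equals updatedn, so the slave has to map one onto the other. Unrelated to replication but worth fixing while in the file: TLSCipherSuite HIGH:MEDIUM:+SSLv2 leaves SSLv2 cipher suites enabled, and rootpw secret keeps the root password in clear text in a file that is often world-readable.

```conf
# Added example for the master/slave pair in the post; not the poster's
# own files. Hostnames and DNs come from the post. The authz-regexp pattern
# is an assumption: verify the DN slurpd really binds as by raising the
# slave's loglevel to 256 (stats), which logs the DN of every BIND.

########## master: shogun.ironman.es ##########
# ldaps:// means TLS from the first byte on port 636; do not combine a
# host=...:636 target with tls=yes / starttls=yes, which speaks plain LDAP
# first and only then asks for StartTLS.
replica uri=ldaps://shinobi.ironman.es
        bindmethod=sasl saslmech=GSSAPI
replogfile /var/lib/ldap/openldap-master-replog
# slurpd uses whatever Kerberos credentials its environment provides. Point
# it at the keytab (MIT Kerberos reads KRB5_KTNAME; assumption about the
# KDC in use) instead of relying on a kinit ticket that expires after 7 days.

########## slave: shinobi.ironman.es ##########
# Map the GSSAPI identity slurpd arrives with onto the replicator entry so
# that it equals updatedn. The optional realm component covers the SASL DN
# with and without a cn=<realm> element.
authz-regexp
    "^uid=replicauser(,cn=[^,]+)?,cn=gssapi,cn=auth$"
    "cn=replicauser,dc=ironman,dc=es"
updatedn "cn=replicauser,dc=ironman,dc=es"
updateref ldaps://shogun.ironman.es
access to *
    by dn.exact="cn=replicauser,dc=ironman,dc=es" write
    by * read
```

The slurpd replication log (replogfile) only records changes made after the directive is in place, so the slave still needs an initial copy of the master's data (slapcat on the master, slapadd on the slave) before replication can keep it in step.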
16 years, 11 months
trouble getting entry from ldap server using ldap_search_ext_s
by Erich Titl
Hi everybody
I am trying to fix an authentication plugin for openvpn using the
openldap library. I am new to the library, so I may lack some understanding.
Here is the situation: the OpenLDAP version is 2.3.27.
If I try to find a user with a base dn of
"ou=mnd999,dc=asp,dc=ruf,dc=ch"
which is the correct base dn for this user, the operation works correctly.
If I just use "dc=asp,dc=ruf,dc=ch"
the operation times out. I am using subtree search and I can see on a
packet dump on the line that there is a reply from the ldap server.
The difference between the replies is that in the case of the correct DN
just a search entry and a search result message is returned, whereas in
the case of the incomplete DN a search entry, a number of search result
references and a search result are returned. In both cases, the search
result yields success.
The code calls
/* arguments: ld, base, scope, filter, attrs, attrsonly, serverctrls,
   clientctrls, timeout, sizelimit, result */
if ((err = ldap_search_ext_s(ldapConn, [base cString],
        LDAP_SCOPE_SUBTREE, [filter cString], attrArray, 0, NULL, NULL,
        &timeout, 5000, &res)) != LDAP_SUCCESS) {
    [TRLog error: "LDAP search failed: %d: %s", err,
        ldap_err2string(err)];
    goto finish;
}
This call times out and returns -5.
I can provide tcpdump files if needed.
Thanks
Erich
16 years, 11 months
Re: DB buggy after Reboot
by Matthias Spork
Hallo Howard,
thanks for your help.
After a couple of days, it will be like before. Please look at the
directory listing
of my database; why are there no changes in the last days?
Sep 24 18:53 DB_CONFIG
Oct 1 21:09 __db.001
Oct 1 21:09 __db.002
Oct 1 21:09 __db.003
Oct 1 21:09 __db.004
Oct 1 21:09 __db.005
Oct 4 20:02 alock
Oct 1 20:58 dn2id.bdb
Oct 1 20:58 gidNumber.bdb
Oct 1 21:09 id2entry.bdb
Oct 1 20:58 memberUid.bdb
Oct 1 20:58 objectClass.bdb
Sep 28 09:38 sambaDomainName.bdb
Oct 1 20:58 sambaPrimaryGroupSID.bdb
Oct 1 20:58 sambaSID.bdb
Sep 28 09:38 sn.bdb
Sep 24 18:54 transactionlog
Oct 1 20:58 uid.bdb
Matthias
Howard Chu schrieb:
> Matthias Spork wrote:
>> Howard Chu schrieb:
>
>>> It looks like some transactions got rolled back, probably because
>>> there wasn't a recent enough checkpoint and the logs for the latest
>>> transactions didn't get flushed to disk. Setting a more frequent
>>> checkpoint interval would probably help.
>>>
>> How could I set this checkpoints?
>
> You could read the slapd-bdb(5) manpage.
>
16 years, 11 months
A Few Newbie Questions...
by Ted Johnson
Hi;
I've just read the documentation twice and still have a few questions that should be relatively easy to answer:
The following should be put in DB_CONFIG, but where is that file??
olcDbConfig: set_cachesize 0 10485760 0
olcDbConfig: set_lg_bsize 2097512
olcDbConfig: set_lg_dir /var/tmp/bdb-log
olcDbConfig: set_flags DB_LOG_AUTOREMOVE
What do these attributes mean, how are they applicable and why would I want to index them? I understand SQL notation. Could someone give me a similar example?
pres (present),eq (equality),approx (approximate),sub (substring)
This line causes an equality index for the objectClass attribute type, but what does that mean? Can you give me an example?
index objectClass eq
Why does one define this:
dn: cn="example"
and later in the same entry define this:
cn=example
Can one preface non-Standard Track names with numbers or number/letter combinations?
TIA,
Ted2
16 years, 11 months
RE: Write to Disk?
by Golden Butler
I'm running openldap version 2.2.24 which is the version that ships with SLES9 SP3. How do I determine which backend is being used?
- Golden
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@stanford.edu]
Sent: Friday, October 06, 2006 2:12 PM
To: Golden Butler;openldap-software(a)openldap.org
Subject: Re: Write to Disk?
--On Friday, October 06, 2006 11:46 AM -0500 Golden Butler <golden(a)cnt.org>
wrote:
>
>
> Yesterday, we lost power due to a power outage and our openldap server
> went down. When power was restored and the server was back up,
>
> I noticed that a lot of entries that I have entered over a period of time
> (about two months) were gone! Is there a way to ensure that openldap
> writes changes to the database to disk instantly? Any help or suggestions
> would be greatly appreciated, thanks.
Hi,
You don't say what backend you are using, but I'll assume bdb or hdb, since
you don't want to use ldbm. See the "checkpoint" directive in the
slapd-bdb(5) man page. This issue has been discussed many many times on
the software list. Of course, I recommend you be using OpenLDAP 2.3 as
well, since IIRC, the checkpoint directive didn't function entirely as
intended in OpenLDAP 2.2.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
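The checkpoint directive Quanah points to, together with the DB_CONFIG lines and index keywords Ted asked about earlier on this page, in one added example (it is not taken from any of the posts; suffix, directory and sizes are placeholders). Which backend a database uses is stated by the "database" line of its section in slapd.conf. DB_CONFIG is a plain file that Berkeley DB reads from that database's "directory" when slapd opens the environment; the olcDbConfig attribute is the cn=config way of writing the same lines, which slapd then stores in DB_CONFIG for you.

```conf
# Added example, not from the thread. Placeholders: suffix, rootdn,
# directory, log directory and the sizes.

# --- slapd.conf: the section for one bdb database ---
database  bdb
suffix    "dc=example,dc=com"
rootdn    "cn=admin,dc=example,dc=com"
directory /var/lib/ldap
# Force a checkpoint after 1024 KB of transaction log or after 5 minutes,
# whichever comes first. Committed changes already sit in the log; the
# checkpoint flushes them into the .bdb files and bounds how much log
# recovery has to replay after a crash.
checkpoint 1024 5
# Do not enable: slapd would report success before the change is on disk.
# dbnosync
# eq: answers (objectClass=posixAccount), the lookup nearly every search does
index objectClass eq
# pres: (uid=*)   eq: (uid=jdoe)   sub: (uid=jd*)   approx: (uid~=jon)
index uid pres,eq,sub

# --- /var/lib/ldap/DB_CONFIG: read by Berkeley DB when the environment
#     is opened; under cn=config these are the values of olcDbConfig ---
# 10 MB cache (gigabytes, bytes, number of segments)
set_cachesize 0 10485760 0
# 2 MB in-memory log buffer
set_lg_bsize 2097152
# keep the log on the same durable storage as the data, never on /tmp
set_lg_dir /var/lib/ldap/bdb-log
# delete log files that a checkpoint has made unnecessary
set_flags DB_LOG_AUTOREMOVE
# DB_TXN_NOSYNC / DB_TXN_WRITE_NOSYNC would let commits return before the
# log reaches disk; after a power cut those commits are gone. Leave them out.
```

After the environment has been opened once, changing set_lg_dir moves where new log files go, so do it on a stopped slapd and keep the old log directory until a fresh checkpoint has been written. The quickest way to see whether checkpoints are happening is the modification time of the .bdb files in the directory listing, which is exactly what Matthias compared above.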
16 years, 11 months