Duplicated username in Local users and LDAP
by Phillip
Hi all,
I have run into some trouble when there are duplicated usernames in both the local users
list and the LDAP users list, and I think it may cause security problems. For
example, in my case, the "root" and "admin" accounts from LDAP could even control
the whole system. I do not want this to happen.
Would you please give me some advice on how to deal with this duplicated
username issue?
Kind regards,
Phillip
16 years, 7 months
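An added example for the post above (not the poster's code): a small audit that models the usual `passwd: files ldap` nsswitch order and lists the collisions the post is worried about, an LDAP entry carrying a local name such as root or admin, and any LDAP entry claiming a privileged uidNumber. The passwd lines, the LDIF, the suffix dc=example,dc=net and the 1000 threshold are constructed for the example.

```python
"""Audit for account names defined both in /etc/passwd and in LDAP.

Added example for the post above; not the original poster's code.
It models the usual `passwd: files ldap` nsswitch order (first source
that answers a name wins) and lists the collisions the poster is
worried about: an LDAP entry for a local name such as root or admin,
and any LDAP entry that claims a privileged uidNumber. The passwd lines
and LDIF below are constructed sample data.
"""
import re

LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
admin:x:1000:1000:Local admin:/home/admin:/bin/bash
"""

LDAP_LDIF = """\
dn: uid=root,ou=People,dc=example,dc=net
objectClass: posixAccount
uid: root
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=admin,ou=People,dc=example,dc=net
objectClass: posixAccount
uid: admin
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/admin

dn: uid=phillip,ou=People,dc=example,dc=net
objectClass: posixAccount
uid: phillip
uidNumber: 2001
gidNumber: 2001
homeDirectory: /home/phillip
"""


def parse_passwd(text):
    """Return {name: uidNumber} from passwd(5)-style lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def parse_ldif_accounts(text):
    """Return {uid: uidNumber} for every LDIF entry that carries a uid.
    Minimal parser: one 'attr: value' per line, entries blank-line separated."""
    users = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        if "uid" in attrs:
            uidnum = attrs.get("uidNumber")
            users[attrs["uid"][0]] = int(uidnum[0]) if uidnum else None
    return users


def find_collisions(local, ldap, min_ldap_uid=1000):
    """List accounts that need attention.

    'duplicate-name'      the name exists in both sources
    'privileged-ldap-uid' an LDAP account below min_ldap_uid, the range that
                          pam_ldap's pam_min_uid or nslcd's nss_min_uid would
                          refuse (the threshold is a constructed site choice)
    """
    problems = []
    for name, uidnum in ldap.items():
        if name in local:
            problems.append(("duplicate-name", name, local[name], uidnum))
        if uidnum is not None and uidnum < min_ldap_uid:
            problems.append(("privileged-ldap-uid", name, uidnum))
    return sorted(problems)


def resolve(name, local, ldap, order=("files", "ldap")):
    """Name lookup with nsswitch first-match semantics: (source, uid) or None.
    With 'files ldap' the local root shadows the LDAP root for lookups, but a
    PAM stack that also consults LDAP can still accept the LDAP password for
    that name, which is why the duplicates have to go."""
    sources = {"files": local, "ldap": ldap}
    for src in order:
        if name in sources[src]:
            return src, sources[src][name]
    return None


if __name__ == "__main__":
    local = parse_passwd(LOCAL_PASSWD)
    ldap = parse_ldif_accounts(LDAP_LDIF)
    for problem in find_collisions(local, ldap):
        print(problem)
    print("root resolves to", resolve("root", local, ldap))
```

On a real host, feed `parse_passwd` the output of `getent -s files passwd` and `parse_ldif_accounts` an ldapsearch dump of the posixAccount entries; every reported collision should end with the LDAP entry removed or renamed, or with the name and uid range excluded on the client side, before the LDAP side is trusted for authentication.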
open ldap with SASL & GSSAPI
by Maxwell Bottiger
Hello all,
I've found lots of information about problems related to mine in the
FAQ and around the net, but I don't have a solution yet. Here's my
setup:
Open Ldap 2.2
MIT Kerberos
SASL 2.1.20
I'm using ldap to provide directory services and user info to some linux
workstations. This was working, but after upgrading a test machine to
Fedora 6 I've started having some serious problems.
[sleepylight@minitop ~]$ ldapsearch -H ldap://ns.jive-turkey.net -Y
GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context
I figure this is one of three possible problems.
1 - saslauthd isn't working right
2 - ldap isn't talking to sasl correctly
3 - I've done something wrong with my ldap queries.
Kerberos seems to work fine. I can get my credentials with kinit, and
the GSSAPI credentials are working for ssh logins. Also, I can use
testsaslauthd and get a success from the authd server.
[sleepylight@ns ~]$ /usr/sbin/testsaslauthd -r JIVE-TURKEY.NET -s ldap
-u sleepylight -p *********
0: OK "Success."
So I think my problem is #2 or #3. I'm not sure which, so if anyone has
some feedback I'm happy to try it out. I'll include some possibly
relevant material at the end of this email. Thanks for reading!
Some stuff from slapd.conf:
sasl-host ns.jive-turkey.net
sasl-secprops noanonymous,noplain,noactive
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth
uid=$1,ou=People,dc=jive-turkey,dc=net
# Default read access for everything else
access to *
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by * read
Messages from slapd after an attempted login
slapd startup: initiated.
backend_startup: starting "dc=jive-turkey,dc=net"
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 10
do_bind: v3 anonymous bind
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 201 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=jive-tukey,dc=net>
ldap_err2string
<= ldap_bv2dn(dc=jive-tukey,dc=net)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=jive-tukey,dc=net)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=jive-tukey,dc=net)=0 Success
<<< dnPrettyNormal: <dc=jive-tukey,dc=net>, <dc=jive-tukey,dc=net>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=32
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 201 contents:
ber_get_next
do_search
16 years, 7 months
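An added example for the GSSAPI post above (not the poster's code): a parser that pairs each operation in a `slapd -d` trace with its result code, run over the trace lines quoted in the post. Two things the posted material shows on its own: testsaslauthd only proves that saslauthd can check a password, and a GSSAPI bind never goes through saslauthd (the SASL library verifies the ticket in-process against the service keytab), so a failing gss_accept_sec_context on the server side points at slapd's access to the ldap/<sasl-host> key rather than at saslauthd; and the trace excerpt records an anonymous bind followed by a search whose base is dc=jive-tukey,dc=net (note the spelling), answered with err=32, noSuchObject, which is a misspelled default base on the client and a separate problem from the GSSAPI failure. The result-code table and the helper names are this example's own.

```python
"""Pair operations with result codes in a slapd -d trace.

Added example for the GSSAPI post; not the poster's code. The trace
lines below are copied (abridged) from the post; the parser and the
result-code table are this example's own.
"""
import re

SLAPD_TRACE = """\
do_bind
ber_scanf fmt ({imt) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
do_bind: v3 anonymous bind
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=jive-tukey,dc=net>
<<< dnPrettyNormal: <dc=jive-tukey,dc=net>, <dc=jive-tukey,dc=net>
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=32
do_search
"""

# Subset of the LDAP result codes (RFC 4511, Appendix A).
RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials", 50: "insufficientAccessRights"}


def parse_ops(trace):
    """Return [(operation, dn, err)] for each operation that got a result.
    The dn is the first dnPrettyNormal input after the do_<op> line: the
    bind DN for a bind, the search base for a search."""
    ops, current = [], None
    for line in trace.splitlines():
        m = re.match(r"do_(\w+)$", line)
        if m:
            current = [m.group(1), None]
            continue
        m = re.match(r">>> dnPrettyNormal: <(.*)>$", line)
        if m and current and current[1] is None:
            current[1] = m.group(1)
            continue
        m = re.match(r"send_ldap_response: msgid=\d+ tag=\d+ err=(\d+)", line)
        if m and current:
            ops.append((current[0], current[1] or "", int(m.group(1))))
            current = None
    return ops


def describe(ops):
    """Human-readable one-liners, e.g. search 'dc=x' -> 32 noSuchObject."""
    return ["%s %r -> %d %s" % (op, dn, err, RESULT_CODES.get(err, "?"))
            for op, dn, err in ops]


def bases_outside(ops, suffix):
    """Non-empty search bases that are not under the expected naming
    context; a misspelled default base in ldap.conf shows up here."""
    return [dn for op, dn, _ in ops
            if op == "search" and dn and not dn.lower().endswith(suffix.lower())]


if __name__ == "__main__":
    ops = parse_ops(SLAPD_TRACE)
    print("\n".join(describe(ops)))
    print("bases outside the suffix:", bases_outside(ops, "dc=jive-turkey,dc=net"))
```

Run it against a full trace of the failing ldapsearch and the GSSAPI bind will appear as its own do_bind line with a non-zero err; the excerpt in the post only contains the anonymous bind and the mis-based search.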
Speed of slapadd for BDB on a Linux machine
by Ralf Narozny
Hello,
I'm trying to migrate about 19 million entries from OpenLDAP 2.0 to the
new 2.3. Conversion and such things are done, but inserting the data
takes days.
I hope someone can point me to some helpful direction, because 22
Entries/sec is not too good, especially not for real life use...
I'm using the following to insert the data
slapadd -q -v -c
My DB_CONFIG looks like this:
set_cachesize 1 524288000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
Our OpenLDAP version is 2.3.27.
The speed is like following (took that from the output of my insertion
script):
***********************************************************
Started run at: 1161817043
Partly run took 642 seconds for 577552 entries
Avg.: 899,614 entries/second
Partly run took 715 seconds for 577519 entries
Avg.: 807,719 entries/second
Partly run took 1001 seconds for 607053 entries
Avg.: 606,447 entries/second
Partly run took 1639 seconds for 610732 entries
Avg.: 372,625 entries/second
Partly run took 3311 seconds for 610547 entries
Avg.: 184,4 entries/second
Partly run took 7078 seconds for 610305 entries
Avg.: 86,2256 entries/second
Partly run took 13104 seconds for 610531 entries
Avg.: 46,5912 entries/second
Partly run took 19093 seconds for 610394 entries
Avg.: 31,9695 entries/second
Partly run took 22353 seconds for 610609 entries
Avg.: 27,3166 entries/second
Partly run took 23831 seconds for 610425 entries
Avg.: 25,6147 entries/second
Partly run took 24903 seconds for 610223 entries
Avg.: 24,504 entries/second
Partly run took 25121 seconds for 610223 entries
Avg.: 24,2913 entries/second
Partly run took 25382 seconds for 610177 entries
Avg.: 24,0398 entries/second
Partly run took 25013 seconds for 610042 entries
Avg.: 24,389 entries/second
Partly run took 25048 seconds for 610250 entries
Avg.: 24,3632 entries/second
Partly run took 24881 seconds for 610460 entries
Avg.: 24,5352 entries/second
Partly run took 24587 seconds for 610152 entries
Avg.: 24,816 entries/second
Partly run took 24907 seconds for 610252 entries
Avg.: 24,5012 entries/second
Partly run took 24841 seconds for 610605 entries
Avg.: 24,5805 entries/second
Partly run took 24627 seconds for 610432 entries
Avg.: 24,7871 entries/second
Partly run took 24344 seconds for 610229 entries
Avg.: 25,0669 entries/second
Partly run took 23958 seconds for 610343 entries
Avg.: 25,4755 entries/second
Partly run took 24186 seconds for 610629 entries
Avg.: 25,2472 entries/second
Partly run took 24349 seconds for 610377 entries
Avg.: 25,0678 entries/second
Partly run took 24634 seconds for 610679 entries
Avg.: 24,7901 entries/second
Partly run took 24897 seconds for 610230 entries
Avg.: 24,5102 entries/second
Partly run took 24902 seconds for 610258 entries
Avg.: 24,5064 entries/second
Partly run took 25800 seconds for 610327 entries
Avg.: 23,6561 entries/second
Partly run took 26605 seconds for 610478 entries
Avg.: 22,946 entries/second
Partly run took 27022 seconds for 610301 entries
Avg.: 22,5853 entries/second
Partly run took 27535 seconds for 610207 entries
Avg.: 22,1611 entries/second
Finished run at: 1162437948
Run took 620309 seconds for 18914119 entries
Avg.: 30,4914 entries/second
***********************************************************
We are using the following machine:
Linux ldaprep4 2.6.15.3 #1 SMP Mon Feb 13 09:18:43 CET 2006 i686 GNU/Linux
MemTotal: 5975412 kB
SwapTotal: 2150152 kB
2 * Intel(R) Pentium(R) III CPU family 1133MHz
The slapd.conf is as follows (Don't mind the /tmp as path, I changed
that ;-)):
--------------------------------------------------------------------------------------------------
include /tmp/etc/openldap/schema/core.schema
include /tmp/etc/openldap/schema/freenet.schema
pidfile /tmp/var/ldap/run/slapd.pid
argsfile /tmp/var/ldap/run/slapd.args
modulepath /tmp/lib
moduleload back_bdb.la
access to * by * write
loglevel 0
sizelimit 10000
timelimit 3600
cachesize 1000000
backend bdb
#######################################################################
# BDB database definitions
#######################################################################
# first database definition & config directives
database bdb
directory /var/lib/ldap/
replogfile /tmp/log/replica.log
rootdn "cn=root,o=....."
rootpw .....
suffix "o=....."
#replica uri=ldap://ldaprep1:389 binddn="cn=root,o=..."
bindmethod=simple credentials=...
#replica uri=ldap://ldaprep2:389 binddn="cn=root,o=..."
bindmethod=simple credentials=...
#replica uri=ldap://ldaprep3:389 binddn="cn=root,o=..."
bindmethod=simple credentials=...
#attribute homeDirectory ces
#attribute folderName ces
#attribute locked ces
#
index cid pres,eq
index cn pres,eq,sub
index objectClass pres,eq
index folderName pres,eq
index locked pres,eq
--------------------------------------------------------------------------------------------------
Thanks in advance,
Ralf
16 years, 7 months
Don't want to be prompted for the password
by Sadique Puthen
Hi,
We are using SASL/DIGEST-MD5 for authentication to ldap database and
don't want to be prompted for the password and need the password to be
taken from a file. Can we specify it in /etc/ldap.conf globally or in
.ldaprc individually?
I expect it to work like SASL/GSSAPI when we run an ldapsearch after
retrieving the ticket for the user. Is it possible?
Regards,
Sadique
16 years, 7 months
DN syntax question
by Miek Gieben
Hello,
I'm not sure this is the correct list, but here it goes.
I'm creating a ldap tree with the usual layout:
o=companyName,ou=relations,dc=xxx,dc=yy,dc=zz
Where companyName is a customer. Adding entries with this DN
works and I can query the tree, etc. etc.
Now some customers can also have clients which should also be
represented in this tree. This would lead to the following DN
to be created:
o=client,ou=Organizations,o=companyName,ou=relations,dc=xxx,dc=yy,dc=zz
So: 'o=client,ou=Organizations' is placed below 'o=companyName'. Now
when I try to add this to openldap I get this in the logs:
slapd[3418]: connection_get(10)
slapd[3418]: do_add: dn (o=client,ou=Organizations,o=companyName,ou=relations,dc=xxx,dc=yy,dc=zz)
slapd[3418]: ==> bdb_add: o=client,ou=Organizations,o=companyName,ou=relations,dc=xxx,dc=yy,dc=zz
slapd[3418]: send_ldap_result: err=64 matched="" text="value of naming attribute 'o' is not present in entry"
where the ldif added is:
[0] => dn: o=client,ou=Organizations,o=companyName,ou=relations,dc=xxx,dc=yy,dc=zz
[1] => objectClass: top
[2] => objectClass: Organization
[3] => deleted: FALSE
[4] => o: client:companyName
[5] => cn: test test test
What am I doing wrong? Can't you have two 'o=' attributes in a DN? And why does it
complain about a missing attribute 'o', when in fact it looks to be there?
Thanks,
--
Kind regards,
R. Gieben | BIT BV | http://www.bit.nl
PGP: 6A3C F450 6D4E 7C6B C23C F982 258B 85CF 3880 D0F6
16 years, 7 months
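An added example for the DN question above (not the poster's code). slapd's err=64 is namingViolation, and the text "value of naming attribute 'o' is not present in entry" means exactly that: the leftmost RDN is `o=client`, but the entry's only `o` value is `client:companyName`. Two `o=` components in one DN are fine; only the leftmost RDN has to be present among the entry's attribute values. The check below reproduces that rule over the post's entry; its parser is a deliberate simplification (caseIgnoreMatch for every attribute type, minimal LDIF), and the helper names are this example's own.

```python
"""Check that an entry contains the value named by its RDN.

Added example for the post above; not the poster's code. The LDIF is the
post's entry; the RDN parser and the check are this example's own toy
code, comparing values case-insensitively for every attribute type.
"""
import re

ENTRY_FROM_POST = """\
dn: o=client,ou=Organizations,o=companyName,ou=relations,dc=xxx,dc=yy,dc=zz
objectClass: top
objectClass: Organization
deleted: FALSE
o: client:companyName
cn: test test test
"""


def _split_unescaped(s, sep):
    """Split on sep, leaving backslash escapes in place."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur, i = cur + s[i:i + 2], i + 2
        elif s[i] == sep:
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + s[i], i + 1
    return parts + [cur]


def parse_rdn(dn):
    """Leftmost RDN as [(type, value)], multi-valued (a=1+b=2) aware."""
    avas = []
    for ava in _split_unescaped(_split_unescaped(dn, ",")[0], "+"):
        typ, _, val = ava.partition("=")
        avas.append((typ.strip().lower(), re.sub(r"\\(.)", r"\1", val.strip())))
    return avas


def parse_ldif_entry(text):
    """Minimal LDIF: first line dn, then 'attr: value' lines."""
    dn, attrs = None, {}
    for line in text.strip().splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "dn":
            dn = val
        else:
            attrs.setdefault(key, []).append(val)
    return dn, attrs


def naming_violations(dn, attrs):
    """RDN components whose value is not among the entry's values for that
    type; an empty list means the add passes slapd's naming check."""
    missing = []
    for typ, val in parse_rdn(dn):
        if val.lower() not in [v.lower() for v in attrs.get(typ, [])]:
            missing.append((typ, val))
    return missing


if __name__ == "__main__":
    dn, attrs = parse_ldif_entry(ENTRY_FROM_POST)
    print(naming_violations(dn, attrs))   # [('o', 'client')]
    attrs["o"].append("client")           # add the RDN value to the entry
    print(naming_violations(dn, attrs))   # []
```

The fix for the post is therefore either `o: client` as an additional value (keeping `client:companyName` if it is wanted) or a DN of `o=client:companyName,...` that names the entry by the value it actually carries.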
back_bdb-2.3.so.0: undefined symbol: db_version with make test on 2.3.28 - test000-rootdse
by Gavin Henry
Dear All,
Having a bit of trouble with 2.3.28 on Ubuntu Breezy Server:
2.6.12-10-amd64-xeon #1 SMP Fri Sep 15 16:20:29 UTC 2006 x86_64 GNU/Linux
Versions:
libtool-1.5.22
db-4.2.52 with patch.4.2.52.1 to 5
openldap-2.3.28
libtool like so:
456 ./configure
458 make
460 sudo make install
db compiled like so:
372 tar -xzvf db-4.2.52.tar.gz
373 cd db-4.2.52
374 ls
375 patch -p0 < ../patch.4.2.52.1
376 patch -p0 < ../patch.4.2.52.2
377 patch -p0 < ../patch.4.2.52.3
378 patch -p0 < ../patch.4.2.52.4
379 patch -p0 < ../patch.4.2.52.5
380 cd build_unix/
381 env CC=gcc CFLAGS='-O2' CXXFLAGS='-O2' ../dist/configure
382 make
383 sudo make install
openldap-2.3.28 like so:
env CC=gcc CPPFLAGS="-I/usr/local/BerkeleyDB.4.2/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.2/lib"
LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.2/lib" ./configure
--prefix=/usr/local --enable-slapd --enable-syslog --with-cyrus-sasl=yes
--enable-dynamic --enable-rewrite --disable-ipv6 --disable-shell
--disable-sql --with-threads --enable-modules --enable-backends=mod
--enable-overlays=mod
make depend
make
suretec@suretec:~/openldap/openldap-2.3.28$ env SLAPD_DEBUG=1 make test
cd tests; make test
make[1]: Entering directory `/home/suretec/openldap/openldap-2.3.28/tests'
make[2]: Entering directory `/home/suretec/openldap/openldap-2.3.28/tests'
Initiating LDAP tests for BDB...
Cleaning up test run directory leftover from previous run.
Running ./scripts/all...
>>>>> Executing all LDAP tests for bdb
>>>>> Starting test000-rootdse ...
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
Waiting 5 seconds for slapd to start...
./scripts/test000-rootdse: line 66: kill: (29965) - No such process
ldap_bind: Can't contact LDAP server (-1)
>>>>> Test failed
>>>>> ./scripts/test000-rootdse failed (exit 1)
make[2]: *** [bdb-mod] Error 1
make[2]: Leaving directory `/home/suretec/openldap/openldap-2.3.28/tests'
make[1]: *** [test] Error 2
make[1]: Leaving directory `/home/suretec/openldap/openldap-2.3.28/tests'
make: *** [test] Error 2
Entries from log:
suretec@suretec:~/openldap/openldap-2.3.28$ cat tests/testrun/slapd.1.log
@(#) $OpenLDAP: slapd 2.3.28 (Nov 7 2006 13:15:15) $
suretec@netdev1:/home/suretec/openldap/openldap-2.3.28/servers/slapd
daemon_init: listen on ldap://localhost:9011/
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap://localhost:9011/)
daemon: listener initialized ldap://localhost:9011/
daemon_init: 1 listeners opened
lt-slapd init: initiated server.
slap_sasl_init: initialized!
=> str2entry: "dn:
vendorName: The OpenLDAP Project <http://www.openldap.org/>
"
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
<= str2entry() -> 0x65a580
bdb_back_initialize: initialize BDB backend
/home/suretec/openldap/openldap-2.3.28/servers/slapd/.libs/lt-slapd:
symbol lookup error: ../servers/slapd/back-bdb/.libs/back_bdb-2.3.so.0:
undefined symbol: db_version
I'm at a bit of a loss here. Any pointers? I've just configured and
installed 2.3.28 with all the same options on RHEL4, and that went fine.
Thanks.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
16 years, 7 months
CRL Certificate
by Turbo Fredriksson
I've been playing with OpenSwan the last week and learned how
to revoke certificates in the process. Usage of the CRL cert...
In my slapd.conf's I have:
TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/ldapsrv?_domain_tld.pub
TLSCertificateKeyFile /etc/ldap/ldapsrv?_domain_tld.prv
TLSVerifyClient try
Where would the CRL cert fit in this? From what I can tell
of the man page, nowhere.
I have authentication with X.509 certificates enabled
(not that anyone's using that at the moment, but...) so
I would like the chance of making sure to reject revoked
certificates...
16 years, 7 months
Error from replica getting changes from master server
by Manuel Molina Cuberos
Hello all!
Here at Ya.com we have a structure of directory service based on
OpenLDAP 2.0.27. There's ldapm01, the master server, and three replicas.
We want to add a new replica (smtpmaq) running OpenLDAP 2.3.27 with bdb
backend, populated through slapcat / slapadd. Our purpose is to migrate all
servers to the new version.
All this worked fine, but now we get the following error in the new replica:
Nov 8 13:09:16 smtpmaq slapd[23815]: conn=0 op=3093 ADD
dn="mailID=ya9999999(a)ya.com,ou=ya.com,o=XXXXXX"
Nov 8 13:09:16 smtpmaq slapd[23815]: conn=0 op=3093 RESULT tag=105
err=20 text=attribute 'objectClass' provided more than once
When we add a new entry, we do the following at the master server:
dn: mailID=ya9999999(a)ya.com,ou=ya.com,o=XXXXXX
changetype: add
mailID: ya9999999(a)ya.com
mailHost: ya.com
userPassword:: XXXXXXXXXXXX=
mailMessageStorePath: /some/disk/path
mailStatus: 1
mailServices: 0000000000001000
[...]
objectClass: mailClass
objectClass: top
Some notes:
-The server, running the old version, works fine with this. The old
replicas also work fine with this.
-The new replica refuses this kind of change, but accepts any other kind
of operation.
-If I try something like:
...
objectClass: mailClass
...
without "objectClass: top", the master server and all the replicas
accept the change.
What do you think about instantiating only mailClass in the new entries?
Are we doing something wrong?
--
Regards,
Manuel Molina Cuberos
ya.com Internet Factory
91 141 7931
16 years, 7 months
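An added example for the replication post above (not the poster's code). The replica's message is slapd's complaint that the same attribute type appeared twice in the AttributeList of the AddRequest, i.e. the sender emitted the two objectClass values as two separate list elements instead of one element carrying both values; err=20 is attributeOrValueExists. The code below builds the AttributeList from the post's LDIF both ways and applies the same check, so the difference between a coalescing client and a naive one is visible. The LDIF is the post's entry with the archive's "(a)" rendered as "@" and a constructed password value; the function names are this example's own.

```python
"""Build an LDAP AddRequest attribute list from LDIF and check it the way
a strict server does.

Added example, not from the post. Each attribute type may appear only
once in an AddRequest's AttributeList, carrying all of its values; a
sender that emits 'objectClass' twice gets err=20 with the text in the
post from OpenLDAP 2.3. The LDIF is the post's entry (password value
constructed, '(a)' rendered as '@').
"""
import base64
import re

ADD_LDIF = """\
dn: mailID=ya9999999@ya.com,ou=ya.com,o=XXXXXX
changetype: add
mailID: ya9999999@ya.com
mailHost: ya.com
userPassword:: c2VjcmV0
mailMessageStorePath: /some/disk/path
mailStatus: 1
mailServices: 0000000000001000
objectClass: mailClass
objectClass: top
"""


def ldif_to_attribute_list(text, merge=True):
    """Turn 'attr: value' / 'attr:: base64' lines into the AttributeList of
    an AddRequest: an ordered list of (type, [values]). merge=True does
    what a correct client does (all values of one type in one element);
    merge=False emits one element per line, the shape a strict server
    rejects. dn and changetype are not attributes and are skipped."""
    attrs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError("bad LDIF line: " + line)
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode()
        if name.lower() in ("dn", "changetype"):
            continue
        if merge:
            for existing, values in attrs:
                if existing.lower() == name.lower():
                    values.append(value)
                    break
            else:
                attrs.append((name, [value]))
        else:
            attrs.append((name, [value]))
    return attrs


def check_add_request(attrs):
    """The server-side checks relevant here: an attribute type provided
    twice gives 20 (attributeOrValueExists) with slapd's wording; a
    missing objectClass gives 65 (objectClassViolation)."""
    seen = set()
    for name, _ in attrs:
        if name.lower() in seen:
            return 20, "attribute '%s' provided more than once" % name
        seen.add(name.lower())
    if "objectclass" not in seen:
        return 65, "no objectClass attribute"
    return 0, ""


if __name__ == "__main__":
    print(check_add_request(ldif_to_attribute_list(ADD_LDIF, merge=False)))
    print(check_add_request(ldif_to_attribute_list(ADD_LDIF)))
```

Dropping `objectClass: top` works around the symptom because it leaves a single objectClass element, but it does not change what the sender does; any other attribute given on two separate lines would trip the same check on the 2.3 replica, so the fix belongs on the sending side, or the entries should be loaded onto the new replica from a slapcat dump, which always writes one element per type.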
Problem with ACL's: can't bind as a non-root DN
by Frank Van Damme
Hello list,
I am a sysadmin with limited experience with LDAP, and I am having a
little issue with ACL's on an openldap server. The server has been
running for more than a year as an auth. backend for Plone. However,
recently I wanted to use the same user name/password information for
other purposes and then I ran into a problem:
I can not bind to the server as a non-root DN.
More concrete example:
# ldapsearch -D "cn=my_own_user_id,dc=example,dc=be" -x
"(&(cn=editors)(uniqueMember=cn=someuser,dc=example,dc=be))" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I'll paste the acl's from my slapd.conf file:
access to attrs=userPassword
by dn="cn=admin,dc=example,dc=be" write
by anonymous auth
by self write
#by * none
#access to dn.base="" by * read
access to *
by dn="cn=admin,dc=example,dc=be" write
by dn="cn=admin,dc=example,dc=be" read
by * read
I would think that normally, "by anonymous auth" would allow any user
(inetOrgPerson) to bind to the server? Can anyone help?
Thanks in advance.
--
Frank Van Damme
"All PCs are compatible. But some of them are more compatible than
others." [Unknown]
16 years, 7 months
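An added example that serves three posts in this thread (not code from any of them): a first-match evaluator for the slapd.conf ACL subset they use, plus a saslRegexp (authz-regexp) mapper. The three ACLs and the regexp are copied from the GSSAPI post, the slapadd post and the post directly above; the evaluator itself is toy code whose function names are this example's own, and it matches dn.regex patterns unanchored, as a POSIX regexec does, which is why real rules should carry ^ and $. What it shows: in the GSSAPI post a plain principal is rewritten to a People DN and gets read, while a name/admin principal is left untouched by the `[^/]*` pattern and therefore matches the dn.regex clause that grants write; in the slapadd post `access to * by * write` gives an anonymous client write access to everything, userPassword included, which is tolerable only on an isolated load box; and in the post above anonymous has auth on userPassword and self has write, so the ACL permits simple binds and the second `by dn="cn=admin,..." read` clause can never fire because the write clause before it already matches. The error 49 in that post is therefore not caused by these ACLs.

```python
"""First-match evaluator for the slapd.conf ACL subset seen in this thread.

Added example, not from any post. The three ACLs and the saslRegexp are
copied from the GSSAPI, slapadd and last posts; evaluator and mapper are
this example's own toy code. dn.regex is matched unanchored here, as a
POSIX regexec does, so anchor real rules with ^ and $.
"""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
GSSAPI_AUTHZ = [(r"uid=([^/]*),cn=GSSAPI,cn=auth",
                 "uid=$1,ou=People,dc=jive-turkey,dc=net")]
GSSAPI_ACL = """# Default read access for everything else
access to *
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by * read"""
SLAPADD_ACL = "access to * by * write"
BIND_ACL = """access to attrs=userPassword
by dn="cn=admin,dc=example,dc=be" write
by anonymous auth
by self write
access to *
by dn="cn=admin,dc=example,dc=be" write
by dn="cn=admin,dc=example,dc=be" read
by * read"""


def parse_acl(text):
    """-> [(what, [(who, level), ...])]; clauses may share or span lines."""
    body = " ".join(l.split("#", 1)[0].strip() for l in text.splitlines())
    rules = []
    for seg in re.split(r"\s*\baccess\s+to\s+", body):
        if seg.strip():
            what, *clauses = re.split(r"\s+by\s+", seg.strip())
            by = []
            for clause in clauses:
                m = re.match(r'(\S+?="[^"]*"|\S+)\s+(\w+)$', clause.strip())
                if not m:
                    raise ValueError("unparsed clause: " + clause)
                by.append((m.group(1), m.group(2)))
            rules.append((what.strip(), by))
    return rules


def _norm(dn):
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def _who_matches(who, bind_dn, target_dn):
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
                "self": bind_dn != "" and _norm(bind_dn) == _norm(target_dn)}[who]
    m = re.match(r'dn(?:\.(\w+))?="(.*)"$', who)
    if m and m.group(1) in (None, "exact", "base"):
        return _norm(bind_dn) == _norm(m.group(2))
    if m and m.group(1) == "regex":
        return re.search(m.group(2), bind_dn) is not None   # unanchored
    raise ValueError("unsupported <who>: " + who)


def _what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    raise ValueError("unsupported <what>: " + what)


def access_for(rules, bind_dn, target_dn, attr=None):
    """Level bind_dn ('' = anonymous) gets on attr of target_dn. Only the
    first applicable 'access to' clause is consulted and, inside it, the
    first matching 'by' wins; no match means none. With no ACL at all
    slapd's built-in default is 'access to * by * read'."""
    if not rules:
        return "read"
    for what, by in rules:
        if _what_matches(what, attr):
            for who, level in by:
                if _who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"


def allows(rules, bind_dn, target_dn, needed, attr=None):
    return LEVELS.index(access_for(rules, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def authz_map(sasl_dn, authz_rules):
    """saslRegexp/authz-regexp: the first matching rule rewrites the SASL
    identity into a DN, $1.. substituted. The toy requires a full match."""
    for pattern, replacement in authz_rules:
        m = re.fullmatch(pattern, sasl_dn)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return sasl_dn
```

A simple bind needs `auth` on userPassword for the anonymous identity, which `access_for(parse_acl(BIND_ACL), "", dn, "userPassword")` returns, so for the post above the remaining suspects are the bind DN not naming an existing entry, that entry having no userPassword, or the password itself; `-D` must be the full DN of the user's entry, not a cn that only exists as a group member value.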