openldap-software December 2006

openldap-software@openldap.org

60 participants
65 discussions

slappasswd question
by Greg Martin 01 Jan '07

01 Jan '07

I have slapd configured with password-hash {SSHA}. I'm uusing slappasswd to generate passwords and notice that if I run it twice with the same secret that I get different results. I guess I don't understand this, but how does slapd verify a password if each time I generate it I get something different? Confused! \\Greg $OpenLDAP: slapd 2.3.27 (Oct 13 2006 09:16:43)

3 4

Question about DB_CONFIG (set_lg_bsize)
by TechnoSophos 29 Dec '06

29 Dec '06

If my directory routinely stores large chunks of data (like images) that are over two megs in size, should I raise the value for set_lg_bsize to reflect the max size of these files? Matt

2 1

Setting dbnosync: do I need to set a checkpoint?
by TechnoSophos 29 Dec '06

29 Dec '06

Using an HDB backend, if I set the dbnosync parameter in slapd.conf, how often will modifications be flushed to the underlying database? I did not find the Berkeley DB documentation to be terribly helpful in this case. It mentions that more frequent checkpointing can help: (http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_set…) Should I be using the checkpoint parameter in slapd.conf? I was under the impression (based on threads I have seen in other mailing lists) that checkpoint didn't actually do anything anymore. (And I have not had much luck with using txn_checkpoint in the DB_CONFIG file -- it produces errors). I'm not asking for troubleshooting help on fixing checkpointing. I just want to know how risky it is to use dbnosync, and if checkpointing can help minimize risks. Matt

2 1

Re: cetificate issue with ldaps
by jerrrry＠voila.fr 29 Dec '06

29 Dec '06

thank you for your help. but i still don't understand why the ssl connection works without any CA in TLS_CACERT whereas i put TLS_REQCERT "demand" ? Thomas > Message du 29/12/06 à 18h28 > De : "Owen DeLong" > A : "Rafal (sxat)" > Copie à : openldap-software(a)openldap.org > Objet : Re: cetificate issue with ldaps > > Small correction: > > TLS_CACERT must be the certificate from a ROOT Certificate Authority or > a Certificate Authority certification signed by a known parent CA. CA > means "Certificate Authority". There can be multiple levels of > Certificate > authority. > > Every certificate has an Issuer (Certificate Authority) which signed the > certificate, and, a Subject whose public key and other data is signed > by the CA. If the certificate has the correct attributes, then, it > can be > used to sign subordinate certificates. > > A certificate which has the same issuer and subject is a ROOT > certificate > because there is no parent certificate. > > You might want to check if there is also a TLS_CACERTDIR directive > or similar which could still allow the client to locate the CA > Certificate. > > Owen > > On Dec 29, 2006, at 5:32 AM, Rafal ((sxat)) wrote: > > >> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem > >> TLS_REQCERT demand > >> My issue is that the ssl connexion still works if i comment the > >> line with > >> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem. > >> and it should not because without this certificate authority my > >> openldap > > proxy should not be able to >check the certificate sent by the > > backend ldap. > >> TLS certificate verification: Error, self signed certificate in > >> certificate > > chain > >> but it works with this error. > > > > You must have your root CA -> selfsigned after you create > > - CA and key for your LDAP server > > - CA anad key for client > > > > both CA(client,server) you must sign by your CA root certificate > > > > pozdr > > rafal > > > > > > [ smime.p7s (2.8 Ko) ]

1 0

cetificate issue with ldaps
by jerrrry＠voila.fr 29 Dec '06

29 Dec '06

Hi, i'm using openldap as a ldap proxy to an an other ldap server. I'd like to get a ldaps connexion between this 2 servers. so, i configured ldap.conf like this: TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem TLS_REQCERT demand My issue is that the ssl connexion still works if i comment the line with TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem. and it should not because without this certificate authority my openldap proxy should not be able to check the certificate sent by the backend ldap. the only difference that i see without this line is in debug mode (slapd -d 1): TLS certificate verification: Error, self signed certificate in certificate chain but it works with this error. so, do you have an idea to force the ssl connexion to fail if the certificate sent by the other ldap server is not signed by my certificate authority ? Thanks, Thomas

3 2

my LDAP crash with SASL authentication
by Rafal (sxat) 29 Dec '06

29 Dec '06

Hello I am compile last version of LDAP with SASL and TLS for use with SQL (without berkley DB) and when I running authentication with sasl is OK but if I success login to ldap with SASL - ldap always crashes (in file backend.c function select_backend) because ->bv-len is large numer (about 4564564321) how configure SASL for ldap? regard Rafal sxat

1 0

RE: Slapd fails to terminate
by Lesley Walker 28 Dec '06

28 Dec '06

Never mind, I eventually twigged that "connections_shutdown" was the name of a function and found the right line. > -----Original Message----- > I know just about enough C to be able to comment out the > line. How do I identify it?

1 0

Slapd fails to terminate
by Lesley Walker 28 Dec '06

28 Dec '06

Running 2.3.31, I'm seeing the behaviour described in ITS4790, in which Pierangelo Masarati wrote: >> Apparently, one thread is unable to terminate correctly... >> but then slapd hangs forever in ldap_pvt_thread_pool_destroy(). and Howard responded: > This is a bad patch to connections_shutdown in RE23, there is a > "continue" after checking for a client session that shouldn't be > there. This line is not present in HEAD and the bug doesn't exist > in HEAD. Strange that it got there since we just recently sync'd > RE23 with HEAD's connection.c. Ok, so the problem line is in connection.c, right? I know just about enough C to be able to comment out the line. How do I identify it? I need to fix this pronto, as I have already rolled out the bad code to about half of our ~80 replicas. Cheers, Lesley W (I can just hear "I told you so..." coming from my employer when he hears about this) -- Lesley Walker Linux Systems Administrator Opus International Consultants Ltd Email lesley.walker(a)opus.co.nz Tel +64 4 471 7002, Fax +64 4 473 3017 http://www.opus.co.nz Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343 Wellington, New Zealand

1 0

custome schema does not work
by Sadique Puthen 26 Dec '06

26 Dec '06

Hi, I have a new schema file with the below entries, [root@host128 schema]# cat local.schema attributeType: ( 2.16.840.1.113730.3.1.241 NAME 'passworduser' DESC 'Custome Testing' SYNTAX 1.3.6.1.4.1.146.6.115.121.1.40 SINGLE-VALUE X-ORIGIN 'user defined' ) objectClass: ( 2.16.840.1.113730.3.2.2 NAME 'custome' SUP top STRUCTURAL MUST passworduser) Added in slapd.conf and restarted. trying to add below ldif file. dn: uid=guest20,ou=People,dc=example,dc=com uid: guest20 cn: guest20 objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount objectClass: passworduser passworduser: {crypt}$1$gFu78wyt$F1VXME32hviAXfrHDuObi/ shadowLastChange: 13473 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 600 gidNumber: 600 homeDirectory: /home2/guest20 dn: cn=guest20,ou=Group,dc=example,dc=com objectClass: posixGroup objectClass: top cn: guest20 userPassword: {crypt}x gidNumber: 600 Throws the below error message. [root@host128 schema]# ldapadd -f /root/ldif1 SASL/GSSAPI authentication started SASL username: guest2(a)TEST.EXAMPLE.COM SASL SSF: 56 SASL installing layers adding new entry "uid=guest20,ou=People,dc=example,dc=com" ldap_add: Invalid syntax (21) additional info: objectClass: value #4 invalid per syntax If anyone can pinpoint what is wrong, I would appreciate. Regards, Sadique

2 2

small problem with ldap with tls and sasl
by Rafal (sxat) 26 Dec '06

26 Dec '06

Hello how configure slapd.conf but i try setting SASL authentication on running slapd but ldap alway is crash "slapd in free(): error: junk pointer, too high to make sense" or crash on this line in source code file: saslauthz.c: Debug(LDAP_DEBUG_TRACE,'==>slap_sasl_authorized can %s become %s') I am running ./slapd -d -1 on first console on other console I running ldapsearch -I SASL/CRAM-MD5 authentication started SASL Interaction Please enter your authentication name: test Please enter your password: **** <enter> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) and ldapd on first console: >>> dnNormalize: <uid=test,dc=example,dc=com> => ldap_bv2dn(uid=test,dc=example,dc=com,0) <= ldap_bv2dn(uid=test,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=test,dc=example,dc=com)=0 <<< dnNormalize: <uid=test,dc=example,dc=com> <==slap_sasl2dn: Converted SASL name to uid=test,dc=example,dc=com slap_sasl_getdn: dn:id converted to uid=test,dc=example,dc=com SASL Canonicalize [conn=0]: slapAuthcDN="uid=test,dc=example,dc=com" SASL proxy authorize [conn=0]: authcid="test" authzid="test" <== slap_sasl_authorized: return 48 SASL proxy authorize after_5a [conn=0]: SASL Proxy Authorize [conn=0]: proxy authorization disallowed (48) SASL [conn=0] Failure: not authorized slapd in free(): error: junk pointer, too high to make sense my installed version is: OpenLDAP: slapd 2.3.31 - SASL cyrus-sasl-2.1.21 <- this library is ok - i have running postfix with sasl - unixODBC-2.2.11 - MyODBC-3.51.11 - FreeBSD 5.X openldap normal working without tls and auth sasl but if I activate sasl and write bad password when I logged to ldap is ok, all crash is alway when I write correct user and password when i login please help me..... ------------------ my slapd.conf: include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel -1 #allow bind_anon_cred #defaultaccess none #readonly off TLSCertificateFile /tmp/ldap.crt TLSCertificateKeyFile /tmp/ldap.key TLSCACertificateFile /tmp/ca.crt TLSCipherSuit HIGH authzTo: uid=[^,]*,dc=example,dc=com authz-regexp uid=([^,]*),cn=[^,]*,cn=auth uid=$1,dc=example,dc=com ####################################################################### # sql database definitions ####################################################################### database sql suffix "dc=example,dc=com" rootdn "cn=test,dc=example,dc=com" #rootpw secret dbname ldap dbuser ldap dbpasswd ldap subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)" insentry_stmt "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)" has_ldapinfo_dn_ru no access to attrs=userPassword by * auth

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2006