slappasswd question
by Greg Martin
I have slapd configured with password-hash {SSHA}. I'm using
slappasswd to generate passwords and notice that if I run it twice with
the same secret that I get different results. I guess I don't
understand this, but how does slapd verify a password if each time I
generate it I get something different?
Confused!
Greg
$OpenLDAP: slapd 2.3.27 (Oct 13 2006 09:16:43)
16 years, 9 months
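The behaviour Greg is asking about is the salt: {SSHA} stores base64(SHA1(secret || salt) || salt), so the salt rides along with the hash and slapd can recover it at bind time. As an added example (not from the thread), the Python below reproduces both the unsalted {SHA} scheme, where the same secret always gives the same string, and the salted {SSHA} scheme, where two runs differ yet both verify; it assumes slappasswd's default 4-byte salt.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

def sha_hash(secret: str) -> str:
    """Unsalted {SHA}: the same secret always yields the same string."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(secret.encode()).digest()).decode()

def ssha_hash(secret: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA} in the form slappasswd -h {SSHA} produces.

    slappasswd draws a fresh 4-byte random salt on every run (assumed default),
    so two runs over the same secret give different strings, both valid.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(secret.encode() + salt).digest()
    # Stored form is base64(SHA1(secret || salt) || salt): the salt travels
    # with the hash, which is what lets slapd verify the bind later.
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(secret: str, stored: str) -> bool:
    """Check a bind password against a stored {SSHA} value the way slapd does:
    pull the salt out of the stored value, rehash the candidate, compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]      # SHA-1 digests are always 20 bytes
    candidate = hashlib.sha1(secret.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    first, second = ssha_hash("secret"), ssha_hash("secret")
    print(sha_hash("secret"))            # identical on every run
    print(first, second, sep="\n")       # differ in salt, both verify
    print(ssha_verify("secret", first), ssha_verify("secret", second))
```

The random salt is the point of the scheme: two users with the same password get different stored values, and a precomputed table of SHA-1 digests is useless against them.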
Question about DB_CONFIG (set_lg_bsize)
by TechnoSophos
If my directory routinely stores large chunks of data (like images)
that are over two megs in size, should I raise the value for
set_lg_bsize to reflect the max size of these files?
Matt
16 years, 9 months
Setting dbnosync: do I need to set a checkpoint?
by TechnoSophos
Using an HDB backend, if I set the dbnosync parameter in slapd.conf,
how often will modifications be flushed to the underlying database?
I did not find the Berkeley DB documentation to be terribly helpful in
this case. It mentions that more frequent checkpointing can help:
(http://www.oracle.com/technology/documentation/berkeley-db/db/api_c/env_s...)
Should I be using the checkpoint parameter in slapd.conf? I was under
the impression (based on threads I have seen in other mailing lists)
that checkpoint didn't actually do anything anymore. (And I have not
had much luck with using txn_checkpoint in the DB_CONFIG file -- it
produces errors).
I'm not asking for troubleshooting help on fixing checkpointing. I
just want to know how risky it is to use dbnosync, and if
checkpointing can help minimize risks.
Matt
16 years, 9 months
Re: certificate issue with ldaps
by jerrrry@voila.fr
thank you for your help.
But I still don't understand why the SSL connection works without any CA in TLS_CACERT whereas I put TLS_REQCERT "demand"?
Thomas
> Message from 29/12/06 at 18:28
> From: "Owen DeLong"
> To: "Rafal (sxat)"
> Cc: openldap-software(a)openldap.org
> Subject: Re: certificate issue with ldaps
>
> Small correction:
>
> TLS_CACERT must be the certificate from a ROOT Certificate Authority or
> a Certificate Authority certification signed by a known parent CA. CA
> means "Certificate Authority". There can be multiple levels of
> Certificate
> authority.
>
> Every certificate has an Issuer (Certificate Authority) which signed the
> certificate, and, a Subject whose public key and other data is signed
> by the CA. If the certificate has the correct attributes, then, it
> can be
> used to sign subordinate certificates.
>
> A certificate which has the same issuer and subject is a ROOT
> certificate
> because there is no parent certificate.
>
> You might want to check if there is also a TLS_CACERTDIR directive
> or similar which could still allow the client to locate the CA
> Certificate.
>
> Owen
>
> On Dec 29, 2006, at 5:32 AM, Rafal ((sxat)) wrote:
>
> >> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
> >> TLS_REQCERT demand
> >> My issue is that the ssl connexion still works if i comment the
> >> line with
> >> TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem.
> >> and it should not because without this certificate authority my
> >> openldap
> > proxy should not be able to check the certificate sent by the
> > backend ldap.
> >> TLS certificate verification: Error, self signed certificate in
> >> certificate
> > chain
> >> but it works with this error.
> >
> > You must have your root CA -> self-signed; after that you create
> > - CA and key for your LDAP server
> > - CA and key for client
> >
> > both CAs (client, server) you must sign with your CA root certificate
> >
> > pozdr
> > rafal
> >
>
> >
16 years, 9 months
certificate issue with ldaps
by jerrrry@voila.fr
Hi,
I'm using OpenLDAP as an LDAP proxy to another LDAP server.
I'd like to get an LDAPS connection between these 2 servers.
So, I configured ldap.conf like this:
TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem
TLS_REQCERT demand
My issue is that the SSL connection still works if I comment out the line with TLS_CACERT /usr/local/etc/raddb/RTFE/conca.pem,
and it should not, because without this certificate authority my OpenLDAP proxy should not be able to check the certificate sent by the backend LDAP.
The only difference that I see without this line is in debug mode (slapd -d 1):
TLS certificate verification: Error, self signed certificate in certificate chain
but it works with this error.
So, do you have an idea how to force the SSL connection to fail if the certificate sent by the other LDAP server is not signed by my certificate authority?
Thanks,
Thomas
16 years, 9 months
my LDAP crash with SASL authentication
by Rafal (sxat)
Hello
I compiled the latest version of LDAP with SASL and TLS for use with SQL
(without Berkeley DB),
and when I run authentication with SASL it is OK, but if I successfully log in to
LDAP with SASL, LDAP always crashes (in file backend.c, function
select_backend) because ->bv_len is a large number (about 4564564321).
How do I configure SASL for LDAP?
Regards
Rafal
sxat
16 years, 9 months
RE: Slapd fails to terminate
by Lesley Walker
Never mind, I eventually twigged that "connections_shutdown" was the name of
a function and found the right line.
> -----Original Message-----
> I know just about enough C to be able to comment out the
> line. How do I identify it?
16 years, 9 months
Slapd fails to terminate
by Lesley Walker
Running 2.3.31, I'm seeing the behaviour described in ITS4790, in which
Pierangelo Masarati wrote:
>> Apparently, one thread is unable to terminate correctly...
>> but then slapd hangs forever in ldap_pvt_thread_pool_destroy().
and Howard responded:
> This is a bad patch to connections_shutdown in RE23, there is a
> "continue" after checking for a client session that shouldn't be
> there. This line is not present in HEAD and the bug doesn't exist
> in HEAD. Strange that it got there since we just recently sync'd
> RE23 with HEAD's connection.c.
Ok, so the problem line is in connection.c, right?
I know just about enough C to be able to comment out the line. How do I
identify it?
I need to fix this pronto, as I have already rolled out the bad code to
about half of our ~80 replicas.
Cheers,
Lesley W
(I can just hear "I told you so..." coming from my employer when he hears
about this)
--
Lesley Walker
Linux Systems Administrator
Opus International Consultants Ltd
Email lesley.walker(a)opus.co.nz
Tel +64 4 471 7002, Fax +64 4 473 3017
http://www.opus.co.nz
Level 9 Majestic Centre, 100 Willis Street, PO Box 12 343
Wellington, New Zealand
16 years, 9 months
custom schema does not work
by Sadique Puthen
Hi,
I have a new schema file with the below entries,
[root@host128 schema]# cat local.schema
attributeType: ( 2.16.840.1.113730.3.1.241 NAME 'passworduser'
DESC 'Custome Testing'
SYNTAX 1.3.6.1.4.1.146.6.115.121.1.40 SINGLE-VALUE
X-ORIGIN 'user defined' )
objectClass: ( 2.16.840.1.113730.3.2.2 NAME 'custome'
SUP top STRUCTURAL
MUST passworduser)
Added it to slapd.conf and restarted.
Trying to add the LDIF file below.
dn: uid=guest20,ou=People,dc=example,dc=com
uid: guest20
cn: guest20
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: passworduser
passworduser: {crypt}$1$gFu78wyt$F1VXME32hviAXfrHDuObi/
shadowLastChange: 13473
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 600
gidNumber: 600
homeDirectory: /home2/guest20
dn: cn=guest20,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: guest20
userPassword: {crypt}x
gidNumber: 600
It throws the error message below.
[root@host128 schema]# ldapadd -f /root/ldif1
SASL/GSSAPI authentication started
SASL username: guest2(a)TEST.EXAMPLE.COM
SASL SSF: 56
SASL installing layers
adding new entry "uid=guest20,ou=People,dc=example,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #4 invalid per syntax
If anyone can pinpoint what is wrong, I would appreciate it.
Regards,
Sadique
16 years, 9 months
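slapd numbers the values in "value #N invalid per syntax" from zero, so value #4 of objectClass in the rejected entry is passworduser, which the schema defines as an attribute type; the object class it defines is custome. As an added example (not the poster's code), the Python below parses a trimmed copy of the posted schema and entry and performs that same check; the SYNTAX OID in the post also looks mistyped (standard syntaxes live under 1.3.6.1.4.1.1466.115.121.1), but this check does not depend on it.

```python
import re
from typing import List, Set, Tuple

# Constructed sample input, trimmed from the post: the custom schema and the
# objectClass lines of the entry that ldapadd rejected.
SCHEMA_TEXT = """\
attributeType: ( 2.16.840.1.113730.3.1.241 NAME 'passworduser'
        DESC 'Custome Testing' SINGLE-VALUE )
objectClass: ( 2.16.840.1.113730.3.2.2 NAME 'custome'
        SUP top STRUCTURAL MUST passworduser )
"""
ENTRY = """\
dn: uid=guest20,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: passworduser
passworduser: {crypt}$1$gFu78wyt$F1VXME32hviAXfrHDuObi/
"""
# Object classes the entry takes from the standard core/cosine/nis schemas.
STANDARD_OCS = {"top", "account", "posixaccount", "shadowaccount"}

def parse_schema(text: str) -> Tuple[Set[str], Set[str]]:
    """Collect the NAMEs of objectClass and attributeType definitions.
    Continuation lines (leading whitespace) are folded into their definition."""
    ocs: Set[str] = set()
    ats: Set[str] = set()
    for line in re.sub(r"\n[ \t]+", " ", text).splitlines():
        kind = re.match(r"(objectclass|attributetype)\s*:?\s*\(", line, re.I)
        name = re.search(r"NAME\s+('[^']+'|\([^)]*\))", line)
        if not kind or not name:
            continue
        found = {n.lower() for n in re.findall(r"'([^']+)'", name.group(1))}
        (ocs if kind.group(1).lower() == "objectclass" else ats).update(found)
    return ocs, ats

def check_objectclasses(entry: str, ocs: Set[str], ats: Set[str]) -> List[str]:
    """Flag objectClass values that name no known object class, numbered from
    zero exactly as slapd's 'value #N invalid per syntax' message does."""
    values = [v.strip() for k, _, v in (ln.partition(":") for ln in entry.splitlines())
              if k.strip().lower() == "objectclass"]
    problems = []
    for i, v in enumerate(values):
        if v.lower() not in ocs:
            hint = " (defined as an attribute type)" if v.lower() in ats else ""
            problems.append(f"objectClass: value #{i} invalid per syntax{hint}")
    return problems
```

Replacing the entry's `objectClass: passworduser` line with `objectClass: custome` makes the check pass, and the passworduser attribute then satisfies that class's MUST.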
small problem with ldap with tls and sasl
by Rafal (sxat)
Hello
How do I configure slapd.conf? I try setting up SASL authentication on a running
slapd, but LDAP always crashes:
"slapd in free(): error: junk pointer, too high to make sense"
or it crashes on this line in the source code
file: saslauthz.c: Debug(LDAP_DEBUG_TRACE,'==>slap_sasl_authorized can %s
become %s')
I am running ./slapd -d -1 on the first console;
on the other console I run ldapsearch -I
SASL/CRAM-MD5 authentication started
SASL Interaction
Please enter your authentication name: test
Please enter your password: **** <enter>
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
and slapd on the first console:
>>> dnNormalize: <uid=test,dc=example,dc=com>
=> ldap_bv2dn(uid=test,dc=example,dc=com,0)
<= ldap_bv2dn(uid=test,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=test,dc=example,dc=com)=0
<<< dnNormalize: <uid=test,dc=example,dc=com>
<==slap_sasl2dn: Converted SASL name to uid=test,dc=example,dc=com
slap_sasl_getdn: dn:id converted to uid=test,dc=example,dc=com
SASL Canonicalize [conn=0]: slapAuthcDN="uid=test,dc=example,dc=com"
SASL proxy authorize [conn=0]: authcid="test" authzid="test"
<== slap_sasl_authorized: return 48
SASL proxy authorize after_5a [conn=0]: SASL Proxy Authorize [conn=0]: proxy
authorization disallowed (48)
SASL [conn=0] Failure: not authorized
slapd in free(): error: junk pointer, too high to make sense
my installed version is: OpenLDAP: slapd 2.3.31
- SASL cyrus-sasl-2.1.21 <- this library is OK; I have Postfix running with
SASL
- unixODBC-2.2.11
- MyODBC-3.51.11
- FreeBSD 5.X
OpenLDAP works normally without TLS and SASL auth, but if I activate SASL and
enter a bad password when I log in to LDAP it is OK; the crash always comes when I
enter the correct user and password when I log in.
please help me.....
------------------
my slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel -1
#allow bind_anon_cred
#defaultaccess none
#readonly off
TLSCertificateFile /tmp/ldap.crt
TLSCertificateKeyFile /tmp/ldap.key
TLSCACertificateFile /tmp/ca.crt
TLSCipherSuit HIGH
authzTo: uid=[^,]*,dc=example,dc=com
authz-regexp
uid=([^,]*),cn=[^,]*,cn=auth
uid=$1,dc=example,dc=com
#######################################################################
# sql database definitions
#######################################################################
database sql
suffix "dc=example,dc=com"
rootdn "cn=test,dc=example,dc=com"
#rootpw secret
dbname ldap
dbuser ldap
dbpasswd ldap
subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)"
insentry_stmt "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval)
VALUES (?,?,?,?)"
has_ldapinfo_dn_ru no
access to attrs=userPassword
by * auth
16 years, 9 months