openldap-software December 2007

openldap-software@openldap.org

75 participants
90 discussions

Supported RFC's and "features"
by Clowser, Jeff (Contractor) 13 Jul '09

13 Jul '09

I'm currently doing a review to see how OpenLDAP compares, *feature wise* ATM, to other directory servers and specifically to the Sun DS - i.e. to get a definitive list of features it's missing that Sun has and what it has that Sun doesn't have, etc. For brevity, I haven't included all the potentially useful features of OpenLDAP, but have just focused on those associated with 1) RFC compliance (of which Sun may or may not meet) and 2) features to match the Sun DS (which it would be replacing). … [View More] So far, here's what I have for OpenLDAP: RFC 4510 (which includes 4511-4519). There was recent discussion on the list around this, such that in some cases, not everything that changed from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been updated in OpenLDAP, but I think those issues are fairly minor. The following additional RFC's are supported in OpenLDAP: - RFC 2247 and RFC 3088 - RFC 2696 simple paged results - RFC 2849 ldif - RFC 3062 password mod op - RFC 3296 named referals, manageDSAit - RFC 3673 All Op attrs + feature - RFC 3687 Component matching rules - RFC 3866 Languange tag and range - RFC 3876 matched values control - RFC 4370 proxy auth - RFC 4522 binary encoding - RFC 4523 x.509 cert schema - RFC 4524 COSINE schema - RFC 4525 Mod-increment - RFC 4526 Absolute true/false filters - RFC 4527 pre/post read control - RFC 4528 assertion control - RFC 4529 request attrs by objectclass - RFC 4530 entryUUID - RFC 4532 whoamI - RFC 4533 Content Sync op (replication) RFC's NOT supported are: - RFC 2589 dds Seems with 2.4, this has gone from experimental to production quality? - RFC 2891 server side sorting - RFC 3671 collective attributes - RFC 3928 LCUP mainly for updating cached addressbooks, etc - not replication between servers - RFC 3384 looks like just reqs for replication, not an actual replication protocol - RFC 4533 is used instead Unknown: - RFC 3672 (subentries) - RFC 3698 and 3727 (additional matching rules) - RFC 3909 LDAP Cancel operation - RFC 5020 entryDN operational attribute (There are some other, often obscure, LDAP related RFC's that I didn't include, but this seems to be the major/useful ones) Other features not supported: - VLV browse indexes (per http://tools.ietf.org/html/draft-ietf-ldapext-ldapv3-vlv-09). Not an RFC, but supported by Sun and MS directories, and used by things like Outlook and Solaris. Other supported features: - dyngroup/dynlist/memberof overlay (A much more useful feature than Sun's groupOfURLs "dynamic" group and "roles" mechanism) - ppolicy overlay (matches Sun DS 5.x reasonably close, but is account lockout replicated to all servers? Sun DS 6.x claims to) - refint overlay (similar to Sun's referential integrity plugin) - unique overlay (similar to Sun's uniqueness plugin) - audit and accesslog overlays, syslog logging - much more useful/complete than Sun's access/audit/error logs. - live acl changes via LDAP Unknown features: - Per user resource limits (sizelimit, timelimit, idletimeout, etc). I think Howard Chu said OpenLDAP has some of this, but I haven't seen any reference to it or how to use it in the docs (does this functionality exist, and if so, is there any documentation?) - Tracking of last login (i.e. last successful ldap authentication) Is this still fairly accurate? The ones that are really problematic are the lack of: - VLV Browse indexes - RFC 2891 (server side sorting) - per user/entry resources limits (if they don't exist) Are there any unofficial updates/patches/overlays/plans for any of this functionality? Thanks, - Jeff [View Less]

11 29

using slapo-pcache with an empty attr list
by Toby Blake 05 Jun '08

05 Jun '08

Hi all, I'm doing a bit of playing with slapo-pcache and have it working fairly well (particularly once I realised that an individual attr can live in only one proxyattrset). However, there's one bit that I can't get working - is there any way to define a template that will match a search which doesn't provide an attr list? i.e. I can see quite a few searches (presumably from amd) of the following form (spacing and formatting changed by me to make it more readable): Jul 23 14:54:16 host1 … [View More]

3 8

Strange TLS behaviour with slapd 2.3.30 on Debian Etch
by Denis Sacchet 27 Feb '08

27 Feb '08

Hello, I have a strange behaviour regarding TLS encryption with an LDAP server. Everything works like a charm for a while, and without any sign, the server begins to not respond for TLS traffic. As the server is partially open on internet, I force TLS, so it is very annoying for us. I change a lot of parameters, I already read several thread about that (and more specially, the one with exactly the same error message as me, where it was solved by specifying the same ciphers in slapd.conf … [View More]and ldap.conf, but it doesn't work for me ...) You will find all my parameters below, hope I forget nothing. I can provide more log files with and without the problem on demand. The ldap server is used by apache, postfix, saslauthd, pam_ldap, nss_ldap ... Thanks in advance if someone can found a solution for me !!! Best regards Denis Sacchet =================== Here are all the information I can give you : @(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 05:43:02) $ on a Debian Etch server, here are the link information for slapd: linux-gate.so.1 => (0xffffe000) libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0xb7f41000) liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f35000) libiodbc.so.2 => /usr/lib/libiodbc.so.2 (0xb7eed000) libslp.so.1 => /usr/lib/libslp.so.1 (0xb7ede000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7ec8000) libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7e89000) libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d4f000) libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7d21000) libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7d0d000) libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7cfb000) libltdl.so.3 => /usr/lib/libltdl.so.3 (0xb7cf4000) libwrap.so.0 => /lib/libwrap.so.0 (0xb7cec000) libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7bbb000) libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7bb7000) libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7ba0000) libz.so.1 => /usr/lib/libz.so.1 (0xb7b8c000) /lib/ld-linux.so.2 (0xb7f88000) The same for ldapsearch : linux-gate.so.1 => (0xffffe000) libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0xb7f8d000) liblber-2.3.so.0 => /usr/lib/liblber-2.3.so.0 (0xb7f81000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f6a000) libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7f2b000) libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7df1000) libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7dc3000) libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7db0000) libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c7f000) libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7c7a000) libz.so.1 => /usr/lib/libz.so.1 (0xb7c66000) /lib/ld-linux.so.2 (0xb7fca000) A part of my slapd.conf (no acl, no pass :) ) : include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/rfc2307bis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/mozillaabpersonalpha.schema include /etc/ldap/schema/evolutionperson.schema include /etc/ldap/schema/ouba.schema include /etc/ldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args modulepath /usr/lib/ldap moduleload back_bdb moduleload smbk5pwd backend bdb checkpoint 512 30 sizelimit 500 tool-threads 1 security ssf=128 disasllow bind_anon password-hash {SHA} TLSCACertificateFile /etc/ssl/certs/<hiddendomain>.pem TLSCertificateFile /etc/ldap/ssl/ldap.<hiddendomain>.com.crt TLSCertificateKeyFile /etc/ldap/ssl/ldap.<hiddendomain>.com.key TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP TLSVerifyClient never TLSCRLCheck none TLSRandFile /dev/hwrng loglevel any ####################################################################### # <hiddendomain>.com database database bdb overlay smbk5pwd suffix "dc=<hiddendomain>,dc=com" rootdn "cn=Manager,dc=<hiddendomain>,dc=com" directory "/var/lib/ldap/<hiddendomain>.com" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq uid uidNumber memberUid gidNumber service lastmod on replogfile /var/lib/ldap/<hiddendomain>.com/replog My ldap.conf file : TLS_CACERT /etc/ssl/certs/<hiddendomain>.pem TLSCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP BASE dc=<hiddendomain>, dc=com URI ldap://ldap.<hiddendomain>.com:389 A trace of ldapsearch when there is the problem : ldapsearch -D "uid=dsacchet,ou=accounts,dc=<hiddendomain>,dc=com" -h "ldap.<hiddendomain>.com" -ZZ -W -x -d 9 "(objectClass=*)" ldap_create ldap_url_parse_ext(ldap://ldap.<hiddendomain>.com) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.<hiddendomain>.com:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 88.191.47.236:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 31 bytes to sd 3 ldap_result ld 0x8057558 msgid 1 ldap_chkResponseList ld 0x8057558 msgid 1 all 1 ldap_chkResponseList returns ld 0x8057558 NULL wait4msg ld 0x8057558 msgid 1 (infinite timeout) wait4msg continue ld 0x8057558 msgid 1 all 1 ** ld 0x8057558 Connections: * host: ldap.<hiddendomain>.com port: 389 (default) refcnt: 2 status: Connected last used: Mon Dec 10 08:21:46 2007 ** ld 0x8057558 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x8057558 Response Queue: Empty ldap_chkResponseList ld 0x8057558 msgid 1 all 1 ldap_chkResponseList returns ld 0x8057558 NULL ldap_int_select read1msg: ld 0x8057558 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 0x8057558 msgid 1 message type extended-result ber_scanf fmt ({eaa) ber: read1msg: ld 0x8057558 0 new referrals read1msg: mark request completed, ld 0x8057558 msgid 1 request done: ld 0x8057558 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({eaa) ber: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com TLS certificate verification: depth: 0, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=smtp.<hiddendomain>.com/emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL3 alert read:fatal:handshake failure TLS trace: SSL_connect:failed in SSLv3 read finished A TLS: can't connect. ldap_perror ldap_start_tls: Connect error (-11) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure The same just after a fresh restart : # ldapsearch -D "uid=dsacchet,ou=accounts,dc=<hiddendomain>,dc=com" -h "ldap.<hiddendomain>.com" -ZZ -W -x -d 9 "(objectClass=*)" ldap_create ldap_url_parse_ext(ldap://ldap.<hiddendomain>.com) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP ldap.<hiddendomain>.com:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 88.191.47.236:389 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 31 bytes to sd 3 ldap_result ld 0x8057558 msgid 1 ldap_chkResponseList ld 0x8057558 msgid 1 all 1 ldap_chkResponseList returns ld 0x8057558 NULL wait4msg ld 0x8057558 msgid 1 (infinite timeout) wait4msg continue ld 0x8057558 msgid 1 all 1 ** ld 0x8057558 Connections: * host: ldap.<hiddendomain>.com port: 389 (default) refcnt: 2 status: Connected last used: Mon Dec 10 08:22:20 2007 ** ld 0x8057558 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 0x8057558 Response Queue: Empty ldap_chkResponseList ld 0x8057558 msgid 1 all 1 ldap_chkResponseList returns ld 0x8057558 NULL ldap_int_select read1msg: ld 0x8057558 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 0x8057558 msgid 1 message type extended-result ber_scanf fmt ({eaa) ber: read1msg: ld 0x8057558 0 new referrals read1msg: mark request completed, ld 0x8057558 msgid 1 request done: ld 0x8057558 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({eaa) ber: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com TLS certificate verification: depth: 0, err: 0, subject: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=smtp.<hiddendomain>.com/emailAddress=it@<hiddendomain>.com, issuer: /C=FR/ST=Lorraine/L=Nancy/O=<hiddencompany>/OU=<hiddencompany>/CN=<hiddencompany> Root C.A./emailAddress=it@<hiddendomain>.com TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A Enter LDAP Password: -- Denis Sacchet aka. Ouba ("`-/")_.-'"``-._ . . `; -._ )-;-,_`) "Computers are like air conditionners (v_,)' _ )`-.\ ``-' They stop working properly when you _.- _..-_/ / ((.' open Windows !!!" ((,.-' ((,/ [View Less]

8 19

account locking strategy
by Guillaume Rousse 21 Feb '08

21 Feb '08

Hello list. I have to handle account locking on our directory, so as to keep accounts from people not working here anymore. On Buchan's suggestion, I used ppolicy sofar, with pwdAccountLockedTime attribute set to 000001010000Z to lock unused account. This is really handy to handle unix account and web applications account at once. However, they are also some drawbacks: - this is an operational account, thus a bit difficult to retrieve/edit (additional search options needed) - its … [View More]

4 4

Need help:slapd crashed in syncrepl and mirror mode when deleting entry
by Savithri 02 Jan '08

02 Jan '08

Hi, Im using OpenLDAP 2.4.7 and using the mirrormode and syncrepl. My setup has 2 LDAP nodes, one as master and other as slave through a VIP. When the master goes down, the slave will become master and vice-versa. At any point to keep both the LDAP in sync I'm using mirror mode and syncrepl. When one node , say A is up (that is the active node) and the other node B is down, I delete some LDAP entry from node A. THen when i start node B, the slapd on node B crashes and i see a … [View More]

2 3

write, then read delay with syncrepl/slapo-chain ?
by Peter Mogensen 02 Jan '08

02 Jan '08

Hi, I haev a quick question which I haven't been able to find an answer to in the docs: I have a slapd master with a couple of slaves (syncrepl refreshAndPersist). I can get updates to be diverted to the master with the chain overlay, but as the FAQ says there'll be a small delay before the changes are replicated back to the slaves. Is there anyway to automatically direct subsequent reads of the changed attributes to the master? Else I guess I'll have to implement referral chasing logic … [View More]

3 6

Overlay chain formatting
by Justin Lambert 02 Jan '08

02 Jan '08

I have spent the last week off and on trying to figure out why my chain overlay was not working correctly. I tried all combinations of it that I could find and finally found out that the parser of the slapd.conf file is picky about spacing. I was trying to make my config file look nice by indenting the options under "overlay chain" only to find after many frustrating hours that you cannot do that! I didn't find anywhere that that was explicitly documented (even though all of the examples … [View More]

4 4

slap_sl_malloc failed, using ch_malloc
by Marcel Chastain 30 Dec '07

30 Dec '07

Hello all, I have a set of 11 servers setup with syncrepl, all running openldap 2.4.6: 1 syncrepl provider, and 10 consumers. The provider is having a hard time staying up for more than 18-24 hours at a time - it will either stop responding, or just die. I'm working on getting the debug log output right before it dies, but for now, about 60% of my provider's log is filled with messages such as this: Dec 28 15:04:15 ldapm01 slapd[10335]: slap_sl_malloc of 32 bytes failed, using ch_malloc Dec … [View More]28 15:04:15 ldapm01 slapd[10335]: slap_sl_malloc of 56 bytes failed, using ch_malloc Dec 28 15:04:15 ldapm01 slapd[10335]: slap_sl_malloc of 56 bytes failed, using ch_malloc The logs are quite copious, but I haven't seen anything else indicative of an error. I've been researching for over a week, and attempting to tweak my settings, but I can't find any data on this. Does this have anything to do with the 'searchstack' setting? I looked in the source code, and noticed that it didn't seem like a terrible error, but this is the only output I have for the time being. Any help would be greatly appreciated, as these are production machines. If the information I provided doesn't help, please tell me what you would need to understand the problem better. ########Provider: database bdb suffix "dc=testbox,dc=net" directory "/var/lib/ldap/master/" mode 0600 cachesize 20000 idlcachesize 60000 index objectClass eq index ou eq index entryCSN,entryUUID eq index uid,uidNumber,gidNumber eq idletimeout 30 overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 1000 syncprov-reloadhint TRUE lastmod on ############Consumer: database bdb suffix "dc=testbox,dc=net" directory "/var/lib/ldap/slave/" mode 0600 cachesize 10000 idlcachesize 30000 #### Consumer checkpoint 512 5 index uid,uidNumber,gidNumber,member pres,eq index ou,objectClass,entryCSN,entryUUID,homeDirectory,dc,contextCSN,associatedDomain,cn eq idletimeout 30 lastmod on syncrepl rid=233 provider=ldaps://ldapm01.testbox.net type=refreshOnly retry="10 100 30 +" interval="00:00:05:00" searchbase="dc=eigbox,dc=net" filter="(!(entryDN:dnSubtreeMatch:=ou=unwanted,ou=pub,dc=testbox,dc=net))" scope=sub attrs="*,+" schemachecking=off bindmethod=simple binddn="cn=sync-user,dc=testbox,dc=net" credentials=secret ############# Thanks in advance! ------------------------------------------ Marcel Chastain Senior Systems Administrator Endurance International Group Email: Marcel.Chastain(a)Gmail.com ------------------------------------------ [View Less]

4 5

Segmentation fault
by sf.techguy＠gmail.com 29 Dec '07

29 Dec '07

[ I posted this to the OpenLDAP tech list, and they suggested re-posting here. It was suggested to upgrade to a newer version of OpenLDAP, but for various reasons, upgrading to is problematic, and I'm willing to endure an unreasonable amount of pain to try to get it working with my ancient version. :) ] Running OpenLDAP 2.2.19 on Darwin kernel v. 8.11.1, and when I issue: /usr/sbin/slapcat -d 5 -v -l /Users/localadmin/Desktop/bkup.ldif I get the following output: <snip>... # id=… [View More]

2 1

Chaining ppolicy state attributes
by Ben Spencer 28 Dec '07

28 Dec '07

Looking at http://www.openldap.org/lists/openldap-software/200701/msg00149.html and http://www.openldap.org/lists/openldap-software/200704/msg00050.html it would seem as if it might be impossible/tricky to chain state related ppolicy attribute (ex: pwdAccountLockedTime) updates of a consumer to the master and then back down to the other consumers in OpenLDAP 2.3 Has anyone successfully done this with OpenLDAP 2.3 (2.3.39)? Are these attributes exchanged in 2.4 in a multimaster … [View More]

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2007