openldap-software March 2007

openldap-software@openldap.org

68 participants
83 discussions

OpenLDAP 2.4 && SASL Auths
by Turbo Fredriksson 17 Mar '07

17 Mar '07

I've setting up a new primary server and choosed 2.4 (HEAD) as server for that... Might not be a good idea to use 2.4 on a production environment, but... :) Anyway, I set up a authz-regexp as I have on my 2.2 servers like this: ----- s n i p ----- authz-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth ldap:///c=SE??sub?krb5PrincipalName=$1@BAYOUR.COM ----- s n i p ----- Unfortunatly, ldapwhoami/slapd doesn't mapp this to my DN. An anonymous LDAP search will retreive my object correctly: ----- s n i p ----- root@rigel# ldapsearch -LLL -H ldapi://%2fvar%2frun%2fslapd%2fldapi.provider krb5PrincipalName=turbo(a)BAYOUR.COM dn SASL/GSSAPI authentication started SASL username: turbo(a)BAYOUR.COM SASL SSF: 56 SASL data security layer installed. dn: uid=turbo,ou=People,o=Fredriksson,c=SE root@rigel# ldapsearch -x -LLL -H ldapi://%2fvar%2frun%2fslapd%2fldapi.provider krb5PrincipalName=turbo(a)BAYOUR.COM dn dn: uid=turbo,ou=People,o=Fredriksson,c=SE ----- s n i p ----- And ldapwhoami shows: ----- s n i p ----- root@rigel# ldapwhoami -H ldapi://%2fvar%2frun%2fslapd%2fldapi.provider SASL/GSSAPI authentication started SASL username: turbo(a)BAYOUR.COM SASL SSF: 56 SASL data security layer installed. dn:uid=turbo,cn=bayour.com,cn=gssapi,cn=auth ----- s n i p ----- Running slapd with '-d -1' shows this when it tries to map my ticket/authzID (?): ----- s n i p ----- [...] put_simple_filter: "krb5PrincipalName=turbo(a)BAYOUR.COM" begin get_filter EQUALITY [...] slap_sasl2dn: performing internal search (base=c=se, scope=2) => hdb_search bdb_dn2entry("c=se") => access_allowed: auth access to "c=SE" "entry" requested => dn: [1] => dn: [2] cn=log1 => dn: [3] cn=log1 => dn: [4] cn=monitor => dn: [5] cn=subschema => dn: [6] cn=config => acl_get: [8] attr entry => acl_mask: access to entry "c=SE", attr "entry" requested => acl_mask: to all values by "", (=0) <= check a_dynacl <= check a_dynacl: aci <= aci_list_get_attr_rights test objectClass#public# for entry -> failed <= aci_list_get_attr_rights test objectClass#public# for [all] -> failed <= aci_list_get_attr_rights test userReference#public# for entry -> failed <= aci_list_get_attr_rights test userReference#public# for [all] -> failed <= aci_list_get_attr_rights test entry#public# for entry -> ok <= aci_list_get_attr_rights rights r,s,c;entry#public# to mask 0x39 <= aci_list_get_attr_rights test entry#public# for [all] -> failed <= aci_list_get_attr_rights test useControls#users# for entry -> failed <= aci_list_get_attr_rights test useControls#users# for [all] -> failed <= aci_list_get_attr_rights test useEzmlm#users# for entry -> failed <= aci_list_get_attr_rights test useEzmlm#users# for [all] -> failed <= aci_list_get_attr_rights test useBind9#users# for entry -> failed <= aci_list_get_attr_rights test useBind9#users# for [all] -> failed <= aci_list_get_attr_rights test useWebSrv#users# for entry -> failed <= aci_list_get_attr_rights test useWebSrv#users# for [all] -> failed <= aci_list_get_attr_rights test autoReload#users# for entry -> failed <= aci_list_get_attr_rights test autoReload#users# for [all] -> failed <= aci_list_get_attr_rights test allowServerChange#users# for entry -> failed <= aci_list_get_attr_rights test allowServerChange#users# for [all] -> failed <= aci_list_get_attr_rights test whoAreWe#users# for entry -> failed <= aci_list_get_attr_rights test whoAreWe#users# for [all] -> failed <= aci_list_get_attr_rights test language#users# for entry -> failed <= aci_list_get_attr_rights test language#users# for [all] -> failed <= aci_list_get_attr_rights test hostMaster#users# for entry -> failed <= aci_list_get_attr_rights test hostMaster#users# for [all] -> failed <= aci_list_get_attr_rights test ezmlmBinaryPath#users# for entry -> failed <= aci_list_get_attr_rights test ezmlmBinaryPath#users# for [all] -> failed <= aci_list_get_attr_rights test krb5RealmName#users# for entry -> failed <= aci_list_get_attr_rights test krb5RealmName#users# for [all] -> failed <= aci_list_get_attr_rights test krb5AdminServer#users# for entry -> failed <= aci_list_get_attr_rights test krb5AdminServer#users# for [all] -> failed <= aci_list_get_attr_rights test krb5PrincipalName#users# for entry -> failed <= aci_list_get_attr_rights test krb5PrincipalName#users# for [all] -> failed <= aci_list_get_attr_rights test krb5AdminKeytab#users# for entry -> failed <= aci_list_get_attr_rights test krb5AdminKeytab#users# for [all] -> failed <= aci_list_get_attr_rights test krb5AdminCommandPath#users# for entry -> failed <= aci_list_get_attr_rights test krb5AdminCommandPath#users# for [all] -> failed <= aci_list_get_attr_rights test controlBaseDn#users# for entry -> failed <= aci_list_get_attr_rights test controlBaseDn#users# for [all] -> failed <= aci_list_get_attr_rights test ezmlmAdministrator#users# for entry -> failed <= aci_list_get_attr_rights test ezmlmAdministrator#users# for [all] -> failed <= aci_list_get_attr_rights test controlsAdministrator#users# for entry -> failed <= aci_list_get_attr_rights test controlsAdministrator#users# for [all] -> failed <= aci_list_get_attr_rights test useACI#users# for entry -> failed <= aci_list_get_attr_rights test useACI#users# for [all] -> failed <= aci_list_get_attr_rights test [all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se for entry -> failed <= aci_list_get_attr_rights test [all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se for [all] -> ok <= aci_list_get_attr_rights rights w,r,s,c,x;[all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se to mask 0x37d <= aci_mask grant =rsc deny =0 <= acl_mask: [2] applying +rsc (stop) <= acl_mask: [2] mask: =rsc => slap_access_allowed: auth access denied by =rsc => access_allowed: no more rules ----- s n i p ----- So question number one is: why does it start in my suffix? And why does it fail, even though it succeeded in what it was looking for (attr 'entry')? Oh, another thing that would be _nice_ (not that I need it now, but you never know :). The following authz-regexp don't work (because krb5Principalname is case sensitive - ?): ----- s n i p ----- authz-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth ldap:///c=SE??sub?krb5PrincipalName=$1@$2 ----- s n i p ----- Any ideas on how to do this (without having multiple authz-regexp's)?

1 1

confusion with two ldap.conf in a single system
by JOYDEEP 16 Mar '07

16 Mar '07

Dear list, I am using Suse 10.1 with openldap2-2.3.19-18. I am very much confused to see the two ldap.conf file in my system one is located at /etc/ldap.conf and the other is at /etc/openldap/ldap.conf Which file should I modify to get the effect ? thanks.

5 7

dnattr
by Bernhard D Rohrer 15 Mar '07

15 Mar '07

regarding my ACL problem i have tried to solve it by using this ACL: # Access to groups addressbooks # allow read of addressbook by members and egwadmin account access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" read by dn.regex="cn=admin,dc=graylion,dc=net" write by users none # allow members to create entries in their group addressbooks; no-one else can a ccess it # needs write access to the entries ENTRY attribute ... access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha by dnattr=memberUid write # by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write by users none # ... and the entries CHILDREN access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$" attrs=children by dnattr=memberUid write # by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write by users none the group looks like this: dn: cn=GraylionEnterprises,ou=groups,dc=graylion,dc=net cn: GraylionEnterprises gidNumber: 7 memberUid: user1 memberUid: user2 memberUid: user3 memberUid: ... objectClass: top objectClass: posixGroup and on restarting slapd I get: Starting OpenLDAP: running BDB recovery, slapd - failed: /usr/share/egroupware/addressbook/doc/acl_addressbook.conf: line 37: dnattr "memberUid": inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26 thanks Bernhard -- Graylion's Fetish & Fashion Store Goth and Kinky Boots, Clothing and Jewellery http://www.graylion.net

1 0

slapd stopping with no error message
by Douglas B. Jones 15 Mar '07

15 Mar '07

About three times in the last several days, ldap-2.3.33 (RHEL4) has just stopped. No core or error messages in the log files. The last entry in the log file is just a search entry, with nothing common in the search from 'crash' to 'crash'. I have even tried the searches and they worked fine. I restart it notes an unclean shutdown detected and attempts recovery and appears to do so. My question is what is the proper way to debug this. If I do -d, it will not fork, but since it fails at random times I probably will not be there to see the output. Is this the best way to try to see what is happening? If so, what is the recommended debug level? It was built with: ./configure \ --prefix=/usr/local/openldap-2.3.33 \ --includedir=/usr/local/lib/BerkleyDB.4.5.20.NC/include \ --enable-crypt \ --enable-cleartext \ --enable-debug \ --enable-meta=yes \ --enable-monitor=yes \ --enable-relay=yes \ --enable-ldap=yes \ --enable-rewrite=yes \ --enable-overlays=yes \ -exec-prefix=/usr/local/openldap-2.3.33 I see that there is 2.3.34 out and that it can use BDB 4.5. Is the best course of action to upgrade? The 2.3.27 version we have been running has not had a problem like this. The 2.3.27 runs on port 900, the 2.3.33 runs on port 389. Thanks for any help!

5 22

ldap_sasl_bind_s and overriding .ldaprc
by Wyatt Neal 15 Mar '07

15 Mar '07

i'm working with sasl binding to my ldap server. is there some way i can override where the sasl "EXTERNAL" method is looking for the TLS_CERT and TLS_KEY directives? i'm basing this on a per-machine basis and serveral services will be using the library so it doesn't make sense to have each service run as a seperate user and different ldap certs on the machine. thanks, wyatt

1 0

Problem on MAKE.
by Duarte Lázaro 15 Mar '07

15 Mar '07

Hi all, I having a problem on "make" openldap. /configure --prefix=/usr/local/openldap --with-tls --enable-slapd --with-cyrus-sasl --enable-crypt --enable-bdb on make : Entering subdirectory libldap make[2]: Entering directory `/usr/local/pkgs/openldap-2.3.34/libraries/libldap' /bin/sh ../..//libtool --mode=link cc -static -g -O2 -L/usr/local/BerkeleyDB.4.5/lib -o apitest apitest.o libldap.la ../../libraries/liblber/liblber.la ../../libraries/liblutil/liblutil.a -lsasl2 -lssl -lcrypto -lcrypt -lresolv cc -g -O2 -o apitest apitest.o -L/usr/local/BerkeleyDB.4.5/lib ./.libs/libldap.a /usr/local/pkgs/openldap-2.3.34/libraries/liblber/.libs/liblber.a ../../libraries/liblber/.libs/liblber.a ../../libraries/liblutil/liblutil.a -lsasl2 -lssl -lcrypto -lcrypt -lresolv ./.libs/libldap.a(os-ip.o): In function `ldap_pvt_is_socket_ready': /usr/local/pkgs/openldap-2.3.34/libraries/libldap/os-ip.c:205: warning: `sys_errlist' is deprecated; use `strerror' or `strerror_r' instead /usr/local/pkgs/openldap-2.3.34/libraries/libldap/os-ip.c:205: warning: `sys_nerr' is deprecated; use `strerror' or `strerror_r' instead ./.libs/libldap.a(tls.o): In function `sb_tls_bio_write': /usr/local/pkgs/openldap-2.3.34/libraries/libldap/tls.c:703: undefined reference to `BIO_clear_flags' /usr/local/pkgs/openldap-2.3.34/libraries/libldap/tls.c:707: undefined reference to `BIO_set_flags' ./.libs/libldap.a(tls.o): In function `sb_tls_bio_read': /usr/local/pkgs/openldap-2.3.34/libraries/libldap/tls.c:676: undefined reference to `BIO_clear_flags' /usr/local/pkgs/openldap-2.3.34/libraries/libldap/tls.c:680: undefined reference to `BIO_set_flags' ./.libs/libldap.a(tls.o): In function `ldap_pvt_tls_init_def_ctx': /usr/local/pkgs/openldap-2.3.34/libraries/libldap/tls.c:374: undefined reference to `SSL_CTX_set_info_callback' collect2: ld returned 1 exit status make[2]: *** [apitest] Error 1 make[2]: Leaving directory `/usr/local/pkgs/openldap-2.3.34/libraries/libldap' make[1]: *** [all-common] Error 1 make[1]: Leaving directory `/usr/local/pkgs/openldap-2.3.34/libraries' make: *** [all-common] Error 1 any ideias, if someone needs more info about this problem, just ask for data. Thanks, Duarte Lázaro

1 0

LDAP proxy cache configuration
by Amos Castelli 15 Mar '07

15 Mar '07

Hi everybody, I have setup a ldap proxy cache (2.3.34), but somehow I cannot write into the proxy database. When I first search into the directory, I get the following in the log file: slapd[450]: QUERY NOT ANSWERABLE slapd[450]: QUERY CACHEABLE This tells me that at least the proxyTemplate is set up correctly, then I run the second time the search command, and I get: slapd[518]: QUERY ANSWERABLE I suppose ldap found in the cache the search output, but I get no result. After searching a little bit, I also found this messages, after the first search: ==> bdb_add: uid=dummy,ou=People,dc=cscs,dc=com bdb_add: entry failed op attrs add: no structural object class provided (65) send_ldap_result: conn=2 op=1 p=3 send_ldap_result: err=65 matched="" text="no structural object class provided" ENTRY ADDED/MERGED, CACHED ENTRIES=0 Somehow I cannot write into the directory.. this is my slapd.conf file: include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args loglevel -1 threads 8 idletimeout 240 lastmod off database ldap suffix "ou=people,dc=cscs,dc=com" rootdn "cn=ldapadm,dc=cscs,dc=com" uri ldap://ldap2.cscs.com/ou=people%2cdc=cscs%2cdc=com overlay pcache proxyCache bdb 100000 2 1000 60 proxyAttrset 0 uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass proxyAttrset 1 cn userPassword memberUid uniqueMember gidNumber proxyTemplate (&(objectClass=)(uid=)(description=)) 0 300 proxyTemplate (&(objectClass=)(uidNumber=)(description=)) 0 300 proxyTemplate (&(objectClass=)(description=)) 0 300 proxyTemplate (&(objectClass=)(cn=)) 1 300 proxyTemplate (&(objectClass=)) 1 300 proxyTemplate (&(objectClass=)(gidNumber=)) 1 300 proxyTemplate (&(objectClass=)(memberUid=)) 1 300 cachesize 50000 directory /usr/local/openldap/var/openldap-data index objectClass eq index uid eq index uidNumber eq index gidNumber eq index memberUid eq index description eq index cn pres,eq,sub Can anybody help me? Thanks in advance, Amos

2 2

SASL authentication with open ldap
by JOYDEEP 14 Mar '07

14 Mar '07

Dear Philip, Greg, Tony, Louis and the list, Thanks for the guidance so far. I have got little success but still away from my target. here I'm describing every thing. 1> I have executed "saslpasswd2 admin" to create the user admin in the sasldb2 2> "sasldblistusers2" shows as below admin(a)linux.kolkatainfoservices.in: userPassword 3> now the command *ldapsearch -H ldaps://* when asks the password I gave the admin password stored in sasldb2. and now it is working. 4> I may be allowed to provide the log here ======================================================= Mar 12 12:26:12 linux slapd[6783]: conn=2 fd=15 ACCEPT from IP=127.0.0.1:36689 (IP=0.0.0.0:636) Mar 12 12:26:12 linux slapd[6783]: conn=2 fd=15 TLS established tls_ssf=256 ssf=256 Mar 12 12:26:12 linux slapd[6783]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Mar 12 12:26:12 linux slapd[6783]: conn=2 op=0 SRCH attr=supportedSASLMechanisms Mar 12 12:26:12 linux slapd[6783]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Mar 12 12:26:12 linux slapd[6783]: conn=2 op=1 BIND dn="" method=163 Mar 12 12:26:12 linux slapd[6783]: conn=2 op=1 RESULT tag=97 err=14 text= Mar 12 12:26:12 linux ldapsearch: DIGEST-MD5 client step 2 Mar 12 12:26:14 linux ldapsearch: DIGEST-MD5 client step 2 Mar 12 12:26:14 linux slapd[6783]: conn=2 op=2 BIND dn="" method=163 Mar 12 12:26:14 linux slapd[6783]: conn=2 op=2 BIND authcid="admin" authzid="admin" Mar 12 12:26:14 linux slapd[6783]: conn=2 op=2 BIND dn="uid=admin,cn=digest-md5,cn=auth" mech=DIGEST-MD5 ssf=128 Mar 12 12:26:14 linux slapd[6783]: conn=2 op=2 RESULT tag=97 err=0 text= Mar 12 12:26:14 linux ldapsearch: DIGEST-MD5 client step 3 Mar 12 12:26:14 linux slapd[6783]: conn=2 op=3 SRCH base="ou=Users,dc=kolkatainfoservices,dc=in" scope=2 deref=0 filter="(objectClass=*)" Mar 12 12:26:14 linux slapd[6783]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=7 text= Mar 12 12:26:14 linux slapd[6783]: conn=2 op=4 UNBIND Mar 12 12:26:14 linux slapd[6783]: conn=2 fd=15 closed ============================================================== please note the ["uid=admin,cn=digest-md5,cn=auth" mech=DIGEST-MD5 ssf=128] 5> BUT when I added entry for Manager ( as per root dn) and provide the password of manager it is not working. even it is not working for any other uesrs which I have added in sasldb2. How can I fix the problem ? PS: here is my ldif as attachment dn: dc=kolkatainfoservices,dc=in objectClass: domain dc: kolkatainfoservices structuralObjectClass: domain dn: ou=adrbook-GER,dc=kolkatainfoservices,dc=in ou: adrbook-GER objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=adrbook-IND,dc=kolkatainfoservices,dc=in ou: adrbook-IND objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=Users,dc=kolkatainfoservices,dc=in ou: Users objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=Passwd,dc=kolkatainfoservices,dc=in ou: Passwd objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit dn: ou=Groups,dc=kolkatainfoservices,dc=in ou: Groups objectClass: top objectClass: organizationalUnit structuralObjectClass: organizationalUnit

2 4

New superior without new RDN
by Dave Horsfall 14 Mar '07

14 Mar '07

OpenLDAP 2.3.32 How do I move an entry to a new superior without changing the RDN as well? I cannot find any examples of this (at least, none that works). dn: uid=dhtest,dc=coreng,dc=com,dc=au changeType: modDN newRDN: dhtest deleteOldRDN: 1 newSuperior: ou=systems,dc=coreng,dc=com,dc=au - Fails with: ldapmodify: invalid format (line 6) entry: "uid=dhtest,dc=coreng,dc=com,dc=au" Failed to update entry. as does: dn: uid=dhtest,dc=coreng,dc=com,dc=au changeType: modDN newRDN: uid=dhtest deleteOldRDN: 1 newSuperior: ou=systems,dc=coreng,dc=com,dc=au - I already discovered that I need "newRDN" i.e. just "newSuperior" won't cut it. Or must I use "ldapmodrdn", and risk a race condition if making several changes to the same entry? -- Dave Horsfall DTM VK2KFU daveh(a)ci.com.au Ph: +61 2 9552-5509 (d) -5500 (sw) Corinthian Eng'ng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU

8 13

Problem when activation TLSVerifyClient demand
by JOYDEEP 13 Mar '07

13 Mar '07

dear list, I have no problem to execute the command ldapsearch -H ldaps:// -u "uid=anupam" -x here is my TLS part of slapd.conf ---------------------------------------- TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /etc/openldap/myca/servercert.pem TLSCertificateKeyFile /etc/openldap/myca/serverkey.pem TLSCACertificateFile /etc/openldap/myca/cacert.pem TLSVerifyClient never ----------------------------------------------------------- Now when I change the [TLSVerifyClient never] to [TLSVerifyClient demand] and try to execute the same command * ldapsearch -H ldaps:// -u "uid=anupam" -x * it gives errors like ldap_bind: Can't contact LDAP server (-1) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure Could any one suggest the problem I have here and the solution please ?

2 4

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software March 2007