openldap-software April 2007

openldap-software@openldap.org

90 participants
96 discussions

Different output with ldapsearch
by Amos Castelli 11 Apr '07

11 Apr '07

Hi all, can anybody tell me if the following is a bug or is a normal behavior? $ ldapsearch -x -H ldap://ldap.ex.com -b ou=People,dc=ex,dc=com |grep zhiling $ ldapsearch -x -H ldap://ldap.ex.com -b ou=People,dc=ex,dc=com "(uid=zhiling)" # extended LDIF # # LDAPv3 # base <ou=People,dc=ex,dc=com> with scope subtree # filter: (uid=zhiling) # requesting: ALL # # zhiling, People, ex.com dn: uid=zhiling,ou=People,dc=ex,dc=com uid: zhiling cn: Uela Zhiling objectClass: account objectClass: posixAccount objectClass: top loginShell: /usr/local/bin/bash uidNumber: 20893 gidNumber: 30484 homeDirectory: /users/zhiling gecos: Uela Zhiling, DCS # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 why I don't get any match with the grep command? ldap server version: 2.3.34 Thanks in advance, AMos

6 9

TLS/SSL problem - unsupported certificate
by Antonio Camacho 11 Apr '07

11 Apr '07

Hi list! I've an installation of OpenLDAP 2.3-19, I've a problem using TLS/SSL support: My master server seem to be work fine, but when I try to use the command " ldapsearch -x -H ldaps://master.mydomain 'filter' " , I get the following error: ldap_bind: Can't contact LDAP server (-1) additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate My slapd.conf configuration: # TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA TLSCertificateFile /etc/openldap/cacerts/master.pem TLSCertificateKeyFile /etc/openldap/cacerts/master- key.pem TLSCACertificateFile /etc/openldap/cacerts/cacert.pem TLSVerifyClient demand # My ldap.conf configuration: # Base=mydomain SIZELIMIT 0 TIMELIMIT 0 TLS_CACERT /etc/openldap/cacerts/cacert.pem TLS_CERT /etc/openldap/cacerts/master.pem TLS_KEY /etc/openldap/cacerts/master-key.pem TLS_REQCERT demand # My .ldaprc configuration: # TLS_CACERT /etc/openldap/cacerts/cacert.pem TLS_CERT /etc/openldap/cacerts/master.pem TLS_KEY /etc/openldap/cacerts/master-key.pem TLS_REQCERT demand # Error: TLS trace: SSL3 alert read:fatal:unsupported certificate TLS trace: SSL_connect:failed in SSLv3 read finished A TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1) additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate What does mean that? Which ones are supported certificates? I'm using the same certificate to my server and my client I googling and found that the error probably means: "This catch-all error message can mean a variety of things which all have to do with an invalid certificate for this connection. It is most frequently triggered when the CN of the certificate doesn't match the hostname of the entity communicating. It can also be a signal that your certificate is beyond its validity period" But my CN and validity period are ok. My cert is an x509v3 certificate and when I "read" it with openssl I get: So I can read it ok ============ openssl x509 -in master.pem.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:31:33:32:36 Signature Algorithm: sha1WithRSAEncryption Issuer: L=My location, ST=My state, C=My Country/postalCode=232312/streetAddress=My address, CN=Institute , OU=Unit, O=Institute /emailAddress= ca@mydomain Validity Not Before: Apr 4 00:00:00 2007 GMT Not After : Apr 3 00:00:00 2008 GMT Subject: L=My location, ST=My statte, C=My country, CN= master.mydomain, OU=Unit, O=Institute /emailAddress= ca(a)mydomain.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:c4:53:a7:53:60:2c:57:9b:b9:2a:c8:fa:f3:8e: 55:fb:a3:43:5e:9b:10:6a:2a:14:ac:0a:e3:18:2d: 86:51:5f:6e:da:da:12:39:de:96:e2:fc:39:bc:ba: b0:ff:10:68:91:88:d6:52:90:f3:c6:09:29:d1:24: 18:6c:e5:ea:82:ba:0b:f5:27:04:cd:19:df:9c:2e: 25:25:62:5c:d0:71:c8:0b:d4:aa:9c:55:b5:c7:72: 9c:83:fc:95:2a:69:e3:35:6e:85:19:db:3c:52:b0: 98:bd:48:ad:ba:b6:cb:d2:96:f4:7d:3c:43:4b:76: 45:f0:4b:64:1a:41:29:63:5f Exponent: 65537 (0x10001) X509v3 extensions: Authority Information Access: OCSP - URI: http://1X.X:X:X:8082 X509v3 CRL Distribution Points: URI:http://url:getcrl X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Key Agreement Netscape Cert Type: SSL Server Signature Algorithm: sha1WithRSAEncryption 2f:81:c3:38:3b:5b:2b:df:dd:52:10:1f:7e:fa:65:03:03:96: a3:07:9d:6b:ec:7d:7f:05:31:4d:55:81:9c:06:28:e2:21:df: b9:ae:1f:62:e0:01:d0:46:74:01:43:50:43:00:62:40:28:f9: be:b6:b2:14:25:00:b7:71:76:3c:20:54:30:8a:94:5b:29:52: af:50:ef:21:db:c7:54:6c:cd:d2:58:bc:4f:26:98:fa:b8:0d: b5:d1:1f:62:18:df:e2:02:3d:70:f1:a7:90:5a:40:74:f7:5f: c2:8f:5d:96:73:5f:4c:b4:1f:3f:b7:49:1c:7a:65:a7:90:c8: 7a:d0:dd:04:45:0b:65:31:a7:b7:18:f8:24:a2:4c:b5:2b:3d: 3e:cd:e3:f3:69:27:40:71:bb:a7:73:d9:99:c5:fa:73:d4:98: d3:46:2a:2e:d1:9a:45:50:36:f7:bb:f0:f9:86:95:52:d5:7d: cc:a7:a9:74:6c:e7:ef:56:a7:b3:f8:d7:e5:c8:81:ee:2d:3e: 01:20:e7:bb:e6:3e:20:66:55:a6:12:9d:8c:51:0b:93:d4:58: 86:57:ee:72:db:8a:f5:85:f2:73:b3:ad:6c:9d:e7:b1:3a:36: 0f:99:09:5f:31:ef:4c:3c:4d:e1:f2:ba:99:74:3e:78:be:97: de:4b:0b:0f ================ When i try ldapsearch in debug mode: # ldapsearch -x -H ldaps://master.mydomain "uid=user" -d1 ldap_create ldap_url_parse_ext(ldaps://master.mydomain) ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP master.mydomain:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.X.X.X:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /bla bla bla .... TLS certificate verification: depth: 0, err: 0, subject: /bla bla bla ... TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write certificate verify A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL3 alert read:fatal:unsupported certificate TLS trace: SSL_connect:failed in SSLv3 read finished A TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1) additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate Thanks for your responses. -- @ntonio

4 6

documentation for security ssf-settings
by Matthias Nagl 11 Apr '07

11 Apr '07

Is there any more comprehensive documentation for the security strength factors in the security statement than the man-page entry? "The minssf=<factor> property specifies the minimum acceptable security strength factor as an integer approximate to effective key length used for encryption. 0 (zero) implies no protection, 1 implies integrity protection only, 56 allows DES or other weak ciphers, 112 allows triple DES and other strong ciphers, 128 allows RC4, Blowfish and other modern strong ciphers. The default is 0." I am espacially interested which consequences the different ssf-settings exactly have. What is really checked if I set for example security transport=x sasl=y tls=z ?? Additionally I'd like to know if it is possible to set special security-settings for localhost-connections as they are always secure and won't need encryption. Thanks Matthias

2 1

slapo-ppolicy container question
by Joshua M. Miller 10 Apr '07

10 Apr '07

What is the proper structural objectClass to add a password policy object as? I have the following that works, although I reverted to a device for lack of a better idea: dn: cn=default,ou=Policies,dc=example,dc=com cn: default objectClass: pwdPolicy objectClass: device pwdMaxAge: 7776000 pwdAttribute: userPassword Thanks, -- Joshua M. Miller - RHCE,VCP

1 1

posixgroup and groupofnames
by James Tran 10 Apr '07

10 Apr '07

i want to be able to make a group that is authorized to be admins to the ldap database but it seems i cant do it with posixgroups. i saw that you can edit posixgroups to be groupofnames to enable this but i dont want to go back and edit a bunch of posixgroups that are already structured so i want to just add objectclass groupofnames to one group that's enabled as admins. i heard that the rfc2307bis.schema can let me do this but i can't find the file anywhere. Any help please?

4 5

Issues with LDAP Replication
by Steven Bambling 10 Apr '07

10 Apr '07

From: steven.bambling(a)sunrocket.com Subject: Issue with changes using updateref Date: April 9, 2007 6:57:43 PM EDT To: openldap-software(a)openldap.org All, I've been racking my brain for a while googling and reading like mad. I've come to a wall. I have 2 OpenLdap servers setup 1 as a master and the other as a slave. This are now working about 50%. When I make a change on the master is is replicated down to the slave without a problem. Yet when I make a change on the slave it doesn't seem to carry back up to the master. I've tried changing the userpassword manually through a ldap browser and get this effect On the Master server I have the following configuration replica host=jupiter2.company.com:389 suffix="dc=sunrocket,dc=com" binddn="cn=copycat2,dc=company,dc=com" credentials=deargod2 bindmethod=simple tls=yes On the Slave Server I have ####################################################################### # BDB database definitions ####################################################################### database bdb checkpoint 1024 5 cachesize 1000000 suffix "dc=sunrocket,dc=com" rootdn "cn=copycat2,dc=sunrocket,dc=com" # Slave data updatedn "cn=copycat2,dc=sunrocket,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw "deargod2" Any suggestions to point me in the correct direction? Thanks, STEVE

5 8

An ACL question
by Rob Tanner 10 Apr '07

10 Apr '07

Hi, I understand the general rule for ordering ACLs, but the application still sometimes throws me. In my people hierarchy, I need several attributes to be visible to anonymous connections: uid and mail. Here's my original set of ACLs: access to dn.one="ou=people,o=linfield.edu" attrs=userpassword by anonymous auth access to dn.one="ou=people,o=linfield.edu" by dn="cn=Postfix,ou=Special Users,o=linfield.edu" read by group/linfieldGroupOfUniqueNames/uniqueMember="cn=ferpa administrators,ou=People,o=linfield.edu" read by self read access to dn.one="ou=people,o=linfield.edu" attrs=userPassword,maillocaladdress,useDefaultAlias,spamDisposition,checkForDirtyWords by self write I have added the following ACL in every conceivable location (the top, the bottom, and the two in-betweens) and I still can't access the fields anonymously: access to dn.one="ou=people,o=linfield.edu" attrs=uid,mail by * read What am I doing wrong here? Thanks, Rob -- Rob Tanner UNIX Services Manager Linfield College, McMinnville OR

2 1

nisNetgroupTriple trouble
by Ryan Lovett 09 Apr '07

09 Apr '07

I turned up the logging on the OpenLDAP server and spotted several instances of: get_ava: illegal value for attributeType nisNetgroupTriple I've looked over RFC 2307 and the values stored in OpenLDAP seem to be consistent with the defined syntax. Additionally, the server did not object when I inserted the data so I don't know why there is a problem when reading it. Is there a specific loglevel setting that will tell me more precisely what is going on? I bumped it up enough for it to show me: slapd[26143]: get_ava: illegal value for attributeType nisNetgroupTriple slapd[26143]: end get_filter 0 slapd[26143]: begin get_filter slapd[26143]: EQUALITY slapd[26143]: get_ava: illegal value for attributeType nisNetgroupTriple slapd[26143]: end get_filter 0 slapd[26143]: begin get_filter slapd[26143]: SUBSTRINGS slapd[26143]: begin get_ssa slapd[26143]: error=18 slapd[26143]: end get_filter 0 slapd[26143]: begin get_filter slapd[26143]: get_filter: unknown filter type=130 slapd[26143]: end get_filter 0 slapd[26143]: begin get_filter slapd[26143]: EQUALITY slapd[26143]: get_ava: illegal value for attributeType nisNetgroupTriple slapd[26143]: end get_filter 0 slapd[26143]: begin get_filter slapd[26143]: EQUALITY slapd[26143]: get_ava: illegal value for attributeType nisNetgroupTriple slapd[26143]: end get_filter 0 "error=18" and "unknown filter type=130" searches haven't led me to a solution. Thanks for your time, Ryan

2 2

I have a tool to contribute Can I post it here
by Leung Tak Yin 09 Apr '07

09 Apr '07

A tool to create tables, metadatas and functions for using backsql with mysql ver 5.0 _________________________________________________________________ Learn English via Shopping Game, FREE! http://www.linguaphonenet.com/BannerTrack.asp?EMSCode=MSN06-03ETFJ-0211E

2 1

LDIF format question for Openldap-2.3.27
by Venkat Reddy Valluri 06 Apr '07

06 Apr '07

Hi I installed Openldap-2.3.27. how can I create ldif format file for "cn=testApp, cn=jdbc, dc=production, dc=net" which worked for old Openldap server. I was able to create a ldif file for "cn=jdbc, dc=production, dc=net" which inturn produces entries with out giving any problem but if I use two "cn" names in ldif it is giving problems Thks&Rgds --Venkat

5 16

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2007