Different output with ldapsearch
by Amos Castelli
Hi all,
Can anybody tell me if the following is a bug or normal behavior?
$ ldapsearch -x -H ldap://ldap.ex.com -b ou=People,dc=ex,dc=com | grep zhiling
$ ldapsearch -x -H ldap://ldap.ex.com -b ou=People,dc=ex,dc=com "(uid=zhiling)"
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=ex,dc=com> with scope subtree
# filter: (uid=zhiling)
# requesting: ALL
#
# zhiling, People, ex.com
dn: uid=zhiling,ou=People,dc=ex,dc=com
uid: zhiling
cn: Uela Zhiling
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /usr/local/bin/bash
uidNumber: 20893
gidNumber: 30484
homeDirectory: /users/zhiling
gecos: Uela Zhiling, DCS
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Why don't I get any match with the grep command?
LDAP server version: 2.3.34
Thanks in advance,
Amos
16 years, 1 month
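What a plain grep over ldapsearch output can miss is a property of LDIF itself, so here is an added example (not from the thread) of normalising the output before grepping. ldapsearch prints LDIF per RFC 2849: a line longer than 76 characters is folded and continued on the next line after a single space, and any value that is not "safe" ASCII (non-ASCII bytes, a leading or trailing space, a leading colon or '<') is emitted base64-encoded as "attr:: <base64>". A grep pattern that spans a fold, or that targets a base64-encoded value, matches nothing even though the entry is there. The sample LDIF inside the script is constructed for the demo (the "cn" is base64 and the "gecos" is folded); the real pipeline is shown in the last comment.

```shell
#!/bin/sh
# Added example: make ldapsearch's LDIF output grep-able by undoing line
# folding and base64 encoding. Needs awk and base64(1) from coreutils.

unfold_ldif() {
    awk '
        # A leading space continues the previous logical line (RFC 2849).
        /^ / { buf = buf substr($0, 2); next }
        { if (started) print buf; buf = $0; started = 1 }
        END { if (started) print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            *::\ *)
                # "attr:: <base64>"  ->  "attr: <decoded value>"
                attr=${line%%::*}
                b64=${line#*:: }
                printf '%s: %s\n' "$attr" "$(printf '%s' "$b64" | base64 -d)"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# Constructed sample standing in for ldapsearch output: "cn" comes back
# base64-encoded and the long "gecos" value is folded after 76 characters.
sample_ldif() {
    cat <<'EOF'
# zhiling, People, ex.com
dn: uid=zhiling,ou=People,dc=ex,dc=com
uid: zhiling
cn:: VWVsYSBaaGlsaW5n
gecos: Uela Zhiling, Department of Computer Sc
 ience

# search result
search: 2
result: 0 Success
EOF
}

# Number of unfolded sample lines matching PATTERN (used by the demo below).
count_matches() {
    sample_ldif | unfold_ldif | grep -c -- "$1"
}

# Demo: "Uela Zhiling" is found twice after unfolding (cn and gecos) but
# only once in the raw LDIF, because the cn value is base64-encoded there.
echo "raw:      $(sample_ldif | grep -c 'Uela Zhiling') match(es)"
echo "unfolded: $(count_matches 'Uela Zhiling') match(es)"

# Real-world use:
#   ldapsearch -x -H ldap://ldap.ex.com -b ou=People,dc=ex,dc=com | unfold_ldif | grep zhiling
```

Note that even after unfolding, a search without a filter is limited by the server's sizelimit (500 entries by default in slapd) and by the client's; an entry that is not among the returned ones cannot be grepped for, so compare the "numEntries" trailer with the number of people you expect.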
TLS/SSL problem - unsupported certificate
by Antonio Camacho
Hi list!
I have an installation of OpenLDAP 2.3-19, and I have a problem using TLS/SSL
support:
My master server seems to work fine, but when I try to use the command
"ldapsearch -x -H ldaps://master.mydomain 'filter'", I get the following
error:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
My slapd.conf configuration:
#
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/cacerts/master.pem
TLSCertificateKeyFile /etc/openldap/cacerts/master-key.pem
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSVerifyClient demand
#
My ldap.conf configuration:
#
Base=mydomain
SIZELIMIT 0
TIMELIMIT 0
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY /etc/openldap/cacerts/master-key.pem
TLS_REQCERT demand
#
My .ldaprc configuration:
#
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CERT /etc/openldap/cacerts/master.pem
TLS_KEY /etc/openldap/cacerts/master-key.pem
TLS_REQCERT demand
#
Error:
TLS trace: SSL3 alert read:fatal:unsupported certificate
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
What does that mean? Which certificates are supported?
I'm using the same certificate for my server and my client.
I googled and found that the error probably means:
"This catch-all error message can mean a variety of things which all have to
do with an invalid certificate for this connection. It is most frequently
triggered when the CN of the certificate doesn't match the hostname of the
entity communicating. It can also be a signal that your certificate is
beyond its validity period"
But my CN and validity period are OK.
My cert is an X.509v3 certificate, and when I "read" it with openssl I get the
following, so I can read it OK:
============
openssl x509 -in master.pem.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:30:31:33:32:36
Signature Algorithm: sha1WithRSAEncryption
Issuer: L=My location, ST=My state, C=My Country/postalCode=232312/streetAddress=My address, CN=Institute , OU=Unit, O=Institute /emailAddress= ca@mydomain
Validity
Not Before: Apr 4 00:00:00 2007 GMT
Not After : Apr 3 00:00:00 2008 GMT
Subject: L=My location, ST=My state, C=My country, CN=master.mydomain, OU=Unit, O=Institute /emailAddress= ca@mydomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:53:a7:53:60:2c:57:9b:b9:2a:c8:fa:f3:8e:
55:fb:a3:43:5e:9b:10:6a:2a:14:ac:0a:e3:18:2d:
86:51:5f:6e:da:da:12:39:de:96:e2:fc:39:bc:ba:
b0:ff:10:68:91:88:d6:52:90:f3:c6:09:29:d1:24:
18:6c:e5:ea:82:ba:0b:f5:27:04:cd:19:df:9c:2e:
25:25:62:5c:d0:71:c8:0b:d4:aa:9c:55:b5:c7:72:
9c:83:fc:95:2a:69:e3:35:6e:85:19:db:3c:52:b0:
98:bd:48:ad:ba:b6:cb:d2:96:f4:7d:3c:43:4b:76:
45:f0:4b:64:1a:41:29:63:5f
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
OCSP - URI: http://1X.X:X:X:8082
X509v3 CRL Distribution Points:
URI:http://url:getcrl
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
Netscape Cert Type:
SSL Server
Signature Algorithm: sha1WithRSAEncryption
2f:81:c3:38:3b:5b:2b:df:dd:52:10:1f:7e:fa:65:03:03:96:
a3:07:9d:6b:ec:7d:7f:05:31:4d:55:81:9c:06:28:e2:21:df:
b9:ae:1f:62:e0:01:d0:46:74:01:43:50:43:00:62:40:28:f9:
be:b6:b2:14:25:00:b7:71:76:3c:20:54:30:8a:94:5b:29:52:
af:50:ef:21:db:c7:54:6c:cd:d2:58:bc:4f:26:98:fa:b8:0d:
b5:d1:1f:62:18:df:e2:02:3d:70:f1:a7:90:5a:40:74:f7:5f:
c2:8f:5d:96:73:5f:4c:b4:1f:3f:b7:49:1c:7a:65:a7:90:c8:
7a:d0:dd:04:45:0b:65:31:a7:b7:18:f8:24:a2:4c:b5:2b:3d:
3e:cd:e3:f3:69:27:40:71:bb:a7:73:d9:99:c5:fa:73:d4:98:
d3:46:2a:2e:d1:9a:45:50:36:f7:bb:f0:f9:86:95:52:d5:7d:
cc:a7:a9:74:6c:e7:ef:56:a7:b3:f8:d7:e5:c8:81:ee:2d:3e:
01:20:e7:bb:e6:3e:20:66:55:a6:12:9d:8c:51:0b:93:d4:58:
86:57:ee:72:db:8a:f5:85:f2:73:b3:ad:6c:9d:e7:b1:3a:36:
0f:99:09:5f:31:ef:4c:3c:4d:e1:f2:ba:99:74:3e:78:be:97:
de:4b:0b:0f
================
When I try ldapsearch in debug mode:
# ldapsearch -x -H ldaps://master.mydomain "uid=user" -d1
ldap_create
ldap_url_parse_ext(ldaps://master.mydomain)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP master.mydomain:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.X.X.X:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /bla bla bla ....
TLS certificate verification: depth: 0, err: 0, subject: /bla bla bla ...
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:unsupported certificate
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate
Thanks for your responses.
--
@ntonio
16 years, 1 month
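An added example, not from the thread, that reproduces the verdict offline. The debug trace above already shows the server's own certificate verifying cleanly ("depth: 1, err: 0" and "depth: 0, err: 0"); the fatal "unsupported certificate" alert only arrives after the client has written its certificate and certificate verify, so it is slapd, running with TLSVerifyClient demand, that is rejecting the client certificate. Because the same certificate is used on both sides, slapd verifies it for the "SSL client" purpose, and the extensions printed above (extendedKeyUsage = TLS Web Server Authentication only, Netscape Cert Type = SSL Server only) fail that purpose check even though the chain, the CN and the validity period are fine. The script below builds a throwaway CA and two leaf certificates, one with the posted profile and one that also carries clientAuth, then runs the two openssl checks worth running on the real files (openssl x509 -purpose, and openssl verify -purpose sslclient). All names and paths are made up for the demo; it needs openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example: why a serverAuth-only certificate is "unsupported" when
# it is presented as a *client* certificate, reproduced with openssl alone.

make_test_pki() {
    dir=$1
    # Minimal req config so the demo does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Throwaway CA (1-day lifetime).
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1 -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1

    # Leaf profile 1: the extensions the posted certificate carries.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'nsCertType = server' > "$dir/server-only.ext"
    # Leaf profile 2: what a certificate shared by slapd and ldapsearch needs.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth, clientAuth' \
        'nsCertType = server, client' > "$dir/both.ext"

    for name in server-only both; do
        openssl req -new -config "$dir/req.cnf" -subj "/CN=master.example.test" \
            -newkey rsa:2048 -nodes -sha256 \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -sha256 -in "$dir/$name.csr" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
    done
}

# Prints "Yes" or "No": does openssl consider CERT usable as an SSL client?
# (On the certificate in the post this prints "No".)
cert_purpose_ssl_client() {
    openssl x509 -in "$1" -noout -purpose | sed -n 's/^SSL client : //p'
}

# The check a TLSVerifyClient=demand server applies: chain to CA *and* be
# valid for the client purpose. Exit status 0 means accepted.
cert_ok_for_client_auth() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    for name in server-only both; do
        printf '%-12s SSL client purpose: %-3s ' "$name" \
            "$(cert_purpose_ssl_client "$d/$name.pem")"
        if cert_ok_for_client_auth "$d/ca.pem" "$d/$name.pem"; then
            echo "-> accepted as client certificate"
        else
            echo "-> rejected (the peer sees 'unsupported certificate')"
        fi
    done
    rm -rf "$d"
}
demo
```

On the real files, "openssl x509 -in master.pem -noout -purpose" and "openssl verify -purpose sslclient -CAfile cacert.pem master.pem" give the same two answers without any test PKI. The fix is on the issuing side: either issue the client (or shared) certificate with clientAuth in extendedKeyUsage and "client" in nsCertType, or use a separate client certificate and leave the server one as it is.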
documentation for security ssf-settings
by Matthias Nagl
Is there any more comprehensive documentation for the security strength
factors in the security statement than the man-page entry?
"The minssf=<factor> property specifies the minimum acceptable security
strength factor as an integer approximate to effective key length used for
encryption. 0 (zero) implies no protection, 1 implies integrity protection
only, 56 allows DES or other weak ciphers, 112 allows triple DES and other
strong ciphers, 128 allows RC4, Blowfish and other modern strong ciphers.
The default is 0."
I am especially interested in which consequences the different SSF settings
exactly have. What is really checked if I set, for example,
security transport=x sasl=y tls=z?
Additionally, I'd like to know if it is possible to set special
security settings for localhost connections, as they are always secure and
won't need encryption.
Thanks
Matthias
16 years, 1 month
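An added configuration example, not from the thread, for the two questions above. The factors named in the security directive are compared against values slapd derives per session: transport_ssf comes from the transport itself (0 for a TCP connection), tls_ssf from the negotiated TLS cipher (for example 128 for an AES-128 suite), and sasl_ssf from a SASL security layer; the overall ssf is what the session actually provides after those layers are in place, and update_ssf and simple_bind are the same check applied only to write operations and to simple binds. For the "local" case, slapd.conf(5) has localSSF, which assigns a transport SSF to sessions over the ldapi:// Unix-domain socket only; a TCP connection to 127.0.0.1 is not "local" in this sense and gets transport SSF 0. The values below are illustrative.

```conf
# Added example, not from the thread: global section of slapd.conf.
# Refuse any operation on a session weaker than 128 bits, refuse simple
# binds (cleartext passwords) on such a session, and refuse updates too.
security ssf=128 simple_bind=128 update_ssf=128

# Sessions over the ldapi:// Unix-domain socket carry no TLS or SASL layer,
# so slapd assigns them this transport SSF instead (the default is 71, which
# would fail the 128 above). It applies only to ldapi://; a TCP connection to
# 127.0.0.1 has transport SSF 0 and must still negotiate TLS or a SASL layer.
localSSF 128

# The same factors are usable per "by" clause, so a policy can be narrower
# than the global one: here the password may be written only over a session
# of at least 128 bits, while reads of other attributes are unrestricted.
access to attrs=userPassword
    by self ssf=128 write
    by anonymous auth
    by * none
access to *
    by * read
```

To see what a given session is assigned, raise the loglevel (the "conns" level logs the TLS and SASL SSF values as they are established) and compare against the factors you require before turning a new security line on in production, since a too-high requirement silently locks out every client that cannot meet it.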
slapo-ppolicy container question
by Joshua M. Miller
What is the proper structural objectClass to add a password policy
object as?
I have the following that works, although I reverted to a device for
lack of a better idea:
dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: device
pwdMaxAge: 7776000
pwdAttribute: userPassword
Thanks,
--
Joshua M. Miller - RHCE,VCP
16 years, 1 month
posixgroup and groupofnames
by James Tran
I want to be able to make a group that is authorized to be admins of the
LDAP database, but it seems I can't do it with posixGroups.
I saw that you can edit posixGroups to be groupOfNames to enable this,
but I don't want to go back and edit a bunch of posixGroups that are
already structured, so I want to just add objectClass groupOfNames to one
group that's enabled as admins.
I heard that the rfc2307bis.schema can let me do this, but I can't find
the file anywhere.
Any help, please?
16 years, 1 month
Issues with LDAP Replication
by Steven Bambling
From: steven.bambling@sunrocket.com
Subject: Issue with changes using updateref
Date: April 9, 2007 6:57:43 PM EDT
To: openldap-software@openldap.org
All,
I've been racking my brain for a while, googling and reading like
mad. I've come to a wall. I have two OpenLDAP servers set up, one as a
master and the other as a slave.
These are now working about 50%. When I make a change on the master,
it is replicated down to the slave without a problem. Yet when I
make a change on the slave, it doesn't seem to carry back up to the
master.
I've tried changing the userPassword manually through an LDAP browser
and get this effect.
On the master server I have the following configuration:
replica host=jupiter2.company.com:389
suffix="dc=sunrocket,dc=com"
binddn="cn=copycat2,dc=company,dc=com"
credentials=deargod2
bindmethod=simple
tls=yes
On the slave server I have:
#######################################################################
# BDB database definitions
#######################################################################
database bdb
checkpoint 1024 5
cachesize 1000000
suffix "dc=sunrocket,dc=com"
rootdn "cn=copycat2,dc=sunrocket,dc=com"
# Slave data
updatedn "cn=copycat2,dc=sunrocket,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw "deargod2"
Any suggestions to point me in the correct direction?
Thanks,
STEVE
16 years, 1 month
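An added configuration example, not from the thread, showing the directive the subject line names. In slurpd-style replication the slave never pushes anything "back up": the updatedn is the only identity allowed to write to the replica, and a write from any other identity is simply refused unless updateref is set, in which case slapd answers with a referral (LDAP result 10) pointing at the master, and it is then up to the client to follow it (OpenLDAP's ldapmodify prints "Referral (10)" and only chases it with -C; a GUI browser may or may not). The posted slave config has updatedn but no updateref. The hostname master.company.com below is assumed; the DNs are the ones from the post. Two things to check against the posted configuration: the master's "replica ... binddn=" must be the same DN as the slave's updatedn (as posted they differ, dc=company versus dc=sunrocket), and rootpw should hold the hash printed by slappasswd rather than the cleartext value shown.

```conf
# Added example, not from the thread: slave database section for
# slurpd-style replication. Hostname master.company.com is assumed.
database   bdb
checkpoint 1024 5
cachesize  1000000
suffix     "dc=sunrocket,dc=com"

# Administrative identity, kept separate from the replication identity.
rootdn     "cn=admin,dc=sunrocket,dc=com"
# Paste the output of "slappasswd -h {SSHA}" here; never a cleartext value.
rootpw     {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# Only this DN may write to the replica; it must be the DN the master binds
# with in its "replica ... binddn=" line.
updatedn   "cn=copycat2,dc=sunrocket,dc=com"
# Every other write attempt is answered with a referral to the master
# instead of being applied only on the slave.
updateref  ldap://master.company.com
```

With updateref in place, a password change made against the slave is redirected to the master, applied there, and then replicated down, which is the only path by which it can reach both servers.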
An ACL question
by Rob Tanner
Hi,
I understand the general rule for ordering ACLs, but the application
still sometimes throws me.
In my people hierarchy, I need several attributes to be visible to
anonymous connections: uid and mail. Here's my original set of ACLs:
access to dn.one="ou=people,o=linfield.edu"
attrs=userpassword
by anonymous auth
access to dn.one="ou=people,o=linfield.edu"
by dn="cn=Postfix,ou=Special Users,o=linfield.edu" read
by group/linfieldGroupOfUniqueNames/uniqueMember="cn=ferpa administrators,ou=People,o=linfield.edu" read
by self read
access to dn.one="ou=people,o=linfield.edu"
attrs=userPassword,maillocaladdress,useDefaultAlias,spamDisposition,checkForDirtyWords
by self write
I have added the following ACL in every conceivable location (the top,
the bottom, and the two in-betweens) and I still can't access the fields
anonymously:
access to dn.one="ou=people,o=linfield.edu"
attrs=uid,mail
by * read
What am I doing wrong here?
Thanks,
Rob
--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
16 years, 1 month
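An added illustration, not part of the thread, of how slapd evaluates a ruleset like the one above. Two rules from slapd.access(5) matter here. First, only the first "access to" clause whose <what> part matches the (entry, attribute) pair being checked is consulted; if none of its "by" clauses apply, the implicit "by * none" ends evaluation and later clauses are never reached. Second, to return an entry in a search result the requester also needs read access to the "entry" pseudo-attribute, which "attrs=uid,mail" does not cover. In the original ordering the second clause matches every attribute of every person, "entry" included, and grants anonymous nothing, which is why adding the uid/mail rule at the bottom cannot work, and why adding it at the top still returns no entries (uid and mail are readable, but "entry" is still denied by the clause that follows). The same first-match rule also means the original third clause never applies, since the second already matched. Below is a reordering that grants anonymous the two attributes plus entry, keeps userPassword limited to self write and anonymous auth, and preserves the other grants; the DNs are the ones from the post.

```conf
# Added example, not from the thread: the posted ruleset reordered so that
# the most specific clauses come first and "entry" is granted explicitly.
access to dn.one="ou=people,o=linfield.edu" attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.one="ou=people,o=linfield.edu" attrs=uid,mail,entry
    by * read
access to dn.one="ou=people,o=linfield.edu"
    attrs=maillocaladdress,useDefaultAlias,spamDisposition,checkForDirtyWords
    by self write
    by dn="cn=Postfix,ou=Special Users,o=linfield.edu" read
    by * none
access to dn.one="ou=people,o=linfield.edu"
    by dn="cn=Postfix,ou=Special Users,o=linfield.edu" read
    by group/linfieldGroupOfUniqueNames/uniqueMember="cn=ferpa administrators,ou=People,o=linfield.edu" read
    by self read
```

Read access implies search access, so anonymous filters on uid or mail work as well; nothing else about a person is exposed because the last clause still ends with the implicit "by * none". When an ACL change behaves unexpectedly, slapacl(8) evaluates a single (entry, attribute, requester) triple against the configuration offline and reports which clause decided it.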
nisNetgroupTriple trouble
by Ryan Lovett
I turned up the logging on the OpenLDAP server and spotted several
instances of:
get_ava: illegal value for attributeType nisNetgroupTriple
I've looked over RFC 2307 and the values stored in OpenLDAP seem to be
consistent with the defined syntax. Additionally, the server did not object
when I inserted the data so I don't know why there is a problem when
reading it.
Is there a specific loglevel setting that will tell me more precisely what
is going on? I bumped it up enough for it to show me:
slapd[26143]: get_ava: illegal value for attributeType nisNetgroupTriple
slapd[26143]: end get_filter 0
slapd[26143]: begin get_filter
slapd[26143]: EQUALITY
slapd[26143]: get_ava: illegal value for attributeType nisNetgroupTriple
slapd[26143]: end get_filter 0
slapd[26143]: begin get_filter
slapd[26143]: SUBSTRINGS
slapd[26143]: begin get_ssa
slapd[26143]: error=18
slapd[26143]: end get_filter 0
slapd[26143]: begin get_filter
slapd[26143]: get_filter: unknown filter type=130
slapd[26143]: end get_filter 0
slapd[26143]: begin get_filter
slapd[26143]: EQUALITY
slapd[26143]: get_ava: illegal value for attributeType nisNetgroupTriple
slapd[26143]: end get_filter 0
slapd[26143]: begin get_filter
slapd[26143]: EQUALITY
slapd[26143]: get_ava: illegal value for attributeType nisNetgroupTriple
slapd[26143]: end get_filter 0
"error=18" and "unknown filter type=130" searches haven't led me to a
solution.
Thanks for your time,
Ryan
16 years, 1 month
LDIF format question for Openldap-2.3.27
by Venkat Reddy Valluri
Hi,
I installed OpenLDAP 2.3.27. How can I create an LDIF-format file
for "cn=testApp, cn=jdbc, dc=production, dc=net", which worked for the old OpenLDAP server?
I was able to create an LDIF file for "cn=jdbc, dc=production, dc=net", which in turn produces entries without giving any problem,
but if I use two "cn" names in the LDIF it gives problems.
Thanks & regards,
--Venkat
16 years, 2 months