openldap-software May 2007

openldap-software@openldap.org

85 participants
123 discussions

TLS authentication for slurpd
by Adam Brandizzi 14 May '07

14 May '07

Hello! Is it possible to configure slurpd for authenticating on its slave slapd servers using TLS/SASL EXTERNAL? If so, how do I configure it to use a specific X.509 certificate? Thangs in advance! -- Adam Victor Nazareth Brandizzi http://brandizzi.googlepages.com

3 2

acl entry causes segfault
by Markus Krause 14 May '07

14 May '07

Hi list! i am using OpenLDAP 2.3.34-5.2 on a SLES10 server. in my LDAP database i am using the attribute "description" in some cases to store information which i do not want to be readable by everyone. to prevent it for all users but "admin" is use the following acl entry in slapd.conf: ---- slapd.conf access to attrs=description by dn="cn=Admin,o=test" write by group.exact="cn=Admingroup,ou=ACL,o=test" write by * none ---- slapd.conf this works but denies access to all but admin and members of group admingroup. the i tried to set the following acl which should only deny access to the description field in a subtree: ---- slapd.conf access to dn.subtree="ou=people,o=test" attrs=description by dn="cn=Admin,o=test" write by group.exact="cn=Admingroup,o=test" write by * none ---- slapd.conf this leads to a segmentation fault, the last lines of the debug output is: --- slapd -d 65535 config_build_entry: "cn={9}misc" config_build_entry: "olcDatabase={-1}frontend" Segmentation fault --- so i obviously am doing something very wrong! how can i allow or deny access to some attributes in a specific subtree? thanks in advance for any hints! regards markus +-----------------------------------------------------------------+ | Markus Krause, Mogli-Soft | | Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL | | by order of the | | Computing Center of the Max-Planck-Institute of Biochemistry | +--------------------------------+--------------------------------+ | E-Mail: krause(a)biochem.mpg.de | Tel.: 089 - 89 40 85 99 | | markus.krause(a)mac.com | Fax.: 089 - 89 40 85 98 | | Skype: markus.krause | iChat: markus.krause(a)mac.com | +--------------------------------+--------------------------------+ ---------------------------------------------------------------------- This message was sent using https://webmail2.biochem.mpg.de If you encounter any problems please report to rz-linux(a)biochem.mpg.de

2 5

slapd cores
by Dmitriy Kirhlarov 14 May '07

14 May '07

Hi, list. I'm using openldap-server-2.3.35 on FreeBSD 6.2-STABLE (Feb 19). I have reproduceble crash of slapd on this host. But I can't reproduce it on other server (FreeBSD 6.1-STABLE Aug 2). Database is fine (I dump and restore it), changing thread library doesn't help too. Some information from core: (gdb) bt 0x2837f537 in pthread_testcancel () from /lib/libpthread.so.2 0x2836e89a in sigaction () from /lib/libpthread.so.2 0x2836888d in pthread_kill () from /lib/libpthread.so.2 0x28368256 in raise () from /lib/libpthread.so.2 0x28442e34 in abort () from /lib/libc.so.6 0x2841f060 in __assert () from /lib/libc.so.6 0x080aad9e in entry_schema_check () 0x286908a3 in bdb_add (op=0xcecfa0c0, rs=0xcecfa080) at add.c:63 0x080ec0b5 in overlay_init () 0x080db272 in glue_sub_init () 0x08080a75 in slap_req2res () 0x080818ac in slap_send_ldap_result () 0x08113e35 in translucent_initialize () 0x080db309 in overlay_op_walk () 0x080db543 in overlay_op_walk () 0x080db650 in overlay_op_walk () 0x0808b0c6 in fe_op_modify () 0x0808a33e in do_modify () 0x0806fb84 in connection_done () 0x281b36ad in ldap_int_thread_pool_wrapper () from /usr/local/lib/libldap_r-2.3.so.2 0x283703a5 in pthread_create () from /lib/libpthread.so.2 0x2842e3df in _ctx_start () from /lib/libc.so.6 (gdb) info threads 6 Thread 0x818b000 (sleeping) 0x28377f9b in pthread_mutexattr_init () from /lib/libpthread.so.2 5 Thread 0x8267200 (LWP 100039) 0x2837f4f7 in pthread_testcancel () from /lib/libpthread.so.2 4 Thread 0x8267a00 (runnable) 0x2844658b in select () from /lib/libc.so.6 3 Thread 0x8267c00 (sleeping) 0x28377f9b in pthread_mutexattr_init () from /lib/libpthread.so.2 * 2 Thread 0x8267e00 (LWP 100141) 0x2837f537 in pthread_testcancel () from /lib/libpthread.so.2 1 Thread 0x8274000 (sleeping) 0x28377f9b in pthread_mutexattr_init () from /lib/libpthread.so.2 Can somebody help me? WBR Dmitriy

5 7

Re: backend relay with empty suffix
by Pierangelo Masarati 14 May '07

14 May '07

Nikos Voutsinas wrote: > Is there is going to be a 2.3.36 release? When motivated and ready, yes. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it ---------------------------------------

1 0

ldap rwm-rewriteMap binddn
by greg3d＠free.fr 14 May '07

14 May '07

Hi, I am in the configuration described in the slapo-rwm man pages : # Bind with email instead of full DN: we first need # an ldap map that turns attributes into a DN (the # argument used when invoking the map is appended to # the URI and acts as the filter portion) rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub" My problem is for doing this query ( obtains the dn of the personn from his mail attribut ), I need to be "bindded". I have the binddn and the password but I don't know how to specify it the ldap:// URI Could you indicate me, how to specify the binddn and the password in the URI ? Thanks you Gregory

2 4

auth-regexp with SASL/EXTERNAL
by Dieter Kluenter 12 May '07

12 May '07

Hi, I'm testing OpenLDAP-2.4.4alpha, this is my ~/.ldaprc, please note the URI statement: ,----[ .ldaprc ] | TLS_REQCERT try | TLS_CACERT /home/dieter/certs/kluenterCA.pem | BASE o=avci,c=de | URI ldapi://%2Fusr%2Flocal%2Fvar%2Frun%2Fldapi `---- and this is part of cn=config ,----[ cn=config ] | olcAuthzRegexp: {1}"gidNumber=(.*)\+uidNumber=(.*),cn=peercred,cn=external,cn= | auth" "ldap:///o=avci,c=de??sub?(&(uidNumber=$2)(gidNumber=$1))" `---- When doing ldapwhoami I get ,----[ ldapwhoami ] | :~> ldapwhoami -Yexternal | SASL/EXTERNAL authentication started | SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth | SASL SSF: 0 | dn:gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth `---- while ldapsearch supplies the correct answer: ,----[ ldapsearch ] | :~> ldapsearch -LLL -Ydigest-md5 "(&(uidNumber=1000)(gidNumber=100))" dn | SASL/DIGEST-MD5 authentication started | Please enter your password: | SASL username: dieter | SASL SSF: 128 | SASL data security layer installed. | dn: cn=Dieter Kluenter,ou=Partner,o=avci,c=de `---- the slapd auth-regexp has not been changed for ages and worked perfectly until now, what has changed that makes my auth-regexp not working anymore? -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

1 0

slapd + TLS + verify client is not working as expected
by Andreas Roth 12 May '07

12 May '07

Hello, i'm using slapd 2.3.30 on a Ubuntu 7.04 AMD64 machine and i've have some trouble to get it running with TLS. When the slapd daemon is started during the system start-up i cannot connect to the LDAP server with TLS. After a long search i figured out, that the slapd daemon requests a client certificate, but i haven't configured the server to do so. Here is the TLS configuration of slapd: TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSVerifyClient never TLSCACertificateFile /etc/ldap/certs/root.crt #TLSCACertificatePath /etc/ldap/certs TLSCertificateFile /etc/ldap/certs/ldap.arsoft.homeip.net.crt TLSCertificateKeyFile /etc/ldap/private/ldap.arsoft.homeip.net.pem And here's what the server says when i connect to it using ldapsearch -x -ZZ ... TLS trace: SSL_accept:SSLv3 flush data tls_read: want=5 error=Resource temporarily unavailable TLS trace: SSL_accept:error in SSLv3 read client certificate A TLS trace: SSL_accept:error in SSLv3 read client certificate A daemon: select: listen=6 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 11r daemon: read activity on 11 connection_get(11) connection_get(11): got connid=187 connection_read(11): checking for input on id=187 tls_read: want=5, got=5 0000: 16 03 01 00 07 ..... tls_read: want=7, got=7 0000: 0b 00 00 03 00 00 00 ....... tls_write: want=7, written=7 0000: 15 03 01 00 02 02 28 ......( TLS trace: SSL3 alert write:fatal:handshake failure TLS trace: SSL_accept:error in SSLv3 read client certificate B TLS: can't accept. TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate s3_srvr.c:2455 connection_read(11): TLS accept failure error=-1 id=187, closing connection_closing: readying conn=187 sd=11 for close connection_close: conn=187 sd=11 The interesting thing is, that when i restart the slapd daemon manually, the server works fine and TLS is also working. I don't known if this porblem is really a bug or not, but i don't know how to solve this problem by myself. Any help or advise is welcomed. Thanks, A. Roth

1 0

cn=schema,cn=config schema insertion
by Eric Irrgang 11 May '07

11 May '07

My impression was that the ordered elements in cn=config were supposed to get dynamically updated such that adding an entry with a specific cn={number}commonname... would cause the entries of 'number' and higher to be incremented. Is that correct? In openldap 2.3.34, when I ldapadd cn={14}customschemaC,cn=schema,cn=config, the cn={14}customschemaB,cn=schema,cn=config entry is not renumbered. Is that appropriate? Is that okay or likely to break something? Has this been fixed or should I file an ITS? -- Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342

3 2

Minimal OpenLDAP server source
by Joe Flowers 11 May '07

11 May '07

Sorry for the OpenLDAP noob question: Analogous to the OpenSSL "minimal ssleay server" (minimal SSL server) at /openssl-0.9.8e.tar/openssl-0.9.8e/demos/ssl/serv.cpp, is there a "minimal" OpenLDAP server source code snippet as well? Thank you! Joe

4 10

backend relay with empty suffix
by Nikos Voutsinas 11 May '07

11 May '07

Hi all, I tried the following (please note the empty suffix in relay's database definition) with an openldap-2.3.35: #------------- database bdb suffix "dc=real,dc=naming,dc=context" access to * attrs=userPassword by anonymous auth by * none # other database specific ACLs access to * by * none #-------------- database relay suffix "" relay "dc=real,dc=naming,dc=context" massage access to * attrs=userPassword by anonymous auth by * none # translated the previous set of ACLs as slapd-relay manual indicates access to * by * none #----------------- Access to the real naming context (using BindDN and BasedDN on top of dc=real,dc=naming,dc=context) fails with the following error => bdb_search bdb_dn2entry("dc=real,dc=naming,dc=context,dc=real,dc=naming,dc=context") => bdb_dn2id("dc=real,dc=naming,dc=context") <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) at the same time access to the virtual naming context (binddn: uid=myuid, basedn: uid=myuid) operates as expected. Normal access to the real naming context is restored by removing the declaration of relay database. Questions: 1. What is the status with the usage of empty suffixes? Is this the cause of the problem here? 2. How the relay,massage pair differs from overlay,suffixmassage in relay database? 3. Could slapo-rwm be used as a workaround to this problem? BTW: slapd segfaults when I replace the relay,massage pair with overlay,suffixmassage. Thanks,

2 1

← Newer
1
...
6
7
8
9
10
11
12
13
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software May 2007