openldap-software June 2007

openldap-software@openldap.org

86 participants
106 discussions

Backend meta as a module errors
by Alexandre DUVAL 19 Jun '07

19 Jun '07

Hello, I tried hard but I can't manage to get back-meta to work as a module with OpenLDAP 2.3.34 to 2.3.35. (I'm actually trying to backport the Debian last "slapd-2.3.35" to "Etch" ) However, compiling back-meta and back-ldap --enable-ldap --enable-meta seems to solve my problem ... but why ? Here's the error message I get : @(#) $OpenLDAP: slapd 2.3.35 (Jun 15 2007 09:41:15) $ root@Lena:/root/openldap/sources/openldap-2.3.35/servers/slapd /usr/local/2.3.35/slapd-meta.conf: line 61: "pseudorootdn", "pseudorootpw" are no longer supported; use "idassert-bind" and "idassert-authzFrom" instead. /usr/local/2.3.35/libexec/slapd: symbol lookup error: /usr/local/2.3.35/libexec/ldap/back_meta-2.3.so.0: undefined symbol: slap_idassert_parse_cf The build options : ./configure --prefix=/usr/local/2.3.35 --exec-prefix=/usr/local/2.3.35 --enable-debug --enable-dynamic --enable-syslog --enable-proctitle --enable-ipv6 --enable-local --enable-slapd --enable-aci --enable-cleartext --enable-crypt --enable-spasswd --enable-modules --enable-rewrite --enable-rlookups --enable-slapi --enable-slp --enable-wrappers --enable-backends=mod --enable-ldbm=no --enable-overlays=mod --enable-slurpd --with-subdir=ldap --with-cyrus-sasl --with-threads --with-tls The config file : include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/nis.schema pidfile /var/run/slapd/slapd2.3.35.pid argsfile /var/run/slapd/slapd2.3.35.args loglevel stats # Where the dynamically loaded modules are stored modulepath /usr/local/2.3.35/libexec/ldap moduleload back_ldap.la moduleload back_meta.la database meta suffix "o=test,c=fr" rootdn "cn=proxy,o=test,c=fr" rootpw secretlies uri "ldap://10.56.20.30:389/ou=toto,o=test,c=fr" pseudorootdn cn=proxy,ou=applications,ou=tata,o=test,c=fr pseudorootpw secret2 uri "ldap://10.65.23.19:389/ou=tata,o=test,c=fr" pseudorootdn cn=proxy,ou=applications,ou=toto,o=test,c=fr pseudorootpw secret3 map attribute affe sage Thanks for your advices ... Alexandre DVL ___________________________________________________________________________________ You snooze, you lose. Get messages ASAP with AutoCheck in the all-new Yahoo! Mail Beta. http://advision.webevents.yahoo.com/mailbeta/newmail_html.html

6 6

Re: Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL
by Markus Moeller 19 Jun '07

19 Jun '07

Howard, I use OpenSuse 10.2 with libldap-2.3.so.0.2.15 and if I have an empty ~/.ldaprc file ldap_start_tls_s comes back with error -11 Connect error ldap_int_select read1msg: ld 0x8054608 msgid 1 all 1 read1msg: ld 0x8054608 msgid 1 message type extended-result read1msg: ld 0x8054608 0 new referrals read1msg: mark request completed, ld 0x8054608 msgid 1 request done: ld 0x8054608 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ldap_parse_result ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_err2string Error while setting start_tls for ldap server: Connect error(-11) ldap_free_connection 1 1 ldap_send_unbind When I add tls_reqcert allow to ~/.ldaprc I get ldap_int_select read1msg: ld 0x8054608 msgid 1 all 1 read1msg: ld 0x8054608 msgid 1 message type extended-result read1msg: ld 0x8054608 0 new referrals read1msg: mark request completed, ld 0x8054608 msgid 1 request done: ld 0x8054608 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ldap_parse_result ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to get local issuer certificate TLS certificate verification: depth: 0, err: 27, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, certificate not trusted TLS certificate verification: depth: 0, err: 21, subject: /CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to verify the first certificate TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A TLS trace: SSL3 alert write:warning:bad certificate TLS: unable to get peer certificate. Successfully set up TLS protected connection to ldap server w2k3.windows2003.home:389 So, this setting definitely does something !! Regards Markus ----- Original Message ----- From: "Howard Chu" <hyc(a)symas.com> Newsgroups: gmane.network.openldap.general To: "Markus Moeller" <huaraz(a)moeller.plus.com> Cc: <openldap-software(a)openldap.org> Sent: Tuesday, June 19, 2007 12:33 AM Subject: Re: Question about ldap_init, ldap_initialize, start_tls,LDAP_OPT_X_TLS_ALLOW and TLS/SSL > Markus Moeller wrote: >> But it is allowed to be set in ldap.conf, > > That doesn't necessarily mean anything. Lots of things can be set in > ldap.conf that don't mean anything at all, since the parser ignores any > keywords it doesn't recognize. > > What evidence do you have that this particular setting actually does > anything? A quick scan of the source code proves that it actually does > nothing. > >> so why can't or shouldn't I be able to set it in my client without the >> pain of checking all the different config files ldap.conf, .ldaprc, >> ldaprc ... I'd like to be able to control my client options without the >> use of config files. > > Go ahead and do that then. But don't waste time with options that don't > actually have any meaning. >> >> Regards >> Markus >> >> ----- Original Message ----- >> From: "Howard Chu" <hyc(a)symas.com> >> To: "Markus Moeller" <huaraz(a)moeller.plus.com> >> Cc: <openldap-software(a)openldap.org> >> Sent: Tuesday, June 19, 2007 12:01 AM >> Subject: Re: Question about ldap_init, ldap_initialize, start_tls, >> LDAP_OPT_X_TLS_ALLOW and TLS/SSL >> >> >>> Markus Moeller wrote: >>>> Does anybody have some sample code of how to use LDAP_OPT_X_TLS_ALLOW >>>> in a client program with ldap_start_tls_s ? >>>> Is it a bug if it doesn't work ? >>> The LDAP_OPT_X_TLS option is incompatible with ldap_start_tls. You >>> cannot use both together. In general, the LDAP_OPT_X_TLS option is >>> deprecated and should not be used at all. > > -- > -- Howard Chu > Chief Architect, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ >

2 2

Question about ldap_init, ldap_initialize, start_tls, LDAP_OPT_X_TLS_ALLOW and TLS/SSL
by Markus Moeller 19 Jun '07

19 Jun '07

I am new to Openldap and TLS/SSL. I have two small test programs (see details below). The first uses ldap_init the second ldap_initalize. My observation is: 1) Using ldap_init, ldap_start_tls_s and set LDAP_OPT_X_TLS_ALLOW (empty ldap.conf) It does not connect on port 389 nor 636 2) Using ldap_init,ldap_start_tls_s and set LDAP_OPT_X_TLS_ALLOW (emprty ldap.conf and only TLS_REQCERT ALL in ldaprc) It does not connect on port 636 but it does on port 389 3) Using ldap_initialize and set LDAP_OPT_X_TLS_ALLOW (empty ldap.conf) It does not connect on port 389 nor 636 4) Using ldap_initialize and set LDAP_OPT_X_TLS_ALLOW (empty ldap.conf and only TLS_REQCERT ALL in ldaprc) It does not connect on port 389 but it does on port 636 My first question is why does val = LDAP_OPT_X_TLS_ALLOW; ldap_set_option (ld, LDAP_OPT_X_TLS, &val); not work ? Secondly why behaves ldap_init different to ldap_initialize ? Thirdly what do I need to do to be able to use TLS/SSL on either port 389 or 636 ? Thank you Markus +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ldap_debug = -1 /*LDAP_DEBUG_ANY */ ; (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug); if (strstr(argv[1],"://") ) { hostname=strstr(argv[1],"://")+3; ssl=strstr(argv[1],"ldaps://"); host=strdup(hostname); port=389; if ((p=strchr(host,':'))) { *p='\0'; p++; port=atoi(p); } } ld = (LDAP *)ldap_init(host,port); val = LDAP_VERSION3; (void)ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val); (void)ldap_set_option(ld, LDAP_OPT_REFERRALS , LDAP_OPT_ON); ldap_start_tls_s(ld, NULL, NULL); val = LDAP_OPT_X_TLS_ALLOW; ldap_set_option (ld, LDAP_OPT_X_TLS, &val); . . . ./ldap_test ldaps://w2k3.windows2003.home:636 "DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd ldap_create ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP w2k3.windows2003.home:636 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 192.168.1.5:636 ldap_connect_timeout: fd: 4 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ldap_result ld 8065c90 msgid 1 ldap_chkResponseList ld 8065c90 msgid 1 all 1 ldap_chkResponseList returns ld 8065c90 NULL wait4msg ld 8065c90 msgid 1 (infinite timeout) wait4msg continue ld 8065c90 msgid 1 all 1 ** ld 8065c90 Connections: * host: w2k3.windows2003.home port: 636 (default) refcnt: 2 status: Connected last used: Tue Jun 5 23:02:11 2007 ** ld 8065c90 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 8065c90 Response Queue: Empty ldap_chkResponseList ld 8065c90 msgid 1 all 1 ldap_chkResponseList returns ld 8065c90 NULL ldap_int_select read1msg: ld 8065c90 msgid 1 all 1 ber_get_next failed. ldap_err2string ldap_test Error while setting start_tls for ldap server: Can't contact LDAPserver ldap_free_request (origid 1, msgid 1)ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed ./ldap_test ldaps://w2k3.windows2003.home:389 "DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd ldap_createldap_extended_operation_s ldap_extended_operation ldap_send_initial_requestldap_new_connection 1 1 0 ldap_int_open_connectionldap_connect_to_host: TCP w2k3.windows2003.home:389 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 192.168.1.5:389 ldap_connect_timeout: fd: 4 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ldap_result ld 8065c90 msgid 1 ldap_chkResponseList ld 8065c90 msgid 1 all 1 ldap_chkResponseList returns ld 8065c90 NULL wait4msg ld 8065c90 msgid 1 (infinite timeout) wait4msg continue ld 8065c90 msgid 1 all 1 ** ld 8065c90 Connections: * host: w2k3.windows2003.home port: 389 (default) refcnt: 2 status: Connected last used: Tue Jun 5 23:00:34 2007 ** ld 8065c90 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 8065c90 Response Queue: Empty ldap_chkResponseList ld 8065c90 msgid 1 all 1 ldap_chkResponseList returns ld 8065c90 NULL ldap_int_select read1msg: ld 8065c90 msgid 1 all 1 read1msg: ld 8065c90 msgid 1 message type extended-result new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: ld 8065c90 0 new referrals read1msg: mark request completed, ld 8065c90 msgid 1 request done: ld 8065c90 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ldap_parse_result ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject:/CN=w2k3.windows2003.home, issuer:/DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_err2string ldap_free_connection 1 1 ldap_send_unbind ldap_free_connection: actually freed With ~/.ldaprc TLS_REQCERT ALLOW ./ldap_test ldaps://w2k3.windows2003.home:389 "DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd ldap_createldap_extended_operation_sldap_extended_operationldap_send_initial_requestldap_new_connection 1 1 0ldap_int_o pen_connection ldap_connect_to_host: TCP w2k3.windows2003.home:389 ldap_new_socket: 4ldap_prepare_socket: 4 ldap_connect_to_host: Trying 192.168.1.5:389 ldap_connect_timeout: fd: 4 tm: -1 async: 0ldap_open_defconn: successful ldap_send_server_request ldap_result ld 8065c90 msgid 1 ldap_chkResponseList ld 8065c90 msgid 1 all 1 ldap_chkResponseList returns ld 8065c90 NULL wait4msg ld 8065c90 msgid 1 (infinite timeout) wait4msg continue ld 8065c90 msgid 1 all 1 ** ld 8065c90 Connections: * host: w2k3.windows2003.home port: 389 (default) refcnt: 2 status: Connected last used: Tue Jun 5 23:04:26 2007 ** ld 8065c90 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 8065c90 Response Queue: Empty ldap_chkResponseList ld 8065c90 msgid 1 all 1 ldap_chkResponseList returns ld 8065c90 NULL ldap_int_select read1msg: ld 8065c90 msgid 1 all 1 read1msg: ld 8065c90 msgid 1 message type extended-result new result: res_errno: 0, res_error: <>, res_matched: <> read1msg: ld 8065c90 0 new referrals read1msg: mark request completed, ld 8065c90 msgid 1 request done: ld 8065c90 msgid 1res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ldap_parse_result ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject:/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to get local issuer certificateTLS certificate verification: depth: 0, err: 27, subject:/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, certificate not trusted TLS certificate verification: depth: 0, err: 21, subject:/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to verify the first certificate TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A TLS trace: SSL3 alert write:warning:bad certificate TLS: unable to get peer ertificate. ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ldap_result ld 8065c90 msgid 2 ldap_chkResponseList ld 8065c90 msgid 2 all 1 ldap_chkResponseList returns ld 8065c90 NULL wait4msg ld 8065c90 msgid 2 (infinite timeout) wait4msg continue ld 8065c90 msgid 2 all 1 ** ld 8065c90 Connections: * host: w2k3.windows2003.home port: 389 (default) refcnt: 2 status: Connected last used: Tue Jun 5 23:04:26 2007 ** ld 8065c90 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ** ld 8065c90 Response Queue: Empty +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ldap_debug = -1 /*LDAP_DEBUG_ANY */ ; (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug); ldap_initialize(ld,argv[1]); val = LDAP_VERSION3; (void)ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &val); (void)ldap_set_option(ld, LDAP_OPT_REFERRALS , LDAP_OPT_ON); val = LDAP_OPT_X_TLS_ALLOW; ldap_set_option (ld,LDAP_OPT_X_TLS, &val); . . . ./ldap_test ldaps://w2k3.windows2003.home:636 "DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd ldap_create ldap_url_parse_ext(ldaps://w2k3.windows2003.home:636) ldap_err2string ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP w2k3.windows2003.home:636 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 192.168.1.5:636 ldap_connect_timeout: fd: 4 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject:/CN=w2k3.windows2003.home, issuer:/DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_err2string Can'tcontact LDAP server ./ldap_test ldaps://w2k3.windows2003.home:389 "DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd ldap_create ldap_url_parse_ext(ldaps://w2k3.windows2003.home:389) ldap_err2string ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP w2k3.windows2003.home:389 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 192.168.1.5:389 ldap_connect_timeout: fd: 4 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS: can't connect. ldap_err2string Can'tcontact LDAP server With ~/.ldaprc TLS_REQCERT ALLOW ./ldap_test ldaps://w2k3.windows2003.home:636 "DC=WINDOWS2003,DC=HOME""CN=Markus,CN=USERS,DC=WINDOWS2003,DC=HOME" Passwd ldap_create ldap_url_parse_ext(ldaps://w2k3.windows2003.home:636) ldap_err2string ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP w2k3.windows2003.home:636 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 192.168.1.5:636 ldap_connect_timeout: fd: 4 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject:/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to get local issuer certificateTLS certificate verification: depth: 0, err: 27, subject:/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, certificate not trusted TLS certificate verification: depth: 0, err: 21, subject:/CN=w2k3.windows2003.home, issuer: /DC=home/DC=windows2003/CN=Windows2003CA TLS certificate verification: Error, unable to verify the first certificateTLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec ATLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A TLS trace: SSL3 alert write:warning:bad certificate TLS: unable to get peer certificate. ldap_open_defconn: successful ldap_send_server_request ldap_result ld 8065c58 msgid 1 ldap_chkResponseList ld 8065c58 msgid 1 all 1 ldap_chkResponseList returns ld 8065c58 NULL wait4msg ld 8065c58 msgid 1 (infinite timeout) wait4msg continue ld 8065c58 msgid 1 all 1 ** ld 8065c58 Connections: * host: w2k3.windows2003.home port: 636 (default) refcnt: 2 status: Connected last used: Tue Jun 5 22:55:02 2007 ** ld 8065c58 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 8065c58 Response Queue: Empty

5 10

search practice
by Piotr Wadas 19 Jun '07

19 Jun '07

Hello, Using openldap 2.3.35. I have some simpleString like "aaaBBBcccDDDeeeFFF", and I want to find entries, in which a specified attribute "mySearchAttr" has values like entry 1: mySearchAttr=aaaBBBcccDD entry 2: mySearchAttr=aa entry 3: mySearchAttr=aaaBBBc entry 4: mySearchAttr=aaaBBBcccDDDeeeFFF and example entries which should NOT be covered by search: entry 5: mySearchAttr=aaaBBBcccDDDeeeFFFgggHHH entry 6: mySearchAttr=XXXyyyZZZaaaBBBcccDDDeeeFFFxxxYYYzzz entry 7: mySearchAttr=XXXyyyZZZaaaBBBcccXXXyyyZZZ and so on. In other words, I want to find all entries having a value of mySearchAttr attribute starting with the same characters as simpleString, and shorter than or equal to simpleString. What would be best practice to do such search? I imagined three versions: a. iterate over simpleString from 0 to strlen(simpleString) - 1, and do a search for "mySearchAttr=a", then for "mySearchAttr=aa", ..., then for "mySearchAttr=aaaBBBcccDDD" and so on until end of simpleString is reached. But this would be probably inefficient, regarding number of searches. b. iterate over simpleString from 0 to strlen(simpleString) -1, and build a really long filter from all partial strings, like (|(mySearchAttr=a)(mySearchAttr=aa)(mySearchAttr=aaa)...) but the string may be even 100+ characters long, so filter would have 100+ conditions in it, which also seems not so well). c. find all entries which have (myAttrSearch=*), sort by myAttrSearch, and then iterate over search result, to extract final set of entries, which have myAttrSearch matching all partial strings of simpleString. But actually I don't even need to know all strings, I need only the first one found. On one hand - simpleString may be long. on the other hand - number of entries (c) may hundreds, or even thousands of entries, and all partial strings of simpleString should be compared to each value of mySearchAttr attribute. Finally I search for mySearchAtt=*, then I sort, next I iterate over search result, and for each entry, and each attribute value, next if the value is shorter than or equal to simpleString, I iterate over all partial strings (starting from left), and matching by some strcasecmp - all of this until the first is found. Even some regex value matching wouldn't be solution for "aa", ..., "aaaBBB",... Any hints ? Actually mySearchAttr keeps for me some filesystem object name string. Knowing some fsobject name like /some/dir/subfileordir, I want to find all entries, which are related to objects _above_ my fsobject in filesystem directory tree. I have no special characters in directory and file names, only letters, digits and slashes. This actually is used to check some fs directory access permissions - to determine whether access to /some/sub/dir/or/file should be granted, I need to make sure, that there's no above object which restricts access, it should work like http access control. Isn't there really some filter to cover this? Did I miss something trivial? :) Regards, Piotr

1 1

Api OpenLdap C++
by Eder 19 Jun '07

19 Jun '07

Hello all, I am having problems to compile the code below with C++, in the version oldest of the OpenLdap I did not have this problem. =============code==================== extern "C" { #include <stdio.h> #include <ldap.h> } #define HOSTNAME "ldap://ldap.cb.sc.gov.br:389" #define PORTNUMBER 389 int main(int argc, char *argv[]) { LDAP *ld; char *dn; int version, rc; const char *root_dn = "uid=edm,ou=Users,dc=cb,dc=sc,dc=gov,dc=br"; char *root_pass = "passtest"; printf("Connecting %s in port %d...\n\n", HOSTNAME, PORTNUMBER); rc = ldap_initialize(&ld, HOSTNAME); if ( rc != LDAP_SUCCESS ) { printf("Error !"); } version = LDAP_VERSION3; ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version); rc = ldap_simple_bind_s(ld, root_dn, root_pass, LDAP_AUTH_SIMPLE ); if (rc != LDAP_SUCCESS) { fprintf(stderr, "Error: %s\n", ldap_err2string(rc)); return (1); } ldap_unbind(ld); return(0); } ============end==================== % c++ -I/usr/local/include -L/usr/local/lib -lldap test_ldap.cpp -o test_ldap test_ldap.cpp: In function `int main(int, char**)': test_ldap.cpp:31: error: `ldap_simple_bind_s' was not declared in this scope test_ldap.cpp:40: error: `ldap_unbind' was not declared in this scope devel:% uname -a FreeBSD devel.cb.sc.gov.br 6.2-STABLE FreeBSD 6.2-STABLE #0: Mon May 28 08:58:45 BRT 2007 root@devel.cb.sc.gov.br:/usr/src/sys/i386/compile/DEVEL i386 Used --> openldap-client-2.3.35 Open source LDAP client implementation One another question, exists a API of the OpenLdap for C++? Thanks, edm. -- Ederson de Moura

2 2

Replication: 1 DN for all slaves.
by lauro＠npd.ufsc.br 19 Jun '07

19 Jun '07

Hi, Do you think it's a bad practice to have one DN shared between all slaves? Of course this DN is different from the rootdn. My ideas why it's not: - I have to worry about one pair dn/pass, I still have to worry about security on all slave server machines, that's the main problem, I know, but there are so many passwords, minimize that can be good. - If someone manages to get the DN pass, he/she can write to the master (since on the master that DN has write access to "*", then all the slaves, even the ones not hacked, will get that new compromised tree. If replication were not automatic, having one dn/pass to each slave would allow me to have some slaves with a "good" tree on the event someone gets the dn/pass of a slave, and then writing on the master would not affect all slaves. Since it is automatic.. and I have no reason to make happen by human interaction, one slave affected means all slaves and the server affected, even with different DN's/passwords. Did I miss anything? thanks, Lauro ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.

2 2

bdb_index_read: failed (-30989)
by JOYDEEP 19 Jun '07

19 Jun '07

Dear list, what does this error mean ? ------------------------------------ bdb_index_read: failed (-30989) ----------------------------------------- and how can I fix it ? here is the index portion of my slapd.conf -------------------------------------------------- # Indices to maintain index objectClass eq index accountActive,virtualDomain eq index mail eq ------------------------------------------------------ thanks

3 4

Problem with chain overlay crashing consumer slapd
by Simon Gao 18 Jun '07

18 Jun '07

Hi, I am having a problem with changing password against consumer server. However, the problem would be gone if the loglevel is set to "1" or "-1" on the consumer server. If loglevel is set to other value, slapd would crash upon last communication during password changing process. Such problem does not appear on provider, on which I can set loglevel to any value without issue. Consumer server has chain overlay setup. Here are the commands I used for testing: ldappasswd -v -H ldap://provider -D "uid=user1,ou=people,dc=example,dc=com" -W -S -x -A (Works all the time) ldappasswd -v -H ldap://consumer -D "uid=user1,ou=people,dc=example,dc=com" -W -S -x -A (Works only when loglevel set to 1 or -1) The servers run 2.3.35 with bdb-4.5.20_p2. Client runs 2.3.27. Could this be related to chain overlay setup? or something else? What's so confusing is that it worked under certain situations, but not others. Simon

3 4

Apparent character loss in Windows implementation
by Jack Emmerichs 18 Jun '07

18 Jun '07

We have just succeeded in creating a Windows (Windows XP Professional SP2) implementation of the current stable version (2.3.32) by building all the source code (back end, openSSL, OpenLDAP, etc.) within the MinGw Windows build environment in order to enable the ppolicy options. We are using the standard BDB back-end. Oddly enough, it seems to have worked, and I can execute the slapd.exe file, which seems to run normally. I know Windows is a non-standard environment, but as I understand it, the underlyling OpenLDAP code is suppose to work correctly. Whether we have achieved that or not remains to be seen. The test database we are using has a standard test Manager account in a database structure defined as dn="cn=Manager,dc=my-domain,dc=com". In trying to attach a browser to the LDAP, I seem to be getting a connection to the database, but something seems to be stripping the initinal character from the db structure definition leaving the decoded "dc" component as: "c=my-domain,dc=com". Here is the trace of the attempted connection to the LDAP: slapd starting >>>slap_listener(ldap:///) connection_get(420): got connid=0 connection_read(420): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 49 contents: ber_get_next do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber: >>>dnPrettyNormal: <cn=Manager, dc=my-domain,dc=com> <<< dnPrettyNormal: <cn=Manager,dc=my-domain,dc=com>, <cn=manager,dc=my-domain,d c=com> do_bind: version=3 dn="cn=Manager,dc=my-domain,dc=com" method=128 do_bind: v3 bind: "cn=Manager,dc=my-domain,dc=com" to "cn=Manager,dc=my-domain,d c=com" send_ldap_result: conn=0 op=0 p=3 send_ldap_response: msgid=1 tag=97 err=0 ber_flush: 14 bytes to sd 420 connection_get(420): got connid=0 connection_read(420): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 69 contents: ber_get_next do_search ber_scanf fmt ({miiiib) ber: >>>dnPrettyNormal: <dc=my-domain,dc=com> <<< dnPrettyNormal: <dc=my-domain,dc=com>, <dc=my-domain,dc=com> ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: => bdb_search bdb_dn2entry("dc=my-domain,dc=com") => bdb_dn2id("dc=my-domain,dc=com") <= bdb_dn2id: got id=0x01000000 entry_decode: "c=my-domain,dc=com" <= entry_decode: str2ad(orsName): AttributeDescription contains inappropriate ch aracters <= entry_decode: slap_str2undef_ad(orsName): AttributeDescription contains inapp ropriate characters send_ldap_result: conn=0 op=1 p=3 send_ldap_response: msgid=2 tag=101 err=80 ber_flush: 28 bytes to sd 420 The problem is about seven lines up from the end of the trace. It has the flavor of trying to insert a newline into the full dn=... text and having Unix insert a single expected character while Windows inserts two characters, thereby overlaying the first character of the following text. Does anybody know of any gotchas in a Windows environment related to this problem, or any other information about it? The build options we used were: OPENLDAPCONF="--disable-static --enable-shared --enable-dynamic --enable-lmpasswd --enable-bdb --disable-ldap --disable-ldbm --disable-meta --disable-monitor --disable-null --disable-sql --enable-ppolicy" Any suggestions, including a known impossibility of getting this to work, would be appreciated. Thanks. JFE. _________________________________________________________________ Get a preview of Live Earth, the hottest event this summer - only on MSN http://liveearth.msn.com?source=msntaglineliveearthhm

2 1

olcReferral cannot be configured
by renato oliveira 18 Jun '07

18 Jun '07

Hi all, I´m using openldap 2.3.30 and I´m trying to configure a distributed directory. In a first server I´ve "dc-br" and in the other server I´ve "ou=go,dc=br". I normally add referral entry in "dc=br" pointing to "ou=go,dc=br" server, it´s ok. Then, I configure "olcSuffix", "olcRootDN" and "olcRootPW" in "olcDatabase{1}bdb,cn=config" on "ou=go,dc=br" and it´s ok too. But, when I try to configure "olcReferral" pointing do "dc=br" server, the directory server returns that "olcReferral" is not Allowed. For all configurations, I´m using ldapmodify tool. If I configure "olcDatabase{1}bdb,cn=config" ldif configuration file and restart the OpenLDAP, it works but I need to use ldapmodify tool. Somebody can help me? att, Renato.

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
11
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software June 2007