openldap and valgrind
by Brian Hechinger
I'm having an interesting time running my code through valgrind.
Valgrind tells me this:
==31309== Conditional jump or move depends on uninitialised value(s)
==31309== at 0x4033004: ldap_first_attribute (in /usr/lib/libldap-2.3.so.0.2.15)
==31309== by 0x8053F45: ldap_to_xmlrpc (mod_ldap.c:504)
Line 504 of mod_ldap.c is:
attr = ldap_first_attribute(mod_ldap_conn[thread_id], entry, attr_pointer);
Earlier, attr_pointer is declared:
BerElement **attr_pointer;
If I set it null at declaration:
BerElement **attr_pointer = NULL;
Valgrind stops complaining, but then the call to ldap_first_attribute()
hangs and never returns.
Is there a way I can make both of these happy?
-brian
--
"Coding in C is like sending a 3 year old to do groceries. You gotta
tell them exactly what you want or you'll end up with a cupboard full of
pop tarts and pancake mix." -- IRC User (http://www.bash.org/?841435)
15 years, 8 months
use of ldap_str2dn()
by Arthur de Jong
I'm the maintainer of nss_ldapd [1] which is a replacement for nss_ldap.
I have been trying to get rid of using deprecated functions while
compiling with OpenLDAP 2.4.7.
One of the changes I made was using ldap_str2dn() instead of
ldap_explode_dn() and ldap_explode_rdn() to parse the DN of entries
returned. However, I ran into the following.
The relevant definitions for ldap_str2dn() in OpenLDAP 2.4.7 are:
typedef struct ldap_ava {
[...]
} LDAPAVA;
typedef LDAPAVA** LDAPRDN;
typedef LDAPRDN* LDAPDN;
LDAP_F( int )
ldap_str2dn LDAP_P((
LDAP_CONST char *str,
LDAPDN *dn,
unsigned flags ));
While in OpenLDAP 2.1.30 (another version I would like to support) there
is:
typedef struct ldap_ava {
[...]
} LDAPAVA;
typedef LDAPAVA** LDAPRDN;
typedef LDAPRDN** LDAPDN;
LDAP_F( int )
ldap_str2dn LDAP_P((
LDAP_CONST char *str,
LDAPDN **dn,
unsigned flags ));
This changes the second parameter from struct ldap_ava ******dn
to struct ldap_ava ****dn.
What is the best way to use ldap_str2dn() and still be able to compile
(and run correctly, because it is only a warning with most compilers)
with both versions of OpenLDAP? Or would it be better to avoid the
function completely?
Thanks.
[1] http://ch.tudelft.nl/~arthur/nss-ldapd/
--
-- arthur - arthur(a)ch.tudelft.nl - http://ch.tudelft.nl/~arthur --
15 years, 8 months
smbk5pwd and ppolicy working together
by Ryan Steele
Hello,
I've got the smbk5pwd and ppolicy modules working, but I'm not entirely
sure I've got them working together.
I say this because clients joined to the domain (run by a Samba PDC with
an OpenLDAP backend) can change their passwords and it updates the NT/LM
passwords in LDAP, thus verifying the functionality of smbk5pwd, but it
does not appear to enforce ppolicy restrictions. On the flip side of
the coin, the user can change their LDAP password by invoking ldappasswd
from a shell on the server, and is bound by the restrictions set forth
by ppolicy (password length, strength, historical passwords, etc.).
But, I cannot seem to get ppolicy and smbk5pwd to operate in conjunction
with one another - when changed from a Windows client, only smbk5pwd
seems to work. I was initially thinking this was maybe because Windows
was sending the passwords already hashed to OpenLDAP, but if I send a
password such as 'a', I get this message:
"Your password must be at least 5 characters, cannot
repeat any of your previous 0 passwords and must be at least 0 days
old. Please type a different password. Type a password that meets
these requirements in both text boxes."
However, I have no idea where it's getting those requirements or that
text from, though I'm wondering if it's a Windows policy. In any case,
it's certainly not what ppolicy requires, as is the case from a shell on
the server.
I also see this in the sambaPasswordHistory attribute, which (possibly?)
indicates that ppolicy isn't working properly in conjunction with
smbk5pwd, and possibly explains why it's not triggering on the
historical passwords:
sambaPasswordHistory:
0000000000000000000000000000000000000000000000000000000000000000
That doesn't explain, though, why the strength and length checks aren't
working. I've ramped up the debugging on the back end, but all I see is
Samba happily updating with weak passwords and no mention of password
lengths (even when that dialog pops up on the Windows client side). I'd
appreciate any insight anybody might have.
Thanks,
Ryan
15 years, 8 months
Embedding Other LDAP Server in OpenLDAP for User Authentication [Virus checked]
by ems@Sparkassen-Informatik.de
Hello,
I have a tricky problem to solve. We are working with OpenLDAP 2.2.30. To
improve the end user comfort we would like to configure a special behavior
of our LDAP.
The authentication request which our LDAP gets should first be forwarded to
another LDAP server (primary LDAP). Only if the authentication failed
on the primary LDAP server should our LDAP try to authenticate by
itself.
Background: The primary LDAP server is very inflexible. We can only use it
for user authentication. For authorization we have to use our good old
own LDAP ;-)
Does anyone have a clue how I have to configure our OpenLDAP?
Every hint is welcome.
Thanks in advance,
Klaus
15 years, 8 months
slap_sl_malloc of X bytes failed, using ch_malloc
by kevin montuori
hi all -- i have a problem with a 2-multi-master, 1-replica setup. my
master servers' directories sync up and stay replicated without too many
issues; however, when i start up the replica i get this message on the
master that i'm sync'ing the replica from:
slap_sl_malloc of 138718824 bytes failed, using ch_malloc
and, of course, the slapd dies. this is 100% repeatable.
i noticed that this has been an issue in the past (it cropped up on the
mailing list around december 2007) and was curious if it's a known issue or
a misconfiguration or what.
i'm running 2.4.8 on linux 2.6.18.8-32bit-5-xenU.
thanks for any insight.
k.
--
kevin montuori
montuori(a)gmail.com
15 years, 8 months
Re: C coding secured LDAP
by Digambar Sawant
Hi,
To work with secure LDAP the following is required:
1. The server must be running with certificates installed on the server. Check
the TLS options in slapd.conf.
2. The CA certificate must be present on the client side, so that it can verify
the server certificate during the SSL handshake.
3. If the server has an intermediate certificate then the client must have all
the intermediate CA certificates to verify the server certificate.
Now point 1:
How to install the server on the secure port, i.e. 636. Example for OpenLDAP
server: slapd.conf must have the following TLS directives:
TLSCertificateFile /root/Digambar/intermediate_try/userCert.pem
TLSCertificateKeyFile /root/Digambar/intermediate_try/new.cert.key
TLSCACertificateFile /root/Digambar/intermediate_try/cacert.pem
Use the following to create the CA and server certificates:
A. /usr/share/ssl/misc/CA -newca
To create the server cert request:
B. openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
To sign the server cert:
C. /usr/share/ssl/misc/CA -sign
Start the server as: /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h
ldaps:/// &
This will start secure LDAP.
Now to verify that the above is working, try the following from
another host:
i. Copy the CA certificate file to the host.
ii. Edit /etc/ldap.conf and set TLS_CACERT to the CA cert path.
iii. Try ldapsearch -x -H ldaps://server-FQDN-hostname:636 -b
"dc=my-domain,dc=com"
"(&(uid=testadmin1)(objectClass=inetOrgPerson))"
If this goes through then it indicates that the server is installed
properly.
++++++++++++++++++++++++++++++++++++++
Now try to do ldapsearch using a C program:
#include <ldap.h>

LDAP *pLdapObj = NULL;
int ldapversion = LDAP_VERSION3;
struct timeval stTimeoutVal = { 10, 0 }; /* network timeout in seconds */
int stTimeLimit = 30;                    /* server-side time limit */
int LdapSizeLimit = 500;
/* path of the CA certificate file which was copied to the client side */
const char *aucServerCertFileName = "/path/to/cacert.pem";

/* The global TLS option (NULL handle) has to be set before ldap_initialize(),
   because a new handle copies the global options when it is created. */
ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTFILE, aucServerCertFileName);
/* the URI argument is a C string, so it needs quotes */
ldap_initialize(&pLdapObj, "ldaps://server-FQDN-hostname:636");
ldap_set_option( pLdapObj, LDAP_OPT_PROTOCOL_VERSION, &ldapversion);
ldap_set_option( pLdapObj, LDAP_OPT_NETWORK_TIMEOUT, (void *)&stTimeoutVal);
ldap_set_option( pLdapObj, LDAP_OPT_TIMELIMIT, (void *)&stTimeLimit);
ldap_set_option( pLdapObj, LDAP_OPT_SIZELIMIT, (void *)&LdapSizeLimit);
// After this try whatever operation you want to try, like ldap_search or
// ldap_bind etc.
Let me know if you want help somewhere.
Thanks,
Digambar Sawant
On 4/2/08, Arkady Shoyhet <Arkady.Shoyhet(a)aladdin.com> wrote:
>
> Hi,
>
> I have to implement SSL LDAP communication using standard LDAP C API.
>
> I have Linux version 2.4.21-20.EL ,openldap 2.3.41 and OPENSSL-0.9.8G.
>
> Can you reference me to some code examples ?
>
> Thanks in advance,
>
> Arkady Shoyhet
15 years, 8 months
userCertificate:certificateExactMatch: problem
by networm@mail15.com
Hi! I use OpenLDAP 2.39. I need to find the certificate with sn
61a430c600000000000c and issuer email adm(a)test.com, but when I try
this search:
(userCertificate:certificateExactMatch:=61a430c600000000000c$email=adm@test.com)
OpenLDAP prints this error: filter=(?=undefined). I have understood that sn
should be in decimal form, but converting hex->dec did not help. How do I
correctly convert sn to decimal?
15 years, 8 months
Re: C coding secured LDAP
by Hallvard B Furuseth
Arkady Shoyhet writes:
> I have to implement SSL LDAP communication using standard LDAP C API.
> I have Linux version 2.4.21-20.EL ,openldap 2.3.41 and OPENSSL-0.9.8G.
> Can you reference me to some code examples ?
openldap-2.3.41/clients/tools/*.c spring to mind...
It's basically this code in common.c (which is linked together with each
of the ldap*.c files):
    rc = ldap_initialize( &ld, ldapuri );
    if( rc != LDAP_SUCCESS ) {
        fprintf( stderr,
            "Could not create LDAP session handle for URI=%s (%d): %s\n",
            ldapuri, rc, ldap_err2string(rc) );
        exit( EXIT_FAILURE );
    }
and
    protocol = LDAP_VERSION3;
    ...
    if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol )
        != LDAP_OPT_SUCCESS )
    {
        fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n",
            protocol );
        exit( EXIT_FAILURE );
    }
    if ( use_tls ) {
        rc = ldap_start_tls_s( ld, NULL, NULL );
        if ( rc != LDAP_SUCCESS ) {
            tool_perror( "ldap_start_tls", rc, NULL, NULL, NULL, NULL );
            if ( use_tls > 1 ) {
                exit( EXIT_FAILURE );
            }
        }
    }
Set use_tls > 1, since it's a bad idea to continue after StartTLS fails.
ldapuri is something like "ldap://hostname/" where the hostname is the
server's fully qualified hostname (same name as occurs in CN or Subject
Alt Name in the server certificate).
You need to tell the client the server's CA certificate, see TLS_CACERT
in man ldap.conf. Also man ldap_start_tls_s.
Or if you use an "ldaps:" instead of "ldap:" URL, and the server
listens to "ldaps:" (probably in addition to "ldap:"), then the
connection starts out in TLS (alias SSL) mode and you should not call
ldap_start_tls_s().
--
Hallvard
15 years, 8 months
Re: ldapsearch: not compiled with TLS support
by Dieter Kluenter
Hi,
"Arkady Shoyhet" <Arkady.Shoyhet(a)aladdin.com> writes:
> Hi,
>
> I have configured openldap 2.3.41 with the following command: ./configure
> --prefix=/usr --with-tls --enable-cript --enable-syslog --sysconfdir=/etc
>
> Everything was OK. Then I called make depends and make install. Everything was
> fine. Of course OPENSSL-0.9.8G was configured and installed too.
>
> BerkeleyDB 4.5.20 configured, installed and started by the command
> ./slapd -h 'ldap:// ldaps://' -d1. Everything fine.
>
> But when I try to run ldapsearch -Z then the following error message is printed
> out: ldapsearch: not compiled with TLS support.
>
> Why ? What can I do ?
ldd slapd will show you whether it is linked with libssl.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
15 years, 8 months
openldap on Centos 5.1 with TLS
by David Hláčik
Hi, sorry for the stupid question,
but although I am following all the howtos and tutorials it is not working.
1) I have created a CA certificate - /etc/pki/tls/misc/CA -newca
2) I have generated a new request - /etc/pki/tls/misc/CA -newreq
3) I have signed the certificate - /etc/pki/tls/misc/CA -signreq
So I have the CA in /etc/pki/CA
I have newkey.pem
I have newcert.pem
I have also clearkey.pem (without passphrase)
$ openssl rsa < newkey.pem > clearkey.pem
What to do next?? What to put in slapd.conf in order to make it work?? What
to put in ldap.conf in order to communicate?
Really thanks in advance!!
David
15 years, 8 months
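The directives that tie the three files above into slapd.conf and ldap.conf, as an added example rather than a configuration from the original post or from the OpenLDAP documentation. It assumes the CA's certificate ended up at /etc/pki/CA/cacert.pem (the default for the CA -newca step on this layout), that newcert.pem and clearkey.pem were moved to /etc/openldap/certs/ (a directory chosen for this example), and that the server's certificate was requested with the server's fully qualified hostname as its CN, which is what a client that verifies the certificate will compare against the URI.

```
# /etc/openldap/slapd.conf (server side)
# The passphrase-free key is what lets slapd start unattended; keep it
# readable by the slapd user only (e.g. mode 0600) since it is the
# server's identity.
TLSCACertificateFile   /etc/pki/CA/cacert.pem
TLSCertificateFile     /etc/openldap/certs/newcert.pem
TLSCertificateKeyFile  /etc/openldap/certs/clearkey.pem

# /etc/openldap/ldap.conf (client side, read by ldapsearch and libldap)
# Trust only this CA and refuse to proceed if the server certificate
# does not verify, so a wrong hostname or an unknown issuer is an error
# rather than a silent downgrade.
TLS_CACERT   /etc/pki/CA/cacert.pem
TLS_REQCERT  demand
```

After restarting slapd with -h "ldap:/// ldaps:///", ldapsearch -x -ZZ -H ldap://server-FQDN/ (StartTLS, fatal if it fails) or ldapsearch -x -H ldaps://server-FQDN/ against the same base DN is the check that both files are being picked up; a certificate whose CN does not match server-FQDN fails here with TLS_REQCERT demand, which is the intended outcome.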