openldap-software April 2008

openldap-software@openldap.org

77 participants
72 discussions

openldap and valgrind
by Brian Hechinger 05 Apr '08

05 Apr '08

I'm having an interesting time running my code through valgrind. Valgrind tell me this: ==31309== Conditional jump or move depends on uninitialised value(s) ==31309== at 0x4033004: ldap_first_attribute (in /usr/lib/libldap-2.3.so.0.2.15) ==31309== by 0x8053F45: ldap_to_xmlrpc (mod_ldap.c:504) Line 504 of mod_lda.c is: attr = ldap_first_attribute(mod_ldap_conn[thread_id], entry, attr_pointer); Earlier, attr_pointer is declared: BerElement **attr_pointer; If I set it null at declaration: BerElement **attr_pointer = NULL; Valgrind stops complaining, but then the call to ldap_first_attribute() hangs and never returns. Is there a way I can make both of these happy? -brian -- "Coding in C is like sending a 3 year old to do groceries. You gotta tell them exactly what you want or you'll end up with a cupboard full of pop tarts and pancake mix." -- IRC User (http://www.bash.org/?841435)

2 2

use of ldap_str2dn()
by Arthur de Jong 05 Apr '08

05 Apr '08

I'm the maintainer of nss_ldapd [1] which is a replacement for nss_ldap. I have been trying to get rid of using deprecated functions while compiling with OpenLDAP 2.4.7. One of the changes I made was using ldap_str2dn() instead of ldap_explode_dn() and ldap_explode_rdn() to parse the DN of entries returned. However, I ran into the following. The relevant definitions for ldap_str2dn() in OpenLDAP 2.4.7 are: typedef struct ldap_ava { [...] } LDAPAVA; typedef LDAPAVA** LDAPRDN; typedef LDAPRDN* LDAPDN; LDAP_F( int ) ldap_str2dn LDAP_P(( LDAP_CONST char *str, LDAPDN *dn, unsigned flags )); While OpenLDAP 2.1.30 (another version I would like to support) there is: typedef struct ldap_ava { [...] } LDAPAVA; typedef LDAPAVA** LDAPRDN; typedef LDAPRDN** LDAPDN; LDAP_F( int ) ldap_str2dn LDAP_P(( LDAP_CONST char *str, LDAPDN **dn, unsigned flags )); This changes the second parameter from struct ldap_ava ******dn to struct ldap_****dn. What is the best way to use lpap_str2dn() and still be able to compile (and run correctly because it is only a warning with most compilers) with both versions of OpenLDAP? Or would it be better to avoid the function completely? Thanks. [1] http://ch.tudelft.nl/~arthur/nss-ldapd/ -- -- arthur - arthur(a)ch.tudelft.nl - http://ch.tudelft.nl/~arthur --

3 3

smbk5pwd and ppolicy working together
by Ryan Steele 04 Apr '08

04 Apr '08

Hello, I've got the smbk5pwd and ppolicy modules working, but I'm not entirely sure I've got them working together. I say this because clients joined to the domain (run by a Samba PDC with an OpenLDAP backend) can change their passwords and it updates the NT/LM passwords in LDAP, thus verifying the functionality of smk5pwd, but it does not appear to enforce ppolicy restrictions. On the flip side of the coin, the user can change their LDAP password by invoking ldappasswd from a shell on the server, and are bound by the restrictions set forth by ppolicy (password length, strength, historical passwords, etc.). But, I cannot seem to get ppolicy and smbk5pwd to operate in conjunction with one another - when changed from a Windows client, only smbk5pwd seems to work. I was initially thinking this was maybe because Windows was sending the passwords already hashed to OpenLDAP, but if I send a password such as 'a', I get this message: "Your password must be at least 5 characters, cannot repeat any of your previous 0 passwords and must be at least 0 days old. Please type a different password. Type a password that meets these requirements in both text boxes." However, I have no idea where it's getting those requirements or that text from, though I'm wondering it's a Windows policy. In any case, it's certainly not what ppolicy requires, as is the case from a shell on the server. I also see this in the sambaPasswordHistory attribute, which (possibly?) indicates that ppolicy isn't working properly in conjunction with smbk5pwd, and possibly explains why isn't not triggering on the historical passwords: sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000 That doesn't explain, though, why the strength and length checks aren't working. I've ramped up the debugging on the back end, but all I see is Samba happily updating with weak passwords and no mention of password lengths (even when that dialog pops up on the Windows client side). I'd appreciate any insight anybody might have. Thanks, Ryan

7 21

Embedding Other LDAP Server in OpenLDAP for User Authentification [Virus checked]
by ems＠Sparkassen-Informatik.de 04 Apr '08

04 Apr '08

Hello, I've a tricky problem to solve. We are working with OpenLDAP 2.2.30. To improve the end user comfort we like to configure a special behavior of our LDAP. The authentification-request which our LDAP gets should first forwarded to an other LDAP server (primary LDAP). Just if the authentification failed on the primary LDAP server our LDAP should try to authentificate by himself. Background: The primary LDAP server is very inflexible. We just can use it for user authentification. For authorization we have to use our good old own LDAP ;-) Has anyone a clue how I've to configure our OpenLDAP ? Every hint is welcome. Thanks in advance, Klaus

2 1

slap_sl_malloc of X bytes failed, using ch_malloc
by kevin montuori 03 Apr '08

03 Apr '08

hi all -- i have a problem with a 2-multi-master, 1-replica setup. my master servers' directories sync up and stay replicated without too many issues; however, when i start up the replica i get this message on the master that i'm sync'ing the replica from: slap_sl_malloc of 138718824 bytes failed, using ch_malloc and, of course, the slapd dies. this is 100% repeatable. i noticed that this has been an issue in the past (it cropped up on the mailing list around december 2007) and was curious if it's a known issue or a misconfiguration or what. i'm running 2.4.8 on linux 2.6.18.8-32bit-5-xenU. thanks for any insight. k. -- kevin montuori montuori(a)gmail.com

5 12

Re: C coding secured LDAP
by Digambar Sawant 02 Apr '08

02 Apr '08

Hi, To work with secure LDAP following stuff is required: 1. Server must be running with certificates installed on server. Check TLS options in slapd.conf 2. The CA certificate must be present on Client side, which can verify the sever certificate during SSL handshake. 3. If server has intermediate certificate then client must have all the intermediate CA certificate to verify the server certificate. Now point 1, How to install server on secure port ie 636: Example is OpenLDAP server slapd.conf must have following TLS directives: TLSCertificateFile /root/Digambar/intermediate_try/userCert.pem TLSCertificateKeyFile /root/Digambar/intermediate_try/new.cert.key TLSCACertificateFile /root/Digambar/intermediate_try/cacert.pem Use following to create CA and server cetrificates: A. /usr/share/ssl/misc/CA -newca To creat server cert request B openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem To sign the server cert C. /usr/share/ssl/misc/CA -sign Start the server as : /usr/sbin/slapd -f /etc/openldap/slapd.conf -d 127 -h ldaps:/// & This will start secure LDAP. Now to verify that the above stuff is working: try following from some another host: i. copy the ca-certificate file to the host. ii. Edit the /etc/ldap.conf with TLS_CACERT with the ca-cert path. iii. Try with ldapsearch -x -H ldaps://server-FQDN-hostname:636 -b "dc=my-domain,dc=com" "(&(uid=testadmin1)(objectClass=inetOrgPerson))" If this goes throu then it will indicate that the server is installed properly. ++++++++++++++++++++++++++++++++++++++ Now Try to do ldapsearch using C program: LDAP *pLdapObj = NULL; ldap_initialize(&pLdapObj, ldaps://server-FQDN-hostname:636); ldap_set_option( pLdapObj, LDAP_OPT_PROTOCOL_VERSION, &ldapversion); ldap_set_option( pLdapObj, LDAP_OPT_NETWORK_TIMEOUT, (void *)&stTimeoutVal); ldap_set_option( pLdapObj, LDAP_OPT_TIMELIMIT, (void *)&stTimeLimit); ldap_set_option( pLdapObj, LDAP_OPT_SIZELIMIT, (void *)&(LdapSizeLimit)); ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTFILE, aucServerCertFileName);// specify the CA certificate file path which was copied on the client side. // After this try whatever operation you want to try like ldap_searcg or ldap_bind etc Let me know if you want help somewhere. Thanks, Digambar Sawant On 4/2/08, Arkady Shoyhet <Arkady.Shoyhet(a)aladdin.com> wrote: > > Hi, > > I have to implement SSL LDAP communication using standard LDAP C API. > > I have Linux version 2.4.21-20.EL ,openldap 2.3.41 and OPENSSL-0.9.8G. > > Can you reference me to some code examples ? > > Thanks in advance, > > Arkady Shoyhet > > > ************************************************************************************************** > The contents of this email and any attachments are confidential. > It is intended for the named recipient(s) only. > If you have received this email in error please notify the system manager > or the > sender immediately and do not disclose the contents to anyone or make > copies. > ** eSafe scanned this email for viruses, vandals and malicious content ** > > ************************************************************************************************** > >

1 0

userCertificate:certificateExactMatch: problem
by networm＠mail15.com 02 Apr '08

02 Apr '08

Hi! I use OpenLdap 2.39. I need to find the certificate with sn 61a430c600000000000c and issuer email adm(a)test.com, but then i try this search: (userCertificate:certificateExactMatch:=61a430c600000000000c$email=adm@test.com), OpenLdap prints this error: filter=(?=undefined). I have understood that sn should be in dec form, but converting hex->dec not helped. How correctly convert sn in dec?

2 4

Re: C coding secured LDAP
by Hallvard B Furuseth 02 Apr '08

02 Apr '08

Arkady Shoyhet writes: > I have to implement SSL LDAP communication using standard LDAP C API. > I have Linux version 2.4.21-20.EL ,openldap 2.3.41 and OPENSSL-0.9.8G. > Can you reference me to some code examples ? openldap-2.3.41/clients/tools/*.c spring to mind... It's basically this code in common.c (which is linked together with each of the ldap*.c files): rc = ldap_initialize( &ld, ldapuri ); if( rc != LDAP_SUCCESS ) { fprintf( stderr, "Could not create LDAP session handle for URI=%s (%d): %s\n", ldapuri, rc, ldap_err2string(rc) ); exit( EXIT_FAILURE ); } and protocol = LDAP_VERSION3; ... if( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &protocol ) != LDAP_OPT_SUCCESS ) { fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", protocol ); exit( EXIT_FAILURE ); } if ( use_tls ) { rc = ldap_start_tls_s( ld, NULL, NULL ); if ( rc != LDAP_SUCCESS ) { tool_perror( "ldap_start_tls", rc, NULL, NULL, NULL, NULL ); if ( use_tls > 1 ) { exit( EXIT_FAILURE ); } } } Set use_tls > 1, since it's a bad idea to continue after StartTLS fails. ldapuri is something like "ldap://hostname/" where the hostname is the server's fully qualified hostname (same name as occurs in CN or Subject Alt Name in the server certificate). You need to tell the client the server's CA certifiate, see TLS_CACERT in man ldap.conf. Also man ldap_start_tls_s. Or if you use an "ldaps:" instead of "ldap:" URL, and the server listens to "ldaps:" (probably in addition to "ldap:"), then the connection starts out in TLS (alias SSL) mode and you should not call ldap_start_tls_s(). -- Hallvard

1 0

Re: ldapsearch: not compiled with TLS support
by Dieter Kluenter 02 Apr '08

02 Apr '08

Hi, "Arkady Shoyhet" <Arkady.Shoyhet(a)aladdin.com> writes: > Hi, > > I have configured openldap 2.3.41 ,with the following command: ./configure > --prefix=/usr --with-tls --enable-cript --enable-syslog --sysconfdir=/etc > > Everything was OK. Then I called make depends and make install. Everything was > fine.Of course OPENSSL-0.9.8G configured and installed too. > > BerkleyDB 4.5.20 configured,installed and started by command ./slapd -h 'ldap: > // ldaps://' -d1. Everything fine. > > But when I try to run ldapsearch –Z then following error message is printed > out: ldapsearch: not compiled with TLS support. > > Why ? What can I do ? ldd slapd will show you wether it is linked with libssl. -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

1 0

openldap on Centos 5.1 with TLS
by David Hláčik 01 Apr '08

01 Apr '08

Hi, sorry for the stupid question, but however i am following all howtos and tutorials it is not working 1) i have created CA certificate - /etc/pki/tls/misc/CA -newca 2) i have generated a new request - /etc/pki/tls/misc/CA -newreq 3) i have signed certificate /etc/pki/tls/misc/CA -signreq SO i have CA in /etc/pki/CA i have newkey.pem i have newcert.pem i have also cealrkey.pem (without passphrase) *$ openssl rsa < newkey.pem > clearkey.pem* What to do next?? What to put in slapd.conf in order to make it work?? What to put in ldap.conf in order to communicate Really thanks in advance!! David

3 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2008