openldap-software August 2008

openldap-software@openldap.org

70 participants
81 discussions

bind only with SSL or TLS
by Jeronimo Zucco 25 Aug '08

25 Aug '08

Is it possible one ACL that just allow bind for auth with SSL or TLS, but simple queries are allowed in plain ? -- Jeronimo Zucco LPIC-1 Linux Professional Institute Certified Universidade de Caxias do Sul - NPDU http://jczucco.blogspot.com

2 1

Build failure for 2.4.11 with BerkeleyDB.4.7 on Solaris
by Kim Culhan 24 Aug '08

24 Aug '08

Greetings- Seeing this build failure: cd back-bdb; make all rm -f version.c ../../../build/mkversion -v "2.4.11" back_bdb > version.c /bin/sh ../../..//libtool --tag=disable-shared --mode=compile cc -g -I../../../ include -I../../../include -I.. -I./.. -I/usr/local/BerkeleyDB.4.7/include -I/u sr/local/ssl/include -I/usr/include -c init.c cc -g -I../../../include -I../../../include -I.. -I./.. -I/usr/local/BerkeleyDB .4.7/include -I/usr/local/ssl/include -I/usr/include -c init.c -o init.o "init.c", line 509: undefined struct/union member: lk_handle "init.c", line 509: warning: improper pointer/integer combination: arg #1 "init.c", line 752: warning: argument #1 is incompatible with prototype: prototype: pointer to function(unsigned long, unsigned long) returning i nt : "/usr/local/BerkeleyDB.4.7/include/db.h", line 2461 argument : pointer to function(void) returning int cc: acomp failed for init.c Using the Sun Studio 11 compiler on Opensolaris b90 Compiling with gcc fails the same way Any help here is very greatly appreciated regards -kim --

2 1

ppolicy password lockout
by discip＠pjm.com 23 Aug '08

23 Aug '08

Hi, I am having trouble getting password lockout to work with openldap 2.3.32-0.27 on SLES 10 Service Pack 2. I don't see any pwdFailureTime attributes ever show up for the user in question, and the password never locks after bad password attempts. Below is what I've done so far to set this up (note: i have found no errors in any logs so far indicating that the overlay isnt working...) Any help would be greatly appreciated. Thanks, Paul As per the ppolicy documentation on the web, I've added the following lines to my slapd.conf: overlay ppolicy ppolicy_default "cn=stdWebPPolicy,ou=Policies,ou=Config,dc=pjm,dc=com" ppolicy_use_lockout Also, here is the ldif for my policy: dn: cn=stdWebPPolicy,ou=Policies,ou=Config,dc=pjm,dc=com cn: stdWebPPolicy objectClass: pwdPolicy objectClass: person objectClass: top pwdAllowUserChange: TRUE pwdAttribute: 2.5.4.35 pwdCheckQuality: 2 pwdExpireWarning: 600 pwdFailureCountInterval: 30 pwdGraceAuthNLimit: 5 pwdInHistory: 5 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxAge: 0 pwdMaxFailure: 5 pwdMinAge: 0 pwdMinLength: 5 pwdMustChange: FALSE pwdSafeModify: FALSE sn: dummy value And here is the user I am testing against: dn: uid=testuser,ou=People,ou=Test,ou=External,dc=pjm,dc=com objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top objectClass: pwdPolicy objectClass: posixAccount uid: testuser cn: testuser givenName: Test sn: User pwdAttribute: userPassword gidNumber: 123 homeDirectory: /home/testuser uidNumber: 1234 userPassword: {SSHA}Lz+gz7+HomMnxxq1b+TZpgnxECEbfXs1

5 9

slapd with Kerberos and multihomed host
by JUNG, Christian 23 Aug '08

23 Aug '08

Hi, is there a possibility to configure slapd on a multihomed host to authenticate on the different interfaces with different Kerberos principals? Example: one host running linux with two NICs (eth0, eth1) and slapd eth0: IP 10.0.0.23, hostname ldap.sn-1.example.com eth1: IP 10.1.0.42, hostname ldap.sn-2.example.com A client which connects via hostname ldap.sn-1.example.com would request a ticket for the principal ldap/ldap.sn-1.example.com(a)EXAMPLE.COM and one connecting via ldap.sn-2.example.com would request a ticket for ldap/ldap.sn-2.example.com(a)EXAMPLE.COM. Does it suffice to store both keys in the keytab to enable slapd to authenticate for both principals, i.e. does it picks the right key? Which hostname should I define as sasl-host when using SASL to enable plain-text authentication over a SSL-secured connection or is it possible to set multiple sasl-hosts? bye Chris -- phone: +49 6898/10-4987 web : www.saarstahl.de mail : Hofstattstraße 106a D 66333 Voelklingen

2 1

openldap+TLS 'works', but slapd.log reports "err=13 text=TLS confidentiality required" @ slapd start
by Ben Wailea, openldap-software 23 Aug '08

23 Aug '08

i've set up openldap for use with TLS. it launches ok, ps ax | grep slapd 27182 pts/1 S<+ 0:00 tail -f slapd.log 31441 ? S<sl 0:00 /usr/lib/openldap/slapd -h ldap://ldap.domain.com:389 -f /etc/openldap/slapd.conf -u ldap -g ldap -4 -o slp=on ldapadd & ldapsearch seem to work over TLS as well, ldapadd -ZZ -x -D "cn=admin,dc=domain,dc=com" -f /etc/openldap/admin.ldif -w 'secret' adding new entry "dc=domain,dc=com" adding new entry "cn=admin,dc=domain,dc=com" ldapsearch -v -ZZ -x -D 'cn=admin,dc=domain,dc=com' -b 'dc=domain,dc=com' '(objectclass=*)' -w 'secret' ldap_initialize( <DEFAULT> ) filter: (objectclass=*) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <dc=domain,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # domain.com dn: dc=domain,dc=com objectClass: dcObject objectClass: organization o: DOMAIN dc: domain # admin, domain.com dn: cn=admin,dc=domain,dc=com objectClass: organizationalRole cn: admin # search result search: 3 result: 0 Success # numResponses: 3 # numEntries: 2 with slapd.log showing, Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 ACCEPT from IP=192.168.1.17:34861 (IP=192.168.1.17:389) Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 STARTTLS Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=0 RESULT oid= err=0 text= Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 TLS established tls_ssf=256 ssf=256 Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 BIND dn="cn=admin,dc=domain,dc=com" method=128 Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 BIND dn="cn=admin,dc=domain,dc=com" mech=SIMPLE ssf=0 Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=1 RESULT tag=97 err=0 text= Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=2 SRCH base="dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)" Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text= Aug 22 11:17:07 ldap slapd[31441]: conn=12 op=3 UNBIND Aug 22 11:17:07 ldap slapd[31441]: conn=12 fd=12 closed but, on slapd service (re)start, i see in slapd.log, Aug 22 11:02:47 ldap slapd[31441]: slapd starting Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 ACCEPT from IP=192.168.1.17:42320 (IP=192.168.1.17:389) Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 BIND dn="" method=128 Aug 22 11:02:48 ldap slapd[31441]: conn=0 op=0 RESULT tag=97 err=13 text=TLS confidentiality required Aug 22 11:02:48 ldap slapd[31441]: conn=0 fd=12 closed (connection lost) Aug 22 11:02:49 ldap slapd[31441]: conn=1 fd=12 ACCEPT from IP=192.168.1.17:42321 (IP=192.168.1.17:389) Aug 22 11:02:49 ldap slapd[31441]: conn=1 op=0 BIND dn="" method=128 Aug 22 11:02:49 ldap slapd[31441]: conn=1 op=0 RESULT tag=97 err=13 text=TLS confidentiality required Aug 22 11:02:49 ldap slapd[31441]: conn=1 fd=12 closed (connection lost) Aug 22 11:02:50 ldap slapd[31441]: conn=2 fd=12 ACCEPT from IP=192.168.1.17:42322 (IP=192.168.1.17:389) Aug 22 11:02:50 ldap slapd[31441]: conn=2 op=0 BIND dn="" method=128 Aug 22 11:02:50 ldap slapd[31441]: conn=2 op=0 RESULT tag=97 err=13 text=TLS confidentiality required Aug 22 11:02:50 ldap slapd[31441]: conn=2 fd=12 closed (connection lost) Aug 22 11:02:51 ldap slapd[31441]: conn=3 fd=12 ACCEPT from IP=192.168.1.17:42323 (IP=192.168.1.17:389) Aug 22 11:02:51 ldap slapd[31441]: conn=3 op=0 BIND dn="" method=128 Aug 22 11:02:51 ldap slapd[31441]: conn=3 op=0 RESULT tag=97 err=13 text=TLS confidentiality required Aug 22 11:02:51 ldap slapd[31441]: conn=3 fd=12 closed (connection lost) Aug 22 11:02:52 ldap slapd[31441]: conn=4 fd=12 ACCEPT from IP=192.168.1.17:42324 (IP=192.168.1.17:389) Aug 22 11:02:52 ldap slapd[31441]: conn=4 op=0 BIND dn="" method=128 Aug 22 11:02:52 ldap slapd[31441]: conn=4 op=0 RESULT tag=97 err=13 text=TLS confidentiality required Aug 22 11:02:52 ldap slapd[31441]: conn=4 fd=12 closed (connection lost) Aug 22 11:02:53 ldap slapd[31441]: conn=5 fd=12 ACCEPT from IP=192.168.1.17:42325 (IP=192.168.1.17:389) Aug 22 11:02:53 ldap slapd[31441]: conn=5 op=0 BIND dn="" method=128 Aug 22 11:02:53 ldap slapd[31441]: conn=5 op=0 RESULT tag=97 err=13 text=TLS confidentiality required Aug 22 11:02:53 ldap slapd[31441]: conn=5 fd=12 closed (connection lost) Aug 22 11:02:54 ldap slapd[31441]: conn=6 fd=12 ACCEPT from IP=192.168.1.17:42326 (IP=192.168.1.17:389) Aug 22 11:02:54 ldap slapd[31441]: conn=6 op=0 BIND dn="" method=128 Aug 22 11:02:54 ldap slapd[31441]: conn=6 op=0 RESULT tag=97 err=13 text=TLS confidentiality required Aug 22 11:02:54 ldap slapd[31441]: conn=6 fd=12 closed (connection lost) Aug 22 11:02:55 ldap slapd[31441]: conn=7 fd=12 ACCEPT from IP=192.168.1.17:42327 (IP=192.168.1.17:389) Aug 22 11:02:55 ldap slapd[31441]: conn=7 op=0 BIND dn="" method=128 Aug 22 11:02:55 ldap slapd[31441]: conn=7 op=0 RESULT tag=97 err=13 text=TLS confidentiality required Aug 22 11:02:55 ldap slapd[31441]: conn=7 fd=12 closed (connection lost) Aug 22 11:02:56 ldap slapd[31441]: conn=8 fd=12 ACCEPT from IP=192.168.1.17:42328 (IP=192.168.1.17:389) Aug 22 11:02:56 ldap slapd[31441]: conn=8 op=0 BIND dn="" method=128 Aug 22 11:02:56 ldap slapd[31441]: conn=8 op=0 RESULT tag=97 err=13 text=TLS confidentiality required Aug 22 11:02:56 ldap slapd[31441]: conn=8 fd=12 closed (connection lost) what are these multiple connection "text=TLS confidentiality required" errors due to? i'm guessing it has to do with security restrictions set in slapd.conf. reading @ http://www.openldap.org/doc/admin24/security.html, i've, ... security ssf=256 tls=256 update_tls=256 simple_bind=256 disallow tls_2_anon require bind LDAPv3 ... are these settings correct, and/or are they resposible for those slapd.log messages? something else?

3 4

Re: openldap+TLS 'works', but slapd.log reports "err=13 text=TLS confidentiality required" @ slapd start
by Quanah Gibson-Mount 23 Aug '08

23 Aug '08

--On Friday, August 22, 2008 1:52 PM -0700 "Ben Wailea, openldap-software" <bwailea+10(a)gmail.com> wrote: You're entirely missing my point. You've noted what your setup is, and the changes you made. Once you made those changes and restarted the server, some connections started failing. Your logs show what IP address those connections are coming from, but since they are being blocked by the changes you made, there's really no data on what client is making those connections. The only person who can track down what clients are trying to bind *without* TLS is you. You may not like that answer, but it isn't going to change. You're original question posed at the end of your email was is this the expected behavior for those settings, and the answer is yes. If you block clients that are not using TLS from binding, then they are going to fail to bind once the changes are in effect. Now, does your ldapsearch command with -ZZ continue to work after there restart? What other processes have you configured to access the LDAP server from the local host? nscd? nss_ldap? etc. Look at those things. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

2 1

Error during ./configure
by Philip Gabrielsen 23 Aug '08

23 Aug '08

Hi I get an error i can't get away from, when running ./configure Error i get: philip@zimba:/usr/local/openldap-2.4.11$ ./configure Configuring OpenLDAP 2.4.11-Release ... checking build system type... i686-pc-linux-gnulibc1 checking host system type... i686-pc-linux-gnulibc1 checking target system type... i686-pc-linux-gnulibc1 checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... no checking for mawk... mawk checking whether make sets $(MAKE)... yes checking configure arguments... done checking for ar... ar checking for style of include used by make... GNU checking for gcc... /usr/lib/gcc/i486-linux-gnu/4.0.3/cc1 checking for C compiler default output file name... conftest.s checking whether the C compiler works... configure: error: cannot run C compiled programs. If you meant to cross compile, use `--host'. See `config.log' for more details. Config.log (interesting place) gives me: configure:4052: checking for style of include used by make configure:4080: result: GNU configure:4151: checking for gcc configure:4177: result: /usr/lib/gcc/i486-linux-gnu/4.0.3/cc1 configure:4421: checking for C compiler version configure:4424: /usr/lib/gcc/i486-linux-gnu/4.0.3/cc1 --version </dev/null >&5 GNU C version 4.0.3 (Ubuntu 4.0.3-1ubuntu5) (i486-linux-gnu) compiled by GNU C version 4.0.3 (Ubuntu 4.0.3-1ubuntu5). GGC heuristics: --param ggc-min-expand=64 --param ggc-min-heapsize=64440 configure:4427: $? = 0 configure:4429: /usr/lib/gcc/i486-linux-gnu/4.0.3/cc1 -v </dev/null >&5 ignoring nonexistent directory "/usr/local/include/i486-linux-gnu" ignoring nonexistent directory "/usr/include/i486-linux-gnu" #include "..." search starts here: #include <...> search starts here: /usr/local/include /usr/lib/gcc/i486-linux-gnu/4.0.3/include /usr/include End of search list. Execution times (seconds) TOTAL : 0.01 0.00 0.01 configure:4432: $? = 0 configure:4434: /usr/lib/gcc/i486-linux-gnu/4.0.3/cc1 -V </dev/null >&5 cc1: error: unrecognized command line option "-V" Execution times (seconds) TOTAL : 0.00 0.00 0.00 configure:4437: $? = 1 configure:4460: checking for C compiler default output file name configure:4463: /usr/lib/gcc/i486-linux-gnu/4.0.3/cc1 conftest.c >&5 main Execution times (seconds) TOTAL : 0.00 0.02 0.01 configure:4466: $? = 0 configure:4512: result: conftest.s configure:4517: checking whether the C compiler works configure:4523: ./conftest.s ./configure: line 4524: ./conftest.s: Permission denied configure:4526: $? = 126 configure:4535: error: cannot run C compiled programs. If you meant to cross compile, use `--host'. See `config.log' for more details. I run this as root.... Best Regards Philip Gabrielsen Mob: 99384335

3 2

how to migrate openldap from one server to another
by Naveen.X1.Sarabu＠chase.com 22 Aug '08

22 Aug '08

Hi I am very new to linux and openLDAP. Can any one please let me know how can I migrate openLDAP from one server to another. here is the description: currently we have a master LDAP and a slave. we are in the process of building 2 new servers to migrate the existing LDAP to the new servers. so can any one please let me know the steps need be taken to achieve this task. OS ( New server ) : RHEL AS 4 open ldap version ( on old server ) : 2.2.13-6.4E open ldap version ( on new server ) : 2.2.13-8.el4_6.4 please let me know if you need any conf information. Thanks in advance. -NS ----------------------------------------- This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.

3 2

OpenLDAP on Windows XP possible?
by Administrator 22 Aug '08

22 Aug '08

I have an assignment to get OpenLDAP up and running on WindowsXP for a demo. The only thing I can find is a tar.gz which I unpacked, so now how do I get it installed on XP? I mostly see documentation for Unix/Linux systems but nothing as far as "Getting Started on XP" or anything windows related. thanks JavaTek

6 5

slapd hangs
by Curt Blank 21 Aug '08

21 Aug '08

Version 2.2.28 Periodically the slapd daemon hangs. I did a gstack (attached) which doesn't contain a lot of information but the one thing that stands out is at the top it says "Thread 18" and I have threads set to 16, is it somehow trying to create more then it is suppose to thus causing a problem? -- Curt Blank Systems Administrator Technical Services Specialist University Information Technology Services University of Wisconsin-Milwaukee e-mail: curt(a)uwm.edu phone : (414) 229-3814

3 3

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software August 2008