January 2009 - openldap-software

"ldap_start_tls: Protocol error (2)" and I do not know why

by Nathan Huesken

Hi, I created ssl certificates using this guide: http://www.credentia.cc/certs/howto/openldap.html Generating a slapd.cert and slapd.key file I added: olcTLSCertificateFile: /etc/ldap/ssl/slapd.cert olcTLSCertificateKeyFile: /etc/ldap/ssl/slapd.key olcTLSCRLCheck: none olcTLSVerifyClient: never to cn=config.ldif file. I also put TLS_REQCERT never into /etc/ldap/ldap.conf Now I try to search: ldapsearch -x -D "cn=admin,dc=*********,dc=***" -b 'dc=**********,dc=***' '(objectclass=*)' -W -ZZ -v ldap_initialize( <DEFAULT> ) ldap_start_tls: Protocol error (2) I do not know what goes wrong, the log file does not tell me much: Jan 30 23:20:56 ********** slapd[20043]: daemon: read active on 14 Jan 30 23:20:56 ********** slapd[20043]: daemon: epoll: listen=8 active_threads=0 tvp=zero Jan 30 23:20:56 ********** slapd[20043]: daemon: epoll: listen=9 active_threads=0 tvp=zero Jan 30 23:20:56 ********** slapd[20043]: connection_get(14) Jan 30 23:20:56 ********** slapd[20043]: connection_get(14): got connid=4 Jan 30 23:20:56 ********** slapd[20043]: connection_read(14): checking for input on id=4 Jan 30 23:20:56 ********** slapd[20043]: ber_get_next on fd 14 failed errno=0 (Success) Jan 30 23:20:56 ********** slapd[20043]: connection_read(14): input error=-2 id=4, closing. Jan 30 23:20:56 ********** slapd[20043]: connection_closing: readying conn=4 sd=14 for close Jan 30 23:20:56 ********** slapd[20043]: connection_close: conn=4 sd=14 Jan 30 23:20:56 ********** slapd[20043]: daemon: removing 14 Jan 30 23:20:56 ********** slapd[20043]: conn=4 fd=14 closed (connection lost) Jan 30 23:20:56 ********** slapd[20043]: daemon: activity on 1 descriptor Jan 30 23:20:56 ********** slapd[20043]: daemon: activity on: Jan 30 23:20:56 ********** slapd[20043]: Jan 30 23:20:56 ********** slapd[20043]: daemon: epoll: listen=8 active_threads=0 tvp=zero Jan 30 23:20:56 ********** slapd[20043]: daemon: epoll: listen=9 active_threads=0 tvp=zero What else could be wrong? Thanks! nathan

14 years

1
0
0 / 0

Ldap configuration (Group permission)

by Miguel

Hello, I m trying to configure the ldap . I have created two groups (contact and administradores) within another one (people). I would like administradores group to have all the permissions over contacts group. I have modified the slapd.conf in this way, but it doesn't work: access to dn=".*,ou=contacts,ou=people,dc=mcm,dc=com" by dn=".*,ou=administradores,ou=people,dc=mcm,dc=com" write by * read could anybody help me? thank you in advance, Miguel

14 years

2
2
0 / 0

Securing cn=config

by Peter Mogensen

After hours of searching through mailing lists, reading man pages and FAQs and the admin-guide and trying every possible combination I can think of, I still can't find the answer on how to secure cn=config The FAQ says that in slapd 2.4 cn=config respects ACLs, but I can't even limit auth against the rootdn with an ACL. There has to be a recommended way, but I can't find it. I guess a lot pf people would have benefit from a FAQ example on how to do it. I would have expected this to work: database config rootpw config access to dn.exact="cn=config" by peername="127.0.0.1" auth by * none but not... /Peter

14 years

2
2
0 / 0

openldap and dovecot-sasl

by Nathan Huesken

Hi, is it possible to use dovecot-sasl for authentication instead of Cyrius Sasl? If yes, what has to be done? Thanks! Nathan

14 years

1
0
0 / 0

Syncrepl with back-sql provider (again)

by alessio

Here <http://www.openldap.org/lists/openldap-software/200708/msg00015.html> I can read that "Indeed back-sql was intended to loosely support acting as a syncrepl provider (limited to refreshOnly) it's currently broken, and it's never been fixed". Has this issue been fixed in openldap-2.4? Greetings, A

14 years

1
0
0 / 0

OpenLDAP/TLS main: TLS init def ctx failed: -207

by Technical Home

Hello, I now try to add SSL/TLS support to my OpenLDAP server 2.4.11 . So I create a CA and a signed certificate by this CA. This point seems to be ok : ------------------------------------------------------------------------------------------------------------------------------------------------------ root@SERVER:~# openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/SERVER.crt /etc/ssl/certs/SERVER.crt: OK ------------------------------------------------------------------------------------------------------------------------------------------------------ And i add it to my slapd configuration with following commands as specified in the ubuntu documentation (https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html#openldap-...) ------------------------------------------------------------------------------------------------------------------------------------------------------ root@SERVER:~# ldapmodify -x -D cn=admin,cn=config -W Enter LDAP Password: dn: cn=config add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/SERVER.crt - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/cakey.pem modifying entry "cn=config" ------------------------------------------------------------------------------------------------------------------------------------------------------ But when restarting slapd, I always obtain this output : ------------------------------------------------------------------------------------------------------------------------------------------------------ root@SERVER:~# slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.1.200:636' -g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383 @(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $ buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd main: TLS init def ctx failed: -207 slapd stopped. connections_destroy: nothing to destroy. ------------------------------------------------------------------------------------------------------------------------------------------------------ I search all my sunday long what could be this "main: TLS init def ctx failed: -207" but I was not able to find what causes it. In openssl file ssl.h, 207 code refers to the macro "#define SSL_F_SSL_VERIFY_CERT_CHAIN 207". It seems to mean that it (slapd or openssl ?) can't verify my certificate string, but I just verified before my certificate with the openssl command which told it is OK. I'm lost. Can you help me ? Thanks in advance, Regards, Gilles

14 years

5
5
0 / 0

LDAP Crash while replication

by Andi Gorhan

Hello, I configured two Master LDAP Server and everything works perfect with replication. The database contains 10 000 entrys Now I want to simulate a Server Break so I stopped LDAP while adding 100 LDAP entrys (30000-30099) via ldapadd. All entrys are available on both Masters (so replication works) expect the last entry before break down LDAP (while entry 30050). So at Master 1 all entrys until 30050 are available, on Master 2 all entrys are available until 30049. LDAP was not able to sync it before break down. That is ok. Then I brought LDAP back on Master 1 and the Last entry (30050) was synced by LDAP to Master 2. All seems to work perfect but now I looked into the Debug Log and LDAP on Master 2 is rescan the whole Database: ... entry_decode: "uid=339,dc=local,dc=de" <= entry_decode(uid=339,dc=local,dc=de) entry_decode: "uid=340,dc=local,dc=de" <= entry_decode(uid=340,dc=local,dc=de) ... Is that normal because it takes a long long time. In the future I will have millions of user and a rescan would cost much time. Is it possible to avoid this behaviour of LDAP. Does anybody have experience with that? Thank you, Andi

14 years

1
0
0 / 0

Race condition when using slapo-unique?

by Magne Land

Hi, I am using OpenLDAP 2.3.43 with BDB 4.5.20 and recently encountered a problem where two different entries were created with the same mail attribute value. The problem is that the mail attribute was defined as unique in slapd.conf: index mail eq,sub overlay unique unique_attributes mail The two similar entries were created about 300 milliseconds apart. To add to the confusion, an ldapsearch for the same mail value occurred at roughly the same time. So far I have not been able to reproduce this, which indicates that it is a race condition. I hope someone can help me, or direct me to some documentation. Regards, Magne Land

14 years

2
3
0 / 0

64bit compile fails on Solaris 10

by John Center

Hi, I'm trying to compile OpenLDAP v2.4.13 on Solaris 10 using Sun Studio 12. Everything is building fine until it gets to slapd itself. It fails linking .libs/slapdS.o: rm -f .libs/slapd.nm .libs/slapd.nmS .libs/slapd.nmT creating .libs/slapdS.c (cd .libs && cc -c "slapdS.c") rm -f .libs/slapdS.c .libs/slapd.nm .libs/slapd.nmS .libs/slapd.nmT cc -g -fast -fsimple=0 -fns=no -xtarget=ultraT1 -xarch=sparcvis2 -m64 -xipo -mt -xcode=pic32 -xpagesize=default -xlic_lib=sunperf .libs/slapdS.o -o .libs/slapd main.o globals.o bconfig.o config.o daemon.o connection.o search.o filter.o add.o cr.o attr.o entry.o backend.o backends.o result.o operation.o dn.o compare.o modify.o delete.o modrdn.o ch_malloc.o value.o ava.o bind.o unbind.o abandon.o filterentry.o phonetic.o acl.o str2filter.o aclparse.o init.o user.o lock.o controls.o extended.o passwd.o schema.o schema_check.o schema_init.o schema_prep.o schemaparse.o ad.o at.o mr.o syntax.o oc.o saslauthz.o oidm.o starttls.o index.o sets.o referral.o root_dse.o sasl.o module.o mra.o mods.o sl_malloc.o zn_malloc.o limits.o operational.o matchedValues.o cancel.o syncrepl.o backglue.o backover.o ctxcsn.o ldapsync.o frontend.o slapadd.o slapcat.o slapcommon.o slapdn.o slapindex.o slappasswd.o slaptest.o slapauth.o slapacl.o component.o aci.o alock.o txn.o version.o -xarch=v9 -L/opt/python2/lib/sparcv9 -L/opt/perl5/lib/sparcv9 -L/opt/heimdal/lib/sparcv9 -L/opt/db/lib/sparcv9 -L/opt/gnu/lib/sparcv9 -L/opt/local/lib/sparcv9 -L/usr/sfw/lib/sparcv9 -L/usr/lib/sparcv9 libbackends.a liboverlays.a ../../libraries/liblunicode/liblunicode.a ../../libraries/librewrite/librewrite.a ../../libraries/liblutil/liblutil.a ../../libraries/libldap_r/.libs/libldap_r.so /opt/ws/dists/Services/openldap-2.4.13/libraries/liblber/.libs/liblber.so -L/opt/db/lib ../../libraries/liblber/.libs/liblber.so -mt /opt/gnu/lib/sparcv9/libltdl.so /opt/db/lib/sparcv9/libdb-4.7.so -L/opt/tcl/lib/sparcv9 -lrt -L/opt/SUNWspro/prod/lib/v9 -L/usr/ccs/lib/sparcv9 -L/opt/AS/perl5/lib/CORE -lperl -ldl -lm -lpthread -licuuc -licudata -lsasl /opt/heimdal/lib/libgssapi.so /opt/heimdal/lib/libheimntlm.so /opt/heimdal/lib/libkrb5.so /opt/heimdal/lib/libhx509.so /opt/heimdal/lib/libwind.so -ldoor /opt/heimdal/lib/libhcrypto.so /opt/heimdal/lib /libasn1.so /opt/heimdal/lib/libcom_err.so /opt/heimdal/lib/libroken.so -ldb-4 - lssl -lcrypto -lresolv -lgen -lnsl -lsocket -ldb -lumem -R/opt/openldap/lib/sparcv9 -R/opt/gnu/lib/sparcv9 -R/opt/db/lib/sparcv9 -R/opt/heimdal/lib -R/opt/python2/lib/sparcv9 -R/opt/perl5/lib/sparcv9 -R/opt/heimdal/lib/sparcv9 -R/opt/local/lib/sparcv9 -R/usr/sfw/lib/sparcv9 -R/usr/lib/sparcv9 -R/opt/AS/perl5/lib/CORE cc: Warning: -xarch=v9 is deprecated, use -m64 to create 64-bit programs ld: fatal: file .libs/slapdS.o: wrong ELF class: ELFCLASS32 I think slapdS.c is generated dynamically by ltmain.sh, seen in the line: (cd .libs && cc -c "slapdS.c") I don't know what slapdS.c does, but I think "-m64" needs to be passed to cc here; unfortunately I don't know how to do it. I've searched through the mail archives w/o much luck. Could someone please explain to me what I'm missing? Thanks. -John -- John Center Villanova University

14 years

3
9
0 / 0

Configuration of slapo-rwm with cn=config scheme

by Master_Proper＠gmx.de

Dear all, I am currently trying to figure out how to configure the slapo-rwm overlay with the cn=config scheme. So far I was unable to find any documentation on this. The only way I could help myself is by using a "fake" slapd-conf file and converting it with slaptest -f fake.slapd.conf -F testconfig.d/ What I managed to do: 1. I created a file with the following content: $ cat rwm_moduleLoad.ldif dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: rwm.so and loaded it with ldapmodify -D "cn=admin,cn=config" -x -W -f rwm_moduleLoad.ldif 2. I tried to do the same with this file: $ cat rwm_activate.ldif dn: olcOverlay=rwm,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm olcRwmRewrite: rwm-rewriteEngine "on" olcRwmRewrite: rwm-rewriteMap "ldap" "attr2dn" "ldap://localhost/o=org?dn?sub" olcRwmRewrite: rwm-rewriteContext "bindDN" olcRwmRewrite: rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I" olcRwmTFSupport: no olcRwmNormalizeMapped: FALSE When I wanted to add this file with ldapadd -D "cn=admin,cn=config" -x -W -f rwm_activate.ldif the following error message was returned: adding new entry "olcOverlay=rwm,olcDatabase={1}hdb,cn=config" ldap_add: Other (e.g., implementation specific) error (80) additional info: <olcRwmRewrite> handler exited with 1 Adding a file with only the follwing content suceeded: $ cat rwm_activate.ldif dn: olcOverlay=rwm,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm Can anybody help me on how to proceed? My goal is to get the sample configuration from the slapo-rwm man page working which rewrites the bindDN if an email-address is given. I am using @(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $ buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd - the standard build on Ubuntu 8.10 (Intrepid Ibex). Thanks in advance for your support! Best regards, Proper -- Psssst! Schon vom neuen GMX MultiMessenger gehört? Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger

14 years

3
3
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software January 2009