"ldap_start_tls: Protocol error (2)" and I do not know why
by Nathan Huesken
Hi,
I created ssl certificates using this guide:
http://www.credentia.cc/certs/howto/openldap.html
Generating a slapd.cert and slapd.key file
I added:
olcTLSCertificateFile: /etc/ldap/ssl/slapd.cert
olcTLSCertificateKeyFile: /etc/ldap/ssl/slapd.key
olcTLSCRLCheck: none
olcTLSVerifyClient: never
to the cn=config.ldif file.
I also put
TLS_REQCERT never
into /etc/ldap/ldap.conf
Now I try to search:
ldapsearch -x -D "cn=admin,dc=*********,dc=***" -b 'dc=**********,dc=***' '(objectclass=*)' -W -ZZ -v
ldap_initialize( <DEFAULT> )
ldap_start_tls: Protocol error (2)
I do not know what goes wrong; the log file does not tell me much:
Jan 30 23:20:56 ********** slapd[20043]: daemon: read active on 14
Jan 30 23:20:56 ********** slapd[20043]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jan 30 23:20:56 ********** slapd[20043]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Jan 30 23:20:56 ********** slapd[20043]: connection_get(14)
Jan 30 23:20:56 ********** slapd[20043]: connection_get(14): got connid=4
Jan 30 23:20:56 ********** slapd[20043]: connection_read(14): checking for input on id=4
Jan 30 23:20:56 ********** slapd[20043]: ber_get_next on fd 14 failed errno=0 (Success)
Jan 30 23:20:56 ********** slapd[20043]: connection_read(14): input error=-2 id=4, closing.
Jan 30 23:20:56 ********** slapd[20043]: connection_closing: readying conn=4 sd=14 for close
Jan 30 23:20:56 ********** slapd[20043]: connection_close: conn=4 sd=14
Jan 30 23:20:56 ********** slapd[20043]: daemon: removing 14
Jan 30 23:20:56 ********** slapd[20043]: conn=4 fd=14 closed (connection lost)
Jan 30 23:20:56 ********** slapd[20043]: daemon: activity on 1 descriptor
Jan 30 23:20:56 ********** slapd[20043]: daemon: activity on:
Jan 30 23:20:56 ********** slapd[20043]:
Jan 30 23:20:56 ********** slapd[20043]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Jan 30 23:20:56 ********** slapd[20043]: daemon: epoll: listen=9 active_threads=0 tvp=zero
What else could be wrong?
Thanks!
nathan
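The "Protocol error (2)" that ldapsearch prints is the LDAP resultCode carried in the server's ExtendedResponse to the StartTLS ExtendedRequest that -ZZ sends before any bind. The following is an added example, my code rather than Nathan's or OpenLDAP's: it builds that request with a minimal BER encoder and decodes a constructed ExtendedResponse carrying resultCode 2, so the wire-level meaning of the message is visible. The response bytes, the message ID and the diagnostic text are constructed samples; only the Python standard library is used.

```python
# Added example (not from the original post or from OpenLDAP): encode the
# LDAP StartTLS ExtendedRequest and decode an ExtendedResponse (RFC 4511).
# Minimal BER subset; all sample bytes below are constructed.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511, section 4.14

# LDAP resultCode values (RFC 4511, appendix A) that matter for StartTLS.
RESULT_CODES = {
    0: "success",
    1: "operationsError",
    2: "protocolError",
    52: "unavailable",
    53: "unwillingToPerform",
}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER in minimal two's-complement form (non-negative input)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.
    This is what ldapsearch -ZZ sends first on the connection."""
    request_name = tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] IMPLICIT LDAPOID
    extended_req = tlv(0x77, request_name)                   # [APPLICATION 23] constructed
    return tlv(0x30, ber_int(message_id) + extended_req)     # SEQUENCE


def read_tlv(data: bytes, pos: int):
    """Return (tag, value, position after the element); rejects truncation."""
    if pos + 2 > len(data):
        raise ValueError("truncated BER header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated BER value")
    return tag, data[pos:end], end


def parse_extended_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }."""
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single LDAPMessage")
    tag, msg_id, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse")
    # LDAPResult prefix: resultCode ENUMERATED, matchedDN, diagnosticMessage
    tag, code, pos = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, matched_dn, pos = read_tlv(op, pos)
    _, diagnostic, pos = read_tlv(op, pos)
    response_name = None
    while pos < len(op):                 # optional trailing fields
        tag, value, pos = read_tlv(op, pos)
        if tag == 0x8A:                  # responseName [10]
            response_name = value.decode("ascii")
    result_code = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(msg_id, "big", signed=True),
        "result_code": result_code,
        "result_name": RESULT_CODES.get(result_code, "other"),
        "matched_dn": matched_dn.decode("utf-8", "replace"),
        "diagnostic": diagnostic.decode("utf-8", "replace"),
        "response_name": response_name,
    }


# Constructed sample: a server answering message 1 with protocolError (2).
SAMPLE_RESPONSE = tlv(
    0x30,
    ber_int(1)
    + tlv(
        0x78,
        tlv(0x0A, b"\x02")                         # resultCode = protocolError
        + tlv(0x04, b"")                           # matchedDN (empty)
        + tlv(0x04, b"constructed diagnostic text"),
    ),
)


def describe(response: dict) -> str:
    """Summarise the result the way the client tools do: name and code."""
    return f"{response['result_name']} ({response['result_code']})"


if __name__ == "__main__":
    print(build_starttls_request(1).hex())
    print(describe(parse_extended_response(SAMPLE_RESPONSE)))
```

Running the block prints the exact bytes the client puts on the wire and the decoded summary of the constructed response; pointing `parse_extended_response` at bytes captured from a real server shows which resultCode and diagnostic text the server actually returned, which the client tool's one-line message does not.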
Ldap configuration (Group permission)
by Miguel
Hello,
I'm trying to configure LDAP. I have created two groups (contact
and administradores) within another one (people).
I would like the administradores group to have all the permissions over
the contacts group. I have modified slapd.conf in this way, but it
doesn't work:
access to dn=".*,ou=contacts,ou=people,dc=mcm,dc=com"
by dn=".*,ou=administradores,ou=people,dc=mcm,dc=com" write
by * read
could anybody help me?
thank you in advance,
Miguel
Securing cn=config
by Peter Mogensen
After hours of searching through mailing lists, reading man pages and
FAQs and the admin guide and trying every possible combination I can
think of, I still can't find the answer on how to secure cn=config.
The FAQ says that in slapd 2.4 cn=config respects ACLs, but I can't even
limit auth against the rootdn with an ACL.
There has to be a recommended way, but I can't find it. I guess a lot of
people would benefit from a FAQ example on how to do it.
I would have expected this to work:
database config
rootpw config
access to dn.exact="cn=config"
by peername="127.0.0.1" auth
by * none
but not...
/Peter
openldap and dovecot-sasl
by Nathan Huesken
Hi,
Is it possible to use dovecot-sasl for authentication instead of Cyrus SASL?
If yes, what has to be done?
Thanks!
Nathan
OpenLDAP/TLS main: TLS init def ctx failed: -207
by Technical Home
Hello,
I'm now trying to add SSL/TLS support to my OpenLDAP server 2.4.11.
So I created a CA and a certificate signed by this CA. This point seems
to be ok:
------------------------------------------------------------------------------------------------------------------------------------------------------
root@SERVER:~# openssl verify -CAfile /etc/ssl/certs/cacert.pem
/etc/ssl/certs/SERVER.crt
/etc/ssl/certs/SERVER.crt: OK
------------------------------------------------------------------------------------------------------------------------------------------------------
And I add it to my slapd configuration with the following commands as
specified in the Ubuntu documentation
(https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html#openldap-...)
------------------------------------------------------------------------------------------------------------------------------------------------------
root@SERVER:~# ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/SERVER.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/cakey.pem
modifying entry "cn=config"
------------------------------------------------------------------------------------------------------------------------------------------------------
But when restarting slapd, I always obtain this output:
------------------------------------------------------------------------------------------------------------------------------------------------------
root@SERVER:~# slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.1.200:636'
-g openldap -u openldap -F /etc/ldap/slapd.d/ -d 16383
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
main: TLS init def ctx failed: -207
slapd stopped.
connections_destroy: nothing to destroy.
------------------------------------------------------------------------------------------------------------------------------------------------------
I searched all Sunday long for what this "main: TLS init def ctx
failed: -207" could be, but I was not able to find what causes it. In the OpenSSL file
ssl.h, code 207 refers to the macro "#define
SSL_F_SSL_VERIFY_CERT_CHAIN 207". It seems to mean
that it (slapd or openssl?) can't verify my certificate string, but I
just verified my certificate before with the openssl command, which told
me it is OK. I'm lost. Can you help me?
Thanks in advance,
Regards,
Gilles
LDAP Crash while replication
by Andi Gorhan
Hello,
I configured two Master LDAP servers and everything works perfectly with replication.
The database contains 10 000 entries.
Now I want to simulate a server break, so I stopped LDAP while adding 100 LDAP entries (30000-30099)
via ldapadd. All entries are available on both Masters (so replication works) except the last
entry before LDAP broke down (entry 30050). So on Master 1 all entries until 30050 are available, on Master
2 all entries are available until 30049. LDAP was not able to sync it before breaking down. That is ok.
Then I brought LDAP back on Master 1 and the last entry (30050) was synced by LDAP to
Master 2. All seems to work perfectly, but now I looked into the debug log and LDAP on Master
2 is rescanning the whole database:
...
entry_decode: "uid=339,dc=local,dc=de"
<= entry_decode(uid=339,dc=local,dc=de)
entry_decode: "uid=340,dc=local,dc=de"
<= entry_decode(uid=340,dc=local,dc=de)
...
Is that normal? It takes a long, long time. In the future I will
have millions of users and a rescan would cost much time. Is it possible to avoid this
behaviour of LDAP?
Does anybody have experience with that?
Thank you,
Andi
Race condition when using slapo-unique?
by Magne Land
Hi,
I am using OpenLDAP 2.3.43 with BDB 4.5.20 and recently encountered a
problem where two different entries were created with the same mail
attribute value.
The problem is that the mail attribute was defined as unique in slapd.conf:
index mail eq,sub
overlay unique
unique_attributes mail
The two similar entries were created about 300 milliseconds apart. To add to
the confusion, an ldapsearch for the same mail value occurred at roughly
the same time.
So far I have not been able to reproduce this, which indicates that it is a
race condition.
I hope someone can help me, or direct me to some documentation.
Regards,
Magne Land
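The post describes the classic check-then-act pattern: a search for the mail value and a subsequent add that are not one indivisible step. The block below is an added example, my code rather than Magne's, and it makes no claim about how slapo-unique itself is implemented. It is a deterministic model of that pattern: a tiny scheduler advances two adds of the same constructed mail value step by step, showing that the naive form admits a duplicate when both checks run before either add, while the form that checks and inserts in one step rejects the second add. The DNs and the mail value are constructed samples.

```python
# Added example (not from the original post or from OpenLDAP): a deterministic
# model of a check-then-add uniqueness race and of its atomic counterpart.
# It does not describe how slapo-unique is implemented; it shows why a
# uniqueness guarantee must be enforced in the same indivisible step as the add.

from typing import Callable, Dict, Generator, List, Tuple

# Constructed sample data: two add requests that share one mail value.
DN_A, DN_B = "uid=a,dc=example,dc=com", "uid=b,dc=example,dc=com"
SHARED_MAIL = "someone@example.com"


class Directory:
    """Toy entry store keyed by DN; each method is one indivisible step."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}  # dn -> mail

    def has_mail(self, mail: str) -> bool:
        return mail in self.entries.values()

    def put(self, dn: str, mail: str) -> None:
        self.entries[dn] = mail

    def put_if_mail_absent(self, dn: str, mail: str) -> bool:
        """Check and insert in one step, as a unique index or a held lock would."""
        if self.has_mail(mail):
            return False
        self.entries[dn] = mail
        return True

    def duplicate_mails(self) -> List[str]:
        mails = list(self.entries.values())
        return sorted({m for m in mails if mails.count(m) > 1})


# Each operation is a generator: code between two yields runs without
# interruption, and every yield is a point where another operation may run.
Op = Generator[None, None, bool]


def naive_add(store: Directory, dn: str, mail: str) -> Op:
    """Search for the mail, then add in a separate step: a TOCTOU window."""
    if store.has_mail(mail):
        return False
    yield  # another client's add can land here
    store.put(dn, mail)
    return True


def atomic_add(store: Directory, dn: str, mail: str) -> Op:
    """Check and add as one step; the yield afterwards opens no window."""
    ok = store.put_if_mail_absent(dn, mail)
    yield
    return ok


def run_interleaved(ops: List[Op]) -> List[bool]:
    """Round-robin scheduler: advance each operation one step per turn."""
    results: List[bool] = [False] * len(ops)
    active = list(enumerate(ops))
    while active:
        still_running = []
        for index, op in active:
            try:
                next(op)
                still_running.append((index, op))
            except StopIteration as finished:
                results[index] = finished.value
        active = still_running
    return results


def scenario(add: Callable[[Directory, str, str], Op]) -> Tuple[List[bool], List[str]]:
    """Two near-simultaneous adds of one mail value: (per-op outcome, duplicate mails)."""
    store = Directory()
    ops = [add(store, DN_A, SHARED_MAIL), add(store, DN_B, SHARED_MAIL)]
    results = run_interleaved(ops)
    return results, store.duplicate_mails()


if __name__ == "__main__":
    print("naive :", scenario(naive_add))   # both adds succeed, duplicate created
    print("atomic:", scenario(atomic_add))  # second add rejected
```

The scheduler is what makes the race reproducible: the interleaving that real clients hit only by luck (here, 300 milliseconds apart) is forced on every run, which is also how such a window is best regression-tested once a fix is in place.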
64bit compile fails on Solaris 10
by John Center
Hi,
I'm trying to compile OpenLDAP v2.4.13 on Solaris 10 using Sun Studio
12. Everything is building fine until it gets to slapd itself. It
fails linking .libs/slapdS.o:
rm -f .libs/slapd.nm .libs/slapd.nmS .libs/slapd.nmT
creating .libs/slapdS.c
(cd .libs && cc -c "slapdS.c")
rm -f .libs/slapdS.c .libs/slapd.nm .libs/slapd.nmS .libs/slapd.nmT
cc -g -fast -fsimple=0 -fns=no -xtarget=ultraT1 -xarch=sparcvis2 -m64
-xipo -mt -xcode=pic32 -xpagesize=default -xlic_lib=sunperf
.libs/slapdS.o -o .libs/slapd
main.o globals.o bconfig.o config.o daemon.o connection.o search.o
filter.o add.o cr.o attr.o entry.o backend.o backends.o result.o
operation.o dn.o compare.o modify.o delete.o modrdn.o ch_malloc.o
value.o ava.o bind.o unbind.o abandon.o filterentry.o phonetic.o acl.o
str2filter.o aclparse.o init.o user.o lock.o controls.o extended.o
passwd.o schema.o schema_check.o schema_init.o schema_prep.o
schemaparse.o ad.o at.o mr.o syntax.o oc.o saslauthz.o oidm.o starttls.o
index.o sets.o referral.o root_dse.o sasl.o module.o mra.o mods.o
sl_malloc.o zn_malloc.o limits.o operational.o matchedValues.o cancel.o
syncrepl.o backglue.o backover.o ctxcsn.o ldapsync.o frontend.o
slapadd.o slapcat.o slapcommon.o slapdn.o slapindex.o slappasswd.o
slaptest.o slapauth.o slapacl.o component.o aci.o alock.o txn.o
version.o -xarch=v9 -L/opt/python2/lib/sparcv9 -L/opt/perl5/lib/sparcv9
-L/opt/heimdal/lib/sparcv9 -L/opt/db/lib/sparcv9 -L/opt/gnu/lib/sparcv9
-L/opt/local/lib/sparcv9 -L/usr/sfw/lib/sparcv9 -L/usr/lib/sparcv9
libbackends.a liboverlays.a ../../libraries/liblunicode/liblunicode.a
../../libraries/librewrite/librewrite.a
../../libraries/liblutil/liblutil.a
../../libraries/libldap_r/.libs/libldap_r.so
/opt/ws/dists/Services/openldap-2.4.13/libraries/liblber/.libs/liblber.so
-L/opt/db/lib ../../libraries/liblber/.libs/liblber.so -mt
/opt/gnu/lib/sparcv9/libltdl.so /opt/db/lib/sparcv9/libdb-4.7.so
-L/opt/tcl/lib/sparcv9 -lrt -L/opt/SUNWspro/prod/lib/v9
-L/usr/ccs/lib/sparcv9 -L/opt/AS/perl5/lib/CORE -lperl -ldl
-lm -lpthread -licuuc -licudata -lsasl /opt/heimdal/lib/libgssapi.so
/opt/heimdal/lib/libheimntlm.so /opt/heimdal/lib/libkrb5.so
/opt/heimdal/lib/libhx509.so /opt/heimdal/lib/libwind.so -ldoor
/opt/heimdal/lib/libhcrypto.so /opt/heimdal/lib /libasn1.so
/opt/heimdal/lib/libcom_err.so /opt/heimdal/lib/libroken.so -ldb-4 -
lssl -lcrypto -lresolv -lgen -lnsl -lsocket -ldb -lumem
-R/opt/openldap/lib/sparcv9 -R/opt/gnu/lib/sparcv9 -R/opt/db/lib/sparcv9
-R/opt/heimdal/lib -R/opt/python2/lib/sparcv9 -R/opt/perl5/lib/sparcv9
-R/opt/heimdal/lib/sparcv9 -R/opt/local/lib/sparcv9
-R/usr/sfw/lib/sparcv9 -R/usr/lib/sparcv9 -R/opt/AS/perl5/lib/CORE
cc: Warning: -xarch=v9 is deprecated, use -m64 to create 64-bit programs
ld: fatal: file .libs/slapdS.o: wrong ELF class: ELFCLASS32
I think slapdS.c is generated dynamically by ltmain.sh, seen in the line:
(cd .libs && cc -c "slapdS.c")
I don't know what slapdS.c does, but I think "-m64" needs to be passed
to cc here; unfortunately I don't know how to do it. I've searched
through the mail archives w/o much luck. Could someone please explain
to me what I'm missing?
Thanks.
-John
--
John Center
Villanova University
Configuration of slapo-rwm with cn=config scheme
by Master_Proper@gmx.de
Dear all,
I am currently trying to figure out how to configure the slapo-rwm overlay with the cn=config scheme. So far I was unable to find any documentation on this. The only way I could help myself is by using a "fake" slapd-conf file and converting it with slaptest -f fake.slapd.conf -F testconfig.d/
What I managed to do:
1. I created a file with the following content:
$ cat rwm_moduleLoad.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm.so
and loaded it with ldapmodify -D "cn=admin,cn=config" -x -W -f rwm_moduleLoad.ldif
2. I tried to do the same with this file:
$ cat rwm_activate.ldif
dn: olcOverlay=rwm,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine "on"
olcRwmRewrite: rwm-rewriteMap "ldap" "attr2dn" "ldap://localhost/o=org?dn?sub"
olcRwmRewrite: rwm-rewriteContext "bindDN"
olcRwmRewrite: rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
olcRwmTFSupport: no
olcRwmNormalizeMapped: FALSE
When I wanted to add this file with ldapadd -D "cn=admin,cn=config" -x -W -f rwm_activate.ldif the following error message was returned:
adding new entry "olcOverlay=rwm,olcDatabase={1}hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcRwmRewrite> handler exited with 1
Adding a file with only the following content succeeded:
$ cat rwm_activate.ldif
dn: olcOverlay=rwm,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
Can anybody help me on how to proceed? My goal is to get the sample configuration from the slapo-rwm man page working, which rewrites the bindDN if an email address is given.
I am using
@(#) $OpenLDAP: slapd 2.4.11 (Oct 24 2008 23:44:05) $
buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
- the standard build on Ubuntu 8.10 (Intrepid Ibex).
Thanks in advance for your support!
Best regards,
Proper