Linuxtag 2009
by Dieter Kluenter
Hi,
same procedure as every year.
I am calling for volunteers at Linuxtag
http://www.linuxtag.org/2009
As in the last 5 years, the OpenLDAP Project will have a booth. I
would appreciate one to two volunteers.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
Another Lock Table question
by Sn!per
db-4.5.20
openldap-2.3.39
This is the first time that I noticed the message "Lock table is out
of available locker entries" in my ldap.log file.
I googled for help and found this link:
http://www.openldap.org/faq/data/cache/893.html . Unfortunately those
explanations are very alien to me. While reading some other links from
the Google search, I decided to try putting these lines into my
DB_CONFIG and restarted slapd
set_lk_max_locks 8000
set_lk_max_lockers 8000
set_lk_max_objects 8000
(heck I don't have the slightest clue what they are for)
All applications that are dependent on ldap are now working. Is there
a possibility that I will encounter this same problem again in
the future? If yes, is there anything that I can do to totally
eliminate it?
I really appreciate all help. TIA.
--
Roger
--
Sign Up for free Email at http://ureg.home.net.my/
Re: Application data is sent but not received in OpenLDAP server in case of SSL session reuse
by Chris G. Sellers
I'm not sure the slapd.logs will show that. You will want to do a
network trace on the TCP port you are using and see if the connection
is closed by the TCP stack by one side or the other and your
application tries to re-use that TCP connection but it's closed on the
server side.
On Feb 9, 2009, at 11:14 AM, Krisztian Nagy-Varga wrote:
> Hi,
>
> Thanks for your reply.
> I am not able to upgrade the openldap version to a higher one.
>
> From the slapd logs I see that this case (your client has left a
> connection open but the server (TCP) has closed the session and has
> not told the client to close the TCP session) does not occur. There
> is another problem.
>
> The following are the LDAP and SSL libraries used by the client
> program:
> - iPlanet LDAP SDK for C, version 5.0
> - OpenSSL 0.9.7
> Krisztián Nagy-Varga
>
> Software Developer
>
>
>
> Ericsson Hungary Ltd.
>
>
> Chris G. Sellers wrote:
>>
>> OpenLDAP 2.0 is very old (circa 2000) and being 9 years old is
>> going to give you problems.
>>
>> It sounds like your problem is session based, and it may be your
>> client has left a connection open but the server (TCP) has closed
>> the session and has not told the client to close the TCP session.
>>
>> First step for you - upgrade.
>>
>> Sellers
>>
>>
>>
>> On Feb 9, 2009, at 3:33 AM, Krisztian Nagy-Varga wrote:
>>
>>> My server uses
>>> - openldap 2.0.6
>>> - openssl 0.9.6
>>
>>
Application data is sent but not received in OpenLDAP server in case of SSL session reuse
by Krisztian Nagy-Varga
1 1 0.0091 (0.0091) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
2 1 0.0023 (0.0023) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
1 2 0.0247 (0.0156) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
49 6d 8b ae 50 0a 42 8c 73 ef 03 04 40 e1 97 dd
f0 2c ac 0e 75 d0 5c 04 49 1d b6 69 4f c6 b1 98
session_id[32]=
a6 a2 aa 1a d7 e8 4e 0a 9b ee 29 6c 32 ca 25 ed
31 7c 33 1c c8 48 d4 15 d8 aa f9 cb 29 af 14 55
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
1 3 0.0247 (0.0000) S>CV3.1(812) Handshake
Certificate
1 4 0.0247 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
1 5 0.0327 (0.0080) C>SV3.1(134) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[128]=
1 6 0.0327 (0.0000) C>SV3.1(1) ChangeCipherSpec
1 7 0.0327 (0.0000) C>SV3.1(32) Handshake
3 1 0.0016 (0.0016) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
2 2 0.0261 (0.0238) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
49 6d 8b ae 86 b8 76 42 3b c3 26 c0 10 11 04 ab
dd e3 fb 11 43 32 bb 68 d0 67 87 fc e6 32 d1 e8
session_id[32]=
a2 1b 05 9d c2 f4 b6 df 03 6a 6a 51 8e de eb d9
67 f4 49 77 bb 4d f5 f7 75 89 38 b3 67 93 2e c9
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
2 3 0.0261 (0.0000) S>CV3.1(812) Handshake
Certificate
2 4 0.0261 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
2 5 0.0328 (0.0066) C>SV3.1(134) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[128]=
2 6 0.0328 (0.0000) C>SV3.1(1) ChangeCipherSpec
2 7 0.0328 (0.0000) C>SV3.1(32) Handshake
4 1 0.0017 (0.0017) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
1 8 0.0597 (0.0270) S>CV3.1(1) ChangeCipherSpec
1 9 0.0597 (0.0000) S>CV3.1(32) Handshake
1 10 0.0606 (0.0008) C>SV3.1(79) application_data
2 8 0.0698 (0.0369) S>CV3.1(1) ChangeCipherSpec
2 9 0.0698 (0.0000) S>CV3.1(32) Handshake
2 10 0.0708 (0.0010) C>SV3.1(79) application_data
4 2 0.0608 (0.0591) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
49 6d 8b ae a3 f2 91 29 54 95 6f 92 1b 9b a8 b6
ba 7c 4d c3 23 c4 39 1a 56 9f d5 4f 9a b6 a4 5b
session_id[32]=
fc 04 15 44 52 af 17 f3 98 6c 15 ac e2 06 6f ce
e7 b7 31 a0 80 1a d0 60 61 36 fb 46 a6 24 10 b6
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
4 3 0.0608 (0.0000) S>CV3.1(812) Handshake
Certificate
4 4 0.0608 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
3 2 0.0708 (0.0691) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
49 6d 8b ae dc d4 d3 2c 5c a2 ea aa 34 9d 75 34
6d 22 92 67 8c 89 fd b1 96 b7 3f 0d 8b bb 43 f8
session_id[32]=
a3 3a 09 ba b5 4c f3 b2 67 be 4d 09 4a c2 b4 16
68 e9 f6 2c 3f 99 f1 68 73 0f 43 0b cb 19 f9 50
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
3 3 0.0708 (0.0000) S>CV3.1(812) Handshake
Certificate
3 4 0.0708 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
4 5 0.0688 (0.0080) C>SV3.1(134) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[128]=
4 6 0.0688 (0.0000) C>SV3.1(1) ChangeCipherSpec
4 7 0.0688 (0.0000) C>SV3.1(32) Handshake
1 11 0.1204 (0.0597) S>CV3.1(30) application_data
3 5 0.0789 (0.0080) C>SV3.1(134) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[128]=
3 6 0.0789 (0.0000) C>SV3.1(1) ChangeCipherSpec
3 7 0.0789 (0.0000) C>SV3.1(32) Handshake
2 11 0.1251 (0.0543) S>CV3.1(30) application_data
3 8 0.1083 (0.0293) S>CV3.1(1) ChangeCipherSpec
3 9 0.1083 (0.0000) S>CV3.1(32) Handshake
3 10 0.1094 (0.0011) C>SV3.1(79) application_data
4 8 0.1080 (0.0391) S>CV3.1(1) ChangeCipherSpec
4 9 0.1080 (0.0000) S>CV3.1(32) Handshake
4 10 0.1087 (0.0007) C>SV3.1(79) application_data
3 11 0.1487 (0.0393) S>CV3.1(30) application_data
4 11 0.1632 (0.0544) S>CV3.1(30) application_data
1 12 1.4420 (1.3216) C>SV3.1(23) application_data
1 13 1.4427 (0.0006) C>SV3.1(18) Alert
1 1.4427 (0.0000) C>S TCP FIN
5 1 0.0016 (0.0016) C>SV3.1(103) Handshake
ClientHello
Version 3.1
random[32]=
00 00 71 1e ea 5c b1 67 fd 45 ce 44 3b e1 f6 47
a8 c4 27 f6 9c 65 37 9e a7 ef fe c1 bb 18 00 5d
resume [32]=
a6 a2 aa 1a d7 e8 4e 0a 9b ee 29 6c 32 ca 25 ed
31 7c 33 1c c8 48 d4 15 d8 aa f9 cb 29 af 14 55
cipher suites
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
compression methods
NULL
1 14 1.4526 (0.0099) S>CV3.1(18) Alert
1 1.4527 (0.0000) S>C TCP FIN
2 12 1.4419 (1.3167) C>SV3.1(23) application_data
2 13 1.4425 (0.0006) C>SV3.1(18) Alert
2 1.4425 (0.0000) C>S TCP FIN
3 12 1.4204 (1.2717) C>SV3.1(23) application_data
6 1 0.0014 (0.0014) C>SV3.1(103) Handshake
ClientHello
Version 3.1
random[32]=
00 00 71 1e ff cc 94 cc 92 b2 21 2a e7 db 67 95
93 28 3c e1 75 96 0b 2a f0 7d f8 be f0 d0 70 f6
resume [32]=
a2 1b 05 9d c2 f4 b6 df 03 6a 6a 51 8e de eb d9
67 f4 49 77 bb 4d f5 f7 75 89 38 b3 67 93 2e c9
cipher suites
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
compression methods
NULL
3 13 1.4210 (0.0006) C>SV3.1(18) Alert
3 1.4210 (0.0000) C>S TCP FIN
7 1 0.0014 (0.0014) C>SV3.1(103) Handshake
ClientHello
Version 3.1
random[32]=
00 00 71 1e 2b ec d0 0d 45 c7 3c 34 34 50 66 fc
62 3a 96 15 2b c9 b7 78 dd 61 22 6c 31 a5 5a 3e
resume [32]=
a3 3a 09 ba b5 4c f3 b2 67 be 4d 09 4a c2 b4 16
68 e9 f6 2c 3f 99 f1 68 73 0f 43 0b cb 19 f9 50
cipher suites
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
compression methods
NULL
2 14 1.4529 (0.0104) S>CV3.1(18) Alert
4 12 1.4346 (1.2714) C>SV3.1(23) application_data
4 13 1.4352 (0.0005) C>SV3.1(18) Alert
4 1.4352 (0.0000) C>S TCP FIN
8 1 0.0013 (0.0013) C>SV3.1(103) Handshake
ClientHello
Version 3.1
random[32]=
00 00 71 1e 1d 53 08 8f 7b 01 5f b5 a4 1e ee e0
38 77 9e dd c9 d9 50 0d e7 cf 29 2d 74 7f ec ba
resume [32]=
fc 04 15 44 52 af 17 f3 98 6c 15 ac e2 06 6f ce
e7 b7 31 a0 80 1a d0 60 61 36 fb 46 a6 24 10 b6
cipher suites
TLS_DHE_DSS_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xfefe
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
compression methods
NULL
3 14 1.4487 (0.0277) S>CV3.1(18) Alert
3 1.4488 (0.0000) S>C TCP FIN
4 14 1.4594 (0.0241) S>CV3.1(18) Alert
4 1.4594 (0.0000) S>C TCP FIN
5 2 0.0778 (0.0761) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
49 6d 8b af 42 17 bc 06 4f e8 7f 23 10 9c c8 07
97 31 c6 36 33 04 62 16 8e 9e e1 df 7d 29 67 1d
session_id[32]=
a6 a2 aa 1a d7 e8 4e 0a 9b ee 29 6c 32 ca 25 ed
31 7c 33 1c c8 48 d4 15 d8 aa f9 cb 29 af 14 55
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
5 3 0.0778 (0.0000) S>CV3.1(1) ChangeCipherSpec
5 4 0.0778 (0.0000) S>CV3.1(32) Handshake
5 5 0.0796 (0.0018) C>SV3.1(1) ChangeCipherSpec
5 6 0.0796 (0.0000) C>SV3.1(32) Handshake
5 7 0.0796 (0.0000) C>SV3.1(79) application_data
5 8 0.0803 (0.0006) C>SV3.1(626) application_data
7 2 0.0718 (0.0703) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
49 6d 8b af c2 71 62 1e ad 23 c4 60 af 71 54 ee
2c 33 8f 55 de d5 13 46 9d 30 aa c5 2e 55 54 7e
session_id[32]=
a3 3a 09 ba b5 4c f3 b2 67 be 4d 09 4a c2 b4 16
68 e9 f6 2c 3f 99 f1 68 73 0f 43 0b cb 19 f9 50
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
7 3 0.0718 (0.0000) S>CV3.1(1) ChangeCipherSpec
7 4 0.0718 (0.0000) S>CV3.1(32) Handshake
7 5 0.0736 (0.0018) C>SV3.1(1) ChangeCipherSpec
7 6 0.0736 (0.0000) C>SV3.1(32) Handshake
7 7 0.0736 (0.0000) C>SV3.1(79) application_data
7 8 0.0743 (0.0006) C>SV3.1(626) application_data
6 2 0.1089 (0.1075) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
49 6d 8b af ec 94 f0 14 b8 88 5e cf d7 02 3d b7
04 7e cf d8 a2 f5 e3 76 e3 1c 55 66 9a bd 9d c5
session_id[32]=
a2 1b 05 9d c2 f4 b6 df 03 6a 6a 51 8e de eb d9
67 f4 49 77 bb 4d f5 f7 75 89 38 b3 67 93 2e c9
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
6 3 0.1089 (0.0000) S>CV3.1(1) ChangeCipherSpec
6 4 0.1089 (0.0000) S>CV3.1(32) Handshake
6 5 0.1107 (0.0017) C>SV3.1(1) ChangeCipherSpec
6 6 0.1107 (0.0000) C>SV3.1(32) Handshake
6 7 0.1107 (0.0000) C>SV3.1(79) application_data
6 8 0.1113 (0.0006) C>SV3.1(626) application_data
8 2 0.1051 (0.1038) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
49 6d 8b af 66 e0 90 55 c2 9b 48 5d 15 f0 6e 02
33 58 b6 4d 8a 31 ca 7a 8f 93 2e af 14 e5 f4 e2
session_id[32]=
fc 04 15 44 52 af 17 f3 98 6c 15 ac e2 06 6f ce
e7 b7 31 a0 80 1a d0 60 61 36 fb 46 a6 24 10 b6
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
8 3 0.1051 (0.0000) S>CV3.1(1) ChangeCipherSpec
8 4 0.1051 (0.0000) S>CV3.1(32) Handshake
8 5 0.1069 (0.0017) C>SV3.1(1) ChangeCipherSpec
8 6 0.1069 (0.0000) C>SV3.1(32) Handshake
8 7 0.1069 (0.0000) C>SV3.1(79) application_data
8 8 0.1076 (0.0006) C>SV3.1(626) application_data
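The capture above is ssldump's text output. The script below is an added example (not from the original post, and not OpenLDAP or ssldump code) that parses that layout, pairs each resumed connection with the earlier connection whose ServerHello issued the session id, and lists the connections where client application_data never got any server application_data back. Its embedded sample is a constructed, shortened trace in the same layout; the full capture can be fed to `parse_trace` unchanged.

```python
"""Per-connection summary of an ssldump text trace (added example, not code
from the original post): which connections resumed an earlier session and
which sent application_data that the server never answered."""
import re
from collections import defaultdict

# Record header, e.g. "1 10 0.0606 (0.0008) C>SV3.1(79) application_data"
# or "1 1.4427 (0.0000) C>S TCP FIN" (TCP events carry no record number).
HEADER = re.compile(r"^(\d+)\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+(C>S|S>C)\s*(.*)$")
BODY = re.compile(r"V3\.\d\((\d+)\)\s+(\w+)")    # "(<len>) <record type>"
HEX_LINE = re.compile(r"^(?:[0-9a-f]{2}\s+){1,15}[0-9a-f]{2}$")


def parse_trace(text):
    """Return {conn_id: counters}, including the hex session id issued by the
    ServerHello and the hex id the ClientHello asked to resume (or None)."""
    conns = defaultdict(lambda: {"resume": None, "session_id": None,
                                 "c2s_bytes": 0, "s2c_bytes": 0,
                                 "c2s_records": 0, "s2c_records": 0})
    conn, pending = None, None        # pending: hex field being collected
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            conn, pending = conns[int(m.group(1))], None
            body = BODY.match(m.group(3))   # None for SSLv2 hello / TCP FIN
            if body and body.group(2) == "application_data":
                key = "c2s" if m.group(2) == "C>S" else "s2c"
                conn[key + "_bytes"] += int(body.group(1))
                conn[key + "_records"] += 1
        elif conn is None:
            continue                      # text before the first record
        elif line.startswith("session_id["):
            pending, conn["session_id"] = "session_id", ""
        elif line.startswith("resume ["):
            pending, conn["resume"] = "resume", ""
        elif pending and HEX_LINE.match(line):
            conn[pending] += line.replace(" ", "")   # hex dump continues
        else:
            pending = None                # any other sub-line ends the dump
    return dict(conns)


def resumed_from(conns):
    """Map each connection the server let resume (ServerHello echoed the id
    the client offered) to the earlier connection that was issued that id."""
    issued = {c["session_id"]: cid                   # earliest issuer wins
              for cid, c in sorted(conns.items(), reverse=True)
              if c["resume"] is None and c["session_id"]}
    return {cid: issued[c["resume"]] for cid, c in conns.items()
            if c["resume"] and c["resume"] == c["session_id"]
            and c["resume"] in issued}


def unanswered(conns):
    """Ids where the client sent application_data and the server sent none."""
    return sorted(cid for cid, c in conns.items()
                  if c["c2s_records"] and not c["s2c_records"])


# Constructed excerpt in ssldump's layout: conn 1 does a full handshake and
# is answered; conn 5 resumes conn 1's session, sends twice, gets nothing.
SAMPLE = """\
1 1 0.0091 (0.0091) C>S SSLv2 compatible client hello
1 2 0.0247 (0.0156) S>CV3.1(74) Handshake
  ServerHello
  session_id[32]=
    a6 a2 aa 1a d7 e8 4e 0a 9b ee 29 6c 32 ca 25 ed
    31 7c 33 1c c8 48 d4 15 d8 aa f9 cb 29 af 14 55
1 10 0.0606 (0.0008) C>SV3.1(79) application_data
1 11 0.1204 (0.0597) S>CV3.1(30) application_data
1 1.4427 (0.0000) C>S TCP FIN
5 1 0.0016 (0.0016) C>SV3.1(103) Handshake
  ClientHello
  resume [32]=
    a6 a2 aa 1a d7 e8 4e 0a 9b ee 29 6c 32 ca 25 ed
    31 7c 33 1c c8 48 d4 15 d8 aa f9 cb 29 af 14 55
5 2 0.0778 (0.0761) S>CV3.1(74) Handshake
  ServerHello
  session_id[32]=
    a6 a2 aa 1a d7 e8 4e 0a 9b ee 29 6c 32 ca 25 ed
    31 7c 33 1c c8 48 d4 15 d8 aa f9 cb 29 af 14 55
5 7 0.0796 (0.0000) C>SV3.1(79) application_data
5 8 0.0803 (0.0006) C>SV3.1(626) application_data
"""
```

Calling `unanswered(parse_trace(SAMPLE))` returns `[5]`, and `resumed_from` reports that connection 5 reused the id connection 1 was issued.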
syncrepl "be_modify failed (80)"
by manu@netbsd.org
From time to time, syncrepl breaks on the replica, with this in the
logs:
slapd[1737]: null_callback : error code 0x50
slapd[1737]: syncrepl_entry: rid=017 be_modify failed (80)
slapd[1737]: do_syncrepl: rid=017 retrying
code 80 is LDAP_OTHER, which is not very insightful. The only way to get
syncrepl working again is to wipe out the database and restart slapd.
Being out of sync is not very pleasant, but there is worse: when several
replicas are harassing the master with syncrepl requests, it tends to
die horribly, with stuff like this:
1) assertion "c->c_conn_state == SLAP_C_CLOSING" failed: file
"connection.c", line 787, function "connection_close"
2) assertion "c->c_struct_state == SLAP_C_USED" failed: file
"connection.c", line 680, function "connection_state_closing"
3) slapd: Error detected by libpthread: Invalid mutex. Detected by file
"/home/builds/ab/netbsd-4/src/lib/libpthread/pthread_mutex.c", line
295, function "pthread_mutex_trylock".
I end up with a hung slapd that I can only get rid of with a kill -9.
All of this happens with 2.4.13. Are these known bugs?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
SASL digest-md5 Authentication and ACL
by Oscar Plameras
I'm running slapd 2.4.12 on fedora10.
I can't figure out where to continue looking after trying for 3 days.
When no ACLs are inserted into slapd.conf, as in Test 1, Simple Bind with
SASL succeeds.
When I inserted ACLs into slapd.conf, as in Test 2, Simple Bind with SASL fails.
Simple Bind without SASL succeeds in Test 1 and Test 2.
I have two test setups. The difference: test 1 has NO ACL and test 2 has ACL.
Test No. 1
1.1. bare-bones slapd.conf
1.2. SASL
1.3.1 #ldapsearch -x -D "cn=Jose
Gonales,ou=people,dc=example,dc=com,dc=au" -w jsh0rt -LLL
1.3.2 #ldapsearch -Y digest-md5 -U jshort -w jsh0rt -LLL
1.3.1 successful
1.3.2 successful
Test No. 2
2.1. bare-bones slapd.conf
2.2. SASL
2.3. ACL
2.4.1 #ldapsearch -x -D "cn=Jose
Gonales,ou=people,dc=example,dc=com,dc=au" -w jsh0rt -LLL
2.4.2 #ldapsearch -Y digest-md5 -U jshort -w jsh0rt -LLL
Test 2.4.1 successful
Test 2.4.2 Not successful
with the following message
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
Test 1 slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#
TLSCACertificateFile /etc/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/newkey.pem
password-hash {CLEARTEXT}
#
authz-regexp "uid=([^,]*),cn=digest-md5,cn=auth"
"ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
authz-regexp "uid=([^,]*),cn=cram-md5,cn=auth"
"ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
#
database bdb
suffix "dc=example,dc=com,dc=au"
rootdn "cn=Manager,dc=example,dc=com,dc=au"
rootpw secret
directory /var/lib/ldap
database monitor
#
Test 2 slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#
TLSCACertificateFile /etc/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/newkey.pem
password-hash {CLEARTEXT}
#
# ACL1
access to attrs=userpassword
by self write
by anonymous auth
by group.exact="cn=admingroup,ou=groups,dc=example,dc=com,dc=au" write
by * none
# ACL2
access to attrs=carlicense,homepostaladdress,homephone
by self write
by group.exact="cn=salesgroup,ou=groups,dc=example,dc=com,dc=au" write
by * none
# ACL3
access to *
by self write
by group.exact="cn=itgroup,ou=groups,dc=example,dc=com,dc=au" write
by users read
by * none
#
authz-regexp "uid=([^,]*),cn=digest-md5,cn=auth"
"ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
authz-regexp "uid=([^,]*),cn=cram-md5,cn=auth"
"ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
#
database bdb
suffix "dc=example,dc=com,dc=au"
rootdn "cn=Manager,dc=example,dc=com,dc=au"
rootpw secret
directory /var/lib/ldap
database monitor
Here's my ldif
dn: dc=example,dc=com,dc=au
dc: example
description: Example, Pty Ltd.
objectClass: dcObject
objectClass: organization
o: Example, Inc.
dn: ou=people,dc=example,dc=com,dc=au
ou: people
description: All people in organisation
objectClass: organizationalUnit
dn: cn=John Short,ou=people,dc=example,dc=com,dc=au
objectClass: inetOrgPerson
cn: John Short
cn: John R Short
cn: Johnny Short
sn: short
uid: jshort
userPassword:: anNoMHJ0
carLicense: BCW-25F
homePhone: 029686822
mail: j.short(a)example.com.au
mail: jshort(a)example.com.au
mail: johnny.short(a)example.com.au
description:: TWFuYWdlciA=
ou: admingroup
dn: cn=Jose Gonzales,ou=people,dc=example,dc=com,dc=au
objectClass: inetOrgPerson
cn: Jose Gonzales
cn: Jose G Gonzales
sn: Gonzales
uid: jgonzales
userPassword:: amcwbnpv
carLicense: SGO 124
homePhone: 555-111-2223
mail: j.gonzales(a)example.com.au
mail: jgonzales(a)example.com.au
mail: jose.gonzales(a)example.com.au
ou: salesgroup
dn: cn=Shanana Gonzales,ou=people,dc=example,dc=com,dc=au
objectClass: inetOrgPerson
cn: Shanana Gonzales
sn: gonzales
uid: sgonzales
userPassword:: c2cwbnpv
carLicense: SGO 125
homePhone: 555-111-2225
mail: s.gonzales(a)example.com.au
mail: sgonzales(a)example.com.au
mail: shanana.gonzales(a)example.com.au
ou: itgroup
dn: ou=groups,dc=example,dc=com,dc=au
objectClass: organizationalUnit
ou: groups
description:: Z3JvdXBzIA==
dn: cn=admingroup,ou=groups,dc=example,dc=com,dc=au
objectClass: groupOfNames
cn: admingroup
description: Administration
member: cn=John Short,ou=people,dc=example,dc=com,dc=au
dn: cn=salesgroup,ou=groups,dc=example,dc=com,dc=au
objectClass: groupOfNames
cn: salesgroup
description: Sales group
member: cn=Jose Gonzales,ou=people,dc=example,dc=com,dc=au
alias container?
by James Bagley
Maybe a stupid question, but can you alias a container object?
One of the State's agencies changed its name. I want to be able to
alias the old name to the new one so searches on the old agency name
still work. I tried creating the following record, which worked, but
didn't have the desirable result:
# prd.state.or.us
dn: dc=prd,dc=state,dc=or,dc=us
dc: prd
objectClass: top
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: dc=oprd,dc=state,dc=or,dc=us
The container object is:
# oprd.state.or.us
dn: dc=oprd,dc=state,dc=or,dc=us
dc: oprd
objectClass: domain
objectClass: top
description: Oregon Department of Parks and Recreation
o: Parks and Recreation
Possibly there is a better way to accomplish this?
The desired end result is to be able to do:
ldapsearch -b 'dc=prd,dc=state,dc=or,dc=us' -s sub
Thanks!
-james
ACL Question
by Tim Gustafson
Hi,
I have the following in my slapd.conf:
access to dn.subtree="cn=log"
by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=soe,dc=ucsc,dc=edu" read
However, anyone (even unbound anonymous users) can access cn=log without any problems. I don't want anyone but ldap-admins to be able to access this subtree.
I'm thinking that I must be missing something really simple here. Am I doing something wrong? Any help is greatly appreciated.
Tim Gustafson
BSOE Webmaster
UC Santa Cruz
tjg(a)soe.ucsc.edu
831-459-5354
Initializing cn=config from existing multi-master setup via syncrepl - "glue: no superior found for"
by Thomas Chemineau
Hi all,
Same subject, but with a minor change :) For now, as I explained in a
previous mail, it seems we have a working N-Way multimaster
replication, still with some problems.
We use RE24, checked out 2 days ago.
But, even if cn=config seems to be correctly replicated, there is a
problem with gluing database declarations.
We have a primary provider. Its config backend has been initialized by
this command: slapd -f slapd.conf -F slapd.d. All works fine, no
errors. The configuration has multiple backends (8), and some are glued.
In the slapd.conf we have something like the following:
database ldap
suffix dc=example,o=test
subordinate
database bdb
suffix o=test
glue
So, in cn=config, we have:
olcDatabase={2}ldap,cn=config
olcSuffix dc=example,o=test
olcSubordinate TRUE
olcDatabase={3}bdb,cn=config
olcSuffix o=test
olcOverlay={0}glue,olcDatabase={4}bdb,cn=config
olcOverlay {0}glue
Fine. But when the new provider replicates the entire cn=config of the
primary provider, it cannot replicate this kind of configuration:
8<--------
Feb 5 10:42:37 server2 slapd[5093]: => access_allowed: add access to
"olcDatabase={2}ldap,cn=config" "entry" requested
Feb 5 10:42:37 server2 slapd[5093]: <= root access granted
Feb 5 10:42:37 server2 slapd[5093]: => access_allowed: add access
granted by manage(=mwrscxd)
Feb 5 10:42:37 server2 slapd[5093]: <= acl_access_allowed: granted to
database root
Feb 5 10:42:37 server2 slapd[5093]: => access_allowed: add access to
"cn=config" "children" requested
Feb 5 10:42:37 server2 slapd[5093]: <= root access granted
Feb 5 10:42:37 server2 slapd[5093]: => access_allowed: add access
granted by manage(=mwrscxd)
Feb 5 10:42:37 server2 slapd[5093]: >>> dnPrettyNormal:
<dc=example,o=test>
Feb 5 10:42:37 server2 slapd[5093]: <<< dnPrettyNormal:
<dc=example,o=test>, <dc=example,o=test>
Feb 5 10:42:37 server2 slapd[5093]: >>> dnPrettyNormal:
<dc=example,o=test>
Feb 5 10:42:37 server2 slapd[5093]: <<< dnPrettyNormal:
<dc=example,o=test>, <dc=example,o=test>
Feb 5 10:42:37 server2 slapd[5093]: glue: no superior found for sub
dc=example,o=test!
Feb 5 10:42:37 server2 slapd[5093]: olcSubordinate: value #0:
<olcSubordinate> handler exited with 32!
Feb 5 10:42:37 server2 slapd[5093]: send_ldap_result: conn=-1 op=0 p=0
Feb 5 10:42:37 server2 slapd[5093]: send_ldap_result: err=80 matched=""
text="<olcSubordinate> handler exited with 32"
Feb 5 10:42:37 server2 slapd[5093]: null_callback : error code 0x50
Feb 5 10:42:37 server2 slapd[5093]: syncrepl_entry: rid=001 be_add
failed (80)
Feb 5 10:42:37 server2 slapd[5093]: connection_get(12)
Feb 5 10:42:37 server2 slapd[5093]: connection_get(12): got connid=0
Feb 5 10:42:37 server2 slapd[5093]: daemon: removing 12
Feb 5 10:42:37 server2 slapd[5093]: do_syncrepl: rid=001 retrying (4
retries left)
Feb 5 10:42:37 server2 slapd[5093]: daemon: epoll: listen=7
active_threads=0 tvp=zero
Feb 5 10:42:37 arv2b slapd[5093]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Feb 5 10:42:37 arv2b slapd[5093]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Feb 5 10:42:37 arv2b slapd[5093]: daemon: epoll: listen=10
active_threads=0 tvp=zero
8<--------
Is it a bug?
I have an idea: reorder declarations into the cn=config to have
something like that:
olcDatabase={2}bdb,cn=config
olcSuffix o=test
olcOverlay={0}glue,olcDatabase={2}bdb,cn=config
olcOverlay {0}glue
olcDatabase={3}ldap,cn=config
olcSuffix dc=example,o=test
olcSubordinate TRUE
I have the first olcDatabase={2}bdb,cn=config replicated successfully.
But another problem appears: the DN of
olcOverlay={0}glue,olcDatabase={4}bdb,cn=config is not correctly
renamed, because of an unexpected "charset"? I can reproduce this
problem for all types of database. OpenLDAP complains itself and
replication does not work. Hum... but I realized that even if this "tip"
works, OpenLDAP could not be restarted correctly anymore because of the
configuration's test...
Any hints, or advice would be most appreciated.
Regards,
Thomas.
How to configure value returned for dnsHostName?
by Eli Bach
I'm using openldap-2.3.41, but even searching through the mailing
lists and the docs for v2.4, I can't see how to configure the value
that is returned by the server to a client.
A client library connecting to my server happens to make use of this
as part of its SSL verification, and it fails because it doesn't
return a value.
Digging through sources, a number of ldap clients request dnsHostName,
but I can't find where in the openldap source it would get returned.
Thx
Eli