openldap-software February 2009

openldap-software@openldap.org

48 participants
51 discussions

Linuxtag 2009
by Dieter Kluenter 10 Feb '09

10 Feb '09

Hi, same procedure as every year. I am calling for volunteers at Linuxtag http://www.linuxtag.org/2009 As in the last 5 years, the OpenLDAP Project will have a booth. I would appreciate one to two volunteers. -Dieter -- Dieter Klünter | Systemberatung http://www.dpunkt.de/buecher/2104.html sip: +49.180.1555.7770535 GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E

1 0

Another Lock Table question
by Sn!per 10 Feb '09

10 Feb '09

db-4.5.20 openldap-2.3.39 This is the first time that I noticed the message "Lock table is out of available locker entries" in my ldap.log file. I googled for help and found this link: http://www.openldap.org/faq/data/cache/893.html . Unfortunately those explaination are very alien to me. While reading some other links from the Google search, I decided to try putting these lines into my DB_CONFIG and restarted slapd set_lk_max_locks 8000 set_lk_max_lockers 8000 set_lk_max_objects 8000 (heck I don't have the slightest clue what they are for) All applications that are dependant on ldap are now working. Is/are there a possibility that I will encounter this same problem again in the future? Is yes, is there anything that I can do to totally eliminate it? I really appreciate all help. TIA. -- Roger -- Sign Up for free Email at http://ureg.home.net.my/

2 1

Re: Application data is sent but not received in OpenLDAP server in case of SSL session reuse
by Chris G. Sellers 09 Feb '09

09 Feb '09

I'm not sure the slapd.logs will show that. You will want to do a network trace on the TCP port you are using and see if the connection is closed by the TCP stack by one side or the other and your application tries to re-use that TCP connection but it's closed on the server side. On Feb 9, 2009, at 11:14 AM, Krisztian Nagy-Varga wrote: > Hi, > > Thanks for your reply. > I am not able to upgrade the openldap version to a higher one. > > From the slapd logs I see, that this case (your client has left a > connection open but the server (TCP) has closed the session and has > not told the client to close the TCP session) does not occur. There > is an other problem. > > The following are the LDAP and SSL libraries used by the client > program: > - iPlanet LDAP SDK for C, version 5.0 > - OpenSSL 0.9.7 > Krisztián Nagy-Varga > > Software Developer > > > > Ericsson Hungary Ltd. > > > Chris G. Sellers wrote: >> >> OpenLDAP 2.0 is very old (circa 2000) and being 9 years old is >> going to give you problems. >> >> It sounds like your problem is session based, and it may be your >> client has left a connection open but the server (TCP) has closed >> the session and has not told the client to close the TCP session. >> >> First step for you - upgrade. >> >> Sellers >> >> >> >> On Feb 9, 2009, at 3:33 AM, Krisztian Nagy-Varga wrote: >> >>> My server uses >>> - openldap 2.0.6 >>> - openssl 0.9.6 >> >>

1 0

Application data is sent but not received in OpenLDAP server in case of SSL session reuse
by Krisztian Nagy-Varga 09 Feb '09

09 Feb '09

1 1 0.0091 (0.0091) C>S SSLv2 compatible client hello Version 3.1 cipher suites TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 2 1 0.0023 (0.0023) C>S SSLv2 compatible client hello Version 3.1 cipher suites TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 1 2 0.0247 (0.0156) S>CV3.1(74) Handshake ServerHello Version 3.1 random[32]= 49 6d 8b ae 50 0a 42 8c 73 ef 03 04 40 e1 97 dd f0 2c ac 0e 75 d0 5c 04 49 1d b6 69 4f c6 b1 98 session_id[32]= a6 a2 aa 1a d7 e8 4e 0a 9b ee 29 6c 32 ca 25 ed 31 7c 33 1c c8 48 d4 15 d8 aa f9 cb 29 af 14 55 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 1 3 0.0247 (0.0000) S>CV3.1(812) Handshake Certificate 1 4 0.0247 (0.0000) S>CV3.1(4) Handshake ServerHelloDone 1 5 0.0327 (0.0080) C>SV3.1(134) Handshake ClientKeyExchange EncryptedPreMasterSecret[128]= 79 fe 8e d2 52 ef 42 0c 26 96 b2 57 27 2c e8 4f 7b e6 78 f1 05 22 bf ab c3 0e 0b b5 ee 5c e3 46 ce e5 0a 43 27 f6 d8 bf b0 a6 94 b8 0a 6c 03 40 57 36 48 2b c0 28 ec ac c7 72 55 82 9e 94 b6 f2 39 1c 99 2d 16 37 46 c7 fe cf d3 f9 01 13 7a 38 3e 26 6e 16 9b 8c 21 d0 ec 80 d1 13 ab 73 15 52 74 dd d3 46 c6 44 dd 74 5a f5 11 42 c9 e3 6e 3d 1d 9d 36 91 9b eb 75 c9 5c a6 e4 72 7e 48 ec 02 1 6 0.0327 (0.0000) C>SV3.1(1) ChangeCipherSpec 1 7 0.0327 (0.0000) C>SV3.1(32) Handshake 3 1 0.0016 (0.0016) C>S SSLv2 compatible client hello Version 3.1 cipher suites TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 2 2 0.0261 (0.0238) S>CV3.1(74) Handshake ServerHello Version 3.1 random[32]= 49 6d 8b ae 86 b8 76 42 3b c3 26 c0 10 11 04 ab dd e3 fb 11 43 32 bb 68 d0 67 87 fc e6 32 d1 e8 session_id[32]= a2 1b 05 9d c2 f4 b6 df 03 6a 6a 51 8e de eb d9 67 f4 49 77 bb 4d f5 f7 75 89 38 b3 67 93 2e c9 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 2 3 0.0261 (0.0000) S>CV3.1(812) Handshake Certificate 2 4 0.0261 (0.0000) S>CV3.1(4) Handshake ServerHelloDone 2 5 0.0328 (0.0066) C>SV3.1(134) Handshake ClientKeyExchange EncryptedPreMasterSecret[128]= be 0f 2f 54 21 98 26 e4 99 f5 dc 5f 1d ed e0 f1 d0 00 d4 98 3d 63 75 33 b2 e7 06 40 ba 43 49 63 df 6a 92 c9 9a e5 cf 85 92 6c c7 3c 42 21 4d f7 14 b8 bd 0c 75 39 f3 f4 6a 97 26 0a 9f 4d 18 ac f8 36 da 37 95 38 fe b2 27 a9 63 7d 72 bc 0f 50 a8 0b 94 ac 9e e6 fd fd b6 77 22 c4 78 fd a4 11 f9 4f a5 3f 21 19 46 bf 71 86 c8 0b 8a 0c 83 fc 02 b2 e6 d1 5f 9b f4 d0 36 d5 d1 90 d5 a0 c8 36 2 6 0.0328 (0.0000) C>SV3.1(1) ChangeCipherSpec 2 7 0.0328 (0.0000) C>SV3.1(32) Handshake 4 1 0.0017 (0.0017) C>S SSLv2 compatible client hello Version 3.1 cipher suites TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 1 8 0.0597 (0.0270) S>CV3.1(1) ChangeCipherSpec 1 9 0.0597 (0.0000) S>CV3.1(32) Handshake 1 10 0.0606 (0.0008) C>SV3.1(79) application_data 2 8 0.0698 (0.0369) S>CV3.1(1) ChangeCipherSpec 2 9 0.0698 (0.0000) S>CV3.1(32) Handshake 2 10 0.0708 (0.0010) C>SV3.1(79) application_data 4 2 0.0608 (0.0591) S>CV3.1(74) Handshake ServerHello Version 3.1 random[32]= 49 6d 8b ae a3 f2 91 29 54 95 6f 92 1b 9b a8 b6 ba 7c 4d c3 23 c4 39 1a 56 9f d5 4f 9a b6 a4 5b session_id[32]= fc 04 15 44 52 af 17 f3 98 6c 15 ac e2 06 6f ce e7 b7 31 a0 80 1a d0 60 61 36 fb 46 a6 24 10 b6 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 4 3 0.0608 (0.0000) S>CV3.1(812) Handshake Certificate 4 4 0.0608 (0.0000) S>CV3.1(4) Handshake ServerHelloDone 3 2 0.0708 (0.0691) S>CV3.1(74) Handshake ServerHello Version 3.1 random[32]= 49 6d 8b ae dc d4 d3 2c 5c a2 ea aa 34 9d 75 34 6d 22 92 67 8c 89 fd b1 96 b7 3f 0d 8b bb 43 f8 session_id[32]= a3 3a 09 ba b5 4c f3 b2 67 be 4d 09 4a c2 b4 16 68 e9 f6 2c 3f 99 f1 68 73 0f 43 0b cb 19 f9 50 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 3 3 0.0708 (0.0000) S>CV3.1(812) Handshake Certificate 3 4 0.0708 (0.0000) S>CV3.1(4) Handshake ServerHelloDone 4 5 0.0688 (0.0080) C>SV3.1(134) Handshake ClientKeyExchange EncryptedPreMasterSecret[128]= 50 40 a9 5f 4b f2 b3 60 87 36 0c 1a 86 b4 0d 13 c8 61 64 2c da 8b bf 1d c0 dd 33 ee 79 47 f4 ec 23 82 2e e4 9b 4e dd 05 0f b0 1c 2d 84 e1 43 0e 38 85 73 23 bd f7 68 03 1a 99 ad b3 e4 1f fd 33 91 bc 36 f8 06 00 e7 f0 b5 88 1e 70 47 c9 6e a8 50 e6 42 db a9 03 4d 94 2d c2 69 84 b3 49 b6 ff 45 70 96 7f d3 69 25 7f 5c 4f 4d b3 2c 97 9f 18 de a3 cf 31 96 de 98 eb 6a 9a 83 d2 60 e9 67 9a 4 6 0.0688 (0.0000) C>SV3.1(1) ChangeCipherSpec 4 7 0.0688 (0.0000) C>SV3.1(32) Handshake 1 11 0.1204 (0.0597) S>CV3.1(30) application_data 3 5 0.0789 (0.0080) C>SV3.1(134) Handshake ClientKeyExchange EncryptedPreMasterSecret[128]= 8e a3 a1 c2 b0 8b 5d 65 57 3d 23 9a 3a 74 9e 7d f0 bd 3e bd 89 80 31 20 fe 12 d6 5e 37 06 01 a7 62 0a ae 8a ab 02 50 26 aa 56 72 ef 08 43 10 8a 9c 4a a9 ac 3f 51 38 89 e9 f3 c6 ad 07 7f 77 74 8e ba f3 ab 90 00 30 c3 58 a9 82 30 3d 6a b2 7a 6b 37 50 04 30 1d 45 9f 1b 2d 0f 65 15 e3 5d 31 cf be 22 03 25 e2 e7 b1 0d ba 17 3f 64 ad 65 01 bc de 3d 23 fa 48 17 d2 13 c8 bb 20 a0 2c 11 61 3 6 0.0789 (0.0000) C>SV3.1(1) ChangeCipherSpec 3 7 0.0789 (0.0000) C>SV3.1(32) Handshake 2 11 0.1251 (0.0543) S>CV3.1(30) application_data 3 8 0.1083 (0.0293) S>CV3.1(1) ChangeCipherSpec 3 9 0.1083 (0.0000) S>CV3.1(32) Handshake 3 10 0.1094 (0.0011) C>SV3.1(79) application_data 4 8 0.1080 (0.0391) S>CV3.1(1) ChangeCipherSpec 4 9 0.1080 (0.0000) S>CV3.1(32) Handshake 4 10 0.1087 (0.0007) C>SV3.1(79) application_data 3 11 0.1487 (0.0393) S>CV3.1(30) application_data 4 11 0.1632 (0.0544) S>CV3.1(30) application_data 1 12 1.4420 (1.3216) C>SV3.1(23) application_data 1 13 1.4427 (0.0006) C>SV3.1(18) Alert 1 1.4427 (0.0000) C>S TCP FIN 5 1 0.0016 (0.0016) C>SV3.1(103) Handshake ClientHello Version 3.1 random[32]= 00 00 71 1e ea 5c b1 67 fd 45 ce 44 3b e1 f6 47 a8 c4 27 f6 9c 65 37 9e a7 ef fe c1 bb 18 00 5d resume [32]= a6 a2 aa 1a d7 e8 4e 0a 9b ee 29 6c 32 ca 25 ed 31 7c 33 1c c8 48 d4 15 d8 aa f9 cb 29 af 14 55 cipher suites TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 compression methods NULL 1 14 1.4526 (0.0099) S>CV3.1(18) Alert 1 1.4527 (0.0000) S>C TCP FIN 2 12 1.4419 (1.3167) C>SV3.1(23) application_data 2 13 1.4425 (0.0006) C>SV3.1(18) Alert 2 1.4425 (0.0000) C>S TCP FIN 3 12 1.4204 (1.2717) C>SV3.1(23) application_data 6 1 0.0014 (0.0014) C>SV3.1(103) Handshake ClientHello Version 3.1 random[32]= 00 00 71 1e ff cc 94 cc 92 b2 21 2a e7 db 67 95 93 28 3c e1 75 96 0b 2a f0 7d f8 be f0 d0 70 f6 resume [32]= a2 1b 05 9d c2 f4 b6 df 03 6a 6a 51 8e de eb d9 67 f4 49 77 bb 4d f5 f7 75 89 38 b3 67 93 2e c9 cipher suites TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 compression methods NULL 3 13 1.4210 (0.0006) C>SV3.1(18) Alert 3 1.4210 (0.0000) C>S TCP FIN 7 1 0.0014 (0.0014) C>SV3.1(103) Handshake ClientHello Version 3.1 random[32]= 00 00 71 1e 2b ec d0 0d 45 c7 3c 34 34 50 66 fc 62 3a 96 15 2b c9 b7 78 dd 61 22 6c 31 a5 5a 3e resume [32]= a3 3a 09 ba b5 4c f3 b2 67 be 4d 09 4a c2 b4 16 68 e9 f6 2c 3f 99 f1 68 73 0f 43 0b cb 19 f9 50 cipher suites TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 compression methods NULL 2 14 1.4529 (0.0104) S>CV3.1(18) Alert 4 12 1.4346 (1.2714) C>SV3.1(23) application_data 4 13 1.4352 (0.0005) C>SV3.1(18) Alert 4 1.4352 (0.0000) C>S TCP FIN 8 1 0.0013 (0.0013) C>SV3.1(103) Handshake ClientHello Version 3.1 random[32]= 00 00 71 1e 1d 53 08 8f 7b 01 5f b5 a4 1e ee e0 38 77 9e dd c9 d9 50 0d e7 cf 29 2d 74 7f ec ba resume [32]= fc 04 15 44 52 af 17 f3 98 6c 15 ac e2 06 6f ce e7 b7 31 a0 80 1a d0 60 61 36 fb 46 a6 24 10 b6 cipher suites TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 compression methods NULL 3 14 1.4487 (0.0277) S>CV3.1(18) Alert 3 1.4488 (0.0000) S>C TCP FIN 4 14 1.4594 (0.0241) S>CV3.1(18) Alert 4 1.4594 (0.0000) S>C TCP FIN 5 2 0.0778 (0.0761) S>CV3.1(74) Handshake ServerHello Version 3.1 random[32]= 49 6d 8b af 42 17 bc 06 4f e8 7f 23 10 9c c8 07 97 31 c6 36 33 04 62 16 8e 9e e1 df 7d 29 67 1d session_id[32]= a6 a2 aa 1a d7 e8 4e 0a 9b ee 29 6c 32 ca 25 ed 31 7c 33 1c c8 48 d4 15 d8 aa f9 cb 29 af 14 55 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 5 3 0.0778 (0.0000) S>CV3.1(1) ChangeCipherSpec 5 4 0.0778 (0.0000) S>CV3.1(32) Handshake 5 5 0.0796 (0.0018) C>SV3.1(1) ChangeCipherSpec 5 6 0.0796 (0.0000) C>SV3.1(32) Handshake 5 7 0.0796 (0.0000) C>SV3.1(79) application_data 5 8 0.0803 (0.0006) C>SV3.1(626) application_data 7 2 0.0718 (0.0703) S>CV3.1(74) Handshake ServerHello Version 3.1 random[32]= 49 6d 8b af c2 71 62 1e ad 23 c4 60 af 71 54 ee 2c 33 8f 55 de d5 13 46 9d 30 aa c5 2e 55 54 7e session_id[32]= a3 3a 09 ba b5 4c f3 b2 67 be 4d 09 4a c2 b4 16 68 e9 f6 2c 3f 99 f1 68 73 0f 43 0b cb 19 f9 50 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 7 3 0.0718 (0.0000) S>CV3.1(1) ChangeCipherSpec 7 4 0.0718 (0.0000) S>CV3.1(32) Handshake 7 5 0.0736 (0.0018) C>SV3.1(1) ChangeCipherSpec 7 6 0.0736 (0.0000) C>SV3.1(32) Handshake 7 7 0.0736 (0.0000) C>SV3.1(79) application_data 7 8 0.0743 (0.0006) C>SV3.1(626) application_data 6 2 0.1089 (0.1075) S>CV3.1(74) Handshake ServerHello Version 3.1 random[32]= 49 6d 8b af ec 94 f0 14 b8 88 5e cf d7 02 3d b7 04 7e cf d8 a2 f5 e3 76 e3 1c 55 66 9a bd 9d c5 session_id[32]= a2 1b 05 9d c2 f4 b6 df 03 6a 6a 51 8e de eb d9 67 f4 49 77 bb 4d f5 f7 75 89 38 b3 67 93 2e c9 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 6 3 0.1089 (0.0000) S>CV3.1(1) ChangeCipherSpec 6 4 0.1089 (0.0000) S>CV3.1(32) Handshake 6 5 0.1107 (0.0017) C>SV3.1(1) ChangeCipherSpec 6 6 0.1107 (0.0000) C>SV3.1(32) Handshake 6 7 0.1107 (0.0000) C>SV3.1(79) application_data 6 8 0.1113 (0.0006) C>SV3.1(626) application_data 8 2 0.1051 (0.1038) S>CV3.1(74) Handshake ServerHello Version 3.1 random[32]= 49 6d 8b af 66 e0 90 55 c2 9b 48 5d 15 f0 6e 02 33 58 b6 4d 8a 31 ca 7a 8f 93 2e af 14 e5 f4 e2 session_id[32]= fc 04 15 44 52 af 17 f3 98 6c 15 ac e2 06 6f ce e7 b7 31 a0 80 1a d0 60 61 36 fb 46 a6 24 10 b6 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 8 3 0.1051 (0.0000) S>CV3.1(1) ChangeCipherSpec 8 4 0.1051 (0.0000) S>CV3.1(32) Handshake 8 5 0.1069 (0.0017) C>SV3.1(1) ChangeCipherSpec 8 6 0.1069 (0.0000) C>SV3.1(32) Handshake 8 7 0.1069 (0.0000) C>SV3.1(79) application_data 8 8 0.1076 (0.0006) C>SV3.1(626) application_data

3 2

synrcrepl "be_modify failed (80)"
by manu＠netbsd.org 08 Feb '09

08 Feb '09

>From time to time, syncrepl breaks on the replica, with this in the logs: slapd[1737]: null_callback : error code 0x50 slapd[1737]: syncrepl_entry: rid=017 be_modify failed (80) slapd[1737]: do_syncrepl: rid=017 retrying code 80 is LDAP_OTHER, which is not very insightful. The only way to get syncrepl working again is to wipe out the database and restart slapd. Being out of sync is not very pleasant, but there is worse: when several replicas are harassing the master with syncrepl requests, it tends to die horribly, with stuff like this: 1) assertion "c->c_conn_state == SLAP_C_CLOSING" failed: file "connection.c", line 787, function "connection_close" 2) assertion "c->c_struct_state == SLAP_C_USED" failed: file "connection.c", line 680, function "connection_state_closing" 3) slapd: Error detected by libpthread: Invalid mutex. Detected by file "/home/builds/ab/netbsd-4/src/lib/libpthread/pthread_mutex.c", line 295, function "pthread_mutex_trylock". I end up with a hung slapd, that I can only get rid of with a kill -9. All of this happens with 2.4.13. Are these known bugs? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

3 11

SASL digest-md5 Authentication and ACL
by Oscar Plameras 07 Feb '09

07 Feb '09

I'm running slapd 2.4.12 on fedora10. I can't figure out where to continue looking after trying for 3 days. When no ACL are inserted into slapd.conf in Test 1 Simple Bind with SASL succeeds. When I inserted ACL into slapd.conf in Test 2 Simple Bind with SASL fails. Simple Bind without SASL succeeds in Test 1 and Test 2. I have two test setups. Difference, test 1 has NO ACL and test 2 has ACL Test No. 1 1.1. bare-bones slapd.conf 1.2. SASL 1.3.1 #ldapsearch -x -D "cn=Jose Gonales,ou=people,dc=example,dc=com,dc=au" -w jsh0rt -LLL 1.3.2 #ldapsearch -Y digest-md5 -U jshort -w jsh0rt -LLL 1.3.1 successcul 1.3.2 successful Test No. 2 2.1.bare-bones slapd.conf 2.2. SASL 2.3. ACL 2.4.1 #ldapsearch -x -D "cn=Jose Gonales,ou=people,dc=example,dc=com,dc=au" -w jsh0rt -LLL 2.4.2 #ldapsearch -Y digest-md5 -U jshort -w jsh0rt -LLL Test 2.4.1 successful Test 2.4.2 Not successful with the following message SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) Test 1 slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema # pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # TLSCACertificateFile /etc/CA/cacert.pem TLSCertificateFile /etc/pki/tls/newcert.pem TLSCertificateKeyFile /etc/pki/tls/newkey.pem password-hash {CLEARTEXT} # authz-regexp "uid=([^,]*),cn=digest-md5,cn=auth" "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)" authz-regexp "uid=([^,]*),cn=cram-md5,cn=auth" "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)" # database bdb suffix "dc=example,dc=com,dc=au" rootdn "cn=Manager,dc=example,dc=com,dc=au" rootpw secret directory /var/lib/ldap database monitor # Test 2 slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema # pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # TLSCACertificateFile /etc/CA/cacert.pem TLSCertificateFile /etc/pki/tls/newcert.pem TLSCertificateKeyFile /etc/pki/tls/newkey.pem password-hash {CLEARTEXT} # # ACL1 access to attrs=userpassword by self write by anonymous auth by group.exact="cn=admingroup,ou=groups,dc=example,dc=com,dc=au" write by * none # ACL2 access to attrs=carlicense,homepostaladdress,homephone by self write by group.exact="cn=salesgroup,ou=groups,dc=example,dc=com,dc=au" write by * none # ACL3 access to * by self write by group.exact="cn=itgroup,ou=groups,dc=example,dc=com,dc=au" write by users read by * none # authz-regexp "uid=([^,]*),cn=digest-md5,cn=auth" "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)" authz-regexp "uid=([^,]*),cn=cram-md5,cn=auth" "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)" # database bdb suffix "dc=example,dc=com,dc=au" rootdn "cn=Manager,dc=example,dc=com,dc=au" rootpw secret directory /var/lib/ldap database monitor Here's my ldif dn: dc=example,dc=com,dc=au dc: example description: Example, Pty Ltd. objectClass: dcObject objectClass: organization o: Example, Inc. dn: ou=people,dc=example,dc=com,dc=au ou: people description: All people in organisation objectClass: organizationalUnit dn: cn=John Short,ou=people,dc=example,dc=com,dc=au objectClass: inetOrgPerson cn: John Short cn: John R Short cn: Johnny Short sn: short uid: jshort userPassword:: anNoMHJ0 carLicense: BCW-25F homePhone: 029686822 mail: j.short(a)example.com.au mail: jshort(a)example.com.au mail: johnny.short(a)example.com.au description:: TWFuYWdlciA= ou: admingroup dn: cn=Jose Gonzales,ou=people,dc=example,dc=com,dc=au objectClass: inetOrgPerson cn: Jose Gonzales cn: Jose G Gonzales sn: Gonzales uid: jgonzales userPassword:: amcwbnpv carLicense: SGO 124 homePhone: 555-111-2223 mail: j.gonzales(a)example.com.au mail: jgonzales(a)example.com.au mail: jose.gonzales(a)example.com.au ou: salesgroup dn: cn=Shanana Gonzales,ou=people,dc=example,dc=com,dc=au objectClass: inetOrgPerson cn: Shanana Gonzales sn: gonzales uid: sgonzales userPassword:: c2cwbnpv carLicense: SGO 125 homePhone: 555-111-2225 mail: s.gonzales(a)example.com.au mail: sgonzales(a)example.com.au mail: shanana.gonzales(a)example.com.au ou: itgroup dn: ou=groups,dc=example,dc=com,dc=au objectClass: organizationalUnit ou: groups description:: Z3JvdXBzIA== dn: cn=admingroup,ou=groups,dc=example,dc=com,dc=au objectClass: groupOfNames cn: admingroup description: Administration member: cn=John Short,ou=people,dc=example,dc=com,dc=au dn: cn=salesgroup,ou=groups,dc=example,dc=com,dc=au objectClass: groupOfNames cn: salesgroup description: Sales group member: cn=Jose Gonzales,ou=people,dc=example,dc=com,dc=au

1 0

alias container?
by James Bagley 06 Feb '09

06 Feb '09

Maybe a stupid question, but can you alias a container object? One of the State's agencies changed it's name. I want to be able to alias the old name to the new one so searches on the old agency name still work. I tried creating the following record, which worked, but didn't have the desirable result: # prd.state.or.us dn: dc=prd,dc=state,dc=or,dc=us dc: prd objectClass: top objectClass: alias objectClass: extensibleObject aliasedObjectName: dc=oprd,dc=state,dc=or,dc=us The container object is: # oprd.state.or.us dn: dc=oprd,dc=state,dc=or,dc=us dc: oprd objectClass: domain objectClass: top description: Oregon Department of Parks and Recreation o: Parks and Recreation Possibly there is a better way to accomplish this? The desired end result is to be able to do: ldapsearch -b 'dc=prd,dc=state,dc=or,dc=us' -s sub Thanks! -james

2 1

ACL Question
by Tim Gustafson 05 Feb '09

05 Feb '09

Hi, I have the following in my slapd.conf: access to dn.subtree="cn=log" by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=soe,dc=ucsc,dc=edu" read However, anyone (even unbound anonymous users) can access cn=log without any problems. I don't want anyone but ldap-admins to be able to access this subtree. I'm thinking that I must be missing something really simple here. Am I doing something wrong? Any help is greatly appreciated. Tim Gustafson BSOE Webmaster UC Santa Cruz tjg(a)soe.ucsc.edu 831-459-5354

3 6

Initializing cn=config from existing multi-master setup via syncrepl - "glue: no superior found for"
by Thomas Chemineau 05 Feb '09

05 Feb '09

Hi all, Same subject, but with a minor change :) For now, as I explain in a previous mail, it seems we have a working N-Way multimaster replication, still with some problems. we use RE24, checked out 2 days ago. But, even if cn=config seems to be correclty replicated, there is a problem with gluing database declarations. We have a primary provider. Its config backend has been initialized by this command : slapd -f slapd.conf -F slapd.d. All work fine, no errors. The configuration has multiple backends (8), and some are glued. In the slapd.conf we have something like the following : database ldap suffix dc=example,o=test subordinate database bdb suffix o=test glue So, in cn=config, we have : olcDatabase={2}ldap,cn=config olcSuffix dc=example,o=test olcSubordinate TRUE olcDatabase={3}bdb,cn=config olcSuffix o=test olcOverlay={0}glue,olcDatabase={4}bdb,cn=config olcOverlay {0}glue Fine. But when the new provider replicates the entire cn=config of the primary provider, it can not replicate this kind of configuration : 8<-------- Feb 5 10:42:37 server2 slapd[5093]: => access_allowed: add access to "olcDatabase={2}ldap,cn=config" "entry" requested Feb 5 10:42:37 server2 slapd[5093]: <= root access granted Feb 5 10:42:37 server2 slapd[5093]: => access_allowed: add access granted by manage(=mwrscxd) Feb 5 10:42:37 server2 slapd[5093]: <= acl_access_allowed: granted to database root Feb 5 10:42:37 server2 slapd[5093]: => access_allowed: add access to "cn=config" "children" requested Feb 5 10:42:37 server2 slapd[5093]: <= root access granted Feb 5 10:42:37 server2 slapd[5093]: => access_allowed: add access granted by manage(=mwrscxd) Feb 5 10:42:37 server2 slapd[5093]: >>> dnPrettyNormal: <dc=example,o=test> Feb 5 10:42:37 server2 slapd[5093]: <<< dnPrettyNormal: <dc=example,o=test>, <dc=example,o=test> Feb 5 10:42:37 server2 slapd[5093]: >>> dnPrettyNormal: <dc=example,o=test> Feb 5 10:42:37 server2 slapd[5093]: <<< dnPrettyNormal: <dc=example,o=test>, <dc=example,o=test> Feb 5 10:42:37 server2 slapd[5093]: glue: no superior found for sub dc=example,o=test! Feb 5 10:42:37 server2 slapd[5093]: olcSubordinate: value #0: <olcSubordinate> handler exited with 32! Feb 5 10:42:37 server2 slapd[5093]: send_ldap_result: conn=-1 op=0 p=0 Feb 5 10:42:37 server2 slapd[5093]: send_ldap_result: err=80 matched="" text="<olcSubordinate> handler exited with 32" Feb 5 10:42:37 server2 slapd[5093]: null_callback : error code 0x50 Feb 5 10:42:37 server2 slapd[5093]: syncrepl_entry: rid=001 be_add failed (80) Feb 5 10:42:37 server2 slapd[5093]: connection_get(12) Feb 5 10:42:37 server2 slapd[5093]: connection_get(12): got connid=0 Feb 5 10:42:37 server2 slapd[5093]: daemon: removing 12 Feb 5 10:42:37 server2 slapd[5093]: do_syncrepl: rid=001 retrying (4 retries left) Feb 5 10:42:37 server2 slapd[5093]: daemon: epoll: listen=7 active_threads=0 tvp=zero Feb 5 10:42:37 arv2b slapd[5093]: daemon: epoll: listen=8 active_threads=0 tvp=zero Feb 5 10:42:37 arv2b slapd[5093]: daemon: epoll: listen=9 active_threads=0 tvp=zero Feb 5 10:42:37 arv2b slapd[5093]: daemon: epoll: listen=10 active_threads=0 tvp=zero 8<-------- Is it a bug ? I have an idea : reorder declarations into the cn=config to have something like that : olcDatabase={2}bdb,cn=config olcSuffix o=test olcOverlay={0}glue,olcDatabase={2}bdb,cn=config olcOverlay {0}glue olcDatabase={3}ldap,cn=config olcSuffix dc=example,o=test olcSubordinate TRUE I have the first olcDatabase={2}bdb,cn=config replicated successfully. But an other problem appears : the DN of olcOverlay={0}glue,olcDatabase={4}bdb,cn=config is not correclty renamed, because of a inexcepted "charset" ? I can reproduce this problem for all types of database. OpenLDAP complains itself and replication does not work. Hum... but I realized that even this "tips" works, OpenLDAP could not be restarted correctly anymore because of the configuration's test... Any hints, or advice would be most appreciated. Regards, Thomas.

2 1

How to configure value returned for dnsHostName?
by Eli Bach 05 Feb '09

05 Feb '09

I'm using openldap-2.3.41, but even searching through the mailing lists and the docs for v2.4, I can't see how to configure the value that is returned by the server to a client. A client library connecting to my server happens to make use of this as part of it's SSL verification, and it fails because it doesn't return a value. Digging through sources, a number of ldap clients request dnsHostName, but I can't find where in the openldap source it would get returned. Thx Eli

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software February 2009