openldap-software April 2009

openldap-software@openldap.org

47 participants
39 discussions

Any ways to release START_TLS's random file from Ldap API?
by chantra 16 Apr '09

16 Apr '09

Hi there, when using ldap_start_tls_s , /dev/urandom is opened but never seems to be close until the program exist, which causes issues when a program uses pam_ldap in such a way that openvpn does, e.g loop{ new connection; dlopen(pamldap); authenticate user using pam_ldap; // (open /dev/urandom); dlclose(pamldap); // /dev/urandom is still open } Unfortunately, I am not sure if there is a way to close the TLS context from the API, even when unbinding. For instance, when using the code below, stracing the code will show that /dev/urandom is not close even once finished with LDAP. ============ ... ... open("/etc/hosts", O_RDONLY) = 4 close(4) = 0 open("/etc/ld.so.cache", O_RDONLY) = 4 close(4) = 0 open("/lib/tls/i686/cmov/libnss_dns.so.2", O_RDONLY) = 4 close(4) = 0 close(4) = 0 open("/dev/urandom", O_RDONLY) = 4 open(NULL, O_RDONLY) = -1 EFAULT (Bad address) close(3) = 0 =========== the ldap tools (ldapsearch....) do close properly /dev/urandom, but they use tool_destroy()/ldap_pvt_tls_destroy() which has not effect when I attempt to forward declare it and use it. Any hints on how one could close TLS context? Thanks a mil, chantra /* * compile with * gcc -o start_tls start_tls.c -lldap */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <ldap.h> #include <unistd.h> void ldap_pvt_tls_destroy( void ); void usage(const char *name){ fprintf(stderr, "USAGE: %s ldap://host\n", name); } int main(int argc, char **argv){ char uri[BUFSIZ]; LDAP *ldp; int rc; int ldap_version = 3; LDAPControl *serverctrls; LDAPControl *clientctrls; if(argc!=2){ usage(argv[0]); exit(1); } strcpy(uri, argv[1]); rc = ldap_initialize(&ldp, uri); if(rc != LDAP_SUCCESS){ fprintf(stderr, "ERROR: ldap_initialize returned (%d) \"%s\" : %s\n", rc, ldap_err2string(rc), strerror(errno)); exit(1); } rc = ldap_set_option(ldp, LDAP_OPT_PROTOCOL_VERSION, &ldap_version); if(rc != LDAP_OPT_SUCCESS){ fprintf(stderr, "ERROR: ldap_set_option returned (%d) \"%s\"\n", rc, ldap_err2string(rc)); exit(1); } rc = ldap_start_tls_s(ldp, &serverctrls, &clientctrls); if(rc != LDAP_SUCCESS){ fprintf(stderr, "ERROR: ldap_start_tls_s returned (%d) \"%s\"\n", rc, ldap_err2string(rc)); exit(1); } fprintf(stdout, "Successfully started ldap_start_tls_s\n"); rc = ldap_unbind_ext_s(ldp, &serverctrls, &clientctrls); /* no effect ldap_pvt_tls_destroy(); */ sleep(100); exit(0); } -- http://www.debuntu.org Debuntu deb's repository !DSPAM:49e6334790401157261143!

1 0

Re: Compile problems with 2.4.16 and Fedora 10
by Quanah Gibson-Mount 16 Apr '09

16 Apr '09

--On Wednesday, April 15, 2009 9:53 AM -0700 Rick Stevens <rps2(a)socal.rr.com> wrote: > Quanah Gibson-Mount wrote: >> --On Tuesday, April 14, 2009 3:25 PM -0700 Rick Stevens >> <rps2(a)socal.rr.com> wrote: >> >>> Hi, gang. >>> >>> Having a bit of trouble compiling OpenLDAP 2.4.16 under Fedora 10. >>> I've built Berkeley DB 4.7 and installed it. I run configure with: >>> >>> LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib" >>> CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include" ./configure >>> --enable-modules --enable-backends --enable-overlays=mod --enable-sql=no >>> >>> (all one line). Despite what "./configure --help" says, it still tries >>> to include the MySQL NDB stuff by default (and can't find the headers >>> even if the mysql-devel RPM is installed, the "NdbApi.hpp" file is in >>> /usr/include/mysql/ndb/ndbapi), so I've appended "--enable-ndb=no" as >>> well to get past that (don't need MySQL anyway). >> >>> Hints? Suggestions? >> >> Back-sql and back-ndb are different backends. You need to add >> --disable-ndb to your configure flags. See the output of ./configure >> --help. > > I did, which is why I said '"Despite what ./configure --help" says': > > --enable-ndb enable MySQL NDB Cluster backend no|yes|mod [no] > > I read that as saying the default is "--enable-ndb=no". Am I wrong? No, you're quite correct. I missed that bit further down, so my mistake, sorry. ;) --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Externalize access to a partial replica
by Jehan PROCACCIA 16 Apr '09

16 Apr '09

hello I need to give acces to a partial replica of my ldap directory this replica only contain "white pages" attributes -> no userpassword ! syncrepl rid=001 filter="(|(objectClass=organizationalPerson) attrs="uid,cn,sn,ou,departmentNumber,GivenName I created a bind user in the master ldap to give external access to that replica but as I don't replicate userpassword, then that bind user doesn't have usperpasswd in the replicate and then cannot authenticate on it (egg and chiken pb !) then how can I have that partial replica whitout userpassword attributes, but still allow someone (at least one dn, but not the rootdn in slapd.conf that I want to keep secret) to bind to that replica !? I tested a binddn out of ldap database with SASL (digest-md5), but apparently (ldapsearch -Y) it requires a userpassword attribute for that binddn in the ldap database :-( I though that having a password only in /etc/salsdb2 would be enough ... to bad ;-( I also tested with a translucent in front of my replica, in that translucent I added the userpassword for the binddn so that he can bind , but the search addresed to that translucent that finally goes to my partial replica ends up in an anonymous bind, not as that binddn I expected :-( (so ACL cannot be match ) Please let me know how to let a user+password (binddn having correponding ACL) search my replica on a replica not containing userpassword attributes (or a least one for that binddn) . would it be possible to replicate userpassowrd attribute from the master only for that binddn ? Thanks.

3 2

openldap 2.4.11 slave update chaining
by Alan Evans 15 Apr '09

15 Apr '09

I have read through the docs over and over and I am still not quite able to wrap my head around idassert-bind and chaining. Can someone please help me figure this configuration out. I have a ldap master and ldap slave and I want the slave to chain updates to the master so the clients don't have to worry about following referrals. I am successful in getting the slave to follow the referral and return errors from the master however with various combinations of idassert-bind bindmethod=(none,simple) and mode=(self, legacy) I get errors about insufficent access or needing more rights. 1. Client binds with dn and password to slave 2. Client submits modify request to slave 3. Slave binds to master with binddn (bindmethod=simple) 4. Slave rebinds to master with dn and password provided by the client (mode=self, chain-rebind-as-user TRUE) 5. Slave submits modify to master as client (chain is global) 6. Master checks client's dn for access 7. Master performs update 8. Master returns result to slave 9. Slave returns result to client # ldapsearch cn=replicator authzTo -LLL Enter LDAP Password: dn: cn=replicator,dc=company,dc=com authzTo: dn:* You can see in the case of mode=legacy that I have given my replicator account authzTo # slave slapd.conf # Global Section overlay chain chain-tls start chain-chase-referrals yes chain-return-error true chain-uri "ldap://ldapmaster.company.net/" chain-rebind-as-user TRUE chain-idassert-bind bindmethod="simple" binddn="cn=replicator,dc=company,dc=com" credentials="secret" starttls="yes" tls_reqcert="allow" mode="self" # Database Sections database bdb suffix "dc=company,dc=com" rootdn "cn=manager,dc=company,dc=com" ... removed for brevity ... updateref ldap://ldapmaster.company.net/

2 1

back-sql Varchar2 Primary Key Support
by King, Leon C 15 Apr '09

15 Apr '09

Hi all, Is there a way to wrap oracle functions to where clauses passed into back-sql? I have a non-numeric primary key value of my users' table which in some cases is preceeded by a '0'. None of the data mapped via the ldap_entries.keyval and my table are being retrieve when I execute an ldap search. If I remove the preceeding '0' the values are retrieved. Thanks, Leon King

2 1

Compile problems with 2.4.16 and Fedora 10
by Rick Stevens 15 Apr '09

15 Apr '09

Hi, gang. Having a bit of trouble compiling OpenLDAP 2.4.16 under Fedora 10. I've built Berkeley DB 4.7 and installed it. I run configure with: LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib" CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include" ./configure --enable-modules --enable-backends --enable-overlays=mod --enable-sql=no (all one line). Despite what "./configure --help" says, it still tries to include the MySQL NDB stuff by default (and can't find the headers even if the mysql-devel RPM is installed, the "NdbApi.hpp" file is in /usr/include/mysql/ndb/ndbapi), so I've appended "--enable-ndb=no" as well to get past that (don't need MySQL anyway). Beyond that, compilation bombs when it hits libraries/liblutil/lutil_getpeerid.c: getpeereid.c: In function ‘lutil_getpeereid’: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known "struct ucred" is defined in <asm/socket.h> and the compile doesn't seem to be picking that up. Never had this issue with 2.4.10 or 2.4.11. Hints? Suggestions? ---------------------------------------------------------------------- - Rick Stevens, Unix Geek rps2(a)socal.rr.com - - - - Polygon: A dead parrot (With apologies to John Cleese) - ----------------------------------------------------------------------

4 4

locking issue (again)
by Guillaume Rousse 15 Apr '09

15 Apr '09

Hello. I'm facing heavy ldap locking again, even after upgrading bdb 4.6 to latest patch level (4.6.21.3). When the problem occurs, any ldap query fails with this result: [root@etoile main]# ldapsearch -x ldapsearch: error.c:272: ldap_parse_result: Assertion `r != ((void *)0)' failed. Abandon gdb shows 18 active thread, apparently waiting a lock release (see bt and bt full output attached). I'm also joing output of db_stat -m and -c output. The only suspect trace I found in the log was some strange queries from an apparently wrongly host, such as: Apr 14 06:57:09 etoile slapd[24528]: conn=61313 op=2 SRCH base="dc=msr-inria,dc=inria,dc=fr" scope=2 deref=0 filter="(&(objectClass=posixAccount)(objectClass=posixAccount)(uid=<!--))" But I suffered from this kind of lockup before it was installed. I wonder however of the potential impact of such kind of queries, using exotic characters. I'm using openldap 2.4.15 on linux 32 bits. Beyond the problematic lockup, why does the client abort, instead of trying the slave server when the first one fails ? Here is my ldap.conf configuration file. BASE dc=msr-inria,dc=inria,dc=fr URI ldap://ldap1.msr-inria.inria.fr ldap://ldap2.msr-inria.inria.fr TLS_CACERTDIR /etc/pki/tls/certs TLS_REQCERT demand NETWORK_TIMEOUT 2 TIMEOUT 2 TIMELIMIT 2 -- Guillaume Rousse Service des Moyens Informatiques INRIA Saclay - Île-de-France Parc Orsay Université, 4 rue J. Monod 91893 Orsay Cedex France Tel: 01 69 35 69 62

2 2

ACL problem
by Guillaume CHARDIN 14 Apr '09

14 Apr '09

Hi, i'm a begginer with openldap and I would like some help about configuring a test directory (for now). I tought I set up correctly the base of the directory, but I encounter some issues with ACL to delegate rw access to some users/OU/groups. While I can do anything on the directory with the 'rootdn', I wasnt able to give rw access to another user (admintest) on the directory. To achieve this tasks I use several tools : phpldapadmin, ldapadd, ldapdelete. And everytime these tools return error about the rights of the user I bind to de Directory. here is an example : ]#ldapdelete -x -D 'uid=admintest,dc=brcorp,dc=local' -W ou=test,dc=brcorp,dc=local Enter LDAP Password: ldap_delete: Insufficient access (50) additional info: no write access to parent If i do the same with the rootdn user everything goes fine. I use a static configuration on the server side so i have to start/restart ldap to have new acl applied. Below are my access rules written in my sldap.conf file #in the global config : access to * by * read #in the "database" config : access to dn.subtree="dc=brcorp,dc=local" by dn.one="uid=admintest,dc=brcorp,dc=local" write by self write access to * by dn.exact="cn=Manager,dc=brcorp,dc=local" read by * none I read on the admin documentation the global directive are applied after the "database" access directives were read. So the 'access to * by * read' is applied after 'access to dn.subtree="dc=brcorp,dc=local" by dn.one="uid=admintest,dc=brcorp,dc=local" write' wich is the important line for my user. whats wrong with my configuration ? Someone can tell me ? Thanks for your help. -- Guillaume

3 3

log level to see details of MOD operations
by Scott Koranda 14 Apr '09

14 Apr '09

I am running OpenLDAP version 2.3.27 as distributed with CentOS 5.2. I want to set 'loglevel' in slapd.conf so that I will be able to see the details of what a client is sending to slapd when it modifies entries for a dn. Specifically I would like to see which attributes the client is requesting to modify for the dn and the values it is sending for those attributes. What value for 'loglevel' results in the least verbose logging but would still show me that information? Sincerely, Scott

3 5

OpenLDAP Password Encryption
by Myles Merrell 10 Apr '09

10 Apr '09

I'm working on our LDAP server, we want to be sure to encrypt the password. We also want to be able to decrypt the passwords if a user loses their passwords, and we need to send it to them. I've done a lot of research on encrypting the passwords, but none of the methods I have seen allow you to easily decrypt the password using a private key or something like that. Is this possible, if so how? thanks. myles.

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2009