openldap-software July 2009

openldap-software@openldap.org

49 participants
46 discussions

RE: How do I get libldap to pick up changes in TLS_CACERTDIR?
by Lawrence Chan 21 Jul '09

21 Jul '09

> Subject: How do I get libldap to pick up changes in TLS_CACERTDIR? > Date: Wed, 1 Jul 2009 10:51:52 -0400 > > > Hi, > > I'm writing an application that connects to a slapd and the application uses ldap_start_tls_s to secure communication between itself and slapd before doing anything else. The version of openLDAP I'm using is 2.2.29... I know I should get a newer version, but I have no say on this matter, this is the version I have to use. The /etc/openldap/ldap.conf config file contains only one modification: > > TLS_CACERTDIR /usr/sw/certs > > I'm not sure how I can get libldap to re-process/re-check the contents of TLS_CACERTDIR without ending the application and restarting it. I initially thought that tearing down the session and re-creating one from scratch would do the trick, but that isn't working. > > Thanks, > Lawrence > I answered my own question and I'll add my solution to the mailing list archive for future reference. Going through the openldap code revealed to me that libldap keeps a default tls context. If you don't specify your own tls context for the LDAP session, then this is the one you're getting. This gets initialized once. So if you decide to change the contents of TLS_CACERTDIR while your LDAP client app is still running, the changes won't get detected (at least not immediately). This was troublesome, since new certificates wouldn't get picked up and deleted certificates didn't cause start_tls to fail. I got around this by managing my own tls context and setting this context to my session via ldap_set_option(ld, LDAP_OPT_X_TLS_CTX, my_ctx). Whenever the contents of the directory changed, I would disconnect the session and re-create the context and set it to the session. Managing your own context also implies that setting TLS_CACERTDIR is unnecessary. Caveat: In 2.2.29, the case statement in ldap_pvt_tls_set_option looks something like: case LDAP_OPT_X_TLS_CTX: if ( ld == NULL ) { tls_def_ctx = (SSL_CTX *) arg; } else { ld->ld_defconn->lconn_tls_ctx = arg; } return 0; It seems that ld_defconn can be NULL in some cases. So I tried to get around this by doing an anonymous bind before setting LDAP_OPT_X_TLS_CTX. Probably not the best strategy, but this strategy is the best I have right now and it seems to work. Cheers, Lawrence

1 0

aliasedObject not found
by Andreas Schoe 20 Jul '09

20 Jul '09

Hello list, I have some problems with alias Objects. I have setup an internal and an external tree. Some group accounts have to point from the external suffix to the internal one. Example: dn: cn=alias,ou=Groups,dc=intern,dc=de objectClass: top objectClass: groupOfUniqueNames cn: alias ... dn: cn=alias,ou=Groups,dc=extern,dc=de aliasedObjectName: cn=alias,ou=Groups,dc=intern,dc=de objectClass: top objectClass: extensibleObject objectClass: alias cn: alias ldapsearch -h ldap -x -a find -b "ou=Groups,dc=extern,dc=de" search: 2 result: 33 Alias problem matchedDN: alias,ou=Groups,dc=gfz-extern,dc=de text: aliasedObject not found System: OpenLDAP: 2.4.16, configured with --enable-overlays=yes solaris 10, SPARC The aliasedObjectName is set to "cn=alias,ou=Groups,dc=intern,dc=de" but the search result give back: "alias,ou=Groups,dc=gfz-extern,dc=de" for the matchedDN. Both trees are indexed with "olcDbIndex: cn pres,eq,approx,sub". I'm looking forward to your advice, hints and help. Thanks a lot! Andreas

2 4

Ndb-backend questions...
by Reinhard Nappert 20 Jul '09

20 Jul '09

Hi, I try to get openldap 2.4.16 running with the MySQL Cluster 7.0.6 as backend. Is there a documentation available, how to configure openldap and my-sql? Specifically, I want to know if I can define more than one suffix, which point to different databases (multiple suffix and dbname directives). If so, how to I associate a suffix with the desired database. Secondly, I got the connection with one suffix to work, but it looked like I have to start the mysql server as well. I thought that the backend-ndb talks directly ndb api. Thirdly, as far as I know, the backend-ndb also allows you to read existing sql tables from the cluster. How does this work and how do you configure this. So far, I am not able to do that. Thanks for any pointers. -Reinhard

2 2

RE: [Openldap 2.4.16] Unable to use DB_CONFIG
by Brett Maxfield 19 Jul '09

19 Jul '09

I think you should read the manual again. That is not a DB_CONFIG. That looks like a slapd config file, in ldif format. -----Original Message----- From: Lepoutre Lionel <leplio(a)gmail.com> Sent: Friday, 17 July 2009 10:19 PM To: openldap-software(a)openldap.org Subject: [Openldap 2.4.16] Unable to use DB_CONFIG Hello, I am trying to use the DB_CONFIG file as it seems to be the good way to configure my hdb database. My LDAP start without any DB_CONFIG, but when I put a DB_CONFIG file I have an error: "unrecognized name-value pair: dn:" Here is an extract of my files (I have changed my personal information by MY...) - slapd.conf: ------------------------------------ database hdb suffix "MY_LDAP_SUFFIX" rootdn "MY_ROOT_DN" rootpw MY_ROOT_PASS directory /opt/local/openldap/var/openldap-data - DB_CONFIG: ----------------------------------- # global configuration settings dn: cn=config objectClass: olcGlobal cn: config # schema definitions dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema dn: cn=core,cn=schema,cn=config objectClass: olcSchemaConfig cn: core #backend definitions dn: olcBackend=hdb,cn=config objectClass: olcBackendConfig olcBackend: hdb # database definitions dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig olcDatabase: hdb olcSuffix: MY_LDAP_SUFFIX .... It seems to be because of the first line of my DB_CONFIG file but I have copied it from the documentation (http://www.openldap.org/doc/admin24/slapdconf2.html). Did I miss something? Is it not the good file for such configuration? Any help is welcome and sorry if it is a stupid question. Lionel

1 0

Re: saslmech=EXTERNAL
by Greek Ordono 17 Jul '09

17 Jul '09

Hi, What I'm trying to do is change the password[1] of user guest to see if my chain overlay will work with saslmech=external. Referring from this email[2] this should be working. But I'm a bit I confused cause I can't get this working while my syncrepl is working well. TIA [1] ldappaswd -s newPasswd - Set the new password to newPasswd. [2] http://www.openldap.org/lists/openldap-software/200808/msg00113.html -- Greek Ordono myppa: launchpad.net/~grexk/+archive/ppa --- On Wed, 7/15/09, Gavin Henry <ghenry(a)suretecsystems.com> wrote: From: Gavin Henry <ghenry(a)suretecsystems.com> Subject: Re: saslmech=EXTERNAL To: "Quanah Gibson-Mount" <quanah(a)zimbra.com>, "Greek Ordono" <grexk(a)yahoo.com> Cc: "openldap-software(a)openldap.org" <openldap-software(a)openldap.org> Date: Wednesday, July 15, 2009, 10:22 PM Also, -stseug is wrong. It should be: [-s base|one|sub] -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

3 2

Re: SOLVED saslmech=EXTERNAL
by Greek Ordono 17 Jul '09

17 Jul '09

Hi, After series of trial and error I finally get it working. The following configuration works for openldap-2.4.16: overlay chain chain-uri "ldap://server.group" #chain-uri "ldaps:///server.group" - not working at all[1]? chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL binddn="cn=whatever" #starttls=yes/critical - even this? tls_cert=/etc/ldap/ssl/replicator-cert.pem tls_key=/etc/ldap/ssl/replicator-key.pem tls_cacert=/etc/ssl/certs/mgoc-cacert.pem tls_reqcert=demand mode=self chain-tls start chain-idassert-authzFrom "*" chain-return-error TRUE $ ldappasswd -x -D 'uid=guest,ou=users,dc=server,dc=group' -w1234 -sguest from the master you may something like this one: Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 PROXYAUTHZ dn="uid=guest,ou=users,dc=server,dc=group" Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 EXT oid=1.3.6.1.4.1.4203.1.11.1 Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 PASSMOD new Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 RESULT oid= err=0 text= on the slave: Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 BIND dn="uid=guest,ou=users,dc=server,dc=group" method=128 Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 BIND dn="uid=guest,ou=Users,dc=server,dc=group" mech=SIMPLE ssf=0 Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 RESULT tag=97 err=0 text= Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 PASSMOD new Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 RESULT oid= err=0 text= Thanks for all the people that tried to help me. [1] http://www.openldap.org/lists/openldap-software/200808/msg00012.html -- Greek Ordono myppa: launchpad.net/~grexk/+archive/ppa --- On Sat, 7/18/09, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: From: Quanah Gibson-Mount <quanah(a)zimbra.com> Subject: Re: saslmech=EXTERNAL To: "Greek Ordono" <grexk(a)yahoo.com>, ghenry(a)suretecsystems.com Cc: openldap-software(a)openldap.org Date: Saturday, July 18, 2009, 7:26 AM --On Friday, July 17, 2009 5:44 PM -0700 Greek Ordono <grexk(a)yahoo.com> wrote: > > Hi, > > What I'm trying to do is change the password[1] of user guest to see if > my chain overlay will work with saslmech=external. Referring from this > email[2] this should be working. But I'm a bit I confused cause I can't > get this working while my syncrepl is working well. TIA As I said, by using the "-x" mechanism, you are completely disabling SASL. Thus no SASL/EXTERNAL method is going to work. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

password policy - alternate lockout mechanism
by Aravind Gottipati 17 Jul '09

17 Jul '09

Hi, The current password policy module can lock folks out after some configurable number of failed attempts. The module currently does not differentiate between a user failing with the same wrong password a bunch of times versus a crack attempt where someone tries multiple different wrong passwords. Are there any modules that take into account if the same password is being used a bunch of times or if multiple different passwords are failing? Could this be a useful feature worth requesting (if it doesn't exist already)? Thank you, Aravind.

6 24

fetching cookies with ldapsearch
by Dieter Kluenter 16 Jul '09

16 Jul '09

Hi, if I do a ldapsearch(1) with simple paged result control enabled I receive a cookie wich is printed to stdout. A ldapsearch(1) with sync request control should receive a syncCookie, which is obviously submitted, but somehow it is not printed to stdout. How can I add this syncCookie to ldapsearch? -Dieter -- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E

1 1

TLS secure connection problem
by Tamás Pisch 16 Jul '09

16 Jul '09

Hi, I installed Openldap 2.4.11-1 on two Debian Lenny servers (srv3, srv4), in mastrer-slave configuration. I wanted to create secure connection for syncrepl. srv3 is the master (provider) and srv4 is the slave (consumer). While I didn't use secure connection, the ldapsearch, and syncrepl worked. After I set up secure connection, syncrepl didn't work. I start slapd with -h ldap://127.0.0.1/ ldaps:/// on both servers. ldapsearch partially works: Works from srv3: ldapsearch -H ldaps://srv3.mydomain.site:636 -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)" ldapsearch -H ldaps://srv4.mydomain.site:636 -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)" ldapsearch -H ldap://127.0.0.1:389 -x -W -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)" Works from srv4: ldapsearch -H ldaps://srv4.mydomain.site:636/ -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)" ldapsearch -H ldap://127.0.0.1:389 -x -W -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)" *_Doesn't_work_from_srv4_:* ldapsearch -H ldaps://srv3.mydomain.site:636/ -W -x -D "cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)" Enter LDAP Password: **(after i give the password, it waits 1-2 seconds)** ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) On srv3: /etc/ldap/ldap.conf: host 127.0.0.1 base dc=mydomain,dc=site logdir /var/lib/ldap/log TLS_REQCERT hard TLS_CACERT /etc/ssl/certs/cacert.pem slapd.conf: ######################################### # Global Directives: # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba3.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel conns stats filter idletimeout 30 modulepath /usr/lib/ldap moduleload back_hdb moduleload syncprov sizelimit unlimited tool-threads 1 TLSCertificateFile /etc/ssl/certs/srv3cert.pem TLSCertificateKeyFile /etc/ssl/private/srv3key.pem TLSCACertificateFile /etc/ssl/certs/cacert.pem TLSVerifyClient never ####################################################################### # Specific Backend Directives for hdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend hdb database hdb suffix "dc=mydomain,dc=site" rootdn "cn=adm,dc=mydomain,dc=site" rootpw {SSHA}....... directory "/var/lib/ldap" dbconfig set_cachesize 0 100000000 1 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 dbconfig set_lg_regionmax 262144 dbconfig set_lg_bsize 524288 dbconfig set_lg_dir /var/lib/ldap/log dbconfig set_flags DB_LOG_AUTOREMOVE index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uidNumber eq index gidNumber eq index memberUID eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub index sambaSIDList eq index sambaGroupType eq index entryCSN,entryUUID eq lastmod on checkpoint 512 30 access to * by dn.exact="cn=replicator,dc=mydomain,dc=site" tls_ssf=128 read by * break access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange by dn="cn=admin,dc=mydomain,dc=site" write by dn="cn=replicator,dc=mydomain,dc=site" read by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,dc=mydomain,dc=site" write by dn="cn=replicator,dc=mydomain,dc=site" read by self write by * read overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 On srv4: /etc/ldap/ldap.conf: host 127.0.0.1 logdir /var/lib/ldap/log TLS_REQCERT hard TLS_CACERT /etc/ssl/certs/cacert.pem Thanks, Tamas.

2 2

Re: saslmech=EXTERNAL
by Gavin Henry 15 Jul '09

15 Jul '09

Also, -stseug is wrong. It should be: [-s base|one|sub] -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software July 2009