RE: How do I get libldap to pick up changes in TLS_CACERTDIR?
by Lawrence Chan
> Subject: How do I get libldap to pick up changes in TLS_CACERTDIR?
> Date: Wed, 1 Jul 2009 10:51:52 -0400
>
>
> Hi,
>
> I'm writing an application that connects to a slapd and the
application uses ldap_start_tls_s to secure communication between itself
and slapd before doing anything else. The version of openLDAP I'm using
is 2.2.29... I know I should get a newer version, but I have no say on
this matter, this is the version I have to use. The
/etc/openldap/ldap.conf config file contains only one modification:
>
> TLS_CACERTDIR /usr/sw/certs
>
> I'm not sure how I can get libldap to re-process/re-check the contents
of TLS_CACERTDIR without ending the application and restarting it. I
initially thought that tearing down the session and re-creating one from
scratch would do the trick, but that isn't working.
>
> Thanks,
> Lawrence
>
I answered my own question and I'll add my solution to the mailing list
archive for future reference.
Going through the openldap code revealed to me that libldap keeps a
default tls context. If you don't specify your own tls context for the
LDAP session, then this is the one you're getting. This gets initialized
once. So if you decide to change the contents of TLS_CACERTDIR while
your LDAP client app is still running, the changes won't get detected
(at least not immediately).
This was troublesome, since new certificates wouldn't get picked up and
deleted certificates didn't cause start_tls to fail.
I got around this by managing my own tls context and setting this
context to my session via ldap_set_option(ld, LDAP_OPT_X_TLS_CTX,
my_ctx). Whenever the contents of the directory changed, I would
disconnect the session and re-create the context and set it to the
session. Managing your own context also implies that setting
TLS_CACERTDIR is unnecessary.
Caveat: In 2.2.29, the case statement in ldap_pvt_tls_set_option looks
something like:
    case LDAP_OPT_X_TLS_CTX:
        if ( ld == NULL ) {
            tls_def_ctx = (SSL_CTX *) arg;
        } else {
            ld->ld_defconn->lconn_tls_ctx = arg;
        }
        return 0;
It seems that ld_defconn can be NULL in some cases. So I tried to get
around this by doing an anonymous bind before setting
LDAP_OPT_X_TLS_CTX. Probably not the best strategy, but this strategy is
the best I have right now and it seems to work.
Cheers,
Lawrence
13 years, 10 months
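As an added example (not code from Lawrence's post or from OpenLDAP), the application-side logic the post describes: snapshot the CA directory and rebuild the TLS context only when its contents change, instead of relying on libldap's once-initialised default context. libldap is not called; the `rebuild` callback, the `TrustedCaDir` class and the placeholder PEM files written by `demo()` are assumptions standing in for the tear-down, fresh-context and ldap_set_option(ld, LDAP_OPT_X_TLS_CTX, ctx) steps.

```python
"""Rebuild-on-change handling for a TLS_CACERTDIR-style trust directory.

Added example for this thread; not code from the post or from OpenLDAP, and
libldap is never called. `rebuild` stands in for: tear down the session,
create a fresh TLS context, install it with ldap_set_option(LDAP_OPT_X_TLS_CTX).
The PEM files demo() writes are constructed placeholders, not certificates.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Callable, Dict, List, Optional

Snapshot = Dict[str, str]  # file name -> SHA-256 of file contents


def snapshot_cadir(path: str) -> Snapshot:
    """Fingerprint every regular file in the directory by content, so a CA
    replaced under the same name is noticed as well as adds and deletes."""
    snap: Snapshot = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                snap[name] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def cadir_diff(old: Snapshot, new: Snapshot) -> Dict[str, List[str]]:
    """Classify the change so the caller can log why a rebuild happened."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


class TrustedCaDir:
    """Owns the snapshot and the application-managed context. The context is
    rebuilt only when the directory really changed; it is never reused
    blindly the way libldap's once-initialised default context is."""

    def __init__(self, path: str, rebuild: Callable[[Snapshot], object]) -> None:
        self.path = path
        self.rebuild = rebuild  # hypothetical: builds a context from the snapshot
        self.snapshot: Snapshot = snapshot_cadir(path)
        self.ctx = rebuild(self.snapshot)
        self.rebuilds = 1

    def refresh(self) -> Optional[Dict[str, List[str]]]:
        """Call before every (re)connect. Returns the diff when a rebuild was
        needed, None when the trust directory is unchanged."""
        current = snapshot_cadir(self.path)
        if current == self.snapshot:
            return None
        diff = cadir_diff(self.snapshot, current)
        self.snapshot = current
        self.ctx = self.rebuild(current)  # the stale context is dropped here
        self.rebuilds += 1
        return diff


def demo() -> dict:
    """Remove a CA from the directory and show that refresh() notices. With a
    context built once, the deleted CA would still be trusted, which is the
    post's observation that deletions did not make start_tls fail."""
    tmp = tempfile.mkdtemp(prefix="cadir-")
    try:
        for name in ("ca-a.pem", "ca-b.pem"):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(f"-----BEGIN CERTIFICATE-----\nconstructed {name}\n"
                         "-----END CERTIFICATE-----\n")
        # The "context" here is simply the set of trusted file names.
        trust = TrustedCaDir(tmp, rebuild=lambda snap: set(snap))
        unchanged = trust.refresh()                # nothing changed yet -> None
        os.remove(os.path.join(tmp, "ca-b.pem"))   # operator withdraws trust in ca-b
        diff = trust.refresh()                     # detected; context rebuilt
        return {"unchanged": unchanged, "diff": diff,
                "trusted_now": sorted(trust.ctx), "rebuilds": trust.rebuilds}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
```

Hashing contents rather than comparing names matters because a CA swapped in under the same file name is as much a trust change as a deletion. One more practical point: with OpenSSL, a CA directory is searched by hashed file name (the links c_rehash creates), so a certificate dropped into TLS_CACERTDIR without rehashing is not found even by a freshly built context.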
aliasedObject not found
by Andreas Schoe
Hello list,
I have some problems with alias objects. I have set up an internal and an
external tree. Some group accounts have to point from the external
suffix to the internal one.
Example:
dn: cn=alias,ou=Groups,dc=intern,dc=de
objectClass: top
objectClass: groupOfUniqueNames
cn: alias
...
dn: cn=alias,ou=Groups,dc=extern,dc=de
aliasedObjectName: cn=alias,ou=Groups,dc=intern,dc=de
objectClass: top
objectClass: extensibleObject
objectClass: alias
cn: alias
ldapsearch -h ldap -x -a find -b "ou=Groups,dc=extern,dc=de"
search: 2
result: 33 Alias problem
matchedDN: alias,ou=Groups,dc=gfz-extern,dc=de
text: aliasedObject not found
System:
OpenLDAP: 2.4.16, configured with --enable-overlays=yes
solaris 10, SPARC
The aliasedObjectName is set to "cn=alias,ou=Groups,dc=intern,dc=de" but
the search result gives back "alias,ou=Groups,dc=gfz-extern,dc=de" for
the matchedDN. Both trees are indexed with "olcDbIndex: cn
pres,eq,approx,sub".
I'm looking forward to your advice, hints and help.
Thanks a lot!
Andreas
Ndb-backend questions...
by Reinhard Nappert
Hi,
I am trying to get openldap 2.4.16 running with MySQL Cluster 7.0.6 as the backend. Is there documentation available on how to configure openldap and MySQL? Specifically, I want to know if I can define more than one suffix, each pointing to a different database (multiple suffix and dbname directives). If so, how do I associate a suffix with the desired database?
Secondly, I got the connection with one suffix to work, but it looked like I had to start the mysql server as well. I thought that the backend-ndb talks directly to the NDB API.
Thirdly, as far as I know, the backend-ndb also allows you to read existing SQL tables from the cluster. How does this work and how do you configure it? So far, I am not able to do that.
Thanks for any pointers.
-Reinhard
RE: [Openldap 2.4.16] Unable to use DB_CONFIG
by Brett Maxfield
I think you should read the manual again. That is not a DB_CONFIG. That looks like a slapd config file, in ldif format.
-----Original Message-----
From: Lepoutre Lionel <leplio(a)gmail.com>
Sent: Friday, 17 July 2009 10:19 PM
To: openldap-software(a)openldap.org
Subject: [Openldap 2.4.16] Unable to use DB_CONFIG
Hello,
I am trying to use the DB_CONFIG file as it seems to be the right way to configure my hdb database.
My LDAP start without any DB_CONFIG, but when I put a DB_CONFIG file I have an error:
"unrecognized name-value pair: dn:"
Here is an extract of my files (I have changed my personal information by MY...)
- slapd.conf:
------------------------------------
database hdb
suffix "MY_LDAP_SUFFIX"
rootdn "MY_ROOT_DN"
rootpw MY_ROOT_PASS
directory /opt/local/openldap/var/openldap-data
- DB_CONFIG:
-----------------------------------
# global configuration settings
dn: cn=config
objectClass: olcGlobal
cn: config
# schema definitions
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
dn: cn=core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: core
#backend definitions
dn: olcBackend=hdb,cn=config
objectClass: olcBackendConfig
olcBackend: hdb
# database definitions
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: hdb
olcSuffix: MY_LDAP_SUFFIX
....
It seems to be because of the first line of my DB_CONFIG file, but I have copied it from the documentation (http://www.openldap.org/doc/admin24/slapdconf2.html). Did I miss something? Is it not the right file for such configuration?
Any help is welcome and sorry if it is a stupid question.
Lionel
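Brett's point, as an added checker (not code from the thread, from OpenLDAP or from Berkeley DB): DB_CONFIG holds Berkeley DB environment directives, one `name arguments` pair per line, and the first LDIF line slapd meets there is reported as an unrecognized name-value pair. The argument counts in KNOWN and the slapd.conf keyword list are assumptions drawn from the directives that appear on this page; GOOD is a constructed DB_CONFIG and BAD is the start of Lionel's posted file.

```python
"""Distinguish a Berkeley DB DB_CONFIG file from slapd configuration.

Added example for this thread, not code from OpenLDAP or Berkeley DB. DB_CONFIG
is read by the BDB library: one directive per line, a lowercase name followed by
whitespace-separated arguments, with '#' comment lines. The argument counts in
KNOWN are assumed from the directives that appear on this page; BDB accepts more
directives, which this checker passes through unchecked.
"""
import re
from typing import Dict, List, Tuple

# directive -> argument count (assumed; only the directives seen on this page)
KNOWN: Dict[str, int] = {
    "set_cachesize": 3,        # gbytes bytes ncache
    "set_lk_max_objects": 1,
    "set_lk_max_locks": 1,
    "set_lk_max_lockers": 1,
    "set_lg_regionmax": 1,
    "set_lg_bsize": 1,
    "set_lg_dir": 1,
    "set_flags": 1,
}
# first tokens that mean "this is slapd.conf", not DB_CONFIG (assumed list)
SLAPD_CONF_WORDS = {"database", "suffix", "rootdn", "rootpw", "directory",
                    "include", "overlay", "access", "index", "moduleload"}
_NAME = re.compile(r"^[a-z][a-z0-9_]*$")


class DbConfigError(ValueError):
    pass


def parse_db_config(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) per line; raise DbConfigError on anything that
    is not a BDB name-value pair (LDIF 'dn:' lines, slapd.conf keywords)."""
    out: List[Tuple[str, List[str]]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        if name in SLAPD_CONF_WORDS:
            raise DbConfigError(
                f"line {lineno}: '{name}' is a slapd.conf directive, not a DB_CONFIG one")
        if not _NAME.match(name):
            # the situation behind slapd's "unrecognized name-value pair: dn:"
            raise DbConfigError(f"line {lineno}: unrecognized name-value pair: {name}")
        if name in KNOWN and len(args) != KNOWN[name]:
            raise DbConfigError(
                f"line {lineno}: {name} takes {KNOWN[name]} argument(s), got {len(args)}")
        out.append((name, args))
    return out


def check(text: str) -> Tuple[bool, str]:
    """Convenience wrapper: (True, summary) or (False, reason)."""
    try:
        directives = parse_db_config(text)
    except DbConfigError as exc:
        return False, str(exc)
    return True, f"{len(directives)} directive(s)"


# Constructed DB_CONFIG for the hdb database in Lionel's slapd.conf.
# Sizes are placeholders; tune them for the machine.
GOOD = """\
# Berkeley DB environment for /opt/local/openldap/var/openldap-data
set_cachesize 0 16777216 1
set_lk_max_objects 1500
set_lk_max_locks 1500
set_lk_max_lockers 1500
set_lg_regionmax 262144
set_lg_bsize 2097152
set_flags DB_LOG_AUTOREMOVE
"""

# What was actually in Lionel's DB_CONFIG (the start of his posted file).
BAD = """\
# global configuration settings
dn: cn=config
objectClass: olcGlobal
cn: config
"""
```

DB_CONFIG lives in the database `directory` (here /opt/local/openldap/var/openldap-data) next to the database files, and BDB reads it when the environment is opened. The cn=config LDIF Lionel copied from the admin guide is slapd's own configuration, which belongs in the slapd.d tree, not in the database directory.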
Re: saslmech=EXTERNAL
by Greek Ordono
Hi,
What I'm trying to do is change the password[1] of user guest to see if my chain overlay will work with saslmech=external. Referring to this email[2], this should be working. But I'm a bit confused because I can't get this working while my syncrepl is working well. TIA
[1] ldappasswd -s newPasswd - Set the new password to newPasswd.
[2] http://www.openldap.org/lists/openldap-software/200808/msg00113.html
--
Greek Ordono
myppa: launchpad.net/~grexk/+archive/ppa
--- On Wed, 7/15/09, Gavin Henry <ghenry(a)suretecsystems.com> wrote:
From: Gavin Henry <ghenry(a)suretecsystems.com>
Subject: Re: saslmech=EXTERNAL
To: "Quanah Gibson-Mount" <quanah(a)zimbra.com>, "Greek Ordono" <grexk(a)yahoo.com>
Cc: "openldap-software(a)openldap.org" <openldap-software(a)openldap.org>
Date: Wednesday, July 15, 2009, 10:22 PM
Also, -stseug is wrong. It should be:
[-s base|one|sub]
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
Re: SOLVED saslmech=EXTERNAL
by Greek Ordono
Hi,
After a series of trial and error I finally got it working. The following configuration
works for openldap-2.4.16:
overlay chain
chain-uri "ldap://server.group"
#chain-uri "ldaps:///server.group" - not working at all[1]?
chain-idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    binddn="cn=whatever"
    #starttls=yes/critical - even this?
    tls_cert=/etc/ldap/ssl/replicator-cert.pem
    tls_key=/etc/ldap/ssl/replicator-key.pem
    tls_cacert=/etc/ssl/certs/mgoc-cacert.pem
    tls_reqcert=demand
    mode=self
chain-tls start
chain-idassert-authzFrom "*"
chain-return-error TRUE
$ ldappasswd -x -D 'uid=guest,ou=users,dc=server,dc=group' -w1234 -sguest
from the master you may see something like this one:
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 PROXYAUTHZ dn="uid=guest,ou=users,dc=server,dc=group"
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 PASSMOD new
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 RESULT oid= err=0 text=
on the slave:
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 BIND dn="uid=guest,ou=users,dc=server,dc=group" method=128
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 BIND dn="uid=guest,ou=Users,dc=server,dc=group" mech=SIMPLE ssf=0
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 RESULT tag=97 err=0 text=
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 PASSMOD new
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 RESULT oid= err=0 text=
Thanks for all the people that tried to help me.
[1] http://www.openldap.org/lists/openldap-software/200808/msg00012.html
--
Greek Ordono
myppa: launchpad.net/~grexk/+archive/ppa
--- On Sat, 7/18/09, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
From: Quanah Gibson-Mount <quanah(a)zimbra.com>
Subject: Re: saslmech=EXTERNAL
To: "Greek Ordono" <grexk(a)yahoo.com>, ghenry(a)suretecsystems.com
Cc: openldap-software(a)openldap.org
Date: Saturday, July 18, 2009, 7:26 AM
--On Friday, July 17, 2009 5:44 PM -0700 Greek Ordono <grexk(a)yahoo.com>
wrote:
>
> Hi,
>
> What I'm trying to do is change the password[1] of user guest to see if
> my chain overlay will work with saslmech=external. Referring from this
> email[2] this should be working. But I'm a bit I confused cause I can't
> get this working while my syncrepl is working well. TIA
As I said, by using the "-x" mechanism, you are completely disabling SASL.
Thus no SASL/EXTERNAL method is going to work.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
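Added example, not from the thread or from OpenLDAP: a parser for the conn=/op= lines slapd writes at loglevel stats, run over the log lines Greek posted. It answers the two questions a reviewer of this setup asks. On the slave, the second BIND line ends in mech=SIMPLE ssf=0, i.e. the ldappasswd -x run handed over the password with no TLS or SASL protection on that hop (Quanah's point that -x disables SASL entirely). On the master, the PROXYAUTHZ line shows the chain overlay re-issuing the Password Modify under the user's identity on the connection it opened with the configuration above. The log text is copied from the post; PASSMOD_OID is the Password Modify extended-operation OID that appears in those lines.

```python
"""Read slapd 'stats' log lines and show what the bind path actually was.

Added example for this thread, not OpenLDAP code. Parses the conn=/op= lines
slapd logs at loglevel stats. The log lines below are copied from the post
(consumer first, then provider).
"""
import re
from typing import Dict, List

PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"   # Password Modify extended op (RFC 3062)

_HEAD = re.compile(
    r"^\S+ +\d+ +[\d:]+ (?P<host>\S+) slapd\[\d+\]: "
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+)(?P<rest>.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_slapd_stats(lines: List[str]) -> List[Dict]:
    """One event per recognised line: host, conn, op, kind and key=value fields."""
    events: List[Dict] = []
    for line in lines:
        m = _HEAD.match(line)
        if not m:
            continue   # not a conn=/op= stats line
        fields = {k: v.strip('"') for k, v in _KV.findall(m.group("rest"))}
        events.append({"host": m.group("host"), "conn": int(m.group("conn")),
                       "op": int(m.group("op")), "kind": m.group("kind"),
                       "fields": fields})
    return events


def cleartext_binds(events: List[Dict]) -> List[Dict]:
    """Simple binds that completed with ssf=0. slapd logs a simple bind twice:
    first 'method=128' (the LDAP simple-authentication tag), then
    'mech=SIMPLE ssf=N'; ssf=0 means neither TLS nor SASL protected it."""
    return [e for e in events
            if e["kind"] == "BIND"
            and e["fields"].get("mech") == "SIMPLE"
            and e["fields"].get("ssf") == "0"]


def proxied_ops(events: List[Dict]) -> List[Dict]:
    """Operations that arrived via identity assertion: the PROXYAUTHZ line names
    the asserted identity, and the later lines with the same conn/op are the
    forwarded operation itself (here the Password Modify extended op)."""
    asserted = {(e["conn"], e["op"]): e["fields"].get("dn")
                for e in events if e["kind"] == "PROXYAUTHZ"}
    out: List[Dict] = []
    for e in events:
        key = (e["conn"], e["op"])
        if key in asserted and e["kind"] not in ("PROXYAUTHZ", "RESULT"):
            oid = e["fields"].get("oid")
            out.append({"dn": asserted[key], "kind": e["kind"], "oid": oid,
                        "passmod": oid == PASSMOD_OID})
    return out


# Log lines as posted in the thread.
SLAVE_LOG = """\
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 BIND dn="uid=guest,ou=users,dc=server,dc=group" method=128
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 BIND dn="uid=guest,ou=Users,dc=server,dc=group" mech=SIMPLE ssf=0
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=0 RESULT tag=97 err=0 text=
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 PASSMOD new
Jul 18 11:47:30 slave slapd[8915]: conn=0 op=1 RESULT oid= err=0 text=
""".splitlines()

MASTER_LOG = """\
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 PROXYAUTHZ dn="uid=guest,ou=users,dc=server,dc=group"
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 PASSMOD new
Jul 18 11:45:44 server slapd[1275]: conn=1 op=6 RESULT oid= err=0 text=
""".splitlines()
```

The chain overlay's EXTERNAL bind protects only the slave-to-master hop; the client-to-slave hop is whatever the client chose, and here `-x` with no `-Z` left it at ssf=0. Running cleartext_binds over a provider's and consumer's logs is a quick way to find the hops where a password still travels unprotected.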
password policy - alternate lockout mechanism
by Aravind Gottipati
Hi,
The current password policy module can lock folks out after some
configurable number of failed attempts. The module currently does not
differentiate between a user failing with the same wrong password a
bunch of times versus a crack attempt where someone tries multiple
different wrong passwords. Are there any modules that take into
account if the same password is being used a bunch of times or if
multiple different passwords are failing? Could this be a useful
feature worth requesting (if it doesn't exist already)?
Thank you,
Aravind.
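Aravind's question, as an added sketch (not an OpenLDAP module, not part of the ppolicy overlay, and not from the thread): a lockout counter that tells one wrong password retried many times apart from many different wrong passwords. The thresholds, the window, the HMAC fingerprinting and the injectable clock are choices made here for illustration.

```python
"""Lockout that counts distinct wrong passwords, not raw failures.

Added example for this thread; not an OpenLDAP module and not the ppolicy
overlay. The same stale password retyped ten times is one distinct failure;
ten different guesses are ten. Attempted passwords are never stored: each is
reduced to an HMAC under a per-process random key and kept only in memory for
a sliding window, because wrong guesses are often near-misses of the real
password. A total-failure cap stays as a backstop.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Callable, Dict, List


class DistinctFailureLockout:
    def __init__(self, max_distinct: int = 5, max_total: int = 50,
                 window: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_distinct = max_distinct   # different wrong passwords before lock
        self.max_total = max_total         # any failures before lock (backstop)
        self.window = window               # seconds a failure stays counted
        self.clock = clock
        self._key = os.urandom(32)         # never persisted; fingerprints die with the process
        self._seen: Dict[str, Dict[str, float]] = defaultdict(dict)  # user -> fp -> last seen
        self._times: Dict[str, List[float]] = defaultdict(list)      # user -> failure times

    def _fingerprint(self, user: str, password: str) -> str:
        msg = user.encode() + b"\0" + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _prune(self, user: str) -> None:
        cutoff = self.clock() - self.window
        self._seen[user] = {fp: t for fp, t in self._seen[user].items() if t >= cutoff}
        self._times[user] = [t for t in self._times[user] if t >= cutoff]

    def record_failure(self, user: str, password: str) -> int:
        """Register a failed bind; returns the distinct-failure count afterwards."""
        now = self.clock()
        self._seen[user][self._fingerprint(user, password)] = now
        self._times[user].append(now)
        self._prune(user)
        return len(self._seen[user])

    def distinct_failures(self, user: str) -> int:
        self._prune(user)
        return len(self._seen[user])

    def total_failures(self, user: str) -> int:
        self._prune(user)
        return len(self._times[user])

    def is_locked(self, user: str) -> bool:
        self._prune(user)
        return (len(self._seen[user]) >= self.max_distinct
                or len(self._times[user]) >= self.max_total)

    def reset(self, user: str) -> None:
        """Call on a successful bind."""
        self._seen.pop(user, None)
        self._times.pop(user, None)
```

Keying the fingerprint with a per-process random key and never writing it out means a leaked log or database yields nothing that can be compared offline against a password list. The total cap is kept so that a flood of identical failures still locks eventually; it is the distinct count that lets a user with a stale cached credential off the hook while a guessing attack is not.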
fetching cookies with ldapsearch
by Dieter Kluenter
Hi,
if I do an ldapsearch(1) with simple paged result control enabled I receive a
cookie which is printed to stdout. An ldapsearch(1) with sync request control
should receive a syncCookie, which is obviously submitted, but
somehow it is not printed to stdout. How can I add this syncCookie to
ldapsearch?
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
TLS secure connection problem
by Tamás Pisch
Hi,
I installed Openldap 2.4.11-1 on two Debian Lenny servers (srv3, srv4), in
master-slave configuration. I wanted to create a secure connection for
syncrepl.
srv3 is the master (provider) and srv4 is the slave (consumer). While I
wasn't using a secure connection, ldapsearch and syncrepl worked. After I
set up a secure connection, syncrepl didn't work.
I start slapd with -h ldap://127.0.0.1/ ldaps:/// on both servers.
ldapsearch partially works:
Works from srv3:
ldapsearch -H ldaps://srv3.mydomain.site:636 -W -x -D
"cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
ldapsearch -H ldaps://srv4.mydomain.site:636 -W -x -D
"cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
ldapsearch -H ldap://127.0.0.1:389 -x -W -D "cn=adm,dc=mydomain,dc=site" -b
"dc=mydomain,dc=site" "(ObjectClass=*)"
Works from srv4:
ldapsearch -H ldaps://srv4.mydomain.site:636/ -W -x -D
"cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
ldapsearch -H ldap://127.0.0.1:389 -x -W -D "cn=adm,dc=mydomain,dc=site" -b
"dc=mydomain,dc=site" "(ObjectClass=*)"
Doesn't work from srv4:
ldapsearch -H ldaps://srv3.mydomain.site:636/ -W -x -D
"cn=adm,dc=mydomain,dc=site" -b "dc=mydomain,dc=site" "(ObjectClass=*)"
Enter LDAP Password: (after I give the password, it waits 1-2 seconds)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
On srv3:
/etc/ldap/ldap.conf:
host 127.0.0.1
base dc=mydomain,dc=site
logdir /var/lib/ldap/log
TLS_REQCERT hard
TLS_CACERT /etc/ssl/certs/cacert.pem
slapd.conf:
#########################################
# Global Directives:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel conns stats filter
idletimeout 30
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
sizelimit unlimited
tool-threads 1
TLSCertificateFile /etc/ssl/certs/srv3cert.pem
TLSCertificateKeyFile /etc/ssl/private/srv3key.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSVerifyClient never
#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb
database hdb
suffix "dc=mydomain,dc=site"
rootdn "cn=adm,dc=mydomain,dc=site"
rootpw {SSHA}.......
directory "/var/lib/ldap"
dbconfig set_cachesize 0 100000000 1
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 524288
dbconfig set_lg_dir /var/lib/ldap/log
dbconfig set_flags DB_LOG_AUTOREMOVE
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index sambaSIDList eq
index sambaGroupType eq
index entryCSN,entryUUID eq
lastmod on
checkpoint 512 30
access to *
    by dn.exact="cn=replicator,dc=mydomain,dc=site" tls_ssf=128 read
    by * break
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange
    by dn="cn=admin,dc=mydomain,dc=site" write
    by dn="cn=replicator,dc=mydomain,dc=site" read
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to *
    by dn="cn=admin,dc=mydomain,dc=site" write
    by dn="cn=replicator,dc=mydomain,dc=site" read
    by self write
    by * read
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
On srv4:
/etc/ldap/ldap.conf:
host 127.0.0.1
logdir /var/lib/ldap/log
TLS_REQCERT hard
TLS_CACERT /etc/ssl/certs/cacert.pem
Thanks,
Tamas.
Re: saslmech=EXTERNAL
by Gavin Henry
Also, -stseug is wrong. It should be:
[-s base|one|sub]