openldap-software

openldap-software@openldap.org

2719 discussions

FW: Problem in configuring SSL with openldap
by Monica_Rana 18 Oct '06

18 Oct '06

Hi All, I have successfully installed and built openLDAP and openSSL. Now I need to configure SSL. I have followed the link http://www.proscrutiny.com/howtos/OpenLDAP.html#confssl-co. These are the settings in my "slapd.conf" TLSCipherSuite HIGH:MEDIUM TLSCertificateFile /usr/local/etc/openldap/certs/newcert.pem TLSCertificateKeyFile /usr/local/etc/openldap/certs/privkey.pem TLSCACertificateFile /usr/local/ssl/misc/demoCA/cacert.pem TLSCACertificatePath /usr/local/ssl/misc/demoCA #TLSRandFile <filename> #TLSVerifyClient 0 ------------------------------------------------------------------------ ----- These are the settings in my "ldap.conf" # See ldap.conf(5) for details # This file should be world readable but not world wr HOST 10.152.72.5 BASE dc=ad,dc=infosys,dc=com URI ldap://10.152.72.5 ldap://10.152.72.5:389 BINDDN "cn=Manager,dc=ad,dc=infosys,dc=com" SIZELIMIT 12 TIMELIMIT 25 #DEREF never TLS_CACERT /usr/local/ssl/misc/demoCA/cacert.pem ~ When I run the command "./slapd -h 'ldap://10.152.72.5:389/ ldaps://10.152.72.5:636/' -d 255 ", and try to connect to the SSL port, I get the following error messages. TLS trace: SSL_accept:SSLv3 flush data tls_read: want=5, got=5 0000: 15 03 01 00 02 ..... tls_read: want=2, got=2 0000: 02 30 .0 TLS trace: SSL3 alert read:fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept. TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c :1057 connection_read(12): TLS accept failure error=-1 id=3, closing connection_closing: readying conn=3 sd=12 for close connection_close: conn=3 sd=12 daemon: removing 12 daemon: select: listen=7 active_threads=0 tvp=NULL daemon: select: listen=8 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: waked daemon: select: listen=7 active_threads=0 tvp=NULL daemon: select: listen=8 active_threads=0 tvp=NULL Could you please suggest what is the probable reason for this. Have I configured something incorrectly. Earlier I had tried with a different CA. But the issue was there. That's why I created the Demo Certification Authority(using openssl). But the issue persists. Regards, Monica Rana -----Original Message----- From: Sameer N Ingole [mailto:strike@proscrutiny.com] Sent: Thursday, October 12, 2006 6:03 PM To: Monica_Rana Subject: Re: Problem in configuring SSL with openldap Hi Monica, Replying off list because this is more of a Solaris/OpenSSL issue. Please ignore my last mail, it was obscure. If you are referring to Openssl installation, you may want to take a look at this http://www.sunfreeware.com/openssh8.html Else download OpenSSL from: ftp://ftp.sunfreeware.com/pub/freeware/sparc/8/openssl-0.9.8d-sol8-sparc -local.gz If you are referring to OpenSSL source installation (downloaded from openssl.org) then there are few things to note: Sun does not ship include libraries (for Solaris 9, I guess) You would want to compile shared version of libraries, it defaults to static By default it is compiled gnu-shared so and for solaris you need to specify solaris-shared instead of gnu-shared So generally you would do this: edit Configure script - find solaris-x86-gcc or solaris-sparcv9-gcc etc as suitable * Change "gnu-shared" to "solaris-shared". * add "-R/usr/local/ssl/lib " just before "-lsocket" So now your configure command would look something like.. ./Configure solaris-x86-gcc shared Some of the above things might be inconsistent as last time I worked on solaris was 11 months back. Regards, Sameer Ingole. http://weblogic.noroot.org/gallery2/ Monica_Rana wrote: > Hi Sameer, > > I have followed the below mentioned steps: > 1. $ ./config > 2. $ make > 3. $ make test > 4. $ make install. > > All the options ran without any errors. > Do I need to do anything extra? > > Regards, > Monica Rana > > -----Original Message----- > From: Sameer N Ingole [mailto:strike@proscrutiny.com] > Sent: Thursday, October 12, 2006 2:34 PM > To: openldap-software(a)openldap.org > Cc: Monica_Rana > Subject: Re: Problem in configuring SSL with openldap > > Did you custom compile Openssl? > Did you install development libraries for Openssl? > > I suspect absence of development libraries is causing this problem. > Also read http://www.columbia.edu/~ariel/ssleay/rsaref.html > > Regards, > > Sameer Ingole. > http://weblogic.noroot.org/gallery2/ > <snip> >> -----Original Message----- >> From: Phillip [mailto:phuang@plasmon.cn] >> Sent: Thursday, October 12, 2006 1:07 PM >> To: Monica_Rana >> Cc: openldap-software(a)openldap.org >> Subject: Re: Problem in configuring SSL with openldap >> >> Monica, >> >> Maybe you've take a mistake in setting "env", just try: >> >> env CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include - >> I/usr/local/db4/include" LDFLAGS="-L/usr/local/ssl/lib - >> L/usr/local/db4/lib" ./configure --with-tls --with-cyrus-sasl >> --enable- wrappers --enable-crypt --enable-bdb >> >> You'd better verify the "include" and "lib" path for SSL and DB. >> >> Regards, >> Phillip >> >> >> >> >> >> On Thu, 2006-10-12 at 12:18 +0530, Monica_Rana wrote: >> >> >>> Hi All, >>> >>> I have the following installed on solaris 8. >>> openLDAP 2.3.27 >>> openSSL 0.9.8b. >>> >>> when i try to configure using the command env >>> CPPFLAGS="-I/usr/local/include -I/usr/local/include/ssl - >>> I/usr/local/include/db4" >>> LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib/db4" >>> ./configure --with-tls --with-cyrus-sasl --enable-wrappers -- >>> enable-crypt --enable-bdb it throws the error checking for >>> openssl/ssl.h... yes checking for SSL_library_init in -lssl... no >>> checking for ssl3_accept in -lssl... no checking OpenSSL library >>> version (CRL checking capability)... yes >>> configure: error: Could not locate TLS/SSL package. >>> >>> Please let me know what could be the possible reson behind. PFA the >>> config.log file. >>> >>> Regards, >>> Monica Rana >>> **************** CAUTION - Disclaimer ***************** This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Further, you are not to copy, disclose, or distribute this e-mail or its contents to any other person and any such actions are unlawful. This e-mail may contain viruses. Infosys has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachment. Infosys reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Infosys e-mail system. ***INFOSYS******** End of Disclaimer ********INFOSYS***

3 2

Re: Trying to figure out access policies
by Jason Lixfeld 17 Oct '06

17 Oct '06

Between Roy and Kurt's replies, I think I have enough information to go forward. It is now very apparent to me that I went off-topic by including portions of an ldap.conf that had nss configuration directives in it. I apologize for going off-topic -- I did not do so intentionally. On 27-Jun-06, at 2:32 PM, Roy Ledochowski wrote: > > Jason-- > > I'm not quite certain what you're trying to do, but if it's setup > nss_ldap and pam_ldap to use a proxy user for those libraries. > nss_ldap & pam_ldap are the client libraries which Linux (dunno > about FreeBSD & other PC *nix use) uses for LDAP user > authentication & authorization. These libraries use /etc/ldap.conf > (on Redhat) and /etc/libnss-ldap.conf & /etc/libpam.conf (on > Debian). nss_ldap & pam_ldap use /etc/ldap.secret for rootbinddn's > pwd. These files are configured at build time. > > That being said, the openLDAP client libraries & binaries such as > ldapsearch, ldappasswd, etc, also use ldap.conf, but it's a > *different file*. On Redhat it's in /etc/openldap. On Debian it's > in /etc/ldap. Point is, you have to configure the right one for > the right task. openLDAP does not use /etc/ldap.secret. > > Your ACL needs a bit of help: > access to attrs=userPassword > by dn="cn=Proxyuser,dc=example,dc=ca" read > > -->you also need at least "by * auth". There is an implied "by * > none" at the end of each access directive. > > Rootbinddn is how nss_ldap will bind to do "root" operations. This > functions pretty much like passwd & group. Users can read but root > (=proxy) can edit. Binddn if I remember right is for proxy users > if you do not allow anonymous binds. > > For your ldapsearch, I notice that you are trying to bind as your > proxy user but did not includ a password or server to bind to it > probably failed probably because > A) your ldap.conf wasn't configured correctly (no URL or HOST > directive. This is the default server to bind to) > B) you didn't include a passwd (-w or -W) > C) If you are not using SASL (ie only simple binds), you need the - > x switch. > > Hope that helps, > roy > > > > > Jason Lixfeld <jason+lists.openldap(a)lixfeld.ca> > Sent by: owner-openldap-software(a)OpenLDAP.org > 06/27/2006 09:38 AM > > To > OpenLDAP software list <openldap-software(a)OpenLDAP.org> > cc > Subject > Trying to figure out access policies > > > > > > I think I'm somewhat versed in the basics of OpenLDAP, but the > concept of access policies eludes me because they are far beyond my > current level of comprehension. That being said, I'm doing some > trial by fire to try to make sense of how they work and hopefully > will then be able to relate some of what I read in the manual to what > I've made happen in tests... > > I'm trying to get a proxyuser working so I don't have to do > everything as Manager. > > I put this entry into my slapd.conf as per some tutorials I read: > > access to attrs=userPassword > by dn="cn=Proxyuser,dc=example,dc=ca" read > > and likewise, these entries into my ldap.conf: > > binddn cn=Proxyuser,dc=example,dc=ca > bindpw **** > rootbinddn cn=Proxyuser,dc=example,dc=ca > > and finally, the Proxyuser password in /etc/ldap.secret. > > Being unsure if the lookups for ldap.conf and ldap.secret is in /etc > or /usr/local/etc (Using a FreeBSD system here), I symlinked each so > they are available in both locations. > > After that was all said and done, I restarted slapd and tried to do a > search using the proxyuser as the binddn: > > # ldapsearch -D "cn=Proxyuser,dc=example,dc=ca" -b > 'ou=auth,dc=example,dc=ca' -W '(uid=jlixfeld.example.ca)' userPassword > Enter LDAP Password: > ldap_bind: Invalid credentials (49) > > # all.log > Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 ACCEPT from > IP=127.0.0.1:54632 (IP=0.0.0.0:389) > Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 BIND > dn="cn=Proxyuser,dc=example,dc=ca" method=128 > Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 RESULT tag=97 err=49 > text= > Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 closed (connection > lost) > > It would seem to me that it's not complaining about the password, so > I assume it's complaining about the access entry in slapd.conf. I > removed the access entry from slapd.conf and was able to perform the > same search as above without a problem. > > Anyone have any pointers on what I can look at as the source of this > problem? > > Also, I'm a little confused about the difference between binddn and > rootbinddn. If I understand correctly, rootbinddn is the DN used to > bind if the user executing the command is root, while binddn is the > DN used to bind if the user executing the command is any user other > than root. Is this correct? I ask because if I run ldapsearch as > root with no additional arguments and check the logs, it seems to > bind anonymously so I'm not sure if my understanding of binddn vs. > rootbinddn is correct: > > Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 ACCEPT from > IP=127.0.0.1:58244 (IP=0.0.0.0:389) > Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 BIND dn="" method=128 > Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 RESULT tag=97 err=0 > text= > Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SRCH base="" scope=2 > deref=0 filter="(objectClass=*)" > Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SEARCH RESULT tag=101 > err=32 nentries=0 text= > Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=2 UNBIND > Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 closed > > Thanks in advance for any insight on either or both of these points... >

1 0

slurpd for windows
by Mitch Bart 17 Oct '06

17 Oct '06

We need to replicate two OpenLDAP servers running on Windows - I have searched everywhere for a Slurpd windows port. I've seen a few references to a "slurpd.exe" file but have been unable to locate it or any associated documentation. Thanks in advance for you help. Mitch Bart

2 1

Some More Newbie Questions
by Ted Johnson 17 Oct '06

17 Oct '06

75Hi; Here are some more questions I have in setting up my slapd.conf file: * How does one incorporate a user certificate? Where does one incorporate strongAuthenticationUser, certificationAuthority? * Since my server is a stand-alone unit and I am the only administrator, I see no need for using Kerberos. However, TLS requires anonymous bind, and anonymous bind presents the problem of possible DoS attacks. Are there work-arounds with this, or, if I'm concerned about the same, is this reason enough to use Kerberos? * What are limits? Is this just for syncrepl? I have no replication. * Where does one set limits? In the database config file? * Access scope has three potential values: base, subtree and children. Does "children" go down the entire subtree, such that the only difference between "subtree" and "children" is that the former includes the base? * Can someone give me a clear explanation with an example of "dnattr" and where it is used (i.e. slapd.conf or slapd.d/cn=control)? * Can someone give me a clear explanation with an example of how and where to use "ssf"? How can this be configured for someone authorizing via SSH2? How about an internal daemon? * Why is the default timelimit so high (3600)? I mean, if slapd can't find what it's looking for in 300 seconds, something's wrong! * I had to specially install bdb to use bdb. Do I have to specially install monitor to use monitor? If so, where do I find it? TIA, Ted

2 1

Proper Deinit? ldap_unbind_ext: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed
by Michael B Allen 17 Oct '06

17 Oct '06

Hey, What is the proper method for deinitializing an LDAP * context if the binding fails? Consider the following code: ret = ldap_initialize(&ld, buf); if (ret) { ERR("ldap_initialize: %s: %s", buf, ldap_err2string(ret)); } ret = ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); if (ret) { ERR("ldap_set_option: %s", ldap_err2string(ret)); } else { ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &v3); if (ret) { ERR("ldap_set_option: %s", ldap_err2string(ret)); } else { if (my_ldap_bind_gssapi(ld, flags) == 0) { return 0; } } } ldap_unbind_ext(lx->ld, NULL, NULL); If the bind fails, the ldap_unbind_ext function asserts: unbind.c:49: ldap_unbind_ext: Assertion `( (ld)->ld_options.ldo_valid == 0x2 )' failed. Aborted What am I doing wrong? Thanks, Mike

2 2

syncrepl: no update referral
by Sepp 17 Oct '06

17 Oct '06

Hello, we have the following consumer syncrepl config (V 2.3.25, Suse Linux SLES 9): database bdb suffix "o=test,c=de" rootdn "cn=dirmgr,o=test,c=de" ... syncrepl rid=1 provider=ldap://testserver:389 type=refreshOnly interval=00:00:01:00 searchbase="ou=repltree,o=test,c=de" filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off bindmethod=simple binddn="cn=dirmgr,o=test,c=de" credentials=xxx The intention is to replicate only a part of the DIT ("ou=repltree,o=test,c=de"), Other parts of the database should be alterable on the consumer (e.g. "localtree,o=test,c=de"). But when we try add an entry, we get the error message: LDAP Error updating entry 'ou=testentry,cn=localtree,o=test,c=de'. Code:53. Message:shadow context; no update referral Any ideas ? Thanks in advance, Sepp

3 2

Non SASL authentication without -x option
by Sadique Puthen 17 Oct '06

17 Oct '06

Hi All, Is it possible to do simple authentication - non SASL - using LDAPS without explicitly passing "-x" option with ldapclient commands like ldapsearch, ldapadd and etc... Is it possible by making any changes in /etc/ldap.conf or /etc/ldap/ldap.conf or /etc/sysconfig/ldap. I believe this is hardcoded. If you anybody have any idea on how this can be accomplised, please share with me. Regards, Sadique

2 1

Avoid binding with external directory for cached results
by Daniel Montero Motilla 16 Oct '06

16 Oct '06

Hi, I'm using slapd 2.3.27 as a metadirectory with two external active directory servers and pcache overlay enabled. The pcache overlay is working ok, but when I do a non-anonymous search and slapd gets the results from local cache, it establishes a new connection to the external directory, tries to bind and then closes the connection. Altough I understand that this is the logical behaviour, I'm looking for some way to avoid this binding against the external directory if the results of the search are going to be obtained from slapd cache, in order to increase performance (in my scenario validating credentials for cached results is not a priority). If that is not possible, i'd like to know if there is a way to make slapd stablish a permanent connection to the external directory with the purpose of doing those credentials validations (instead establishing a new tcp connection on every search). Thank you in advance.

2 2

userPKCS12 and storage format
by Wyatt Neal 16 Oct '06

16 Oct '06

when i store a userPKCS12 binary file into the ldap directory using base64 encoding using the C LDAP API, the next time I try to retrieve the data, it is returned in base64 format; however, if insert the certificate using an ldif file from the command line and request the file using C, it comes back in binary format. i'm using the binary values as my LDAPMod ops, what am I doing wrong? wyatt

2 2

Issue while starting "slapd"
by Monica_Rana 16 Oct '06

16 Oct '06

Hi All, After successful installation of openldap 2.3.27 on Solaris 8, when i try to start the ldap service, it throws the following error. # ./slapd ld.so.1: ./slapd: fatal: libdb-4.4.so: open failed: No such file or directory Killed If anyone has any idea on what is causing this issue, please guide. Regards, Monica Rana **************** CAUTION - Disclaimer ***************** This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Further, you are not to copy, disclose, or distribute this e-mail or its contents to any other person and any such actions are unlawful. This e-mail may contain viruses. Infosys has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachment. Infosys reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Infosys e-mail system. ***INFOSYS******** End of Disclaimer ********INFOSYS***

5 4

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software