SSL/TLS connection on port 389
by Chris Carr
Hi All,
I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS
connections on port 636. This has worked with most clients (Outlook,
Seamonkey, Thunderbird) but does not work for Evolution. I don't know
why not, but Evolution seems to insist on using port 389 for secure
connections.
When I type
openssl s_client -connect my.server.com:389
It says connection refused. When I type the same command with :636 at
the end it connects fine.
Could somebody explain to me how to tell slapd to accept secure
connections on port 389? I am using the new version of slapd in Debian
Testing (2.4.7-1).
Sorry if this is a really stupid question, but according to the docs the
"startTLS" process should be automatic if a secure connection comes in
on port 389. Something is obviously not quite right.
Thanks in advance,
Chris
15 years
only ET_DYN and ET_EXEC can be loaded
by Pat Riehecky
When I started up my test slapd today I got the following message (along
with a bunch of normal stuff):
line 41 (moduleload smbk5pwd)
lt_dlopenext failed: (smbk5pwd) /usr/lib/ldap/smbk5pwd.so.0: only ET_DYN
and ET_EXEC can be loaded
/etc/ldap/slapd.conf: line 41: <moduleload> handler exited with 1!
What on earth does this mean? I spent some time on google to no avail.
I know it doesn't like my .so.0 but (a) what doesn't it like and (b) how
do I fix it?
Pat
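The text "only ET_DYN and ET_EXEC can be loaded" is the glibc dynamic loader's error for a file that parses as ELF but whose e_type header field is neither ET_EXEC nor ET_DYN (a relocatable .o, for instance); a file that is not ELF at all produces a different message. This is an added example, not from the post, that reads that field from a file image; the header bytes it builds are constructed fixtures.

```python
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE_NAMES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
LOADABLE = {"ET_EXEC", "ET_DYN"}

def elf_type(data):
    """Return the e_type name of an ELF image, or None if it is not ELF.
    EI_DATA (byte 5) gives the byte order; e_type is the 16-bit field at
    offset 16 in both ELF32 and ELF64 headers."""
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        return None
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return E_TYPE_NAMES.get(e_type, f"unknown({e_type})")

def explain_module(data):
    """Say whether dlopen (as used by slapd's moduleload) would accept the file."""
    t = elf_type(data)
    if t is None:
        return "not an ELF file (e.g. a libtool .la text wrapper or a truncated file)"
    if t in LOADABLE:
        return f"{t}: loadable shared object"
    return f"{t}: only ET_DYN and ET_EXEC can be loaded"

def make_elf_header(e_type, elf_class=2, little_endian=True):
    """Constructed 64-byte ELF header with the given e_type (test fixture only)."""
    endian = "<" if little_endian else ">"
    ident = ELF_MAGIC + bytes([elf_class, 1 if little_endian else 2, 1]) + b"\0" * 9
    # e_type, e_machine (x86-64), e_version, then zero-filled remainder
    return ident + struct.pack(endian + "HHI", e_type, 0x3E, 1) + b"\0" * 40

if __name__ == "__main__":
    for label, image in [("shared object", make_elf_header(3)),
                         ("relocatable object", make_elf_header(1)),
                         ("libtool .la file", b"# smbk5pwd.la - a libtool library file\n")]:
        print(f"{label}: {explain_module(image)}")
```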
15 years
OpenLDAP and Solaris 10 - group problem
by Kick, Claus
Hello everyone,
We are trying to use OpenLDAP to provide user management for a CMS. The
CMS relies on OS groups to manage directory branch and file access.
We are using the following group structure:
dn: cn=ts_de_de_gg_ax, ou=Group, o=**********
gidNumber: 1400
memberUid: uid=tsmaster, ou=People, o=**********
memberUid: uid=teamsite, ou=People, o=**********
memberUid: uid=ostehov9, ou=People, o=**********
memberUid: uid=zenksid3, ou=People, o=**********
memberUid: uid=lellirdg, ou=People, o=**********
memberUid: uid=osteholdap, ou=People, o=**********
objectClass: posixGroup
objectClass: top
cn: ts_de_de_gg_ax
A user looks like this:
dn: uid=osteholdap, ou=People, o=*********
sn: osteholdap
userPassword:: *********
loginShell: /bin/bash
uidNumber: 3618
gidNumber: 504
mail: ******
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: teamsiteinfo
objectClass: inetOrgPerson
uid: osteholdap
tcgid: Z000E58C
gecos: ***********
teamsiteuserrole: tsuser
shadowLastChange: 11111
cn: *******
homeDirectory: /tmp
However, it is not possible for a user to access directories belonging
to a secondary group he belongs to. What could be the issue here?
I would be very grateful for a pointer in the right direction.
Regards,
Claus Kick
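As an added example, not from the thread, this checks LDIF against the RFC 2307 convention that memberUid holds the user's login name (the value of the uid attribute), since the values become gr_mem names and are matched against passwd entries by name. The entries are constructed in the shape of those above, with o=example standing in for the masked organisation.

```python
import re
# Constructed LDIF modelled on the post's entries (organisation replaced by
# o=example). One memberUid holds a full DN, the other a bare login name.
SAMPLE_LDIF = """\
dn: cn=ts_de_de_gg_ax,ou=Group,o=example
gidNumber: 1400
memberUid: uid=osteholdap,ou=People,o=example
memberUid: tsmaster
objectClass: posixGroup
cn: ts_de_de_gg_ax

dn: uid=osteholdap,ou=People,o=example
uid: osteholdap
objectClass: posixAccount

dn: uid=tsmaster,ou=People,o=example
uid: tsmaster
objectClass: posixAccount
"""

def parse_ldif(text):
    """Entries as dicts of lowercase attribute -> [values]; folded lines are
    joined, base64 ('::') values are left undecoded."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.lower(), []).append(value.lstrip(": "))
    return entries

def classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}

def check_posix_groups(ldif_text):
    """Map group cn -> memberUid values that do not name a posixAccount login.
    memberUid values are matched against user names, so a DN never matches."""
    entries = parse_ldif(ldif_text)
    logins = {u for e in entries if "posixaccount" in classes(e) for u in e.get("uid", [])}
    problems = {}
    for group in (e for e in entries if "posixgroup" in classes(e)):
        for member in group.get("memberuid", []):
            if "=" in member:
                problems.setdefault(group["cn"][0], []).append(f"{member}: DN, not a login name")
            elif member not in logins:
                problems.setdefault(group["cn"][0], []).append(f"{member}: no such posixAccount")
    return problems
```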
15 years
Uniqueness of entryUUID across multiple LDAP servers
by Rakesh Yadav
Hi,
I am using multiple LDAP servers because of a distributed environment,
so our tree hierarchy can span multiple LDAP servers.
I want to use entryUUID as a unique key for the entries of the tree.
Can you tell me whether entryUUID would be unique over multiple LDAP servers?
Or, in the case of multiple LDAP servers, can two entries which reside on
different LDAP servers but belong to the same tree hierarchy have the same
entryUUID?
Regards
Rakesh Yadav
On Jan 25, 2008 10:36 PM, Michael Ströder <michael(a)stroeder.com> wrote:
> Rakesh Yadav wrote:
> >
> > I got your idea about entryUUID, but can you give me some idea about how
> > I can retrieve the value of entryUUID for each entry if it is supported
> > by the LDAP system.
>
> Since it's an operational attribute it is not returned by default from
> OpenLDAP. You have to explicitly request it or request all operational
> attributes with +.
>
> Example (lines might be wrapped):
> ldapsearch -b "dc=stroeder,dc=de" -s base "(objectClass=*)" "*" entryUUID
>
> or
>
> ldapsearch -b "dc=stroeder,dc=de" -s base "(objectClass=*)" "*" +
>
> Ciao, Michael.
>
--
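As an added example, not from the thread, this parses the output of the `"*" +` search shown in the reply from two servers holding parts of one tree, extracts the operational attribute and checks that the values are well-formed UUIDs and distinct. RFC 4530 defines entryUUID as a UUID generated when the entry is created, so a collision here would be a sanity-check finding, not an expected one; the output text and UUID values are constructed.

```python
import re
import uuid

# Constructed ldapsearch output (the "*" + form) from two servers; all UUIDs
# are made up. The last entry of SERVER_B shows a plain "*" result: no entryUUID.
SERVER_A = """\
dn: dc=stroeder,dc=de
dc: stroeder
entryUUID: 6f1d2c4e-3b8a-103d-8b2e-0f1e2d3c4b5a
entryCSN: 20080125150000.000000Z#000000#000#000000

dn: ou=People,dc=stroeder,dc=de
ou: People
entryUUID: 7a2e3d5f-4c9b-103d-9c3f-1a2b3c4d5e6f
"""
SERVER_B = """\
dn: ou=Remote,dc=stroeder,dc=de
ou: Remote
entryUUID: 8b3f4e60-5dac-103d-ad40-2b3c4d5e6f70

dn: uid=alice,ou=Remote,dc=stroeder,dc=de
uid: alice
"""

def entry_uuids(ldif_output):
    """Map each DN in ldapsearch output to its entryUUID, or None when the
    operational attribute was not requested (the default "*" search)."""
    result = {}
    for block in re.split(r"\n\s*\n", ldif_output.strip()):
        dn = re.search(r"^dn:\s*(.+)$", block, re.M)
        if not dn:
            continue
        match = re.search(r"^entryUUID:\s*(\S+)$", block, re.M)
        result[dn.group(1)] = match.group(1) if match else None
    return result

def check_uniqueness(*outputs):
    """Validate every entryUUID as an RFC 4122 UUID and collect DNs that share
    a value across all outputs. Returns (dns_without_uuid, {uuid: [dn, ...]})."""
    seen, missing = {}, []
    for out in outputs:
        for dn, value in entry_uuids(out).items():
            if value is None:
                missing.append(dn)
                continue
            canonical = str(uuid.UUID(value))   # ValueError if malformed
            seen.setdefault(canonical, []).append(dn)
    return missing, {u: dns for u, dns in seen.items() if len(dns) > 1}
```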
15 years
OpenLDAP+Active Directory
by Aiko Barz
Hello,
Is it possible to create an Active Directory forest with multiple
subdomains and make that information available to one Linux
machine?
Right now, we have one domain and it is possible to do authentication
against the Active Directory, while using OpenLDAP, PAM and Kerberos.
But now, another department would like to have its own
directory/sub-domain. This means: uid=xyz will be located on
different directory servers within the Active Directory forest.
That means, there are UIDs with different BASEDNs.
CN=userA,OU=Users,DC=example,DC=local from AD1 and
CN=userB,OU=Users,DC=sub,DC=example,DC=local from AD2 shall both be
able to access a Linux box via SSH. No problem?
Regards,
Aiko
--
:wq
15 years
RE: [SPAM] - Re: Syncrepl multimaster replication issue - Sending mail server found on zen.spamhaus.org
by Penza Kenneth at MITTS
Tonni,
Thanks very much for your help. I have removed the compiled
version of openldap (it was failing in 4 tests in make test) and
installed the packages from http://staff.telkomsa.net/packages. The
tests worked without any issues and managed to configure openldap using
syncrepl.
Thanks for the help provided
Kenneth Penza
-----Original Message-----
From: openldap-technical-bounces+kenneth.penza=gov.mt(a)openldap.org
[mailto:openldap-technical-bounces+kenneth.penza=gov.mt@openldap.org] On
Behalf Of Tony Earnshaw
Sent: 24 January 2008 07:34
Cc: openldap-technical(a)openldap.org
Subject: [SPAM] - Re: Syncrepl multimaster replication issue - Sending
mail server found on zen.spamhaus.org
Penza Kenneth at MITTS wrote, on 23-01-2008 11:06:
> I am currently trying to set up a multi-master ldap setup.
> The setup is running on CentOS 5.1 with kernel 2.6.18-53.el5. In this
> setup I have migrated the UNIX authentication files using MigrationTools
> and everything worked fine. When I am trying to set up the replication I
> am encountering a strange behavior. The initial synchronization was
> performed by copying the /var/lib/ldap directory when openldap was shut down.
> On starting, both nodes query each other and everything seems to operate
> correctly. When I perform a change on either node, the node performs the
> local change, however it is not propagated to the other node, and in
> /var/log/ldap.log I get the following message:
>
> Whenever the change is made on ldap1 it reports:
>
> Jan 23 10:10:43 ldap1 slapd[5787]: null_callback : error code 0x10
>
> Jan 23 10:10:43 ldap1 slapd[5787]: syncrepl_updateCookie: rid=002
> be_modify failed (16)
Apart from what Gavin writes, since you're using CentOS5.1, consider
using Buchan Milne's Red Hat RHEL5 rpms or src rpm at
http://staff.telkomsa.net/packages/. He's done an awful lot of work (has
done for years) and patched things that need patching (apart from
anything else db4.6) which should ensure things working out of the box
on your system.
Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
15 years
Read/Write locks for LDAP entry
by Rakesh Yadav
Hi,
I want to know whether we can acquire any kind of lock in OpenLDAP
for entries.
Suppose we read some entry and use it for doing some calculation, and at
the same time someone else modifies this entry;
I want to know whether LDAP provides any kind of lock just like an RDBMS.
In the case of an RDBMS we can acquire a lock over any record so nobody can modify
it until we release the lock.
Please tell me about the locking mechanism in OpenLDAP.
Thanks
--
Rakesh Yadav
Pune.
15 years
RFC 2307 and me
by Sean Myers
I'm currently using an LDAP directory to do a few jobs, including acting as a
Network Information Server in a POSIX environment (Debian Linux) via
libnss-ldap. It's working great, with authentication handled by
Kerberos...simple and elegant SSO.
The question I have about RFC 2307, though, stems from a few applications that
I've encountered along the way that don't really do things in a POSIX way, and
while they can sift through my "people" ou just fine with filters I provide,
they generally want my groups to act like a groupOfNames entry, with full DN
member attributeTypes, instead of the POSIX uid alone.
Are the applications that I'm using simply being unreasonably inflexible? If so,
they're all open-source and adding in support to do things the RFC 2307 POSIX
way as well as the RFC 2256 groupOfNames way is not an unthinkably difficult task.
My initial feeling on this is that not everything is POSIX compatible, not
everything should be POSIX compatible, and it might be useful for me and others
to be able to abandon RFC 2307 for defining groups in favor of RFC 2256, which
appears to be the more "LDAP/X.500" way of doing things.
I'm using this directory for a few services, and Linux NSS is really the only
POSIX user in the bunch, so would it be "right" to instead fork libnss-ldap
to support RFC 2256 for my implementation? If so, has this been done already?
Looking for input before I violate established best practice, and apologies if
I've failed at searching.
Thanks.
--
Sean Myers
System Administrator
American Research Institute
(919) 228-4961
15 years
openldap tls with a ca
by Dave
Hello,
I'm trying to set up openldap for network authentication of both FreeBSD
and Linux machines as well as integrating a samba pdc. I've created a ca
with instructions found at:
http://sial.org/howto/openssl/ca/
I've added the appropriate options to slapd.conf for TLS, as I don't want
passwords going around in the clear. Slapd starts fine with the TLS options
added, but if I do an ldapsearch -Z I get a "can not contact ldap server".
ldapsearch:
# extended LDIF
#
# LDAPv3
# base <dc=davemehler,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 13 Confidentiality required
text: confidentiality required
# numResponses: 1
I assume this is normal, but the below is what I'm getting with
ldapsearch -Z
ldapsearch -Z:
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)
Here are the TLS options I'm using:
slapd.conf:
security ssf=128
TLSCipherSuite HIGH
TLSCertificateFile /usr/local/etc/openldap/tls/ldap.davemehler.com.crt
TLSCertificateKeyFile /usr/local/etc/openldap/tls/ldap.davemehler.com.key
TLSCACertificateFile /usr/local/etc/openldap/tls/ca-cert.pem
#TLSDHParamFile
I'm not sure what that last file is or how to make it, is it critical?
/usr/local/etc/ldap.conf:
ssl start_tls
tls_cacert /usr/local/etc/openldap/tls/ca-cert.pem
Checking /var/log/debug.log I'm seeing an error "confidentiality required", as
if ldap can't read the key, but as I said it's mode 644. Here's the complete
transaction:
Jan 27 15:20:04 ldap slapd[73647]: conn=6 fd=10 ACCEPT from
IP=192.168.0.203:51704 (IP=0.0.0.0:389)
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=0 BIND dn="" method=128
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=0 RESULT tag=97 err=0 text=
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=1 SRCH
base="dc=davemehler,dc=com" scope=2 deref=0
filter="(&(objectClass=posixGroup))"
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=1 SRCH attr=cn userPassword
memberUid uniqueMember gidNumber
Jan 27 15:20:04 ldap slapd[73647]: conn=6 op=1 SEARCH RESULT tag=101 err=13
nentries=0 text=confidentiality required
Jan 27 15:20:04 ldap slapd[73647]: conn=6 fd=10 closed (connection lost)
Any help appreciated.
Thanks.
Dave.
15 years
Unique id for each ldap entry
by Rakesh Yadav
Hi,
I want to get unique ids for each LDAP entry, but I don't know whether LDAP
provides a unique id for each entry or not.
In the case of an RDBMS each entry (tuple) has an OID (object id) through which we can
access this entry uniquely.
In the case of LDAP, I need such an (OID) kind of object identifier.
Please tell me whether LDAP provides some kind of unique id (other than the DN)
for its entries or not.
If yes, then please tell me how we can get these unique ids.
--
Rakesh Yadav
Pune.
15 years