referral and replication
by jakjr
Hi all,
I'm using slapd 2.3.30-5 on Debian Etch.
I have 1 provider and 2 consumers using refreshAndPersist replication.
The replication works fine, but when I add a referral object on the provider,
this object is not replicated to the consumers.
Is it normal not to replicate referrals?
Thanks
João Alfredo.
14 years, 11 months
How to implement Extended DNs for Samba4?
by Andrew Bartlett
At the CIFS plugfest it became clear that Samba3 requires that we
complete the implementation of 'extended DN' replies in the Samba4 LDAP
server.
This means that a DN in things like memberOf is in the form:
<GUID=0bc11d00-e431-40a0-8767-344a320142fa>;<SID=S-1-2-3-2345>;cn=abartlet,cn=users,dc=abartlet,dc=net
(or so, I've just made this one up)
If the magic 'extended DN' control is specified, then we have to return
this form to the client, and it would work really well to store it in
that form on the backend, and if they do not specify the control, only
then strip it back to the 'normal' DN.
The problem is now particularly how to implement these locally - inside
Samba4 it should be pretty easy to have the right triggers in the
existing memberOf module, but how to implement this in OpenLDAP and
(eventually) FedoraDS.
Currently OpenLDAP uses the refint and memberOf modules, knowing that
this attribute is simply a DN, nothing more. These modules (and
probably the input validation) will no doubt be unable to cope with the
'extended' DN form.
Is it reasonable to ask that OpenLDAP carry a module so Samba-specific
in its application (reading the objectSid and entryUUID and formatting
the link that way)? Should we try to just fill this in with another
search as part of the search entry callback? (at great performance
cost).
Any thoughts?
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
14 years, 11 months
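Since the post describes the extended DN form only by example, the following added code (written for this page, not Samba's or OpenLDAP's own implementation) parses that form, validates the shape of the GUID and SID components, and renders a stored value back as either the extended form (control present) or the plain DN (control absent), as the post proposes. The sample DN is the made-up one from the post; the attribute set passed to rewrite_entry is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the DN from the post above (the author says it is made up).
SAMPLE_EXTENDED_DN = (
    "<GUID=0bc11d00-e431-40a0-8767-344a320142fa>;"
    "<SID=S-1-2-3-2345>;"
    "cn=abartlet,cn=users,dc=abartlet,dc=net"
)

# One leading "<KEY=value>;" component of the extended form.
_COMPONENT = re.compile(r"^<([A-Za-z]+)=([^>]*)>;")
# Shape checks for the two component kinds the post names.
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
_SID = re.compile(r"^S-1-\d+(-\d+)+$")


@dataclass
class ExtendedDN:
    guid: Optional[str]
    sid: Optional[str]
    dn: str  # the plain DN with every <...> component stripped


def parse_extended_dn(value: str) -> ExtendedDN:
    """Split '<GUID=..>;<SID=..>;dn' into its parts; a plain DN parses with no GUID/SID."""
    guid = sid = None
    rest = value
    while True:
        m = _COMPONENT.match(rest)
        if m is None:
            break
        key, val = m.group(1).upper(), m.group(2)
        if key == "GUID":
            if guid is not None or not _GUID.match(val):
                raise ValueError(f"bad or repeated GUID component: {val!r}")
            guid = val
        elif key == "SID":
            if sid is not None or not _SID.match(val):
                raise ValueError(f"bad or repeated SID component: {val!r}")
            sid = val
        else:
            raise ValueError(f"unknown extended DN component: {key}")
        rest = rest[m.end():]
    if not rest:
        raise ValueError("extended DN carries no trailing DN")
    return ExtendedDN(guid=guid, sid=sid, dn=rest)


def format_dn(parsed: ExtendedDN, extended: bool) -> str:
    """Render the extended form when the client asked for it, else the plain DN."""
    if not extended:
        return parsed.dn
    parts = []
    if parsed.guid:
        parts.append(f"<GUID={parsed.guid}>")
    if parsed.sid:
        parts.append(f"<SID={parsed.sid}>")
    parts.append(parsed.dn)
    return ";".join(parts)


def rewrite_entry(entry, link_attrs, extended: bool):
    """Apply format_dn to every value of the DN-valued attributes (e.g. memberOf)
    of an entry stored in the extended form; other attributes pass through unchanged.
    The set of link attributes is an assumption supplied by the caller."""
    out = {}
    for attr, values in entry.items():
        if attr in link_attrs:
            out[attr] = [format_dn(parse_extended_dn(v), extended) for v in values]
        else:
            out[attr] = list(values)
    return out
```

The validation step matters for the input-validation concern raised in the post: a module that stores the extended form should reject malformed GUID or SID components at write time rather than discover them when stripping on read.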
LDAP + SSH + Key Auth
by openLDAP
I would like to use public keys on my OS X servers for my LDAP users to use
SSH. All indications from the OSX list are that it is not possible.
I was hoping someone on this list could confirm that LDAP/Key Pair/SSH is
not possible or point me in the right direction to where someone has figured
it out. I would like to centrally control SSH access and not have to have
local accounts on all of my servers.
Any help is appreciated.
14 years, 11 months
What is the Difference between a LDAP client Prompting for Password as opposed ...
by Kumar, Amit H.
Hello All,
Scenario: OpenLDAP Client Machine <-----talking------> OpenLDAP Server Machine. Both Client and Server are two different machines.
What is the Difference between an OpenLDAP client Prompting for Password and then authenticating with the OpenLDAP server via TLS
as opposed to :
An OpenLDAP client redirecting the authentication request to an OpenLDAP server to prompt for the password and do the authentication.
What kind of setup would we require if we want the OpenLDAP Server to prompt for the password and do the authentication for an end user to login onto the OpenLDAP client machine.
Any thoughts will be of great help!!!
Thank you,
Amit
14 years, 11 months
multiple suffix
by Kermito le kermit
Hello all, I want to know if it is possible to have multiple suffixes for the same database,
ex: suffix dc=exemple,dc=org
suffix dc=msn,dc=com
any ideas
14 years, 11 months
Help me clear in design
by Phan Dang Duy Thinh
Hi experts,
I'm new to LDAP.
Although I've finished configuring a Linux server with qmail-ldap, I still
have some points that are unclear; let me explain:
For example, I have a lab using some services that require authentication, e.g.
qmail, radius, ftp, ...
I want to save the user information (username, password, ...) in only one
place, so I decided to use LDAP. (The number of users is quite large.)
But after implementing qmail-ldap (it now runs well), I don't know how to
continue to implement the radius service (or other services). The reason is I can't
integrate the radius information into the qmail database (although I included
qmail.schema and radius.schema in slapd.conf).
The question: is there a way to integrate data of one schema into an
existing schema?
I want to design a structure like this:
[qmail information]   [radius information]   [other service ...]
          \                    |                    /
           \                   |                   /
            \                  |                  /
             \                 |                 /
                    [common user information]
                      (username, password)
Do I have to write my own schema to do this? (A schema that includes both
[qmail service information] and [radius service information])
Please give me advice on how to solve this.
Thanks,
--
Phan Dang Duy Thinh
14 years, 11 months
Solaris 10 native Client with TLS to OpenLDAP
by John Gee
Hello,
I have a problem connecting the Solaris 10 native LDAP client to an
OpenLDAP server (slapd 2.4.11) with TLS.
The replication from server ldap01 to ldap02 works fine with
TLS, so I think that the problem must be on the client side
(Solaris 10 native LDAP client - latest patchset).
Without TLS it works.
Maybe someone can give me a hint -
-(slapd - debug)---
>>> slap_listener(ldaps:///)
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1053
connection_read(11): TLS accept failure error=-1 id=207, closing
connection_closing: readying conn=207 sd=11 for close
connection_close: conn=207 sd=11
-( slapd.conf - tls part)---
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCACertificateFile /opt/openldap/var/openldap-data/ca-cert.pem
TLSCertificateFile /opt/openldap/var/openldap-data/ldap01.kleinfeld.ch.pem
TLSCertificateKeyFile /opt/openldap/var/openldap-data/ldap01.kleinfeld.ch
TLSVerifyClient never
-( solaris 10 - client )----
# import the ca-cert
certutil -N -d /var/ldap
certutil -A -n "ca-cert" -i /tmp/ldap/ca-cert.pem -a -t CT -d /var/ldap/
# import ldap-server certs
certutil -A -d /var/ldap/ -n "ldap01.kleinfeld.ch" -t C,, -i ldap01.kleinfeld.ch.pem
certutil -A -d /var/ldap/ -n "ldap02.kleinfeld.ch" -t C,, -i ldap02.kleinfeld.ch.pem
# list cert-db
certutil -L -d /var/ldap
ca-cert CT,,
ldap02.kleinfeld.ch C,,
ldap01.kleinfeld.ch C,,
# initialize ldap-client
ldapclient manual -v \
-a credentialLevel=proxy \
-a authenticationMethod=tls:simple \
-a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a proxyDN=cn=proxyAgent,ou=profile,o=kleinfeld,c=ch \
-a proxyPassword=xxxxxxxxxxxx \
-a defaultsearchbase=ou=unix,o=kleinfeld,c=ch \
-a defaultServerList="ldap01.kleinfeld.ch ldap02.kleinfeld.ch" \
-a certificatePath=/var/ldap \
-a domainName=kleinfeld.ch \
-a attributeMap=passwd:gecos=cn \
-a objectClassMap=group:posixGroup=posixGroup \
-a objectClassMap=passwd:posixAccount=posixAccount \
-a objectClassMap=shadow:shadowAccount=shadowAccount \
-a serviceSearchDescriptor=passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one \
-a serviceSearchDescriptor=group:ou=groups,ou=unix,o=kleinfeld,c=ch?one \
-a serviceSearchDescriptor=netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
# output from ldapclient
Parsing credentialLevel=proxy
Parsing authenticationMethod=tls:simple
Parsing serviceAuthenticationMethod=pam_ldap:tls:simple
Parsing proxyDN=cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
Parsing proxyPassword=UnIXpRoXY
Parsing defaultsearchbase=ou=unix,o=kleinfeld,c=ch
Parsing defaultServerList=ldap01.kleinfeld.ch
Parsing certificatePath=/var/ldap
Parsing domainName=kleinfeld.ch
Parsing attributeMap=passwd:gecos=cn
Parsing objectClassMap=group:posixGroup=posixGroup
Parsing objectClassMap=passwd:posixAccount=posixAccount
Parsing objectClassMap=shadow:shadowAccount=shadowAccount
Parsing serviceSearchDescriptor=passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one
Parsing serviceSearchDescriptor=group:ou=groups,ou=unix,o=kleinfeld,c=ch?one
Parsing serviceSearchDescriptor=netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
Arguments parsed:
Handling manual option
Proxy DN: cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
Proxy password: {NS1}xxxxxxxxxxxxxxxxxxxxx
Credential level: 1
Authentication method: 3
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "kleinfeld.ch"
file_backup: stat(/var/yp/binding/kleinfeld.ch)=-1
file_backup: No /var/yp/binding/kleinfeld.ch directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname kleinfeld.ch... success
start: sleep 100000 microseconds
start: network/ldap/client:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
authenticationMethod: tls:simple
serviceAuthenticationMethod:
arg[0]: pam_ldap:tls:simple
defaultSearchBase: ou=unix,o=kleinfeld,c=ch
credentialLevel: proxy
domainName: kleinfeld.ch
proxyDN: cn=proxyAgent,ou=profile,o=kleinfeld,c=ch
objectclassMap:
arg[0]: group:posixGroup=posixGroup
arg[1]: passwd:posixAccount=posixAccount
arg[2]: shadow:shadowAccount=shadowAccount
attributeMap:
arg[0]: passwd:gecos=cn
serviceSearchDescriptor:
arg[0]: passwd:ou=people,ou=unix,o=kleinfeld,c=ch?one
arg[1]: group:ou=groups,ou=unix,o=kleinfeld,c=ch?one
arg[2]: netgroup:ou=netgroup,ou=unix,o=kleinfeld,c=ch?one
proxyPassword: xxxxxxxxxxxxx
defaultServerList: ldap01.kleinfeld.ch
certificatePath: /var/ldap
thanks in advance
John
14 years, 11 months
ldap_start_tls_s() usage related errors
by dhiraj.prasad@tcs.com
Hello,
I have configured an LDAP server on Linux with TLS support and was able to
fetch data from it using the 'ldapsearch' utility.
However, when I tried to do this search via code I got the following errors:
Error at Server Side:
slap_listener_activate(10):
>>> slap_listener(ldaps://)
connection_get(15): got connid=47
connection_read(15): checking for input on id=47
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(15): got connid=47
connection_read(15): checking for input on id=47
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1053
connection_read(15): TLS accept failure error=-1 id=47, closing
connection_closing: readying conn=47 sd=15 for close
connection_close: conn=47 sd=15
Error at Client side:
[root@localhost LDAP1]# ./ldapSearch
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost.localdomain:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject:
/C=IN/ST=MH/O=TCS/OU=EIS/CN=localhost.localdomain/emailAddress=dhiraj.prasad(a)tcs.com,
issuer:
/C=IN/ST=MH/O=TCS/OU=EIS/CN=localhost.localdomain/emailAddress=dhiraj.prasad(a)tcs.com
TLS certificate verification: Error, self signed certificate in certificate
chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_err2string
Error in ldap_start_tls_s -1:Can't contact LDAP serverTest..1
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
Test..2: -1
ldap_err2string
Failure of LDAP bind -1-Can't contact LDAP server
[root@localhost LDAP1]#
Snippet of client code for TLS support used by me:
#include <stdio.h>
#include <ldap.h>

/* StartTLS runs on the plain ldap:// port; the URI here is a placeholder (the trace above connected to ldaps:// port 636). */
int main(void) {
    LDAP *ld = NULL;
    int version = LDAP_VERSION3, val, status;
    if (ldap_initialize(&ld, "ldap://localhost.localdomain:389") != LDAP_SUCCESS) return 1;
    ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
    ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, "/root/cacert.pem");
    ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, "/usr/local/etc/openldap/ldap.client.pem");
    ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, "/usr/local/etc/openldap/ldap.client.key.pem");
    ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON);
    /* The certificate-checking level is LDAP_OPT_X_TLS_REQUIRE_CERT; LDAP_OPT_X_TLS selects the connection mode, so the original ALLOW setting never took effect. */
    val = LDAP_OPT_X_TLS_ALLOW;
    ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &val);
    /* Rebuild the TLS context so the options above are applied before the handshake. */
    val = 0;
    ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &val);
    status = ldap_start_tls_s(ld, NULL, NULL);
    if (status != LDAP_SUCCESS) fprintf(stderr, "ldap_start_tls_s: %s\n", ldap_err2string(status));
    return status == LDAP_SUCCESS ? 0 : 1;
}
Please let me know what is missing in my code that is triggering the
above errors.
Also, if there is any sample TLS client code, please let me know where I can
get it.
Thanks,
Dhiraj Kumar Prasad
Tata Consultancy Services
Mailto: dhiraj.prasad(a)tcs.com
Website: http://www.tcs.com
14 years, 11 months
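The two TLS threads above (the Solaris client post and this one) show the same slapd -d trace shape with different fatal alerts from the client: 'bad certificate' in the first, 'unknown CA' in the second, where the client's own trace also reports a self-signed certificate it could not chain to a trusted CA. The following added code, written for this page and not part of OpenLDAP, walks such a trace, attributes the TLS trace lines to the connection named by the nearest connection_get/connection_read line (an assumption: adequate on a lightly loaded server, but interleaved connections under load can be misattributed), and summarises which side aborted the handshake and why. The sample trace is constructed from the lines in the two posts.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: a condensed slapd -d TLS trace with the two failure
# patterns from the posts above (client alerts 'bad certificate' and 'unknown CA').
SAMPLE_TRACE = """\
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(11): got connid=207
connection_read(11): checking for input on id=207
TLS trace: SSL3 alert read:fatal:bad certificate
TLS: can't accept.
connection_read(11): TLS accept failure error=-1 id=207, closing
connection_get(15): got connid=47
connection_read(15): checking for input on id=47
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(15): got connid=47
TLS trace: SSL3 alert read:fatal:unknown CA
TLS: can't accept.
connection_read(15): TLS accept failure error=-1 id=47, closing
"""

_CONN = re.compile(r"^connection_(?:get|read)\(\d+\): .*?(?:connid|id)=(\d+)")
_ALERT = re.compile(r"^TLS trace: SSL3 alert (read|write):fatal:(.+)$")
_VERIFY = re.compile(r"^TLS certificate verification: depth: (\d+), err: (\d+)")


@dataclass
class TlsHandshake:
    connid: str
    requested_client_cert: bool = False  # slapd sent a CertificateRequest (TLSVerifyClient not 'never')
    peer_alert: Optional[str] = None     # fatal alert received from the client
    local_alert: Optional[str] = None    # fatal alert slapd itself sent
    verify_err: Optional[int] = None     # X.509 verify error slapd logged for the client's certificate
    failed: bool = False

    def diagnosis(self) -> str:
        """Explain the failure from the alerts; 'read' alerts were sent by the client."""
        if not self.failed:
            return "handshake not reported as failed"
        if self.peer_alert == "unknown CA":
            return "client rejected the server certificate chain: its trust store lacks the issuing CA"
        if self.peer_alert == "bad certificate":
            return "client rejected the server certificate: check the presented chain, its validity and the client's trust settings"
        if self.peer_alert is not None:
            return f"client aborted the handshake with fatal alert '{self.peer_alert}'"
        if self.local_alert is not None:
            return f"server rejected the client with fatal alert '{self.local_alert}' (verify err {self.verify_err})"
        return "TLS accept failed with no fatal alert in the trace"


def classify_tls_trace(text: str) -> Dict[str, TlsHandshake]:
    """Summarise each connection's TLS handshake from a slapd debug trace."""
    handshakes: Dict[str, TlsHandshake] = {}
    current: Optional[TlsHandshake] = None
    for line in text.splitlines():
        line = line.strip()
        m = _CONN.match(line)
        if m:
            current = handshakes.setdefault(m.group(1), TlsHandshake(m.group(1)))
        if current is None:
            continue  # trace lines before any connection line cannot be attributed
        if "write certificate request" in line:
            current.requested_client_cert = True
        m = _ALERT.match(line)
        if m:
            if m.group(1) == "read":
                current.peer_alert = m.group(2).strip()
            else:
                current.local_alert = m.group(2).strip()
        m = _VERIFY.match(line)
        if m:
            current.verify_err = int(m.group(2))
        if "TLS accept failure" in line or line == "TLS: can't accept.":
            current.failed = True
    return handshakes


if __name__ == "__main__":
    for connid, h in classify_tls_trace(SAMPLE_TRACE).items():
        print(f"conn={connid} client_cert_requested={h.requested_client_cert}: {h.diagnosis()}")
```

The 'error in SSLv3 read client certificate A' lines in both traces are OpenSSL state-machine names, not evidence that a client certificate was demanded; whether slapd actually asked for one is visible only from the 'write certificate request' step, which appears in the second post's trace but not the first (consistent with its TLSVerifyClient never).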
How to make two attribute unique
by piyush joshi
Hello All,
I want to know whether it is possible to make 2 attributes unique.
Example: mail and mailAlternateAddress. I mean to say, if I have set
abc(a)expmple.net in the mail attribute as a value and then try to add the same
to the mailAlternateAddress attribute, it will prevent me from doing this, and also
vice versa.
--
Regards
Piyush Joshi
9415414376
14 years, 11 months