query regarding user names and passwords
by anish patil
Hi All,
I want to add user names which are not in ASCII characters using the ldapadd
command.
I tried it on RHEL 4.4, and it gives me the following error:
<error>
adding new entry "uid=ああああ,ou=People,dc=avaya,dc=com"
ldap_add: Invalid DN syntax (34)
additional info: invalid DN
</error>
System locale set: *LANG=ja_JP.SJIS*
I googled it and found this:
http://www.openldap.org/lists/openldap-software/200308/msg00570.html
But this post is from 2003.
So I wanted to know, is it an LDAP limitation?
Thanks in advance
--
Anish Patil
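A string DN (RFC 4514) is UTF-8 regardless of the shell locale, so the non-ASCII uid itself is legal; what slapd rejects with "Invalid DN syntax (34)" is a DN whose value bytes are not valid UTF-8, which is what a ja_JP.SJIS shell hands to ldapadd unconverted. The following is an added example, not code from the post or from OpenLDAP: it builds the posted DN as the UTF-8 bytes a client must send, applies the RFC 4514 value escaping, and classifies a byte string as UTF-8 or not. The Shift_JIS sample is constructed here to show the failing case.

```python
# Added example: DN construction and encoding check for non-ASCII RDN values.


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for a string DN per RFC 4514 section 2.4.

    Only ASCII specials need escaping; non-ASCII characters such as 'ああああ'
    are legal as-is, provided the DN is transmitted as UTF-8.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                      # NUL must be hex-escaped
        elif ch in '"+,;<>\\':
            out.append("\\" + ch)                   # always escaped
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                       # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                       # leading octothorpe
        else:
            out.append(ch)
    return "".join(out)


def dn_bytes(rdns) -> bytes:
    """Join (attribute, value) pairs into a DN and encode it as UTF-8,
    which is the only encoding an LDAPv3 server accepts for a DN."""
    dn = ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)
    return dn.encode("utf-8")


def dn_encoding(raw: bytes) -> str:
    """Return 'utf-8' if the bytes decode as UTF-8, else 'not-utf-8'.

    Bytes that are not UTF-8 fail slapd's DN syntax check; this is what an
    SJIS locale produces when the shell passes the argument through unchanged.
    """
    try:
        raw.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "not-utf-8"


if __name__ == "__main__":
    rdns = [("uid", "ああああ"), ("ou", "People"), ("dc", "avaya"), ("dc", "com")]
    good = dn_bytes(rdns)
    # Constructed: the same DN as typed in a ja_JP.SJIS shell without conversion.
    sjis = "uid=ああああ,ou=People,dc=avaya,dc=com".encode("shift_jis")
    print(good, dn_encoding(good))
    print(sjis, dn_encoding(sjis))
```

The practical consequence is that the ldapadd input (LDIF or command line) must be converted to UTF-8 first, for example by running the tools under a UTF-8 locale or transcoding the LDIF file before import.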
Red Hat RPMs?
by Gavin Henry
BTW, has anyone over the history of the "well-known" broken Red Hat RPMs
raised bug reports etc. and had any response? I'm not sure what effort
has been put into this and whether it's worth picking it up again?
As most users' first experience of OpenLDAP is via the RH and Fedora
RPMs, I think some effort (if it's not a waste of time again) should be
put into trying to raise our concerns, as it harms the project in the
long run.
Currently we have SuSE, Mandriva and Debian guys on the lists who care
(you all know who you are ;-) ).
Anyone from Red Hat or Fedora here?
Thanks.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
TLS/SSL Handshake Error
by Mathis, Jim
Hello,
After creating a self-signed certificate as per the OpenLDAP Admin
Guide, TLS/SSL was enabled. The CN used when creating the certificates
was the hostname of the LDAP server - "node01". However, when conducting
further TLS/SSL tests there appears to be a handshaking error between
the client and server. Additionally, when checking the server
certificates using the "openssl s_client -connect :636 -state -CAfile
/var/certs/cacert.pem -cert /var/certs/servercrt.pem -key
/var/certs/serverkey.pem" command, it indicates that the client private
certificate key can't be loaded and that it is expecting a start line (see below).
Appreciate any additional info. Config data as follows:
CLIENT CONFIG DATA
/etc/ldap.conf
host node01
base dc=S80,dc=com
uri ldaps://node01/
ldap_version 3
port 636
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts
tls_reqcert never
tls_ciphers TLSv1
pam_password md5
/etc/openldap/ldap.conf
URI ldaps://node01:636
HOST node01
BASE dc=S80,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never
/etc/openldap/cacerts/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Virginia, O=XXX, OU=S80,
CN=node01/emailAddress=XXX
Validity
Not Before: Feb 21 15:10:48 2008 GMT
Not After : Feb 20 15:10:48 2011 GMT
Subject: C=US, ST=Virginia, O=XXX, OU=S80,
CN=node01/emailAddress=XXX
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:da:b9:b0:ba:ca:95:f1:fc:48:6e:e9:d5:5d:d5:
22:aa:9e:38:19:7d:0c:14:65:44:fa:12:69:f6:98:
6a:38:43:11:29:20:a8:a2:98:a9:00:ce:40:19:e5:
56:46:1b:85:d6:99:91:5f:7b:a9:19:ac:7b:7c:cc:
42:13:88:99:99:af:98:52:9b:a4:60:77:ca:e7:ae:
41:97:c0:8c:5e:f9:a1:44:c0:6b:29:ec:3f:9b:1e:
59:dc:05:f5:b8:a8:ed:71:7c:db:51:26:1f:59:ee:
04:fc:b0:24:77:64:2e:be:df:a7:1a:91:34:81:f4:
a6:d6:b9:26:64:63:2f:19:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C1:AA:5F:32:3D:7F:80:FA:4A:A1:A2:24:BC:66:AB:CE:C3:5A:A8:E0
X509v3 Authority Key Identifier:
keyid:C1:AA:5F:32:3D:7F:80:FA:4A:A1:A2:24:BC:66:AB:CE:C3:5A:A8:E0
Signature Algorithm: sha1WithRSAEncryption
37:84:43:62:ed:98:c3:31:85:24:3e:8d:d8:88:9f:4d:8f:00:
dc:08:21:ee:9d:19:07:21:c0:70:cf:b1:38:94:49:34:de:42:
93:5e:51:79:95:6b:d6:2d:7f:92:f7:da:49:d0:92:65:81:8f:
ed:0e:24:0a:0d:17:cd:73:fe:c2:86:9c:40:22:04:af:7b:d6:
1e:ba:2c:5a:f4:d8:52:ab:8f:94:45:ae:bc:11:07:06:0d:da:
11:6f:f5:1a:63:ae:05:0a:64:32:b1:f0:5c:eb:21:6b:d1:ff:
bb:0a:42:a9:a9:23:f3:ab:d4:9f:b4:26:4e:d4:ea:7b:0a:26:
df:a4
-----BEGIN CERTIFICATE-----
.....XXX
-----END CERTIFICATE-----
SERVER CONFIG DATA
Server IP: 192.168.10.1
Hostname: node01
Suffix: dc=S80,dc=com
Certificate Common Name (CN): node01
/etc/openldap/slapd.conf
TLSCACertificateFile /var/certs/cacert.pem
TLSCertificateFile /var/certs/servercrt.pem
TLSCertificateKeyFile /var/certs/serverkey.pem
database ldbm
suffix "dc=S80,dc=com"
SERVER KEY (serverkey.pem)
-----BEGIN CERTIFICATE REQUEST-----
...XXX
-----END CERTIFICATE REQUEST-----
ERRORS OBSERVED (SERVER)
[root@node01 certs]# openssl s_client -connect :636 -state -CAfile
/var/certs/cacert.pem -cert /var/certs/servercrt.pem -key
/var/certs/serverkey.pem
unable to load client certificate private key file
8086:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
[root@node01 certs]# ldapsearch -d127 -x -H ldaps://node01 uid=uid
ldap_create
ldap_url_parse_ext(ldaps://node01)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP node01:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.10.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=133, written=133
0000: 80 83 01 03 01 00 5a 00 00 00 20 00 00 39 00 00  ......Z... ..9..
0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0  8..5............
0020: 00 00 33 00 00 32 00 00 2f 03 00 80 00 00 66 00  ..3..2../.....f.
0030: 00 05 00 00 04 01 00 80 00 00 63 00 00 62 00 00  ..........c..b..
0040: 15 00 00 12 00 00 09 06 00 40 00 00 65 00 00 64  .........@..e..d
0050: 00 00 14 00 00 11 00 00 08 00 00 06 04 00 80 00  ................
0060: 00 03 02 00 80 28 9b 68 41 39 df 12 52 12 ab 41  .....(.hA9..R..A
0070: 20 11 b0 b9 d0 76 3d 5c 2d f6 3a 00 49 28 07 d4   ....v=\-.:.I(..
0080: 67 8d 26 70 fb                                   g.&p.
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 15 03 01 00 02 02 28 ......(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERRORS OBSERVED (CLIENT)
[root@node03 ~]# openssl s_client -connect node01:636 -showcerts -state
-CAfile /etc/openldap/cacerts/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
3531:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562:
[root@node03 ~]# ldapsearch -d127 -x -H ldaps://node01 uid=uid
ldap_create
ldap_url_parse_ext(ldaps://node01)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP node01:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.10.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=133, written=133
0000: 80 83 01 03 01 00 5a 00 00 00 20 00 00 39 00 00  ......Z... ..9..
0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0  8..5............
0020: 00 00 33 00 00 32 00 00 2f 03 00 80 00 00 66 00  ..3..2../.....f.
0030: 00 05 00 00 04 01 00 80 00 00 63 00 00 62 00 00  ..........c..b..
0040: 15 00 00 12 00 00 09 06 00 40 00 00 65 00 00 64  .........@..e..d
0050: 00 00 14 00 00 11 00 00 08 00 00 06 04 00 80 00  ................
0060: 00 03 02 00 80 51 97 63 fc ee 43 25 a8 d2 e4 8c  .....Q.c..C%....
0070: ef 63 6e e0 97 b7 cd c2 1e 14 97 c9 50 5d 82 6b  .cn.........P].k
0080: 3f f5 d0 6f a4                                   ?..o.
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
0000: 15 03 01 00 02 02 28 ......(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:error in SSLv2/v3 read server hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
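The file posted as serverkey.pem starts with "-----BEGIN CERTIFICATE REQUEST-----", i.e. it is a CSR rather than a private key, and "Expecting: ANY PRIVATE KEY" is exactly OpenSSL's way of saying that no private-key PEM block was found. A server that cannot load its key cannot complete a TLS handshake, which matches the fatal handshake-failure alert both clients receive. The following added example (not code from the post or from OpenLDAP) is a small PEM inspector that reports what kind of block each file holds and checks the three slapd.conf TLS directives against what they must point at. The PEM bodies are constructed placeholders; only the BEGIN/END labels matter to this check.

```python
# Added example: classify PEM files by block label and check slapd TLS directives.
import re

# Matches one PEM block; the backreference forces BEGIN/END labels to agree.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Labels OpenSSL accepts where it otherwise prints "Expecting: ANY PRIVATE KEY".
_PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "DSA PRIVATE KEY",
    "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}

# What each slapd.conf TLS directive must point at.
_EXPECTED = {
    "TLSCACertificateFile": "certificate",
    "TLSCertificateFile": "certificate",
    "TLSCertificateKeyFile": "private key",
}


def pem_labels(text: str) -> list:
    """Return the BEGIN labels of every well-formed PEM block in text."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(text)]


def classify_pem(text: str) -> str:
    """Summarise a PEM file as the one thing a TLS directive cares about."""
    labels = pem_labels(text)
    if not labels:
        return "no PEM block"
    if any(label in _PRIVATE_KEY_LABELS for label in labels):
        return "private key"
    if "CERTIFICATE REQUEST" in labels:
        return "certificate request"
    if "CERTIFICATE" in labels:
        return "certificate"
    return "other"


def check_slapd_tls_files(files: dict) -> list:
    """files maps slapd directive name -> file contents.

    Returns a list of human-readable problems; an empty list means the
    three files are at least the right kind of object.
    """
    problems = []
    for directive, expected in _EXPECTED.items():
        if directive not in files:
            problems.append(f"{directive}: missing")
            continue
        found = classify_pem(files[directive])
        if found != expected:
            problems.append(f"{directive}: expected {expected}, found {found}")
    return problems


# Constructed sample files (placeholder bodies, real labels).
CONSTRUCTED_CERT = """-----BEGIN CERTIFICATE-----
MIIC(constructed placeholder body)
-----END CERTIFICATE-----
"""
CONSTRUCTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIE(constructed placeholder body)
-----END RSA PRIVATE KEY-----
"""
CONSTRUCTED_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIB(constructed placeholder body)
-----END CERTIFICATE REQUEST-----
"""

if __name__ == "__main__":
    # The posted layout: serverkey.pem actually holds a CSR.
    posted = {
        "TLSCACertificateFile": CONSTRUCTED_CERT,
        "TLSCertificateFile": CONSTRUCTED_CERT,
        "TLSCertificateKeyFile": CONSTRUCTED_CSR,
    }
    for problem in check_slapd_tls_files(posted):
        print(problem)
```

The check deliberately stops at the PEM label: it does not verify that the key matches the certificate or that the CN matches the hostname the clients connect to, both of which are the next things to confirm once the right object is in each file.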
RE: LDAP Writes are not propagated to mirror nodes.
by Quanah Gibson-Mount
--On Thursday, February 21, 2008 2:56 PM +0800 "K C, Sachin (Sachin)"
<sachinkc(a)alcatel-lucent.com> wrote:
>
> Quanah,
>
> I have compiled the source on solaris 10. OpenLDAP release I
> used is 2.4.7
Keep all replies on the list. Sending a reply to the list and then sending
a further reply to me is only going to help ensure you end up on my
blacklist, and it definitely won't get you a quicker response.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: Ppolicy issues
by Bryan Payne
Thank you for your help. I added the pwdPolicySubentry to a user to no
avail. I did find this in the logfile though:
Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SEARCH RESULT
tag=101 err=50 nentries=0 text=Operations are restricted to
bind/unbind/abandon/StartTLS/modify password
So it looks like it's trying to do something but cannot. While I'm
concerned about password strength, I'm more concerned (at this point)
with just having the machine prompt for a password change. I'm running
centos 4.6 and openldap 2.3.39. I compiled it with the following:
./configure --enable-crypt --enable-ppolicy --with-tls
--prefix=/opt/openldap/
Once again, thanks for any help.
Bryan Payne wrote, on 19-02-2008 22:27:
I have some issues with ppolicy. It seems it recognizes expiration
dates (I know this from looking in the logs, but it does not warn
the user their password is expiring soon), properly locks out
accounts with too many failed logins but it cannot seem to force a
password change when pwdReset is set to TRUE, nor does it prevent
logins when the password has expired. Any help would be greatly
appreciated. I'll post the things of importance below. Please let me
know if anything else would help.
[root@ldapserver ~]# ldapsearch -x -LLL cn=default
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdSafeModify: FALSE
pwdLockoutDuration: 900
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 1
pwdAllowUserChange: TRUE
pwdMaxAge: 7776000
From slapd.conf
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
Most of the above looks kosher; my main site is running ppolicy on
OpenLDAP 2.3.33 up to 2.3.39 Buchan rpms on Red Hat RHEL5 and all the
above work. However:
1: I've found that each posixAccount has to have the operational
attribute pwdPolicySubentry. Although this is an operational attribute,
it is (the only?) such that is user modifiable. In this (as in many
other) respects gq is indispensable as GUI.
2: I've found that extensive use has to be made of pam_ldap to get the
best out of ppolicy (for example password strength).
3: It would help if you detailed OS and OL versions, so's one could know
whether to contribute help or not.
Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
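The logged err=50 with "Operations are restricted to bind/unbind/abandon/StartTLS/modify password" is the ppolicy overlay enforcing pwdReset (together with pwdMustChange TRUE): the bind succeeds, but every other operation is refused until the password is changed, so a client that does not react to that result code just looks broken. The expiry and warning behaviour is likewise computed from the user's pwdChangedTime and the policy values. The following added example, which is not code from the thread or from OpenLDAP, reproduces that bind-time classification with the posted cn=default values so the timing can be checked by hand; the entries passed to it are constructed, and an entry with no pwdChangedTime (as migrated accounts often are) is treated as never expiring because there is no reference time.

```python
# Added example: classify a user's password as ppolicy does at bind time.
from datetime import datetime, timedelta, timezone

# Values from the cn=default policy entry posted above (all in seconds).
POLICY = {
    "pwdMaxAge": 7776000,        # 90 days
    "pwdExpireWarning": 432000,  # warn during the last 5 days
    "pwdGraceAuthNLimit": 1,     # binds still allowed after expiry
}


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a UTC timestamp (helper so callers need no datetime import)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse GeneralizedTime as slapd writes it: YYYYmmddHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_status(entry: dict, now: datetime, policy: dict = POLICY) -> dict:
    """Return {'state': ..., 'seconds_left': ...} for a user entry.

    entry holds the user's operational attributes: pwdChangedTime, and
    optionally pwdReset ('TRUE') and pwdGraceUseTime (a list of values).
    States: must_change, never_expires, ok, warning, grace, expired.
    """
    if entry.get("pwdReset") == "TRUE":
        # Bind succeeds, but slapd answers other operations with err=50
        # "Operations are restricted to bind/unbind/abandon/StartTLS/modify password".
        return {"state": "must_change", "seconds_left": None}
    if "pwdChangedTime" not in entry:
        # No reference time: ppolicy has nothing to age, so no expiry.
        return {"state": "never_expires", "seconds_left": None}
    changed = parse_generalized_time(entry["pwdChangedTime"])
    expires = changed + timedelta(seconds=policy["pwdMaxAge"])
    left = int((expires - now).total_seconds())
    if left > policy["pwdExpireWarning"]:
        return {"state": "ok", "seconds_left": left}
    if left > 0:
        # Inside the warning window: a compliant client shows the warning
        # control it gets on bind; one that ignores controls says nothing.
        return {"state": "warning", "seconds_left": left}
    used = len(entry.get("pwdGraceUseTime", []))
    if used < policy["pwdGraceAuthNLimit"]:
        return {"state": "grace", "seconds_left": left}
    return {"state": "expired", "seconds_left": left}


if __name__ == "__main__":
    # Constructed entry: password last changed on 1 January 2008.
    user = {"pwdChangedTime": "20080101000000Z"}
    for when in (utc(2008, 2, 1), utc(2008, 3, 28), utc(2008, 4, 1)):
        print(when.date(), password_status(user, when))
    print(password_status(dict(user, pwdReset="TRUE"), utc(2008, 2, 1)))
```

Two things follow from the model: the expiry warning and the forced change both reach the client only as a bind response control, so pam_ldap (or whatever client is in use) must be built and configured to honour it; and an entry imported without ppolicy loaded has no pwdChangedTime and will not age until its password is next changed.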
Re: TLS LDAP Configuration w/Linux 5.0
by Buchan Milne
Please keep replies on-list.
On Thursday 21 February 2008 17:00:11 Mathis, Jim wrote:
> Buchan,
>
> Thanks for the info. I want to ensure when I create the certificates
> that I'm doing it correctly. As follows:
>
> LDAP Server IP: 192.168.10.1
> Host name: node01
> suffix: dc=S80,dc=com
>
> Do I create a Certificate Common Name using "node01.S80.com" or "node01"
You use the name that you are going to use to connect to the host with. The
real fqdn does not matter ....
So, if you are going to use:
URI ldaps://www.microsoft.com
then create a cert for www.microsoft.com
(of course, you should ensure that the name you use resolves to the IP)
Regards,
Buchan
ldapadd of LDIF files with attribute 'apple-generateduid' not allowed
by Alexander Hartner
I am trying to import a simple LDIF file into OpenDirectory on OS X
10.5.2 Leopard Server.
However, when I issue the following ldapadd command I get an error:
ldapadd -D [rootdn] -x -w [secretPassword] -f Import.ldif
Error: 65 Object class violation
attribute 'apple-generateduid' not allowed
I would have thought that I had specified apple-generateduid, but I
didn't.
This is my import file
-----------BEGIN-----------
# Alexander Hartner
dn: cn=Alexander Hartner2,cn=people,dc=macbook-znet,dc=local
objectClass: top
objectClass: person
objectClass: inetOrgPerson
displayName: Alexander Hartner2
cn: Alexander Hartner2
givenName: Alexander
sn: Hartner
mail: alex(a)j2anywhere.com
initials: A
o: j2anywhere.com
-----------END-----------
I know this might not be the best forum for OS X support, but I am a
bit stuck on this.
Thanks in advance.
Alex
TLS LDAP Configuration w/Linux 5.0
by Mathis, Jim
Hello,
Info as follows:
OS: RH Enterprise Server 5.1
Server Certificates: Created using a Common Name of "S80.com"
Client Certificate: Copied "cacert.pem" from the server and placed into
"/etc/openldap/cacerts/"
Problem: When configuring TLS to work with LDAP I'm no longer able to
login from a client via LDAP. LDAP works normally when TLS is not
configured. Suspect possible configuration problem. I'd appreciate any
additional information. Thanks.
CLIENT /ETC/LDAP.CONF
# The distinguished name of the search base.
base dc=S80,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
bind_policy soft
uri ldaps://192.168.10.1/
ssl start_tls
TLS_CACERT /etc/openldap/cacerts/cacert.pem
pam_password md5
CLIENT /ETC/OPENLDAP/LDAP.CONF
URI ldaps://192.168.10.1/
BASE dc=S80,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
SERVER /ETC/OPENLDAP/SLAPD.CONF
TLSCACertificateFile /var/certs/cacert.pem
TLSCertificateFile /var/certs/servercrt.pem
TLSCertificateKeyFile /var/certs/serverkey.pem
database ldbm
suffix "dc=S80,dc=com"
rootdn "cn=Administrator,dc=S80,dc=com"
USED THE FOLLOWING COMMANDS (Did not observe ldaps port 636 being
opened. Not sure if it's necessary due to start_tls on port 389)
slapd -h "ldap:/// ldaps:///"
nmap 192.168.10.1
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
389/tcp open ldap
617/tcp open sco-dtmgr
650/tcp open unknown
722/tcp open unknown
2049/tcp open nfs
AMPLIFYING DATA
No errors occur using "ldapsearch -x 'uid=jmathis' -H ldap://192.168.10.1"
Errors observed using:
ldapsearch -x 'uid=jmathis' -H ldaps://192.168.10.1
ldap_bind: Can't contact LDAP server (-1)
ldapsearch -x -b 'dc=S80,dc=com' -ZZ
ldap_start_tls: Can't contact LDAP server (-1)
Re: ldapsearch for accont object class
by Hamidreza Hamedtoolloei
Dear Dieter,
Thanks for your response. I am using LDAP as a central authentication unit, and migrated all the linux accounts to ldap via some migration tools. Currently authentication for linux users works fine, i.e. "su sriram then inputting the password" doesn't complain, but when I want to bind to ldap using a user DN (ex ldapsearch "uid=sriram,ou=People,dc=ibm,dc=com" -W -x) I get the Invalid credentials (49) error. I added password-hash {CRYPR} to my slapd.config file, however, it prevented the server from running.
The other entry, "cn=fratbrother,ou=People,dc=ibm,dc=com", I added manually. Although the hashing method is SSHA, when I add password-hash {MD5} to my slapd.config, I can still successfully bind. I don't know why this is happening... since the password-hash method has changed, I expect to get the Invalid credentials error... any ideas?
----- Original Message ----
From: Dieter Kluenter <dieter(a)dkluenter.de>
To: openldap-technical(a)openldap.org
Sent: Tuesday, February 19, 2008 11:33:05 PM
Subject: Re: ldapsearch for accont object class
Hamidreza Hamedtoolloei <hamedtoolloei(a)yahoo.com> writes:
> Dear all,
> Below is the "partial" content of my openldap db.
> when I do:
> ldapsearch -D "cn=fratbrother,ou=People,dc=ibm,dc=com" -w password -x
> everything is fine. However, when I do
> ldapsearch -D "uid=sriram,ou=People,dc=ibm,dc=com" -w password -x
> I get the ldap_bind: Invalid credentials (49) error.
> is this related to the "account" object class?
> it seems that none of the openLdap tools such as ldapsearch,ldappasswd works
> for "account" object class.. is the syntax different for this type of class?
> p.s. in my slapd.config for ACL I have
> access to *
> by * read
Your problem seems to be different password hashing methods
> # sriram, People, ibm.com
> dn: uid=sriram,ou=People,dc=ibm,dc=com
> userPassword:: e2NyeXB0fSQxJC82bGVIazhGJEY3bHpuS1d2bi5UWmQuZ2o1TUhqLy4=
this is a crypt hashed password
> dn: cn=fratbrother,ou=People,dc=ibm,dc=com
> userPassword:: e1NTSEF9aXVxUkw1MlAvaS9XUkRkNHhuN0lEbUl3VnhhekRzV2s=
this is a ssha hashed password.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
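The point behind Dieter's answer is that slapd verifies a simple bind using the scheme prefix stored in the userPassword value itself ({crypt}, {SSHA}, ...), while the password-hash directive only chooses the scheme for passwords set later through the Password Modify operation. That is why changing password-hash does not break an existing {SSHA} bind, and why a migrated {crypt} hash only works if slapd was built with crypt(3) support (--enable-crypt). The following added example, not code from the thread or from OpenLDAP, decodes the two base64 userPassword values quoted above, identifies their schemes, and verifies a candidate password against an {SSHA} value the way slapd does; the {SSHA} hash it verifies is constructed here from a known password, since the real passwords are not on the page.

```python
# Added example: inspect LDIF userPassword values and verify by stored scheme.
import base64
import hashlib
import hmac
import os
import re


def decode_ldif_attr(line: str):
    """Split 'attr: value' or 'attr:: base64value' into (attr, str)."""
    name, sep, rest = line.partition("::")
    if sep:
        return name.strip(), base64.b64decode(rest.strip()).decode("utf-8")
    name, _, rest = line.partition(":")
    return name.strip(), rest.strip()


def scheme_of(stored: str) -> str:
    """Return the storage scheme prefix, upper-cased, or 'CLEARTEXT'."""
    m = re.match(r"\{([^}]+)\}", stored)
    return m.group(1).upper() if m else "CLEARTEXT"


def make_ssha(password: str, salt: bytes = None) -> str:
    """Produce an {SSHA} value as slappasswd -h {SSHA} does (4-byte salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str):
    """Verify candidate against stored using the scheme named in the value.

    Mirrors slapd: the stored prefix picks the algorithm, so the
    password-hash directive never changes how an existing value is checked.
    Returns True/False, or None for schemes this example leaves to slapd
    (e.g. {CRYPT}, which needs crypt(3)).
    """
    scheme = scheme_of(stored)
    body = stored if scheme == "CLEARTEXT" else stored[len(scheme) + 2:]
    wanted = candidate.encode("utf-8")
    if scheme == "SSHA":
        raw = base64.b64decode(body)
        digest, salt = raw[:20], raw[20:]        # SHA-1 digest, then salt
        return hmac.compare_digest(hashlib.sha1(wanted + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(wanted).digest(), base64.b64decode(body))
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(body.encode("utf-8"), wanted)
    return None


if __name__ == "__main__":
    # The two values quoted in the thread (base64 as written in LDIF).
    for line in (
        "userPassword:: e2NyeXB0fSQxJC82bGVIazhGJEY3bHpuS1d2bi5UWmQuZ2o1TUhqLy4=",
        "userPassword:: e1NTSEF9aXVxUkw1MlAvaS9XUkRkNHhuN0lEbUl3VnhhekRzV2s=",
    ):
        attr, value = decode_ldif_attr(line)
        print(attr, scheme_of(value), value)
    # Constructed: an {SSHA} value for a known password, then verified.
    stored = make_ssha("secret", salt=b"\x01\x02\x03\x04")
    print(stored, verify_userpassword(stored, "secret"), verify_userpassword(stored, "wrong"))
```

For the thread's symptom, the useful check is therefore on the {crypt} side: confirm the server was built with crypt support and that the migrated hash format (here a glibc MD5-crypt "$1$" value) is one the server's crypt(3) understands.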
Another question concerning the dynlist overlay
by Gerd Schering
Hi,
In my slapd.conf I added the following line:
dynlist-attrset myAccount myAccountOwnerURL
myAccount is a proprietary, auxiliary objectclass.
SlapD says:
AttributeDescription "myAccountOwnerURL" must be a subtype of "labeledURI".
I really don't know how to arrange this. Trying
attributetype ( labeledURI:1 NAME 'myAccountOwnerURL'
... )
gives: OID could not be expanded: "labeledURI:1"
even though the dyngroup.schema was loaded prior to the schema containing the
"myAccountOwnerURL" attribute.
Any hint how to proceed?
Gerd
--
------------------------------------------------------
-- Gerd Schering, Email: Schering(a)tubit.TU-Berlin.DE --
-- TU Berlin, Zentraleinrichtung Rechenzentrum --
-- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin --
-- phone: +49 30 314 24383, fax: +49 30 314 21060 --
------------------------------------------------------
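Two separate things are going wrong in the post. The `labeledURI:1` form is rejected because `name:suffix` in a schema file is an OID macro, which must first be declared with an `objectidentifier` directive; `labeledURI` is an attribute name, not a macro, so the OID cannot be expanded. Independently, dynlist requires the URL attribute to be a subtype of labeledURI, which is expressed with `SUP labeledURI` in the attribute definition, with the attribute given an OID of its own. The following is an added example, not code from the post or from OpenLDAP: a minimal schema-file parser that follows SUP chains and answers the question dynlist asks. The schema text it checks is constructed here; the OID arc 1.3.6.1.4.1.99999 is a placeholder, not a registered enterprise number, and the labeledURI definition is the one from core.schema.

```python
# Added example: check that a dynlist URL attribute is a subtype of labeledURI.
import re

# labeledURI as defined in OpenLDAP's core.schema (RFC 2079).
CORE_LABELED_URI = """
attributetype ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI'
    DESC 'RFC2079: Uniform Resource Identifier with optional label'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

# Constructed: the form the post needs. 1.3.6.1.4.1.99999 is a placeholder
# arc; use your own private enterprise number in a real schema.
GOOD_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'myAccountOwnerURL'
    DESC 'constructed example: URL selecting the owners of an account'
    SUP labeledURI )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'myAccount'
    DESC 'constructed example'
    SUP top AUXILIARY
    MAY myAccountOwnerURL )
"""

# Constructed: a valid attribute with the right syntax but no SUP, which is
# exactly what dynlist rejects with 'must be a subtype of "labeledURI"'.
BAD_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'badOwnerURL'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

_DEF_SPLIT = re.compile(r"(?im)^\s*(attributetype|objectclass|objectidentifier)\b")
_NAME = re.compile(r"NAME\s+(?:\(\s*)?'([^']+)'")
_SUP = re.compile(r"\bSUP\s+([A-Za-z][\w.;-]*)")


def parse_attribute_types(schema_text: str) -> dict:
    """Minimal parser: {attribute name (lower) -> SUP name (lower) or None}.

    Splits the file at each definition keyword so a SUP inside a following
    objectclass is never attributed to the attribute type before it.
    """
    types = {}
    parts = _DEF_SPLIT.split(schema_text)
    for keyword, body in zip(parts[1::2], parts[2::2]):
        if keyword.lower() != "attributetype":
            continue
        name = _NAME.search(body)
        if name is None:
            continue
        sup = _SUP.search(body)
        types[name.group(1).lower()] = sup.group(1).lower() if sup else None
    return types


def is_subtype(types: dict, name: str, ancestor: str) -> bool:
    """Follow the SUP chain from name; True if it reaches ancestor."""
    seen = set()
    cur = name.lower()
    while cur is not None and cur not in seen:
        if cur == ancestor.lower():
            return True
        seen.add(cur)
        cur = types.get(cur)
    return False


def dynlist_url_attr_ok(schema_text: str, url_attr: str) -> bool:
    """Would slapd accept url_attr as the URL attribute of dynlist-attrset?"""
    types = parse_attribute_types(CORE_LABELED_URI + schema_text)
    return is_subtype(types, url_attr, "labeledURI")


if __name__ == "__main__":
    print("myAccountOwnerURL:", dynlist_url_attr_ok(GOOD_SCHEMA, "myAccountOwnerURL"))
    print("badOwnerURL:", dynlist_url_attr_ok(BAD_SCHEMA, "badOwnerURL"))
```

Because the attribute inherits its syntax and matching rules from labeledURI through SUP, the definition needs no SYNTAX or EQUALITY of its own; adding the attribute to the auxiliary objectclass as MAY is what lets it be set on the account entries the dynlist-attrset line names.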