openldap-technical February 2008

openldap-technical@openldap.org

57 participants
79 discussions

query regarding user names and passwords
by anish patil 21 Feb '08

21 Feb '08

Hi All, I want to add usr names which are not in ASCII characters using ldapadd command . I tried it on RHEL 4.4 , it giving me following error <error> adding new entry "uid=ああああ,ou=People,dc=avaya,dc=com" ldap_add: Invalid DN syntax (34) additional info: invalid DN </error> Systems locale set:-*LANG=ja_JP.SJIS* i googled it i found this http://www.openldap.org/lists/openldap-software/200308/msg00570.html But this post is in 2003 So i wanted to know is it LDAP's limitation ? Thanks in advance -- Anish Patil

3 5

Red Hat RPMs?
by Gavin Henry 21 Feb '08

21 Feb '08

BTW, has anyone over the history of the "well-known" broken Red Hat RPMs raised bug reports etc. and had any response? I'm not sure what effort has been put into this and whether it's worth picking it up again? As most users first experience of OpenLDAP is via the RH and Fedora RPMs, I think some effort (if it's not a waste of time again) should be put into trying to raise our concerns, as it harms the project in the long run. Currently we have SuSE, Mandriva and Debian guys on the lists who care (you all know who you are ;-) ). Anyone from Red Hat or Fedora here? Thanks. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

5 6

TLS/SSL Handshake Error
by Mathis, Jim 21 Feb '08

21 Feb '08

Hello, After creating a self-signed certificate as per the, OpenLDAP Admin Guide, TLS/SSL was enabled. The CN used when creating the certificates was the hostname of the LDAP server - "node01". However, when conducting further TLS/SSL tests there appears to be a handshaking error between the client and server. Additionally, when checking the Server certificates using the " openssl s_client -connect :636 -state -CAfile /var/certs/cacert.pem -cert /var/certs/servercrt.pem -key /var/certs/serverkey.pem" command it indicates that the client private certificate key can't be loaded and expecting a start line (see below). Appreciate any additional info. Config data as follows: CLIENT CONFIG DATA /etc/ldap.conf host node01 base dc=S80,dc=com uri ldaps://node01/ ldap_version 3 port 636 timelimit 120 bind_timelimit 120 bind_policy soft idle_timelimit 3600 ssl on tls_checkpeer yes tls_cacertfile /etc/openldap/cacerts/cacert.pem tls_cacertdir /etc/openldap/cacerts tls_reqcert never tls_ciphers TLSv1 pam_password md5 /etc/openldap/ldap.conf URI ldaps://node01:636 HOST node01 BASE dc=S80,dc=com TLS_CACERT /etc/openldap/cacerts/cacert.pem TLS_CACERTDIR /etc/openldap/cacerts TLS_REQCERT never /etc/openldap/cacerts/cacert.pem Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Virginia, O=XXX, OU=S80, CN=node01/emailAddress=XXX Validity Not Before: Feb 21 15:10:48 2008 GMT Not After : Feb 20 15:10:48 2011 GMT Subject: C=US, ST=Virginia, O=XXX, OU=S80, CN=node01/emailAddress=XXX Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:da:b9:b0:ba:ca:95:f1:fc:48:6e:e9:d5:5d:d5: 22:aa:9e:38:19:7d:0c:14:65:44:fa:12:69:f6:98: 6a:38:43:11:29:20:a8:a2:98:a9:00:ce:40:19:e5: 56:46:1b:85:d6:99:91:5f:7b:a9:19:ac:7b:7c:cc: 42:13:88:99:99:af:98:52:9b:a4:60:77:ca:e7:ae: 41:97:c0:8c:5e:f9:a1:44:c0:6b:29:ec:3f:9b:1e: 59:dc:05:f5:b8:a8:ed:71:7c:db:51:26:1f:59:ee: 04:fc:b0:24:77:64:2e:be:df:a7:1a:91:34:81:f4: a6:d6:b9:26:64:63:2f:19:95 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: C1:AA:5F:32:3D:7F:80:FA:4A:A1:A2:24:BC:66:AB:CE:C3:5A:A8:E0 X509v3 Authority Key Identifier: keyid:C1:AA:5F:32:3D:7F:80:FA:4A:A1:A2:24:BC:66:AB:CE:C3:5A:A8:E0 Signature Algorithm: sha1WithRSAEncryption 37:84:43:62:ed:98:c3:31:85:24:3e:8d:d8:88:9f:4d:8f:00: dc:08:21:ee:9d:19:07:21:c0:70:cf:b1:38:94:49:34:de:42: 93:5e:51:79:95:6b:d6:2d:7f:92:f7:da:49:d0:92:65:81:8f: ed:0e:24:0a:0d:17:cd:73:fe:c2:86:9c:40:22:04:af:7b:d6: 1e:ba:2c:5a:f4:d8:52:ab:8f:94:45:ae:bc:11:07:06:0d:da: 11:6f:f5:1a:63:ae:05:0a:64:32:b1:f0:5c:eb:21:6b:d1:ff: bb:0a:42:a9:a9:23:f3:ab:d4:9f:b4:26:4e:d4:ea:7b:0a:26: df:a4 -----BEGIN CERTIFICATE----- .....XXX -----END CERTIFICATE----- SERVER CONFIG DATA Server IP: 192.168.10.1 Hostname: node01 Suffix: dc=S80,dc=com Certificate Common Name (CN): node01 /etc/openldap/slapd.conf TLSCACertificateFile /var/certs/cacert.pem TLSCertificateFile /var/certs/servercrt.pem TLSCertificateKeyFile /var/certs/serverkey.pem database ldbm suffix "dc=S80,dc=com" SERVER KEY (serverkey.pem) -----BEGIN CERTIFICATE REQUEST----- ...XXX -----END CERTIFICATE REQUEST----- ERRORS OBSERVED (SERVER) [root@node01 certs]# openssl s_client -connect :636 -state -CAfile /var/certs/cacert.pem -cert /var/certs/servercrt.pem -key /var/certs/serverkey.pem unable to load client certificate private key file 8086:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY [root@node01 certs]# ldapsearch -d127 -x -H ldaps://node01 uid=uid ldap_create ldap_url_parse_ext(ldaps://node01) ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP node01:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.10.1:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization tls_write: want=133, written=133 0000: 80 83 01 03 01 00 5a 00 00 00 20 00 00 39 00 00 ......Z... ..9.. 0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 8..5............ 0020: 00 00 33 00 00 32 00 00 2f 03 00 80 00 00 66 00 ..3..2../.....f. 0030: 00 05 00 00 04 01 00 80 00 00 63 00 00 62 00 00 ..........c..b.. 0040: 15 00 00 12 00 00 09 06 00 40 00 00 65 00 00 64 .........@..e..d 0050: 00 00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 ................ 0060: 00 03 02 00 80 28 9b 68 41 39 df 12 52 12 ab 41 .....(.hA9..R..A 0070: 20 11 b0 b9 d0 76 3d 5c 2d f6 3a 00 49 28 07 d4 ....v=\-.:.I(.. 0080: 67 8d 26 70 fb g.&p. TLS trace: SSL_connect:SSLv2/v3 write client hello A tls_read: want=7, got=7 0000: 15 03 01 00 02 02 28 ......( TLS trace: SSL3 alert read:fatal:handshake failure TLS trace: SSL_connect:error in SSLv2/v3 read server hello A TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1) additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ERRORS OBSERVED (CLIENT) [root@node03 ~]# openssl s_client -connect node01:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL3 alert read:fatal:handshake failure SSL_connect:error in SSLv2/v3 read server hello A 3531:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562: [root@node03 ~]# ldapsearch -d127 -x -H ldaps://node01 uid=uid ldap_create ldap_url_parse_ext(ldaps://node01) ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP node01:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.10.1:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization tls_write: want=133, written=133 0000: 80 83 01 03 01 00 5a 00 00 00 20 00 00 39 00 00 ......Z... ..9.. 0010: 38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 8..5............ 0020: 00 00 33 00 00 32 00 00 2f 03 00 80 00 00 66 00 ..3..2../.....f. 0030: 00 05 00 00 04 01 00 80 00 00 63 00 00 62 00 00 ..........c..b.. 0040: 15 00 00 12 00 00 09 06 00 40 00 00 65 00 00 64 .........@..e..d 0050: 00 00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 ................ 0060: 00 03 02 00 80 51 97 63 fc ee 43 25 a8 d2 e4 8c .....Q.c..C%.... 0070: ef 63 6e e0 97 b7 cd c2 1e 14 97 c9 50 5d 82 6b .cn.........P].k 0080: 3f f5 d0 6f a4 ?..o. TLS trace: SSL_connect:SSLv2/v3 write client hello A tls_read: want=7, got=7 0000: 15 03 01 00 02 02 28 ......( TLS trace: SSL3 alert read:fatal:handshake failure TLS trace: SSL_connect:error in SSLv2/v3 read server hello A TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1) additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

1 0

RE: LDAP Writes are not propagated to mirror nodes.
by Quanah Gibson-Mount 21 Feb '08

21 Feb '08

--On Thursday, February 21, 2008 2:56 PM +0800 "K C, Sachin (Sachin)" <sachinkc(a)alcatel-lucent.com> wrote: > > Quanah, > > I have compiled the source on solaris 10. OpenLDAP release I > used is 2.4.7 Keep all replies on the list. Sending a reply to the list and then sending a further reply to me is only going to help ensure you end up on my blacklist, and it definitely won't get you a quicker response. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: Ppolicy issues
by Bryan Payne 21 Feb '08

21 Feb '08

Thank you for your help. I added the pwdPolicySubentry to a user to no avail. I did find this in the logfile though: Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password So it looks like it's trying to do something but cannot. While I'm concerned about password strength, I'm more concerned (at this point) with just having the machine prompt for a password change. I'm running centos 4.6 and openldap 2.3.39. I compiled it with the following: ./configure --enable-crypt --enable-ppolicy --with-tls --prefix=/opt/openldap/ Once again, thanks for any help. Bryan Payne skrev, on 19-02-2008 22:27: I have some issues with ppolicy. It seems it recognizes expiration dates (I know this from looking in the logs, but it does not warn the user their password is expiring soon), properly locks out accounts with too many failed logins but it cannot seem to force a password change when pwdReset is set to TRUE, nor does it prevent logins when the password has expired. Any help would be greatly appreciated. I'll post the things of importance below. Please let me know if anything else would help. [root@ldapserver ~]# ldapsearch -x -LLL cn=default dn: cn=default,ou=policies,dc=example,dc=com objectClass: top objectClass: device objectClass: pwdPolicy cn: default pwdAttribute: 2.5.4.35 pwdInHistory: 6 pwdCheckQuality: 1 pwdMinLength: 8 pwdMaxFailure: 4 pwdLockout: TRUE pwdFailureCountInterval: 0 pwdMustChange: TRUE pwdSafeModify: FALSE pwdLockoutDuration: 900 pwdExpireWarning: 432000 pwdGraceAuthNLimit: 1 pwdAllowUserChange: TRUE pwdMaxAge: 7776000 From slapd.conf overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=example,dc=com" ppolicy_use_lockout Most of the above looks kosher; my main site is running ppolicy on OpenLDAP 2.3.33 up to 2.3.39 Buchan rpms on Red Hat RHEL5 and all the above work. However: 1: I've found that each posixAccount has to have the operational attribute pwdPolicySubentry. Although this is an operational attribute, it is (the only?) such that is user modifiable. In this (as in many other) respects gq is indispensable as GUI. 2: I've found that extensive use has to be made of pam_ldap to get the best out of ppolicy (for example password strength). 3: It would help if you detailed OS and OL versions, so's one could know whether to contribute help or not. Bets, --Tonni -- Tony Earnshaw Email: tonni at hetnet dot nl

4 6

Re: TLS LDAP Configuration w/Linux 5.0
by Buchan Milne 21 Feb '08

21 Feb '08

Please keep replies on-list. On Thursday 21 February 2008 17:00:11 Mathis, Jim wrote: > Buchan, > > Thanks for the info. I want to ensure when I create the certificates > that I'm doing it correctly. As follows: > > LDAP Server IP: 192.168.10.1 > Host name: node01 > suffix: dc=S80,dc=com > > Do I create a Certificate Common Name using "node01.S80.com" or "node01" You use the name that you are going to use to connect to the host with. The real fqdn does not matter .... So, if you are going to use: URI ldaps://www.microsoft.com then create a cert for www.microsoft.com (of course, you should ensure that the name you use resolves to the IP) Regard,s Buchan

1 0

ldapadd of LDIF files with attribute 'apple-generateduid' not allowed
by Alexander Hartner 21 Feb '08

21 Feb '08

I am trying to import a simple LDIF file into OpenDirectory on OS X 10.5.2 Leopard Server. However when I issue the following ldapadd command I get an error : ldapadd -D [rootdn] -x -w [secretPassword] -f Import.ldif Error : 65 Object class violation" attribute 'apple-generateduid' not allowed I would have thought that I had specified apple-generateduid, but I didn't. This is my import file -----------BEGIN----------- # Alexander Hartner dn: cn=Alexander Hartner2,cn=people,dc=macbook-znet,dc=local objectClass: top objectClass: person objectClass: inetOrgPerson displayName: Alexander Hartner2 cn: Alexander Hartner2 givenName: Alexander sn: Hartner mail: alex(a)j2anywhere.com initials: A o: j2anywhere.com -----------END----------- I know this might not be the best forum for OS X support, but I am a bit stuck on this. Thanks in advance. Alex

1 0

TLS LDAP Configuration w/Linux 5.0
by Mathis, Jim 20 Feb '08

20 Feb '08

Hello, Info as follows: OS: RH Enterprise Server 5.1 Server Certificates: Created using a Common Name of "S80.com" Client Certificate: Copied "cacert.pem" from the server and placed into "/etc/openldap/cacerts/" Problem: When configuring TLS to work with LDAP I'm no longer able to login from a client via LDAP. LDAP works normal when TLS is not configured. Suspect possible configuration problem. I'd appreciate any additional information. Thanks. CLIENT /ETC/LDAP.CONF # The distinguished name of the search base. base dc=S80,dc=com timelimit 120 bind_timelimit 120 idle_timelimit 3600 # Just assume that there are no supplemental groups for these named users nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman bind_policy soft uri ldaps://192.168.10.1/ ssl start_tls TLS_CACERT /etc/openldap/cacerts/cacert.pem pam_password md5 CLIENT /ETC/OPENLDAP/LDAP.CONF URI ldaps://192.168.10.1/ BASE dc=S80,dc=com TLS_CACERT /etc/openldap/cacerts/cacert.pem SERVER /ETC/OPENLDAP/SLAPD.CONF TLSCACertificateFile /var/certs/cacert.pem TLSCertificateFile /var/certs/servercrt.pem TLSCertificateKeyFile /var/certs/serverkey.pem database ldbm suffix "dc=S80,dc=com" rootdn "cn=Administrator,dc=S80,dc=com" USED THE FOLLOWING COMMANDS (Did not observe ldaps port 636 being opened. Not sure if it's necessary due to start_tls on port 389) slapd -h "ldap:/// ldaps:///" nmap 192.168.10.1 PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind 389/tcp open ldap 617/tcp open sco-dtmgr 650/tcp open unknown 722/tcp open unknown 2049/tcp open nfs AMPLIFYING DATA No errors occur using "ldapsearch -x 'uid=jmathis' -H ldap://192.168.10.1" Errors observed using: ldapsearch -x 'uid=jmathis' -H ldaps://192.168.10.1 ldap_bind: Can't contact LDAP server (-1) ldapsearch -x -b 'dc=S80,dc=com' -ZZ ldap_start_tls: Can't contact LDAP server (-1)

3 2

Re: ldapsearch for accont object class
by Hamidreza Hamedtoolloei 20 Feb '08

20 Feb '08

Dear Dieter , Thanks for your response. I am using LDAP as a centrtal authentication unit, and migrated all the linux accounts to ldap via some migration tools. currently authentication for linux users work fine i.e. "su sriram then inputing the password" doesnt complain, but when I want to bind to ldap using a user DN (ex ldapsearch "uid=sriram,ou=People,dc=ibm,dc=com" -W -x) I get the Invalid credentials (49) error. I added password-hash {CRYPR} to my slapd.config file, however, it prevented the server from running. the other entry, "cn=fratbrother,ou=People,dc=ibm,dc=com", I added manually. Although the hashing method is SSHA, when I add password-hash {MD5} to my slapd.config, I still can successfully bind. I dont know why this is happening... since the password-hash method has changed, I expect to get the Invalid credentials error... any ideas? ----- Original Message ---- From: Dieter Kluenter <dieter(a)dkluenter.de> To: openldap-technical(a)openldap.org Sent: Tuesday, February 19, 2008 11:33:05 PM Subject: Re: ldapsearch for accont object class Hamidreza Hamedtoolloei <hamedtoolloei(a)yahoo.com> writes: > Dear all, > Below is the "partial" content of my openldap db. > when I do: > ldapsearch -D "cn=fratbrother,ou=People,dc=ibm,dc=com" -w password -x > everything is fine. However, when I do > ldapsearch -D "uid=sriram,ou=People,dc=ibm,dc=com" -w password -x > I get the ldap_bind: Invalid credentials (49) error. > is this related to the "account" object class? > it seems that none of the openLdap tools such as ldapsearch,ldappasswd works > for "account" object class.. is the syntax different for this type of class? > p.s. in my slapd.config for ACL I have > access to * > by * read Your problem seem to be different password hashing methods > # sriram, People, ibm.com > dn: uid=sriram,ou=People,dc=ibm,dc=com > userPassword:: e2NyeXB0fSQxJC82bGVIazhGJEY3bHpuS1d2bi5UWmQuZ2o1TUhqLy4= this is a crypt hashed passwword > dn: cn=fratbrother,ou=People,dc=ibm,dc=com > userPassword:: e1NTSEF9aXVxUkw1MlAvaS9XUkRkNHhuN0lEbUl3VnhhekRzV2s= this is a ssha hashed password. -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6 ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

2 1

Another question concerning the dynlist overlay
by Gerd Schering 20 Feb '08

20 Feb '08

Hi, I my slapd.conf i added th following line: dynlist-attrset myAccount myAccountOwnerURL myAccount is a propriatary, auxliliary objectclass. SlapD says: AttributeDescription "myAccountOwnerURL" must be a subtype of "labeledURI". I really don't now how to arrange this. Trying attributetype ( labeledURI:1 NAME 'myAccountOwnerURL' ... ) gives: OID could not be expanded: "labeledURI:1" even the dyngroup.schema wsa loaded prior to the schema containing the "myAccountOwnerURL" Attribute. Any hint how to proceed? Gerd -- ------------------------------------------------------ -- Gerd Schering, Email: Schering(a)tubit.TU-Berlin.DE -- -- TU Berlin, Zentraleinrichtung Rechenzentrum -- -- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin -- -- phone: +49 30 314 24383, fax: +49 30 314 21060 -- ------------------------------------------------------

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2008