basic database design
by VaraPrasad Yalla
I built a basic LDAP server which is now working fine. It presently has
very few attributes for each of the entries in the database.
One of the records now looks like this:
---------------------------------------------
dn: uid=test,ou=People,dc=example,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$XViJ4WIc$KIn0R0tQnYaKglIOI5Koj.
shadowLastChange: 13925
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 506
gidNumber: 506
homeDirectory: /home/test
----------------------------------------------
How do I add further attributes like surname, email, street name, etc. to it?
Where should I make the modifications for these things to be added to the
database?
15 years, 7 months
Re: Question concerning the dynlist overlay and single valued attributes
by Pierangelo Masarati
Gerd Schering wrote:
> Pierangelo Masarati wrote:
>> Dynlist does not
>> allow massaging, so an option would be to stack a rwm before dynlist, so
>> that rwm can massage the attribute names from persID to memberID before
>> gathering. Looks ugly.
>
> Even if I will look for another solution (as promised in my previous
> posting), I am somewhat curious: where can I find an example dealing
> with overlay stacking?
Please keep replies on the list. Overlay stacking is trivial: just
configure more than one. From slapd.conf(5):
overlay <overlay-name>
Add the specified overlay to this database. An overlay is a
piece of code that intercepts database operations in order to
extend or change them. Overlays are pushed onto a stack over
the database, and so they will execute in the reverse of the
order in which they were configured and the database itself
will receive control last of all. See the slapd.overlays(5)
manual page for an overview of the available overlays. Note
that all of the database’s regular settings should be
configured before any overlay settings.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
15 years, 7 months
ldap_initialize failure
by Ron Rogers
Hi All,
I am receiving an LDAP_NO_MEMORY return from ldap_initialize on my Linux box. This error only occurs when my application is executed from another process. If I start the app from the command line, everything works fine. I've spent some time looking at the source code and manual pages. The error seems to be coming from the call to LDAP_INT_GLOBAL_OPT. After that I'm getting lost in the macros and #defines. Does anyone have any ideas about this problem?
Thanks
Ron Rogers
15 years, 7 months
OpenLDAP synchtonization with windows/Active Directory
by Razi Garbie
Hi everyone,
I've spent countless hours trying to figure out how to sync OpenLDAP with
my currently running Windows/Active Directory; however, I can't find any
information on how this is done.
I'm currently running Windows/AD which authenticates ~20 users, all Windows
boxes (obviously); however, all Windows users have accounts on the Linux
machines I run, and that makes administrative tasks a bit messy, hence I have
to make account changes on two different domains.
The ideal setup is to set up an OpenLDAP server that is synced with
Windows Active Directory, so that my users can authenticate against the
Linux domain using their Windows passwords,
etc.
(Linux machines/LDAP clients) -> OpenLDAP <-- SYNC --> Win/AD <- (Windows machines)
That's how I imagine the setup will look.
Has anyone ever done this?
Any help is greatly appreciated!
// Thanks, boney
15 years, 7 months
LDAP Auth
by Nuno Manuel Martins
Hello List,
I am very new to OpenLDAP and I am trying to get a Linux box authenticating through OpenLDAP instead of using the standard password file.
For this I followed the tutorial you can find at http://ldots.org/ldap/, but it seems this howto is out of date. The first problem I ran into was when trying to insert a new user in LDIF format; I corrected the first error I got and now this is the file I have:
dn: uid=myuser,ou=People,dc=example,dc=com
uid: myuser
cn: myuser
sn: Doe
givenname: John
objectclass: person
objectclass: posixaccount
objectclass: account
ou: People
uidnumber: 10001
gidnumber: 10001
homedirectory=: /home/ldap/john
loginshell: /bin/bash
When I try to run ldapadd I get the following error:
adding new entry "uid=branc0,ou=People,dc=example,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectclass: value #1 invalid per syntax
I am not sure what the problem is, although I'm pretty sure it is between the chair and the keyboard. Maybe someone on the list can direct me to a more up-to-date tutorial on setting up authentication with LDAP?
OpenLDAP version is 2.4.7
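An offline check for the two LDIF questions above (the first post's wish to add surname, email and street, and the file in this post), added here as an example and not taken from the thread: it parses LDIF and checks each entry against a constructed subset of the standard schema, reporting the things slapd rejects (an object class missing from the loaded schema, which slapd reports as "objectClass: value #N invalid per syntax", two unrelated structural classes such as person and account, missing MUST attributes, and attributes that no listed class allows). Assumed: the target slapd has the core, cosine, inetorgperson and nis schemas loaded; swapping account for inetOrgPerson means re-adding the entry, since slapd does not let ldapmodify change an entry's structural class.

```python
"""Offline schema check for LDIF entries; assumes slapd has core, cosine, inetorgperson and nis loaded."""
import re
SCHEMA = {  # class: (superior, structural?, MUST, MAY) -- constructed subset of the standard schema
    "top": (None, False, {"objectclass"}, set()),
    "person": ("top", True, {"sn", "cn"}, {"userpassword", "description"}),
    "organizationalperson": ("person", True, set(), {"street", "postaladdress", "ou", "l"}),
    "inetorgperson": ("organizationalperson", True, set(), {"mail", "givenname", "uid"}),
    "account": ("top", True, {"uid"}, {"description", "host", "ou", "l"}),
    "posixaccount": ("top", False, {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}, {"loginshell", "gecos"}),
    "shadowaccount": ("top", False, {"uid"}, {"shadowlastchange", "shadowmax", "shadowwarning"}),
}
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(;[^:]*)?:\s*(.*)$")  # one LDIF attrval-spec line

def parse_ldif(text):
    """Parse LDIF (no folded lines) into [(dn, {attr: [values]})] plus a list of syntax errors."""
    entries, errors, cur = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"): continue
        if not line.strip():  # a blank line ends the current entry
            if cur: entries.append(cur)
            cur = None
            continue
        m = ATTR_RE.match(line)
        if not m:  # e.g. 'homedirectory=: /home/ldap/john' in the post above
            errors.append(f"line {lineno}: malformed attribute line {line!r}")
        elif m.group(1).lower() == "dn":
            cur = (m.group(3), {})
        elif cur is not None:
            cur[1].setdefault(m.group(1).lower(), []).append(m.group(3))
    if cur: entries.append(cur)
    return entries, errors

def chain(cls):  # the class and all its superiors, most derived first
    out = []
    while cls:
        out.append(cls); cls = SCHEMA[cls][0]
    return out

def check_entry(dn, attrs):  # schema problems slapd would reject this entry for
    classes = [v.lower() for v in attrs.get("objectclass", [])]
    # slapd reports an unknown class as 'objectClass: value #N invalid per syntax' (N counts from 0)
    problems = [f"{dn}: objectClass {c!r} is not in the loaded schema" for c in classes if c not in SCHEMA]
    known = [c for c in classes if c in SCHEMA]
    # Exactly one structural chain is allowed; account and person are unrelated chains.
    structural = [c for c in known if SCHEMA[c][1]]
    if not structural:
        problems.append(f"{dn}: no structural objectClass")
    else:
        leaf = max(structural, key=lambda c: len(chain(c)))
        problems += [f"{dn}: structural classes {leaf!r} and {c!r} are not in one chain"
                     for c in structural if c not in chain(leaf)]
    must, may = set(), set()
    for c in known:
        for anc in chain(c):
            must |= SCHEMA[anc][2]; may |= SCHEMA[anc][3]
    present = set(attrs)
    problems += [f"{dn}: required attribute {a!r} missing" for a in sorted(must - present)]
    problems += [f"{dn}: attribute {a!r} not allowed by these object classes"
                 for a in sorted(present - must - may)]
    return problems

def lint(text):  # every syntax and schema problem in the LDIF text, as strings
    entries, errors = parse_ldif(text)
    return errors + [p for dn, attrs in entries for p in check_entry(dn, attrs)]

# Constructed from the 'basic database design' entry, with that poster's wanted sn/mail/street appended.
ENTRY_WITH_EXTRAS = """\
dn: uid=test,ou=People,dc=example,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uidNumber: 506
gidNumber: 506
homeDirectory: /home/test
sn: Test
mail: test@example.com
street: 1 Example Street
"""
# Same entry with the structural class swapped: inetOrgPerson allows mail and street and requires sn.
ENTRY_INETORGPERSON = ENTRY_WITH_EXTRAS.replace("objectClass: account", "objectClass: inetOrgPerson")
# The LDIF from the 'LDAP Auth' post, abridged to the person/account pair and the stray '='.
ENTRY_LDAP_AUTH = """\
dn: uid=myuser,ou=People,dc=example,dc=com
uid: myuser
cn: myuser
sn: Doe
objectclass: person
objectclass: posixaccount
objectclass: account
uidnumber: 10001
gidnumber: 10001
homedirectory=: /home/ldap/john
"""
```

`lint(ENTRY_WITH_EXTRAS)` flags mail, sn and street as not allowed by account/posixAccount/shadowAccount, `lint(ENTRY_INETORGPERSON)` is clean, and `lint(ENTRY_LDAP_AUTH)` reports the malformed line 10, the person/account structural conflict and the consequently missing homeDirectory.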
15 years, 7 months
RE: SSL Help
by Vinh.CTR.Hoang@faa.gov
It seems like my ldapsearch can't find the local issuer certificate ("unable to get local issuer certificate").
Which configuration file tells ldapsearch which
certificate to use?
Oh, my certificate, keys and cacert files are good; I've tested them
using the openssl s_server and s_client to get a basic connection.
Can someone help me? I don't know what else could be the problem.
Here's the log for ldapsearch:
/usr/local/bin/ldapsearch -x -LLL -ZZ -d 1
ldap_create
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying ::1 389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_close_socket: 4
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 31 bytes to sd 4
ldap_result ld 60888 msgid 1
ldap_chkResponseList ld 60888 msgid 1 all 1
ldap_chkResponseList returns ld 60888 NULL
wait4msg ld 60888 msgid 1 (infinite timeout)
wait4msg continue ld 60888 msgid 1 all 1
** ld 60888 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Feb 13 20:49:25 2008
** ld 60888 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 60888 Response Queue:
Empty
ldap_chkResponseList ld 60888 msgid 1 all 1
ldap_chkResponseList returns ld 60888 NULL
ldap_int_select
read1msg: ld 60888 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 60888 msgid 1 message type extended-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 60888 0 new referrals
read1msg: mark request completed, ld 60888 msgid 1
request done: ld 60888 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_extended_result
ber_scanf fmt ({eaa) ber:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=ldap1.mylan/emailAddress=abc@mylan, issuer:
/CN=ldap1.mylan/emailAddress=abc@mylan
TLS certificate verification: Error, unable to get local issuer
certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
and here's the server's log for that search
daemon: activity on 1 descriptor
>>> slap_listener(ldap:///)
daemon: listen=8, new connection on 14
daemon: added 14r (active) listener=0
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=6
connection_read(14): checking for input on id=6
ber_get_next
ldap_read: want=8, got=8
0000: 30 1d 02 01 01 77 18 80 0....w..
ldap_read: want=23, got=23
0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146
0010: 36 2e 32 30 30 33 37 6.20037
ber_get_next: tag 0x30 len 29 contents:
ber_dump: buf=0x002094f0 ptr=0x002094f0 end=0x0020950d len=29
0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x002094f0 ptr=0x002094f3 end=0x0020950d len=26
0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037
do_extended: oid=1.3.6.1.4.1.1466.20037
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........
daemon: activity on 1 descriptor
daemon: activity on: 14r
daemon: read activity on 14
connection_get(14)
connection_get(14): got connid=6
connection_read(14): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
tls_read: want=11, got=11
0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q...
tls_read: want=113, got=113
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=810, written=810
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1053
connection_read(14): TLS accept failure error=-1 id=6, closing
connection_closing: readying conn=6 sd=14 for close
connection_close: conn=6 sd=14
daemon: removing 14
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
>>>>>>>>>>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Thanks,
Vinh
Vinh CTR Hoang/ACT/CNTR/FAA@FAA
Sent by: openldap-technical-bounces+vinh.ctr.hoang=faa.gov(a)OpenLDAP.org
02/12/2008 05:27 PM
To
openldap-technical(a)openldap.org
cc
Subject
SSL Help
Hi, I'm having some troubles with openldap w/ TLS.
I can't seem to do an ldapsearch -x -LLL -ZZ, as it is giving me back
"SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
On the server side log I'm getting:
TLS trace: SSL3 alert read: fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1053
I've tried and tested my ssl connection using:
openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile
/usr/local/etc/openldap/cacert.pem
and that works, although if I use "TLSVerifyClient demand" in slapd.conf,
the server will reject the connection
saying that the client didn't send the certificate.
I also tried the client authentication SSL test and it works w/ and w/o
the TLSVerifyClient demand option:
openssl s_client -connect ldap1.mylan:636 -state \
-CAfile /usr/local/etc/openldap/cacert.pem \
-cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \
-key /usr/local/etc/openldap/slapd-key-ldap1.pem
Does anyone know what I'm doing wrong?
Here is the TLS part of my configs:
slapd.conf
....
#TLS SSL keys
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
#TLSVerifyClient demand
....
ldap.conf
BASE dc=mylan
HOST ldap1.mylan
#URI ldaps://127.0.0.1:636
TLS_CACERT /usr/local/etc/openldap/cacert.pem
.....
/etc/ldap.conf
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1
# The distinguished name of the search base.
#base dc=caplan,dc=org
base dc=mylan
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
host ldap1.mylan
#uri ldap://127.0.0.1/
#uri ldap://127.0.0.1/ ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=NonAnon,dc=caplan,dc=org
# The credentials to bind with.
# Optional: default is no credential.
#bindpw SeCrEt
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=root,dc=padl,dc=com
# The port.
# Optional: default is 389.
port 389
..
...
..
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Thanks,
Vinh
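A reader for the client trace quoted above, added here as an example and not part of the thread: it pulls the depth, error code, subject and issuer out of libldap's "TLS certificate verification" line (joining the e-mail's wrapped lines), maps the OpenSSL error code, and says what the CA file named by TLS_CACERT (tls_cacertfile for nss_ldap) would need to contain. Assumed: the trace is ldapsearch -d 1 output from a libldap built on OpenSSL; the error-code table is a constructed subset of the X509_V_ERR_* codes.

```python
"""Interpret the 'TLS certificate verification' lines that ldapsearch -d 1 prints (libldap over OpenSSL,
as in the post above) and say what the client's CA file would need for the handshake to succeed."""
import re

# OpenSSL X509_V_ERR_* codes that appear most often in these traces (constructed subset).
VERIFY_ERRORS = {
    10: "certificate has expired",
    18: "self-signed certificate at depth 0 is not in the CA file",
    19: "the self-signed root of the chain is not in the CA file",
    20: "the issuer named in the certificate was not found in the CA file",
    21: "unable to verify the first certificate (no chain was sent)",
}
# libldap prints one such line per certificate it checks; mail clients wrap it, so \s may span newlines.
VERIFY_RE = re.compile(r"TLS certificate verification: depth:\s*(\d+),\s*err:\s*(\d+),\s*"
                       r"subject:\s*(.+?),\s*issuer:\s*(\S+)", re.S)

def advice(err, depth, same_name):
    """What to put in the client's CA file (TLS_CACERT in ldap.conf, tls_cacertfile for nss_ldap)."""
    if err == 18:
        return "add the server certificate itself to the TLS_CACERT file"
    if err in (19, 20):
        if err == 20 and depth == 0 and same_name:
            # Subject and issuer names match but OpenSSL did not report 18 (self-signed), so the
            # certificate was signed by a separate CA key that merely carries the same name.
            who = "the CA certificate that signed it (same name as the server cert, different key)"
        else:
            who = "the issuer's certificate"
        return f"add {who} to the TLS_CACERT file; check with: openssl verify -CAfile <TLS_CACERT> <server cert>"
    return "not a CA-file problem"

def diagnose(trace):
    """The first failed verification in the trace as a dict, or None when every check passed."""
    for m in VERIFY_RE.finditer(trace):
        depth, err = int(m.group(1)), int(m.group(2))
        if err == 0:
            continue
        subject, issuer = m.group(3).strip(), m.group(4).strip()
        return {
            "depth": depth, "err": err, "subject": subject, "issuer": issuer,
            "reason": VERIFY_ERRORS.get(err, f"OpenSSL verify error {err}"),
            "same_name": subject == issuer,
            # 'alert write' means the client raised the alert; the server side only logs reading it
            "client_sent_alert": "alert write:fatal:unknown CA" in trace,
            "advice": advice(err, depth, subject == issuer),
        }
    return None

# Constructed from the client trace quoted above, wrapped exactly as the e-mail shows it.
TRACE = """\
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 20, subject:
/CN=ldap1.mylan/emailAddress=abc@mylan, issuer:
/CN=ldap1.mylan/emailAddress=abc@mylan
TLS certificate verification: Error, unable to get local issuer
certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_start_tls: Connect error (-11)
"""
```

For the quoted trace, `diagnose(TRACE)` reports error 20 at depth 0 with identical subject and issuer names and the client as the sender of the "unknown CA" alert, so the server-side "tlsv1 alert unknown ca" lines are the same rejection seen from the other end.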
15 years, 7 months
Question concerning the dynlist overlay and single valued attributes
by Gerd Schering
Hi,
I want to use the dynlist overlay to collect attribute values from
entries in different branches of the DIT, via a dynamic group like this:
dn: cn=dynamicTestList,ou=Groups,dc=local,dc=site
cn: dynamicTestList
objectclass: groupOfURLs
memberURL: ldap:///dc=local,dc=site?sn,persID?sub?(objectclass=*)
When I query this via
ldapsearch -x -H ldaps:/// \
-b "cn=dynamicTestList,dc=local,dc=site" -s base "(objectclass=*)"
I receive a reasonable number of "sn" values but just one for "persID",
despite the fact that there should be a lot of them.
"persID" is defined SINGLE VALUE.
Is this the reason for receiving just one item and if so, what can I do
to circumvent this, i.e. retrieve all "persID" from matched entries?
BTW, does the dynlist overlay support the "cn=config" stuff?
Any help will be appreciated,
Gerd
--
------------------------------------------------------
-- Gerd Schering, Email: Schering(a)tubit.TU-Berlin.DE --
------------------------------------------------------
15 years, 7 months
SSL Help
by Vinh.CTR.Hoang@faa.gov
Hi, I'm having some troubles with openldap w/ TLS.
I can't seem to do an ldapsearch -x -LLL -ZZ, as it is giving me back
"SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
On the server side log I'm getting:
TLS trace: SSL3 alert read: fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1053
I've tried and tested my ssl connection using:
openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile
/usr/local/etc/openldap/cacert.pem
and that works, although if I use "TLSVerifyClient demand" in slapd.conf,
the server will reject the connection
saying that the client didn't send the certificate.
I also tried the client authentication SSL test and it works w/ and w/o
the TLSVerifyClient demand option:
openssl s_client -connect ldap1.mylan:636 -state \
-CAfile /usr/local/etc/openldap/cacert.pem \
-cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \
-key /usr/local/etc/openldap/slapd-key-ldap1.pem
Does anyone know what I'm doing wrong?
Here is the TLS part of my configs:
slapd.conf
....
#TLS SSL keys
TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem
TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem
#TLSVerifyClient demand
....
ldap.conf
BASE dc=mylan
HOST ldap1.mylan
#URI ldaps://127.0.0.1:636
TLS_CACERT /usr/local/etc/openldap/cacert.pem
.....
/etc/ldap.conf
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1
# The distinguished name of the search base.
#base dc=caplan,dc=org
base dc=mylan
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
host ldap1.mylan
#uri ldap://127.0.0.1/
#uri ldap://127.0.0.1/ ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=NonAnon,dc=caplan,dc=org
# The credentials to bind with.
# Optional: default is no credential.
#bindpw SeCrEt
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=root,dc=padl,dc=com
# The port.
# Optional: default is 389.
port 389
..
...
..
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
tls_cacertfile /usr/local/etc/openldap/cacert.pem
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
Thanks,
Vinh
15 years, 7 months
Re: Ldap ppolicy schema entries
by Aravind Arjunan
I am still facing an issue while configuring LDAP in master-slave for
replication.
I am using OpenLDAP version 2.2.
OS: RHEL 4.0
And I am trying to configure master-slave replication through the slurpd method.
I had configured my master slapd.conf and slave slapd.conf.
Similarly, I configured the master and slave ldap.conf.
After that I stopped the service in the master and slave by
[root@server ~]# service ldap stop
Stopping slapd: [ OK ]
Stopping slurpd: [ OK ]
[root@server ~]#
Similarly in the slave also.
Then I copied the database manually using slapcat:
[root@server openldap]# slapcat -b "dc=example,dc=com" -v -l
example.com.ldif
# id=00000001
# id=00000003
[root@server openldap]# scp example.com.ldif root(a)151.2.119.133
:/var/lib/ldap/example.com/
root(a)151.2.119.133's password:
example.com.ldif 100% 747 0.7KB/s 00:00
[root@server openldap]#
In the slave:
[root@slave openldap]# slapadd -b "dc=example,dc=com" -v -l example.com.ldif
added: "dc=example,dc=com" (00000001)
added: "cn=Manager,dc=example,dc=com" (00000002)
[root@slave openldap]#
But when I create a user in the LDAP master and check for that user in the slave, I was
not able to find it.
There was no log in the replogfile.
[root@server ~]# useradd test
[root@server ~]# passwd test
Changing password for user test.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@server ~]#
In the slave:
[root@slave openldap]# id test
id: test: No such user
Here are my configuration files:
master slapd.conf
==============
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
#The base of your directory
suffix "dc=example,dc=com"
#where the database files are physically stored
directory "/var/lib/ldap/example.com"
#Distinguished name,not subject to access control
rootdn "cn=Manager,dc=example,dc=com"
rootpw password
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
replica uri=ldap://=151.2.119.133:389
suffix="dc=example,dc=com"
binddn="cn=syncuser,dc=example,dc=com"
bindmethod=simple credentials=hcllch
replogfile /var/lib/ldap/replogfile
#ACL's
access to attrs=userpassword
by self write
by anonymous auth
by dn="cn=syncuser,dc=example,dc=com" read
by * auth
access to *
by self write
by dn="cn=syncuser,dc=example,dc=com" read
by * read
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
[root@server openldap]#
Slave slapd.conf
==============
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
#The base of your directory
suffix "dc=example,dc=com"
#where the database files are physically stored
#directory "/var/lib/ldap/ldap-test"
#Distinguished name,not subject to access control
rootdn "cn=Manager,dc=example,dc=com"
rootpw password
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended
updatedn cn=syncuser,dc=example,dc=com
updateref ldap://151.2.119.120
directory /var/lib/ldap/example.com
access to attrs=userpassword
by self write
by anonymous auth
by dn="cn=syncuser,dc=example,dc=com" write
by * auth
access to *
by self write
by dn="cn=syncuser,dc=example,dc=com" write
by * read
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
[root@slave openldap]#
Master ldap.conf
==============
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
host 151.2.119.120 151.2.119.133
base dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
bindpw password
bind_policy soft
pam_password expo
Slave ldap.conf
==============
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
host 151.2.119.133 151.2.119.120
base dc=example,dc=com
binddn cn=Manager,dc=example,dc=com
bindpw password
bind_policy soft
pam_password expo
15 years, 7 months
Master Slave ldap
by Aravind Arjunan
---------- Forwarded message ----------
From: Aravind Arjunan <aravind.arjunan(a)gmail.com>
Date: 9 Feb 2008 11:20
Subject: Fwd: Ldap ppolicy schema entries
To: openldap-technical(a)openldap.org
---------- Forwarded message ----------
From: Aravind Arjunan <aravind.arjunan(a)gmail.com>
Date: 9 Feb 2008 11:19
Subject: Re: Ldap ppolicy schema entries
To: Buchan Milne <bgmilne(a)staff.telkomsa.net>
I am trying to configure LDAP in master-slave.
It was mentioned in the document that after configuring the master and slave
slapd.conf files for replication, you shut down the master slapd so you can copy the database.
I can't understand this part: how to copy the database.
Where to copy? Tell me how to check that my slave slapd is working,
whether by giving an ldapsearch command in the slave instance or by any other way.
I am attaching the master and slave conf files for reference; please tell me
if there is any mistake.
15 years, 7 months