openldap-technical February 2008

openldap-technical@openldap.org

57 participants
79 discussions

basic database design
by VaraPrasad Yalla 18 Feb '08

18 Feb '08

I built a basic ldap server which is now working fine . It presently has very few attributes for each of the entries in the database . one of the records now looks like this : --------------------------------------------- dn: uid=test,ou=People,dc=example,dc=com uid: test cn: test objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {crypt}$1$XViJ4WIc$KIn0R0tQnYaKglIOI5Koj. shadowLastChange: 13925 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 506 gidNumber: 506 homeDirectory: /home/test ---------------------------------------------- How do I add further attributes like surname , email , street name etc to it ? Where should I make the modifications for these things to be added to the database ?

2 1

Re: Question concerning the dynlist overlay and single valued attributes
by Pierangelo Masarati 16 Feb '08

16 Feb '08

Gerd Schering wrote: > Pierangelo Masarati wrote: >> Dynlist does not >> allow massaging, so an option would be to stack a rwm before dynlist, so >> that rwm can massage the attribute names from persID to memberID before >> gathering. Looks ugly. > > Even if I will look for another solution (as promised in my previous > posting), I am somewhat curious: where can I find an example dealing > with overlay stacking? Please keep replies on the list. Overlay stacking is trivial: just configure more than one. From slapd.conf(5): overlay <overlay-name> Add the specified overlay to this database. An overlay is a piece of code that intercepts database operations in order to extend or change them. Overlays are pushed onto a stack over the database, and so they will execute in the reverse of the order in which they were configured and the database itself will receive control last of all. See the slapd.overlays(5) manual page for an overview of the available overlays. Note that all of the database’s regular settings should be configured before any overlay settings. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it ---------------------------------------

1 0

ldap_initialize failure
by Ron Rogers 15 Feb '08

15 Feb '08

Hi All, I am receiving an LDAP_NO_MEMORY return from ldap_initialize on my Linux box. This error only occurs when the my application is executed from another process. If I start the app from the command line, everything works fine. I've spent some time looking at the source code and manual pages . The error seems to be coming from the call to LDAP_INT_GLOBAL_OPT. After that I'm getting lost in the macros and #defines . Does anyone have any ideas about this problem? Thanks Ron Rogers ____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping

1 0

OpenLDAP synchtonization with windows/Active Directory
by Razi Garbie 15 Feb '08

15 Feb '08

Hi everyone, I've spent countless of hours trying to figure out how to sync openLDAP with my currently running windows/active directory, however.. i cant find any information on how this is done. Im currently running windows/AD which authenticates ~20users all windows boxes (obviously), however.. all windows users have accounts on the linux machines i run and that makes administrative tasks a bit messy, hence i have to make account changes on two different domains. The ideal setup is to setup setup a OpenLDAP server that is synced with windows active directory, so that my users can authenticate against the linux domain using their windows passwords. etc, (linux machines/-ldap clients) - > OpenLDAP <--SYNC --> Win/AD <- (windows machines) Thats how i imagine the setup will look like. Has anyone ever done this? Any help is greatly appreciated! // Thanks, boney

5 7

LDAP Auth
by Nuno Manuel Martins 14 Feb '08

14 Feb '08

Hello List, I am very new to OpenLDAP and I am trying to put a Linux box authenticating trough OpenLDAP instead of using the standard password file. For this use I followed the tutorial you can find at http://ldots.org/ldap/ but it seems this howto is out of date. The first problem I ran into was when trying to insert a new user in LDIF format, I corrected the first error I got and now this is the file I have dn: uid=myuser,ou=People,dc=example,dc=com uid: myuser cn: myuser sn: Doe givenname: John objectclass: person objectclass: posixaccount objectclass: account ou: People uidnumber: 10001 gidnumber: 10001 homedirectory=: /home/ldap/john loginshell: /bin/bash When I try to run ldapadd I get the following error: adding new entry "uid=branc0,ou=People,dc=example,dc=com" ldap_add: Invalid syntax (21) additional info: objectclass: value #1 invalid per syntax I am not sure what the problem is, although I'm pretty sure it is between the chair and the keyboard. Maybe someone on the list can direct me to a more up-to-date tutorial on setting up authentication with LDAP ? OpenLDAP version is 2.4.7

4 6

RE: SSL Help
by Vinh.CTR.Hoang＠faa.gov 14 Feb '08

14 Feb '08

It seems like my ldapsearch can't find the get local issuer certificate. what configuration files tells the ldapsearch of which certificate to use? Oh, my certificate and keys and cacert files are good, I've tested them using the openssl s_server and s_client to get a basic connection. can someone help me, I don't know what else could be the problem. here's the log for ldapsearch: /usr/local/bin/ldapsearch -x -LLL -ZZ -d 1 ldap_create ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:389 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying ::1 389 ldap_connect_timeout: fd: 4 tm: -1 async: 0 ldap_close_socket: 4 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_connect_timeout: fd: 4 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 31 bytes to sd 4 ldap_result ld 60888 msgid 1 ldap_chkResponseList ld 60888 msgid 1 all 1 ldap_chkResponseList returns ld 60888 NULL wait4msg ld 60888 msgid 1 (infinite timeout) wait4msg continue ld 60888 msgid 1 all 1 ** ld 60888 Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Wed Feb 13 20:49:25 2008 ** ld 60888 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 60888 Response Queue: Empty ldap_chkResponseList ld 60888 msgid 1 all 1 ldap_chkResponseList returns ld 60888 NULL ldap_int_select read1msg: ld 60888 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 60888 msgid 1 message type extended-result ber_scanf fmt ({eaa) ber: read1msg: ld 60888 0 new referrals read1msg: mark request completed, ld 60888 msgid 1 request done: ld 60888 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({eaa) ber: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 0, err: 20, subject: /CN=ldap1.mylan/emailAddress=abc@mylan, issuer: /CN=ldap1.mylan/emailAddress=abc@mylan TLS certificate verification: Error, unable to get local issuer certificate TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_perror ldap_start_tls: Connect error (-11) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and here's the server's log for that search daemon: activity on 1 descriptor >>> slap_listener(ldap:///) daemon: listen=8, new connection on 14 daemon: added 14r (active) listener=0 daemon: select: listen=7 active_threads=0 tvp=NULL daemon: select: listen=8 active_threads=0 tvp=NULL daemon: select: listen=9 active_threads=0 tvp=NULL daemon: select: listen=10 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: activity on: 14r daemon: read activity on 14 connection_get(14) connection_get(14): got connid=6 connection_read(14): checking for input on id=6 ber_get_next ldap_read: want=8, got=8 0000: 30 1d 02 01 01 77 18 80 0....w.. ldap_read: want=23, got=23 0000: 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 .1.3.6.1.4.1.146 0010: 36 2e 32 30 30 33 37 6.20037 ber_get_next: tag 0x30 len 29 contents: ber_dump: buf=0x002094f0 ptr=0x002094f0 end=0x0020950d len=29 0000: 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4 0010: 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .1.1466.20037 ber_get_next ldap_read: want=8 error=Resource temporarily unavailable daemon: select: listen=7 active_threads=0 tvp=NULL daemon: select: listen=8 active_threads=0 tvp=NULL daemon: select: listen=9 active_threads=0 tvp=NULL daemon: select: listen=10 active_threads=0 tvp=NULL do_extended ber_scanf fmt ({m) ber: ber_dump: buf=0x002094f0 ptr=0x002094f3 end=0x0020950d len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037 do_extended: oid=1.3.6.1.4.1.1466.20037 send_ldap_extended: err=0 oid= len=0 send_ldap_response: msgid=1 tag=120 err=0 ber_flush: 14 bytes to sd 14 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........ ldap_write: want=14, written=14 0000: 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00 0....x........ daemon: activity on 1 descriptor daemon: activity on: 14r daemon: read activity on 14 connection_get(14) connection_get(14): got connid=6 connection_read(14): checking for input on id=6 TLS trace: SSL_accept:before/accept initialization tls_read: want=11, got=11 0000: 80 7a 01 03 01 00 51 00 00 00 20 .z....Q... tls_read: want=113, got=113 0000: 00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00 ..9..8..5....... 0010: 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 00 00 .......3..2../.. 0020: 07 05 00 80 03 00 80 00 00 05 00 00 04 01 00 80 ................ 0030: 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 ...........@.... 0040: 00 11 00 00 08 00 00 06 04 00 80 00 00 03 02 00 ................ 0050: 80 32 4e ca 88 41 1f 3a 73 cd a1 1c 29 73 a6 81 .2N..A.:s...)s.. 0060: 8c c5 af c3 af 93 bf 13 4a c7 54 90 b7 82 d2 69 ........J.T....i 0070: 2f / TLS trace: SSL_accept:SSLv3 read client hello A TLS trace: SSL_accept:SSLv3 write server hello A TLS trace: SSL_accept:SSLv3 write certificate A TLS trace: SSL_accept:SSLv3 write server done A tls_write: want=810, written=810 0000: 16 03 01 00 4a 02 00 00 46 03 01 47 b3 58 84 43 ....J...F..G.X.C 0010: c3 a5 64 a9 b5 7c 0b 8b 25 1c d6 e9 ce f2 1f 9b ..d..|..%....... 0020: 82 00 e0 6d 33 e7 e6 44 53 6c 52 20 7d 72 fe 41 ...m3..DSlR }r.A 0030: 17 4c 96 5c 5c 9c 6b df 32 0d c0 32 45 fe 7b bf .L.\\.k.2..2E.{. 0040: a9 5e 16 4b 62 ec 3b 11 76 6e ee ce 00 35 00 16 .^.Kb.;.vn...5.. 0050: 03 01 02 cd 0b 00 02 c9 00 02 c6 00 02 c3 30 82 ..............0. 0060: 02 bf 30 82 02 28 a0 03 02 01 02 02 01 01 30 0d ..0..(........0. 0070: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 30 31 ..*.H........001 0080: 14 30 12 06 03 55 04 03 13 0b 6c 64 61 70 31 2e .0...U....ldap1. 0090: 6d 79 6c 61 6e 31 18 30 16 06 09 2a 86 48 86 f7 mylan1.0...*.H.. 00a0: 0d 01 09 01 16 09 61 62 63 40 6d 79 6c 61 6e 30 ......abc@mylan0 00b0: 1e 17 0d 30 38 30 32 31 33 31 36 31 34 32 32 5a ...080213161422Z 00c0: 17 0d 31 38 30 32 31 32 31 36 31 34 32 32 5a 30 ..180212161422Z0 00d0: 30 31 14 30 12 06 03 55 04 03 13 0b 6c 64 61 70 01.0...U....ldap 00e0: 31 2e 6d 79 6c 61 6e 31 18 30 16 06 09 2a 86 48 1.mylan1.0...*.H 00f0: 86 f7 0d 01 09 01 16 09 61 62 63 40 6d 79 6c 61 ........abc@myla 0100: 6e 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 n0..0...*.H..... 0110: 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 ef 80 .......0........ 0120: 03 36 0f 1e e0 19 e7 1d 03 a9 cb 13 53 81 d6 f7 .6..........S... 0130: bf b6 e4 1c 84 38 77 bd 85 39 e6 f6 9c 50 70 82 .....8w..9...Pp. 0140: 3e 7e e0 17 e9 86 4f a3 48 8f bb 1a f1 04 92 72 >~....O.H......r 0150: bc 02 a7 dd 97 54 c1 cd 09 bd f8 d8 da 23 04 8e .....T.......#.. 0160: e7 77 de 44 f8 54 f9 5e 35 1e 05 50 71 b2 dc 25 .w.D.T.^5..Pq..% 0170: 71 7b e9 48 99 bf 93 a2 07 4e 4e 1f 1f 96 c8 b8 q{.H.....NN..... 0180: 76 21 3b fc c7 60 ab b2 4a 01 2d 8a 15 ee af e7 v!;..`..J.-..... 0190: 76 4e 50 1b 61 8f 5c a1 b3 07 4a cc 82 43 02 03 vNP.a.\...J..C.. 01a0: 01 00 01 a3 81 e8 30 81 e5 30 09 06 03 55 1d 13 ......0..0...U.. 01b0: 04 02 30 00 30 2c 06 09 60 86 48 01 86 f8 42 01 ..0.0,..`.H...B. 01c0: 0d 04 1f 16 1d 4f 70 65 6e 53 53 4c 20 47 65 6e .....OpenSSL Gen 01d0: 65 72 61 74 65 64 20 43 65 72 74 69 66 69 63 61 erated Certifica 01e0: 74 65 30 1d 06 03 55 1d 0e 04 16 04 14 18 e5 ab te0...U......... 01f0: 2a 99 96 50 78 35 71 52 a6 ad 1f 8a 53 c6 72 cd *..Px5qR....S.r. 0200: dc 30 60 06 03 55 1d 23 04 59 30 57 80 14 25 ba .0`..U.#.Y0W..%. 0210: f3 49 07 88 d2 aa 76 2f 59 fc f0 bb 08 6d b5 17 .I....v/Y....m.. 0220: f3 e8 a1 34 a4 32 30 30 31 14 30 12 06 03 55 04 ...4.2001.0...U. 0230: 03 13 0b 6c 64 61 70 31 2e 6d 79 6c 61 6e 31 18 ...ldap1.mylan1. 0240: 30 16 06 09 2a 86 48 86 f7 0d 01 09 01 16 09 61 0...*.H........a 0250: 62 63 40 6d 79 6c 61 6e 82 09 00 8e 0f 59 9d 05 bc@mylan.....Y.. 0260: 90 4f f0 30 29 06 03 55 1d 11 04 22 30 20 82 0a .O.0)..U..."0 .. 0270: 6c 64 61 70 2e 6d 79 6c 61 6e 82 12 6c 6f 61 64 ldap.mylan..load 0280: 62 61 6c 61 6e 63 65 72 2e 6d 79 6c 61 6e 30 0d balancer.mylan0. 0290: 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81 81 ..*.H........... 02a0: 00 89 b9 5b c0 9e 57 39 32 c0 55 79 d6 dd cd 55 ...[..W92.Uy...U 02b0: 2f 6c a4 7e 96 96 f8 f2 51 38 85 35 f1 a9 42 45 /l.~....Q8.5..BE 02c0: b8 f7 e4 a8 68 46 43 c5 5a d8 74 3e e8 a1 f3 25 ....hFC.Z.t>...% 02d0: a7 57 2c bd 0c a2 5d f3 ae 19 57 f6 13 f1 07 2f .W,...]...W..../ 02e0: df da 39 85 bd 0f 60 7b 98 52 8b ae 5d 7a 1a c5 ..9...`{.R..]z.. 02f0: 59 b5 6f 49 74 05 87 5f a4 72 49 7d 59 79 da 97 Y.oIt.._.rI}Yy.. 0300: 5d 01 9c e2 fb b5 42 21 19 f6 9a ef 05 5e cb 8b ].....B!.....^.. 0310: e4 b3 2a 7f f2 5e 87 73 23 ed c0 31 78 53 7e 18 ..*..^.s#..1xS~. 0320: 39 16 03 01 00 04 0e 00 00 00 9......... TLS trace: SSL_accept:SSLv3 flush data tls_read: want=5, got=5 0000: 15 03 01 00 02 ..... tls_read: want=2, got=2 0000: 02 30 .0 TLS trace: SSL3 alert read:fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept. TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053 connection_read(14): TLS accept failure error=-1 id=6, closing connection_closing: readying conn=6 sd=14 for close connection_close: conn=6 sd=14 daemon: removing 14 daemon: select: listen=7 active_threads=0 tvp=NULL daemon: select: listen=8 active_threads=0 tvp=NULL daemon: select: listen=9 active_threads=0 tvp=NULL daemon: select: listen=10 active_threads=0 tvp=NULL daemon: activity on 1 descriptor daemon: waked daemon: select: listen=7 active_threads=0 tvp=NULL daemon: select: listen=8 active_threads=0 tvp=NULL daemon: select: listen=9 active_threads=0 tvp=NULL daemon: select: listen=10 active_threads=0 tvp=NULL >>>>>>>>>>>>>>>>>>>>END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Thanks, Vinh Vinh CTR Hoang/ACT/CNTR/FAA@FAA Sent by: openldap-technical-bounces+vinh.ctr.hoang=faa.gov(a)OpenLDAP.org 02/12/2008 05:27 PM To openldap-technical(a)openldap.org cc Subject SSL Help Hi, I'm having some troubles with openldap w/ TLS. I can't seem to do a ldapsearch -x -LLL -ZZ, as it is giving be back "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" On the server side log I'm getting: TLS trace: SSL3 alert read: fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053 I've tried and tested my ssl connection using: openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile /usr/local/etc/openldap/cacert.pem and that works, althought if I use "TLSVerifyClient demand" in slapd.conf, the server will reject the connection saying that the client didn't send the certificate. I also tried the client authentication ssl test and the works w/ and w/o the TLSVerifyClient demand option: openssl s_client -connect ldap1.mylan:636 -state \ -CAfile /usr/local/etc/openldap/cacert.pem \ -cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \ -key /usr/local/etc/openldap/slapd-key-ldap1.pem Does any know what i'm doing wrong? Here are the tls part of my configs: slapd.conf .... #TLS SSL keys TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3 TLSCACertificateFile /usr/local/etc/openldap/cacert.pem TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem #TLSVerifyClient demand .... ldap.conf BASE dc=mylan HOST ldap1.mylan #URI ldaps://127.0.0.1:636 TLS_CACERT /usr/local/etc/openldap/cacert.pem ..... /etc/ldap.conf # network or connect timeouts (see bind_timelimit). host 127.0.0.1 # The distinguished name of the search base. #base dc=caplan,dc=org base dc=mylan # Another way to specify your LDAP server is to provide an # uri with the server name. This allows to use # Unix Domain Sockets to connect to a local LDAP Server. host ldap1.mylan #uri ldap://127.0.0.1/ #uri ldap://127.0.0.1/ ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. #binddn cn=NonAnon,dc=caplan,dc=org # The credentials to bind with. # Optional: default is no credential. #bindpw SeCrEt # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) #rootbinddn cn=root,dc=padl,dc=com # The port. # Optional: default is 389. port 389 .. ... .. # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 ssl start_tls #ssl on # OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is to use libldap's default behavior, which can be configured in # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". tls_checkpeer yes # CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs tls_cacertfile /usr/local/etc/openldap/cacert.pem # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key Thanks, Vinh

2 2

Question concerning the dynlist overlay and single valued attributes
by Gerd Schering 14 Feb '08

14 Feb '08

Hi, I wnt to use the dynlist overlay to collect attribute values from entries in different branches of the DIT, via a dynamic group like this: dn: cn=dynamicTestList,ou=Groups,dc=local,dc=site cn: dynamicTestList objectclass: groupOfURLs memberURL: ldap:///dc=local,dc=site?sn,persID?sub?(objectclass=*) When I query this, I via ldapsearch -x -H ldaps:/// \ -b "cn=dynamicTestList,dc=local,dc=site" -s base "(objectclass=*)" I recieve a reasonable number of "sn" values but just one for "persID", despite the fact, that there should be a lot of them. "persID" is defined SINGLE VALUE. Is this the reason for receiving just one item and if so, what can I do to circumvent this, i.e. retrieve all "persID" from matched entries? BTW, does the dynlist overlay support the "cn=config" staff? Any help will be appreciated, Gerd -- ------------------------------------------------------ -- Gerd Schering, Email: Schering(a)tubit.TU-Berlin.DE -- ------------------------------------------------------

2 2

SSL Help
by Vinh.CTR.Hoang＠faa.gov 13 Feb '08

13 Feb '08

Hi, I'm having some troubles with openldap w/ TLS. I can't seem to do a ldapsearch -x -LLL -ZZ, as it is giving be back "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" On the server side log I'm getting: TLS trace: SSL3 alert read: fatal:unknown CA TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:1053 I've tried and tested my ssl connection using: openssl s_client -connect ldap1.mylan:636 -showcerts -state -CAfile /usr/local/etc/openldap/cacert.pem and that works, althought if I use "TLSVerifyClient demand" in slapd.conf, the server will reject the connection saying that the client didn't send the certificate. I also tried the client authentication ssl test and the works w/ and w/o the TLSVerifyClient demand option: openssl s_client -connect ldap1.mylan:636 -state \ -CAfile /usr/local/etc/openldap/cacert.pem \ -cert /usr/local/etc/openldap/slapd-cert-ldap1.pem \ -key /usr/local/etc/openldap/slapd-key-ldap1.pem Does any know what i'm doing wrong? Here are the tls part of my configs: slapd.conf .... #TLS SSL keys TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:SSLv3 TLSCACertificateFile /usr/local/etc/openldap/cacert.pem TLSCertificateFile /usr/local/etc/openldap/slapd-cert-ldap1.pem TLSCertificateKeyFile /usr/local/etc/openldap/slapd-key-ldap1.pem #TLSVerifyClient demand .... ldap.conf BASE dc=mylan HOST ldap1.mylan #URI ldaps://127.0.0.1:636 TLS_CACERT /usr/local/etc/openldap/cacert.pem ..... /etc/ldap.conf # network or connect timeouts (see bind_timelimit). host 127.0.0.1 # The distinguished name of the search base. #base dc=caplan,dc=org base dc=mylan # Another way to specify your LDAP server is to provide an # uri with the server name. This allows to use # Unix Domain Sockets to connect to a local LDAP Server. host ldap1.mylan #uri ldap://127.0.0.1/ #uri ldap://127.0.0.1/ ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. #binddn cn=NonAnon,dc=caplan,dc=org # The credentials to bind with. # Optional: default is no credential. #bindpw SeCrEt # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) #rootbinddn cn=root,dc=padl,dc=com # The port. # Optional: default is 389. port 389 .. ... .. # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 ssl start_tls #ssl on # OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is to use libldap's default behavior, which can be configured in # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". tls_checkpeer yes # CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs tls_cacertfile /usr/local/etc/openldap/cacert.pem # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key Thanks, Vinh

2 1

Re: Ldap ppolicy schema entries
by Aravind Arjunan 12 Feb '08

12 Feb '08

* Am still facing issue while configuring ldap in master slave for replication. am using openldap 2.2 version. OS: RHEL 4.0 And am trying to configure master slave replication thro slurpd method. i had configured my master slapd.conf and slave slave slapd.conf. similarly i configured master and slave ldap.conf. After that i stopped the service in master and slave by [root@server ~]# service ldap stop Stopping slapd: [ OK ] Stopping slurpd: [ OK ] [root@server ~]# similarly in slave also. then i copied the database manually using slapcat [root@server openldap]# slapcat -b "dc=example,dc=com" -v -l example.com.ldif # id=00000001 # id=00000003 [root@server openldap]# scp example.com.ldif root(a)151.2.119.133 :/var/lib/ldap/example.com/ root(a)151.2.119.133's password: example.com.ldif 100% 747 0.7KB/s 00:00 [root@server openldap]# In slave : [root@slave openldap]# slapadd -b "dc=example,dc=com" -v -l example.com.ldif added: "dc=example,dc=com" (00000001) added: "cn=Manager,dc=example,dc=com" (00000002) [root@slave openldap]# but when i create a user in ldapmaster and check that user in slave,i was not able to found. there was no log in replogfile. [root@server ~]# useradd test [root@server ~]# passwd test Changing password for user test. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. [root@server ~]# In slave [root@slave openldap]# id test id: test: No such user Here is my configuration files master slapd.conf * *=============* *#######################################################################* # ldbm and/or bdb database definitions ####################################################################### * database bdb * #The base of your directory * suffix "dc=example,dc=com" * #where the database files are physically stored * directory "/var/lib/ldap/example.com" * #Distinguished name,not subject to access control * rootdn "cn=Manager,dc=example,dc=com" rootpw password * # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database * replica uri=ldap://=151.2.119.133:389 suffix="dc=example,dc=com" binddn="cn=syncuser,dc=example,dc=com" bindmethod=simple credentials=hcllch replogfile /var/lib/ldap/replogfile * #ACL's * access to attrs=userpassword by self write by anonymous auth by dn="cn=syncuser,dc=example,dc=com" read by * auth access to * by self write by dn="cn=syncuser,dc=example,dc=com" read by * read * #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM [root@server openldap]# * Slave slapd.conf ============== * ####################################################################### # ldbm and/or bdb database definitions ####################################################################### * database bdb * #The base of your directory * suffix "dc=example,dc=com" * #where the database files are physically stored #directory "/var/lib/ldap/ldap-test" #Distinguished name,not subject to access control * rootdn "cn=Manager,dc=example,dc=com" rootpw password * # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended * updatedn cn=syncuser,dc=example,dc=com updateref ldap://151.2.119.120 directory /var/lib/ldap/example.com access to attrs=userpassword by self write by anonymous auth by dn="cn=syncuser,dc=example,dc=com" write by * auth access to * by self write by dn="cn=syncuser,dc=example,dc=com" write by * read * # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM [root@slave openldap]# * Master ldap.conf ============== * # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example, dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never * host 151.2.119.120 151.2.119.133 base dc=example,dc=com binddn cn=Manager,dc=example,dc=com bindpw password bind_policy soft pam_password expo Slave ldap.conf ============== * # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example, dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never * host 151.2.119.133 151.2.119.120 base dc=example,dc=com binddn cn=Manager,dc=example,dc=com bindpw password bind_policy soft pam_password expo *

2 1

Master Slave ldap
by Aravind Arjunan 11 Feb '08

11 Feb '08

---------- Forwarded message ---------- From: Aravind Arjunan <aravind.arjunan(a)gmail.com> Date: 9 Feb 2008 11:20 Subject: Fwd: Ldap ppolicy schema entries To: openldap-technical(a)openldap.org ---------- Forwarded message ---------- From: Aravind Arjunan <aravind.arjunan(a)gmail.com> Date: 9 Feb 2008 11:19 Subject: Re: Ldap ppolicy schema entries To: Buchan Milne <bgmilne(a)staff.telkomsa.net> Am trying to confiure the ldap in master-slave It was mentioned in the document that after configuring the master and slave slapd.conf file for replication, shutdown the master slapd,so you can copy the database. I cant understand in this part,how to copy the database. where to copy?tell me how to check that my slave slapd is working? wheather by giving ldapsearch command in slave instance or by any other. am attaching the master and slave conf file for reference,please mention me if there is any mistake.

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2008