openldap-technical June 2008

openldap-technical@openldap.org

73 participants
83 discussions

OpenLDAP & Thunderbird with SSL
by Erik Lotspeich 08 Jun '08

08 Jun '08

Hi: I have OpenLDAP set up and working such that Thunderbird can access my addressbook without SSL or authentication. This part is good, but I want to move to the next level. My OpenLDAP server (slapd) is set up with SASL authentication (using the PLAIN method) and a self-signed certificate. The slapd command line is: /usr/local/libexec/slapd -h ldap:/// ldaps:/// When I connect to my OpenLDAP server using an OpenLDAP client such as ldapsearch, everything works (I have my self-generated CA cert as part of my system's ca-bundle): ldapsearch -ZZ -b 'ou=xxx, dc=yyy,dc=zzz' '(objectclass=*)' ldapsearch prompts for authentication and returns the contents of my addressbook: SASL/PLAIN authentication started Please enter your password: SASL username: erik SASL SSF: 0 # extended LDIF # # LDAPv3 # base <ou=xxx, dc=yyy,dc=zzz> with scope subtree # filter: (objectclass=*) # requesting: ALL # . . . When I enable SSL in Thunderbird, Thunderbird is unable to connect. I know using tcpdump that it's attempting a connection on the SSL port, but is failing and giving up somewhere. Is this a known issue? In slapd.conf I'm not requiring authentication at the moment. I will require authentication once I get the SSL working; since I'm using PLAIN, I don't want to allow non-SSL authentication. Any help would be greatly appreciated. Regards, Erik.

1 0

slapcat: symbol lookup error ldap_pvt_sasl_mutex_unlock
by M. Todd Smith 07 Jun '08

07 Jun '08

Hello all, I'm currently looking at upgrading my LDAP server from version 2.3.19. In trying to slapcat my db from the old machine I am getting the following error: slapcat: symbol lookup error: slapcat: undefined symbol: ldap_pvt_sasl_mutex_unlock I get this error whenever I attempt to use any of the slap tools. There is a little noise on the web in regards to the ldap_pvt_sasl_mutex_unlock but nothing definitive that I can find. I am going to replicate the db if possible and see if I can slapcat them from a different machine. Barring that however it would be good to be able to solve this from the original perspective. Any ideas? Many thanks in advance. Cheers Todd Systems Administrator -- Soho VFX 99 Atlantc Ave. Suite 303 Toronto, Ontario M6K-3J8 (416)516-7863 x240

1 0

Password policy questions
by Vincent Panel 07 Jun '08

07 Jun '08

Hi list, I'd like to do something rather simple (at least to me) with password policy : * Ensure the userPassword is 6 characters long at least * Ensure there's at least onenumber * Ensure there's at least one uppercase character I found out my first condition can be set by using the pwdMinLength attribute and the ppolicy overlay, but what should I do for the other two ? If it implies using pwdCheckModule and writing a C function and plugging it into openldap then I find it rather difficult for an ldap administrator just wanting to enforce policies... Is there any plan to make things easier, like having openldap providing 2 or 3 default C functions for this module ? Finally, why is it taking so long for the IETF to approve the ppolicy draft published in 2001 ? Has the effort been abandonned ? Thanks, Vincent

2 2

Trouble authenticating using OSX 10.4 and Openldap 2.4
by Donald Thompson 06 Jun '08

06 Jun '08

I have an openldap 2.4 authentication system, that works smoothly with many versions of linux, and OSX 10.5. But I can't get OSX 10.4 to authenticate with it. I was previously using openldap 2.0.27 with an identical setup, and 10.4 was able to authenticate with it. I can su to user accounts that are in the ldap database, but when I'm required to enter a password for the user, the authentication fails. Heres the relevant section from my logfile when I try to authenticate: Jun 6 16:03:58 owl slapd[10661]: conn=22 op=20 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=dthomp))(|(cn=dthomp))))" Jun 6 16:03:58 owl slapd[10661]: conn=22 op=20 SRCH attr=uid cn Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:58 owl slapd[10661]: conn=22 op=20 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))" Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SRCH attr=userPassword Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:58 owl slapd[10661]: conn=22 op=22 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))" Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:58 owl slapd[10661]: conn=22 op=22 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:58 owl slapd[10661]: conn=35 fd=20 ACCEPT from IP=192.168.1.145:49405 (IP=0.0.0.0:636) Jun 6 16:03:58 owl slapd[10661]: conn=35 fd=20 closed (TLS negotiation failure) Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 ACCEPT from IP=192.168.1.145:49406 (IP=0.0.0.0:636) Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 TLS established tls_ssf=32 ssf=32 Jun 6 16:03:59 owl slapd[10661]: conn=36 op=0 BIND dn="" method=163 Jun 6 16:03:59 owl slapd[10661]: conn=36 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: Jun 6 16:03:59 owl slapd[10661]: conn=36 op=1 BIND dn="" method=163 Jun 6 16:03:59 owl slapd[10661]: SASL [conn=36] Failure: no secret in database Jun 6 16:03:59 owl slapd[10661]: conn=36 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database Jun 6 16:03:59 owl slapd[10661]: conn=36 op=2 UNBIND Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 closed Jun 6 16:03:59 owl slapd[10661]: conn=22 op=23 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=dthomp))(|(cn=dthomp))))" Jun 6 16:03:59 owl slapd[10661]: conn=22 op=23 SRCH attr=uid cn Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:59 owl slapd[10661]: conn=22 op=23 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:59 owl slapd[10661]: conn=22 op=24 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))" Jun 6 16:03:59 owl slapd[10661]: conn=22 op=24 SRCH attr=userPassword Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:59 owl slapd[10661]: conn=22 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:59 owl slapd[10661]: conn=22 op=25 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))" Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:59 owl slapd[10661]: conn=22 op=25 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:59 owl slapd[10661]: conn=37 fd=20 ACCEPT from IP=192.168.1.145:49407 (IP=0.0.0.0:636) Jun 6 16:03:59 owl slapd[10661]: conn=37 fd=20 closed (TLS negotiation failure) Jun 6 16:03:59 owl slapd[10661]: conn=38 fd=20 ACCEPT from IP=192.168.1.145:49408 (IP=0.0.0.0:636) Jun 6 16:03:59 owl slapd[10661]: conn=38 fd=20 TLS established tls_ssf=32 ssf=32 Jun 6 16:03:59 owl slapd[10661]: conn=38 op=0 BIND dn="" method=163 Jun 6 16:03:59 owl slapd[10661]: conn=38 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: Jun 6 16:03:59 owl slapd[10661]: conn=38 op=1 BIND dn="" method=163 Jun 6 16:03:59 owl slapd[10661]: SASL [conn=38] Failure: no secret in database Jun 6 16:03:59 owl slapd[10661]: conn=38 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database Jun 6 16:03:59 owl slapd[10661]: conn=38 op=2 UNBIND Jun 6 16:03:59 owl slapd[10661]: conn=38 fd=20 closed I'm not sure why its trying to use sasl to authenticate, or even sure if thats the problem. I ended up creating an empty sasl database, because originally it kept trying to open one that wasn't there. Do I have to do some king of mapping from the sasl database to ldap?

1 0

can syncrepl do this?
by Stefano Zanmarchi 06 Jun '08

06 Jun '08

Hi, I need to replicate in my local openldap server all the entries in a given subtree of a remote openldap server, but the two DITs differ. That means I'd like to replicate all entries under "dc=people,dc=A,dc=it" (remote server) to "dc=employees,dc=B,dc=it" (local server). Can syncrepl do that? Or is there another way to obtain this? Any help is greatly appreciated, thanks a lot, Stefano

1 0

Password Policy and SASL DIGEST-MD5
by alessandro patrissi 06 Jun '08

06 Jun '08

Hi everyone, I'm using openldap-2.4.8 and cyrus-sasl-2.1.22. I've enabled password policy in my OpenLdap Server and I've seen that when I authenticate myself using SASL DIGEST-MD5 I can make any searches even if my account is locked. In fact I have the following results: ./ldapsearch -b 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -D 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -x -W -e ppolicy '(objectClass=*)' Enter LDAP Password: ldap_bind: Invalid credentials (49); Account locked ./ldapsearch -b 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -W -Y DIGEST-MD5 -U apatrissi '(objectClass=*)' DIGEST-MD5 -U apatrissi '(objectClass=*)' Enter LDAP Password: SASL/DIGEST-MD5 authentication started SASL username: apatrissi SASL SSF: 128 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <uid=apatrissi,ou=people,dc=my-domain,dc=com> with scope subtree # filter: (objectClass=*) # requesting: ALL # # apatrissi, people, my-domain.com dn: uid=apatrissi,ou=people,dc=my-domain,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson ou: people cn: Alessandro Patrissi givenName: Alessandro sn: Patrissi uid: apatrissi userPassword:: YWxleA== mail: alessandro.patrissi(a)commprove.com telephoneNumber: +0039 description: test LDAP # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1 Where I can look to solve the problem? Thanks a lot, Alessandro Patrissi

1 0

sasl problem with Scientific Linux / RedHat but not with debian ?!
by Bjørn Nachtwey 05 Jun '08

05 Jun '08

Dear all, I set up a ldap server and want to use sasl/kerberos5 for authetification. well, using debian/etch it works fine. using scientific linux 5.1 (SL5.1) it does not work, not even testsaslauthd works. the configuration of both systems is the same, besides hostname gives on debian just the name and on SL5.1 the FQN. i also tried to compile cyrus/sasl from sources -- just the same. sl being a clone of RHEL, does anyone have the same problem? does anyone have any idea? thanks & best regards, Bjørn -- ######################################################################## Dipl.-Ing. Bjørn Nachtwey Technische Universität Carolo-Wilhelmina zu Braunschweig Gauss-IT-Zentrum (GITZ) -- Abteilung Server Hans-Sommer-Straße 65, 38106 Braunschweig Telephon: +49 (0)531 / 391 - 5535 TeleFax: +49 (0)531 / 391 - 5549 http://www.tu-braunschweig.de/it mailto: b.nachtwey(a)tu-bs.de mailto: c0034031(a)tu-bs.de ######################################################################## PGP-Schluessel: http://www-public.tu-bs.de:8080/~nachtwey/bjoern_nachtwey.asc PGP-Fingerprint: B472 526A A903 4AEB 9269 EC0B 9CDE 7465 CE87 ########################################################################

2 3

slapd-meta question
by danz＠wustl.edu 04 Jun '08

04 Jun '08

We have a scenario that I’m hoping OpenLDAP can offer a solution to. We are in the process of transitioning from one ldap authentication source to another for several of our applications. During the transition we need to be able to authenticate users against one of two different ldap services. Unfortunately our applications do not support the capability to try authentication against multiple services. Would an OpenLDAP setup be able to take the authentication request and attempt to validate it against 2 different backends? I should note that each of the ldap backends would have different OU structures and that a given userID would not exist in both backends. Based on the slapd-meta man page SCENARIOS section it looks as though this may be possible. The examples don't illustrate whether or not the OU structures need to be the same between the backends. Any help would be greatly appreciated! Regards, Dan

4 5

ACLs Seem to Have No Effect
by nick＠ndmckinney.net 04 Jun '08

04 Jun '08

I am having some difficulty setting up the ACLs on my OpenLDAP server (2.4.8). No matter what I change, the ACL rules I write into my slapd.conf file seem to have no effect at all. I have followed the FAQ here to try to set a simple password change ACL: http://www.openldap.org/faq/data/cache/320.html As well as another to try to block Anonymous binds: http://www.openldap.org/faq/data/cache/318.html But neither seem to have any effect at all. My present slapd.conf ACLs are as follows: --- access to attrs=userPassword by self =xw by anonymous auth # allow only rootdn to read the monitor access to * by self write by anonymous none by users read --- Is there some other part of the configuration that might disable ACLs.

4 4

Re: slapd-meta question
by Gavin Henry 04 Jun '08

04 Jun '08

<quote who="Pierangelo Masarati"> > Gavin Henry wrote: > >> I can't see Ando's example in this thread? > > My fault: during a mail migration, my address got automatically > rewritten from ando(a)sys-net.it to the canonical > pierangelo.masarati(a)sys-net.it, which is not the address I used when > subscribing to the mailing list. I think the problem is now fixed > (hopefully :) > > Ah, makes sense now. I thought I was going mad ;-) -- Kind Regards, Gavin Henry. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP.

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2008