openldap-technical July 2008

openldap-technical@openldap.org

67 participants
78 discussions

slapd was refusing connections from local clients
by Haim [Howard] Roman 15 Jul '08

15 Jul '08

I had a strange situation where the slapd would accept connections from other machines, but not from the local host. It didn't matter whether the local client program was the RADIUS server or ldapsearch. According to netstat & lsof, slapd was listening on all interfaces. Setup: * CentOS release 4.6 * slapd 2.2.13 (Jul 11 2008 09:16:05) (CentOS package) * This slapd maintains a replica data base. (The slapd on the master server is slapd 2.3.35, Jun 11 2007, running on Solaris 10.) * FreeRADIUS Version 1.0.1, built on May 10 2007 -- it uses the local slapd to get user names & passwords. Yesterday we had a power outage, and the UPS didn't work :-( Someone suggested that maybe things came up in the wrong order & that a reboot would help. And the reboot did indeed solve the problem. But I'd still like to know what happened. Before the reboot, I even tried turning on the following log levels (in /etc/slapd.conf): loglevel conns config stats sync packets BER ACL none But I really couldn't find any messages that helped me understand *why* I had this strange problem. Any suggestions, or even pointers on how to find out? Thanks. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Haim (Howard) Roman Computer Center, Jerusalem College of Technology roman(a)jct.ac.il Phone: 052-8-592-599 (6022 from within Machon Lev)

1 0

Convert Fedora-DS LDIF to OpenLDAP?
by John Oliver 15 Jul '08

15 Jul '08

Google hasn't helped... I only found something to go the other way. And I didn't see this addressed in the FAQ, either. -- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * ***********************************************************************

5 5

Changing password from squirrelmail
by Aravind Arjunan 12 Jul '08

12 Jul '08

hi, I had configured openldap 2.3 in RHEL 5 operating system, and my squirrel mail is running in RHEL 4. I had integrated these two for address book synchronization. Its working fine .In my squirrelmail options i had change password option. I can able to chang the password by giving the old password and typing new password. SO that it will automatically changed in openldap database also for a particular user. But when am trying to change the password am getting error, *"Your login account was not found in the LDAP database, cannot change password!"*

1 0

Newbie OpenLDAP woes
by Kristen Walker 11 Jul '08

11 Jul '08

Hi everyone, I am new to OpenLDAP and this list. I joined because I am trying to set up an OpenLDAP server so that Moodle and ELGG can authenticate users from the LDAP server. It is a little more difficult than I thought it would be, and I am running into some frustrating problems that I don't understand. I am hoping someone here might be able to help. I am using Ubuntu and using the book Mastering OpenLDAP as my guide. I have the server set up, edited config files and installed phpldapadmin to make things a little easier for me. I added my first entries but do not see them when I do a search, and nothing appears under my base in phpldapadmin (see attached screen shot). I don't get any complaints when I add the entries from my .ldif file, so I just don't understand why they don't seem to end up in my directory. If I do this command, sudo slapcat -a '(uid=barbara)' , the result is: dn: ou: Users uid: barbara sn: Jensen cn: Barbara Jensen givenName: Barbara displayName: Barbara Jensen mail: barbara(a)example.com userPassword:: c2VjcmV0 objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson structuralObjectClass: inetOrgPerson entryUUID: 8565f97e-e25b-102c-828c-238ab0ab2691 creatorsName: cn=Manager,dc=example,dc=com modifiersName: cn=Manager,dc=example,dc=com createTimestamp: 20080709233555Z modifyTimestamp: 20080709233555Z entryCSN: 20080709233555Z#000005#00#000000 So, it seems like there is a user with uid barbara in the directory. But if I try using ldapsearch to find that user, and I use this command, ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -b 'ou=Users,dc=example,dc=com' -LLL '(userID=barbara)' + I get this: No such object (32) Also, it seems like I can't connect to my database unless I do an anonymous bind. When I try typing in a password to login to phpldapadmin it rejects my credentials and the same thing when I try using -w with a password on the command line. Thanks so much for any and all help in advance! -Kristen -- Kristen Walker Digital Media Resources Developer Instructional Media Services Santa Barbara County Education Office 4400 Cathedral Oaks Road P.O. Box 6307 Santa Barbara, CA 93160-6307 (805)964-4711 ext. 5244/FAX (805)683-3597 kwalker(a)sbceo.org http://www.sbceoportal.org

5 8

Problems using OpenLPAP for authentification of users: Client library issues STARTTLS but TLS is not configured
by Jörg Spilker 10 Jul '08

10 Jul '08

Hi, well, i don´t know what i´m doing wrong. I just want to authenticate unix and windows users against OpenLDAP Database. I followed some howtos to setup openldap, winbind etc. and nearly everything seems just fine. But authenticating unix users finally doesn´t work. I´ve attached the syslog output. START TLS extension not supportet. This is true, as i haven´t configured OpenLPAP for TLS. But my LDAP client configuration doesn´t specify an LDAPS URL. So what´s going wrong? Greeting, Jörg # # This is the configuration file for the LDAP nameservice # switch library, the LDAP PAM module and the shadow package. # # Your LDAP server. Must be resolvable without using LDAP. URI ldap://localhost # The distinguished name of the search base. base dc=jetsys,dc=de # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 # Don't try forever if the LDAP server is not reacheable bind_policy soft # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn cn=Manager,dc=jetsys,dc=de # The credentials to bind with. # Optional: default is no credential. bindpw XXXXXXXXX # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) rootbinddn cn=Manager,dc=jetsys,dc=de Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 fd=23 ACCEPT from IP=127.0.0.1:15332 (IP=0.0.0.0:389) Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037" Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 RESULT tag=120 err=2 text=unsupported extended operation Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=1 UNBIND Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 fd=23 closed Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 fd=23 ACCEPT from IP=127.0.0.1:15333 (IP=0.0.0.0:389) Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037" Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 RESULT tag=120 err=2 text=unsupported extended operation Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=1 UNBIND Jul 9 07:32:27 xdaolin slapd[2241]: conn=703 fd=23 closed Jul 9 07:32:27 xdaolin getent: nss_ldap: could not search LDAP server - Server is unavailable

3 3

LDAP binding failure to Active Directory using certificates
by Clayton Tucker 10 Jul '08

10 Jul '08

Greetings: I'm wondering if anyone has had any experience with this problem. I am endevouring to use ldapmodify (from OpenLDAP 2.3) to connect to a domain controller (named intacta) in our Active Directory forest and perform account management operations. For this purpose, the bind to the AD's LDAP must provide credentials of a user with the rights to manage accounts in the domain in question. I'm attempting to perform the authentication using certificates generated by a certificate authority which we have established on a domain controller in the forest root domain of our AD (not the same domain as the domain where we are trying to perform account management but is the same forest). The bind account is named test_account_manager and the user certificate CSCFForestAccount.cer (listed below) is name mapped to the account. All domain controllers in the forest have domain controller certificates distributed to them from the forest's certificate authority. Below is the content of my .ldaprc file on the Solaris 8 host where I'm attempting to run ldapmodify. As stated above, the TLS_CERT certificate is name mapped to the test_account_manager account in the AD. The account of coarse, has a password but the key file has no access password as I believe is necessary for the current version of openldap. TLS_CACERT /u/ctucker/LDAP_Cert/CSCFTrustedCA.pem.cer TLS_CERT /u/ctucker/LDAP_Cert/CSCFForestAccount.cer TLS_KEY /u/ctucker/LDAP_Cert/private_test1.pem TLS_REQCERT demand Below is the output of an ldapmodify command run on the Solaris 8 host. When this command is run entries confirming the logon of the test_account_manager account appear in the security event logs of the domain controller intacta as a successful logon. This suggests that the connection was properly authenticated by the certificates for the user test_account_manager. However, the subsequent binding to LDAP fails with the error "Authentication method not supported" Any help with this persistent problem would be greatly appriciated. Thanks. Clayton % ldapmodify -d13 -H ldaps://intacta.cs.uwaterloo.ca/ ldap_create ldap_url_parse_ext(ldaps://intacta.cs.uwaterloo.ca/) ldap_pvt_sasl_getmech ldap_search put_filter: "(objectclass=*)" put_filter: simple put_simple_filter: "objectclass=*" ldap_build_search_req ATTRS: supportedSASLMechanisms ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP intacta.cs.uwaterloo.ca:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 129.97.152.158:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA, issuer: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA TLS certificate verification: depth: 0, err: 0, subject: /CN=intacta.cs.uwaterloo.ca, issuer: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write certificate verify A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:SSLv3 read finished A ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush: 64 bytes to sd 3 ldap_result ld 30748 msgid 1 ldap_chkResponseList ld 30748 msgid 1 all 1 ldap_chkResponseList returns ld 30748 NULL wait4msg ld 30748 msgid 1 (infinite timeout) wait4msg continue ld 30748 msgid 1 all 1 ** ld 30748 Connections: * host: intacta.cs.uwaterloo.ca port: 636 (default) refcnt: 2 status: Connected last used: Thu Jul 10 09:50:43 2008 ** ld 30748 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ** ld 30748 Response Queue: Empty ldap_chkResponseList ld 30748 msgid 1 all 1 ldap_chkResponseList returns ld 30748 NULL ldap_int_select read1msg: ld 30748 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 96 contents: read1msg: ld 30748 msgid 1 message type search-entry ber_get_next ber_get_next: tag 0x30 len 16 contents: read1msg: ld 30748 msgid 1 message type search-result ber_scanf fmt ({eaa) ber: read1msg: ld 30748 0 new referrals read1msg: mark request completed, ld 30748 msgid 1 request done: ld 30748 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 adding response ld 30748 msgid 1 type 101: ldap_parse_result ber_scanf fmt ({iaa) ber: ber_scanf fmt (}) ber: ldap_get_values ber_scanf fmt ({x{{a) ber: ber_scanf fmt ([v]) ber: ldap_msgfree ldap_sasl_interactive_bind_s: server supports: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5 ldap_int_sasl_bind: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5 ldap_int_sasl_open: host=intacta.cs.uwaterloo.ca => ldap_dn2bv(16) <= ldap_dn2bv(CN=test_account_manager,OU=Test User,OU=Unassigned,DC=cs,DC=uwaterloo,DC=ca)=0 SASL/EXTERNAL authentication started ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush: 26 bytes to sd 3 ldap_result ld 30748 msgid 2 ldap_chkResponseList ld 30748 msgid 2 all 1 ldap_chkResponseList returns ld 30748 NULL wait4msg ld 30748 msgid 2 (infinite timeout) wait4msg continue ld 30748 msgid 2 all 1 ** ld 30748 Connections: * host: intacta.cs.uwaterloo.ca port: 636 (default) refcnt: 2 status: Connected last used: Thu Jul 10 09:50:43 2008 ** ld 30748 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ** ld 30748 Response Queue: Empty ldap_chkResponseList ld 30748 msgid 2 all 1 ldap_chkResponseList returns ld 30748 NULL ldap_int_select read1msg: ld 30748 msgid 2 all 1 ber_get_next ber_get_next: tag 0x30 len 103 contents: read1msg: ld 30748 msgid 2 message type bind ber_scanf fmt ({eaa) ber: read1msg: ld 30748 0 new referrals read1msg: mark request completed, ld 30748 msgid 2 request done: ld 30748 msgid 2 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_sasl_bind_result ber_scanf fmt ({eaa) ber: ldap_msgfree ldap_perror ldap_sasl_interactive_bind_s: Authentication method not supported (7) additional info: 00002027: LdapErr: DSID-0C090499, comment: Invalid Authentication method, data 0, vece

1 1

problem with openldap ssl client
by Sambuddho Chakravarty 10 Jul '08

10 Jul '08

Hello I have an openldap server running slapd on 636 (LDAPS) . When I connect from a ldap browser , I am able to successfully browse the database. However when I try to connect from a linux client machine (Ubuntu Server 8.04) I am not able to connect to the ldaps. However regular ldap works fine. The /etc/ldap.conf looks like this ssl start_tls ssl on tls_checkpeer tes tls_cacertdir /etc/ldap/cacerts tls_cacertfile /etc/ldap/cacert/cacert.pem #server IP uri ldaps://30.0.0.2/ pam_password md5 base dc=example,dc=com The /etc/ldap/ldap.conf file is like this URI ldaps://30.0.0.2/ TLS_CACERTDIR /etc/ldap/cacerts TLS_CACERT /etc/ldap/cacerts/cacert.pem HOST 30.0.0.2 BASE dc=example,dc=com The same configuration (with approprirate changes - replacing ldaps with ldap and so on) works fine for regular ldap. But the problem is the ldaps. When ldaps client is enabled and I do a getent passed , the /var/log/auth.log looks like this Jul 7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server... Jul 7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)... Jul 7 23:57:47 host3 getent: nss_ldap: could not search LDAP server - Server is unavailable Jul 7 23:58:18 host3 getent: nss_ldap: reconnecting to LDAP server... Please suggest where I could have gone wrong. Any suggestions would be really appreciated. Thanks Sambuddho

5 8

Re: problem with openldap ssl client
by Pat Riehecky 09 Jul '08

09 Jul '08

On Tue, 2008-07-08 at 16:45 -0400, Sambuddho Chakravarty wrote: > Hello Pat > I think I am . I did apt-get update and tried a apt-get install > libnss-ldap and it said you already have the latest packages. > Ok, one more thing to check what does the output of apt-get -f dist-upgrade report? Pat > Thanks > Sambuddho > On Tue, 2008-07-08 at 15:39 -0500, Pat Riehecky wrote: > > On Tue, 2008-07-08 at 00:06 -0400, Sambuddho Chakravarty wrote: > > > Hello > > > I have an openldap server running slapd on 636 (LDAPS) . When I connect > > > from a ldap browser , I am able to successfully browse the database. > > > However when I try to connect from a linux client machine (Ubuntu Server > > > 8.04) I am not able to connect to the ldaps. However regular ldap works > > > fine. > > > > There was a problem with the original 8.04 ldap packages (I think it was > > actually gnutls related but memory fails). Are you on the latest and > > greatest packages? > > > > Pat > > > >

2 2

Importing data from SunLDAP to OpenLDAP
by Jayesh Kamdar 09 Jul '08

09 Jul '08

I just set up OpenLDAP instance and would like to export data from my SunLDAP and import into my OpenLDAP instance. How do I go about it? My main concern is, how do I make sure that the exported files' field will match and import properly in my OpenLDAP database. Please let me know, if any of you have gone through migration from SunLDAP to OpenLDAP and have any pointers for me. Thanks. Jayesh Kamdar jkamdar(a)yahoo.com

3 2

Setting up "slave" OpenLDAP server
by John Oliver 08 Jul '08

08 Jul '08

I know nothing about LDAP / OpenLDAP. With that out of the way... I have a CentOS 5 machine running openldap-2.3.27-8 I just built a CentOS 5.2 machine with openldap-2.3.27-8.el5_1.3 My goal is to have the LDAP on the first machine synch with, and stay synched to, the LDAP on the second machine, so if the first machine dies I can bring up an interface with it's IP on the second and get authentication working again. I've Googled "LDAP replication" and "LDAP synchronization". Both terms lead me to a variety of papers that have a variety of ideas of how this should be done, and some have diagrams of convoluted networks involving multiple load balancers, etc. Since I know nothing about LDAP or OpenLDAP, it is very difficult for me to evaluate what I'm seeing... is this way "best", but because it's part of a globe-spanning install with hundreds of thousands of users? I'm hoping for a pointer to a nice, simple document that doesn't pre-suppose any depth of knowledge and isn't part of a Holy War over which method of doing this confers the greatest bragging rights :-) -- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * ***********************************************************************

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2008