slapd was refusing connections from local clients
by Haim [Howard] Roman
I had a strange situation where the slapd would accept connections from
other machines, but not from the local host. It didn't matter whether
the local client program was the RADIUS server or ldapsearch. According
to netstat & lsof, slapd was listening on all interfaces.
Setup:
* CentOS release 4.6
* slapd 2.2.13 (Jul 11 2008 09:16:05) (CentOS package)
* This slapd maintains a replica database. (The slapd on the
master server is slapd 2.3.35, Jun 11 2007, running on Solaris 10.)
* FreeRADIUS Version 1.0.1, built on May 10 2007 -- it uses the
local slapd to get user names & passwords.
Yesterday we had a power outage, and the UPS didn't work :-( Someone
suggested that maybe things came up in the wrong order & that a reboot
would help. And the reboot did indeed solve the problem.
But I'd still like to know what happened. Before the reboot, I even
tried turning on the following log levels (in /etc/slapd.conf):
loglevel conns config stats sync packets BER ACL none
But I really couldn't find any messages that helped me understand *why*
I had this strange problem.
Any suggestions, or even pointers on how to find out? Thanks.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Haim (Howard) Roman
Computer Center, Jerusalem College of Technology
roman(a)jct.ac.il
Phone: 052-8-592-599 (6022 from within Machon Lev)
15 years, 4 months
Convert Fedora-DS LDIF to OpenLDAP?
by John Oliver
Google hasn't helped... I only found something to go the other way. And
I didn't see this addressed in the FAQ, either.
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
15 years, 4 months
Changing password from squirrelmail
by Aravind Arjunan
Hi,
I have configured OpenLDAP 2.3 on a RHEL 5 system, and my SquirrelMail
is running on RHEL 4. I have integrated the two for address book
synchronization, and that is working fine. In my SquirrelMail options I
have a change-password option: I am able to change the password by
giving the old password and typing a new one, so that it is also
changed automatically in the OpenLDAP database for that particular user.
But when I try to change the password I get the error:
*"Your login account was not found in the LDAP database, cannot change
password!"*
15 years, 4 months
Newbie OpenLDAP woes
by Kristen Walker
Hi everyone,
I am new to OpenLDAP and this list. I joined because I am trying to set up
an OpenLDAP server so that Moodle and ELGG can authenticate users from the
LDAP server. It is a little more difficult than I thought it would be, and
I am running into some frustrating problems that I don't understand. I am
hoping someone here might be able to help.
I am using Ubuntu and using the book Mastering OpenLDAP as my guide.
I have the server set up, edited config files and installed phpldapadmin to
make things a little easier for me. I added my first entries but do not see
them when I do a search, and nothing appears under my base in phpldapadmin
(see attached screen shot). I don't get any complaints when I add the
entries from my .ldif file, so I just don't understand why they don't seem
to end up in my directory.
If I run this command, sudo slapcat -a '(uid=barbara)', the result is:
dn:
ou: Users
uid: barbara
sn: Jensen
cn: Barbara Jensen
givenName: Barbara
displayName: Barbara Jensen
mail: barbara(a)example.com
userPassword:: c2VjcmV0
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
structuralObjectClass: inetOrgPerson
entryUUID: 8565f97e-e25b-102c-828c-238ab0ab2691
creatorsName: cn=Manager,dc=example,dc=com
modifiersName: cn=Manager,dc=example,dc=com
createTimestamp: 20080709233555Z
modifyTimestamp: 20080709233555Z
entryCSN: 20080709233555Z#000005#00#000000
So, it seems like there is a user with uid barbara in the directory. But if
I try using ldapsearch to find that user, and I use this command,
ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -b 'ou=Users,dc=example,dc=com' -LLL '(userID=barbara)' +
I get this:
No such object (32)
Also, it seems like I can't connect to my database unless I do an anonymous
bind. When I try typing in a password to login to phpldapadmin it rejects
my credentials and the same thing when I try using -w with a password on the
command line.
Thanks so much for any and all help in advance!
-Kristen
--
Kristen Walker
Digital Media Resources Developer
Instructional Media Services
Santa Barbara County Education Office
4400 Cathedral Oaks Road
P.O. Box 6307
Santa Barbara, CA 93160-6307
(805)964-4711 ext. 5244/FAX (805)683-3597
kwalker(a)sbceo.org
http://www.sbceoportal.org
15 years, 4 months
Problems using OpenLDAP for authentication of users: Client library issues STARTTLS but TLS is not configured
by Jörg Spilker
Hi,
well, I don't know what I'm doing wrong. I just want to authenticate
Unix and Windows users against an OpenLDAP database. I followed some howtos
to set up OpenLDAP, winbind etc. and nearly everything seems just fine.
But authenticating Unix users finally doesn't work. I've attached the
syslog output: START TLS extension not supported. This is true, as I
haven't configured OpenLDAP for TLS. But my LDAP client configuration
doesn't specify an LDAPS URL. So what's going wrong?
Greetings, Jörg
#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#
# Your LDAP server. Must be resolvable without using LDAP.
URI ldap://localhost
# The distinguished name of the search base.
base dc=jetsys,dc=de
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# Don't try forever if the LDAP server is not reachable
bind_policy soft
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=Manager,dc=jetsys,dc=de
# The credentials to bind with.
# Optional: default is no credential.
bindpw XXXXXXXXX
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=jetsys,dc=de
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 fd=23 ACCEPT from IP=127.0.0.1:15332 (IP=0.0.0.0:389)
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 RESULT tag=120 err=2 text=unsupported extended operation
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=1 UNBIND
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 fd=23 closed
Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 fd=23 ACCEPT from IP=127.0.0.1:15333 (IP=0.0.0.0:389)
Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=0 RESULT tag=120 err=2 text=unsupported extended operation
Jul 9 07:32:26 xdaolin slapd[2241]: conn=703 op=1 UNBIND
Jul 9 07:32:27 xdaolin slapd[2241]: conn=703 fd=23 closed
Jul 9 07:32:27 xdaolin getent: nss_ldap: could not search LDAP server - Server is unavailable
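As an added example (not part of the original post), a small Python script that reads slapd "conns stats" log lines like the ones above and reports connections whose StartTLS request (extended operation OID 1.3.6.1.4.1.1466.20037) the server refused, which is exactly what a client configured for StartTLS produces against a slapd with no TLS set up. The sample log is constructed from the quoted lines, with a second, successful connection from a made-up client address added for contrast.

```python
import re

# StartTLS extended operation OID as it appears in slapd "EXT oid=" log lines.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed sample, modelled on the slapd log lines quoted in the post.
# conn=702 mirrors the failing client; conn=704 is an invented success case.
SAMPLE_LOG = """\
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 fd=23 ACCEPT from IP=127.0.0.1:15332 (IP=0.0.0.0:389)
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=0 RESULT tag=120 err=2 text=unsupported extended operation
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 op=1 UNBIND
Jul 9 07:32:26 xdaolin slapd[2241]: conn=702 fd=23 closed
Jul 9 07:33:01 xdaolin slapd[2241]: conn=704 fd=24 ACCEPT from IP=10.0.0.5:40211 (IP=0.0.0.0:389)
Jul 9 07:33:01 xdaolin slapd[2241]: conn=704 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jul 9 07:33:01 xdaolin slapd[2241]: conn=704 op=0 RESULT tag=120 err=0 text=
Jul 9 07:33:01 xdaolin slapd[2241]: conn=704 op=1 BIND dn="cn=Manager,dc=jetsys,dc=de" method=128
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
EXT_RE = re.compile(r"conn=(\d+) op=(\d+) EXT oid=(\S+)")
# RESULT lines carry either "tag=NNN" or "oid=..." before err=; accept both.
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT \S+ err=(\d+)(?: text=(.*))?")


def starttls_outcomes(log_text):
    """Map conn id -> (client_ip, err, text) for every connection that sent StartTLS."""
    clients = {}   # conn id -> client IP, from the ACCEPT line
    pending = set()  # (conn, op) pairs that were StartTLS requests awaiting a RESULT
    outcomes = {}
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            clients[m.group(1)] = m.group(2)
        elif m := EXT_RE.search(line):
            if m.group(3) == STARTTLS_OID:
                pending.add((m.group(1), m.group(2)))
        elif m := RESULT_RE.search(line):
            conn, op, err, text = m.groups()
            if (conn, op) in pending:
                pending.discard((conn, op))
                outcomes[conn] = (clients.get(conn, "?"), int(err), text or "")
    return outcomes


def rejected_starttls(log_text):
    """Connections whose StartTLS was refused (err != 0): the client wants TLS, the server has none."""
    return {c: v for c, v in starttls_outcomes(log_text).items() if v[1] != 0}


if __name__ == "__main__":
    for conn, (ip, err, text) in rejected_starttls(SAMPLE_LOG).items():
        print(f"conn={conn} from {ip}: StartTLS refused, err={err} {text}")
```

Run over a real slapd log with loglevel stats, a non-empty result from rejected_starttls() means some client is configured to upgrade to TLS while the server is not, which is the mismatch the post describes.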
15 years, 4 months
LDAP binding failure to Active Directory using certificates
by Clayton Tucker
Greetings:
I'm wondering if anyone has had any experience with this problem.
I am endeavouring to use ldapmodify (from OpenLDAP 2.3) to connect to a
domain controller (named intacta) in our Active Directory forest and
perform account management operations. For this purpose, the bind to the
AD's LDAP must provide credentials of a user with the rights to manage
accounts in the domain in question. I'm attempting to perform the
authentication using certificates generated by a certificate authority
which we have established on a domain controller in the forest root
domain of our AD (not the same domain as the domain where we are trying
to perform account management but is the same forest). The bind account
is named test_account_manager and the user certificate
CSCFForestAccount.cer (listed below) is name mapped to the account.
All domain controllers in the forest have domain controller certificates
distributed to them from the forest's certificate authority.
Below is the content of my .ldaprc file on the Solaris 8 host where I'm
attempting to run ldapmodify. As stated above, the TLS_CERT certificate
is name mapped to the test_account_manager account in the AD. The
account, of course, has a password but the key file has no access
password as I believe is necessary for the current version of openldap.
TLS_CACERT /u/ctucker/LDAP_Cert/CSCFTrustedCA.pem.cer
TLS_CERT /u/ctucker/LDAP_Cert/CSCFForestAccount.cer
TLS_KEY /u/ctucker/LDAP_Cert/private_test1.pem
TLS_REQCERT demand
Below is the output of an ldapmodify command run on the Solaris 8 host.
When this command is run entries confirming the logon of the
test_account_manager account appear in the security event logs of the
domain controller intacta as a successful logon. This suggests that the
connection was properly authenticated by the certificates for the user
test_account_manager. However, the subsequent binding to LDAP fails with
the error "Authentication method not supported".
Any help with this persistent problem would be greatly appreciated.
Thanks.
Clayton
% ldapmodify -d13 -H ldaps://intacta.cs.uwaterloo.ca/
ldap_create
ldap_url_parse_ext(ldaps://intacta.cs.uwaterloo.ca/)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS:
supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP intacta.cs.uwaterloo.ca:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 129.97.152.158:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA, issuer: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA
TLS certificate verification: depth: 0, err: 0, subject: /CN=intacta.cs.uwaterloo.ca, issuer: /DC=ca/DC=uwaterloo/DC=cscf/CN=CSCF Forest CA
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write certificate verify A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 64 bytes to sd 3
ldap_result ld 30748 msgid 1
ldap_chkResponseList ld 30748 msgid 1 all 1
ldap_chkResponseList returns ld 30748 NULL
wait4msg ld 30748 msgid 1 (infinite timeout)
wait4msg continue ld 30748 msgid 1 all 1
** ld 30748 Connections:
* host: intacta.cs.uwaterloo.ca port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Jul 10 09:50:43 2008
** ld 30748 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 30748 Response Queue:
Empty
ldap_chkResponseList ld 30748 msgid 1 all 1
ldap_chkResponseList returns ld 30748 NULL
ldap_int_select
read1msg: ld 30748 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 96 contents:
read1msg: ld 30748 msgid 1 message type search-entry
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 30748 msgid 1 message type search-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 30748 0 new referrals
read1msg: mark request completed, ld 30748 msgid 1
request done: ld 30748 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
adding response ld 30748 msgid 1 type 101:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind_s: server supports: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_open: host=intacta.cs.uwaterloo.ca
=> ldap_dn2bv(16)
<= ldap_dn2bv(CN=test_account_manager,OU=Test User,OU=Unassigned,DC=cs,DC=uwaterloo,DC=ca)=0
SASL/EXTERNAL authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush: 26 bytes to sd 3
ldap_result ld 30748 msgid 2
ldap_chkResponseList ld 30748 msgid 2 all 1
ldap_chkResponseList returns ld 30748 NULL
wait4msg ld 30748 msgid 2 (infinite timeout)
wait4msg continue ld 30748 msgid 2 all 1
** ld 30748 Connections:
* host: intacta.cs.uwaterloo.ca port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Jul 10 09:50:43 2008
** ld 30748 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** ld 30748 Response Queue:
Empty
ldap_chkResponseList ld 30748 msgid 2 all 1
ldap_chkResponseList returns ld 30748 NULL
ldap_int_select
read1msg: ld 30748 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 103 contents:
read1msg: ld 30748 msgid 2 message type bind
ber_scanf fmt ({eaa) ber:
read1msg: ld 30748 0 new referrals
read1msg: mark request completed, ld 30748 msgid 2
request done: ld 30748 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eaa) ber:
ldap_msgfree
ldap_perror
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: 00002027: LdapErr: DSID-0C090499, comment: Invalid Authentication method, data 0, vece
15 years, 4 months
problem with openldap ssl client
by Sambuddho Chakravarty
Hello
I have an OpenLDAP server running slapd on 636 (LDAPS). When I connect
from an LDAP browser, I am able to successfully browse the database.
However, when I try to connect from a Linux client machine (Ubuntu Server
8.04) I am not able to connect over ldaps. Regular ldap works
fine.
The /etc/ldap.conf looks like this:
ssl start_tls
ssl on
tls_checkpeer tes
tls_cacertdir /etc/ldap/cacerts
tls_cacertfile /etc/ldap/cacert/cacert.pem
#server IP
uri ldaps://30.0.0.2/
pam_password md5
base dc=example,dc=com
The /etc/ldap/ldap.conf file is like this:
URI ldaps://30.0.0.2/
TLS_CACERTDIR /etc/ldap/cacerts
TLS_CACERT /etc/ldap/cacerts/cacert.pem
HOST 30.0.0.2
BASE dc=example,dc=com
The same configuration (with appropriate changes, replacing ldaps with
ldap and so on) works fine for regular ldap. The problem is only with
ldaps.
When the ldaps client is enabled and I run getent passwd,
/var/log/auth.log looks like this:
Jul 7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server...
Jul 7 23:57:46 host3 getent: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Jul 7 23:57:47 host3 getent: nss_ldap: could not search LDAP server - Server is unavailable
Jul 7 23:58:18 host3 getent: nss_ldap: reconnecting to LDAP server...
Please suggest where I could have gone wrong. Any suggestions would be
really appreciated.
Thanks
Sambuddho
15 years, 4 months
Re: problem with openldap ssl client
by Pat Riehecky
On Tue, 2008-07-08 at 16:45 -0400, Sambuddho Chakravarty wrote:
> Hello Pat
> I think I am . I did apt-get update and tried a apt-get install
> libnss-ldap and it said you already have the latest packages.
>
OK, one more thing to check: what does the output of
apt-get -f dist-upgrade
report?
Pat
> Thanks
> Sambuddho
> On Tue, 2008-07-08 at 15:39 -0500, Pat Riehecky wrote:
> > On Tue, 2008-07-08 at 00:06 -0400, Sambuddho Chakravarty wrote:
> > > Hello
> > > I have an openldap server running slapd on 636 (LDAPS) . When I connect
> > > from a ldap browser , I am able to successfully browse the database.
> > > However when I try to connect from a linux client machine (Ubuntu Server
> > > 8.04) I am not able to connect to the ldaps. However regular ldap works
> > > fine.
> >
> > There was a problem with the original 8.04 ldap packages (I think it was
> > actually gnutls related but memory fails). Are you on the latest and
> > greatest packages?
> >
> > Pat
> >
>
>
15 years, 4 months
Importing data from SunLDAP to OpenLDAP
by Jayesh Kamdar
I just set up OpenLDAP instance and would like to export data from my SunLDAP and import into my OpenLDAP instance. How do I go about it?
My main concern is how to make sure that the exported files' fields will match and import properly into my OpenLDAP database.
Please let me know, if any of you have gone through migration from SunLDAP to OpenLDAP and have any pointers for me.
Thanks.
Jayesh Kamdar
jkamdar(a)yahoo.com
15 years, 4 months
Setting up "slave" OpenLDAP server
by John Oliver
I know nothing about LDAP / OpenLDAP. With that out of the way...
I have a CentOS 5 machine running openldap-2.3.27-8. I just built a
CentOS 5.2 machine with openldap-2.3.27-8.el5_1.3. My goal is to have
the LDAP on the first machine sync with, and stay synced to, the LDAP
on the second machine, so if the first machine dies I can bring up an
interface with its IP on the second and get authentication working
again.
I've Googled "LDAP replication" and "LDAP synchronization". Both terms
lead me to a variety of papers that have a variety of ideas of how this
should be done, and some have diagrams of convoluted networks involving
multiple load balancers, etc. Since I know nothing about LDAP or
OpenLDAP, it is very difficult for me to evaluate what I'm seeing... is
this way "best", but because it's part of a globe-spanning install with
hundreds of thousands of users?
I'm hoping for a pointer to a nice, simple document that doesn't
pre-suppose any depth of knowledge and isn't part of a Holy War over
which method of doing this confers the greatest bragging rights :-)
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
15 years, 4 months