Hi,
I noticed that binds to the LDAP server with TLS off (plain connection) generate around 14 packets, while with TLS on they generate around twice that number. It's not always twice, but close to it.
The SMTP server only does anonymous binds to LDAP, while the IMAP server always uses TLS, because it binds with DN/passwords. I don't plan to change this setup (SMTP = plain connections, IMAP = TLS connections).
My question is about other software, code that I and others write, that makes queries to the same LDAP server. We want to define a standard of always using TLS in any code we write, so we don't need to recheck the code to find out whether authenticated binds are being made without TLS, or sensitive data is being passed in an LDAP query over a plaintext connection. We can't always be sure whether sensitive data will be passed; it's not just passwords.
My question is: can any of you share your experience on LDAP performance regarding this, whether or not to *always use TLS*? I think it's best to be sure we always use TLS, but I don't know the impact on performance. For the code we write, I guess it will be no more than 100 connections/hour (bind operations). That's really not much, so I think TLS on everything won't be a problem. The real load is the SMTP server's use of LDAP, thousands/hour, but those are all plain connections, anonymous binds, search operations.
Thanks
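The policy the post above is looking for, authenticated binds always under TLS while the SMTP server's anonymous plain lookups are left alone, can be enforced by slapd itself instead of by re-reading every client's code. The fragment below is an added example and is not part of the original message; it uses the slapd.conf `security` directive with Security Strength Factors. The certificate paths, host name and base DN are assumptions.

```conf
# Added example (not from the original post): server-side enforcement of
# "every authenticated bind goes over TLS". Paths and names are assumptions.
#
# --- /etc/openldap/slapd.conf, global section ---
TLSCACertificateFile  /etc/openldap/cacerts/ca.crt
TLSCertificateFile    /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key   # mode 0600, owned by the ldap user

# Security Strength Factors (SSF): 0 = no protection, 128 = AES-128 or better.
#   simple_bind=128  a simple bind carrying a DN and password is refused unless
#                    the session is already encrypted (StartTLS or ldaps://);
#                    slapd answers result 13, "Confidentiality required", and
#                    the password never crosses the wire in the clear.
#   update_ssf=128   add/modify/delete operations need the same protection.
#   The overall ssf stays 0, so anonymous searches over plain ldap://, the
#   SMTP server's lookups, keep working unchanged.
security simple_bind=128 update_ssf=128

# LDAPv2 has no StartTLS extended operation, so leave "allow bind_v2" out
# (the stock RHEL slapd.conf quoted further down this page has it enabled).

# --- /etc/openldap/ldap.conf on every client host ---
# Pins the CA so the libldap tools and any code linked against libldap
# fail the TLS handshake on an unknown server certificate.
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand
```

Check both directions from a client: `ldapwhoami -x -ZZ -D "cn=someone,dc=example,dc=com" -W` (StartTLS, abort if it cannot be negotiated) should succeed, and the same command without `-ZZ` should now fail with `ldap_bind: Confidentiality required (13)` rather than authenticate. On the performance question, the extra packets the post counted are the StartTLS exchange and the TLS handshake, which are paid once per connection, not once per operation, so code that opens a connection per bind pays it every time while code that keeps a connection and reuses it pays it once.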
Hi!
I'd like my LDAP users to have different shells on 2 different client
machines. Is that possible? How can I set it up?
E.g., on host1, user1 has /bin/bash as shell; on host2, user1 has
/bin/rsh as shell.
Someone suggested having the shell defined in the user's LDAP entry be
called e.g. /bin/ldap_shell, and symlinking accordingly on each machine,
but that doesn't give me the granularity I want on a per-user basis.
Any suggestions, pointers, ideas are more than welcome!
Thanks!
--
Joy Khoriaty
elventails(a)elventails.com
http://elventails.com
Hi everyone,
I have built a server with OpenLDAP, Cyrus SASL and MIT Kerberos V.
Now my server can authenticate users.
In "Authentication Configuration", I set the option information for the LDAP server
and the Kerberos server. I can log in with accounts (Kerberos principals)
that were created through Kerberos, and user information can be obtained
from the LDAP server.
But it seems that only OpenLDAP and Kerberos work together.
I can't figure out what the SASL role is in this strategy, and how it
affects my system.
When I attempt to set up phpLDAPadmin, I must configure the SASL option, but I
don't know how SASL works with LDAP in this strategy?
--
Le Trung Kien.
I installed OpenLDAP on Windows and added the .ldif file to LDAP, but the
problem appears when I use
c:\OpenLDAP>ldapwhoami -x -D "cn=admin,o=world" -W
Enter LDAP Password: ldap_bind: Invalid credentials (49)
Please help
Wael Mashal
Java Team Leader
ASAL Technologies
Ramallah, Palestine
Tel: +970-2-2409 101
Fax: +970-2-2409 103
Mob: +970-52-487-11-70
Web: http://www.asaltech.com
hi,
I have configured OpenLDAP and Postfix on RHEL 5.
I did not install either of the two from source code.
I configured LDAP and Postfix from RPMs only.
Now I need to integrate OpenLDAP with Postfix.
I followed the Red Hat documents for the integration.
I want to know whether it is necessary to compile Postfix with LDAP from source
code instead of using the RPMs,
and kindly tell me what mistake I have made here.
Please look at the error I am getting while sending mail to a user who is
located in the LDAP database.
These are my configuration parameters:
=====================================
alias_maps = hash:/etc/postfix/aliases, ldap:ldapaliases
alias_database = hash:/etc/postfix/aliases, ldap:ldapaliases
ldapaliases_server_host = localhost
ldapaliases_server_port = 389
ldapaliases_search_base = dc=panafnet,dc=com
ldapaliases_scope = sub
ldapaliases_query_filter = (|(mailid=%s))
ldapaliases_result_attribute = maildrop
Error in maillog
=================
Jul 1 17:18:05 experts postfix/cleanup[7422]: 900CFFDFE1: message-id=<20080701114805.900CFFDFE1(a)experts.panafnet.com>
Jul 1 17:18:05 experts postfix/qmgr[7416]: 900CFFDFE1: from=<root(a)panafnet.com>, size=310, nrcpt=1 (queue active)
Jul 1 17:18:05 experts postfix/local[7424]: warning: dict_ldap_lookup: ldapaliases: Search base '' not found: 32: No such object
Jul 1 17:18:05 experts postfix/local[7424]: 900CFFDFE1: to=<aravind(a)panafnet.com>, orig_to=<aravind>, relay=local, delay=0, status=deferred (alias database unavailable)
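For comparison with the main.cf-style `ldapaliases_*` parameters in the post, here is the per-table file form that the Postfix ldap_table(5) manual documents, carrying the same values the poster used. This is an added example, not configuration from the post or from the Red Hat documents; the file path is an assumption.

```conf
# Added example (not from the original post): the ldap_table(5) file form
# with the values from the post. The .cf path is an assumption.
#
# --- /etc/postfix/main.cf ---
# alias_maps is what local(8) queries. alias_database lists only the files
# that newaliases rebuilds, so an ldap: table does not belong there.
alias_maps     = hash:/etc/postfix/aliases, ldap:/etc/postfix/ldap-aliases.cf
alias_database = hash:/etc/postfix/aliases

# --- /etc/postfix/ldap-aliases.cf ---
server_host      = localhost
server_port      = 389
version          = 3
search_base      = dc=panafnet,dc=com
scope            = sub
# %s is the lookup key (the local part of the recipient). Postfix escapes
# LDAP filter metacharacters in it, so a crafted address cannot rewrite
# the filter. The (|...) wrapper around a single term in the post is redundant.
query_filter     = (mailid=%s)
result_attribute = maildrop
# An anonymous bind is enough for a read-only lookup of mail attributes.
# If bind_dn/bind_pw are ever added, this file must not be world-readable.
bind             = no
```

`postmap -q aravind ldap:/etc/postfix/ldap-aliases.cf` performs exactly the lookup local(8) performs and prints either the maildrop value or the LDAP error text, which is quicker than re-sending mail and reading maillog after every change.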
hi,
I have configured OpenLDAP 2.3 on the RHEL 5 operating system,
in a master/slave setup.
I want to know where I can find the LDAP logs.
I tried /var/log/messages, but no logs were being generated there.
Please guide me on where to find the LDAP logs.
hi,
I have a problem with OpenLDAP master/slave replication.
I configured OpenLDAP on RHEL 5 as master/slave with the syncrepl method
(refreshOnly).
My problem is that my slave server is not getting replicated from the master.
I have also integrated OpenLDAP with Postfix, so when I restart the Postfix
service I get the error mentioned below.
Please help me with this issue.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/qmail.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib64/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
access to attrs=userPassword
by self write
by dn="cn=syncuser,dc=panafnet,dc=com" read
by * auth
access to *
by dn="cn=syncuser,dc=panafnet,dc=com" read
by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=panafnet,dc=com"
rootdn "cn=Manager,dc=panafnet,dc=com"
rootpw {SSHA}9ma4wkvWQM2ws7E9q7qIgK9vQ2Rp4IhZ
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/panafnet.com
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index default sub
index entryCSN,entryUUID eq
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
overlay syncprov
syncprov-checkpoint 100 05
=============================================================================
/etc/ldap.conf(master)
==============================================================================
#host 127.0.0.1
host 192.168.117.4 192.168.117.5
# The distinguished name of the search base.
base dc=panafnet,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn dc=panafnet,dc=com
# The credentials to bind with.
# Optional: default is no credential.
bindpw secret
# may incur a small performance impact.
nss_base_passwd ou=People,dc=panafnet,dc=com?one
nss_base_shadow ou=People,dc=panafnet,dc=com?one
nss_base_group ou=Group,dc=panafnet,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
#uri ldap://127.0.0.1/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
==================================================================================
/etc/ldap.conf(slave)
===================================================================================
# network or connect timeouts (see bind_timelimit).
host 192.168.117.5 192.168.117.4
# The distinguished name of the search base.
base dc=panafnet,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn dc=panafnet,dc=com
# The credentials to bind with.
# Optional: default is no credential.
bindpw secret
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd ou=People,dc=panafnet,dc=com?one
nss_base_shadow ou=People,dc=panafnet,dc=com?one
nss_base_group ou=Group,dc=pananfet,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
ssl no
tls_cacertdir /etc/openldap/cacerts
=====================================================================================
Note: I have integrated LDAP with Postfix.
So when I restart my Postfix service I get this error in the logs.
Jul 1 16:05:59 master postfix/postfix-script: stopping the Postfix mail system
Jul 1 16:05:59 master postfix/master[6303]: terminating on signal 15
Jul 1 16:06:01 master postfix/postfix-script: starting the Postfix mail system
Jul 1 16:06:02 master postfix/master[1283]: daemon started -- version 2.3.3, configuration /etc/postfix
Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials
Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials
Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials
Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: could not search LDAP server - Server is unavailable
Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials
Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials
Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: could not search LDAP server - Server is unavailable
Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials
Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: could not search LDAP server - Server is unavailable
Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials
Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials
Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: could not search LDAP server - Server is unavailable
=====================================================================================
/etc/openldap/slapd.conf(slave)
=====================================================================================
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib64/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=panafnet,dc=com"
rootdn "cn=Manager,dc=panafnet,dc=com"
rootpw {SSHA}F/VF2kcFeRzWxmYddG2JryM/0odBN7Hy
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/panafnet.com
syncrepl
rid=0
provider=ldap://192.168.117.4:389
binddn="dc=panafnet,dc=com"
bindmethod=simple
credentials=SyncUser
searchbase="dc=panafnet,dc=com"
filter="(objectClass=*)"
attrs="*"
schemachecking=off
scope=sub
type=refreshOnly
interval=00:00:00:06
access to attrs=userPassword
by dn="cn=syncuser,dc=panafnet,dc=com" write
by * auth
access to *
by dn="cn=syncuser,dc=panafnet,dc=com" write
by * read
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index default sub
index entryCSN,entryUUID eq
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
=====================================================================================
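For the replication question above and the logging question before it, here is an added example (not configuration from either post) of a provider/consumer pair built around one dedicated replication identity. In the posted files both the consumer's `syncrepl` stanza and `/etc/ldap.conf` bind as `dc=panafnet,dc=com`, the suffix entry, while the ACLs grant rights to `cn=syncuser,dc=panafnet,dc=com`; the example uses that single entry consistently, creates it with a hashed password, bounds what it may do, and turns on the slapd log categories that record why a bind or a sync refresh fails. The addresses and suffix are taken from the post; the certificate path, syslog file and password placeholders are assumptions.

```conf
# Added example (not from the posts): one replication identity used
# consistently, plus the logging that shows bind and sync failures.
# Hosts and suffix come from the post; cert path and log file are assumed.
#
# --- LDIF, loaded once on the provider with ldapadd as rootdn ---
dn: cn=syncuser,dc=panafnet,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: syncuser
description: syncrepl consumer account
userPassword: {SSHA}PASTE-THE-OUTPUT-OF-slappasswd-HERE

# --- provider (192.168.117.4) /etc/openldap/slapd.conf ---
# Global section. "stats" logs connections, bind DNs, operations and result
# codes; "sync" logs the provider side of syncrepl. slapd writes to syslog
# facility LOCAL4, so /etc/syslog.conf needs a line such as
#     local4.*    /var/log/slapd.log
# The log shows bind DNs and search filters; keep that file root-readable.
loglevel stats sync

database  bdb
suffix    "dc=panafnet,dc=com"
rootdn    "cn=Manager,dc=panafnet,dc=com"
rootpw    {SSHA}PASTE-slappasswd-OUTPUT      # hashed, never a cleartext rootpw
directory /var/lib/ldap/panafnet.com
index objectClass eq
index entryCSN,entryUUID eq                  # required by syncprov

# The replica account may read everything, password hashes included (they
# must replicate); no one else can read userPassword.
access to attrs=userPassword
    by self write
    by dn.exact="cn=syncuser,dc=panafnet,dc=com" read
    by anonymous auth
    by * none
access to *
    by * read        # nss_ldap lookups from the clients run anonymously

# A full refresh must not be cut off by the default size/time limits.
limits dn.exact="cn=syncuser,dc=panafnet,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# --- consumer (192.168.117.5) /etc/openldap/slapd.conf ---
loglevel stats sync
database  bdb
suffix    "dc=panafnet,dc=com"
rootdn    "cn=Manager,dc=panafnet,dc=com"
rootpw    {SSHA}PASTE-slappasswd-OUTPUT
directory /var/lib/ldap/panafnet.com
index objectClass eq
index entryCSN,entryUUID eq

# Replicated changes are applied internally with rootdn authority, so
# cn=syncuser needs no write ACL here. Clients' writes are referred
# to the provider by updateref.
syncrepl rid=001
    provider=ldap://192.168.117.4:389
    type=refreshOnly
    interval=00:00:10:00          # every 10 minutes, not every 6 seconds
    retry="60 10 300 +"           # 10 retries a minute apart, then every 5 min
    searchbase="dc=panafnet,dc=com"
    filter="(objectClass=*)"
    scope=sub
    attrs="*,+"
    schemachecking=on
    bindmethod=simple
    binddn="cn=syncuser,dc=panafnet,dc=com"
    credentials=the-cleartext-password-given-to-slappasswd
    starttls=critical             # the credential never crosses the wire in the clear
updateref ldap://192.168.117.4

# --- /etc/ldap.conf (nss_ldap) on both hosts ---
# No binddn/bindpw: lookups run anonymously, which the ACL above permits.
# This file is world-readable, so if a binddn is ever needed it must be an
# existing entry with a userPassword and read-only rights, never rootdn.
host 192.168.117.4 192.168.117.5
base dc=panafnet,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt
```

Because `credentials=` in the consumer's slapd.conf is the cleartext password, that file has to stay mode 0600 as its own header says, and the same password must be the one hashed into the LDIF above. With `loglevel stats sync` on both sides, a failed consumer bind shows up in the provider's log as a `BIND dn="cn=syncuser,..."` line followed by a non-zero `RESULT err=`, and a refresh that starts and is cut short shows up under the sync category, which is the evidence the two posts above were missing.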