openldap-technical July 2008

openldap-technical@openldap.org

67 participants
78 discussions

Performance and TLS on bind/search operations.
by k bah 03 Jul '08

03 Jul '08

Hi, I noticed binds to the LDAP server with TLS off (plain connection) generate around 14 packets, while with TLS on, generate around twice the number of packets. It's not always twice, but near that. The smtp server only does anonymous binds do LDAP, while the IMAP server always use TLS, because it makes bind with DN/passwords. I don't think about changing this setup (smtp = plain connections, imap = tls connections). My question is about other software, code me and others write, that makes queries to the same LDAP server. We want to define a standard to always use TLS on code any of us write, so we don't need to recheck the code, to find if authenticated binds are being made without TLS, or sensitive data is being passed on a LDAP query with plain text connections. We can't always be sure if sensitive data will be passed, it's not just passwords. My question is, any of you can share your experience on LDAP perfomance regarding this, whether or not to *always use TLS*? I think it's best to be sure we always use TLS, but don't know the impact on performance. For the code we write I guess it will be no more than 100 connections/hour (bind operations). That's really not much, so I think TLS on everything won't be a problem. The real load is the smtp server use of LDAP, thousands/hour, but that's all plain connections, anon bind, search operations. thanks = Manage Clusters Easier Easy to use Graphical Interface. Get 90-99% HW Utilization - Try Moab. http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=c8db0bf13ca5dbd1a987ac0… -- Powered by Outblaze

1 0

different shells on different hosts?
by Joy Khoriaty 02 Jul '08

02 Jul '08

Hi! I'd like my LDAP users to have different shells on 2 different client machines. Is that possible? how can I set it up? e.g, on host1, user1 has for shell /bin/bash, on host2, user1 has for shell /bin/rsh Someone suggested having the defined shell for the user in their LDAP entry be called e.g. /bin/ldap_shell, and symbolic linking accordingly on each machine, but it doesn't give me the granularity I want on a per user basis Any suggestions, pointers, ideas are more than welcomed! Thanks! -- Joy Khoriaty elventails(a)elventails.com http://elventails.com

2 2

How does Openldap work with Cyrus SASL and MIT Kerberos V
by Le Trung Kien 02 Jul '08

02 Jul '08

Hi everyone, I have built up one server with Openldap, Cyrus SASL, MIT Kerberos V. Now, my server can authenticate users. In "Authentication Configuration", I set option information for LDAP server and Kerberos server. And I could login with accounts (Kerberos principals) which are created through Kerberos. And user information can be obtained from LDAP server. But it's seem to be only Openldap and Kerberos work with together. I can't figure out what the SASL role is in this strategy. And how it effects on my system. When I attempt setup phpldapadmin, I must configure SASL option, but I don't know how SASL works with LDAP in this strategy ? -- Le Trung Kien.

5 8

ldap_bind: Invalid credentials (49)
by Wael Mashal 02 Jul '08

02 Jul '08

I install the openldap on windows I add the .ldif file on ldap put the problem appear when I use c:\OpenLDAP>ldapwhoami -x -D "cn=admin,o=world" -W Enter LDAP Password: ldap_bind: Invalid credentials (49) Please help Wael Mashal Java Team Leader ASAL Technologies Ramallah, Palestine Tel: +970-2-2409 101 Fax: +970-2-2409 103 Mob: +970-52-487-11-70 Web: http://www.asaltech.com

2 1

openldap Master/slave
by Aravind Arjunan 01 Jul '08

01 Jul '08

hi i had configured openldap in rhel5 as master/slave openldap version is 2.3 Slave is not getting replicating from master. These are the logs generated in master and slave server. plz help me with this issue. At the time restarting slapd.conf in master server. [B][root@master~]# tail -f /var/log/slapd.log[/B]Jul 1 21:07:21 master slapd[2960]: daemon: shutdown requested and initiated. Jul 1 21:07:21 master slapd[2960]: slapd shutdown: waiting for 0 threads to terminate Jul 1 21:07:21 master slapd[2960]: slapd stopped. Jul 1 21:07:22 master slapd[3254]: @(#) $OpenLDAP: slapd 2.3.27 (Jan 3 2007 13:13:17) $ brewbuilder@ls20-bc1-13.build.redhat.com:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd Jul 1 21:07:23 master slapd[3255]: slapd starting ============================================================================================================================ ###At the time of restarting the slave slapd.conf##### [root@master~]# tail -f /var/log/slapd.log Jul 1 21:08:34 master slapd[3255]: conn=0 fd=13 ACCEPT from IP= 192.168.117.5:35205 (IP=0.0.0.0:389) Jul 1 21:08:34 master slapd[3255]: conn=0 op=0 BIND dn="cn=syncuser,dc=panafnet,dc=com" method=128 *Jul 1 21:08:34 master slapd[3255]: conn=0 op=0 RESULT tag=97 err=49 text=* *Jul 1 21:08:35 master slapd[3255]: conn=0 op=1 UNBIND *Jul 1 21:08:35 master slapd[3255]: conn=0 fd=13 closed Jul 1 21:08:35 master slapd[3255]: connection_read(13): no connection! [B][root@slave ~]# tail -f /var/log/slapd.log[/B]Jun 30 10:40:36 slave slapd[6481]: daemon: shutdown requested and initiated. Jun 30 10:40:36 slave slapd[6481]: slapd shutdown: waiting for 0 threads to terminate Jun 30 10:40:36 slave slapd[6481]: slapd stopped. Jun 30 10:40:37 slave slapd[6758]: @(#) $OpenLDAP: slapd 2.3.27 (Jan 3 2007 13:13:17) $ brewbuilder@ls20-bc1-13.build.redhat.com:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd Jun 30 10:40:38 slave slapd[6759]: slapd starting *Jun 30 10:40:38 slave slapd[6759]: do_syncrep1: ldap_sasl_bind_s failed (49)* * *

2 1

me
by Aravind Arjunan 01 Jul '08

01 Jul '08

hi, i had configured openldap and postfix in rhel 5. I had not installed any source code for the above two. With the help of rpm only i had configured ldap and postfix. Now i need to integrate openldap with postfix. I had followed the redhat documents for integrating. I want to know wheather it is necessary to complie ldap with postfix source code instead of rpm's? and kindly tell what mistake i had made here? plz look the error which am getting while sending mail to user who is located in ldap database. This is my configuration paramaters: ===================================== alias_maps = hash:/etc/postfix/aliases, ldap:ldapaliases alias_database = hash:/etc/postfix/aliases, ldap:ldapaliases ldapaliases_server_host = localhost ldapaliases_server_port = 389 ldapaliases_search_base = dc=panafnet,dc=com ldapaliases_scope = sub ldapaliases_query_filter = (|(mailid=%s)) ldapaliases_result_attribute = maildrop Error in maillog ================= Jul 1 17:18:05 experts postfix/cleanup[7422]: 900CFFDFE1: message-id=< 20080701114805.900CFFDFE1(a)experts.panafnet.com> Jul 1 17:18:05 experts postfix/qmgr[7416]: 900CFFDFE1: from=< root(a)panafnet.com>, size=310, nrcpt=1 (queue active) Jul 1 17:18:05 experts postfix/local[7424]: warning: dict_ldap_lookup: ldapaliases: Search base '' not found: 32: No such object Jul 1 17:18:05 experts postfix/local[7424]: 900CFFDFE1: to=< aravind(a)panafnet.com>, orig_to=<aravind>, relay=local, delay=0, status=deferred (alias database unavailable)

2 1

me
by Aravind Arjunan 01 Jul '08

01 Jul '08

hi, I had configured openldap 2.3 in RHEL 5 operating system. I had configured in master/slave. I want where can i fing the ldap logs. i had tried in /var/log/messages, but no logs were generating there. plz guide me where to find the ldap logs.

3 2

openldap
by Aravind Arjunan 01 Jul '08

01 Jul '08

hi, I got problem in openldap master,slave replication. I had configured openldap in RHEL 5 as master/slave in syncrepl method ( refreshOnly) my problem is my slave server is not getting replicated with master. I had integrated openldap with postfix also,so when i restart the postfix service i get the below error which i mentioned. plz help me with this issue. # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/qmail.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/lib64/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/pki/tls/certs/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # access to attrs=userPassword by self write by dn="cn=syncuser,dc=panafnet,dc=com" read by * auth access to * by dn="cn=syncuser,dc=panafnet,dc=com" read by * read # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=panafnet,dc=com" rootdn "cn=Manager,dc=panafnet,dc=com" rootpw {SSHA}9ma4wkvWQM2ws7E9q7qIgK9vQ2Rp4IhZ # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap/panafnet.com # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index default sub index entryCSN,entryUUID eq # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM overlay syncprov syncprov-checkpoint 100 05 [root@master ~]# ============================================================================= /etc/ldap.conf(master) ============================================================================== #host 127.0.0.1 host 192.168.117.4 192.168.117.5 # The distinguished name of the search base. base dc=panafnet,dc=com # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn dc=panafnet,dc=com # The credentials to bind with. # Optional: default is no credential. bindpw secret # may incur a small performance impact. nss_base_passwd ou=People,dc=panafnet,dc=com?one nss_base_shadow ou=People,dc=panafnet,dc=com?one nss_base_group ou=Group,dc=panafnet,dc=com?one #nss_base_hosts ou=Hosts,dc=example,dc=com?one #nss_base_services ou=Services,dc=example,dc=com?one # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control #pam_sasl_mech DIGEST-MD5 #uri ldap://127.0.0.1/ ssl no tls_cacertdir /etc/openldap/cacerts pam_password md5 ================================================================================== /etc/openlldap/slapd.conf(slave) =================================================================================== # network or connect timeouts (see bind_timelimit). host 192.168.117.5 192.168.117.4 # The distinguished name of the search base. base dc=panafnet,dc=com # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn dc=panafnet,dc=com # The credentials to bind with. # Optional: default is no credential. bindpw secret # to append the default base DN but this # may incur a small performance impact. nss_base_passwd ou=People,dc=panafnet,dc=com?one nss_base_shadow ou=People,dc=panafnet,dc=com?one nss_base_group ou=Group,dc=pananfet,dc=com?one #nss_base_hosts ou=Hosts,dc=example,dc=com?one ssl no tls_cacertdir /etc/openldap/cacerts ===================================================================================== Note: I had integrated ldap with postfix. So when am restart my postfix service i got this error in logs. Jul 1 16:05:59 master postfix/postfix-script: stopping the Postfix mail system Jul 1 16:05:59 master postfix/master[6303]: terminating on signal 15 Jul 1 16:06:01 master postfix/postfix-script: starting the Postfix mail system Jul 1 16:06:02 master postfix/master[1283]: daemon started -- version 2.3.3, configuration /etc/postfix Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: could not search LDAP server - Server is unavailable Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: could not search LDAP server - Server is unavailable Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials Jul 1 16:06:02 master postfix/pickup[1284]: nss_ldap: could not search LDAP server - Server is unavailable Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.4: Invalid credentials Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: failed to bind to LDAP server ldap://192.168.117.5: Invalid credentials Jul 1 16:06:02 master postfix/qmgr[1285]: nss_ldap: could not search LDAP server - Server is unavailable # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: # modulepath /usr/lib64/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la # The next three lines allow use of TLS for encrypting connections using a # dummy test certificate which you can generate by changing to # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. Your client software # may balk at self-signed certificates, however. # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt # TLSCertificateFile /etc/pki/tls/certs/slapd.pem # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=panafnet,dc=com" rootdn "cn=Manager,dc=panafnet,dc=com" rootpw {SSHA}F/VF2kcFeRzWxmYddG2JryM/0odBN7Hy # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap/panafnet.com syncrepl rid=0 provider=ldap://192.168.117.4:389 binddn="dc=panafnet,dc=com" bindmethod=simple credentials=SyncUser searchbase="dc=panafnet,dc=com" filter="(objectClass=*)" attrs="*" schemachecking=off scope=sub type=refreshOnly interval=00:00:00:06 access to attrs=userPassword by dn="cn=syncuser,dc=panafnet,dc=com" write by * auth access to * by dn="cn=syncuser,dc=panafnet,dc=com" write by * read # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index default sub index entryCSN,entryUUID eq # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM [root@slave ~]# ===================================================================================== /etc/ldap.conf(slave ======================================================================================

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2008