openldap-technical January 2009

openldap-technical@openldap.org

45 participants
44 discussions

Re: web apps and client certificate authentication
by Kurt Zeilenga 24 Jan '09

24 Jan '09

On Jan 11, 2009, at 10:07 AM, Emmanuel Dreyfus wrote: > Hello > > I am not sure this is the right place for that question, but I cannot > figure a better one. Please point me to the right place if there is a > better one than here. [[from openldap-software]] > > > I know how to use x509 certificate to authenticate a client against > OpenLDAP. It works great with ldap{search|add|modify|delete| > whatever}.` > > Now I would like to do the same with the client being a web browser > and > with a web application between the browser and slapd: > > browser (client cert) --> apache (PHP web application) --> slapd > > Client certificate authentication from the browser to apache is > strightforward. Yes, so why complicate it? > > > Therefore I can easily have the client authenticating to the web > application, and the web application operating on the directory on > behalf on the client (the web app should bind to the directory as a > privilegied user that would have authzTo: *) The web application should just authenticate as itself and then use proxy authorization to act on behalf of the client. Of course, it has to be authorized to do so. > > > But it would be nicer to actually have the client authenticate to > slapd > using its own client certificate. Why? Generally, the web application is part of the service which encompasses the web server and directory service. They should already have an appropriate trust relationship. > That is, having the web application > behaving as a kind of proxy, without any special privilege on the > directory. Is that possible? If it is, where should I start? Would require cooperation between the web server and the directory server. So nothing gained, IMO, except complexity. > > > -- > Emmanuel Dreyfus > http://hcpnet.free.fr/pubz > manu(a)netbsd.org

4 12

OpenLDAP locks
by Gaëtan Slongo 24 Jan '09

24 Jan '09

Hello all, I saw on a book that OpenLDAP locks parent entries when an entry is updating... It's true ? Example : If I'm updating "uid=username,ou=Users,dc=mydomain", "ou=Users,dc=mydomain" and all children will be locked (write lock?) while the update is performing ?? Thanks. -- Slongo Gaëtan Tel: +32 (0)65/84.23.85 (+6005) GPG/PGP : http://www.gslongo.eu/gslongo_it-optics.pub.asc -- OpenPGP E-Mail Security : http://enigmail.mozdev.org/home/index.php

2 1

LDAP data for JUnit
by yukti kaura 24 Jan '09

24 Jan '09

Hi All, I am using LDAP as a back end for my application. Howeve my JUnit have become LDAPServer dependant. i.e. they read the data from a particular server which I specify as the ldapUrl Do we have a mechanism that for the testing purpose alone I can introduce a static LDIF file ported alongwith the code. The JUnit will then read from LDIF in a manner that they read from LDAP Server. Is there such a method?? Please guide... Thanks for all your help!!!! Yukti Kaura

1 0

openldap C sdk help
by Sankhadip Sengupta 24 Jan '09

24 Jan '09

Hi , I am a developer and I have set up openldap2.4.12 and wrote an ldap client in C using the ldap C sdk. Over lan everything looks fine but when I try to connect and do the same thing over an external IP it fails saying ldap_bind_s :Can;t contact ldap server(-1). The server runnign with d127 shows " error:broken pipe connection reset by peer " Could you please help me? Thanks Sankhadip

1 0

Self-signed server cert within our corp = failure
by Jeff Blaine 23 Jan '09

23 Jan '09

OpenLDAP 2.4.11 client How do I subvert this bogusness? The cert is legit. % /usr/rcf/bin/ldapsearch -d 1 -v -ZZ -h ldap.our.com -p 4890 -D uid=jblaine -W mail=jblaine(a)our.com emailmailbox ... res_errno: 0, res_error: <Start TLS request accepted.Server willing to negotiate SSL.>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ber_scanf fmt (a) ber: ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (x) ber: ber_scanf fmt (}) ber: ldap_msgfree TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 2, err: 19, subject: /O=our.com/OU=Certificate Authority/CN=SuperDuper Corporation Root CA-1, issuer: /O=our.com/OU=Certificate Authority/CN=SuperDuper Corporation Root CA-1 TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. ldap_err2string ldap_start_tls: Connect error (-11)

4 5

Equality matching on facsimileTelephoneNumber
by Sean Burford 22 Jan '09

22 Jan '09

Hi, ITS 2571 is suspended (since 2003) pending IETF action: http://www.openldap.org/its/index.cgi/Contrib?id=2571 Has the IETF decided how facsimile telephone number matching should work, if at all? Our users would like to replace fax numbers, and there doesn't seem to be an appropriate matching rule. -- Thanks, Sean Burford

1 0

ldap_simple_bind_s fails intermittently, when run in an loop
by bharath.venkata＠wipro.com 22 Jan '09

22 Jan '09

Hi all, I am trying to use openldap api's to connect to ldap from my code. I tried to connect to ldap server 1,00,000 times(just intiliazing , binding and unbinding) Intilaly Binding to the ldap server works fine, but after some time say after reaching more than 10,000 binds. bind continously fails with below error . "Can't connect to the LDAP server - Cannot assign requested address". and error number is 91 below is my code snapshot. int main() { int ret,version,i; i=0; LDAP *ld=0; while(100000) { const char *s=0; cout<<"count is "<<i++<<endl; ld=ldap_init(HOSTNAME,PORTNUMBER); // HOSTNAME and PORTNUMBER are defined if(ld == NULL) { cout<<" error in initiliaze "<<endl; return 2; } ret=ldap_simple_bind_s(ld,"",""); ldap_perror(ld,s); if(ret != LDAP_SUCCESS) { cout<<" error in bin "<<ret<<endl; cout<<ldap_err2string(ret)<<" is the error"<<endl; } else { cout<<"bind success "<<endl; } ldap_unbind(ld); ld=NULL; } return 0; } i am clue less why this happened. Is there any restriction or bug (already present) that only certain number of binds are possible in a given time. Your help will be highly help full in my further proceedings. Regards, Bharath. Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com

2 1

openldap syncrepl
by Brad C 21 Jan '09

21 Jan '09

Hi There, Im having trouble with openldap synrepl. Ive turned on debugging. http://pastebin.com/d2da66c02 OpenLDAP versions itshare:~ # rpm -qa | grep -i openldap openldap2-client-2.4.12-5.3 openldap2-devel-2.4.12-5.3 openldap2-2.4.12-5.4 OpenSUSE 11.1 Linux itshare 2.6.27.7-9-pae #1 SMP 2008-12-04 18:10:04 +0100 i686 i686 i386 GNU/Linux Any advice would be most welcome. This is a vanilla system, is it because it has not created the ldap database locally?Jan 21 16:39:05 itshare slapd[3321]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) Kind Regards Brad

1 0

How can I configure overlays during runtime of slapd?
by Andreas Micheler 20 Jan '09

20 Jan '09

Hallo all, I am new to OpenLDAP, and I am trying to configure slapd during runtime to add/remove one or more Overlays. I have already converted slapd.conf to a config directory slapd.d before. The command I use to add the overlay is: slapadd -F slapd.d -n 0 -l myovondelta The ldif file myovondelta is: dn: olcOverlay=constraint,olcDatabase=bdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcConstraintConfig olcOverlay: constraint olcConstraintAttribute: mail regex ^[:alnum:]+@mydomain.com$ olcConstraintAttribute: title uri ldap:///dc=catalog,dc=example,dc=com?title?su$ But the output I get is: <= str2entry: str2ad(changetype): attribute type undefined slapadd: could not parse entry (line=1) Can anyone please point me in the right direction? Where is my mistake? Thanks, Andreas

2 1

trailing characters in olcserverids after conversion
by Oliver Liebel 19 Jan '09

19 Jan '09

using openldap 2.4.13 (compiled from openldap.org source-package) i have noticed the following, reproducable behaviour when converting a slapd.conf to slapd.d: if slapd.conf contains serverids with ldap-urls, e.g. in this format: ServerID 1 "ldap://ldapmaster.local.site:9000" ServerID 2 "ldap://ldapslave.local.site:9000" the olcserverids always contains some trailing (garbage) characters after the conversion, and are base64 encoded. when i set them manually in cn=config with ldapmodify, they are displayed "clean". the serverid-lines in slapd.conf are "clean" (they contain no whsp/tabs at the end of the line or similar, invisible chars). i have tested it without \"\ and without portnumber, tested conversion with slaptest and slapd, in virtual and real machines, result is always the same. any ideas? greetings, oliver

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2009