openldap-technical March 2009

openldap-technical@openldap.org

64 participants
69 discussions

Start a nNew thread

SSL
by mario ramirez cervera 17 Mar '09

17 Mar '09

1 0

Re: Problem ldif encrypt MD5
by mario ramirez cervera 17 Mar '09

17 Mar '09

Firstly thank you very much But my problem was that rpincipal, but to explain it wrong. My problem is the config openldad SSL I followed this manualhttp: / / www.juanramartin.com/?p=60 # comment-49151 but did not work for me to insert the lines in slapd.conf .. Podrian ayudarme Greetings 2009/3/16 Brian Friday <brian.friday(a)gmail.com> > Hello Mario, > > Please check out the documentation on the openldap website which > speaks specifically about passwords: > > http://www.openldap.org/faq/data/cache/419.html > > On Mon, Mar 16, 2009 at 2:08 AM, mario ramirez cervera > <marioramirezph(a)gmail.com> wrote: > > Good morning to everyone: > > > > My problem is I need to configure my openldap not have the passwd in > plain > > text. He then ta rootdn with the passwd MD5. > > How can I spend my ldif passwd current MD5? > > > > Thank you very much and hope your help >

1 0

Openldap cookie synchronization
by Mihai Stanescu 16 Mar '09

16 Mar '09

Hello all I am developing a service to replicate openldap changes to another server. For this i am using cookie based search with a certain polling interval (10 secs) My problem occurs when there are many changes to be synced from openldap while openldap is under modification stress. Sometimes openldap returns all the entries of the openldap database to my cookie search (i am not reseting the cookie). Later on after the processing is finalized even a single modification in openldap triggers a situation in which cookie based search fetches all the entries of the openldap database. I am not altering the cookies between searches. Does anyone have any idea why this could happen? Is it nomal behavior or a known issue? Could it be a configuration problem? Thanks Mihai

1 0

Problem ldif encrypt MD5
by mario ramirez cervera 16 Mar '09

16 Mar '09

Good morning to everyone: My problem is I need to configure my openldap not have the passwd in plain text. He then ta rootdn with the passwd MD5. How can I spend my ldif passwd current MD5? Thank you very much and hope your help

1 0

smbk5pwd - slapd stops responding
by Eduardo Sachs 15 Mar '09

15 Mar '09

Hi People, I use the overlay smbk5pwd for sync password of Samba with the of Heimdal Kerberos. In Debian Etch using Samba 3.0.24-6etch10, OpenLDAP 2.3.30-5+etch2 and Heimdal Kerberos 0.7.2.dfsg.1-10, I don't have problems. But, in Debian Lenny using Samba 2:3.2.5-4, OpenLDAP 2.4.11-1, and Heimdal Kerberos 1.2.dfsg.1-2.1, I have problems. When I invoke smbpasswd or ldappaswd and trying change the password, slapd stops responding. With kpasswd I do not have problems, change the password of Samba and Kerberos correctly, and userPassword fixed with {K5KEY}, slapd not stops responding (working correctly), but, I need change the password with smbpasswd for Windows clients. Below follows a more detailed debug, has something else that I can show? This is a bug? slapd.conf configuration: moduleload smbk5pwd overlay smbk5pwd smbk5pwd-enable krb5 smbk5pwd-enable samba smbk5pwd-must-change 2592000 password-hash {K5KEY} - OpenLDAP have permission to read/write the file /var/lib/heimdal-kdc/m-key. - I configure OpenLDAP to run with user root and group root, for tests. smb.conf configuration about password: ldap passwd sync = Only unix password sync = no Look this example: 1 - LDAP OK: root# ps aux|grep slapd root 3841 3.0 0.8 21920 4512 ? Ssl 14:47 0:00 /usr/sbin/slapd -h ldap://10.111.222.100:389/ ldaps://10.111.222.100:636/ ldapi:/// -g root -u root -f /etc/ldap/slapd.conf root 3844 0.0 0.1 3116 728 pts/0 S+ 14:47 0:00 grep slapd root# ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: sachs(a)LOCAL.INT.BR SASL SSF: 56 SASL data security layer installed. dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br 2 - Change password witch LDAPPASSWD: root# ldappasswd -x -D "krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" "uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" -w secret -S New password: Re-enter new password: ldap_result: Can't contact LDAP server (-1) root# ps aux|grep slapd root 3832 0.0 0.1 3116 724 pts/0 S+ 14:47 0:00 grep slapd root# ldapwhoami -Y GSSAPI ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) Loglevel in 256, trying change password with LDAPPASWD, stop in PASSMOD: conn=0 fd=18 ACCEPT from IP=10.111.222.100:40181 (IP=10.111.222.100:389) conn=0 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" method=128 conn=0 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" mech=SIMPLE ssf=0 conn=0 op=0 RESULT tag=97 err=0 text= conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 conn=0 op=1 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new Debug of Overlay Audit, trying change password with LDAPPASWD: # modify 1236964911 dc=local,dc=int,dc=br krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br changetype: modify replace: userPassword userPassword:: e0s1S0VZfQ== - replace: entryCSN entryCSN: 20090313172151.459306Z#000000#000#000000 - replace: modifiersName modifiersName: krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrin cipals,ou=Usuarios,dc=local,dc=int,dc=br - replace: modifyTimestamp modifyTimestamp: 20090313172151Z - # end replace 1236964911 3 - Change Password with SMBPASSWD: LDAP running correctly. root# ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: sachs(a)LOCAL.INT.BR SASL SSF: 56 SASL data security layer installed. dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br # smbpasswd sachs New SMB password: Retype new SMB password: failed to bind to server ldaps://debian.local.int.br/ with dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" Error: Can't contact LDAP server (unknown) Connection to LDAP server failed for the 2 try! Connection to LDAP server failed for the 3 try! Connection to LDAP server failed for the 4 try! Connection to LDAP server failed for the 5 try! Connection to LDAP server failed for the 6 try! Connection to LDAP server failed for the 7 try! Loglevel in 256, trying change password with SMBPASSWD, stop in PASSMOD: conn=2 fd=27 ACCEPT from IP=10.111.222.100:35715 (IP=10.111.222.100:636) conn=2 fd=27 TLS established tls_ssf=128 ssf=128 conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" method=128 conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" mech=SIMPLE ssf=0 conn=2 op=0 RESULT tag=97 err=0 text= conn=2 op=1 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sachs))" conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1 op=5 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))" conn=1 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass conn=1 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1 op=6 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))" conn=1 op=6 SRCH attr=uid sambaSid conn=1 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text= conn=1 op=7 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))" conn=1 op=7 SRCH attr=cn displayName sambaSid sambaGroupType conn=1 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1 op=8 MOD dn="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" conn=1 op=8 MOD attr=sambaAcctFlags sambaAcctFlags conn=1 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" conn=1 op=9 SRCH attr=supportedExtension conn=1 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1 op=10 EXT oid=1.3.6.1.4.1.4203.1.11.1 conn=1 op=10 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new conn=1 op=8 RESULT tag=103 err=0 text= Debug of Overlay Audit, trying change password with SMBPASSWD: # modify 1236968199 dc=local,dc=int,dc=br krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br changetype: modify delete: sambaAcctFlags sambaAcctFlags: [U] - add: sambaAcctFlags sambaAcctFlags: [U ] - replace: entryCSN entryCSN: 20090313181639.613866Z#000000#000#000000 - replace: modifiersName modifiersName: krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrin cipals,ou=Usuarios,dc=local,dc=int,dc=br - replace: modifyTimestamp modifyTimestamp: 20090313181639Z - # end replace 1236968199 Thanks!!!

1 0

Hostname does not match common name problem
by Sascha 14 Mar '09

14 Mar '09

Hi there! I have a problem with an LDAP server that I need to connect to. I have the required certificate stored on the client but I am getting the following error message: "TLS: hostname (A.xyz123.com) does not match common name in certificate (*.xyz123.com)" Is there any way to work around this problem? As far as I understand it, RFC4514 section 3.1.3 allows wildcards thus the connection should work, shouldn't it? What is confusing me is that "openssl s_client -connect A.xyz123.com:636 -CAfile /etc/ssl/certs/rootca.cer" results in: Verify return code: 0 (ok) If I am not mistaken, openssl accepts the server based on the certificate but openldap does not. Any help is much appreciated. I am really stuck with this. Thanks. Regards, Sascha -- Psssst! Schon vom neuen GMX MultiMessenger gehört? Der kann`s mit allen: http://www.gmx.net/de/go/multimessenger01

3 4

CPU IOWAIT
by Sergio Cioban Filho 14 Mar '09

14 Mar '09

Hi all, I have 2 openldap servers running on CentOS 5.2 (openldap-2.4.11 RPM: http://staff.osuosl.org/~jeff/openldap/el5/i386/<http://staff.osuosl.org/%7Ejeff/openldap/el5/i386/>), the single-master replication works fine, but when I have activated mirrormode, any ldap interaction is so slowly and CPU IOWAT is 100% (in ldapsearch or ldapadd...). I have tried the same configuration with openldap-2.4.15 + db-4.7.25, but this problem still occurred. Have any idea about this problem? ** Sorry for my poor english... :) Thanks, Regards, --- Sergio Cioban Filho

2 2

newbie question: No anonymous authentication = problems
by Andreas Brudin 13 Mar '09

13 Mar '09

Hi, I hope I am on the right list for questions like this. I manage a OpenLDAP server installation on Ubuntu 8.10, and when I upgraded from 8.04 the configuration changed quite a bit. I am trying to turn off anonymous access, but I get problems connecting to the ldap database even when not using anonymous bind. I managed to find the configuration options I was looking for (at least i think so) with phpldapadmin. I found an object with dn olcDatabase={1}bdb,cn=config, in which I found an attribute called olcAccess, which I think is what I need to change. From the beginning it said: {0}to attrs=userPassword,shadowLastChange by dn.base="cn=manager,dc=mydomain,dc=com" write by anonymous auth by self write by * none {1}to dn.base="" by * read {2}to * by dn.base="cn=manager,dc=mydomain,dc=com" write by * read (of course with my dc values). I tried to change the last entry to by * none, as I do not right now need my users to be able to read their or other users' values. It worked as expected, from an LDAP point of view, I still could log in anonymously, but I could not browse the database, however, logged in as manager it worked as it should. The problem came in postfix, because I use my LDAP database (among other things) as an alias table. So I configured postfix not to bind anonymously, but to use server_host = localhost server_port = 389 search_base = dc=mydomain, dc=com bind = yes bind_dn = cn=manager, dc=mydomain, dc=com bind_pw = mysecret result_attribute = mail query_filter = (|(uid=%s)(mailAlias=%s)) But I got dict_ldap_lookup: Search error 50: Insufficient access from the mail.log When I changed back, it worked again. I have tried to change various things (such as put in by anonymous auth before by * read, and changing dc.base="..." to dc="..." both in the first and in the last attribute value above, but it does not seem to change. What am I doing wrong? Any help would be much appreciated. Best regards, Andreas

1 0

[Fwd: Re: OpenLDAP event in Paris - programme details]
by Howard Chu 13 Mar '09

13 Mar '09

As already mentioned, I'll be in London later this month to give a talk on OpenLDAP and MySQL at the UKUUG LISA conference. Since I'm going to be in Europe for a few days, the folks at Linagora in France invited me to give a talk in Paris as well. I look forward to meeting up with our friends on the Continent.... 8<------------------------------------------------------------ Community event with Howard Chu, OpenLDAP Chief Architect, in Paris Linagora is proud to welcome Howard Chu, OpenLDAP Chief Architect, for a conference on OpenLDAP version 2.4, Monday 23rd March at 6 PM in Paris. In a relaxed after-work atmosphere, come and learn more about the new features of the open source directory server, and meet other members of the French OpenLDAP community. Sign-up for free by a simple email to <ldap+event2009(a)linagora.com>. Warning : this conference will be given in English. Where : 27 rue de Berri, 75008 Paris - http://www.linagora.com/societe/contacts/nous_contacter/_r45.html Professional needs? Attend a seminary on industrializing OpenLDAP with Symas and Linagora, on Tuesday 24th March morning: http://www.linagora.com/actualites/evenement_exceptionnel_openldap_pour_les… 8<------------------------------------------------------------ -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

ldap delete and modifying by delete problems
by Catalin 12 Mar '09

12 Mar '09

Hello! I'm trying to write a php script in order to manage my LDAP Directory easier. Everything works fine when I'm adding new entries and when I'm modifying an attribute. When it comes to delete an entry from my directory or to remove an attribute, I get error no. 8 which means "PHP Warning: ldap_delete() [<a href='function.ldap-delete'>function.ldap-delete</a>]: Delete: Strong(er) authentication required in /var/www/html/admin.mydomain.tld/responsabil/sterge.php on line 34, referer: http://admin.mydomain.tld/responsabil/index.php?nav=del [Tue Mar 10 07:15:03 2009] [error] [client 172.17.26.57] PHP Warning: ldap_mod_del() [<a href='function.ldap-mod-del'>function.ldap-mod-del</a>]: Modify: Strong(er) authentication required in /var/www/html/admin. mydomain.tld /responsabil/sterge.php on line 37, referer: http://admin. mydomain.tld /responsabil/index.php?nav=del" Here is how I'm trying to do these: <?php $ldap = ldap_connect("localhost"); ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); $r = @ldap_bind($ldap, "root","password"); $arrayCN=array("cn=",$login,",ou=people,dc=mydomain,dc=tld"); $CN=implode($arrayCN); $arraygroup=array("cn=",$row_verifica[5],",ou=departments,dc=mydomain,dc=tld "); $group=implode($arraygroup); $entry["member"]=$CN; $stergere=ldap_delete($ldap,$CN); $modificare=ldap_mod_del($ldap,$group,$entry); $closing=ldap_close($ldap); ?> I think it has something to do with LDAP settings. I'm using default settings for LDAP , I've only included a supplemental schema to fit it for my needs. I've generated a {SSHA} password for root. If needed, I can send all these files. Can anyone help? Any suggestion would be greatly appreciated. Thanks in advance! Best regards! Catalin

4 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2009