SSL
by mario ramirez cervera
Firstly, thank you very much.
But my main problem was that one, but I explained it wrong.
My problem is the OpenLDAP SSL config. I followed this manual
http://www.juanramartin.com/?p=60#comment-49151 but it did not work for me to insert
the lines in slapd.conf.
Could you help me?
Greetings
11 years, 10 months
Re: Problem ldif encrypt MD5
by mario ramirez cervera
Firstly, thank you very much.
But my main problem was that one, but I explained it wrong.
My problem is the OpenLDAP SSL config. I followed this manual
http://www.juanramartin.com/?p=60#comment-49151 but it did not work for me to insert
the lines in slapd.conf.
Could you help me?
Greetings
2009/3/16 Brian Friday <brian.friday(a)gmail.com>
> Hello Mario,
>
> Please check out the documentation on the openldap website which
> speaks specifically about passwords:
>
> http://www.openldap.org/faq/data/cache/419.html
>
> On Mon, Mar 16, 2009 at 2:08 AM, mario ramirez cervera
> <marioramirezph(a)gmail.com> wrote:
> > Good morning to everyone:
> >
> > My problem is I need to configure my openldap not to have the passwd in
> > plain text. Then I have the rootdn with the passwd MD5.
> > How can I convert my current ldif passwd to MD5?
> >
> > Thank you very much and hope for your help
>
11 years, 10 months
Openldap cookie synchronization
by Mihai Stanescu
Hello all
I am developing a service to replicate openldap changes to another
server. For this I am using a cookie based search with a certain polling
interval (10 secs).
My problem occurs when there are many changes to be synced from
openldap while openldap is under modification stress. Sometimes
openldap returns all the entries of the openldap database to my cookie
search (I am not resetting the cookie). Later on, after the processing
is finalized, even a single modification in openldap triggers a
situation in which the cookie based search fetches all the entries of the
openldap database.
I am not altering the cookies between searches.
Does anyone have any idea why this could happen? Is it normal behavior
or a known issue?
Could it be a configuration problem?
Thanks
Mihai
11 years, 10 months
Problem ldif encrypt MD5
by mario ramirez cervera
Good morning to everyone:
My problem is I need to configure my openldap not to have the passwd in plain
text. Then I have the rootdn with the passwd MD5.
How can I convert my current ldif passwd to MD5?
Thank you very much and hope for your help
11 years, 10 months
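Both threads from Mario ask the same thing: how to store userPassword as a hash instead of cleartext, and how that value looks in LDIF. The following is an added example, not code from the posts or from OpenLDAP, that produces and verifies RFC 2307 style {SSHA}, {SMD5} and {MD5} values (the formats slappasswd emits) and shows the LDIF base64 ("::") encoding that appears in the smbk5pwd audit log further down this page ("userPassword:: e0s1S0VZfQ==" is just "{K5KEY}"). The sample password and fixed salt are constructed for the demonstration. Note that {MD5} is unsalted, so two users with the same password get the same stored value; {SSHA} is what slappasswd uses by default and is the better choice of the two.

```python
"""Generate and verify RFC 2307 style userPassword values ({SSHA}, {SMD5}, {MD5}, {SHA})."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64(sha1(password + salt) + salt). slappasswd's default scheme."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def hash_smd5(password: str, salt: Optional[bytes] = None) -> str:
    """{SMD5}: base64(md5(password + salt) + salt), the salted variant of {MD5}."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def hash_md5(password: str) -> str:
    """{MD5}: base64(md5(password)). Unsalted: equal passwords give equal values."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value."""
    if not stored.startswith("{"):
        # No scheme prefix means the value is stored in cleartext.
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    scheme, _, data = stored[1:].partition("}")
    raw = base64.b64decode(data)
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]          # sha1 digest is 20 bytes, rest is salt
        calc = hashlib.sha1(pw + salt).digest()
    elif scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]          # md5 digest is 16 bytes, rest is salt
        calc = hashlib.md5(pw + salt).digest()
    elif scheme == "MD5":
        digest, calc = raw, hashlib.md5(pw).digest()
    elif scheme == "SHA":
        digest, calc = raw, hashlib.sha1(pw).digest()
    else:
        raise ValueError("unsupported password scheme: " + scheme)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(calc, digest)


def ldif_attr_line(attr: str, value: str) -> str:
    """Emit an LDIF line with the value base64-encoded after '::', as slapcat does for userPassword."""
    return attr + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def ldif_decode_value(line: str) -> str:
    """Read back the value of an LDIF line, decoding base64 when the separator is '::'."""
    attr, sep, rest = line.partition("::")
    if sep:
        return base64.b64decode(rest.strip()).decode("utf-8")
    return line.partition(":")[2].strip()


if __name__ == "__main__":
    # Constructed sample password; the salt is fixed only to make the output reproducible.
    for stored in (hash_ssha("secret", b"\x01\x02\x03\x04"), hash_smd5("secret", b"\x01\x02\x03\x04"), hash_md5("secret")):
        print(ldif_attr_line("userPassword", stored), verify("secret", stored), verify("wrong", stored))
    print(ldif_decode_value("userPassword:: e0s1S0VZfQ=="))
```

The rootdn password in slapd.conf takes the same form: "rootpw {SSHA}..." with the value from hash_ssha (or from slappasswd), and the userPassword attribute of any entry can carry one of these strings instead of the cleartext.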
smbk5pwd - slapd stops responding
by Eduardo Sachs
Hi People,
I use the smbk5pwd overlay to sync the Samba password with the
Heimdal Kerberos one.
In Debian Etch using Samba 3.0.24-6etch10, OpenLDAP 2.3.30-5+etch2
and Heimdal Kerberos 0.7.2.dfsg.1-10, I don't have problems.
But in Debian Lenny using Samba 2:3.2.5-4, OpenLDAP 2.4.11-1
and Heimdal Kerberos 1.2.dfsg.1-2.1, I have problems.
When I invoke smbpasswd or ldappasswd and try to change
the password, slapd stops responding.
With kpasswd I do not have problems: it changes the password of
Samba and Kerberos correctly, userPassword is fixed with {K5KEY}, and
slapd does not stop responding (it works correctly), but I need to change
the password with smbpasswd for Windows clients.
Below follows a more detailed debug; is there something else that I can show?
Is this a bug?
slapd.conf configuration:
moduleload smbk5pwd
overlay smbk5pwd
smbk5pwd-enable krb5
smbk5pwd-enable samba
smbk5pwd-must-change 2592000
password-hash {K5KEY}
- OpenLDAP has permission to read/write the file /var/lib/heimdal-kdc/m-key.
- I configured OpenLDAP to run as user root and group root, for tests.
smb.conf configuration about password:
ldap passwd sync = Only
unix password sync = no
Look at this example:
1 - LDAP OK:
root# ps aux|grep slapd
root 3841 3.0 0.8 21920 4512 ? Ssl 14:47 0:00
/usr/sbin/slapd -h ldap://10.111.222.100:389/
ldaps://10.111.222.100:636/ ldapi:/// -g root -u root -f
/etc/ldap/slapd.conf
root 3844 0.0 0.1 3116 728 pts/0 S+ 14:47 0:00 grep slapd
root# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: sachs(a)LOCAL.INT.BR
SASL SSF: 56
SASL data security layer installed.
dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br
2 - Change password with LDAPPASSWD:
root# ldappasswd -x -D
"krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
"uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" -w secret -S
New password:
Re-enter new password:
ldap_result: Can't contact LDAP server (-1)
root# ps aux|grep slapd
root 3832 0.0 0.1 3116 724 pts/0 S+ 14:47 0:00 grep slapd
root# ldapwhoami -Y GSSAPI
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Loglevel 256, trying to change the password with LDAPPASSWD, stops at PASSMOD:
conn=0 fd=18 ACCEPT from IP=10.111.222.100:40181 (IP=10.111.222.100:389)
conn=0 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
method=128
conn=0 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=1 PASSMOD
id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
Debug of the audit overlay, trying to change the password with LDAPPASSWD:
# modify 1236964911 dc=local,dc=int,dc=br
krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br
dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br
changetype: modify
replace: userPassword
userPassword:: e0s1S0VZfQ==
-
replace: entryCSN
entryCSN: 20090313172151.459306Z#000000#000#000000
-
replace: modifiersName
modifiersName: krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrin
cipals,ou=Usuarios,dc=local,dc=int,dc=br
-
replace: modifyTimestamp
modifyTimestamp: 20090313172151Z
-
# end replace 1236964911
3 - Change Password with SMBPASSWD:
LDAP running correctly.
root# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: sachs(a)LOCAL.INT.BR
SASL SSF: 56
SASL data security layer installed.
dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br
# smbpasswd sachs
New SMB password:
Retype new SMB password:
failed to bind to server ldaps://debian.local.int.br/ with
dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
Error: Can't contact LDAP server
(unknown)
Connection to LDAP server failed for the 2 try!
Connection to LDAP server failed for the 3 try!
Connection to LDAP server failed for the 4 try!
Connection to LDAP server failed for the 5 try!
Connection to LDAP server failed for the 6 try!
Connection to LDAP server failed for the 7 try!
Loglevel 256, trying to change the password with SMBPASSWD, stops at PASSMOD:
conn=2 fd=27 ACCEPT from IP=10.111.222.100:35715 (IP=10.111.222.100:636)
conn=2 fd=27 TLS established tls_ssf=128 ssf=128
conn=2 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
method=128
conn=2 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sachs))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn
homeDirectory loginShell gecos description objectClass
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=5 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2
deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))"
conn=1 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList
description displayName cn objectClass
conn=1 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=6 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
scope=2 deref=0
filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))"
conn=1 op=6 SRCH attr=uid sambaSid
conn=1 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1 op=7 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2
deref=0 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))"
conn=1 op=7 SRCH attr=cn displayName sambaSid sambaGroupType
conn=1 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=8 MOD dn="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
conn=1 op=8 MOD attr=sambaAcctFlags sambaAcctFlags
conn=1 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=9 SRCH attr=supportedExtension
conn=1 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=10 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1 op=10 PASSMOD
id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
conn=1 op=8 RESULT tag=103 err=0 text=
Debug of the audit overlay, trying to change the password with SMBPASSWD:
# modify 1236968199 dc=local,dc=int,dc=br
krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br
dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br
changetype: modify
delete: sambaAcctFlags
sambaAcctFlags: [U]
-
add: sambaAcctFlags
sambaAcctFlags: [U ]
-
replace: entryCSN
entryCSN: 20090313181639.613866Z#000000#000#000000
-
replace: modifiersName
modifiersName: krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrin
cipals,ou=Usuarios,dc=local,dc=int,dc=br
-
replace: modifyTimestamp
modifyTimestamp: 20090313181639Z
-
# end replace 1236968199
Thanks!!!
11 years, 10 months
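When slapd dies mid-request, the useful question for triage is which operation was still open when the log stops. The loglevel 256 ("stats") lines above follow a fixed shape: every operation is "conn=N op=M <KEYWORD> ...", and it is closed by a matching "conn=N op=M RESULT ..." or "SEARCH RESULT ..." line. The following is an added helper, not code from the post or from OpenLDAP, that walks a stats log and reports operations that never received a RESULT. The sample log is constructed from the smbpasswd trace in the post, with each log entry on a single line; run over it, the only open operation is conn=1 op=10, the Password Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1, RFC 3062), which is the request the smbk5pwd overlay intercepts.

```python
"""Find operations left open in an OpenLDAP loglevel 256 (stats) log."""
import re
from typing import Dict, List, Optional, Tuple

# RFC 3062 Password Modify extended operation; this is the OID in the post's EXT lines.
PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# conn=<n> op=<m> <KEYWORD> [<next token>] ... ; ACCEPT/TLS lines carry no op= and are skipped.
OP_RE = re.compile(r"^conn=(\d+) op=(\d+) (\S+)(?: (\S+))?")

# Constructed sample: the conn=1/conn=2 stats lines from the post, one entry per line.
SAMPLE_LOG = """\
conn=2 fd=27 ACCEPT from IP=10.111.222.100:35715 (IP=10.111.222.100:636)
conn=2 fd=27 TLS established tls_ssf=128 ssf=128
conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" method=128
conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sachs))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=8 MOD dn="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
conn=1 op=8 MOD attr=sambaAcctFlags sambaAcctFlags
conn=1 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=9 SRCH attr=supportedExtension
conn=1 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=10 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1 op=10 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
conn=1 op=8 RESULT tag=103 err=0 text=
"""


def find_unfinished_ops(lines: List[str]) -> List[Tuple[int, int, List[str], Optional[str]]]:
    """Return (conn, op, keywords seen, extended-op OID or None) for every op without a RESULT."""
    ops: Dict[Tuple[int, int], dict] = {}
    for line in lines:
        m = OP_RE.match(line)
        if not m:
            continue  # ACCEPT, TLS and wrapped continuation lines have no conn/op prefix
        conn, op, keyword, nxt = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        rec = ops.setdefault((conn, op), {"kinds": [], "oid": None, "done": False})
        if keyword == "RESULT" or (keyword == "SEARCH" and nxt == "RESULT"):
            rec["done"] = True
            continue
        if keyword not in rec["kinds"]:
            rec["kinds"].append(keyword)
        if keyword == "EXT" and nxt and nxt.startswith("oid="):
            rec["oid"] = nxt[len("oid="):]
    return [(c, o, r["kinds"], r["oid"]) for (c, o), r in sorted(ops.items()) if not r["done"]]


def is_password_modify(oid: Optional[str]) -> bool:
    """True when the open extended operation is RFC 3062 Password Modify."""
    return oid == PASSWORD_MODIFY_OID


if __name__ == "__main__":
    for conn, op, kinds, oid in find_unfinished_ops(SAMPLE_LOG.splitlines()):
        label = " (Password Modify)" if is_password_modify(oid) else ""
        print("open: conn=%d op=%d %s oid=%s%s" % (conn, op, "/".join(kinds), oid, label))
```

Read together with the audit overlay output in the post, this narrows the hang to the point between the PASSMOD line and the RESULT that never arrives; the sambaAcctFlags modify on op=8 did complete. The same helper works on any stats log captured before a crash, as long as each entry is on one line (join wrapped lines first if the log was pasted from a mail).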
Hostname does not match common name problem
by Sascha
Hi there!
I have a problem with an LDAP server that I need to connect to. I have the required certificate stored on the client but I am getting the following error message:
"TLS: hostname (A.xyz123.com) does not match common name in
certificate (*.xyz123.com)"
Is there any way to work around this problem? As far as I understand it, RFC4514 section 3.1.3 allows wildcards thus the connection should work, shouldn't it?
What is confusing me is that
"openssl s_client -connect A.xyz123.com:636 -CAfile /etc/ssl/certs/rootca.cer"
results in:
Verify return code: 0 (ok)
If I am not mistaken, openssl accepts the server based on the certificate but openldap does not.
Any help is much appreciated. I am really stuck with this. Thanks.
Regards,
Sascha
11 years, 10 months
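The rule Sascha is relying on is the server-identity check that both RFC 4513 (for LDAP) and RFC 6125 describe: the hostname is compared against the certificate's dNSName subjectAltName values, falling back to the CN, and a wildcard is allowed only as the entire left-most label, matching exactly one label. Under that rule "A.xyz123.com" does match "*.xyz123.com", whereas "a.b.xyz123.com" and the bare "xyz123.com" do not. The code below is an added example of that matching rule written from scratch; it is not libldap's or OpenSSL's implementation, and the policy of ignoring the CN whenever any dNSName SAN is present is this example's choice (RFC 6125 section 6.4.4 recommends it). The names used are the ones from the post plus a few constructed counter-examples.

```python
"""Server-identity check for a DNS hostname against certificate names (RFC 6125 style)."""
import ipaddress
from typing import Iterable, Optional


def _is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Does a presented dNSName/CN value match the hostname the client connected to?

    Rules applied (this example's reading of RFC 6125 section 6.4.3):
      - comparison is case-insensitive and ignores a trailing dot;
      - an IP literal never matches a wildcard, only an identical string;
      - a wildcard is only valid as the whole left-most label ("*.example.com", not "a*.example.com");
      - the wildcard must be followed by at least two labels ("*.com" is rejected);
      - "*" matches exactly one label, so "*.xyz123.com" does not cover "a.b.xyz123.com" or "xyz123.com".
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if _is_ip_literal(host) or "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
        return False
    if len(pat_labels) < 3:
        return False
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def verify_server_identity(hostname: str, common_name: Optional[str],
                           san_dns_names: Iterable[str] = ()) -> bool:
    """Accept the certificate if the hostname matches a SAN dNSName, or the CN when no SAN is present."""
    sans = list(san_dns_names)
    candidates = sans if sans else ([common_name] if common_name else [])
    return any(dns_name_matches(hostname, name) for name in candidates)


if __name__ == "__main__":
    # Names from the post plus constructed counter-examples.
    for host in ("A.xyz123.com", "a.b.xyz123.com", "xyz123.com"):
        print(host, "vs *.xyz123.com ->", dns_name_matches(host, "*.xyz123.com"))
    print(verify_server_identity("A.xyz123.com", "*.xyz123.com"))
    print(verify_server_identity("A.xyz123.com", "*.xyz123.com", ["ldap.other.example"]))
```

One practical consequence of the SAN rule is worth checking when a client rejects a certificate that openssl s_client verifies: "Verify return code: 0 (ok)" only says the chain validates, not that the name matched, so a certificate whose SAN list names something other than the hostname will pass s_client and still fail the client's identity check.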
CPU IOWAIT
by Sergio Cioban Filho
Hi all,
I have 2 openldap servers running on CentOS 5.2 (openldap-2.4.11 RPM:
http://staff.osuosl.org/~jeff/openldap/el5/i386/),
the single-master replication works fine, but when I have activated
mirrormode, any ldap interaction is so slow and CPU IOWAIT is 100% (in
ldapsearch or ldapadd...).
I have tried the same configuration with openldap-2.4.15 + db-4.7.25, but
this problem still occurred.
Does anyone have any idea about this problem?
** Sorry for my poor English... :)
Thanks,
Regards,
---
Sergio Cioban Filho
11 years, 10 months
newbie question: No anonymous authentication = problems
by Andreas Brudin
Hi,
I hope I am on the right list for questions like this. I manage an
OpenLDAP server installation on Ubuntu 8.10, and when I upgraded from
8.04 the configuration changed quite a bit.
I am trying to turn off anonymous access, but I get problems
connecting to the ldap database even when not using anonymous bind.
I managed to find the configuration options I was looking for (at
least I think so) with phpldapadmin. I found an object with dn
olcDatabase={1}bdb,cn=config, in which I found an attribute called
olcAccess, which I think is what I need to change. From the beginning
it said:
{0}to attrs=userPassword,shadowLastChange by
dn.base="cn=manager,dc=mydomain,dc=com" write by anonymous auth by
self write by * none
{1}to dn.base="" by * read
{2}to * by dn.base="cn=manager,dc=mydomain,dc=com" write by * read
(of course with my dc values).
I tried to change the last entry to by * none, as I do not right now
need my users to be able to read their or other users' values. It
worked as expected, from an LDAP point of view, I still could log in
anonymously, but I could not browse the database, however, logged in
as manager it worked as it should.
The problem came in postfix, because I use my LDAP database (among
other things) as an alias table. So I configured postfix not to bind
anonymously, but to use
server_host = localhost
server_port = 389
search_base = dc=mydomain, dc=com
bind = yes
bind_dn = cn=manager, dc=mydomain, dc=com
bind_pw = mysecret
result_attribute = mail
query_filter = (|(uid=%s)(mailAlias=%s))
But I got
dict_ldap_lookup: Search error 50: Insufficient access
from the mail.log
When I changed back, it worked again. I have tried to change various
things (such as putting in by anonymous auth before by * read, and
changing dc.base="..." to dc="..." both in the first and in the last
attribute value above), but it does not seem to change anything. What am I doing
wrong? Any help would be much appreciated.
Best regards,
Andreas
11 years, 10 months
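The olcAccess values in the post are evaluated with two rules that are easy to trip over: the first "to" clause whose target matches the entry and attribute is the only one considered, and inside it the first "by" clause whose subject matches the requester decides the access level (no matching "by" means none, as if "by * none" were appended). The following is an added, simplified evaluator for exactly those rules, written for this page and not taken from OpenLDAP; it models the what-specs and who-specs the post uses ("*", attrs=, dn.base=, dn.subtree=, anonymous, users, self), ignores the stop/continue/break control keywords, does not model the rootdn (which bypasses ACLs entirely), and treats an entry matched by no clause as having no access. The ACL lines are the three from the post, with the user and attribute names constructed; the second list is the same ACL with the last clause changed to "by * none" as the post describes.

```python
"""Simplified evaluator for OpenLDAP olcAccess / access clauses (first matching to, first matching by)."""
import shlex
from typing import List, Optional, Tuple

# Access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

Clause = Tuple[List[str], List[Tuple[str, str]]]


def norm_dn(dn: Optional[str]) -> str:
    """Case-fold and drop blanks after commas so "cn=manager, dc=x" equals "cn=manager,dc=x"."""
    if not dn:
        return ""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_acl(lines: List[str]) -> List[Clause]:
    """Parse 'to <what> by <who> <access> [by ...]' values; a leading {n} ordering tag is dropped."""
    clauses: List[Clause] = []
    for line in lines:
        line = line.strip()
        if line.startswith("{"):
            line = line[line.index("}") + 1:]
        toks = shlex.split(line)  # handles the quoted dn.base="..." values
        if not toks or toks[0] != "to":
            raise ValueError("clause must start with 'to': " + line)
        i, what = 1, []
        while i < len(toks) and toks[i] != "by":
            what.append(toks[i])
            i += 1
        bys: List[Tuple[str, str]] = []
        while i < len(toks):
            if toks[i] != "by" or i + 2 >= len(toks) or toks[i + 2] not in LEVELS:
                raise ValueError("malformed by-clause in: " + line)
            bys.append((toks[i + 1], toks[i + 2]))
            i += 3
        clauses.append((what, bys))
    return clauses


def what_matches(what: List[str], target_dn: str, attr: Optional[str]) -> bool:
    """All <what> specs of one clause must hold (dn and attrs specs are ANDed)."""
    for spec in what:
        if spec == "*":
            continue
        if spec.startswith("attrs="):
            wanted = [a.lower() for a in spec[len("attrs="):].split(",")]
            if attr is None or attr.lower() not in wanted:
                return False
        elif spec.startswith("dn.base=") or spec.startswith("dn.exact="):
            if norm_dn(target_dn) != norm_dn(spec.split("=", 1)[1]):
                return False
        elif spec.startswith("dn.subtree="):
            base, target = norm_dn(spec.split("=", 1)[1]), norm_dn(target_dn)
            if base and target != base and not target.endswith("," + base):
                return False
        else:
            raise ValueError("unsupported <what> spec: " + spec)
    return True


def who_matches(who: str, requester_dn: Optional[str], target_dn: str) -> bool:
    """requester_dn is None for an anonymous (unauthenticated) connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(target_dn)
    if who.startswith("dn.base=") or who.startswith("dn.exact="):
        return requester_dn is not None and norm_dn(requester_dn) == norm_dn(who.split("=", 1)[1])
    raise ValueError("unsupported <who> spec: " + who)


def granted(clauses: List[Clause], requester_dn: Optional[str], target_dn: str, attr: Optional[str] = None) -> str:
    """Level granted by the first matching clause; 'none' if no by-clause (or no clause) matches."""
    for what, bys in clauses:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in bys:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"  # implicit trailing "by * none"
    return "none"  # simplification: an entry no clause covers gets no access


def allowed(clauses: List[Clause], requester_dn: Optional[str], target_dn: str, attr: Optional[str], needed: str) -> bool:
    return LEVELS.index(granted(clauses, requester_dn, target_dn, attr)) >= LEVELS.index(needed)


# The three olcAccess values from the post, each as one string (constructed sample).
ACL_ORIGINAL = parse_acl([
    '{0}to attrs=userPassword,shadowLastChange by dn.base="cn=manager,dc=mydomain,dc=com" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn.base="cn=manager,dc=mydomain,dc=com" write by * read',
])
# The same ACL with the last clause changed to "by * none", as the post describes.
ACL_LOCKED = parse_acl([
    '{0}to attrs=userPassword,shadowLastChange by dn.base="cn=manager,dc=mydomain,dc=com" write by anonymous auth by self write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by dn.base="cn=manager,dc=mydomain,dc=com" write by * none',
])

if __name__ == "__main__":
    bob, manager = "uid=bob,ou=people,dc=mydomain,dc=com", "cn=manager, dc=mydomain, dc=com"  # constructed names
    for name, acl in (("original", ACL_ORIGINAL), ("locked", ACL_LOCKED)):
        print(name, "anon/mail:", granted(acl, None, bob, "mail"), " manager/mail:", granted(acl, manager, bob, "mail"),
              " anon/userPassword:", granted(acl, None, bob, "userPassword"), " self/userPassword:", granted(acl, bob, bob, "userPassword"))
```

Run against the locked ACL, the model gives the manager DN write (and so read) on every attribute even when written with spaces as Postfix's bind_dn has them, anonymous gets only "auth" on userPassword (enough to bind, not to read) and nothing else, and the rootDSE stays readable through clause {1}. That is the expected outcome of the change in the post; a lookup that still fails with "Insufficient access" after a successful manager bind is therefore worth checking against the actual bind that slapd logged (loglevel 256 shows the bound DN per connection) rather than against the ACL text alone.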
[Fwd: Re: OpenLDAP event in Paris - programme details]
by Howard Chu
As already mentioned, I'll be in London later this month to give a talk on
OpenLDAP and MySQL at the UKUUG LISA conference. Since I'm going to be in
Europe for a few days, the folks at Linagora in France invited me to give a
talk in Paris as well. I look forward to meeting up with our friends on the
Continent....
8<------------------------------------------------------------
Community event with Howard Chu, OpenLDAP Chief Architect, in Paris
Linagora is proud to welcome Howard Chu, OpenLDAP Chief Architect, for a
conference on OpenLDAP version 2.4, Monday 23rd March at 6 PM in Paris.
In a relaxed after-work atmosphere, come and learn more about the new
features of the open source directory server, and meet other members of
the French OpenLDAP community.
Sign-up for free by a simple email to <ldap+event2009(a)linagora.com>.
Warning: this conference will be given in English.
Where: 27 rue de Berri, 75008 Paris -
http://www.linagora.com/societe/contacts/nous_contacter/_r45.html
Professional needs? Attend a seminar on industrializing OpenLDAP with
Symas and Linagora, on Tuesday 24th March morning:
http://www.linagora.com/actualites/evenement_exceptionnel_openldap_pour_l...
8<------------------------------------------------------------
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11 years, 10 months
ldap delete and modifying by delete problems
by Catalin
Hello!
I'm trying to write a php script in order to manage my LDAP Directory
easier. Everything works fine when I'm adding new entries and when I'm
modifying an attribute.
When it comes to delete an entry from my directory or to remove an
attribute, I get error no. 8 which means
"PHP Warning: ldap_delete() [<a
href='function.ldap-delete'>function.ldap-delete</a>]: Delete: Strong(er)
authentication required in
/var/www/html/admin.mydomain.tld/responsabil/sterge.php on line 34, referer:
http://admin.mydomain.tld/responsabil/index.php?nav=del
[Tue Mar 10 07:15:03 2009] [error] [client 172.17.26.57] PHP Warning:
ldap_mod_del() [<a href='function.ldap-mod-del'>function.ldap-mod-del</a>]:
Modify: Strong(er) authentication required in
/var/www/html/admin.mydomain.tld/responsabil/sterge.php on line 37, referer:
http://admin.mydomain.tld/responsabil/index.php?nav=del"
Here is how I'm trying to do these:
<?php
$ldap = ldap_connect("localhost");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// Check the bind result instead of silencing it with @: if the bind fails the
// connection stays anonymous and the delete/modify below run without credentials.
// The second argument must be the full DN of the binding entry (e.g. the configured rootdn).
$r = ldap_bind($ldap, "root", "password");
if (!$r) {
    die("bind failed: " . ldap_error($ldap));
}
$arrayCN = array("cn=", $login, ",ou=people,dc=mydomain,dc=tld");
$CN = implode($arrayCN);
$arraygroup = array("cn=", $row_verifica[5], ",ou=departments,dc=mydomain,dc=tld");
$group = implode($arraygroup);
$entry["member"] = $CN;
// Delete the user entry, then remove it from the department group's member attribute.
$stergere = ldap_delete($ldap, $CN);
if (!$stergere) {
    echo "delete failed: " . ldap_error($ldap) . "\n";
}
$modificare = ldap_mod_del($ldap, $group, $entry);
if (!$modificare) {
    echo "modify failed: " . ldap_error($ldap) . "\n";
}
$closing = ldap_close($ldap);
?>
I think it has something to do with LDAP settings.
I'm using default settings for LDAP , I've only included a supplemental
schema to fit it for my needs.
I've generated a {SSHA} password for root.
If needed, I can send all these files.
Can anyone help?
Any suggestion would be greatly appreciated.
Thanks in advance!
Best regards!
Catalin
11 years, 10 months