openldap-technical August 2009

openldap-technical@openldap.org

65 participants
73 discussions

OpenLDAP Virtual File System
by Jon Rascal 11 Aug '09

11 Aug '09

Hi, I want to create a virtual file system where metadata is stored in an LDAP repository. Metadata includes owner, mod-time, create-time, access-control-lists, pysical file path, and, of course, LDAP's hierarchy instead of a file-system directory base. Files are to be stored on physical medium and (preferably pyton) code used to bridge the request (over https), the metadata, and the physical file stream. Users and Keys are also stored in the LDAP directory. Is this a bad use for LDAP? I'm also looking for an LDAP guru to consult for this particular project. JR

2 1

LDAP stopping without apparent reason
by Márcio Luciano Donada 11 Aug '09

11 Aug '09

Hi list, We have a service ldap, version 2.4.11-1, debian lenny, but the times have been falling and does not even have a message in the log about the fall of it. Use it for e-mail service, jabber, ftp, and website. In the logs I have the following message: Aug 8 09:34:41 ldap slapd[15338]: connection_input: conn=1332300 deferring operation: binding Aug 8 09:34:42 ldap slapd[15338]: connection_input: conn=1332301 deferring operation: binding Aug 8 09:47:46 ldap slapd[15338]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1 My configuration allow bind_v2 include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/java.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/qmail.schema include /etc/ldap/schema/authldap.schema include /etc/ldap/schema/RADIUS-LDAPv3.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 1024 modulepath /usr/lib/ldap moduleload back_hdb TLSVerifyClient demand TLSCACertificateFile /etc/ldap/ssl/server.pem TLSCertificateFile /etc/ldap/ssl/server.pem TLSCertificateKeyFile /etc/ldap/ssl/server.pem tool-threads 16 threads 32 backend hdb database hdb suffix "dc=auroraalimentos,dc=com,dc=br" rootdn "cn=suporte,dc=auroraalimentos,dc=com,dc=br" rootpw secret directory "/var/lib/ldap" idletimeout 30 timelimit 320 schemacheck on checkpoint 1024 5 cachesize 100000 dbconfig set_cachesize 0 2097152 0 lastmod on sizelimit unlimited index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uniqueMember eq index uidNumber eq index gidNumber eq index memberUID eq index mailAlternateAddress eq index MailForwardingAddress eq index mail pres,eq index default sub index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq index sambaSIDList,sambaGroupType eq index givenName eq access to attrs=userPassword,sambaLMPassword,sambaNTPassword by self write by anonymous auth by * none access to * by self write by users read by * read when the service to have a big problem, mainly because the e-mail service is affected. thanks -- Márcio Luciano Donada <mdonada at auroraalimentos dot com dot br> Aurora Alimentos - Cooperativa Central Oeste Catarinense Departamento de T.I.

2 10

ppolicy and ACLs of pwdAccountLockedTime?
by Jiri Bohac 11 Aug '09

11 Aug '09

Hi, I am having troubles making the ppolicy overlay to prevent password guessing attacks with pwdLockout with slapd-2.4.11-1 in Debian Lenny. I set pwdMaxFailure to 3. In the user object I am testing with, I never get more than two entries for pwdFailureTime and pwdAccountLockedTime is never added at all. I tracked the problem down to the ACL settings in slapd.conf. With my default access to * by dn="cn=admin,dc=example,dc=net" write by * read , I get the above result. When I rewrite the last line to "by * write", it works. The pwdFailureTime is updated, because it is defined as NO-USER-MODIFICATION, which bypasses te ACL checks for write. The problem happens when pwdMaxFailure failed logins are reached, and ppolicy.c tries to update pwdFailureTime and pwdAccountLockedTime in a single request. How is this supposed to work? - Shouldn't pwdAccountLockedTime also be defined with NO-USER-MODIFICATION? - couldn't the update request in ppolicy.c be executed with higher privileges? I tried to set up an non-anonymous bind in pam_ldap but this did not help. - is there some recommended ACL setting to grant the necessary privileges so that ppolicy.c can update pwdAccountLockedTime, but users can't? I am a splapd newbie, so maybe I don't see something obvious, but in the log below, I see: "acl_mask: to all values by "", (=0)" -- that looks like an anonymous bind, right? Allowing write for the pwdAccountLockedTime attribute to anyone does not seem a good idea ;-) Thanks for any insight! Jiri P.S.: some detailed notes from my debugging are attached below: I am authenticating with pam-ldap. When I mis-type the password of a user and do a search on the user object (with a +, to see the operational attributes), the pwdFailureTime is created. This is good. When I preform the bad login again, I get a second value for pwdFailureTime. Still good. But on the next login, instead of getting a third value for pwdFailureTime and an updated value for pwdAccountLockedTime, nothing happens. I put some more debug info into ppolicy_bind_response() like this: ----- * We only count those failures * which are not due to expire. */ Debug(LDAP_DEBUG_ANY, "xxx: counting pwdFailureTime %i/%d\n", i, fc, 0); } } if ((ppb->pp.pwdMaxFailure > 0) && (fc >= ppb->pp.pwdMaxFailure - 1)) { Debug(LDAP_DEBUG_ANY, "xxx: trying to insert pwdAccountLockedTime\n", 0, 0, 0); ----- ... in the logs (with loglevel 65535), I really see: ------ Aug 8 00:05:42 localhost slapd[15416]: xxx: counting pwdFailureTime 0/1 Aug 8 00:05:42 localhost slapd[15416]: xxx: counting pwdFailureTime 1/2 Aug 8 00:05:42 localhost slapd[15416]: xxx: trying to insert pwdAccountLockedTime [snip] Aug 8 00:05:42 localhost slapd[15416]: => access_allowed: delete access to "uid=j.bohac,ou=users,dc=example,dc=net" "pwdAccountLockedTime" requested Aug 8 00:05:42 localhost slapd[15416]: => acl_get: [2] attr pwdAccountLockedTime Aug 8 00:05:42 localhost slapd[15416]: => slap_access_allowed: result not in cache (pwdAccountLockedTime) Aug 8 00:05:42 localhost slapd[15416]: => acl_mask: access to entry "uid=j.bohac,ou=users,dc=example,dc=net", attr "pwdAccountLockedTime" requested Aug 8 00:05:42 localhost slapd[15416]: => acl_mask: to all values by "", (=0) Aug 8 00:05:42 localhost slapd[15416]: <= check a_dn_pat: cn=admin,dc=example,dc=net Aug 8 00:05:42 localhost slapd[15416]: <= check a_dn_pat: * Aug 8 00:05:42 localhost slapd[15416]: <= acl_mask: [2] applying read(=rscxd) (stop) Aug 8 00:05:42 localhost slapd[15416]: <= acl_mask: [2] mask: read(=rscxd) Aug 8 00:05:42 localhost slapd[15416]: => slap_access_allowed: delete access denied by read(=rscxd) Aug 8 00:05:42 localhost slapd[15416]: => access_allowed: no more rules ------

2 1

ldapsearch is not able to show Japanese chars
by anish patil 11 Aug '09

11 Aug '09

Hi All, I am using openldap-2.4.11 I have added localized that is japaneese use names into ldap database .Format(ldif) that i have used was UTF-8. However when i run ladearch it shows me invalid values in dn and uid filed. I want there values in localized format? how can i achieve this ? Thanks in advance -- Anish Patil -- Anish Patil

2 3

Phpldapadmin + openldap - is not registering new users
by Édnei Rodrigues 10 Aug '09

10 Aug '09

Good morning. I have OpenLdap 2.4.12 and phpldapadmin 1.0.1.. My problem is occuring when i try register a new user. Follow error: *O servidor LDAP respondeu: Object class violation Erro número: 0x41 (LDAP_OBJECT_CLASS_VIOLATION) Descrição: You tried to perform an operation that would cause an undefined attribute to exist or that would remove a required attribute, given the current list of ObjectClasses. This can also occur if you do not specify a structural objectClass when creating an entry, or if you specify more than one structural objectClass.* And /var/log/messages: *Aug 10 07:58:11 webs slapd[3426]: Entry (cn=cyrusadmin cyrusadmin,ou=People,dc=novohamburgo,dc=rs,dc=gov,dc=br): object class 'posixAccount' requires attribute 'gidNumber'* This is stranger. In the PhpLdapAdmin, the fill gidNumber is blank, don't have option for change. What's happening ? My sladp.conf: *include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/rfc2307bis.schema include /etc/openldap/schema/yast.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args modulepath /usr/lib/openldap/modules moduleload back_hdb moduleload autoPosixIds sizelimit 500 tool-threads 1 backend hdb access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,userPKCS12 by self write by * auth access to attrs=shadowLastChange by self write by * read access to * by * read loglevel -1 database bdb suffix "dc=novohamburgo,dc=rs,dc=gov,dc=br" checkpoint 1024 5 cachesize 30000 sizelimit -1 rootdn "cn=Manager,dc=novohamburgo,dc=rs,dc=gov,dc=br" rootpw {SSHA}GS89uCsqQaeBuBQ+RoxgDuY6hkg2946U* *directory /var/lib/ldap overlay autoPosixIds index objectClass eq index uid eq index memberUid eq index member eq dbconfig set_cachesize 0 2097152 0 # Sven Hartge reported that he had to set this value incredibly high # to get slapd running at all. See http://bugs.debian.org/303057 for more # information. # Number of objects that can be locked at the same time. dbconfig set_lk_max_objects 1500 # Number of locks (both requested and granted) dbconfig set_lk_max_locks 1500 # Number of lockers dbconfig set_lk_max_lockers 1500 # Save the time that the entry gets modified, for database #1 lastmod on # Checkpoint the BerkeleyDB database periodically in case of system # failure and to speed slapd shutdown. checkpoint 512 30* Thanks!

2 1

Trouble with slapd-ldap in various scenarios (LdarErr: DSID-0C090627)
by Martin Rubáš 10 Aug '09

10 Aug '09

Hello, I'm evaluating OpenLDAP and I've got cornered with slapd-ldap combined together with slapd-relay or slapo-translucent. First of all, I would like to mention that I read man pages back and forth. I also read archives of openldap.org mailing lists as well as configuration files for slapd tests. I'm still a little bit confused. The second important thing is that I don't want to enable anonymous binding at this time. Each user that access slapd is required to bind using its own DN and credentials. This statement is valid for both kind of repositories - local or remote. So, give me a chance, please... ;-) I tried several scenarios but was only partially successful. You can find more info about them below. I read about acl-bind, idassert-bind & idassert-authzFrom, mode=self but I was not able to get them working so far. I haven't used any 'authz-xxx' options yet. So, the configuration parts (below) doesn't contain only the schema includes and the config database settings. 1. What's wrong with my configuration? (cases A & B at first) I suppose that I had to use idassert-bind somehow but I don't have any idea how to do it. 2. Why is there the second connection with the strange binding request? This is probably related with question 1 but it could be an error symptom. I just want to be sure... 3. Do I have to use something else except "idassert-bind mode=self" option? I just want to bind to remote server with the proper user DN (my application is requesting data on behalf of user) and additionaly on some specific account DN (if the application is requesting data for private use). I feel that these questions could look silly, but I hope that it's better to make itself to look like fool, get advice and move forward then stand still. Thanks for any advice, Martin Rubas PS: I'm sorry for being so long... #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Notes: ~ using slapd version 2.4.15 on Ubuntu (9.04/jaunty;64-bit;localhost) - using Windows 2003 Server as PDC (pdc.domain.net) ~ command used to query: ldapsearch -x -w secret -H ldap://localhost:389 \ -D 'CN=The Root,CN=Users,DC=domain,DC=net' \ -b 'CN=The User,CN=Users,DC=domain,DC=net' \ -s sub -a always '(objectClass=*)' ~ all used accounts (The Root, The User, The Bind & Administrator) exists in Windows domain (AD) and have set password to 'secret'. 'The Root' is also member 'Domain Admins', so it should have the same access rights as 'Administrator' (at least, for AD/LDAP operations) === Case A === I started with slapd-hdb and slapo-translucent to combine data from Active Directory repository with other data from local DB. It finally got it working but only when ldapsearch command was binding with "rootdn" from slapd-hdb configuration. But I want to do binding with the (proper) user DN to slapd (local repository) as well as to AD (remote one). #====================================================================== database hdb suffix "dc=domain,dc=net" rootdn "cn=The Root,cn=Users,dc=domain,dc=net" rootpw secret directory /var/lib/ldap/lib-trans index objectClass eq index cn eq overlay translucent uri ldap://pdc.domain.net:389 binddn "cn=The Bind,cn=Users,dc=domain,dc=net" bindpw heslo lastmod off chase-referrals true rebind-as-user true #---------------------------------------------------------------------- If I use ldapsearch -D "cn=The Root,..." -b "cn=The User,..." then slapd binds to "cn=The Bind". That's correct, I guess... But when I use some other DN for -D parameter then the response is "LdarErr: DSID-0C090627 ... " (I saw that one many time in archives). It doesn't matter if it was "cn=The User,..." or "cn=The Bind". === Case B === I also tried to combine slapd-ldap together with slapd-relay extended by slapo-rwm, to get something like "domain-alias" (2 names for one repository). #====================================================================== database ldap suffix "dc=domain,dc=net" uri ldap://pdc.domain.net:389 chase-referrals yes rebind-as-user yes database relay suffix "dc=alias,dc=net" relay "dc=domain,dc=net" overlay rwm rwm-suffixmassage "dc=domain,dc=net" #---------------------------------------------------------------------- In this case, I was able to get result with -D option set to "cn=The User,cn=Users,dc=domain,dc=net" but I got the same error while using the aliased DN "cn=The Users,cn=Users,dc=alias,dc=net". === Case C/D === Finally, I gave up and tried most simple case. Plain slapd-ldap (C) and with slapo-rwm (D). This way I've got simple bridge to AD or an alias for it. #====================================================================== database ldap suffix "dc=domain,dc=net" #for C only #D#suffix "dc=alias,dc=net" uri ldap://pdc.domain.net:389 chase-referrals yes rebind-as-user yes #D#overlay rwm #D#rwm-suffixmassage "dc=domain,dc=net" #---------------------------------------------------------------------- Whoa, it worked! One small step for me, but ... Hm, pretty useless at the whole scope :-( === Network Dump === I catched a network packets and noticed some pretty wierd thing... Each ldapsearch received "LdarErr: DSID-0C090627" there way the same scenario: 1. slapd opens the connection 2. slapd binds succefully (mostly with the credentials I wanted to use) 3. slapd opens another connection 4. slapd binds again with "nothing" (displayed as "<ROOT>" in Wireshark) 5. slapd sends request and receives LdapErr 6. slapd unbinds and closses connection from step 3 x. other requests are processed repeating step 3 to 6 #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 0.000000 a.b.c.174 -> a.b.c.153 :: 50178 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=85650917 TSER=0 WS=6 2 0.000304 a.b.c.153 -> a.b.c.174 :: ldap > 50178 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0 3 0.000321 a.b.c.174 -> a.b.c.153 :: 50178 > ldap [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=85650917 TSER=0 4 0.000455 a.b.c.174 -> a.b.c.153 :: bindRequest(1) "cn=The Root,cn=Users,dc=domain,dc=net" simple 5 0.053060 a.b.c.153 -> a.b.c.174 :: bindResponse(1) success 6 0.053086 a.b.c.174 -> a.b.c.153 :: 50178 > ldap [ACK] Seq=77 Ack=23 Win=5888 Len=0 TSV=85650930 TSER=7278645 7 0.058317 a.b.c.174 -> a.b.c.153 :: 50179 > ldap [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=85650932 TSER=0 WS=6 8 0.058604 a.b.c.153 -> a.b.c.174 :: ldap > 50179 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0 9 0.058622 a.b.c.174 -> a.b.c.153 :: 50179 > ldap [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=85650932 TSER=0 10 0.058746 a.b.c.174 -> a.b.c.153 :: bindRequest(1) "<ROOT>" simple 11 0.058972 a.b.c.153 -> a.b.c.174 :: bindResponse(1) success 12 0.058992 a.b.c.174 -> a.b.c.153 :: 50179 > ldap [ACK] Seq=15 Ack=23 Win=5888 Len=0 TSV=85650932 TSER=7278645 13 0.059158 a.b.c.174 -> a.b.c.153 :: searchRequest(2) "cn=The User,cn=Users,dc=domain,dc=net" wholeSubtree 14 0.059380 a.b.c.153 -> a.b.c.174 :: searchResDone(2) operationsError (00000000: LdapErr: DSID-0C090627, comment: ...) 15 0.098978 a.b.c.174 -> a.b.c.153 :: 50179 > ldap [ACK] Seq=140 Ack=196 Win=6912 Len=0 TSV=85650942 TSER=7278645 16 225.873049 a.b.c.174 -> a.b.c.153 :: unbindRequest(3) 17 225.873111 a.b.c.174 -> a.b.c.153 :: 50179 > ldap [FIN, ACK] Seq=147 Ack=196 Win=6912 Len=0 TSV=85707385 TSER=7278645 18 225.873183 a.b.c.174 -> a.b.c.153 :: unbindRequest(2) 19 225.873227 a.b.c.174 -> a.b.c.153 :: 50178 > ldap [FIN, ACK] Seq=84 Ack=23 Win=5888 Len=0 TSV=85707385 TSER=7278645 #++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ For case A the steps 1 & 2 happens when translucent_bind action is executed (for the first time) and the step 3-6 are related to translucent_search action. I didn't check those for case B. Each successful request is processed the following way: 1. slapd opens the connection 2. slapd binds succefully (mostly with the credentials I wanted to use) 3. slapd sends request and receives the requested data 4. slapd unbinds and closses connection from step 1

2 3

Strong authentication required error
by Steinmetz, Robin 10 Aug '09

10 Aug '09

Hi, I am trying to setup a chaining configuration, all seems to work except that is i try to add/modify/del i get the message Strong auth required. Can someone help met out? Part of Chain server config: include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org overlay chain chain-uri "ldap://10.253.2.7" chain-idassert-bind bindmethod="simple" binddn="xxxx" credentials="xxxxx" mode="self" chain-tls start chain-return-error TRUE access to * by * read pidfile /var/run/slapd-test-chain.pid argsfile /var/run/slapd-test-chain.args allow bind_v2 ####################################################################### # BDB database definitions ####################################################################### database bdb overlay syncprov #sessionlog 666 10000 syncprov-checkpoint 100 10 syncprov-sessionlog 100 suffix "dc=test,c=test" # Access database admin rootdn "xxxx" rootpw xxxxx syncrepl rid=444 provider=ldap://10.253.2.9:389 bindmethod=simple binddn="xxxxx" credentials=xxxx searchbase="dc=test,c=test" schemachecking=off type=refreshAndPersist retry="60 +" updateref "ldap://10.253.2.9"

2 2

Why did an index broke my config ?
by Denis BUCHER 10 Aug '09

10 Aug '09

Hello everyone, I added this in the config of my email server : > index virtualdomain eq But it broke the mail server, all emails were refused because Relaying denied. In fact postfix was not able anymore to find domains. For some reason, adding this index in the config made impossible to find this domain for programs... Don't know if my explanation is clear, but my question is "why adding an index breaks the config" ? Thanks a lot in advance for any help ! Denis

4 4

OpenLDAP + Kerberos on FreeBSD 7.2, close to working but not quite
by Allan 09 Aug '09

09 Aug '09

Hello, I've been reading around on OpenLDAP + Kerberos (FreeBSD 7.2) for authentication/authorization. I'm a bit confused on how to get it all working but I've gotten far enough that I can run getent passwd test.user and it pulls down the information from ldap (ran as root and non-root user). I can also successfully get a ticket with kinit from various users. Where I run into problems, is actually getting services to use GSSAPI. I am currently using nss_ldap and pam_ldap to authenticate during ssh login, if there's a better alternative please let me know. Here's the setup I've got: Services -> FQDN -> IP ldap/kdc -> frisbee.crazy.lan -> 192.168.1.5 ssh -> cake.crazy.lan -> 192.168.1.6 Running kinit: ============================================================== cake# kinit ldapadm ldapadm(a)CRAZY.LAN's Password: kinit: NOTICE: ticket renewable lifetime is 1 week cake# klist Credentials cache: FILE:/tmp/krb5cc_0 Principal: ldapadm(a)CRAZY.LAN Issued Expires Principal Aug 9 17:45:41 Aug 10 03:45:41 krbtgt/CRAZY.LAN(a)CRAZY.LAN ============================================================== Here's what I run to authenticate with SSH: ============================================================== cr4z3d@Allan-PC:~$ ssh -v -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes test.user(a)cake.crazy.lan OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to cake.crazy.lan [192.168.1.6] port 22. debug1: Connection established. debug1: identity file /home/cr4z3d/.ssh/identity type -1 debug1: identity file /home/cr4z3d/.ssh/id_rsa type 1 debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 debug1: identity file /home/cr4z3d/.ssh/id_dsa type 2 debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024 debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 FreeBSD-20080901 debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'cake.crazy.lan' is known and matches the DSA host key. debug1: Found key in /home/cr4z3d/.ssh/known_hosts:47 debug1: ssh_dss_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received ============================================================== I've tried different options in /usr/local/etc/ldap.conf for pam_ldap/nss_ldap (the conf files are symlinked). The first one is with SASL turned on and the second with out. ============================================================== #define the ldap server's fqdn host frisbee.crazy.lan # define the base search pattern base dc=crazy,dc=lan # define the uri uri ldap://frisbee.crazy.lan # use starttls ssl start_tls # use sasl for all authentications use_sasl on # SASL authorization ID sasl_auth_id host/cake.crazy.lan #check the server's cert tls_checkpeer yes # full path to CA's cert tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem # enable debug #debug 9 ============================================================== Here is the logs from the ldap server: ============================================================== Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 ACCEPT from IP= 192.168.1.6:56955 (IP=0.0.0.0:389) Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 STARTTLS Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 RESULT oid= err=0 text= Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 TLS established tls_ssf=256 ssf=256 Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163 Aug 9 17:47:21 frisbee slapd[86935]: SASL [conn=15] Failure: Couldn't find mech GSSAPI Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=2 UNBIND Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 closed ============================================================== This is where I get a bit confused, it tells me that there's no mechanism for GSSAPI.. So I try changing to no SASL options in the configuration file: ============================================================== #define the ldap server's fqdn host frisbee.crazy.lan # define the base search pattern base dc=crazy,dc=lan # define the uri uri ldap://frisbee.crazy.lan # use starttls ssl start_tls #check the server's cert tls_checkpeer yes # full path to CA's cert tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem # enable debug #debug 9 ============================================================== This leads to the following in the ldap logs when trying to SSH in: ============================================================== Aug 9 18:16:57 frisbee slapd[86935]: conn=87 fd=11 ACCEPT from IP= 192.168.1.6:63817 (IP=0.0.0.0:389) Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 STARTTLS Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 RESULT oid= err=0 text= Aug 9 18:16:57 frisbee slapd[86935]: conn=87 fd=11 TLS established tls_ssf=256 ssf=256 Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 BIND dn="" method=128 Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 RESULT tag=97 err=0 text= Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test.user))" Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire Aug 9 18:16:57 frisbee slapd[86935]: <= bdb_equality_candidates: (uid) not indexed Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixGroup))" Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test.user))" Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire Aug 9 18:16:57 frisbee slapd[86935]: <= bdb_equality_candidates: (uid) not indexed Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text= ============================================================== It just keeps asking for my password and outputs the following in auth.log on the ssh server: ============================================================== Aug 9 18:36:42 cake sshd[63643]: pam_ldap: error trying to bind as user "uid=test.user,ou=people,dc=crazy,dc=lan" (Server is unwilling to perform) Aug 9 18:36:42 cake sshd[63640]: error: PAM: authentication error for test.user from 192.168.1.119 Aug 9 18:36:42 cake sshd[63644]: nss_ldap: reconnected to LDAP server ldap://frisbee.crazy.lan after 1 attempt ============================================================== So while root I tried su test.user and was surprised to see that had worked. I was able to run commands as test.user souch as touch file, but if I tried whoami it just sat there until I broke the command with ctrl+c. On the ldap server I had the following in the logs: ============================================================== Aug 9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 ACCEPT from IP= 192.168.1.6:60126 (IP=0.0.0.0:389) Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 STARTTLS Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 RESULT oid= err=0 text= Aug 9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 closed (TLS negotiation failure) Aug 9 18:49:29 frisbee slapd[86935]: conn=151 fd=15 ACCEPT from IP= 192.168.1.6:60601 (IP=0.0.0.0:389) Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 STARTTLS Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 RESULT oid= err=0 text= Aug 9 18:49:29 frisbee slapd[86935]: conn=151 fd=15 closed (TLS negotiation failure) Aug 9 18:49:29 frisbee slapd[86935]: conn=152 fd=15 ACCEPT from IP= 192.168.1.6:50915 (IP=0.0.0.0:389) Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 STARTTLS Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 RESULT oid= err=0 text= Aug 9 18:49:29 frisbee slapd[86935]: conn=152 fd=15 closed (TLS negotiation failure) ============================================================== There seems to be something wrong with the TLS negotiation, but I've ensured that the CN for my key is frisbee.crazy.lan. I Set the CA's cert CN to allanfeid.com (i own the domain) At this point I'm unsure where to go to continue troubleshooting and getting this to work. I'm just trying to get a solid Single Sign-on solution using kerberos, ldap, and sasl for a learning experience. If there is a more appropriate way of acheiving this, I'm open to suggestions. Here's my ldap and slapd configuration files: (server) frisbee# cat /usr/local/etc/openldap/ldap.conf ============================================================== TLS_CACERT /usr/local/etc/openldap/certs/CA/cacert.pem ============================================================== (client) cake# cat /usr/local/etc/openldap/ldap.conf ============================================================== # path to CA's cert TLS_CACERT /usr/local/etc/openldap/certs/cacert.pem # define base to our search BASE dc=crazy,dc=lan # define uri to openldap URI ldap://frisbee.crazy.lan ============================================================== (server) frisbee# cat /usr/local/etc/openldap/slapd.conf note: i removed a lot of comments to save space ============================================================== include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/duaconf.schema include /usr/local/etc/openldap/schema/dyngroup.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/krb5-kdc.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # SSL/TLS cipher order preference TLSCipherSuite HIGH # Full path to CA cert file TLSCACertificateFile /usr/local/etc/openldap/certs/CA/cacert.pem # Full path to server's TLS cert TLSCertificateFile /usr/local/etc/openldap/certs/private/slapdcert.pem # Full path to server's TLS key TLSCertificateKeyFile /usr/local/etc/openldap/certs/private/slapdkey.pem # Password hashing mechanism password-hash {SSHA} # log level loglevel 256 # refuse simple binds disallow bind_simple ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=crazy,dc=lan" directory /var/db/openldap-data # Indices to maintain index default eq,pres index objectClass eq index cn,sn,givenname,mail eq,pres,sub # ACL Definitions authz-policy from authz-regexp uid=(.*),cn=crazy.lan,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=crazy,dc=lan # SASL hostname sasl-host frisbee.crazy.lan access to * by dn="uid=ldapadm,cn=gssapi,cn=auth" write by * read access to * by * read ==============================================================

2 1

Using syncrepl in single slapd instance.
by Laurence Field 07 Aug '09

07 Aug '09

I have been investigating the use of syncrepl as a replacement for the mechanism we are currently using in our system and become stuck. Here is the scenario to put the problem in context. Within our infrastructure there is the order of 1000 Grid services each of which runs its own LDAP server that contains information about its structure and state under the DN mds-vo-name=resource,o=grid. Each institute that that operates a Grid service (in the order of 300 distributed globally), runs an LDAP server containing the consolidated information from all services within its domain under the DN mds-vo-name=site-name,o=grid. In addition, there are about 70 top-level LDAP servers distributed globally that contain the consolidated information from all sites using the DN mds-vo-name=local,o=grid. At the moment the LDAP databases are updated externally via process that polls the LDAP server for all information, which is very inefficient. Syncrepl seems to be a better mechanism to use however, I am having difficulty with one scenario. Using standard syncrepl with a relay, the site-level LDAP server can be configured with the following slapd.conf file. http://lfield.web.cern.ch/lfield/bdii-slapd.conf-basic-rep However, the site LDAP server is a Grid service and needs to publish itself. If I try to just to an LDAP add I get the following message, which I guess is due to the fact that this part of the database is now "owned" by the syncrepl process. ldap_add: Server is unwilling to perform (53) additional info: shadow context; no update referral I tried to work around this problem by using another database and some more relays the result of which can be seen in the following file. http://lfield.web.cern.ch/lfield/bdii-slapd.conf However, this result with the following error, which suggests that I can't "mask" a database with a relay that points somewhere else. bdii-slapd.conf: line 69: <suffix> namingContext "Mds-Vo-name=resource,o=internal" already served by a preceding bdb database serving namingContext "Mds-Vo-name=resource,o=internal" Does anyone have an example of how to do a syncrepl where a single slapd instance can act as both the consumer and producer? Also, has anyone done any scalability/reliability tests with syncrepl? Thanks, Laurence

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2009