OpenLDAP Virtual File System
by Jon Rascal
Hi,
I want to create a virtual file system where metadata is stored in an LDAP
repository. Metadata includes owner, mod-time, create-time,
access-control-lists, physical file path, and, of course, LDAP's hierarchy
instead of a file-system directory base.
Files are to be stored on physical medium and (preferably python) code used
to bridge the request (over https), the metadata, and the physical file
stream.
Users and Keys are also stored in the LDAP directory.
Is this a bad use for LDAP?
I'm also looking for an LDAP guru to consult for this particular project.
JR
14 years, 3 months
LDAP stopping without apparent reason
by Márcio Luciano Donada
Hi list,
We have an LDAP service, version 2.4.11-1, on Debian lenny, but at times it
has been going down and there is not even a message in the log about it
going down. We use it for e-mail, jabber, ftp, and website. In the
logs I have the following message:
Aug 8 09:34:41 ldap slapd[15338]: connection_input: conn=1332300
deferring operation: binding
Aug 8 09:34:42 ldap slapd[15338]: connection_input: conn=1332301
deferring operation: binding
Aug 8 09:47:46 ldap slapd[15338]: slap_global_control: unrecognized
control: 1.3.6.1.4.1.42.2.27.8.5.1
My configuration
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/qmail.schema
include /etc/ldap/schema/authldap.schema
include /etc/ldap/schema/RADIUS-LDAPv3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 1024
modulepath /usr/lib/ldap
moduleload back_hdb
TLSVerifyClient demand
TLSCACertificateFile /etc/ldap/ssl/server.pem
TLSCertificateFile /etc/ldap/ssl/server.pem
TLSCertificateKeyFile /etc/ldap/ssl/server.pem
tool-threads 16
threads 32
backend hdb
database hdb
suffix "dc=auroraalimentos,dc=com,dc=br"
rootdn "cn=suporte,dc=auroraalimentos,dc=com,dc=br"
rootpw secret
directory "/var/lib/ldap"
idletimeout 30
timelimit 320
schemacheck on
checkpoint 1024 5
cachesize 100000
dbconfig set_cachesize 0 2097152 0
lastmod on
sizelimit unlimited
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uniqueMember eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index mailAlternateAddress eq
index MailForwardingAddress eq
index mail pres,eq
index default sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index sambaSIDList,sambaGroupType eq
index givenName eq
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by self write
by users read
by * read
When the service stops it is a big problem, mainly because the e-mail
service is affected. Thanks
--
Márcio Luciano Donada <mdonada at auroraalimentos dot com dot br>
Aurora Alimentos - Cooperativa Central Oeste Catarinense
Departamento de T.I.
14 years, 3 months
ppolicy and ACLs of pwdAccountLockedTime?
by Jiri Bohac
Hi,
I am having troubles making the ppolicy overlay to prevent password
guessing attacks with pwdLockout with slapd-2.4.11-1 in Debian Lenny.
I set pwdMaxFailure to 3. In the user object I am testing with, I never get
more than two entries for pwdFailureTime and pwdAccountLockedTime is never
added at all.
I tracked the problem down to the ACL settings in slapd.conf. With my default ACL of
access to *
by dn="cn=admin,dc=example,dc=net" write
by * read
I get the above result. When I rewrite the last line to "by * write", it works.
The pwdFailureTime is updated, because it is defined as
NO-USER-MODIFICATION, which bypasses the ACL checks for write.
The problem happens when pwdMaxFailure failed logins are reached,
and ppolicy.c tries to update pwdFailureTime and pwdAccountLockedTime
in a single request.
How is this supposed to work?
- Shouldn't pwdAccountLockedTime also be defined with NO-USER-MODIFICATION?
- couldn't the update request in ppolicy.c be executed with higher
privileges? I tried to set up a non-anonymous bind in
pam_ldap but this did not help.
- is there some recommended ACL setting to grant the necessary privileges so that
ppolicy.c can update pwdAccountLockedTime, but users can't?
I am a slapd newbie, so maybe I don't see something obvious, but in
the log below, I see: "acl_mask: to all values by "", (=0)" -- that
looks like an anonymous bind, right? Allowing write for the
pwdAccountLockedTime attribute to anyone does not seem a good idea ;-)
Thanks for any insight!
Jiri
P.S.: some detailed notes from my debugging are attached below:
I am authenticating with pam-ldap. When I mis-type the password
of a user and do a search on the user object (with a +, to see
the operational attributes), the pwdFailureTime is created. This
is good.
When I perform the bad login again, I get a second value for
pwdFailureTime. Still good.
But on the next login, instead of getting a third value for
pwdFailureTime and an updated value for pwdAccountLockedTime, nothing
happens. I put some more debug info into ppolicy_bind_response() like
this:
-----
/* We only count those failures
* which are not due to expire.
*/
Debug(LDAP_DEBUG_ANY, "xxx: counting pwdFailureTime %i/%d\n", i, fc, 0);
}
}
if ((ppb->pp.pwdMaxFailure > 0) &&
(fc >= ppb->pp.pwdMaxFailure - 1)) {
Debug(LDAP_DEBUG_ANY, "xxx: trying to insert pwdAccountLockedTime\n", 0, 0, 0);
-----
... in the logs (with loglevel 65535), I really see:
------
Aug 8 00:05:42 localhost slapd[15416]: xxx: counting pwdFailureTime 0/1
Aug 8 00:05:42 localhost slapd[15416]: xxx: counting pwdFailureTime 1/2
Aug 8 00:05:42 localhost slapd[15416]: xxx: trying to insert pwdAccountLockedTime
[snip]
Aug 8 00:05:42 localhost slapd[15416]: => access_allowed: delete access to "uid=j.bohac,ou=users,dc=example,dc=net" "pwdAccountLockedTime" requested
Aug 8 00:05:42 localhost slapd[15416]: => acl_get: [2] attr pwdAccountLockedTime
Aug 8 00:05:42 localhost slapd[15416]: => slap_access_allowed: result not in cache (pwdAccountLockedTime)
Aug 8 00:05:42 localhost slapd[15416]: => acl_mask: access to entry "uid=j.bohac,ou=users,dc=example,dc=net", attr "pwdAccountLockedTime" requested
Aug 8 00:05:42 localhost slapd[15416]: => acl_mask: to all values by "", (=0)
Aug 8 00:05:42 localhost slapd[15416]: <= check a_dn_pat: cn=admin,dc=example,dc=net
Aug 8 00:05:42 localhost slapd[15416]: <= check a_dn_pat: *
Aug 8 00:05:42 localhost slapd[15416]: <= acl_mask: [2] applying read(=rscxd) (stop)
Aug 8 00:05:42 localhost slapd[15416]: <= acl_mask: [2] mask: read(=rscxd)
Aug 8 00:05:42 localhost slapd[15416]: => slap_access_allowed: delete access denied by read(=rscxd)
Aug 8 00:05:42 localhost slapd[15416]: => access_allowed: no more rules
------
14 years, 3 months
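The thread above turns on how slapd selects an ACL for a request: the first "access to" directive whose target matches is consulted, and inside it the first matching "by" clause decides the privilege and stops. The following is an added example, not code from the post or from OpenLDAP; it models exactly that evaluation order for the ACL and the request the post's log shows (an empty requester DN, i.e. anonymous, asking for delete access to pwdAccountLockedTime on the user entry). Only the syntax appearing in the thread is parsed; the rootdn bypass, the break/continue controls, dn.regex patterns and value-level access are not modelled, and the dn= clause is compared as an exact DN.

```python
# Added example (not from the post or from OpenLDAP): a minimal model of
# slapd's ACL evaluation order, applied to the ACL and request in the thread.
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# slapd privilege levels, lowest to highest.  Adding or deleting attribute
# values requires "write"; "manage" sits above it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
RANK = {name: i for i, name in enumerate(LEVELS)}
REQUIRED = {"add": "write", "delete": "write", "read": "read", "auth": "auth"}


@dataclass
class By:
    who: str        # self | anonymous | users | * | dn="<exact dn>"
    level: str


@dataclass
class Access:
    attrs: Optional[Set[str]]                    # None means 'access to *'
    clauses: List[By] = field(default_factory=list)


def norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN form (enough for cn/uid/dc RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acl(text: str) -> List[Access]:
    """Parse the subset of slapd.conf ACL syntax used in the thread."""
    rules: List[Access] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.fullmatch(r"access\s+to\s+(\*|attrs=(\S+))", line):
            attrs = None if m.group(1) == "*" else {a.lower() for a in m.group(2).split(",")}
            rules.append(Access(attrs))
        elif (m := re.fullmatch(r'by\s+(self|anonymous|users|\*|dn="[^"]+")\s+(\w+)', line)) and rules:
            rules[-1].clauses.append(By(m.group(1), m.group(2)))
        else:
            raise ValueError(f"unsupported ACL line: {line!r}")
    return rules


def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and norm_dn(bind_dn) == norm_dn(target_dn)
    return norm_dn(who[4:-1]) == norm_dn(bind_dn)      # dn="..." compared exactly


def evaluate(rules: List[Access], bind_dn: str, target_dn: str,
             attr: str, op: str) -> Tuple[bool, str]:
    """(allowed, level granted) for `op` on `attr` of `target_dn` by `bind_dn`.

    Only the first 'access to' whose target matches is consulted; inside it the
    first matching 'by' clause decides and evaluation stops (default control).
    A directive that matches but has no matching 'by' clause grants nothing."""
    for rule in rules:
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for clause in rule.clauses:
            if who_matches(clause.who, bind_dn, target_dn):
                return RANK[clause.level] >= RANK[REQUIRED[op]], clause.level
        return False, "none"
    return False, "none"


# The ACL from the post, and the variant the poster says makes lockout work.
ACL_DEFAULT = parse_acl('''
access to *
    by dn="cn=admin,dc=example,dc=net" write
    by * read
''')
ACL_ALL_WRITE = parse_acl('''
access to *
    by dn="cn=admin,dc=example,dc=net" write
    by * write
''')
USER = "uid=j.bohac,ou=users,dc=example,dc=net"   # entry from the post's log
ATTR = "pwdAccountLockedTime"


def lockout_update_cases():
    """The outcomes the thread describes, keyed by scenario."""
    return {
        "anonymous, default ACL": evaluate(ACL_DEFAULT, "", USER, ATTR, "delete"),
        "admin, default ACL": evaluate(ACL_DEFAULT, "cn=admin,dc=example,dc=net", USER, ATTR, "delete"),
        "anonymous, by * write": evaluate(ACL_ALL_WRITE, "", USER, ATTR, "delete"),
        "user itself, by * write": evaluate(ACL_ALL_WRITE, USER, USER, ATTR, "delete"),
    }


if __name__ == "__main__":
    for name, (allowed, level) in lockout_update_cases().items():
        print(f"{name:26s} -> granted {level:5s}, delete {'allowed' if allowed else 'denied'}")
```

The first case reproduces the log: the dn= clause does not match an empty requester, "by * read" does, read is below write, so "delete access denied by read(=rscxd)". The last two cases show the cost of the workaround: "by * write" grants write on every attribute of every entry to anonymous and authenticated users alike, which is the concern the poster raises. The model says nothing about whether ppolicy's internal update should run with higher privileges; it only shows which clause slapd lands on for a given requester.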
ldapsearch is not able to show Japanese chars
by anish patil
Hi All,
I am using openldap-2.4.11
I have added localized, that is Japanese, user names into the LDAP database.
The format (LDIF) that I used was UTF-8.
However, when I run ldapsearch it shows me invalid values in the dn and uid fields.
I want these values in localized format. How can I achieve this?
Thanks in advance
--
Anish Patil
14 years, 3 months
Phpldapadmin + openldap - is not registering new users
by Édnei Rodrigues
Good morning.
I have OpenLDAP 2.4.12 and phpldapadmin 1.0.1. My problem occurs when
I try to register a new user. The error follows:
O servidor LDAP respondeu: Object class violation
Erro número: 0x41 (LDAP_OBJECT_CLASS_VIOLATION)
Descrição: You tried to perform an operation that would cause an undefined
attribute to exist or that would remove a required attribute, given the
current list of ObjectClasses. This can also occur if you do not specify a
structural objectClass when creating an entry, or if you specify more than
one structural objectClass.
And /var/log/messages:
Aug 10 07:58:11 webs slapd[3426]: Entry (cn=cyrusadmin
cyrusadmin,ou=People,dc=novohamburgo,dc=rs,dc=gov,dc=br): object class
'posixAccount' requires attribute 'gidNumber'
This is strange. In phpLDAPadmin, the gidNumber field is blank and there is
no option to change it. What's happening?
My slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
moduleload back_hdb
moduleload autoPosixIds
sizelimit 500
tool-threads 1
backend hdb
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
loglevel -1
database bdb
suffix "dc=novohamburgo,dc=rs,dc=gov,dc=br"
checkpoint 1024 5
cachesize 30000
sizelimit -1
rootdn "cn=Manager,dc=novohamburgo,dc=rs,dc=gov,dc=br"
rootpw {SSHA}GS89uCsqQaeBuBQ+RoxgDuY6hkg2946U
directory /var/lib/ldap
overlay autoPosixIds
index objectClass eq
index uid eq
index memberUid eq
index member eq
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
Thanks!
14 years, 3 months
Trouble with slapd-ldap in various scenarios (LdarErr: DSID-0C090627)
by Martin Rubáš
Hello,
I'm evaluating OpenLDAP and I've got cornered with slapd-ldap combined
together
with slapd-relay or slapo-translucent.
First of all, I would like to mention that I read man pages back and forth.
I also read archives of openldap.org mailing lists as well as configuration
files for slapd tests. I'm still a little bit confused.
The second important thing is that I don't want to enable anonymous
binding at
this time. Each user that accesses slapd is required to bind using its own DN
and credentials. This statement is valid for both kinds of repositories -
local or remote.
So, give me a chance, please... ;-)
I tried several scenarios but was only partially successful. You can find
more info about them below.
I read about acl-bind, idassert-bind & idassert-authzFrom, mode=self but
I was not able to get them working so far. I haven't used any 'authz-xxx'
options yet. So, the configuration parts (below) omit only the
schema includes and the config database settings.
1. What's wrong with my configuration? (cases A & B at first)
I suppose that I had to use idassert-bind somehow but I don't have any idea
how to do it.
2. Why is there the second connection with the strange binding request?
This is probably related with question 1 but it could be an error symptom.
I just want to be sure...
3. Do I have to use something else except "idassert-bind mode=self" option?
I just want to bind to the remote server with the proper user DN (my
application
is requesting data on behalf of a user) and additionally with some specific
account DN (if the application is requesting data for private use).
I feel that these questions could look silly, but I hope that it's better
to make oneself look like a fool, get advice and move forward than to stand
still.
Thanks for any advice,
Martin Rubas
PS: I'm sorry for being so long...
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Notes:
~ using slapd version 2.4.15 on Ubuntu (9.04/jaunty;64-bit;localhost)
- using Windows 2003 Server as PDC (pdc.domain.net)
~ command used to query:
ldapsearch -x -w secret -H ldap://localhost:389 \
-D 'CN=The Root,CN=Users,DC=domain,DC=net' \
-b 'CN=The User,CN=Users,DC=domain,DC=net' \
-s sub -a always '(objectClass=*)'
~ all used accounts (The Root, The User, The Bind & Administrator) exist
in the Windows domain (AD) and have their password set to 'secret'. 'The Root' is
also a member of 'Domain Admins', so it should have the same access rights as
'Administrator' (at least, for AD/LDAP operations)
=== Case A ===
I started with slapd-hdb and slapo-translucent to combine data from the
Active Directory repository with other data from a local DB. I finally got
it working, but only when the ldapsearch command was binding with the "rootdn" from the
slapd-hdb configuration. But I want to do the binding with the (proper) user DN
to slapd (local repository) as well as to AD (remote one).
#======================================================================
database hdb
suffix "dc=domain,dc=net"
rootdn "cn=The Root,cn=Users,dc=domain,dc=net"
rootpw secret
directory /var/lib/ldap/lib-trans
index objectClass eq
index cn eq
overlay translucent
uri ldap://pdc.domain.net:389
binddn "cn=The Bind,cn=Users,dc=domain,dc=net"
bindpw heslo
lastmod off
chase-referrals true
rebind-as-user true
#----------------------------------------------------------------------
If I use ldapsearch -D "cn=The Root,..." -b "cn=The User,..." then slapd
binds to "cn=The Bind". That's correct, I guess...
But when I use some other DN for the -D parameter then the response is
"LdarErr: DSID-0C090627 ... " (I saw that one many times in the archives).
It doesn't matter if it was "cn=The User,..." or "cn=The Bind".
=== Case B ===
I also tried to combine slapd-ldap together with slapd-relay extended by
slapo-rwm, to get something like "domain-alias" (2 names for one
repository).
#======================================================================
database ldap
suffix "dc=domain,dc=net"
uri ldap://pdc.domain.net:389
chase-referrals yes
rebind-as-user yes
database relay
suffix "dc=alias,dc=net"
relay "dc=domain,dc=net"
overlay rwm
rwm-suffixmassage "dc=domain,dc=net"
#----------------------------------------------------------------------
In this case, I was able to get a result with the -D option set to
"cn=The User,cn=Users,dc=domain,dc=net" but I got the same error while
using
the aliased DN "cn=The Users,cn=Users,dc=alias,dc=net".
=== Case C/D ===
Finally, I gave up and tried the most simple case. Plain slapd-ldap (C) and
with slapo-rwm (D). This way I've got a simple bridge to AD or an alias
for it.
#======================================================================
database ldap
suffix "dc=domain,dc=net" #for C only
#D#suffix "dc=alias,dc=net"
uri ldap://pdc.domain.net:389
chase-referrals yes
rebind-as-user yes
#D#overlay rwm
#D#rwm-suffixmassage "dc=domain,dc=net"
#----------------------------------------------------------------------
Whoa, it worked!
One small step for me, but ... Hm, pretty useless at the whole scope :-(
=== Network Dump ===
I captured the network packets and noticed a pretty weird thing...
For each ldapsearch that received "LdarErr: DSID-0C090627" there was the same
scenario:
1. slapd opens the connection
2. slapd binds successfully (mostly with the credentials I wanted to use)
3. slapd opens another connection
4. slapd binds again with "nothing" (displayed as "<ROOT>" in Wireshark)
5. slapd sends request and receives LdapErr
6. slapd unbinds and closes the connection from step 3
x. other requests are processed repeating step 3 to 6
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 0.000000 a.b.c.174 -> a.b.c.153 :: 50178 > ldap [SYN] Seq=0
Win=5840 Len=0 MSS=1460 TSV=85650917 TSER=0 WS=6
2 0.000304 a.b.c.153 -> a.b.c.174 :: ldap > 50178 [SYN, ACK] Seq=0
Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
3 0.000321 a.b.c.174 -> a.b.c.153 :: 50178 > ldap [ACK] Seq=1 Ack=1
Win=5888 Len=0 TSV=85650917 TSER=0
4 0.000455 a.b.c.174 -> a.b.c.153 :: bindRequest(1) "cn=The
Root,cn=Users,dc=domain,dc=net" simple
5 0.053060 a.b.c.153 -> a.b.c.174 :: bindResponse(1) success
6 0.053086 a.b.c.174 -> a.b.c.153 :: 50178 > ldap [ACK] Seq=77
Ack=23 Win=5888 Len=0 TSV=85650930 TSER=7278645
7 0.058317 a.b.c.174 -> a.b.c.153 :: 50179 > ldap [SYN] Seq=0
Win=5840 Len=0 MSS=1460 TSV=85650932 TSER=0 WS=6
8 0.058604 a.b.c.153 -> a.b.c.174 :: ldap > 50179 [SYN, ACK] Seq=0
Ack=1 Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
9 0.058622 a.b.c.174 -> a.b.c.153 :: 50179 > ldap [ACK] Seq=1 Ack=1
Win=5888 Len=0 TSV=85650932 TSER=0
10 0.058746 a.b.c.174 -> a.b.c.153 :: bindRequest(1) "<ROOT>" simple
11 0.058972 a.b.c.153 -> a.b.c.174 :: bindResponse(1) success
12 0.058992 a.b.c.174 -> a.b.c.153 :: 50179 > ldap [ACK] Seq=15
Ack=23 Win=5888 Len=0 TSV=85650932 TSER=7278645
13 0.059158 a.b.c.174 -> a.b.c.153 :: searchRequest(2) "cn=The
User,cn=Users,dc=domain,dc=net" wholeSubtree
14 0.059380 a.b.c.153 -> a.b.c.174 :: searchResDone(2)
operationsError (00000000: LdapErr: DSID-0C090627, comment: ...)
15 0.098978 a.b.c.174 -> a.b.c.153 :: 50179 > ldap [ACK] Seq=140
Ack=196 Win=6912 Len=0 TSV=85650942 TSER=7278645
16 225.873049 a.b.c.174 -> a.b.c.153 :: unbindRequest(3)
17 225.873111 a.b.c.174 -> a.b.c.153 :: 50179 > ldap [FIN, ACK] Seq=147
Ack=196 Win=6912 Len=0 TSV=85707385 TSER=7278645
18 225.873183 a.b.c.174 -> a.b.c.153 :: unbindRequest(2)
19 225.873227 a.b.c.174 -> a.b.c.153 :: 50178 > ldap [FIN, ACK] Seq=84
Ack=23 Win=5888 Len=0 TSV=85707385 TSER=7278645
#++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
For case A, steps 1 & 2 happen when the translucent_bind action is executed
(for the first time) and steps 3-6 are related to the translucent_search
action.
I didn't check those for case B.
Each successful request is processed the following way:
1. slapd opens the connection
2. slapd binds successfully (mostly with the credentials I wanted to use)
3. slapd sends request and receives the requested data
4. slapd unbinds and closes the connection from step 1
14 years, 3 months
Strong authentication required error
by Steinmetz, Robin
Hi,
I am trying to set up a chaining configuration; all seems to work except that if I try to add/modify/del I get the message "Strong auth required". Can someone help me out?
Part of Chain server config:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
overlay chain
chain-uri "ldap://10.253.2.7"
chain-idassert-bind bindmethod="simple"
binddn="xxxx"
credentials="xxxxx"
mode="self"
chain-tls start
chain-return-error TRUE
access to * by * read
pidfile /var/run/slapd-test-chain.pid
argsfile /var/run/slapd-test-chain.args
allow bind_v2
#######################################################################
# BDB database definitions
#######################################################################
database bdb
overlay syncprov
#sessionlog 666 10000
syncprov-checkpoint 100 10
syncprov-sessionlog 100
suffix "dc=test,c=test"
# Access database admin
rootdn "xxxx"
rootpw xxxxx
syncrepl rid=444
provider=ldap://10.253.2.9:389
bindmethod=simple
binddn="xxxxx"
credentials=xxxx
searchbase="dc=test,c=test"
schemachecking=off
type=refreshAndPersist
retry="60 +"
updateref "ldap://10.253.2.9"
14 years, 3 months
Why did an index break my config?
by Denis BUCHER
Hello everyone,
I added this in the config of my email server:
> index virtualdomain eq
But it broke the mail server: all emails were refused because of "Relaying
denied". In fact postfix was no longer able to find domains.
For some reason, adding this index in the config made it impossible for
programs to find this domain...
Don't know if my explanation is clear, but my question is "why does adding an
index break the config"?
Thanks a lot in advance for any help !
Denis
14 years, 3 months
OpenLDAP + Kerberos on FreeBSD 7.2, close to working but not quite
by Allan
Hello, I've been reading around on OpenLDAP + Kerberos (FreeBSD 7.2) for
authentication/authorization. I'm a bit confused on how to get it all
working but I've gotten far enough that I can run getent passwd test.user
and it pulls down the information from ldap (ran as root and non-root user).
I can also successfully get a ticket with kinit from various users. Where I
run into problems, is actually getting services to use GSSAPI. I am
currently using nss_ldap and pam_ldap to authenticate during ssh login, if
there's a better alternative please let me know.
Here's the setup I've got:
Services -> FQDN -> IP
ldap/kdc -> frisbee.crazy.lan -> 192.168.1.5
ssh -> cake.crazy.lan -> 192.168.1.6
Running kinit:
==============================================================
cake# kinit ldapadm
ldapadm(a)CRAZY.LAN's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
cake# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ldapadm(a)CRAZY.LAN
Issued Expires Principal
Aug 9 17:45:41 Aug 10 03:45:41 krbtgt/CRAZY.LAN(a)CRAZY.LAN
==============================================================
Here's what I run to authenticate with SSH:
==============================================================
cr4z3d@Allan-PC:~$ ssh -v -oGSSAPIAuthentication=yes
-oGSSAPIDelegateCredentials=yes test.user(a)cake.crazy.lan
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to cake.crazy.lan [192.168.1.6] port 22.
debug1: Connection established.
debug1: identity file /home/cr4z3d/.ssh/identity type -1
debug1: identity file /home/cr4z3d/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/cr4z3d/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1
FreeBSD-20080901
debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'cake.crazy.lan' is known and matches the DSA host key.
debug1: Found key in /home/cr4z3d/.ssh/known_hosts:47
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
==============================================================
I've tried different options in /usr/local/etc/ldap.conf for
pam_ldap/nss_ldap (the conf files are symlinked). The first one is with SASL
turned on and the second without.
==============================================================
#define the ldap server's fqdn
host frisbee.crazy.lan
# define the base search pattern
base dc=crazy,dc=lan
# define the uri
uri ldap://frisbee.crazy.lan
# use starttls
ssl start_tls
# use sasl for all authentications
use_sasl on
# SASL authorization ID
sasl_auth_id host/cake.crazy.lan
#check the server's cert
tls_checkpeer yes
# full path to CA's cert
tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem
# enable debug
#debug 9
==============================================================
Here are the logs from the ldap server:
==============================================================
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 ACCEPT from IP=
192.168.1.6:56955 (IP=0.0.0.0:389)
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 STARTTLS
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 RESULT oid= err=0 text=
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 TLS established
tls_ssf=256 ssf=256
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163
Aug 9 17:47:21 frisbee slapd[86935]: SASL [conn=15] Failure: Couldn't find
mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7
text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=2 UNBIND
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 closed
==============================================================
This is where I get a bit confused, it tells me that there's no mechanism
for GSSAPI.. So I try changing to no SASL options in the configuration file:
==============================================================
#define the ldap server's fqdn
host frisbee.crazy.lan
# define the base search pattern
base dc=crazy,dc=lan
# define the uri
uri ldap://frisbee.crazy.lan
# use starttls
ssl start_tls
#check the server's cert
tls_checkpeer yes
# full path to CA's cert
tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem
# enable debug
#debug 9
==============================================================
This leads to the following in the ldap logs when trying to SSH in:
==============================================================
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 fd=11 ACCEPT from IP=
192.168.1.6:63817 (IP=0.0.0.0:389)
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 STARTTLS
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 RESULT oid= err=0 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 fd=11 TLS established
tls_ssf=256 ssf=256
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 BIND dn="" method=128
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 RESULT tag=97 err=0 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SRCH
base="dc=crazy,dc=lan" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=test.user))"
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass shadowLastChange shadowMax shadowExpire
Aug 9 18:16:57 frisbee slapd[86935]: <= bdb_equality_candidates: (uid) not
indexed
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SRCH
base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SRCH attr=cn userPassword
memberUid uniqueMember gidNumber
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SRCH
base="dc=crazy,dc=lan" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=test.user))"
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass shadowLastChange shadowMax shadowExpire
Aug 9 18:16:57 frisbee slapd[86935]: <= bdb_equality_candidates: (uid) not
indexed
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SEARCH RESULT tag=101
err=0 nentries=1 text=
==============================================================
It just keeps asking for my password and outputs the following in auth.log
on the ssh server:
==============================================================
Aug 9 18:36:42 cake sshd[63643]: pam_ldap: error trying to bind as user
"uid=test.user,ou=people,dc=crazy,dc=lan" (Server is unwilling to perform)
Aug 9 18:36:42 cake sshd[63640]: error: PAM: authentication error for
test.user from 192.168.1.119
Aug 9 18:36:42 cake sshd[63644]: nss_ldap: reconnected to LDAP server
ldap://frisbee.crazy.lan after 1 attempt
==============================================================
So while root I tried su test.user and was surprised to see that it had worked.
I was able to run commands as test.user such as touch file, but if I tried
whoami it just sat there until I broke the command with ctrl+c. On the ldap
server I had the following in the logs:
==============================================================
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 ACCEPT from IP=
192.168.1.6:60126 (IP=0.0.0.0:389)
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 STARTTLS
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 RESULT oid= err=0 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 closed (TLS negotiation
failure)
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 fd=15 ACCEPT from IP=
192.168.1.6:60601 (IP=0.0.0.0:389)
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 STARTTLS
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 RESULT oid= err=0 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 fd=15 closed (TLS negotiation
failure)
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 fd=15 ACCEPT from IP=
192.168.1.6:50915 (IP=0.0.0.0:389)
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 STARTTLS
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 RESULT oid= err=0 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 fd=15 closed (TLS negotiation
failure)
==============================================================
There seems to be something wrong with the TLS negotiation, but I've ensured
that the CN for my key is frisbee.crazy.lan. I set the CA's cert CN to
allanfeid.com (I own the domain).
At this point I'm unsure where to go to continue troubleshooting and getting
this to work. I'm just trying to get a solid Single Sign-on solution using
kerberos, ldap, and sasl for a learning experience. If there is a more
appropriate way of achieving this, I'm open to suggestions. Here's my ldap
and slapd configuration files:
(server) frisbee# cat /usr/local/etc/openldap/ldap.conf
==============================================================
TLS_CACERT /usr/local/etc/openldap/certs/CA/cacert.pem
==============================================================
(client) cake# cat /usr/local/etc/openldap/ldap.conf
==============================================================
# path to CA's cert
TLS_CACERT /usr/local/etc/openldap/certs/cacert.pem
# define base to our search
BASE dc=crazy,dc=lan
# define uri to openldap
URI ldap://frisbee.crazy.lan
==============================================================
(server) frisbee# cat /usr/local/etc/openldap/slapd.conf
note: I removed a lot of comments to save space
==============================================================
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/duaconf.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/krb5-kdc.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# SSL/TLS cipher order preference
TLSCipherSuite HIGH
# Full path to CA cert file
TLSCACertificateFile /usr/local/etc/openldap/certs/CA/cacert.pem
# Full path to server's TLS cert
TLSCertificateFile /usr/local/etc/openldap/certs/private/slapdcert.pem
# Full path to server's TLS key
TLSCertificateKeyFile /usr/local/etc/openldap/certs/private/slapdkey.pem
# Password hashing mechanism
password-hash {SSHA}
# log level
loglevel 256
# refuse simple binds
disallow bind_simple
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=crazy,dc=lan"
directory /var/db/openldap-data
# Indices to maintain
index default eq,pres
index objectClass eq
index cn,sn,givenname,mail eq,pres,sub
# ACL Definitions
authz-policy from
authz-regexp
uid=(.*),cn=crazy.lan,cn=GSSAPI,cn=auth
uid=$1,ou=people,dc=crazy,dc=lan
# SASL hostname
sasl-host frisbee.crazy.lan
access to *
by dn="uid=ldapadm,cn=gssapi,cn=auth" write
by * read
access to *
by * read
==============================================================
14 years, 3 months
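Two things in the post above are easier to see with a little tooling: what each BIND in the slapd stats log (loglevel 256) actually was and how it ended, and what DN a GSSAPI identity becomes after the posted authz-regexp rewrites it, since that is the DN the ACLs are then tested against. The following is an added example, not code from the post or from OpenLDAP. SAMPLE_LOG is constructed from the log lines in the post, re-joined onto single lines. It assumes the documented GSSAPI SASL DN form uid=<user>,cn=<realm>,cn=gssapi,cn=auth and that slapd matches the authz-regexp case-insensitively against that DN; both are assumptions of this example, not facts stated in the post.

```python
# Added example (not from the post or from OpenLDAP): correlate BIND/RESULT
# pairs in slapd stats logs, and apply the post's authz-regexp mapping.
import re
from collections import defaultdict

METHODS = {128: "simple", 163: "SASL"}   # BindRequest authentication choice as slapd logs it
RESULT_CODES = {0: "success", 7: "authMethodNotSupported",
                49: "invalidCredentials", 53: "unwillingToPerform"}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)$')
SASL_FAIL_RE = re.compile(r'SASL \[conn=(\d+)\] Failure: (.*)$')
TLS_FAIL_RE = re.compile(r'conn=(\d+) fd=\d+ closed \(TLS negotiation failure\)')


def analyse_binds(lines):
    """Return {conn: [findings, ...]} with findings in log order."""
    pending = {}                  # (conn, op) -> (dn, method) of a BIND awaiting its RESULT
    findings = defaultdict(list)
    for line in lines:
        if m := BIND_RE.search(line):
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = (dn, int(method))
        elif m := SASL_FAIL_RE.search(line):
            findings[m.group(1)].append(f"SASL failure: {m.group(2)}")
        elif m := TLS_FAIL_RE.search(line):
            findings[m.group(1)].append("TLS negotiation failure")
        elif (m := RESULT_RE.search(line)) and (m.group(1), m.group(2)) in pending:
            conn, op, err, _text = m.groups()
            dn, method = pending.pop((conn, op))
            who = f'"{dn}"' if dn else "anonymous"
            method_name = METHODS.get(method, f"method {method}")
            outcome = RESULT_CODES.get(int(err), f"err {err}")
            note = f"{method_name} bind as {who}: {outcome}"
            if dn == "" and method == 128 and int(err) == 0:
                note += " (anonymous simple bind accepted)"
            findings[conn].append(note)
    return dict(findings)


def authz_map(sasl_dn, regexps):
    """Rewrite sasl_dn with the first matching (pattern, template) pair.
    The DN is returned unchanged when no pattern matches."""
    for pattern, template in regexps:
        m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)   # assumption: case-insensitive match
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return sasl_dn


AUTHZ_REGEXP = [(r"uid=(.*),cn=crazy.lan,cn=GSSAPI,cn=auth",   # pair from the post's slapd.conf
                 "uid=$1,ou=people,dc=crazy,dc=lan")]
ACL_ADMIN_DN = "uid=ldapadm,cn=gssapi,cn=auth"              # dn= in the post's first ACL


def acl_sees_mapped_admin(sasl_dn):
    """(mapped DN, whether the post's ACL dn= value equals it exactly)."""
    mapped = authz_map(sasl_dn, AUTHZ_REGEXP)
    return mapped, mapped.lower() == ACL_ADMIN_DN.lower()


# Constructed from the post's log excerpts, one record per line.
SAMPLE_LOG = """\
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163
Aug 9 17:47:21 frisbee slapd[86935]: SASL [conn=15] Failure: Couldn't find mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 BIND dn="" method=128
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 RESULT tag=97 err=0 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 closed (TLS negotiation failure)
""".splitlines()

if __name__ == "__main__":
    for conn, notes in analyse_binds(SAMPLE_LOG).items():
        print(f"conn={conn}: " + "; ".join(notes))
    print(acl_sees_mapped_admin("uid=ldapadm,cn=CRAZY.LAN,cn=gssapi,cn=auth"))
```

Read against the post: conn=15 is a SASL bind (method=163) that fails with resultCode 7 and libsasl's "Couldn't find mech GSSAPI", i.e. the server side offered no GSSAPI mechanism at all, which is a server SASL plugin question rather than a Kerberos ticket question. conn=87 is an anonymous simple bind (method=128, empty DN) that succeeds, while pam_ldap's later bind as the user is refused with "Server is unwilling to perform"; that pattern is consistent with the posted `disallow bind_simple`, which blocks simple binds with credentials but not the anonymous one the nss lookups use. The second check shows that after the posted authz-regexp the ldapadm identity becomes uid=ldapadm,ou=people,dc=crazy,dc=lan, so the first ACL's `by dn="uid=ldapadm,cn=gssapi,cn=auth"` matches neither the raw SASL DN (which carries the realm) nor the mapped one.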
Using syncrepl in single slapd instance.
by Laurence Field
I have been investigating the use of syncrepl as a replacement for the
mechanism we are currently using in our system and have become stuck. Here
is the scenario to put the problem in context.
Within our infrastructure there is the order of 1000 Grid services each
of which runs its own LDAP server that contains information about its
structure and state under the DN mds-vo-name=resource,o=grid. Each
institute that operates a Grid service (in the order of 300
distributed globally), runs an LDAP server containing the consolidated
information from all services within its domain under the DN
mds-vo-name=site-name,o=grid.
In addition, there are about 70 top-level LDAP servers distributed
globally that contain the consolidated information from all sites using
the DN mds-vo-name=local,o=grid.
At the moment the LDAP databases are updated externally via a process that
polls the LDAP server for all information, which is very inefficient.
Syncrepl seems to be a better mechanism to use however, I am having
difficulty with one scenario. Using standard syncrepl with a relay, the
site-level LDAP server can be configured with the following slapd.conf
file.
http://lfield.web.cern.ch/lfield/bdii-slapd.conf-basic-rep
However, the site LDAP server is a Grid service and needs to publish
itself. If I just try to do an LDAP add I get the following message,
which I guess is due to the fact that this part of the database is now
"owned" by the syncrepl process.
ldap_add: Server is unwilling to perform (53)
additional info: shadow context; no update referral
I tried to work around this problem by using another database and some
more relays the result of which can be seen in the following file.
http://lfield.web.cern.ch/lfield/bdii-slapd.conf
However, this results in the following error, which suggests that I
can't "mask" a database with a relay that points somewhere else.
bdii-slapd.conf: line 69: <suffix> namingContext
"Mds-Vo-name=resource,o=internal" already served by a preceding bdb
database serving namingContext "Mds-Vo-name=resource,o=internal"
Does anyone have an example of how to do a syncrepl where a single slapd
instance can act as both the consumer and producer?
Also, has anyone done any scalability/reliability tests with syncrepl?
Thanks,
Laurence
14 years, 3 months