openldap-technical February 2010

openldap-technical@openldap.org

59 participants
64 discussions

Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)
by Jose G. Torres 25 Feb '10

25 Feb '10

Hello again, Well I tried the following. Added the full path of the check_password.so in my slapd.conf under "moduleload". moduleload /opt/openldap/etc/openldap/modules/check_password.so Added the full path to my check_password.so module in my ldif pwdCheckModule: /opt/openldap/etc/openldap/modules/check_password.so Recompiled the sources again using the configure used to build the openSUSE package. CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \ LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \ ./configure --prefix=/opt/openldap --with-tls \ --enable-spasswd --enable-crypt --with-gnu-ld \ --enable-ppolicy --enable-modules --enable-dynamic --enable-aci --enable-bdb --enable-hdb \ --enable-rewrite --enable-ldap=yes --enable-meta=mod \ --enable-monitor=yes --enable-slp --enable-overlays=yes \ Still no luck. At least within my ldap logs I see the "Password fails quality checking policy" so at least it is hitting the ldap server for password checking. Any ideas????? Thanks!!!! Jose > I am trying to get my solaris 10 openldap 2.4.21 server to use my check_password.so module using the ppolicy overlay. When I try to change a user's > password from a linux client, I get the following error message. > > passwd ldapuser > Changing password for ldapuser. > Enter login(LDAP) password: > New Password: > Reenter New Password: > LDAP password information update failed: Constraint violation > Password fails quality checking policy > passwd: Permission denied > > > Within > my logs, I do not see any error messages from my check_password.so > module. I created the directory /opt/openldap/etc/openldap/modules and > placed my module in that directory and I added the modulepath in my > slapd.conf. > > Is there something I missed? Is this a PAM thing? I know this setup works on a OpenSUSE 11.2 openldap server. Help. > > I included part of my slapd.conf, openldap configure, check_password.c source, makefile and ldd of my check_password.so. > > Thanks!!!! > > Jose Torres > > > openldap configure > ****************** > > CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \ > LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \ > ./configure --prefix=/opt/openldap --with-tls \ > --enable-spasswd --enable-crypt --with-gnu-ld \ > --enable-ppolicy --enable-modules --enable-dynamic > > > slapd.conf: > ********** > > include /opt/openldap/etc/openldap/schema/ppolicy.schema > > # Add password policies. > modulepath /opt/openldap/etc/openldap/modules > overlay ppolicy > ppolicy_default "cn=default,ou=policies,dc=caci,dc=ymp,dc=com" > ppolicy_use_lockout > > I tried ppolicy_clear_txt I still have the same problem. > > check_password.c: > **************** > > #include <stdio.h> > #include <stdlib.h> > #include <string.h> > #include <ctype.h> > #include "portable.h" > #include "slap.h" > > int init_module() > { > return 0; > } > > int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry) > { > char error=0; > char retmsg[255]; > char *message,*buffer,*token; > const char special[] ="!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"; > const char number[] ="1234567890"; > const char CAPS[] ="ABCDEFGHIJKLMNOPQRSTUVWXYZ"; > > error = 0; > > > if (strstr( pPasswd, " ") != NULL) > { > error = 1; > strcpy(retmsg , "******** CHECKPW: Password contains SPACES! ********"); > } > > buffer = strdup(pPasswd); > token = strtok(buffer,special); > if ( !(strcmp(token,pPasswd)) || (token == NULL) ) > { > error = 1; > strcpy(retmsg , "******** CHECKPW: Password does not contain any special c > haracters! ********"); > } > > buffer = strdup(pPasswd); > token = strtok(buffer,number); > > if ( !(strcmp(token,pPasswd)) || (token == NULL) ) > { > error = 1; > strcpy(retmsg , "******** CHECKPW: Password does not contain any numbers! > ********"); > } > > buffer = strdup(pPasswd); > token = strtok(buffer,number); > > if ( !(strcmp(token,pPasswd)) || (token == NULL) ) > { > error = 1; > strcpy(retmsg , "******** CHECKPW: Password does not contain any CAPITAL L > ETTERS! ********"); > } > > if (error) > { > /* Allocate */ > message = (char *)malloc(sizeof(char) * (strlen(retmsg)+1)); > /* Copy the contents of the string. */ > strcpy(message, retmsg); > *ppErrStr=message; > } > return error; > } > > Makefile: > ********* > > check_password.so: check_password.o > gcc -L/opt/openldap/lib -lldap -shared -o check_password.so check_passwo > rd.o > check_password.o: check_password.c > gcc -fpic -I../../include -I. -c check_password.c > clean: > rm check_password.so check_password.o > > > It seems to find the right libraries. > > $ ldd modules/check_password.so > libldap-2.4.so.2 => /opt/openldap/lib/libldap-2.4.so.2 > libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1 > liblber-2.4.so.2 => /opt/openldap/lib/liblber-2.4.so.2 > libresolv.so.2 => /usr/lib/libresolv.so.2 > libgen.so.1 => /usr/lib/libgen.so.1 > libnsl.so.1 => /usr/lib/libnsl.so.1 > libsocket.so.1 => /usr/lib/libsocket.so.1 > libsasl.so.1 => /usr/lib/libsasl.so.1 > libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7 > libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7 > libc.so.1 => /usr/lib/libc.so.1 > libmp.so.2 => /usr/lib/libmp.so.2 > libmd.so.1 => /usr/lib/libmd.so.1 > libscf.so.1 => /usr/lib/libscf.so.1 > libdoor.so.1 => /usr/lib/libdoor.so.1 > libuutil.so.1 => /usr/lib/libuutil.so.1 > libssl_extra.so.0.9.7 => /usr/sfw/lib/libssl_extra.so.0.9.7 > libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7 > libm.so.2 => /usr/lib/libm.so.2

1 0

a newbie trying to get the basics of syncrepl going
by Seger, Mark 25 Feb '10

25 Feb '10

I'm an admitted ldap lightweight but have been able to bring up an ldap server and populate it with the contents of my /etc/passwd file. Now I want to set up a replica on another machine using sync replication and am having a few issues getting it to work. My most recent success was getting simple authentication working because before it was failing and now it's not so I've at least gotten that far. Here's what my replication section looks like in ldap.conf: syncrepl rid=123 provider=ldap://10.99.99.99:389 type=refreshOnly interval=01:00:00:00 searchbase="dc=myldap,dc=com" filter="(objectClass=account)" scope=sub schemachecking=off updatedn="cn=replica,dc=myldap,dc=com" bindmethod=simple binddn="uid=lsfadmin,ou=People,dc=myldap,dc=com" credentials=Something I'm pretty sure I have the search parameters set correctly because if I run: ldapsearch -x -h 10.99.99.99 -b 'dc=myldap,dc=com' -A uid it dumps all my uids. The part I'm on clear on is how to define things on the slave side. For example I have the main part of the conf set the same on the master, just to make things easy on me and so I have the following which is exactly how I have the master set up. database bdb suffix "dc=myldap,dc=com" rootdn "cn=Manager,dc=myldap,dc=com" rootpw {SSHA}ZmTfiKLVf8X5GERsT3b3AoB3/hFV3l7R directory /var/lib/ldap I'm guessing my problem may be with updatedn="cn=replica,dc=myldap,dc=com", but I'm not sure what it should be and whether or not I have to prime the replica with any special authentication to be able to write to it. If I run "ldapsearch -x -b 'dc=myldap,dc=com'" against the replica it comes up empty so I'm sure nothing is getting replicated. Further if I run the slave slapd with -d128 I get: [root@hpdc3dmgt1 ~]# slapd -d 128 @(#) $OpenLDAP: slapd 2.3.43 (Nov 6 2008 02:53:24) $ brewbuilder@hs20-bc1-5.build.redhat.com:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd slapd starting request done: ld 0x2ac52b507c70 msgid 1 => bdb_entry_get: cannot find entry: "dc=myldap,dc=com" do_syncrep2: rid 123got search entry without control do_syncrepl: rid 123 quitting but I have no idea where it's looking for the entry, on the master or the slave? But I do have that entry on the master. I'm sure I'm doing something wrong but am also hoping it's relatively minor. -mark

5 9

Re: Adding a schema to OpenLdap
by Francis, Steve (IHG) 23 Feb '10

23 Feb '10

Thanks, I just figured it out. Somehow the ftp of the other ldif made it unusable. So I moved over my java program that creates the ldif file, and all is well. Steve Francis IHG - z/OS Technical Advisor Sent from my BlackBerry ________________________________ From: Jonathan Clarke <jonathan(a)phillipoux.net> To: Francis, Steve (IHG) Cc: <openldap-technical(a)openldap.org> <openldap-technical(a)openldap.org> Sent: Tue Feb 23 17:21:50 2010 Subject: Re: Adding a schema to OpenLdap On 23 févr. 2010, at 17:38, "Francis, Steve (IHG)" <Steve.Francis(a)ihg.com> wrote: I have a schema that I have used on a z/OS Ldap server for over six years. I received a NOID from IANA and have had no issues running ldapmodify commands on the z/OS ldap server to allow the objectclass's use. Now, I'm working to port he application that uses this ldap server to Linux and can't seem to get OpenLdap to allow the use of my objectclass. I have created my own schema file and have included it in the slapd.conf, which start with no errors; however, the ldapadd to process the ldif file fails with the famous "ldap_add: Invalid syntax (21) additional info: objectclass: value #1 invalid per syntax" . I know this to be my objectclass, since the following is my ldif file. dn: cn=10.172.50.0, o=SAH objectclass: top objectclass: saHolidex cn: 10.172.50.0 sn: AADAL ou: HOTEL mtrStatus: N ipAddr: 10.172.50.0 pqsStatus: MQSOFF subNetMask: 255.255.255.0 Make sure that you don't have any spaces trailing after your objectClass name in your LDIF file. This is a common source of this error. If this doesn't solve your problem, start slaps with "loglevel config" in slapd.conf and make sure your objectclass is read in. Hope this helps, Jonathan The z/OS ldap server had gotten away from including schema files and so I simply issued the ldapmodify command to update "cn=schema,o=sah" as my suffix was o=sah. The schema file I created looks like the following, as my IANA number is 15132: attributetype ( 1.3.6.1.4.1.15132.0.1.2.4 NAME 'mtrStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch ) attributetype ( 1.3.6.1.4.1.15132.0.1.2.3 NAME 'ipAddr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match ) attributetype ( 1.3.6.1.4.1.15132.0.1.2.5 NAME 'pqsStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch ) attributetype ( 1.3.6.1.4.1.15132.0.1.2.6 NAME 'subNetMask' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match ) objectClass ( 1.3.6.1.4.1.15123.0.1.2.1 NAME 'saHolidex' DESC 'IHG Sah' SUP top STRUCTURAL MUST ( cn $ sn ) MAY ( ou $ mtrStatus $ ipAddr $ pqsStatus $ subNetMask ) ) The old ldif file for the z/OS systems looks like the following: dn: cn=schema,o=SAH changetype:modify add:x attributetypes: ( 15132.0.1.2.4 NAME 'mtrStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch ) ibmattributetypes: ( 15132.0.1.2.4 ACCESS-CLASS normal) attributetypes: ( 15132.0.1.2.3 NAME 'ipAddr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match ) ibmattributetypes: ( 15132.0.1.2.3 ACCESS-CLASS normal) attributetypes: ( 15132.0.1.2.5 NAME 'pqsStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch ) ibmattributetypes: ( 15132.0.1.2.5 ACCESS-CLASS normal) attributetypes: ( 15132.0.1.2.6 NAME 'subNetMask' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match ) ibmattributetypes: ( 15132.0.1.2.6 ACCESS-CLASS normal) objectclasses: ( 15123.0.1.2.1 NAME 'saHolidex' SUP top MUST ( cn $ sn ) MAY ( ou $ mtrStatus $ ipAddr $ pqsStatus $ subNetMask ) ) Can anyone help me figure out why I can't get this objectclass to work. It works fine with the z/OS Ldap Server, and has for many years, all the way back to the OS390 days, prior to z/OS. Thanks, i advance, Steve Francis Technical Advisor - zSeries, zLinux, z/OS IHG Alpharetta Data Center Ph: 770-442-7157 Cell: 770-906-3122 IM: francisihg

1 0

Adding a schema to OpenLdap
by Francis, Steve (IHG) 23 Feb '10

23 Feb '10

I have a schema that I have used on a z/OS Ldap server for over six years. I received a NOID from IANA and have had no issues running ldapmodify commands on the z/OS ldap server to allow the objectclass's use. Now, I'm working to port he application that uses this ldap server to Linux and can't seem to get OpenLdap to allow the use of my objectclass. I have created my own schema file and have included it in the slapd.conf, which start with no errors; however, the ldapadd to process the ldif file fails with the famous "ldap_add: Invalid syntax (21) additional info: objectclass: value #1 invalid per syntax" . I know this to be my objectclass, since the following is my ldif file. dn: cn=10.172.50.0, o=SAH objectclass: top objectclass: saHolidex cn: 10.172.50.0 sn: AADAL ou: HOTEL mtrStatus: N ipAddr: 10.172.50.0 pqsStatus: MQSOFF subNetMask: 255.255.255.0 The z/OS ldap server had gotten away from including schema files and so I simply issued the ldapmodify command to update "cn=schema,o=sah" as my suffix was o=sah. The schema file I created looks like the following, as my IANA number is 15132: attributetype ( 1.3.6.1.4.1.15132.0.1.2.4 NAME 'mtrStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch ) attributetype ( 1.3.6.1.4.1.15132.0.1.2.3 NAME 'ipAddr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match ) attributetype ( 1.3.6.1.4.1.15132.0.1.2.5 NAME 'pqsStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch ) attributetype ( 1.3.6.1.4.1.15132.0.1.2.6 NAME 'subNetMask' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match ) objectClass ( 1.3.6.1.4.1.15123.0.1.2.1 NAME 'saHolidex' DESC 'IHG Sah' SUP top STRUCTURAL MUST ( cn $ sn ) MAY ( ou $ mtrStatus $ ipAddr $ pqsStatus $ subNetMask ) ) The old ldif file for the z/OS systems looks like the following: dn: cn=schema,o=SAH changetype:modify add:x attributetypes: ( 15132.0.1.2.4 NAME 'mtrStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch ) ibmattributetypes: ( 15132.0.1.2.4 ACCESS-CLASS normal) attributetypes: ( 15132.0.1.2.3 NAME 'ipAddr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match ) ibmattributetypes: ( 15132.0.1.2.3 ACCESS-CLASS normal) attributetypes: ( 15132.0.1.2.5 NAME 'pqsStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch ) ibmattributetypes: ( 15132.0.1.2.5 ACCESS-CLASS normal) attributetypes: ( 15132.0.1.2.6 NAME 'subNetMask' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match ) ibmattributetypes: ( 15132.0.1.2.6 ACCESS-CLASS normal) objectclasses: ( 15123.0.1.2.1 NAME 'saHolidex' SUP top MUST ( cn $ sn ) MAY ( ou $ mtrStatus $ ipAddr $ pqsStatus $ subNetMask ) ) Can anyone help me figure out why I can't get this objectclass to work. It works fine with the z/OS Ldap Server, and has for many years, all the way back to the OS390 days, prior to z/OS. Thanks, i advance, Steve Francis Technical Advisor - zSeries, zLinux, z/OS IHG Alpharetta Data Center Ph: 770-442-7157 Cell: 770-906-3122 IM: francisihg

2 1

Re: the parent of a result.
by Peter Mogensen 23 Feb '10

23 Feb '10

This sounds like an inherent relational problem. Any special reason for using a directory to store the forum data? /Peter

1 0

the parent of a result.
by Mihamina Rakotomandimby 22 Feb '10

22 Feb '10

Manao ahoana, Hello, Bonjour, I look for the way to search for the parent of the matched target. FOr example, let's image a forum, with multiple topics - boys - girls - dogs Each topic has comments (for simplicit let's make them flat) - boys - comment 234 - comment 65 - girls - comment 659 - comment 4 - dogs - comment 351 - comment 323 Comments ID are unique. I perform a search: ldapsearch (...) commentId=659 The only way to have the parent (girls) is for me to parse the resulting "dn" of that search, splitting it by ",". Bad & Dirty. How (which argument/option) to get the parent of commentId=659? Misaotra, Thanks, Merci. -- Architecte Informatique chez Blueline/Gulfsat: Administration Systeme, Recherche & Developpement +261 34 29 155 34 / +261 33 11 207 36

2 1

Syncrepl for AD replication
by Siddhartha Jain 22 Feb '10

22 Feb '10

Hi, I am looking to setup a LDAP server that can pull certain user attributes from Active Directory like userid (sAMAccountName), cn, sn and populate some other attributes like public keys via user input. Is it possible to automate the AD to LDAP replication using syncrepl? Also, looking at syncrepl documentation, it isn't clear how syncrepl adds records? For example, if a new user gets added on the master, how does the replica know what objectclasses to include while adding that user? Thanks, Siddhartha

5 5

openldap client GSSAPI authentication segfaults in fbgsd8-stable i386
by George Mamalakis 22 Feb '10

22 Feb '10

Dear all, I have submitted this email to freebsd-stable mailing list as well, but with no luck until now; so, I decided to share it with this list as well. The email is large, only because I have tested my setup in six different machines, and I explain my results for each one. The problem is more simple; my email subject explains it all. So, here is how it goes: I am facing many instabilities in FBSD8 with openldap-client and sasl authentication (GSSAPI in particular). I have setup an openldap 2.4.1 server with gssapi support (through cyrus-sasl-2.1.23) on a fbsd8-stable amd64 latest sources, in a esxi host. In the same host I have setup two fbsd8-stable i386 clients; one has latest sources, the other one is installed via the iso-image of January's fbsd snapshot; on both systems openldap client and sasl is installed (all ldap/cyrus versions on all hosts mentioned in this email are the same). My laptop has fbsd8-i386 stable (sources 25 January 2010), and on my laptop I have setup an fbsd8-stable i386 (snapshot iso image) on a virtualbox client. Lastly, on the esxi host I have setup another fbsd8-stable amd64 system, to act as an ldap client (latest sources). To summarize, and put a label-number on each host, we have: 1 - esxi: fbsd8(latest) amd64 openldap server 2 - esxi: fbsd8(latest) i386 openldap client 3 - esxi: fbsd8(snapshot) i386 openldap client 4 - esxi: fbsd8(latest) amd64 openldap client 5 - laptop: fbsd8(jan 25) i386 openldap client 6 - laptop/vbox: fbsd8(snapshot) i386 openldap client The openldap server is installed in a jail, and the client is tested in the same jail. Kerberos works on all machines (same /etc/krb5.conf), and ldap as well. In all machines, line 96 of /usr/bin/krb5-config is changed to read: lib_flags="$lib_flags -lgssapi -lgssapi_spnego -lgssapi_krb5 -lheimntlm" instead of: lib_flags="$lib_flags -lgssapi -lheimntlm" which was the default, since without these lines I couldn't get gssapi authentication to work for cyrus (and spnego). This change was made after recommendations given from freebsd-stable mailing list, and I was very happy to see that after this change the ldap server worked as I expected. On all system, cat /usr/local/etc/openldap/ldap.conf: BASE dc=ee,dc=auth,dc=gr URI ldap://ldap.ee.auth.gr SASL_MECH GSSAPI without kiniting in any client I get the following outcomes when I give ldapwhoami (with no arguments): 1: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown) which is expected. 2: SASL/GSSAPI authentication started Segmentation fault: 11 (core dumped) which is not rational at all 3: SASL/GSSAPI authentication started Segmentation fault: 11 (core dumped) 4: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown) which is the same as 1 (as expected) 5: SASL/GSSAPI authentication started Segmentation fault: 11 (core dumped) 6: SASL/GSSAPI authentication started Segmentation fault: 11 (core dumped) if I kinit to mamalos, ldapwhoami returns: 1: SASL/GSSAPI authentication started SASL username: mamalos(a)EE.AUTH.GR SASL SSF: 56 SASL data security layer installed. dn:uid=mamalos,ou=people,dc=ee,dc=auth,dc=gr which is super! 2: SASL/GSSAPI authentication started Segmentation fault: 11 (core dumped) which is dramatic. 3: SASL/GSSAPI authentication started Segmentation fault: 11 (core dumped) 4: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2529638919 for mech unknown) which is very strange, since mech-code seems unnaturally large. 5: SASL/GSSAPI authentication started SASL username: mamalos(a)EE.AUTH.GR SASL SSF: 56 SASL data security layer installed. dn:uid=mamalos,ou=people,dc=ee,dc=auth,dc=gr which is super, but without kinit the same command segfaulted on this machine 6: SASL/GSSAPI authentication started SASL username: mamalos(a)EE.AUTH.GR SASL SSF: 56 SASL data security layer installed. dn:uid=mamalos,ou=people,dc=ee,dc=auth,dc=gr which is the exact same behavior as 5 above. All this means that there is no single pattern!!!!!!! If I gdb ldapwhoami in the clients that segfault, I get: GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols found)... (gdb) run -d0 Starting program: /usr/local/bin/ldapwhoami -d0 (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...SASL/GSSAPI authentication started Program received signal SIGSEGV, Segmentation fault. 0x2831e187 in free () from /lib/libc.so.7 (gdb) where #0 0x2831e187 in free () from /lib/libc.so.7 #1 0x2850fb82 in gss_release_buffer () from /usr/lib/libgssapi.so.10 #2 0x2850f552 in gss_release_name () from /usr/lib/libgssapi.so.10 #3 0x2850bea9 in gss_init_sec_context () from /usr/lib/libgssapi.so.10 #4 0x283f9abf in gssapi_client_mech_step () from /usr/local/lib/sasl2/libgssapiv2.so.2 #5 0x280e84b1 in sasl_client_step () from /usr/local/lib/libsasl2.so.2 #6 0x28443100 in ?? () #7 0x00000000 in ?? () #8 0x00000000 in ?? () #9 0xbfbfe968 in ?? () #10 0xbfbfe954 in ?? () #11 0xbfbfe964 in ?? () #12 0x28445860 in ?? () #13 0x280e83fe in sasl_client_step () from /usr/local/lib/libsasl2.so.2 #14 0xbfbfe8a8 in ?? () #15 0x280e9135 in sasl_client_start () from /usr/local/lib/libsasl2.so.2 #16 0x00000000 in ?? () #17 0x00000000 in ?? () #18 0xbfbfe968 in ?? () #19 0xbfbfe954 in ?? () #20 0xbfbfe964 in ?? () #21 0xd7a3b2da in ?? () #22 0x283abad8 in ?? () from /lib/libc.so.7 #23 0x00000000 in ?? () #24 0x283ab730 in __stderrp () from /lib/libc.so.7 #25 0xbfbfe878 in ?? () #26 0x2838c764 in vfprintf () from /lib/libc.so.7 Previous frame inner to this frame (corrupt stack?) I built openldap and cyrus-sasl on this machine from sources (not ports), and (after a long time of trying to find out how to run configure successfully in both installations) the outcome was exactly the same (meaning segfaults). So, one of my admins wrote a c program that overrides gss_release_buffer returning always 0 (what is expected after normal operation) and compiled it as a library. The program code is nothing more than just: int gss_release_buffer(void *a, void *b) { return 0; } we ld_preloaded the library, and when we ran ldapwhoami the outcome was: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2529638919 for mech unknown) When we ran it with no kerberos tickets, we got: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown) The exact same errors as the aforementioned client 4 (esxi, amd64)!!!!!!!!!!!!! What on earth is happening?!?!!?!?! Now one can easily see that there is a definite problem regarding memory freeing, and after overcoming that the mech-code 2529638919 implies that some segment in memory is overwritten by some "random" value, so mech-code returns the number 2529638919 instead of a number of marginality 1. What is more definite, is that openldap doesn't work out-of-the-box if gssapi support is required, and behaves randomly in different architectures/virtualHosts/platforms. The problem may have been something related to line 96 in /usr/bin/krb5-config... I don't know. What is sure, is that I am having second thoughts on using fbsd as my openldap/heimdal server for my setup, which would be quite disappointing for me, since I am using fbsd for the last many-many years, on all my laptops and servers. The only "good part" is that the only machine that works seamlessly (until now, at least) is the heimdal/ldap server. Thank you all in advance and I hope that we will find an answer to all this. -- George Mamalakis IT Officer Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London) Department of Electrical and Computer Engineering Faculty of Engineering Aristotle University of Thessaloniki phone number : +30 (2310) 994379

2 5

Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources) server
by Jose G. Torres 22 Feb '10

22 Feb '10

Hello everyone!, I am trying to get my solaris 10 openldap 2.4.21 server to use my check_password.so module using the ppolicy overlay. When I try to change a user's password from a linux client, I get the following error message. passwd ldapuser Changing password for ldapuser. Enter login(LDAP) password: New Password: Reenter New Password: LDAP password information update failed: Constraint violation Password fails quality checking policy passwd: Permission denied Within my logs, I do not see any error messages from my check_password.so module. I created the directory /opt/openldap/etc/openldap/modules and placed my module in that directory and I added the modulepath in my slapd.conf. Is there something I missed? Is this a PAM thing? I know this setup works on a OpenSUSE 11.2 openldap server. Help. I included part of my slapd.conf, openldap configure, check_password.c source, makefile and ldd of my check_password.so. Thanks!!!! Jose Torres openldap configure ****************** CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \ LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \ ./configure --prefix=/opt/openldap --with-tls \ --enable-spasswd --enable-crypt --with-gnu-ld \ --enable-ppolicy --enable-modules --enable-dynamic slapd.conf: ********** include /opt/openldap/etc/openldap/schema/ppolicy.schema # Add password policies. modulepath /opt/openldap/etc/openldap/modules overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=caci,dc=ymp,dc=com" ppolicy_use_lockout I tried ppolicy_clear_txt I still have the same problem. check_password.c: **************** #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ctype.h> #include "portable.h" #include "slap.h" int init_module() { return 0; } int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry) { char error=0; char retmsg[255]; char *message,*buffer,*token; const char special[] ="!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"; const char number[] ="1234567890"; const char CAPS[] ="ABCDEFGHIJKLMNOPQRSTUVWXYZ"; error = 0; if (strstr( pPasswd, " ") != NULL) { error = 1; strcpy(retmsg , "******** CHECKPW: Password contains SPACES! ********"); } buffer = strdup(pPasswd); token = strtok(buffer,special); if ( !(strcmp(token,pPasswd)) || (token == NULL) ) { error = 1; strcpy(retmsg , "******** CHECKPW: Password does not contain any special c haracters! ********"); } buffer = strdup(pPasswd); token = strtok(buffer,number); if ( !(strcmp(token,pPasswd)) || (token == NULL) ) { error = 1; strcpy(retmsg , "******** CHECKPW: Password does not contain any numbers! ********"); } buffer = strdup(pPasswd); token = strtok(buffer,number); if ( !(strcmp(token,pPasswd)) || (token == NULL) ) { error = 1; strcpy(retmsg , "******** CHECKPW: Password does not contain any CAPITAL L ETTERS! ********"); } if (error) { /* Allocate */ message = (char *)malloc(sizeof(char) * (strlen(retmsg)+1)); /* Copy the contents of the string. */ strcpy(message, retmsg); *ppErrStr=message; } return error; } Makefile: ********* check_password.so: check_password.o gcc -L/opt/openldap/lib -lldap -shared -o check_password.so check_passwo rd.o check_password.o: check_password.c gcc -fpic -I../../include -I. -c check_password.c clean: rm check_password.so check_password.o It seems to find the right libraries. $ ldd modules/check_password.so libldap-2.4.so.2 => /opt/openldap/lib/libldap-2.4.so.2 libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1 liblber-2.4.so.2 => /opt/openldap/lib/liblber-2.4.so.2 libresolv.so.2 => /usr/lib/libresolv.so.2 libgen.so.1 => /usr/lib/libgen.so.1 libnsl.so.1 => /usr/lib/libnsl.so.1 libsocket.so.1 => /usr/lib/libsocket.so.1 libsasl.so.1 => /usr/lib/libsasl.so.1 libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7 libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7 libc.so.1 => /usr/lib/libc.so.1 libmp.so.2 => /usr/lib/libmp.so.2 libmd.so.1 => /usr/lib/libmd.so.1 libscf.so.1 => /usr/lib/libscf.so.1 libdoor.so.1 => /usr/lib/libdoor.so.1 libuutil.so.1 => /usr/lib/libuutil.so.1 libssl_extra.so.0.9.7 => /usr/sfw/lib/libssl_extra.so.0.9.7 libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7 libm.so.2 => /usr/lib/libm.so.2

1 0

Re: objectclass not found inetorgperson?
by Ray Carrender 22 Feb '10

22 Feb '10

Actually it was that slapd.conf wasn't restarting correctly, I did a full reboot on my server and got this stuff to start to work. Not exactly sure why this is the case versus /usr/local/libexec/slapd.d restart but it works now and I'm all the wiser. Thanks! *Ray* Message: 13 > Date: Mon, 22 Feb 2010 05:47:12 +0100 > From: "Dieter Kluenter" <dieter(a)dkluenter.de> > Subject: Re: objectclass not found inetorgperson? > To: openldap-technical(a)openldap.org > Message-ID: <87zl3198rz.fsf(a)rubin.avci.de> > Content-Type: text/plain; charset=utf-8 > > Ray Carrender <mrsmiley32(a)gmail.com> writes: > > > I keep getting a ldap_add: Invalid syntax (21) > > ???????????????????????????? additional info: objectclass: value #0 > invalid > > per syntax > > > > (ldif) > > dn: cn=Charlton Heston,ou=people,dc=afranius,dc=com > > cn: Charlton > > sn: Heston > > mail: heston(a)actor.com > > telephoneNumber:508-555-1212 > > objectclass: inetOrgPerson > > check the ldif file whether inetorgPerson is followed by a space. > > -Dieter > > -- > Dieter Kl?nter | Systemberatung > http://dkluenter.de > GPG Key ID:8EF7B6C6 > 53?37'09,95"N > 10?08'02,42"E >

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2010