brief tips and tricks for running ldaps on slackware
by Meena Ram
Dear folks:
If anyone has brief tips, tricks or a cheat sheet for running slapd with SSL/TLS, can you please post it.
Plain ldap works perfectly, but ldaps search and related stuff seems to have some issues.
Cheers!!!!!!!!
12 years, 2 months
Error code -12 with ldap_sasl_bind
by Thilko Richter
Hello,
In the following debug snippet I make an ldap_init and an
ldap_sasl_bind_s afterwards. In the end an unbind follows.
My problem is that I get an error code '-12' for the ldap_sasl_bind.
Does anyone have a clue why the bind doesn't work?
Mar 8 12:03:06 matrix slapd[3505]: conn=3 fd=15 ACCEPT from IP=[::1]:56601 (IP=[::]:389)
Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on 1 descriptor
Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on:
Mar 8 12:03:06 matrix slapd[3505]:
Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on 1 descriptor
Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on:
Mar 8 12:03:06 matrix slapd[3505]: 15r
Mar 8 12:03:06 matrix slapd[3505]:
Mar 8 12:03:06 matrix slapd[3505]: daemon: read active on 15
Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Mar 8 12:03:06 matrix slapd[3505]: connection_get(15)
Mar 8 12:03:06 matrix slapd[3505]: connection_get(15): got connid=3
Mar 8 12:03:06 matrix slapd[3505]: connection_read(15): checking for input on id=3
Mar 8 12:03:06 matrix slapd[3505]: op tag 0x42, time 1268046186
======== I think here is the problem
Mar 8 12:03:06 matrix slapd[3505]: ber_get_next on fd 15 failed errno=0 (Success)
Mar 8 12:03:06 matrix slapd[3505]: connection_read(15): input error=-2 id=3, closing.
========
Mar 8 12:03:06 matrix slapd[3505]: connection_closing: readying conn=3 sd=15 for close
Mar 8 12:03:06 matrix slapd[3505]: connection_close: deferring conn=3 sd=15
Mar 8 12:03:06 matrix slapd[3505]: conn=3 op=0 do_unbind
Mar 8 12:03:06 matrix slapd[3505]: conn=3 op=0 UNBIND
Mar 8 12:03:06 matrix slapd[3505]: connection_resched: attempting closing conn=3 sd=15
Mar 8 12:03:06 matrix slapd[3505]: connection_close: conn=3 sd=15
Mar 8 12:03:06 matrix slapd[3505]: daemon: removing 15
Mar 8 12:03:06 matrix slapd[3505]: conn=3 fd=15 closed
Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on 1 descriptor
Mar 8 12:03:06 matrix slapd[3505]: daemon: activity on:
Mar 8 12:03:06 matrix slapd[3505]:
Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Mar 8 12:03:06 matrix slapd[3505]: daemon: epoll: listen=10 active_threads=0 tvp=zero
Since I am trying to build a Ruby binding for OpenLDAP with ffi I don't
have C code here, but the Ruby snippet is:
# ldap_init and ldap_sasl_bind_s are the libldap functions attached through ffi (bindings not shown)
handle = ldap_init "localhost", 389
# LDAP_SASL_SIMPLE is ((char *)0) in ldap.h: the mechanism has to be a NULL pointer,
# which is nil through ffi; '' becomes a pointer to an empty C string, i.e. a non-NULL mechanism
res = ldap_sasl_bind_s handle, 'cn=admin,ou=users,dc=thilko,dc=net',
                       nil, 'x', nil, nil, nil
p "the result: #{res}"
and the result is '-12'. Note that I am using ffi, so the function
'ldap_sasl_bind_s' is a call to the native function defined in ldap.h.
I try to use LDAP_SASL_SIMPLE.
I also tried to use a berval struct as password and servercred - the
same effect. I stepped through some source code in OpenLDAP, but I
don't know where the error code '-12' comes from or where to find some
documentation.
Thx a lot for help,
Thilko
12 years, 2 months
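An added example, not from Thilko's post and not OpenLDAP's own code, that decodes the BER identifier octets slapd prints as "op tag". In RFC 4511 every protocol operation is an APPLICATION-class tag, so 0x42 is UnbindRequest and a BindRequest would have been logged as 0x60; run over the log above, the decoder shows that the server only ever saw the unbind, so the bind was rejected inside the client library before a byte went out. In ldap.h, -12 is LDAP_NOT_SUPPORTED and LDAP_SASL_SIMPLE is ((char *)0): an empty Ruby string arrives as a non-NULL pointer, libldap therefore treats it as a SASL mechanism name, and ldap_sasl_bind() refuses any mechanism other than simple with LDAP_NOT_SUPPORTED while the handle is still at the LDAPv2 default that ldap_init() gives it (set LDAP_OPT_PROTOCOL_VERSION, 0x0011, to 3 before binding). The two LDAPMessages below are hand-constructed bytes, not captured traffic.

```python
import re

# Protocol operation tag numbers (class APPLICATION) from RFC 4511, section 4.1.1.
LDAP_OPS = {
    0: "BindRequest", 1: "BindResponse", 2: "UnbindRequest", 3: "SearchRequest",
    4: "SearchResultEntry", 5: "SearchResultDone", 6: "ModifyRequest",
    7: "ModifyResponse", 8: "AddRequest", 9: "AddResponse", 10: "DelRequest",
    11: "DelResponse", 12: "ModifyDNRequest", 13: "ModifyDNResponse",
    14: "CompareRequest", 15: "CompareResponse", 16: "AbandonRequest",
    19: "SearchResultReference", 23: "ExtendedRequest", 24: "ExtendedResponse",
    25: "IntermediateResponse",
}
TAG_CLASSES = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")


def decode_tag(octet):
    """Split a single BER identifier octet into (class, constructed?, tag number)."""
    number = octet & 0x1F
    if number == 0x1F:
        raise ValueError("multi-octet tag numbers are not used by LDAP")
    return TAG_CLASSES[octet >> 6], bool(octet & 0x20), number


def ldap_op_name(octet):
    """Name of the LDAP protocolOp carried by an identifier octet such as 0x42."""
    cls, _, number = decode_tag(octet)
    if cls != "APPLICATION":
        raise ValueError(f"0x{octet:02x} is {cls}-class, not an LDAP protocolOp")
    return LDAP_OPS.get(number, f"unknown-application-{number}")


def read_tlv(buf, pos=0):
    """Read one definite-length BER TLV; return (tag, content bytes, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_ldapmessage(raw):
    """Return (messageID, op tag, op name) for one LDAPMessage: SEQUENCE { INTEGER, protocolOp, ... }."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, mid, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, _, _ = read_tlv(body, pos)
    return int.from_bytes(mid, "big"), op_tag, ldap_op_name(op_tag)


def bind_request_version(raw):
    """Protocol version field of a BindRequest (the first element inside the 0x60 tag)."""
    _, body, _ = read_tlv(raw)
    _, _, pos = read_tlv(body)             # skip messageID
    op_tag, op_body, _ = read_tlv(body, pos)
    if ldap_op_name(op_tag) != "BindRequest":
        raise ValueError("not a BindRequest")
    _, version, _ = read_tlv(op_body)
    return int.from_bytes(version, "big")


OP_TAG_RE = re.compile(r"op tag 0x([0-9a-fA-F]{2})")


def op_names_from_slapd_log(lines):
    """Map every 'op tag 0x..' slapd debug line to the operation the client sent."""
    return [ldap_op_name(int(m.group(1), 16))
            for line in lines for m in [OP_TAG_RE.search(line)] if m]


# Constructed sample messages (not captured traffic): messageID 2 followed by an empty
# UnbindRequest, and messageID 1 followed by a simple BindRequest with version 3,
# empty name and empty password.
UNBIND_MSG = bytes.fromhex("3005" "020102" "4200")
BIND_MSG = bytes.fromhex("300c" "020101" "6007" "020103" "0400" "8000")

if __name__ == "__main__":
    print(parse_ldapmessage(UNBIND_MSG))                       # (2, 66, 'UnbindRequest')
    print(parse_ldapmessage(BIND_MSG), bind_request_version(BIND_MSG))
    print(op_names_from_slapd_log(
        ["Mar 8 12:03:06 matrix slapd[3505]: op tag 0x42, time 1268046186"]))
```

The "ber_get_next on fd 15 failed errno=0" line that follows the unbind in the log is slapd noticing the client closed the socket after its UnbindRequest, which is the normal end of a connection; the thing to look for in a debug log of a failed bind is the absence of a 0x60 before the 0x42.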
Is there an "authconfig" tool in ubuntu?
by Zengming Zhang
Hi everyone:
On Red Hat systems there is a tool named "authconfig" which is used to
configure the user authentication method on clients.
What I want to know is whether there is a similar tool on Ubuntu. I
am going to set up a group system and all client computers are running
Ubuntu Linux.
I searched with Google; someone said that they are working on
it. But the history of Ubuntu is not short, so someone must use some
similar tool to change the user authentication method on Ubuntu.
Anyone knows something about it? Please let me know! Thanks in advance.
--
Zengming Zhang <nicegiving(a)gmail.com>
12 years, 2 months
Problem getting monitor backend and syncrepl overlay to work
by DeMoNs@web.de
Hi all,
I have a problem getting OpenLDAP to run the monitor backend AND the syncrepl
overlay.
I'm running freebsd-7.2-release-p6 in combination with
openldap-server-2.4.19 with SASL support compiled in.
I use the following slapd config:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/ldapns.schema
include /usr/local/etc/openldap/schema/radius.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/slapd.log
password-hash {SSHA}
modulepath /usr/local/libexec/openldap
moduleload back_bdb
moduleload back_monitor
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
    by ssf=128 dn="cn=admin,dc=example,dc=de" write
    by dn="cn=admin,dc=example,dc=de" peername.ip=127.0.0.1 write
    by ssf=96 dn="cn=nssadmin,dc=example,dc=de" read
    by dn="cn=nssadmin,dc=example,dc=de" peername.ip=127.0.0.1 read
    by anonymous auth
    by * none
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
database bdb
suffix "dc=example,dc=de"
rootdn "dc=example,dc=de"
directory /var/db/openldap-data
index objectClass,entryCSN,entryUUID eq
index uid pres,eq,sub
index memberUID eq
index uidNumber,gidNumber eq
index host eq
database monitor
rootdn "cn=monitoring,cn=Monitor"
rootpw monitoring
access to dn.subtree="cn=Monitor"
    by dn="cn=nssadmin,dc=example,dc=de"
    by * none
syncrepl rid=041
    provider=ldap://ldap-master.example.de
    type=refreshOnly
    interval=00:00:35:00
    searchbase="dc=example,dc=de"
    schemachecking=off
    bindmethod=simple
    starttls=yes
    binddn="cn=syncuser,dc=example,dc=de"
    credentials="strongsecretpassword"
TLSCertificateFile /usr/local/etc/openldap/ssl/ldap-crt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/ldap-key.pem
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
loglevel 256
Now, when I run slaptest I receive the following error:
/usr/local/etc/openldap/slapd.conf: line 59: database monitor does not
support operations required for syncrepl
slaptest: bad configuration file!
Line 59 corresponds to the credentials option in the syncrepl statement.
I can't figure out what's wrong, so if anyone can point me in the right
direction that would be really helpful.
thanks in advance,
david
12 years, 2 months
Steps after Crash
by Jeff Burdon
Hello,
I have two LDAP masters with refresh-and-persist configured. Both are located
in different countries and the bandwidth
between them is only 10 Mbit/s. Both masters are used for reading and writing
entries (writing from the local country); the setup is running well.
But now, somehow, one server is crashing. My application detects this
and is now writing to the other, remote server in the different
country.
To recover the crashed server, I stop the slapd with the crashed database,
delete the whole database directory and start the slapd again.
The slapd now syncs with the other, remote slapd (present and delete
phase). The syncing will take about 1.5 hours.
But what will happen during this time? My application detects that the
local slapd is running again and will read and write
entries to this server, which is in the syncing state. At the same time,
the other server at the remote site is trying to establish
replication with the crashed server, which is not fully synchronized but
may have some new entries.
* Can it be that the remote server now receives false information and gets
entries deleted during this state?
* Do I have to (manually) prevent writing to the syncing server?
Can someone help me with this setup, especially the recovery procedure?
Thanx in advance
Jeff
12 years, 2 months
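An added example, not from Jeff's post and not OpenLDAP's own code, of one way to handle the second question: treat a freshly wiped consumer as not ready until its contextCSN values have caught up with the peer's, and gate the application's writes (or the load balancer's health check) on that. With multi-master syncrepl, contextCSN is multi-valued, one value per server ID, and the check has to be made per SID: as soon as the recovering node accepts a write it mints a CSN under its own SID, and a single "newest CSN" comparison would then hide the fact that it is still behind on the peer's SID. The CSN syntax parsed here is the one slapd writes (timestamp.microsecondsZ#count#sid#modifier); the values are constructed, and reading the real ones with ldapsearch -s base -b "dc=example,dc=de" contextCSN against each master is left to the reader.

```python
import re
from dataclasses import dataclass

# entryCSN/contextCSN as written by slapd, e.g. 20100308120306.123456Z#000000#001#000000
CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")


@dataclass(frozen=True, order=True)
class CSN:
    time: str      # YYYYmmddHHMMSS in UTC; fixed width, so lexical order is time order
    usec: int
    count: int     # ordering counter for changes within the same microsecond
    sid: int       # serverID of the master that originated the change
    mod: int

    @classmethod
    def parse(cls, text):
        m = CSN_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a CSN: {text!r}")
        t, usec, count, sid, mod = m.groups()
        return cls(t, int(usec), int(count, 16), int(sid, 16), int(mod, 16))


def newest_per_sid(csns):
    """Reduce a multi-valued contextCSN to the newest CSN per originating SID."""
    best = {}
    for c in map(CSN.parse, csns):
        if c.sid not in best or c > best[c.sid]:
            best[c.sid] = c
    return best


def caught_up(local_csns, peer_csns):
    """
    (ready, lagging_sids): ready is True when, for every SID the peer knows, the local
    replica holds a contextCSN at least as new. lagging_sids says what it is still waiting for.
    """
    local, peer = newest_per_sid(local_csns), newest_per_sid(peer_csns)
    lagging = sorted(sid for sid, p in peer.items() if sid not in local or local[sid] < p)
    return not lagging, lagging


def accept_writes(local_csns, peer_csns):
    """Gate for the application or load balancer: route writes only to a caught-up replica."""
    ready, _ = caught_up(local_csns, peer_csns)
    return ready


# Constructed values for two masters with serverID 1 and 2.
PEER = ["20100308120306.123456Z#000000#001#000000",
        "20100308115900.000001Z#000000#002#000000"]
RECOVERING_MID_REFRESH = ["20100308110000.000000Z#000000#001#000000",   # still behind on SID 1
                          "20100308115900.000001Z#000000#002#000000"]
RECOVERING_DONE = ["20100308120306.123456Z#000000#001#000000",
                   "20100308120100.000000Z#000000#002#000000"]          # a newer local write on SID 2

if __name__ == "__main__":
    print(caught_up(RECOVERING_MID_REFRESH, PEER))   # (False, [1])
    print(caught_up(RECOVERING_DONE, PEER))          # (True, [])
```

A replica that passes this gate can still receive changes afterwards, so the check is a readiness condition for re-admitting the node, not a one-off consistency proof; run it from the health check that the application or load balancer already consults.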
OpenLDAP replicated from Sun One DS 5.2?
by David Jeffress
Has anyone had any success getting automatic replication working to an
openldap from a Sun Directory Server?
Our university has a Sun DS that we are not allowed to auth against due to
licensing agreements, so we want to replicate that ldap to a secondary ldap
to use basically as a provisioning LDAP for all of our external accounts.
Has anyone had any success with replicating a Sun DS?
Thanks!
--
David Jeffress, Applications Analyst
Murray State University
david.jeffress(a)murraystate.edu
12 years, 2 months
LDAP_MOD_BVALUES / "Binary option"
by Peter Mogensen
Hi,
I'm trying to make sense of the use of "binary" in miscellaneous client APIs.
Some APIs (like Perl Net::LDAPapi) seem to offer a "b" option to
add/modify operations which controls whether the ";binary"
AttributeOption is set on an attribute.
For Net::LDAPapi this translates (from what I see in the libldap source)
to LDAP_MOD_BVALUES.
But when reading the sources and the RFC it seems to me that
LDAP_MOD_BVALUES and ";binary" are two completely different things. (Also,
";binary" has been removed from RFC 4511.)
Am I right in concluding that LDAP_MOD_BVALUES (and thus "b" in
Net::LDAPapi) only controls which BER type is used and as such is
completely orthogonal to whether one chooses to set the ";binary"
attribute description option?
";binary" is often used with jpegPhoto, but does it have any influence
on which BER type the server uses to send data to the client?
I would assume that it would be completely safe to ignore ";binary" and
the only reason to set LDAP_MOD_BVALUES would be if the attribute value
data contained "\0" bytes. (which would prevent using a string)
Is this correct?
/Peter
12 years, 2 months
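An added example, not from Peter's post, Net::LDAPapi or libldap, that makes the distinction concrete by encoding a ModifyRequest change by hand. On the wire every attribute value is an OCTET STRING (tag 0x04) whatever the C array type was: LDAP_MOD_BVALUES (0x80 in ldap.h) only tells libldap that mod_vals is an array of struct berval * rather than char *, so the length comes from bv_len instead of strlen(), and it changes nothing in the BER output. ";binary" is an attribute option inside the AttributeDescription string (RFC 4522): it asks for the value to be transferred as the BER encoding of the attribute's ASN.1 type, still inside an OCTET STRING, and is defined for attributes whose syntax has such a type (userCertificate, for instance). The values below are constructed.

```python
LDAP_MOD_ADD, LDAP_MOD_DELETE, LDAP_MOD_REPLACE = 0, 1, 2
LDAP_MOD_BVALUES = 0x80   # ldap.h: mod_vals is an array of struct berval * (binary-safe)
LDAP_MOD_OP = 0x07        # ldap.h mask isolating the operation from the flag bits


def ber_length(n):
    """Definite-length BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def octet_string(value):
    """Encode an attribute value: str as UTF-8, bytes (NULs included) as they are."""
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    return tlv(0x04, data)   # the same UNIVERSAL 4 tag regardless of how the caller held the value


def parse_attribute_description(desc):
    """'jpegPhoto;binary' -> ('jpegPhoto', {'binary'}); options are case-insensitive (RFC 4512)."""
    attr, *opts = desc.split(";")
    return attr, {o.lower() for o in opts if o}


def encode_modification(mod_op, attr_desc, values):
    """
    One element of ModifyRequest.changes (RFC 4511, 4.6):
      SEQUENCE { operation ENUMERATED, modification PartialAttribute }
    mod_op may carry LDAP_MOD_BVALUES like the C API; it is masked off because the
    flag describes the caller's memory layout, not the wire format.
    """
    attr, _options = parse_attribute_description(attr_desc)
    if not attr:
        raise ValueError("empty attribute type")
    operation = tlv(0x0A, bytes([mod_op & LDAP_MOD_OP]))
    vals = tlv(0x31, b"".join(octet_string(v) for v in values))     # SET OF AttributeValue
    partial_attr = tlv(0x30, tlv(0x04, attr_desc.encode("ascii")) + vals)
    return tlv(0x30, operation + partial_attr)


if __name__ == "__main__":
    photo = b"\xff\xd8\x00"   # constructed: JPEG SOI marker followed by a NUL byte
    a = encode_modification(LDAP_MOD_REPLACE, "jpegPhoto", [photo])
    b = encode_modification(LDAP_MOD_REPLACE | LDAP_MOD_BVALUES, "jpegPhoto", [photo])
    print(a.hex(), a == b)    # identical bytes with and without the BVALUES flag
    print(encode_modification(LDAP_MOD_REPLACE, "jpegPhoto;binary", [photo]).hex())
```

The only thing the ";binary" variant changes in the output is the AttributeDescription octets; the value element stays an OCTET STRING, which is why the question of BER type and the question of the attribute option are independent.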
getting ca/ca subordinate cert to work with openldap
by Chris Jacobs
Hello,
I'm having a heck of a time getting certs to function correctly. This server is being set up with another server in mirrormode - and currently they cannot talk to each other (or themselves when using ldapsearch).
We have a root CA, with a subordinate CA used to sign the cert our ldap server is using.
I have both appended to the /etc/pki/tls/certs/ca-bundle.crt file (CentOS5) - root first, sub second.
I have both (also in the same order) in the cacert.pem used by slapd.conf. TLS directives:
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/ldapcrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/ldapkey.pem
When I test the cacert.pem file or the ldapcrt.pem file using "openssl verify [cert]", everything comes back with OK (I tested removing those from the ca-bundle.crt file and they fail - those are below too). I have those certs available separately and tested them too.
------ Test with CA and Sub-CA in ca-bundle.crt ------
# openssl verify cacert.pem
cacert.pem: OK
# openssl verify ldapcrt.pem
ldapcrt.pem: OK
# openssl verify carootcrt.pem
carootcrt.pem: OK
# openssl verify casubcrt.pem
casubcrt.pem: OK
------ Test without CA and Sub-CA in ca-bundle.crt ------
# openssl verify cacert.pem
cacert.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA
error 18 at 0 depth lookup:self signed certificate
OK
# openssl verify ldapcrt.pem
corp-ldapcrt.pem: [verify specific cert subject snipped]
error 20 at 0 depth lookup:unable to get local issuer certificate
# openssl verify carootcrt.pem
carootcrt.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA
error 18 at 0 depth lookup:self signed certificate
OK
# openssl verify casubcrt.pem
casubcrt.pem: /DC=edu/DC=apollogrp/CN=Apollo Group Subordinate CA
error 20 at 0 depth lookup:unable to get local issuer certificate
I'm using OpenLDAP build: 2.4.21 built with the following options:
./configure --with-tls=openssl \
--enable-crypt \
--enable-dynamic \
--enable-ldap \
--enable-lmpasswd \
--enable-modules \
--enable-overlays \
--enable-spasswd \
--sysconfdir=/etc
After loading LDIF data from our older 2.2 OpenLDAP servers, I verified the data was there using Apache Directory Studio (even got some work done on removing/re-adding/comparing LDIFs).
ldapsearch, though, is another beast altogether.
# ldapsearch -H ldaps://localhost/
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
If you're interested in more details:
# ldapsearch -H ldaps://localhost/ -d5
ldap_url_parse_ext(ldaps://localhost/)
ldap_create
ldap_url_parse_ext(ldaps://localhost:636/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 19, subject: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA, issuer: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
Help?
- chris
12 years, 2 months
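An added example, not from Chris's post and not OpenLDAP's own code, that looks at the client side of this setup. The verification error above is raised inside the ldapsearch process, and the OpenLDAP client library takes its trust anchors from TLS_CACERT or TLS_CACERTDIR in ldap.conf (the system-wide /etc/openldap/ldap.conf on this layout, ~/.ldaprc, or the LDAPTLS_CACERT environment variable), not from TLSCACertificateFile in slapd.conf and not from the OpenSSL default bundle that `openssl verify` consulted when it said OK. OpenSSL error 19, "self signed certificate in certificate chain", at the deepest depth means the root the server sent is not among the client's anchors. The tempting workaround, TLS_REQCERT never or allow, switches verification off; the checker below flags that and a missing TLS_CACERT, and turns the depth/err lines of the -d5 trace into a statement of which certificate is missing where. Both ldap.conf samples are constructed; the hostname caveat in the usage note applies to the corrected one too.

```python
import re

# TLS_REQCERT values from ldap.conf(5); never and allow let a failed verification through.
REQCERT_WEAK = {"never", "allow"}
REQCERT_OK = {"try", "demand", "hard"}          # hard is a synonym for demand, the default


def parse_ldap_conf(text):
    """ldap.conf is 'KEYWORD value' per line, keywords case-insensitive, '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls_client(text):
    """Findings about how libldap will verify the server certificate for ldaps:// and StartTLS."""
    s = parse_ldap_conf(text)
    findings = []
    reqcert = s.get("TLS_REQCERT", "demand").lower()
    if reqcert in REQCERT_WEAK:
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not verified; use demand")
    elif reqcert not in REQCERT_OK:
        findings.append(f"TLS_REQCERT {reqcert}: unknown value")
    if not (s.get("TLS_CACERT") or s.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the chain's root cannot be trusted (OpenSSL error 19)")
    return findings


TRACE_RE = re.compile(
    r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (.*?), issuer: (.*)$")


def explain_verify_error(trace_line):
    """Turn one 'TLS certificate verification' line of ldapsearch -d5 into the missing piece."""
    m = TRACE_RE.search(trace_line)
    if not m:
        return None
    depth, err = int(m.group(1)), int(m.group(2))
    subject, issuer = m.group(3).strip(), m.group(4).strip()
    if err in (18, 19):          # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT / SELF_SIGNED_CERT_IN_CHAIN
        return (f"depth {depth}: self-signed '{subject}' is not a trust anchor; "
                "add it to the file named by TLS_CACERT on the client")
    if err == 20:                # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        return (f"depth {depth}: issuer '{issuer}' of '{subject}' is neither in TLS_CACERT nor sent "
                "by the server; add the subordinate CA to the bundle")
    return f"depth {depth}: OpenSSL verify error {err} for '{subject}'"


# Constructed ldap.conf samples (BASE is an assumption, not the poster's).
WEAK = """\
BASE dc=example,dc=edu
URI ldaps://localhost/
# the usual "fix" for the error above: it disables verification entirely
TLS_REQCERT never
"""
FIXED = """\
BASE dc=example,dc=edu
URI ldaps://localhost/
# root CA followed by the subordinate CA, the same bundle slapd.conf points at
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
"""
TRACE = ("TLS certificate verification: depth: 2, err: 19, "
         "subject: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA, "
         "issuer: /DC=edu/DC=apollogrp/CN=Apollo Group Enterprise CA")

if __name__ == "__main__":
    print(audit_tls_client(WEAK))
    print(audit_tls_client(FIXED))      # []
    print(explain_verify_error(TRACE))
```

With TLS_REQCERT demand, libldap also checks that the host in the URI matches the server certificate, so testing against ldaps://localhost/ needs a certificate that names localhost; testing with the server's real name, the one the peer in mirrormode will use, avoids chasing a second error once the chain is fixed.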
DNS discovery for OpenLDAP?
by Jaap Winius
Hi all,
In the course of my research into a solution involving Kerberos,
OpenLDAP and OpenAFS (a.k.a. the Magic Trio), I've discovered that
both Kerberos and OpenAFS support methods of DNS discovery, but that
OpenLDAP apparently does not. Is this correct?
If so, might there be a reason for this, other than that it has
occurred to the developers, but that they just haven't had time yet to
create it? It seems to me that it would be great to have.
Thanks,
Jaap
12 years, 2 months
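An added example, not from Jaap's post and not OpenLDAP's own code, that shows the client side of the DNS discovery libldap does ship with: ldap_domain2hostlist() builds a host list from the _ldap._tcp SRV records of a domain (ldap_dn2domain() derives that domain from a DN), and slapd's back-dnssrv hands the same lookup back to clients as referrals. The Python below implements the RFC 2782 order in which such records are meant to be used: lowest priority first, weighted random choice within a priority with weight-0 targets least likely, and a lone target of "." meaning the service is explicitly not offered. The random source is injected so the result is testable; the SRV records are constructed input, not a live lookup. Caveat for anyone wiring this in: without DNSSEC the SRV answer is unauthenticated, so the discovered host still has to be verified by TLS, against the SRV target name the client connected to.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str      # FQDN of the LDAP server; "." means "no service at this name"


def order_srv(records, rng=random.random):
    """RFC 2782 target selection. rng() must return a float in [0, 1)."""
    live = [r for r in records if r.target != "."]
    ordered = []
    for prio in sorted({r.priority for r in live}):
        group = [r for r in live if r.priority == prio]
        # weight-0 entries go to the front, so only a random value of 0 selects them
        group.sort(key=lambda r: r.weight != 0)          # stable: zeros first
        while group:
            total = sum(r.weight for r in group)
            pick = rng() * total                          # 0 <= pick < total (or 0 if all weights are 0)
            running, chosen = 0, group[-1]
            for r in group:
                running += r.weight
                if running >= pick:                       # first record whose running sum reaches pick
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def ldap_uris(records, rng=random.random, scheme="ldap"):
    """Connection order as URIs; the TLS name to verify is the SRV target, not the looked-up domain."""
    return [f"{scheme}://{r.target.rstrip('.')}:{r.port}" for r in order_srv(records, rng)]


def service_offered(records):
    """RFC 2782: a single SRV record whose target is '.' states the service is not available."""
    return not (len(records) == 1 and records[0].target == ".")


# Constructed answer for _ldap._tcp.example.com IN SRV
RECORDS = [
    SRV(priority=10, weight=60, port=389, target="ldap1.example.com."),
    SRV(priority=10, weight=40, port=389, target="ldap2.example.com."),
    SRV(priority=10, weight=0, port=389, target="ldap3.example.com."),    # used only if the weighted ones are exhausted
    SRV(priority=20, weight=1, port=636, target="ldap-dr.example.com."),  # backup site, lower preference
]

if __name__ == "__main__":
    print(ldap_uris(RECORDS))
```

Compared with a static URI list in ldap.conf, this moves the choice of server into DNS; the security property does not change as long as TLS_REQCERT demand stays on and the certificate is checked against the target name, and it gets worse if a resolver an attacker controls can answer the SRV query and the client does not verify.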
Many entries, deletes getting painfully slow
by Peter Mogensen
Hi,
I have a database with close to 11 million entries and lately deletes
have started to get painfully slow.
I've set up a new server with a lot of improvements, but if anyone has
an idea about what the deciding factor for the performance difference
is, then I would be grateful.
On the old server:
-16 cores, 42 GB RAM, entire database in memory
-XFS file system on (hw) RAID-1
-Database and BerkeleyDB log on the same filesystem
-some, but not much load (~35 read waiters)
-time to delete 157 entries: 9 minutes.
New server:
-16 cores, 48 GB RAM, entire database in memory
-ext3 filesystem on (hw) RAID-10
-Database and log on different disks
-no load.
-time to delete the same 157 entries: 6.2 seconds
I'm aware that the new server has all the benefits, but even under low
load conditions the old server is only able to delete an entry every 3
seconds, and there are orders of magnitude of difference between 6 and 540
seconds.
My suspicion is that one of the above factors (XFS?, db/log on the
same fs?) gets very pronounced when the database grows above a
certain size, since this slowdown for deletes seems to have accelerated
with the growth of the database over the last few months.
/Peter
12 years, 2 months