Virtual list view problem
by Venish Khant
Hi all
I am using cpan Net::LDAP module to access LDAP entries. I want to
search LDAP entries using Net::LDAP search method. When I do search, I
want some limited number of entries from search result, for
this(searching) process I am using Net::LDAP::Control::VLV module. But
I get error on VLV response control. Please, any one have idea about
this error.
Error: Died at vlv.pl line 50
This is my example; line 50 is marked below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Callback invoked by search() for every entry (and once with undef at the end)
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # drop the entry so it is not kept in memory
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "$@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
# VLV requires a server-side sort control on the same search
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );

my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,          # Call this sub for each entry
    control  => [ $sort, $vlv ],
);

my $mesg = $ldap->search(@args);

# Get VLV response control -- this is line 50 of the original script, where it
# dies when the server returns no VLV response control ($mesg->code and
# $mesg->error hold the server's result for that search)
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search(@args);
--
Venish Khant
www.deeproot.co.in
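To show what the VLV request the script sends and the VLV response control that `$vlv->response($resp)` expects actually carry on the wire, here is an added Python encoder/decoder for the two control values (draft-ietf-ldapext-ldapv3-vlv-09); it is not part of the post or of Net::LDAP. It encodes the script's first request (before=0, after=19, content=0, offset=1) and its final assertion request, parses a constructed response, and derives the following-page request from it; `next_page_request` and the sample response values are assumptions for illustration.

```python
"""BER codec for the LDAP Virtual List View request/response control values."""

VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"
VLV_RESPONSE_OID = "2.16.840.1.113730.3.4.10"

# virtualListViewResult codes from the VLV draft; anything but 0 means the
# window the server returned cannot be trusted for paging
VLV_RESULT = {0: "success", 1: "operationsError", 3: "timeLimitExceeded",
              11: "adminLimitExceeded", 18: "inappropriateMatching",
              50: "insufficientAccessRights", 51: "busy",
              53: "unwillingToPerform", 60: "sortControlMissing",
              61: "offsetRangeError", 80: "other"}


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _int_body(n):
    """Minimal two's-complement octets, as BER requires for INTEGER/ENUMERATED."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def encode_vlv_request(before, after, offset=None, content=0,
                       assertion=None, context_id=None):
    """VirtualListViewRequest with a byOffset [0] or greaterThanOrEqual [1] target."""
    if (offset is None) == (assertion is None):
        raise ValueError("give exactly one of offset or assertion")
    if offset is not None:
        target = _tlv(0xA0, _tlv(0x02, _int_body(offset)) + _tlv(0x02, _int_body(content)))
    else:
        target = _tlv(0x81, assertion.encode("utf-8"))
    body = _tlv(0x02, _int_body(before)) + _tlv(0x02, _int_body(after)) + target
    if context_id is not None:
        body += _tlv(0x04, context_id)
    return _tlv(0x30, body)


def encode_vlv_response(target_position, content_count, result, context_id=None):
    """VirtualListViewResponse as a server would return it (used here for test data)."""
    body = (_tlv(0x02, _int_body(target_position)) + _tlv(0x02, _int_body(content_count))
            + _tlv(0x0A, _int_body(result)))
    if context_id is not None:
        body += _tlv(0x04, context_id)
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_vlv_response(value):
    """Parse the response control value into the fields a client pages with."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a single VirtualListViewResponse SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields[:3]] != [0x02, 0x02, 0x0A]:
        raise ValueError("unexpected field layout in VirtualListViewResponse")
    target, content, result = (int.from_bytes(v, "big", signed=True) for _, v in fields[:3])
    context = fields[3][1] if len(fields) > 3 and fields[3][0] == 0x04 else None
    return {"target": target, "content": content, "result": result,
            "result_name": VLV_RESULT.get(result, "unknown(%d)" % result),
            "context": context}


def next_page_request(response, before, after):
    """Request for the page following the one a decoded response describes.

    A page is before+after+1 entries around the target, so the next target is
    target+before+after+1. Only valid on success; the server's contentCount and
    contextID are echoed back so the offset is read against the server's list size.
    """
    if response["result"] != 0:
        raise ValueError("cannot page on a %s response" % response["result_name"])
    return encode_vlv_request(before, after, offset=response["target"] + before + after + 1,
                              content=response["content"], context_id=response["context"])
```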
7 years, 6 months
Certificate authentication and back-ldap proxy
by Ubay Dorta Guerra
Hi,
We have some problems with certificate authentication when the master
server is behind a back-ldap proxy.
We have openldap 2.4.21 on Suse Linux Enterprise Server 10 SP3 and
these are the details of our scenario:
The master server: server1.example.com has the following slapd.conf file:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by dn.exact="CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" read
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
#
# Security SSL
#
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /etc/ssl/certs/server1.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/server1.example.com.key
TLSCACertificatePath /etc/ssl/cacerts/
TLSVerifyClient demand
#
#Log level
#
loglevel 256
# Require authentication
require authc
#######################################################################
# HDB database definitions
#######################################################################
database hdb
suffix "dc=example,dc=com"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
# Indices to maintain
index objectClass eq
# Overlay ppolicy
overlay ppolicy
----------------------
Authentication is required, and we give access to the user passwords
for the dn of a certificate.
When we search for passwords using the certificate we get the following:
root# ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://server1.example.com userPassword
SASL/EXTERNAL authentication started
SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
SASL SSF: 0
dn: uid=user_w_pass,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0=
-----------------------
The root user (ldap client) has a ~/.ldaprc file with:
TLS_CACERTDIR /etc/ssl/cacerts/
TLS_CERT /etc/ssl/certs/admin_w_cert.pem
TLS_KEY /etc/ssl/private/admin_w_cert.key
TLS_REQCERT demand
SASL_MECH EXTERNAL
In /var/log/messages we get:
ldap-master[22358]: conn=1000 fd=11 ACCEPT from
IP=server1.example.com:40899 (IP=server1.example.com:636)
ldap-master[22358]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256
ldap-master[22358]: conn=1000 op=0 BIND dn="" method=163
ldap-master[22358]: conn=1000 op=0 BIND
authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-master[22358]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet
widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-master[22358]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-master[22358]: conn=1000 op=1 SRCH
base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0
filter="(objectClass=*)"
ldap-master[22358]: conn=1000 op=1 SRCH attr=userPassword
ldap-master[22358]: conn=1000 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
ldap-master[22358]: conn=1000 op=2 UNBIND
ldap-master[22358]: conn=1000 fd=11 closed
This is the correct behavior for us. The problem appears when we
introduce a back-ldap proxy between the client and the master.
The proxy server (proxy-server1.example.com) is listening on port 1636 and its slapd.conf file is:
#
# Security SSL
#
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificatePath /etc/ssl/cacerts/
TLSCertificateFile /etc/ssl/certs/proxy-server1.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/proxy-server1.example.com.key
TLSVerifyClient demand
# Log level
loglevel 256
#######################################################################
# Database definitions
#######################################################################
database ldap
rebind-as-user true
suffix "dc=example,dc=com"
uri "ldaps://server1.example.com"
tls ldaps
tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
tls_key=/etc/ssl/private/proxy-server1.example.com.key
tls_cacertdir=/etc/ssl/cacerts/
----------------------
If we search for passwords through the proxy we get:
root # ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 userPassword
SASL/EXTERNAL authentication started
SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
SASL SSF: 0
Server is unwilling to perform (53)
Additional information: authentication required
In the /var/log/messages the following messages appear:
ldap-proxy[22802]: conn=1001 fd=8 ACCEPT from
IP=proxy-server1.example.com:60712 (IP=proxy-server1.example.com:1636)
ldap-proxy[22802]: conn=1001 fd=8 TLS established tls_ssf=256 ssf=256
ldap-proxy[22802]: conn=1001 op=0 BIND dn="" method=163
ldap-proxy[22802]: conn=1001 op=0 BIND
authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[22802]: conn=1001 op=0 BIND dn="cn=admin_w_cert,o=internet
widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-proxy[22802]: conn=1001 op=0 RESULT tag=97 err=0 text=
ldap-proxy[22802]: conn=1001 op=1 SRCH
base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0
filter="(objectClass=*)"
ldap-proxy[22802]: conn=1001 op=1 SRCH attr=userPassword
ldap-master[22358]: conn=1008 op=2 SRCH
base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0
filter="(objectClass=*)"
ldap-master[22358]: conn=1008 op=2 SRCH attr=userPassword
ldap-master[22358]: conn=1008 op=2 SEARCH RESULT tag=101 err=53
nentries=0 text=authentication required
ldap-proxy[22802]: conn=1001 op=1 SEARCH RESULT tag=101 err=53
nentries=0 text=authentication required
ldap-proxy[22802]: conn=1001 op=2 UNBIND
ldap-proxy[22802]: conn=1001 fd=8 closed
The /root/.ldaprc file is the same as the previous one.
When we increase the logging level we discover this:
....
ldap-proxy[23008]: conn=1000 op=0 do_bind
ldap-proxy[23008]: >>> dnPrettyNormal: <>
ldap-proxy[23008]: <<< dnPrettyNormal: <>, <>
ldap-proxy[23008]: conn=1000 op=0 BIND dn="" method=163
ldap-proxy[23008]: do_bind: dn () SASL mech EXTERNAL
ldap-proxy[23008]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
ldap-proxy[23008]: SASL Canonicalize [conn=1000]:
authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: slap_sasl_getdn: conn 1000
id=cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au [len=61]
ldap-proxy[23008]: ==>slap_sasl2dn: converting SASL name
cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au to a DN
ldap-proxy[23008]: <==slap_sasl2dn: Converted SASL name to <nothing>
ldap-proxy[23008]: SASL Canonicalize [conn=1000]:
slapAuthcDN="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: SASL proxy authorize [conn=1000]:
authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: conn=1000 op=0 BIND
authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: SASL Authorize [conn=1000]: proxy authorization
allowed authzDN=""
ldap-proxy[23008]: send_ldap_sasl: err=0 len=-1
ldap-proxy[23008]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet
widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-proxy[23008]: do_bind: SASL/EXTERNAL bind:
dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
sasl_ssf=0
ldap-proxy[23008]: send_ldap_response: msgid=1 tag=97 err=0
ldap-proxy[23008]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-proxy[23008]: <== slap_sasl_bind: rc=0
....
ldap-proxy[23008]: conn=1000 op=1 SRCH
base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0
filter="(objectClass=*)"
ldap-proxy[23008]: conn=1000 op=1 SRCH attr=userPassword
ldap-proxy[23008]: ==> limits_get: conn=1000 op=1
self="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
this="uid=user_w_pass,ou=people,dc=example,dc=com"
ldap-master[22983]: daemon: activity on 1 descriptor
ldap-master[22983]: daemon: activity on:
ldap-master[22983]:
ldap-master[22983]: slap_listener_activate(7):
ldap-master[22983]: daemon: epoll: listen=7 busy
ldap-master[22983]: >>> slap_listener(ldaps://server1.example.com)
.....
ldap-master[22983]: conn=1000 op=0 do_bind
ldap-master[22983]: >>> dnPrettyNormal: <>
ldap-master[22983]: <<< dnPrettyNormal: <>, <>
ldap-master[22983]: conn=1000 op=0 BIND dn="" method=128
ldap-master[22983]: do_bind: version=3 dn="" method=128
ldap-master[22983]: send_ldap_result: conn=1000 op=0 p=3
ldap-master[22983]: send_ldap_result: err=0 matched="" text=""
ldap-master[22983]: send_ldap_response: msgid=1 tag=97 err=0
ldap-master[22983]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-master[22983]: do_bind: v3 anonymous bind
----------------
Therefore the proxy is binding anonymously in the master, instead of
using the dn of the certificate.
Is there any problem with the SASL EXTERNAL method?
If we use SIMPLE authentication through the proxy, there is no problem:
root # ldapsearch -LLL -x -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W userPassword
Enter LDAP Password:
dn: uid=user_w_pass,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0=
Thanks in advance.
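The two logs above show the identity question directly: the proxy's connection is bound as the certificate DN via SASL/EXTERNAL, while the master sees an anonymous simple bind followed by the search that fails with err=53. The following Python audit is an added example, not from the post or from OpenLDAP; it walks loglevel-256 `conn=`/`op=` lines, tracks the bound identity per connection, and flags searches run under an anonymous bind and operations that ended with err=53. The sample lines are abridged from the post, except the master's ACCEPT and anonymous BIND lines for conn=1008, which are constructed to match what the higher-loglevel excerpt shows for conn=1000.

```python
import re

# Sample input: abridged from the post's loglevel-256 logs. The ldap-master
# ACCEPT and 'BIND dn="" method=128' lines for conn=1008 are CONSTRUCTED here
# to match what the post's higher-loglevel excerpt shows for conn=1000.
SAMPLE_LOG = """\
ldap-proxy[22802]: conn=1001 fd=8 ACCEPT from IP=proxy-server1.example.com:60712 (IP=proxy-server1.example.com:1636)
ldap-proxy[22802]: conn=1001 fd=8 TLS established tls_ssf=256 ssf=256
ldap-proxy[22802]: conn=1001 op=0 BIND dn="" method=163
ldap-proxy[22802]: conn=1001 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-proxy[22802]: conn=1001 op=0 RESULT tag=97 err=0 text=
ldap-proxy[22802]: conn=1001 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
ldap-proxy[22802]: conn=1001 op=1 SRCH attr=userPassword
ldap-master[22358]: conn=1008 fd=12 ACCEPT from IP=proxy-server1.example.com:45123 (IP=server1.example.com:636)
ldap-master[22358]: conn=1008 op=0 BIND dn="" method=128
ldap-master[22358]: conn=1008 op=0 RESULT tag=97 err=0 text=
ldap-master[22358]: conn=1008 op=2 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
ldap-master[22358]: conn=1008 op=2 SRCH attr=userPassword
ldap-master[22358]: conn=1008 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
ldap-proxy[22802]: conn=1001 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
ldap-proxy[22802]: conn=1001 op=2 UNBIND
"""

LINE = re.compile(r"^(?P<host>[\w.-]+)\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT = re.compile(r"ACCEPT from IP=(?P<peer>[^:\s]+):\d+")   # hostname/IPv4 peers only
SIMPLE_BIND = re.compile(r'op=\d+ BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
SASL_BIND = re.compile(r'op=\d+ BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+)')
SRCH = re.compile(r'op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)"')
RESULT = re.compile(r"op=(?P<op>\d+) (?:SEARCH )?RESULT tag=\d+ err=(?P<err>\d+)")

AUTH_REQUIRED = 53  # LDAP unwillingToPerform; in the post it carries "authentication required"


def audit(log_text):
    """Walk loglevel-256 lines and report who each connection was bound as.

    Returns the identity per (host, conn), searches run while the connection
    was anonymous, and operations that ended with err=53.
    """
    conns = {}        # (host, conn) -> {"peer": str|None, "identity": str|None}
    anonymous_searches, auth_required = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["host"], int(m["conn"]))
        st = conns.setdefault(key, {"peer": None, "identity": None})
        rest = m["rest"]
        if (a := ACCEPT.search(rest)):
            st["peer"] = a["peer"]
        elif (b := SASL_BIND.search(rest)):
            # identity established by the SASL exchange (EXTERNAL: the cert DN)
            st["identity"] = b["dn"] or None
        elif (b := SIMPLE_BIND.search(rest)):
            # method=128 is a simple bind; an empty dn is an anonymous bind.
            # method=163 only starts a SASL bind; the mech line sets the identity.
            if b["method"] == "128":
                st["identity"] = b["dn"] or None
        elif (s := SRCH.search(rest)):
            if st["identity"] is None:
                anonymous_searches.append((*key, st["peer"], s["base"]))
        elif (r := RESULT.search(rest)):
            if int(r["err"]) == AUTH_REQUIRED:
                auth_required.append((*key, int(r["op"])))
    return {"identities": {k: v["identity"] for k, v in conns.items()},
            "anonymous_searches": anonymous_searches,
            "auth_required": auth_required}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for (host, conn), ident in report["identities"].items():
        print(f"{host} conn={conn}: bound as {ident or 'anonymous'}")
    for host, conn, peer, base in report["anonymous_searches"]:
        print(f"ANONYMOUS SEARCH {host} conn={conn} from {peer}: base={base}")
    for host, conn, op in report["auth_required"]:
        print(f"ERR 53 {host} conn={conn} op={op}: authentication required")
```

An anonymous search on the master whose peer is the proxy, paired with err=53 on both hosts, is the signature of the proxy not asserting the client's identity upstream.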
12 years, 11 months
Multi master replication
by Aravind Divakaran
Hi All,
I have configured two servers with multi-master replication. Below is my
configuration for syncrepl on both servers.
Server One
------------
serverID 001
overlay syncprov
syncprov-checkpoint 100 10
syncrepl rid=000
provider=ldap://192.168.10.100
type=refreshAndPersist
retry="5 5 300 +"
searchbase="dc=example,dc=com"
attrs="*,+"
bindmethod=simple
binddn="cn=syncuser,dc=example,dc=com"
credentials=password
mirrormode TRUE
Server Two
--------------
serverID 002
overlay syncprov
syncprov-checkpoint 100 10
syncrepl rid=000
provider=ldap://192.168.10.25
type=refreshAndPersist
retry="5 5 300 +"
searchbase="dc=example,dc=com"
attrs="*,+"
bindmethod=simple
binddn="cn=syncuser,dc=example,dc=com"
credentials=password
mirrormode TRUE
Today one of our users said that he was not able to log in. So I checked the
servers: on one server I was able to log in, but on the other server I was not
able to log in with the same password. I have checked the contextCSN on
both servers and they are equal. In the log it is showing this:
syncrepl_entry: rid=000 entry unchanged, ignored
(uid=user,ou=People,dc=example,dc=com)
Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000
uid=user,ou=People,dc=example,dc=com
Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 be_add
uid=user,ou=People,dc=example,dc=com (68)
Apr 28 12:14:17 mails slapd[16595]: dn_callback : entries have identical
CSN uid=user,ou=People,dc=example,dc=com
20100422132507.789242Z#000000#002#000000
Can anyone help me understand why the above message is showing in the log files and why
the user is not able to log in?
Rgds,
Aravind M D
13 years, 5 months
smbk5pwd: ldappassword hangs
by Frank Van Damme
Hi list,
I installed and configured the smbk5pwd overlay as described on
http://student.physik.uni-mainz.de/~reiffert/smbk5pwd.html#smbk5pwd.
This succeeded, the module is loaded etc. But an unwelcome side effect
is that password changes don't function anymore. With the
overlay/module disabled, there is no problem; if I enable it, the
"ldappasswd" command hangs. I marked where I hit Ctrl-C on the hanging
ldappasswd command.
This is the slapd log...
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
>>> slap_listener(ldap://127.0.0.1/)
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
daemon: listen=7, new connection on 15
daemon: added 15r (active) listener=(nil)
conn=1 fd=15 ACCEPT from IP=127.0.0.1:37250 (IP=127.0.0.1:389)
daemon: activity on 2 descriptors
daemon: activity on: 15r
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 15r
daemon: read active on 15
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
connection_get(15)
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
ber_get_next
ldap_read: want=8, got=8
0000: 30 43 02 01 01 60 3e 02 0C...`>.
ldap_read: want=61, got=61
0000: 01 03 04 2f 75 69 64 3d 74 72 79 6f 75 74 2c 6f .../uid=tryout,o
0010: 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 6f 74 65 63 u=People,dc=otec
0020: 2c 64 63 3d 76 75 62 2c 64 63 3d 61 63 2c 64 63 ,dc=vub,dc=ac,dc
0030: 3d 62 65 80 08 4d 68 43 30 47 6a 4d 4a =be..MhC0GjMJ
ber_get_next: tag 0x30 len 67 contents:
ber_dump: buf=0x824c518 ptr=0x824c518 end=0x824c55b len=67
0000: 02 01 01 60 3e 02 01 03 04 2f 75 69 64 3d 74 72 ...`>..../uid=tr
0010: 79 6f 75 74 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 yout,ou=People,d
0020: 63 3d 6f 74 65 63 2c 64 63 3d 76 75 62 2c 64 63 c=otec,dc=vub,dc
0030: 3d 61 63 2c 64 63 3d 62 65 80 08 4d 68 43 30 47 =ac,dc=be..MhC0G
0040: 6a 4d 4a jMJ
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=1 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x824c518 ptr=0x824c51b end=0x824c55b len=64
0000: 60 3e 02 01 03 04 2f 75 69 64 3d 74 72 79 6f 75 `>..../uid=tryou
0010: 74 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 6f t,ou=People,dc=o
0020: 74 65 63 2c 64 63 3d 76 75 62 2c 64 63 3d 61 63 tec,dc=vub,dc=ac
0030: 2c 64 63 3d 62 65 80 08 4d 68 43 30 47 6a 4d 4a ,dc=be..MhC0GjMJ
ber_scanf fmt (m}) ber:
ber_dump: buf=0x824c518 ptr=0x824c551 end=0x824c55b len=10
0000: 00 08 4d 68 43 30 47 6a 4d 4a ..MhC0GjMJ
>>> dnPrettyNormal: <uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be>
=> ldap_bv2dn(uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be,0)
<= ldap_bv2dn(uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be)=0
<<< dnPrettyNormal: <uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be>,
<uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be>
daemon: activity on 1 descriptor
conn=1 op=0 BIND dn="uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" method=128
do_bind: version=3
dn="uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" method=128
==> hdb_bind: dn: uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be
bdb_dn2entry("uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be")
=> hdb_dn2id("ou=people,dc=otec,dc=vub,dc=ac,dc=be")
<= hdb_dn2id: got id=0x4
=> hdb_dn2id("uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be")
<= hdb_dn2id: got id=0x22
entry_decode: ""
<= entry_decode()
=> access_allowed: auth access to
"uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" "userPassword"
requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry
"uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be", attr "userPassword"
requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=otec,dc=vub,dc=ac,dc=be
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
conn=1 op=0 BIND dn="uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be"
mech=SIMPLE ssf=0
do_bind: v3 bind: "uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" to
"uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be"
send_ldap_result: conn=1 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 15
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
conn=1 op=0 RESULT tag=97 err=0 text=
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 15r
daemon: read active on 15
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
connection_get(15)
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
ber_get_next
ldap_read: want=8, got=8
0000: 30 1e 02 01 02 77 19 80 0....w..
ldap_read: want=24, got=24
0000: 17 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 30 .1.3.6.1.4.1.420
0010: 33 2e 31 2e 31 31 2e 31 3.1.11.1
ber_get_next: tag 0x30 len 30 contents:
ber_dump: buf=0x824d060 ptr=0x824d060 end=0x824d07e len=30
0000: 02 01 02 77 19 80 17 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4
0010: 2e 31 2e 34 32 30 33 2e 31 2e 31 31 2e 31 .1.4203.1.11.1
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=1 op=1 do_extended
ber_scanf fmt ({m) ber:
ber_dump: buf=0x824d060 ptr=0x824d063 end=0x824d07e len=27
0000: 77 19 80 17 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1.
0010: 34 32 30 33 2e 31 2e 31 31 2e 31 4203.1.11.1
conn=1 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
CTRL-C
daemon: activity on 1 descriptor
daemon: activity on: 15r
daemon: read active on 15
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
connection_get(15)
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 15 failed errno=0 (Success)
connection_read(15): input error=-2 id=1, closing.
connection_closing: readying conn=1 sd=15 for close
connection_close: conn=1 sd=15
daemon: activity on 1 descriptor
daemon: removing 15
daemon: activity on:
conn=1 fd=15 closed (connection lost)
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: epoll: listen=9 active_threads=0 tvp=zero
daemon: epoll: listen=10 active_threads=0 tvp=zero
--
Frank Van Damme
A: Because it destroys the flow of the conversation.
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mailing lists or on Usenet?
13 years, 5 months
help SSL on Openldap and java
by s g
>
> Our requirement is that we need to test if a server certificate from
> Openldap server is valid and then upload to our trust store and use the
> certificate for further communications using SSL to the ldap server.
> I configured Openldap for SSL as per the Openldap admin guide - generated
> the 3 certificates cacert.pem,servercert.pem and serverkey.pem and put the
> corresponding entries in slapd.conf file. My assumption is cacert.pem is the
> file for the CA,servercert.pem is the server certificate file(?!) and the
> serverkey.pem is the file containing the private key to the server. After
> configuring my client ldap.conf file to point to cacert.pem as per the
> following directives -
>
> TLS_CACERTDIR <path to my cacert.pem file>
> TLS_REQCERT hard
>
> I was able to execute an ldapsearch command successfully. My problem is
> that after adding cacert.pem to my truststore, I am unable to use the
> certificate in java using SSL. I get the following exception -
>
> javax.naming.CommunicationException: simple bind failed:
> vcheung-181.lab.xxxx.net:636 [Root exception is
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: Netscape cert type does not
> permit use for SSL server]
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
> at
> com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
> at
> javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
> at
> javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
> at javax.naming.InitialContext.init(InitialContext.java:223)
> at javax.naming.InitialContext.<init>(InitialContext.java:197)
> at
> javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
> at
> com.xxxx.analyst.manager.database.LDAPSchemaTest.areAllAttributesPresent(LDAPSchemaTest.java:84)
> at
> com.xxxx.analyst.presentation.action.ReCreateDomainAction.doAttributeCheck(ReCreateDomainAction.java
> :249)
> at
> com.xxxx.analyst.presentation.action.ReCreateDomainAction.execute(ReCreateDomainAction.java:182)
> at
> org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
> at
> org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
> at
> org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
> at
> org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at com.xxxx.util.ReLiveUserFilter.doFilter(ReLiveUserFilter.java:70)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at
> com.xxxx.analyst.util.ReAccessFilter.doFilter(ReAccessFilter.java:191)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at
> org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
> at
> org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
> at
> org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
> at
> org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
> at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.jav
> a:744)
> at
> org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> at
> org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
> at java.lang.Thread.run(Thread.java:619)
>
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: Netscape cert type does not
> permit use for SSL server
> at
> com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
> at
> com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
> at
> com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
> at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
> at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
> at
> com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
> at
> com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
> at
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
> at
> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
> at
> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:393)
> at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
> at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192)
> ... 47 more
>
>
> I googled for the above exception and from what I got, I thought I had to
> configure for a client certificate but we have to test the server
> certificate for validity not the client certificate. I am not sure I am
> following the procedure correctly. My question is -
> Is servercert.pem the file that I need to use as server certificate. How
> can I validate it(I mean make sure that it is a valid server certificate
> file)? (Pointing to the servercert.pem file in ldap.conf gave me an error) -
ldap_create
ldap_url_parse_ext(ldaps://vcheung-181.lab.xxxx.net:636)
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP vcheung-181.lab.xxxx.net:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.25.4.181:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject:
/C=US/ST=California/O=yyyy/OU=yyyy/CN=vcheung-181.lab.xxxx.net, issuer:
/C=US/ST=California/O=yyyy/OU=yyyy/CN=vcheung-181.lab.xxxx.net
TLS certificate verification: Error, self signed certificate in certificate
chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
Is there some other directive in ldap.conf file which points to this file (
> I thought only 3 valid directives are present
> TLS_CACERTDIR,TLS_CACERT,TLS_REQCERT). There were other directives TLS_CERT
> - but these point to the client certificate.
> Thanks
Sirisha.
13 years, 6 months
Bidirectional sync using openldap and active directory
by Benjamin MONTHOUEL
Hi,
I'd like to know which method is recommended by openldap.org to perform
a bidirectional sync with Microsoft Active Directory.
This method has to notice that users changed their password by
themselves. Kerberos token ???
Thanks for any information.
--
Benjamin MONTHOUËL
Systems Administrator Assistant
NETASQ France - We Secure IT
Villeneuve d'Ascq
13 years, 6 months
replication issue
by Lennart Job
Hi there,
I've got some problems with ldap replication. Ever since I've updated
the master from Debian Etch to Lenny changes are no longer synced. I've
got v2.4.11 running on both servers. The slave is still running Etch.
SSL is active, so maybe there's a problem with the certificates...
However, if I restart the slave slapd, it does replicate properly. Do you
know any reasons for this behavior?
In addition, synchronization with samba on the master doesn't work
properly anymore. I can create accounts but password changes don't take
effect. So everybody has to use his first ever password to connect to
samba...
Thanks for your help!
Kind regards,
Lennart
--
Lennart Job
Ressort IT / Wissensmanagement
fuks e.V.
Waldhornstraße 27
76131 Karlsruhe
Büro +49 721 38 42 313
Fax +49 721 37 98 24
Privat +49 721 20 46 845
Mobil +49 173 78 87 643
E-Mail lennart.job(a)fuks.org
Web www.fuks.org
fuks e.V. - Vorsitz: André Fuchs - VR: 791 (Amtsgericht Karlsruhe)
13 years, 6 months
Server certificate
by Daniel Gomes
Hey there,
I've got a simple enough question: is it possible to use a certificate
for TLS (through the TLSCertificateFile directive) on which the FQDN of
the LDAP server is not on the CN but instead on the alternative name? I
tried this, but I'm getting a "TLS init def ctx failed: -64" and I
thought it might be because of this issue. I also couldn't find a list
of the error numbers and their descriptions, making it harder for me to
understand what's wrong...
Cheers,
--
Daniel Gomes (SysAdmin)
dgomes(a)ipfn.ist.utl.pt
Ext. 3487 - 218419487
Instituto de Plasmas e Fusão Nuclear
Instituto Superior Técnico - UTL
Av. Rovisco Pais - 1049-001 Lisboa - Portugal
13 years, 6 months
Re: Q: status of component matching?
by Lehnert, Hartmut
Hi all!
To avoid slapd's core dump when using component match filters (see
ITS#6556) I removed line 556 of file "servers/slapd/filter.c":
case LDAP_FILTER_EXT:
    //mra_free( op, f->f_mra, 1 );
    break;
Now component match filter search requests are answered by slapd but
don't work correctly. In fact nothing is found! For example the request
/home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s sub "(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.serialNumber\", rule allComponentsMatch, value 449 })" sncertnr
Is answered with
# extended LDIF
#
# LDAPv3
# base <o=CustomerCA,c=de> with scope subtree
# filter: (userCertificate:componentFilterMatch:=item:{ component
"toBeSigned.serialNumber", rule allComponentsMatch, value 449 })
# requesting: sncertnr
#
# search result
search: 2
result: 0 Success
# numResponses: 1
But in the database of slapd there are several certificates with
serialNumber 449:
lehnert.hartmut@sn-ocspr4:/opt/lehnert/Openldap-Support$ ./dumpasn1
449.cer
0 30 702: SEQUENCE {
4 30 551: SEQUENCE {
8 A0 3: [0] {
10 02 1: INTEGER 2
: }
13 02 2: INTEGER 449
17 30 13: SEQUENCE {
19 06 9: OBJECT IDENTIFIER
: sha256WithRSAEncryption (1 2 840 113549 1 1 11)
30 05 0: NULL
: }
32 30 111: SEQUENCE {
34 31 11: SET {
36 30 9: SEQUENCE {
38 06 3: OBJECT IDENTIFIER countryName (2 5 4 6)
43 13 2: PrintableString 'DE'
: }
: }
47 31 12: SET {
On slapd's side the debug message
bdb_search: <integer> does not match filter
is written out for every record.
What's going wrong here?
Regards,
Hartmut
13 years, 6 months
multiple instances
by mj romero
Hello,
I installed a server (RHEL5 x86_64) with three instances of OpenLDAP 2.3.43.
ldap 6572 1 0 May24 ? 00:49:12 /usr/sbin/slapd -u ldap -g ldap -h ldap://X.Y.Z.104:389 -f /etc/openldap/slapd.conf -l LOCAL4
ldap 6612 1 0 May24 ? 00:49:09 /usr/sbin/slapd -u ldap -g ldap -h ldap://X.Y.Z.105:389 -f /etc/openldap/slapd_i3.conf -l LOCAL6
ldap 8031 1 0 01:01 ? 00:01:26 /usr/sbin/slapd -u ldap -g ldap -h ldap://X.Y.Z.104:389 -f /etc/openldap/slapd_i2.conf -l LOCAL5
At first everything worked perfectly, but after several days of working properly one instance stopped. I started the instance again, but after several days one instance stopped (not the same one). I don't understand what happens. Any help is very useful to me.
Thank you very much.
13 years, 6 months