openldap-technical May 2010

openldap-technical@openldap.org

57 participants
66 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

Certificate authentication and back-ldap proxy
by Ubay Dorta Guerra 27 Dec '10

27 Dec '10

Hi, We have some problems with certificate authentication when the master server is behind a back-ldap proxy. We have openldap 2.4.21 on Suse Linux Enterprise Server 10 SP3 and these are the details of our scenario: The master server: server1.example.com has the following slapd.conf file: access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,userPKCS12 by self write by dn.exact="CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" read by * auth access to attrs=shadowLastChange by self write by * read access to * by * read # # Security SSL # TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCertificateFile /etc/ssl/certs/server1.example.com.pem TLSCertificateKeyFile /etc/ssl/private/server1.example.com.key TLSCACertificatePath /etc/ssl/cacerts/ TLSVerifyClient demand # #Log level # loglevel 256 # Require authentication require authc ####################################################################### # HDB database definitions ####################################################################### database hdb suffix "dc=example,dc=com" checkpoint 1024 5 cachesize 10000 rootdn "cn=Manager,dc=example,dc=com" rootpw secret # Indices to maintain index objectClass eq # Overlay ppolicy overlay ppolicy ---------------------- Authentication is required, and we give access to the user passwords for the dn of a certificate. When we search for passwords using the certificate we get the following: root# ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://server1.example.com userPassword SASL/EXTERNAL authentication started SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU SASL SSF: 0 dn: uid=user_w_pass,ou=people,dc=example,dc=com userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0= ----------------------- The root user (ldap client) has a ~/.ldaprc file with: TLS_CACERTDIR /etc/ssl/cacerts/ TLS_CERT /etc/ssl/certs/admin_w_cert.pem TLS_KEY /etc/ssl/private/admin_w_cert.key TLS_REQCERT demand SASL_MECH EXTERNAL In /var/log/messages we get: ldap-master[22358]: conn=1000 fd=11 ACCEPT from IP=server1.example.com:40899 (IP=server1.example.com:636) ldap-master[22358]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256 ldap-master[22358]: conn=1000 op=0 BIND dn="" method=163 ldap-master[22358]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-master[22358]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-master[22358]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-master[22358]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-master[22358]: conn=1000 op=1 SRCH attr=userPassword ldap-master[22358]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= ldap-master[22358]: conn=1000 op=2 UNBIND ldap-master[22358]: conn=1000 fd=11 closed This is the correct behavior for us. The problem appears when we introduce a back-ldap proxy between the client and the master. The proxy server (proxy-server1.example.com) is listening in port 1636 and its slapd.conf file is: # # Security SSL # TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCACertificatePath /etc/ssl/cacerts/ TLSCertificateFile /etc/ssl/certs/proxy-server1.example.com.pem TLSCertificateKeyFile /etc/ssl/private/proxy-server1.example.com.key TLSVerifyClient demand # Log level loglevel 256 ####################################################################### # Database definitions ####################################################################### database ldap rebind-as-user true suffix "dc=example,dc=com" uri "ldaps://server1.example.com" tls ldaps tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem tls_key=/etc/ssl/private/proxy-server1.example.com.key tls_cacertdir=/etc/ssl/cacerts/ ---------------------- If we search for passwords through the proxy we get: root # ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 userPassword SASL/EXTERNAL authentication started SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU SASL SSF: 0 Server is unwilling to perform (53) Additional information: authentication required In the /var/log/messages the following messages appear: ldap-proxy[22802]: conn=1001 fd=8 ACCEPT from IP=proxy-server1.example.com:60712 (IP=proxy-server1.example.com:1636) ldap-proxy[22802]: conn=1001 fd=8 TLS established tls_ssf=256 ssf=256 ldap-proxy[22802]: conn=1001 op=0 BIND dn="" method=163 ldap-proxy[22802]: conn=1001 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[22802]: conn=1001 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-proxy[22802]: conn=1001 op=0 RESULT tag=97 err=0 text= ldap-proxy[22802]: conn=1001 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-proxy[22802]: conn=1001 op=1 SRCH attr=userPassword ldap-master[22358]: conn=1008 op=2 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-master[22358]: conn=1008 op=2 SRCH attr=userPassword ldap-master[22358]: conn=1008 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required ldap-proxy[22802]: conn=1001 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required ldap-proxy[22802]: conn=1001 op=2 UNBIND ldap-proxy[22802]: conn=1001 fd=8 closed The /root/.ldaprc file is the same than the previous one. When we increase the logging level we discover this: .... ldap-proxy[23008]: conn=1000 op=0 do_bind ldap-proxy[23008]: >>> dnPrettyNormal: <> ldap-proxy[23008]: <<< dnPrettyNormal: <>, <> ldap-proxy[23008]: conn=1000 op=0 BIND dn="" method=163 ldap-proxy[23008]: do_bind: dn () SASL mech EXTERNAL ldap-proxy[23008]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0 ldap-proxy[23008]: SASL Canonicalize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: slap_sasl_getdn: conn 1000 id=cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au [len=61] ldap-proxy[23008]: ==>slap_sasl2dn: converting SASL name cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au to a DN ldap-proxy[23008]: <==slap_sasl2dn: Converted SASL name to <nothing> ldap-proxy[23008]: SASL Canonicalize [conn=1000]: slapAuthcDN="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: SASL proxy authorize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: SASL Authorize [conn=1000]: proxy authorization allowed authzDN="" ldap-proxy[23008]: send_ldap_sasl: err=0 len=-1 ldap-proxy[23008]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-proxy[23008]: do_bind: SASL/EXTERNAL bind: dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" sasl_ssf=0 ldap-proxy[23008]: send_ldap_response: msgid=1 tag=97 err=0 ldap-proxy[23008]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-proxy[23008]: <== slap_sasl_bind: rc=0 .... ldap-proxy[23008]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-proxy[23008]: conn=1000 op=1 SRCH attr=userPassword ldap-proxy[23008]: ==> limits_get: conn=1000 op=1 self="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" this="uid=user_w_pass,ou=people,dc=example,dc=com" ldap-master[22983]: daemon: activity on 1 descriptor ldap-master[22983]: daemon: activity on: ldap-master[22983]: ldap-master[22983]: slap_listener_activate(7): ldap-master[22983]: daemon: epoll: listen=7 busy ldap-master[22983]: >>> slap_listener(ldaps://server1.example.com) ..... ldap-master[22983]: conn=1000 op=0 do_bind ldap-master[22983]: >>> dnPrettyNormal: <> ldap-master[22983]: <<< dnPrettyNormal: <>, <> ldap-master[22983]: conn=1000 op=0 BIND dn="" method=128 ldap-master[22983]: do_bind: version=3 dn="" method=128 ldap-master[22983]: send_ldap_result: conn=1000 op=0 p=3 ldap-master[22983]: send_ldap_result: err=0 matched="" text="" ldap-master[22983]: send_ldap_response: msgid=1 tag=97 err=0 ldap-master[22983]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-master[22983]: do_bind: v3 anonymous bind ---------------- Therefore the proxy is binding anonymously in the master, instead of using the dn of the certificate. Is there any problem with the SASL EXTERNAL method? If we use SIMPLE authentication through the proxy, there is no problem: root # ldapsearch -LLL -x -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W userPassword Enter LDAP Password: dn: uid=user_w_pass,ou=people,dc=example,dc=com userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0= Thanks in advance. --------------------------------------------------------------------------------------------- ADVERTENCIA: Sobre la privacidad y cumplimiento de la Ley de Protección de Datos, acceda a http://www.iac.es/disclaimer.php WARNING: For more information on privacy and fulfilment of the Law concerning the Protection of Data, consult http://www.iac.es/disclaimer.php?lang=en

3 4

Multi master replication
by Aravind Divakaran 21 Jun '10

21 Jun '10

Hi All, I have configured two servers with multi master replication. Below is my configuration for synrepl on both servers. Server One ------------ serverID 001 overlay syncprov syncprov-checkpoint 100 10 syncrepl rid=000 provider=ldap://192.168.10.100 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=syncuser,dc=example,dc=com" credentials=password mirrormode TRUE Server Two -------------- serverID 002 overlay syncprov syncprov-checkpoint 100 10 syncrepl rid=000 provider=ldap://192.168.10.25 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=example,dc=com" attrs="*,+" bindmethod=simple binddn="cn=syncuser,dc=example,dc=com" credentials=password mirrormode TRUE Today one of user said that he was not able to login. So i checked in the servers in one server i was able to login but on another server i was not able to login with the same password. I have checked the contextCSN on both server they are equal. In the log it is showing this syncrepl_entry: rid=000 entry unchanged, ignored (uid=user,ou=People,dc=example,dc=com) Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 uid=user,ou=People,dc=example,dc=com Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 be_add uid=user,ou=People,dc=example,dc=com (68) Apr 28 12:14:17 mails slapd[16595]: dn_callback : entries have identical CSN uid=user,ou=People,dc=example,dc=com 20100422132507.789242Z#000000#002#000000 Can anyone help me why above message is showing in the log files and why the user is not able to login. Rgds, Aravind M D

7 14

smbk5pwd: ldappassword hangs
by Frank Van Damme 18 Jun '10

18 Jun '10

Hi list, I installed and configured the smbk5pwd overlay as described on http://student.physik.uni-mainz.de/~reiffert/smbk5pwd.html#smbk5pwd. This succeeded, the module is loaded etc. But an unwelcome side effect is that password changes don't function anymore. With the overlay/module disabled, there is no problem; if I enable it, the "ldappasswd" command hangs. I marked where I hit Ctrl-C on the hanging ldappasswd command. This is the slapd log... daemon: activity on 1 descriptor daemon: activity on: slap_listener_activate(7): daemon: epoll: listen=7 busy >>> slap_listener(ldap://127.0.0.1/) daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero daemon: listen=7, new connection on 15 daemon: added 15r (active) listener=(nil) conn=1 fd=15 ACCEPT from IP=127.0.0.1:37250 (IP=127.0.0.1:389) daemon: activity on 2 descriptors daemon: activity on: 15r daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 15r daemon: read active on 15 daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero connection_get(15) connection_get(15): got connid=1 connection_read(15): checking for input on id=1 ber_get_next ldap_read: want=8, got=8 0000: 30 43 02 01 01 60 3e 02 0C...`>. ldap_read: want=61, got=61 0000: 01 03 04 2f 75 69 64 3d 74 72 79 6f 75 74 2c 6f .../uid=tryout,o 0010: 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 6f 74 65 63 u=People,dc=otec 0020: 2c 64 63 3d 76 75 62 2c 64 63 3d 61 63 2c 64 63 ,dc=vub,dc=ac,dc 0030: 3d 62 65 80 08 4d 68 43 30 47 6a 4d 4a =be..MhC0GjMJ ber_get_next: tag 0x30 len 67 contents: ber_dump: buf=0x824c518 ptr=0x824c518 end=0x824c55b len=67 0000: 02 01 01 60 3e 02 01 03 04 2f 75 69 64 3d 74 72 ...`>..../uid=tr 0010: 79 6f 75 74 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 yout,ou=People,d 0020: 63 3d 6f 74 65 63 2c 64 63 3d 76 75 62 2c 64 63 c=otec,dc=vub,dc 0030: 3d 61 63 2c 64 63 3d 62 65 80 08 4d 68 43 30 47 =ac,dc=be..MhC0G 0040: 6a 4d 4a jMJ ber_get_next ldap_read: want=8 error=Resource temporarily unavailable conn=1 op=0 do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0x824c518 ptr=0x824c51b end=0x824c55b len=64 0000: 60 3e 02 01 03 04 2f 75 69 64 3d 74 72 79 6f 75 `>..../uid=tryou 0010: 74 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 6f t,ou=People,dc=o 0020: 74 65 63 2c 64 63 3d 76 75 62 2c 64 63 3d 61 63 tec,dc=vub,dc=ac 0030: 2c 64 63 3d 62 65 80 08 4d 68 43 30 47 6a 4d 4a ,dc=be..MhC0GjMJ ber_scanf fmt (m}) ber: ber_dump: buf=0x824c518 ptr=0x824c551 end=0x824c55b len=10 0000: 00 08 4d 68 43 30 47 6a 4d 4a ..MhC0GjMJ >>> dnPrettyNormal: <uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be> => ldap_bv2dn(uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be,0) <= ldap_bv2dn(uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be)=0 <<< dnPrettyNormal: <uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be>, <uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be> daemon: activity on 1 descriptor conn=1 op=0 BIND dn="uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" method=128 do_bind: version=3 dn="uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" method=128 ==> hdb_bind: dn: uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be bdb_dn2entry("uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be") => hdb_dn2id("ou=people,dc=otec,dc=vub,dc=ac,dc=be") <= hdb_dn2id: got id=0x4 => hdb_dn2id("uid=tryout,ou=people,dc=otec,dc=vub,dc=ac,dc=be") <= hdb_dn2id: got id=0x22 entry_decode: "" <= entry_decode() => access_allowed: auth access to "uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" "userPassword" requested => acl_get: [1] attr userPassword => slap_access_allowed: result not in cache (userPassword) => acl_mask: access to entry "uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: cn=admin,dc=otec,dc=vub,dc=ac,dc=be <= check a_dn_pat: anonymous <= acl_mask: [2] applying auth(=xd) (stop) <= acl_mask: [2] mask: auth(=xd) => slap_access_allowed: auth access granted by auth(=xd) => access_allowed: auth access granted by auth(=xd) conn=1 op=0 BIND dn="uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" mech=SIMPLE ssf=0 do_bind: v3 bind: "uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" to "uid=tryout,ou=People,dc=otec,dc=vub,dc=ac,dc=be" send_ldap_result: conn=1 op=0 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=1 tag=97 err=0 ber_flush2: 14 bytes to sd 15 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ ldap_write: want=14, written=14 0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........ conn=1 op=0 RESULT tag=97 err=0 text= daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 15r daemon: read active on 15 daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero connection_get(15) connection_get(15): got connid=1 connection_read(15): checking for input on id=1 ber_get_next ldap_read: want=8, got=8 0000: 30 1e 02 01 02 77 19 80 0....w.. ldap_read: want=24, got=24 0000: 17 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 30 .1.3.6.1.4.1.420 0010: 33 2e 31 2e 31 31 2e 31 3.1.11.1 ber_get_next: tag 0x30 len 30 contents: ber_dump: buf=0x824d060 ptr=0x824d060 end=0x824d07e len=30 0000: 02 01 02 77 19 80 17 31 2e 33 2e 36 2e 31 2e 34 ...w...1.3.6.1.4 0010: 2e 31 2e 34 32 30 33 2e 31 2e 31 31 2e 31 .1.4203.1.11.1 ber_get_next ldap_read: want=8 error=Resource temporarily unavailable conn=1 op=1 do_extended ber_scanf fmt ({m) ber: ber_dump: buf=0x824d060 ptr=0x824d063 end=0x824d07e len=27 0000: 77 19 80 17 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 34 32 30 33 2e 31 2e 31 31 2e 31 4203.1.11.1 conn=1 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero CTRL-C daemon: activity on 1 descriptor daemon: activity on: 15r daemon: read active on 15 daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero connection_get(15) connection_get(15): got connid=1 connection_read(15): checking for input on id=1 ber_get_next ldap_read: want=8, got=0 ber_get_next on fd 15 failed errno=0 (Success) connection_read(15): input error=-2 id=1, closing. connection_closing: readying conn=1 sd=15 for close connection_close: conn=1 sd=15 daemon: activity on 1 descriptor daemon: removing 15 daemon: activity on: conn=1 fd=15 closed (connection lost) daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: epoll: listen=9 active_threads=0 tvp=zero daemon: epoll: listen=10 active_threads=0 tvp=zero -- Frank Van Damme A: Because it destroys the flow of the conversation. Q: Why is it bad? A: No, it's bad. Q: Should I top post in replies to mailing lists or on Usenet?

4 6

help SSL on Openldap and java
by s g 10 Jun '10

10 Jun '10

> > Our requirement is that we need to test if a server certificate from > Openldap server is valid and then upload to our trust store and use the > certificate for further communications using SSL to the ldap server. > I configured Openldap for SSL as per the Openldap admin guide - generated > the 3 certificates cacert.pem,servercert.pem and serverkey.pem and put the > corresponding entries in slapd.conf file. My assumption is cacert.pem is the > file for the CA,servercert.pem is the server certificate file(?!) and the > serverkey.pem is the file containing the private key to the server. After > configuring my client ldap.conf file to point to cacert.pem as per the > following directives - > > TLS_CACERTDIR <path to my cacert.pem file> > TLS_REQCERT hard > > I was able to execute an ldapsearch command successfully. My problem is > that after adding cacert.pem to my truststore, I am unable to use the > certificate in java using SSL. I get the following exception - > > javax.naming.CommunicationException: simple bind failed: > vcheung-181.lab.xxxx.net:636 [Root exception is > javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: Netscape cert type does not > permit use for SSL server] > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197) > at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658) > at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287) > at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) > at > com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) > at > com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) > at > com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) > at > javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) > at > javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288) > at javax.naming.InitialContext.init(InitialContext.java:223) > at javax.naming.InitialContext.<init>(InitialContext.java:197) > at > javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82) > at > com.xxxx.analyst.manager.database.LDAPSchemaTest.areAllAttributesPresent(LDAPSchemaTest.java:84) > at > com.xxxx.analyst.presentation.action.ReCreateDomainAction.doAttributeCheck(ReCreateDomainAction.java > :249) > at > com.xxxx.analyst.presentation.action.ReCreateDomainAction.execute(ReCreateDomainAction.java:182) > at > org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431) > at > org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236) > at > org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196) > at > org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:810) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) > at com.xxxx.util.ReLiveUserFilter.doFilter(ReLiveUserFilter.java:70) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) > at > com.xxxx.analyst.util.ReAccessFilter.doFilter(ReAccessFilter.java:191) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) > at > org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178) > at > org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39) > at > org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:153) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) > at > org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148) > at > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) > at > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.jav > a:744) > at > org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527) > at > org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112) > at java.lang.Thread.run(Thread.java:619) > > Caused by: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: Netscape cert type does not > permit use for SSL server > at > com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174) > at > com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591) > at > com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187) > at > com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181) > at > com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975) > at > com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123) > at > com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516) > at > com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454) > at > com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884) > at > com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096) > at > com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623) > at > com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59) > at > java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65) > at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123) > at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:393) > at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334) > at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:192) > ... 47 more > > > I googled for the above exception and from what I got, I thought I had to > configure for a client certificate but we have to test the server > certificate for validity not the client certificate. I am not sure I am > following the procedure correctly. My question is - > Is servercert.pem the file that I need to use as server certificate. How > can I validate it(I mean make sure that it is a valid server certificate > file)? (Pointing to the servercert.pem file in ldap.conf gave me an error) - ldap_create ldap_url_parse_ext(ldaps://vcheung-181.lab.xxxx.net:636) ldap_bind_s ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection ldap_int_open_connection ldap_connect_to_host: TCP vcheung-181.lab.xxxx.net:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 172.25.4.181:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_is_sock_ready: 3 ldap_ndelay_off: 3 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=California/O=yyyy/OU=yyyy/CN=vcheung-181.lab.xxxx.net, issuer: /C=US/ST=California/O=yyyy/OU=yyyy/CN=vcheung-181.lab.xxxx.net TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1) Is there some other directive in ldap.conf file which points to this file ( > I thought only 3 valid directives are present > TLS_CACERTDIR,TLS_CACERT,TLS_REQCERT). There were other directives TLS_CERT > - but these point to the client certificate. > Thanks Sirisha.

3 4

Bidirectional sync using openldap and active directory
by Benjamin MONTHOUEL 07 Jun '10

07 Jun '10

Hi, I'd like to know which method is recommended by openldap.org to perform a bidirectional sync with Microsoft Active Directory. This method has to notice that users changed their password by themselves. Kerberos token ??? Thanks for any information. -- Benjamin MONTHOUËL Systems Administrator Assistant NETASQ France - We Secure IT Villeneuve d'Ascq

2 2

replication issue
by Lennart Job 01 Jun '10

01 Jun '10

Hi there, I've got some problems with ldap replication. Ever since I've updated the master from Debian Etch to Lenny changes are no longer synced. I've got v2.4.11 running on both servers. The slave is still running Etch. SSL is active, so maybe there's a problem with the certificates... However, if I restart the slave slapd he does replicate properly. Do you know any reasons for this behavior? In addition, synchronization with samba on the master doesn't work properly anymore. I can create accounts but password changes don't take effect. So everybody has to use his first ever password to connect to samba... Thanks for your help! Kind regards, Lennart -- Lennart Job Ressort IT / Wissensmanagement fuks e.V. Waldhornstraße 27 76131 Karlsruhe Büro +49 721 38 42 313 Fax +49 721 37 98 24 Privat +49 721 20 46 845 Mobil +49 173 78 87 643 E-Mail lennart.job(a)fuks.org Web www.fuks.org fuks e.V. - Vorsitz: André Fuchs - VR: 791 (Amtsgericht Karlsruhe)

2 1

Server certificate
by Daniel Gomes 01 Jun '10

01 Jun '10

Hey there, I've got a simple enough question: is it possible to use a certificate for TLS (through the TLSCertificateFile directive) on which the FQDN of the LDAP server is not on the CN but instead on the alternative name? I tried this, but I'm getting a "TLS init def ctx failed: -64" and I thought it might be because of this issue. I also couldn't find a list of the error numbers and their descriptions, making it harder for me to understand what's wrong... Cheers, -- Daniel Gomes (SysAdmin) dgomes(a)ipfn.ist.utl.pt Ext. 3487 - 218419487 Instituto de Plasmas e Fusão Nuclear Instituto Superior Técnico - UTL Av. Rovisco Pais - 1049-001 Lisboa - Portugal

3 3

Re: Q: status of component matching?
by Lehnert, Hartmut 31 May '10

31 May '10

Hi all! To avoid the slapd's core dump when using component match filters (see ITS # 6556) I removed line 556 of file "servers/slapd/filter.c": case LDAP_FILTER_EXT: //mra_free( op, f->f_mra, 1 ); break; Now component match filter search requests are answered by slapd but don't work correctly. In fact nothing is found! For example the request /home/openldap/openldap-2.4.21-install/bin/ldapsearch -h localhost -p 9389 -D cn=openldapadmin -w welcome -b o=CustomerCA,c=de -s sub "(userCertificate:componentFilterMatch:=item:{ component \"toBeSigned.serialNumber\", rule allComponentsMatch, value 449 })" sncertnr Is answered with # extended LDIF # # LDAPv3 # base <o=CustomerCA,c=de> with scope subtree # filter: (userCertificate:componentFilterMatch:=item:{ component "toBeSigned.serialNumber", rule allComponentsMatch, value 449 }) # requesting: sncertnr # # search result search: 2 result: 0 Success # numResponses: 1 But in the database of slapd there are several certificates with serialNumber 449: lehnert.hartmut@sn-ocspr4:/opt/lehnert/Openldap-Support$ ./dumpasn1 449.cer 0 30 702: SEQUENCE { 4 30 551: SEQUENCE { 8 A0 3: [0] { 10 02 1: INTEGER 2 : } 13 02 2: INTEGER 449 17 30 13: SEQUENCE { 19 06 9: OBJECT IDENTIFIER : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 30 05 0: NULL : } 32 30 111: SEQUENCE { 34 31 11: SET { 36 30 9: SEQUENCE { 38 06 3: OBJECT IDENTIFIER countryName (2 5 4 6) 43 13 2: PrintableString 'DE' : } : } 47 31 12: SET { On slapd's side the debug message bdb_search: <integer> does not match filter is written out for every record. What's going wrong here? Regards, Hartmut

1 0

multiple instances
by mj romero 30 May '10

30 May '10

Hello, I installed a server (RHEL5 x86_64) with three instances of OpenLDAP 2.3.43. ldap 6572 1 0 May24 ? 00:49:12 /usr/sbin/slapd -u ldap -g ldap -h ldap://X.Y.Z.104:389 -f /etc/openldap/slapd.conf -l LOCAL4ldap 6612 1 0 May24 ? 00:49:09 /usr/sbin/slapd -u ldap -g ldap -h ldap://X.Y.Z.105:389 -f /etc/openldap/slapd_i3.conf -l LOCAL6ldap 8031 1 0 01:01 ? 00:01:26 /usr/sbin/slapd -u ldap -g ldap -h ldap://X.Y.Z.104:389 -f /etc/openldap/slapd_i2.conf -l LOCAL5 At first everything worked perfect but after several days working properly one instance stopped.I started the instance again but after several days one instance stopped (not the same).I don't understand what happens. Any help is very useful to me. Thank you very much. _________________________________________________________________ Disfruta de Messenger y Hotmail en tu BlackBerry ¡Hazlo ya! http://serviciosmoviles.es.msn.com/messenger/blackberry.aspx

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2010