openldap-technical August 2010

openldap-technical@openldap.org

83 participants
85 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

Certificate authentication and back-ldap proxy
by Ubay Dorta Guerra 27 Dec '10

27 Dec '10

Hi, We have some problems with certificate authentication when the master server is behind a back-ldap proxy. We have openldap 2.4.21 on Suse Linux Enterprise Server 10 SP3 and these are the details of our scenario: The master server: server1.example.com has the following slapd.conf file: access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,userPKCS12 by self write by dn.exact="CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" read by * auth access to attrs=shadowLastChange by self write by * read access to * by * read # # Security SSL # TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCertificateFile /etc/ssl/certs/server1.example.com.pem TLSCertificateKeyFile /etc/ssl/private/server1.example.com.key TLSCACertificatePath /etc/ssl/cacerts/ TLSVerifyClient demand # #Log level # loglevel 256 # Require authentication require authc ####################################################################### # HDB database definitions ####################################################################### database hdb suffix "dc=example,dc=com" checkpoint 1024 5 cachesize 10000 rootdn "cn=Manager,dc=example,dc=com" rootpw secret # Indices to maintain index objectClass eq # Overlay ppolicy overlay ppolicy ---------------------- Authentication is required, and we give access to the user passwords for the dn of a certificate. When we search for passwords using the certificate we get the following: root# ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://server1.example.com userPassword SASL/EXTERNAL authentication started SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU SASL SSF: 0 dn: uid=user_w_pass,ou=people,dc=example,dc=com userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0= ----------------------- The root user (ldap client) has a ~/.ldaprc file with: TLS_CACERTDIR /etc/ssl/cacerts/ TLS_CERT /etc/ssl/certs/admin_w_cert.pem TLS_KEY /etc/ssl/private/admin_w_cert.key TLS_REQCERT demand SASL_MECH EXTERNAL In /var/log/messages we get: ldap-master[22358]: conn=1000 fd=11 ACCEPT from IP=server1.example.com:40899 (IP=server1.example.com:636) ldap-master[22358]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256 ldap-master[22358]: conn=1000 op=0 BIND dn="" method=163 ldap-master[22358]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-master[22358]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-master[22358]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-master[22358]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-master[22358]: conn=1000 op=1 SRCH attr=userPassword ldap-master[22358]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= ldap-master[22358]: conn=1000 op=2 UNBIND ldap-master[22358]: conn=1000 fd=11 closed This is the correct behavior for us. The problem appears when we introduce a back-ldap proxy between the client and the master. The proxy server (proxy-server1.example.com) is listening in port 1636 and its slapd.conf file is: # # Security SSL # TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCACertificatePath /etc/ssl/cacerts/ TLSCertificateFile /etc/ssl/certs/proxy-server1.example.com.pem TLSCertificateKeyFile /etc/ssl/private/proxy-server1.example.com.key TLSVerifyClient demand # Log level loglevel 256 ####################################################################### # Database definitions ####################################################################### database ldap rebind-as-user true suffix "dc=example,dc=com" uri "ldaps://server1.example.com" tls ldaps tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem tls_key=/etc/ssl/private/proxy-server1.example.com.key tls_cacertdir=/etc/ssl/cacerts/ ---------------------- If we search for passwords through the proxy we get: root # ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 userPassword SASL/EXTERNAL authentication started SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU SASL SSF: 0 Server is unwilling to perform (53) Additional information: authentication required In the /var/log/messages the following messages appear: ldap-proxy[22802]: conn=1001 fd=8 ACCEPT from IP=proxy-server1.example.com:60712 (IP=proxy-server1.example.com:1636) ldap-proxy[22802]: conn=1001 fd=8 TLS established tls_ssf=256 ssf=256 ldap-proxy[22802]: conn=1001 op=0 BIND dn="" method=163 ldap-proxy[22802]: conn=1001 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[22802]: conn=1001 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-proxy[22802]: conn=1001 op=0 RESULT tag=97 err=0 text= ldap-proxy[22802]: conn=1001 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-proxy[22802]: conn=1001 op=1 SRCH attr=userPassword ldap-master[22358]: conn=1008 op=2 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-master[22358]: conn=1008 op=2 SRCH attr=userPassword ldap-master[22358]: conn=1008 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required ldap-proxy[22802]: conn=1001 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required ldap-proxy[22802]: conn=1001 op=2 UNBIND ldap-proxy[22802]: conn=1001 fd=8 closed The /root/.ldaprc file is the same than the previous one. When we increase the logging level we discover this: .... ldap-proxy[23008]: conn=1000 op=0 do_bind ldap-proxy[23008]: >>> dnPrettyNormal: <> ldap-proxy[23008]: <<< dnPrettyNormal: <>, <> ldap-proxy[23008]: conn=1000 op=0 BIND dn="" method=163 ldap-proxy[23008]: do_bind: dn () SASL mech EXTERNAL ldap-proxy[23008]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0 ldap-proxy[23008]: SASL Canonicalize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: slap_sasl_getdn: conn 1000 id=cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au [len=61] ldap-proxy[23008]: ==>slap_sasl2dn: converting SASL name cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au to a DN ldap-proxy[23008]: <==slap_sasl2dn: Converted SASL name to <nothing> ldap-proxy[23008]: SASL Canonicalize [conn=1000]: slapAuthcDN="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: SASL proxy authorize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: SASL Authorize [conn=1000]: proxy authorization allowed authzDN="" ldap-proxy[23008]: send_ldap_sasl: err=0 len=-1 ldap-proxy[23008]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-proxy[23008]: do_bind: SASL/EXTERNAL bind: dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" sasl_ssf=0 ldap-proxy[23008]: send_ldap_response: msgid=1 tag=97 err=0 ldap-proxy[23008]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-proxy[23008]: <== slap_sasl_bind: rc=0 .... ldap-proxy[23008]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-proxy[23008]: conn=1000 op=1 SRCH attr=userPassword ldap-proxy[23008]: ==> limits_get: conn=1000 op=1 self="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" this="uid=user_w_pass,ou=people,dc=example,dc=com" ldap-master[22983]: daemon: activity on 1 descriptor ldap-master[22983]: daemon: activity on: ldap-master[22983]: ldap-master[22983]: slap_listener_activate(7): ldap-master[22983]: daemon: epoll: listen=7 busy ldap-master[22983]: >>> slap_listener(ldaps://server1.example.com) ..... ldap-master[22983]: conn=1000 op=0 do_bind ldap-master[22983]: >>> dnPrettyNormal: <> ldap-master[22983]: <<< dnPrettyNormal: <>, <> ldap-master[22983]: conn=1000 op=0 BIND dn="" method=128 ldap-master[22983]: do_bind: version=3 dn="" method=128 ldap-master[22983]: send_ldap_result: conn=1000 op=0 p=3 ldap-master[22983]: send_ldap_result: err=0 matched="" text="" ldap-master[22983]: send_ldap_response: msgid=1 tag=97 err=0 ldap-master[22983]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-master[22983]: do_bind: v3 anonymous bind ---------------- Therefore the proxy is binding anonymously in the master, instead of using the dn of the certificate. Is there any problem with the SASL EXTERNAL method? If we use SIMPLE authentication through the proxy, there is no problem: root # ldapsearch -LLL -x -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W userPassword Enter LDAP Password: dn: uid=user_w_pass,ou=people,dc=example,dc=com userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0= Thanks in advance. --------------------------------------------------------------------------------------------- ADVERTENCIA: Sobre la privacidad y cumplimiento de la Ley de Protección de Datos, acceda a http://www.iac.es/disclaimer.php WARNING: For more information on privacy and fulfilment of the Law concerning the Protection of Data, consult http://www.iac.es/disclaimer.php?lang=en

3 4

cn=config and ACL formatting
by Victor Mataré 09 Sep '10

09 Sep '10

Hi everyone, I just switched our servers from slapd.conf to cn=config in slapd.d, and I'm a bit annoyed with my ACLs now. The problem is that olcAccess attributes tend to be somewhat lengthy and I'd really appreciate some newlines in them, but slapd seems to eat those. Is there any way to tell the server to preserve the newlines in attribute values, or maybe use some other character that causes a line break? Of course I might edit the files in /etc/slapd.d, but then the whole cn=config thingy becomes pointless, doesn't it? greetings, Victor

5 5

Back-ldap configuration and id-assertion.
by Mustafa A. Hashmi 07 Sep '10

07 Sep '10

Hi all, I am wondering if I am going about my setup the right way and am hoping someone can give me a bit of input. Using openldap-2.4.23 on Debian Linux, I have nssov configured to retrieve host, user and group information on my primary server, with back-ldap and nssov configured on a secondary machine doing the same. The back-ldap configuration is as follows: database ldap suffix dc=zivios,dc=net uri "ldap://dev03.zivios.net" acl-bind bindmethod=simple binddn="" credentials="" idassert-bind bindmethod=simple mode=self binddn="uid=zproxyauth,ou=zusers,ou=core control,ou=zivios,dc=zivios,dc=net" credentials="foo" idassert-authzFrom "dn.regex:.*" overlay nssov nssov-map group uniqueMember member nssov-ssd passwd ldap:///dc=zivios,dc=net??sub nssov-ssd group ldap:///dc=zivios,dc=net??sub nssov-ssd hosts ldap:///dc=zivios,dc=net??sub nssov-pam hostservice nssov-pam-session sshd nssov-pam-session login On the primary server, I have the authz policy set to "to", with an authzto rule as follows for the zproxyauth user: {0}ldap:///dc=zivios,dc=net??sub?(objectClass=posixAccount) I have setup appropriate ACLs that allow access to the authorizedService attribute for certain groups and, testing ssh & logins is working as required (on the primary server). However, when connections come in from the back-ldap server, the proxy auth works initially, with every "other" request failing. The back-ldap server log reports: send_ldap_result: err=123 matched="" text="anonymous proxied authorization not allowed" This is quite easily reproducible via simple getent passwd/group calls. Every second request fails with the aforementioned error. SSH access to the secondary server (with a successful regex, id-assertion and compare operation) works if I restart the back-ldap server, however, all subsequent requests fail. Below is the complete log of a failed request from the back-ldap server on a getent passwd command: dev02:/opt/zivios/openldap/etc/openldap# getent passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin zopenldap:x:945:945::/home/zopenldap:/bin/false daemon: activity on 1 descriptor daemon: activity on: 10r daemon: read active on 10 daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: epoll: listen=9 active_threads=0 tvp=NULL connection_get(10) connection_get(10): got connid=0 nssov: connection from uid=0 gid=0 daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: epoll: listen=9 active_threads=0 tvp=NULL nssov_passwd_all() str2filter "(objectClass=posixAccount)" put_filter: "(objectClass=posixAccount)" put_filter: simple put_simple_filter: "objectClass=posixAccount" begin get_filter EQUALITY ber_scanf fmt ({mm}) ber: ber_dump: buf=0xf6e8f010 ptr=0xf6e8f010 end=0xf6e8f02d len=29 0000: a3 1b 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 ....objectClass. 0010: 0c 70 6f 73 69 78 41 63 63 6f 75 6e 74 .posixAccount end get_filter 0 =>ldap_back_getconn: conn 0x9398940 fetched refcnt=1. ldap_search_ext put_filter: "(objectClass=posixAccount)" put_filter: simple put_simple_filter: "objectClass=posixAccount" ldap_build_search_req ATTRS: uid userPassword uidNumber gidNumber gecos cn homeDirectory loginShell objectClass ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x9397070 ptr=0x9397070 end=0x939716f len=255 0000: 30 81 fc 02 01 13 63 81 9c 04 10 64 63 3d 7a 69 0.....c....dc=zi 0010: 76 69 6f 73 2c 64 63 3d 6e 65 74 0a 01 02 0a 01 vios,dc=net..... 0020: 00 02 01 00 02 01 00 01 01 00 a3 1b 04 0b 6f 62 ..............ob 0030: 6a 65 63 74 43 6c 61 73 73 04 0c 70 6f 73 69 78 jectClass..posix 0040: 41 63 63 6f 75 6e 74 30 5c 04 03 75 69 64 04 0c Account0\..uid.. 0050: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui 0060: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb 0070: 65 72 04 05 67 65 63 6f 73 04 02 63 6e 04 0d 68 er..gecos..cn..h 0080: 6f 6d 65 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f omeDirectory..lo 0090: 67 69 6e 53 68 65 6c 6c 04 0b 6f 62 6a 65 63 74 ginShell..object 00a0: 43 6c 61 73 73 a0 58 30 56 04 18 32 2e 31 36 2e Class.X0V..2.16. 00b0: 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 840.1.113730.3.4 00c0: 2e 31 38 04 3a 64 6e 3a 67 69 64 4e 75 6d 62 65 .18.:dn:gidNumbe 00d0: 72 3d 30 2b 75 69 64 4e 75 6d 62 65 72 3d 30 2c r=0+uidNumber=0, 00e0: 63 6e 3d 70 65 65 72 63 72 65 64 2c 63 6e 3d 65 cn=peercred,cn=e 00f0: 78 74 65 72 6e 61 6c 2c 63 6e 3d 61 75 74 68 xternal,cn=auth ber_scanf fmt ({) ber: ber_dump: buf=0x9397070 ptr=0x9397076 end=0x939716f len=249 0000: 63 81 9c 04 10 64 63 3d 7a 69 76 69 6f 73 2c 64 c....dc=zivios,d 0010: 63 3d 6e 65 74 0a 01 02 0a 01 00 02 01 00 02 01 c=net........... 0020: 00 01 01 00 a3 1b 04 0b 6f 62 6a 65 63 74 43 6c ........objectCl 0030: 61 73 73 04 0c 70 6f 73 69 78 41 63 63 6f 75 6e ass..posixAccoun 0040: 74 30 5c 04 03 75 69 64 04 0c 75 73 65 72 50 61 t0\..uid..userPa 0050: 73 73 77 6f 72 64 04 09 75 69 64 4e 75 6d 62 65 ssword..uidNumbe 0060: 72 04 09 67 69 64 4e 75 6d 62 65 72 04 05 67 65 r..gidNumber..ge 0070: 63 6f 73 04 02 63 6e 04 0d 68 6f 6d 65 44 69 72 cos..cn..homeDir 0080: 65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e 53 68 65 ectory..loginShe 0090: 6c 6c 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 a0 ll..objectClass. 00a0: 58 30 56 04 18 32 2e 31 36 2e 38 34 30 2e 31 2e X0V..2.16.840.1. 00b0: 31 31 33 37 33 30 2e 33 2e 34 2e 31 38 04 3a 64 113730.3.4.18.:d 00c0: 6e 3a 67 69 64 4e 75 6d 62 65 72 3d 30 2b 75 69 n:gidNumber=0+ui 00d0: 64 4e 75 6d 62 65 72 3d 30 2c 63 6e 3d 70 65 65 dNumber=0,cn=pee 00e0: 72 63 72 65 64 2c 63 6e 3d 65 78 74 65 72 6e 61 rcred,cn=externa 00f0: 6c 2c 63 6e 3d 61 75 74 68 l,cn=auth ber_flush2: 255 bytes to sd 13 0000: 30 81 fc 02 01 13 63 81 9c 04 10 64 63 3d 7a 69 0.....c....dc=zi 0010: 76 69 6f 73 2c 64 63 3d 6e 65 74 0a 01 02 0a 01 vios,dc=net..... 0020: 00 02 01 00 02 01 00 01 01 00 a3 1b 04 0b 6f 62 ..............ob 0030: 6a 65 63 74 43 6c 61 73 73 04 0c 70 6f 73 69 78 jectClass..posix 0040: 41 63 63 6f 75 6e 74 30 5c 04 03 75 69 64 04 0c Account0\..uid.. 0050: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui 0060: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb 0070: 65 72 04 05 67 65 63 6f 73 04 02 63 6e 04 0d 68 er..gecos..cn..h 0080: 6f 6d 65 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f omeDirectory..lo 0090: 67 69 6e 53 68 65 6c 6c 04 0b 6f 62 6a 65 63 74 ginShell..object 00a0: 43 6c 61 73 73 a0 58 30 56 04 18 32 2e 31 36 2e Class.X0V..2.16. 00b0: 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 840.1.113730.3.4 00c0: 2e 31 38 04 3a 64 6e 3a 67 69 64 4e 75 6d 62 65 .18.:dn:gidNumbe 00d0: 72 3d 30 2b 75 69 64 4e 75 6d 62 65 72 3d 30 2c r=0+uidNumber=0, 00e0: 63 6e 3d 70 65 65 72 63 72 65 64 2c 63 6e 3d 65 cn=peercred,cn=e 00f0: 78 74 65 72 6e 61 6c 2c 63 6e 3d 61 75 74 68 xternal,cn=auth ldap_write: want=255, written=255 0000: 30 81 fc 02 01 13 63 81 9c 04 10 64 63 3d 7a 69 0.....c....dc=zi 0010: 76 69 6f 73 2c 64 63 3d 6e 65 74 0a 01 02 0a 01 vios,dc=net..... 0020: 00 02 01 00 02 01 00 01 01 00 a3 1b 04 0b 6f 62 ..............ob 0030: 6a 65 63 74 43 6c 61 73 73 04 0c 70 6f 73 69 78 jectClass..posix 0040: 41 63 63 6f 75 6e 74 30 5c 04 03 75 69 64 04 0c Account0\..uid.. 0050: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui 0060: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb 0070: 65 72 04 05 67 65 63 6f 73 04 02 63 6e 04 0d 68 er..gecos..cn..h 0080: 6f 6d 65 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f omeDirectory..lo 0090: 67 69 6e 53 68 65 6c 6c 04 0b 6f 62 6a 65 63 74 ginShell..object 00a0: 43 6c 61 73 73 a0 58 30 56 04 18 32 2e 31 36 2e Class.X0V..2.16. 00b0: 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 840.1.113730.3.4 00c0: 2e 31 38 04 3a 64 6e 3a 67 69 64 4e 75 6d 62 65 .18.:dn:gidNumbe 00d0: 72 3d 30 2b 75 69 64 4e 75 6d 62 65 72 3d 30 2c r=0+uidNumber=0, 00e0: 63 6e 3d 70 65 65 72 63 72 65 64 2c 63 6e 3d 65 cn=peercred,cn=e 00f0: 78 74 65 72 6e 61 6c 2c 63 6e 3d 61 75 74 68 xternal,cn=auth ldap_result ld 0x9398980 msgid 19 wait4msg ld 0x9398980 msgid 19 (timeout 100000 usec) wait4msg continue ld 0x9398980 msgid 19 all 0 ** ld 0x9398980 Connections: * host: dev03.zivios.net port: 389 (default) refcnt: 2 status: Connected last used: Tue Aug 31 20:07:02 2010 ** ld 0x9398980 Outstanding Requests: * msgid 19, origid 19, status InProgress outstanding referrals 0, parent count 0 ld 0x9398980 request count 1 (abandoned 0) ** ld 0x9398980 Response Queue: Empty ld 0x9398980 response count 0 ldap_chkResponseList ld 0x9398980 msgid 19 all 0 ldap_chkResponseList returns ld 0x9398980 NULL ldap_int_select read1msg: ld 0x9398980 msgid 19 all 0 ber_get_next ldap_read: want=8, got=8 0000: 30 37 02 01 13 65 32 0a 07...e2. ldap_read: want=49, got=49 0000: 01 7b 04 00 04 2b 61 6e 6f 6e 79 6d 6f 75 73 20 .{...+anonymous 0010: 70 72 6f 78 69 65 64 20 61 75 74 68 6f 72 69 7a proxied authoriz 0020: 61 74 69 6f 6e 20 6e 6f 74 20 61 6c 6c 6f 77 65 ation not allowe 0030: 64 d ber_get_next: tag 0x30 len 55 contents: ber_dump: buf=0x93988f0 ptr=0x93988f0 end=0x9398927 len=55 0000: 02 01 13 65 32 0a 01 7b 04 00 04 2b 61 6e 6f 6e ...e2..{...+anon 0010: 79 6d 6f 75 73 20 70 72 6f 78 69 65 64 20 61 75 ymous proxied au 0020: 74 68 6f 72 69 7a 61 74 69 6f 6e 20 6e 6f 74 20 thorization not 0030: 61 6c 6c 6f 77 65 64 allowed read1msg: ld 0x9398980 msgid 19 message type search-result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x93988f0 ptr=0x93988f3 end=0x9398927 len=52 0000: 65 32 0a 01 7b 04 00 04 2b 61 6e 6f 6e 79 6d 6f e2..{...+anonymo 0010: 75 73 20 70 72 6f 78 69 65 64 20 61 75 74 68 6f us proxied autho 0020: 72 69 7a 61 74 69 6f 6e 20 6e 6f 74 20 61 6c 6c rization not all 0030: 6f 77 65 64 owed ldap_chase_referrals read1msg: V2 referral chased, mark request completed, id = 19 read1msg: ld 0x9398980 0 new referrals read1msg: mark request completed, ld 0x9398980 msgid 19 request done: ld 0x9398980 msgid 19 res_errno: 123, res_error: <anonymous proxied authorization not allowed>, res_matched: <> ldap_free_request (origid 19, msgid 19) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_dump: buf=0x93988f0 ptr=0x93988f3 end=0x9398927 len=52 0000: 65 32 0a 01 7b 04 00 04 2b 61 6e 6f 6e 79 6d 6f e2..{...+anonymo 0010: 75 73 20 70 72 6f 78 69 65 64 20 61 75 74 68 6f us proxied autho 0020: 72 69 7a 61 74 69 6f 6e 20 6e 6f 74 20 61 6c 6c rization not all 0030: 6f 77 65 64 owed ber_scanf fmt (}) ber: ber_dump: buf=0x93988f0 ptr=0x9398927 end=0x9398927 len=0 ldap_msgfree send_ldap_result: conn=-1 op=0 p=0 send_ldap_result: err=123 matched="" text="anonymous proxied authorization not allowed" ---- The primary server log shows only one line: Aug 31 20:13:53 dev03 slapd[32705]: conn=1604 op=19 do_search: get_ctrls failed ---- I am not sure why an anonymous request is made by back-ldap -- probably my lack of understanding on how it should be configured. If anyone can point out where I am going wrong, it would be greatly appreciated. Mustafa.

2 8

TLS fails
by Frederik Bosch 01 Sep '10

01 Sep '10

After getting my ACL right (thanks Dieter!), I have problems installing an official certificate. I bought a certificate at RapidSSL. Starting slapd gives me the following error. TLS init def ctx failed: -69 This error is thrown in openldap 2.4.17. Since I am on debian, slapd is compiled against GnuTLS. When I was using 2.4.11 I had another error: TLS init def ctx failed: -207 When I had a self-signed certificate I had no trouble. What could be wrong?

4 7

RE: Getting Solaris to use Openldap
by Stuart Cherrington 01 Sep '10

01 Sep '10

> Date: Fri, 27 Aug 2010 21:33:42 +1200 > From: ian(a)ianshome.com > To: stuart_cherrington(a)hotmail.co.uk > Subject: Re: Getting Solaris to use Openldap > > On 08/27/10 08:48 PM, Stuart Cherrington wrote: > > Hi, > > > > I Have an OpenLDAP 2.4.18 server on RHEL 5.3. I can get Linux clients > > to use the master by use of the /etc/ldap.conf file. I'm now trying to > > get a SOlaris 10 client to use the master by initialising with the > > default profileName. If I run: > > > > ldapclient -v init -a proxypassword=xxxxx -a > > proxydn=cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -a > > domainname=ldn.sw.com 10.2.250.15 > > > I also add a -a profileName=default Shouldn't need to add this as ldapclient takes 'default' as the default profilename if not specified. I did try it with this anyway but got same error. > > > So the 2 errors are the *NOTFOUND nisDomainObject *which is there when > > I check on the master: > > > > [root@msldap01 openldap2.4]# ldapsearch2.4 -h 10.2.250.15 -D > > cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxx-b > > dc=ldn,dc=sw,dc=com -s base > > # extended LDIF > > # > > # LDAPv3 > > # base <dc=ldn,dc=sw,dc=com> with scope baseObject > > # filter: (objectclass=*) > > # requesting: ALL > > # > > > > # ldn.sw.com > > dn: dc=ldn,dc=sw,dc=com > > dc: ldn > > o: ldn > > associatedDomain: ldn.sw.com > > nisDomain: ldn.sw.com > > objectClass: dcObject > > objectClass: organization > > objectClass: domainRelatedObject > > *objectClass: nisDomainObject* > > objectClass: top > > > That looks OK. > > > > The other error is 'Failed to find defaultSearchBase for domain > > ldn.sw.com' > > > > [root@msldap01 openldap2.4]# ldapsearch2.4 -h 10.2.250.15 -D > > cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w 5wap5proxy -b > > cn=default,ou=profile,dc=ldn,dc=sw,dc=com -s base > > # extended LDIF > > # > > # LDAPv3 > > # base <cn=default,ou=profile,dc=ldn,dc=sw,dc=com> with scope baseObject > > # filter: (objectclass=*) > > # requesting: ALL > > # > > Do you have a cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com entry? Yeh [root@msldap01 openldap2.4]# ldapsearch2.4 -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxx -b cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -s base # extended LDIF # # LDAPv3 # base <cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com> with scope baseObject # filter: (objectclass=*) # requesting: ALL # # proxyagent, profile, ldn.sw.com dn: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com cn: proxyagent sn: proxyagent objectClass: top objectClass: person userPassword:: e0NSWVBUfXYuTWpqUDJEb3lpMXc= # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 > > > # default, profile, ldn.sw.com > > dn: cn=default,ou=profile,dc=ldn,dc=sw,dc=com > > *defaultSearchBase: dc=ldn,dc=sw,dc=com* > > authenticationMethod: simple > > followReferrals: TRUE > > profileTTL: 43200 > > searchTimeLimit: 30 > > objectClass: DUAConfigProfile > > defaultServerList: 10.2.250.15 > > credentialLevel: proxy > > cn: default > > defaultSearchScope: one > > You should add > > serviceSearchDescriptor: passwd:<people base> > serviceSearchDescriptor: group:<group base> I initially had these (and one for shadow) but they didn't make any difference the error, but I expect I'll need them when its in operation. > > -- > Ian. >

3 7

Re: OpenLDAP to replace Oracle Internet Directory
by Matheus Morais 30 Aug '10

30 Aug '10

Hi Gavin, Sorry for the late reply, I need to organize my mail box, I just not seen this email! On Mon, Jul 26, 2010 at 2:24 PM, Gavin Henry <ghenry(a)openldap.org> wrote: > > I want thank every one responsible to keep OpenLDAP project with that > high > > level of quality and I am really proud about that kind of quality has > been > > produced by a free software project (free as in freedom). > > Excellent news! How is it going now? Did you use our docs to help you? > We're doing really well at this time. Right now we're waiting for the dev team to correct one of our LDAP API which was using substring search for distinguishedName attributes and that works on Oracle Internet Directory but as RFC 2256 say, section 5.50 more precisely, the 'client must not assume that LDAP servers are capable of performing attribute subtyping'. They are testing and after put on production we will be ready to change the last systems which still using Oralce Internet Directory. I most used the Administrator's Guide for version 2.4 and all the manuals available. I think the documentation is very complete in general but could be improved in some points, like the session of Monitor backend for example. I also would be happy if we had a portuguese version of Admin's Guide. Since I'm not a developer I could help on the documention at my spare time. I would be glad if I could help in some aspect. > Do you have any suggestions for improvements to the docs? > > Thanks. > > -- > Kind Regards, > > Gavin Henry. > OpenLDAP Engineering Team. > > E ghenry(a)OpenLDAP.org > > Community developed LDAP software. > > http://www.openldap.org/project/ > Thanks, Matheus Morais!

2 1

I can't see my /etc/ldap/slapd.conf file after reinstall
by Eric KOM 28 Aug '10

28 Aug '10

Hi Dear Team! Please, I got problem with my OpenLDAP server on Debian Testing. I try to purge slapd package with aptitude purge slapd and remove all files and directories with rm on /etc/ldap/. after reinstall slapd, I can't see the main configuration file /etc/ldap/slapd.conf? but the server is running. Thank you in advance. -- Yours truly, Eric KOM 110 LAWN STREET ROSETTENVILLE 2190 JOHANNESBURG SOUTH AFRICA Phone: +27 (0) 788 791 334 Fax: +27 (0) 865 563 009 E-mail: erickom(a)namekom.co.za Websites: www.erickom.co.za | www.namekom.co.za/erickom | www.namekom.co.za

5 11

to much archive logs
by isso2＠gmx.de 27 Aug '10

27 Aug '10

Hello team, our openldap-server (OS: Redhat 5) was succesfully installed and it works. But sometimes it gets out of control, that means: every 3 minutes it generates an archive-log. Shutdown and start is not successfully. We have do to a db_recover. Any idea ? Thanks a lot. -- GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT! Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01

2 3

syncrepl help
by Adam Cassar 27 Aug '10

27 Aug '10

Hi All, I would appreciate some insight with a syncrepl issue that I have. The scenario is as follows: (1) LDAP master running debian slapd v2.3.30 replicating using syncrepl to (2) LDAP master running debian slapd v2.4.11 The initial data for this node was seeded using slapcat/slapadd due to the db size. This is replicating via syncrepl to (3) LDAP slave running debian slapd v2.4.11 On (3) the slave I am receiving the error: do_syncrep2: cookie=rid=001,csn=20100825064231Z#000000#00#000000 do_syncrep2: rid=001 CSN too old, ignoring 20100825064231Z#000000#00#000000 for all replication events that are being received. What I am trying to achieve is to deprecate server (1) with as little downtime as possible, server (2) becomes the new master and (3) the new slave Replication between 1 & 2 works correctly but not between 2 & 3. The time is correct on the servers. Server (3) database is seeded using syncrepl. Configurations for 1, 2 & 3 are attached.

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2010