openldap-technical December 2011

openldap-technical@openldap.org

88 participants
101 discussions

Using ldap_opt_x_tls_require_cert
by Thiyagu Rajendran 23 Dec '11

23 Dec '11

Hi all, I have few question on proper usage of ldap_opt_x_tls_require_cert option. when ldap_opt_x_tls_require_cert is set to LDAP_OPT_X_TLS_ALLOW on ldap handle after ldap_initialize, it was not working. It failed with certificate verify error. But according to the ldap.conf man page, setting LDAP_OPT_X_TLS_ALLOW option should not verify the server certificate After googling around found that LDAP_OPT_X_TLS_ALLOW should be set on global handle. Then got rid of certificate verify error. But I faced a new problem ,changing LDAP_OPT_X_TLS_ALLOW to LDAP_OPT_X_TLS_TRY in the same process doesnt verify the certificate. When i kill the process and restart it, it verifies the certificate properly. Somehow i managed to solve the problem by setting clearing the context using *LDAP_OPT_X_TLS_NEWCTX int tls=**LDAP_OPT_X_TLS_ALLOW* *ldap_set_option(NULL,**LDAP_OPT_X_TLS_REQUIRE_CERT,*&tls) *j=0 ldap_set_option(NULL,**LDAP_OPT_X_TLS_NEWCTX,&j) *But when i try to set *LDAP_OPT_X_TLS_REQUIRE_CERT *after clearing context, it is not working. Can someone explain the correct usage of *LDAP_OPT_X_TLS_REQUIRE_CERT * option* *Regards, Thiyagu

1 0

password-policy configuration problems: cannot change passwords
by Marco Weber 23 Dec '11

23 Dec '11

Hello, I'm running openldap with password policy overlay. after the overlay installation and configuration, we cannot change the passwords anymore. Michael Ströder told that an LDAP modify request should resolve this issue, but it didn't help. [root@ldapsrv ~]# ldappasswd -e ppolicy -D cn=username,dc=domain,dc=tld -S -W New password: Re-enter new password: Enter LDAP Password: Result: Constraint violation (19) Additional info: Password policy only allows one password value control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAA= ppolicy: This is the log: Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 ACCEPT from IP=192.168.41.41:48899 (IP=0.0.0.0:636) Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 TLS established tls_ssf=256 ssf=256 Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" method=128 Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" mech=SIMPLE ssf=0 Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 RESULT tag=97 err=0 text= Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 PASSMOD new Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 RESULT oid= err=19 text=Password policy only allows one password value Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=2 UNBIND Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 closed this is my default password policy: dn: cn=password-policy,dc=policies,dc=domain,dc=tld objectClass: person objectClass: pwdPolicy objectClass: top cn: password-policy pwdAttribute: userPassword sn: Default Password Policy pwdAllowUserChange: TRUE pwdExpireWarning: 604800 pwdInHistory: 3 pwdLockout: TRUE pwdLockoutDuration: 7200 pwdMaxAge: 7776000 pwdMaxFailure: 5 pwdMinAge: 180 pwdMinLength: 8 pwdMustChange: TRUE this is my password policy configuration: dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcPPolicyConfig objectClass: top olcOverlay: ppolicy olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld olcPPolicyUseLockout: TRUE Thanks in advance for any reply, Marco

4 5

Re: ACL Problem
by Selcuk Yazar 23 Dec '11

23 Dec '11

Hi, Ok my rule is access to dn.regex="^mail=([^,]+),ou=([^,]+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example$" attrs=userPassword by dn.exact="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" write by dn.exact,expand="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" read by dn="cn=Manager,dc=myhosting,dc=example" write by users none by * none this doesn't work , users can't change their own password. Also try this; access to attrs=userpassword by self write by anonymous auth by dn="cn=Manager,dc=myhosting,dc=example" write by users none by * none doesn't work again. open ldap have another parameter for these things ??? ?? On Tue, Dec 20, 2011 at 8:56 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Tuesday, December 20, 2011 4:28 PM +0200 Selcuk Yazar < > selcuk.yazar(a)gmail.com> wrote: > > access to >> dn.regex="(.*,ou=(.+),jvd=([^,**]+),o=hosting,dc=myhosting,dc=**example)" >> attrs=userPassword >> by self write >> by users write >> > > "by users write" will allow any authenticated user to overwrite anyone's > password. I'm guessing you really do *not* want this rule. > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- Selçuk YAZAR http://www.selcukyazar.blogspot.com

3 3

userCertificate, wrong attribute type?
by Nicolas KOWALSKI 22 Dec '11

22 Dec '11

Hello, Using OpenLDAP 2.4.12 (SLES 2011 SP1), I am trying to add a userCertificate attribute to an existing user (inetOrgPerson object). I converted the PEM file containing the certificate to DER format, then created this ldif: dn: cn=Nicolas.Kowalski,ou=people,dc=home,dc=lan changetype: modify add: userCertificate userCertificate;binary:< file:///root/ssl/Nicolas.Kowalski-crt.der But when I try to update the entry, I always get this error: # ldapmodify -x -W-D "cn=Manager,dc=home,dc=lan" -f the-ldif-above ldapmodify: wrong attributeType at line 4, entry "cn=Nicolas.Kowalski,ou=people,dc=home,dc=lan" What am I doing wrong? Thanks, -- Nicolas

1 1

Ldap problems in paradise, working with suse 12.1 miles stone 5
by John Tobin 22 Dec '11

22 Dec '11

Dear Ralf, Hi, I hope you are still here before the holidays, I would appreciate your advice and counsel. I have Suse 12.1 up, mile stone 5. It works well. I have installed and used ldap 2.4.26. It is also working with nss_ldap code. I am having some trouble on 2 counts. First I tried to get start_tls, and / or ldaps to work in that environment. I have not gotten tls to work. Was this tested at all in SUSE? TLS is critical to some success in the university lab I am running over here. I have posted the problem to the open ldap crew, and have heard nothing from anyone for solving the problem, or even assistance in how to debug it, or understand the failure I get.....[this is from nss_ldap] >> Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 op=0 STARTTLS >> Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls >> failed:stat=-1 >> Oct 28 11:29:01 nightmare slapd[11118]: connection_read(14): TLS accept >> failure error=-1 id=1217, closing >> Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 fd=14 closed (TLS >> negotiation failure) >> Oct 28 11:29:01 nightmare slapd[11118]: conn=1218 op=0 STARTTLS >> Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls >> failed:stat=-1 In the middle of this mess Chris wood mentioned this would be easier, and may well work under nslcd. OK. I installed nslcd.... I have the lastest I believe: 0.7.13-7.3 I setup nslcd.conf to the best of my ability. With just a : Uri ldap://192.168.0.10/ Base dc=dark,dc=net Scope sub It works fine. For user jtobin [is only in ldap server] I get a login But in a similar fashion to nss_ldap, when I turn on ssl start_tls And add to the nslcd.conf above: Ssl start_tls Tls_reqcert allow Tls_cacertfile /var/lib/ldap/cacert.pem Tls_cert /var/lib/ldap/server.crt Tls_key /var/lib/ldap/server.key It fails.... I get: user jtobin does not exist But worse... I get nothing in the /var/log/localmessages file for debugging. Certificates were created using www.opeldap.org/faq/data/cache/185.html Which to my knowledge is the referenced site for openldap The certificate is a self signed cert. Most of my testing at the moment is local.... Client and slapd server are on the same machine, so same certificate file for tls_cacertfile, tls_cert, tls_key, though I have tested on remote clients with the same results. I see your name on a number of the nslcd doc and email. Help me out here.... How can I get this working / debugged? Who would have some of the information I need? Who would be interested in helping me to get this working. So far all I have gotten is a number of messages from interested parties asking me if I have gotten to work yet... Drop me aline with some advice as to how to get this resolved, or if it is probably not a short term Priority for anyone, tell me that. I will find a different strategy for securing my lab ldap client and server machines. [is getting this to work a priority at SUSE? Is there someone I can work with?] Sincerely tob There are a number of comments but the real statements are: Uri ldap://192.168.0.10/ Base dc=dark,dc=net Scope sub Ssl start_tls

2 1

Auto increment (uidNext and uidNumber)
by Pablo 21 Dec '11

21 Dec '11

Hello, Based on this article: http://www.rexconsulting.net/ldap-protocol-uidNumber.html. I am trying to increment 'uidNumber'. For doing that, I am using this LDIF file: --------------- autoinc.ldif --------------------------- dn: cn=uidNext,dc=example,dc=com changetype: modify delete:uidNumber uidNumber: 610 - add: uidNumber uidNumber: 611 ------------------- EOF -------------------------------- And this command; but produce an error: $ ldapadd -x -D "cn=Admin,dc=example,dc=com" -wsecret -f ./autoinc.ldif adding new entry "cn=uidNext,dc=example,dc=com" ldapadd: Undefined attribute type (17) additional info: add: attribute type undefined $ This is the definition of the uidNext objectClass: ---------------------------------------------- objectClass ( 1.3.6.1.4.1.4203.666.599 NAME 'uidNext' SUP top STRUCTURAL MUST ( cn $ uidNumber ) ) ---------------------------------------------- Any idea of what I am doing wrong here? Thanks in advance. Pablo.

5 6

(no subject)
by Molo CoC 20 Dec '11

20 Dec '11

hi all, i hope i am in the correct list :( for lpic train iam using ldap 2.3.43 mit BerkleyDB 4.2 and libdb4.2 + libdb4.2-dev on latest Debian (64B) unfortunatly i am facing 2 Errors during installation of openLDAP: first is: getpeereid.c:52: error: storage size of ‘peercred’ isn’t known (during executing command: make) and a lot of: missing binary operator befor "(" i hope you can give ma an advice thanks a lot! ___________________________________________________________ SMS schreiben mit WEB.DE FreeMail - einfach, schnell und kostenguenstig. Jetzt gleich testen! http://f.web.de/?mc=021192

3 2

problem with openldap identity assertion to AD server
by John Uhlig 20 Dec '11

20 Dec '11

Hello. I am new to this list so please forgive any protocol violations :) I am starting with simple steps towards our goal to use the openldap server translucent overlay config to merge AD authentication for people at our company with local ldap account authentication for non-company people. I am using openldap 2.4.23 on RHEL6 server. At this point, the ldap server can access our AD servers with anonymous bind but I need authenticated access to get more information. I have been using variations of the "Identity Assertion" steps from the openldap FAQ page (http://www.openldap.org/faq/data/cache/532.html) without success. I am initially trying the simplest config e.g. bindmethod=simple with a valid AD account/password for this access. I have included my current minimalist slapd.conf file if of any help. If anyone can point me to sample working configuration file(s) or provide any recommendations, I would appreciate it. thanks, John. ------------------------------------------ # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/misc.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ###TLSCipherSuite HIGH:MEDIUM:+SSLv2 #TLSCACertificateFile /usr/var/openldap-data/cacert.pem ###TLSCertificateFile /etc/openldap/cacerts/parcldscert.pem ###TLSCertificateKeyFile /etc/openldap/cacerts/parclds.pem ###TLSVerifyClient allow TLSVerifyClient never ### Will use TLS after I get authenticated bind working ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=corp,dc=ad,dc=parc,dc=com" rootdn "cn=Manager,dc=corp,dc=ad,dc=parc,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}EwrR01/GdI4+sdOVzZcK6Y94QbIXIw0j # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. sizelimit unlimited directory /var/lib/ldap # Indices to maintain index objectClass eq ### debug logging loglevel -1 # try transl overlay config here moduleload translucent overlay translucent translucent_local carLicense uri ldap://ADserver.corp.ad.parc.com lastmod off # idassert-bind bindmethod=simple binddn=cn=ldapacct,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com credentials="password" authzID=dn:cn=ldapacct,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com [root@virtuosity-vm84 configs]#

2 1

ACL Problem
by Selcuk Yazar 20 Dec '11

20 Dec '11

Hi, I want to ldap users to change their password. sample user dn is mail=edergi@.....mail......edu.tr<http://193.255.140.119/phpldapadmin/htdocs/cmd.php?cmd=template_engine&serv…> ,ou=<http://193.255.140.119/phpldapadmin/htdocs/cmd.php?cmd=template_engine&serv…> SOME_UNIT,jvd=.....mail.......edu.tr<http://193.255.140.119/phpldapadmin/htdocs/cmd.php?cmd=template_engine&serv…> ,o=hosting<http://193.255.140.119/phpldapadmin/htdocs/cmd.php?cmd=template_engine&serv…> and we have acl rules in slapd.conf access to dn.regex=".*,ou=.*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example" attrs=userPassword by self write by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write by * auth by * none access to dn.regex=".*jvd=([^,]+),o=hosting,dc=myhosting,dc=example" by self write by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write by * read access to * by * read i apply various rules from openldap documentation, but no one works. why users can't chage their password ? thanks in advance -- Selçuk YAZAR

5 6

ppolicy overlay
by Selcuk Yazar 20 Dec '11

20 Dec '11

Hi i've installed succefully, ppolicy overlay and ldap password policy objects my directroy. So what do i expected for now ? because nothing happened. we are using jamm mail account schemas and sample accounts very old, and i expected expire all of them but nothing happened. what is the correct settigns of ppolicy_default_dn ? thanks inadvance.

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2011