openldap-technical February 2011

openldap-technical@openldap.org

96 participants
102 discussions

tls_checkpeer directive
by Michael Starling 08 Feb '11

08 Feb '11

I'm running openldap-2.3.43-12.el5 on a RHEL 5.5 system: I believe I have TLS encryption working but I'd like to be able to verify my client connections. On my LDAP server I have the following in slapd.conf TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 TLSCertificateFile /etc/openldap/cacerts/slapdcert.pem TLSCertificateKeyFile /etc/openldap/cacerts/slapdkey.pem TLSCACertificateFile /etc/openldap/cacerts/slapdcert.pem On the client I have the following in /etc/ldap.conf uri ldaps://10.70.5.67/ ssl on tls_cacertfile /etc/openldap/cacerts/slapdcert.pem tls_checkpeer no On the client /etc/openldap/ldap.conf URI ldaps://10.70.5.67/ TLS_CACERT /etc/openldap/cacerts/slapdcert.pem TLS_REQCERT demand These commands work both from the client and server. openssl s_client -connect servername:636 -showcerts ldapsearch -x -H ldaps://servername -b dc=domain,dc=domain -D cn=root,dc=domain,dc=domain -W So my first question would be does this guarantee encrypted sessions? Second, if I change tls_checkpeer to yes then I can't contact the LDAP server. How can I verify my clients? -Mike

2 1

Handling slapd.d in OpenLDAP and Kerberos
by sarathkrishna89＠gmail.com 08 Feb '11

08 Feb '11

Hi, We are currently trying to use OpenLDAP as the database for Kerberos in our lab. We installed OpenLDAP in Ubuntu 10.04 and is working without any problem (i,e. queries are showing the correct results) But we are not able to get Kerberos authenticate via OpenLDAP. For authenticating via OpenLDAP, the principles needs to be rewritten (using authz-policy and authz-regexp). We know how to do that in older version of OpenLDAP which had (slapd.conf) but don't know how to do the same in new OpenLDAP which has slapd.d directory instead. The manuals also doesn't say anything on this issue. We did the following for testing authentication via Kerberos: kinit username; ldapsearch -H ldaps://server.example.com And we got this result: SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database We just want to perform this: authz-policy from authz-regexp uid=(.*),cn=example.com,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com We think adding this in slapd.conf should serve the purpose. Any suggestions/help is highly appreciated. -- Sarath

5 5

Multimaster replication of cn=config working too well?!
by Mark Cairney 08 Feb '11

08 Feb '11

Hi, Has anyone experienced problems with the cn=config directory syncing the same change across all nodes and breaking the configuration? In the past I've had problems where the syncrepl parameters are synced across all nodes, including that node itself, which results in the servers then trying to sync with themselves. The most recent problem however was that the olcSaslHost value was synced to be one particular server on all 3 nodes. As I was using GSSAPI to do the replication this broke it completely and it meant that I could only bind via GSSAPI to one of the 3 servers. In the meantime I've set the servers not to syncrepl cn=config but this isn't ideal. Anyone else on the list had similar problems? Kind regards, Mark /********************************* Mark Cairney ITI UNIX Section Information Services University of Edinburgh Tel: 0131 650 6565 Email: mark.cairney(a)ed.ac.uk *********************************/ -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

2 1

slapd.d syntax help for ldap proxy server
by Anton Chu 07 Feb '11

07 Feb '11

I'm trying to setup a ldap proxy server for push based replication. I'm in need of help with providing the correct syntax on installing a ldap proxy using slapd.d instead of slapd.conf. The items in bold are the questionable syntax that can crossover to slapd.d. Here's my slapd.d configuration: Standalone LDAP Proxy: > > # load the schemas > ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif > > ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif > > ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif > > ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/misc.ldif > > ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ldapns.ldif > > ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/openldap.ldif > > > # Load dynamic backend modules > > dn: cn=module,cn=config > > objectClass: olcModuleList > > cn: module > > olcModulepath: /usr/lib/ldap > > olcModuleload: back_hdb > > olcModuleload: syncprov > > > # Database settings > > dn: olcDatabase=hdb,cn=config > > objectClass: olcDatabaseConfig > > objectClass: olcHdbConfig > > olcDatabase: {1}hdb > > *olcHidden: TRUE* > > olcSuffix: dc=suretecsystems,dc=com > > olcDbDirectory: /var/lib/ldap > > olcRootDN: cn=admin,dc=suretecsystems,dc=com > > olcRootPW: secret > > *olcUri: ldap://localhost:9012/* > > > > # We don't need any access to this DSA > > *olcRestrict: ALL > > olcAcl-bind: bindmethod=simple > binddn="cn=replicator,dc=suretecsystems,dc=com" > credentials=testing* > > olcSyncrepl: rid=001 > provider=ldap://localhost:9011/ > binddn="cn=replicator,dc=suretecsystems,dc=com" > bindmethod=simple > credentials=testing > searchbase="dc=suretecsystems,dc=com" > type=refreshAndPersist > retry="5 5 300 5" > > Here's the slapd.conf provided at the site that I'm trying to convert: http://www.openldap.org/doc/admin24/replication.html The following configuration is an example of a standalone LDAP Proxy: > > include /usr/local/etc/openldap/schema/core.schema > include /usr/local/etc/openldap/schema/cosine.schema > include /usr/local/etc/openldap/schema/nis.schema > include /usr/local/etc/openldap/schema/inetorgperson.schema > > include /usr/local/etc/openldap/slapd.acl > > modulepath /usr/local/libexec/openldap > moduleload syncprov.la > moduleload back_ldap.la > > ############################################################################## > # Consumer Proxy that pulls in data via Syncrepl and pushes out via slapd-ldap > ############################################################################## > > database ldap > # ignore conflicts with other databases, as we need to push out to same suffix > hidden on > suffix "dc=suretecsystems,dc=com" > rootdn "cn=slapd-ldap" > uri ldap://localhost:9012/ > > lastmod on > > # We don't need any access to this DSA > restrict all > > acl-bind bindmethod=simple > binddn="cn=replicator,dc=suretecsystems,dc=com" > credentials=testing > > syncrepl rid=001 > provider=ldap://localhost:9011/ > binddn="cn=replicator,dc=suretecsystems,dc=com" > bindmethod=simple > credentials=testing > searchbase="dc=suretecsystems,dc=com" > type=refreshAndPersist > retry="5 5 300 5" > > overlay syncprov > >

4 4

Re: slapo-lastbind
by Marco Pizzoli 07 Feb '11

07 Feb '11

On 7 Feb 2011 22:31, "Marco Pizzoli" <marco.pizzoli(a)gmail.com> wrote: > Hi Jonathan, > I understand the "locality" of the attribute, but my question is motivated > by the ppolicy_forward_updates directive that addresses this identical > problem. > Do you think it would be possible to have a similar feature with this > overlay? > > Thanks > Marco > On 7 Feb 2011 20:49, "Jonathan CLARKE" <jonathan.clarke(a)normation.com> > wrote:

3 2

slapo-lastbind
by Marco Pizzoli 07 Feb '11

07 Feb '11

Hi all, I used effectively the new slapo-lastbind overlay. I noticed that my authTimestamp attribute become populated for each user who successfully does a bind, but on my multi-master deploy I cannot have that attribute shared/replicated on all servers Any suggestions? Thanks Marco -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

2 1

Compile contrib modules?
by Marco Pizzoli 07 Feb '11

07 Feb '11

Hi list, Today I downloaded the HEAD repository and tried to compile also the contrib module "lastbind". With the configure script I'm not able to have that module built in. I have to do something particular? Thanks Marco -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

3 3

Search with filter doesn't return any results?
by Markku Tavasti 06 Feb '11

06 Feb '11

Hi! I have strange problem: I have newly built ldap database. System is running on Centos 5.5 (same as RHEL 5) # slapd -V @(#) $OpenLDAP: slapd 2.3.43 (Nov 29 2010 03:44:41) $ mockbuild@builder10.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd I have configured syncrepl from ldap1 to ldap2. Both systems have same slapd.conf execpt on ldap1 syncprov overlay, ldap2 syncrepl consumer. To both servers ldapsearch without additional filters works fine, and returns content of database. However, to ldap1 (synrepl master) applying any search filter gives no results. Only filters I have noticed working are objectClass-filters. For example like this: --------- shell commands & output start --------- [root@srv]# ldapsearch -x -h ldap1 -b "dc=hq,dc=mydomain,dc=com" ... actual search results removed ..... # search result search: 2 result: 0 Success # numResponses: 33 # numEntries: 32 [root@srv]# ldapsearch -x -h ldap1 -b "dc=hq,dc=mydomain,dc=com" | grep tavasti memberUid: tavasti memberUid: tavasti memberUid: tavasti # tavasti, Users, hq.mydomain.com dn: uid=tavasti,ou=Users,dc=hq,dc=mydomain,dc=com uid: tavasti homeDirectory: /home/ldap/tavasti [root@srv]# ldapsearch -x -h ldap1 -b "dc=hq,dc=mydomain,dc=com" uid=tavasti # extended LDIF # # LDAPv3 # base <dc=hq,dc=mydomain,dc=com> with scope subtree # filter: uid=tavasti # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 --------- shell commands & output end --------- On log I get with the last one: Feb 4 18:29:54 ldap1 slapd[8611]: conn=30 fd=15 ACCEPT from IP=10.x.x.x:347 25 (IP=0.0.0.0:389) Feb 4 18:29:54 ldap1 slapd[8611]: conn=30 op=0 BIND dn="" method=128 Feb 4 18:29:54 ldap1 slapd[8611]: conn=30 op=0 RESULT tag=97 err=0 text= Feb 4 18:29:54 ldap1 slapd[8611]: begin get_filter Feb 4 18:29:54 ldap1 slapd[8611]: EQUALITY Feb 4 18:29:54 ldap1 slapd[8611]: end get_filter 0 Feb 4 18:29:54 ldap1 slapd[8611]: conn=30 op=1 SRCH base="dc=hq,dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=tavasti)" Feb 4 18:29:54 ldap1 slapd[8611]: => bdb_filter_candidates Feb 4 18:29:54 ldap1 slapd[8611]: AND Feb 4 18:29:54 ldap1 slapd[8611]: => bdb_list_candidates 0xa0 Feb 4 18:29:54 ldap1 slapd[8611]: => bdb_filter_candidates Feb 4 18:29:54 ldap1 slapd[8611]: OR Feb 4 18:29:54 ldap1 slapd[8611]: => bdb_list_candidates 0xa1 Feb 4 18:29:54 ldap1 slapd[8611]: => bdb_filter_candidates Feb 4 18:29:54 ldap1 slapd[8611]: EQUALITY Feb 4 18:29:54 ldap1 slapd[8611]: <= bdb_filter_candidates: id=0 first=0 last=0 Feb 4 18:29:54 ldap1 slapd[8611]: => bdb_filter_candidates Feb 4 18:29:54 ldap1 slapd[8611]: EQUALITY Feb 4 18:29:54 ldap1 slapd[8611]: <= bdb_filter_candidates: id=0 first=0 last=0 Feb 4 18:29:54 ldap1 slapd[8611]: <= bdb_list_candidates: id=0 first=0 last=0 Feb 4 18:29:54 ldap1 slapd[8611]: <= bdb_filter_candidates: id=0 first=0 last=0 Feb 4 18:29:54 ldap1 slapd[8611]: <= bdb_list_candidates: id=0 first=1 last=0 Feb 4 18:29:54 ldap1 slapd[8611]: <= bdb_filter_candidates: id=0 first=1 last=0 Feb 4 18:29:54 ldap1 slapd[8611]: conn=30 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Feb 4 18:29:54 ldap1 slapd[8611]: conn=30 op=2 UNBIND Feb 4 18:29:54 ldap1 slapd[8611]: conn=30 fd=15 closed ---------------------------------------------------------------------- On config I have 'loglevel filter config stats' Any ideas what on earth is going on? -- M. Tavasti / tavasti(a)tavasti.fi / +358-40-5078254

2 2

Ghost/invisible subtree
by David Mohr 06 Feb '11

06 Feb '11

Hi, I'm having a strange issue. I'm running openldap 2.4.23 (on debian), and after playing around with some software using my ldap server I now have a ghost subtree. 'Ghost' meaning that I cannot see this subtree, but if I try to add an entry that used to exist, I get an 'Already exists (68)' error. With slapcat I can see all the invisible entries. I tried to run slapindex, but that did not help. Then I created a dump using slapcat, deleted the database, and used slapadd to fill it with data again. Yet my subtree is still invisible. Does anyone have suggestions on how to solve this issue? I can't seem to find any information beyond slapcat & slapadd. I don't see any obvious issues in the ldif dump either. Any help? Thanks, ~David

1 1

AccessLog behaviour
by Marco Pizzoli 05 Feb '11

05 Feb '11

Hi all, I would like to know the internal behaviour of slapo-accesslog. I would like to have accesslog with a data retention of 10 days. In my ldap usage scenario this retention produce an accesslog db of quite 10GB of data. Things are working quite fine, but when the log db contains data older than the retention I defined after restart slapd has a thread allocated at 100% of cpu of one processor. I logged at loglevel 992 = 512 + 256 + 128 + 64 + 32, blocked with iptables every external ldap access and saw these lines in the log: [cut] Feb 3 09:37:08 ldap03 slapd[16289]: => access_allowed: search access to "reqStart=20110202042854.000008Z,cn=log03,dc=mycorp.it" "reqStart" requested Feb 3 09:37:08 ldap03 slapd[16289]: <= root access granted Feb 3 09:37:08 ldap03 slapd[16289]: => access_allowed: search access granted by manage(=mwrscxd) Feb 3 09:37:08 ldap03 slapd[16289]: <= test_filter 6 Feb 3 09:37:08 ldap03 slapd[16289]: => test_filter Feb 3 09:37:08 ldap03 slapd[16289]: LE Feb 3 09:37:08 ldap03 slapd[16289]: => access_allowed: search access to "reqStart=20110202042854.000010Z,cn=log03,dc=mycorp.it" "reqStart" requested Feb 3 09:37:08 ldap03 slapd[16289]: <= root access granted Feb 3 09:37:08 ldap03 slapd[16289]: => access_allowed: search access granted by manage(=mwrscxd) Feb 3 09:37:08 ldap03 slapd[16289]: <= test_filter 6 Feb 3 09:37:08 ldap03 slapd[16289]: => test_filter Feb 3 09:37:08 ldap03 slapd[16289]: LE Feb 3 09:37:08 ldap03 slapd[16289]: => access_allowed: search access to "reqStart=20110202042854.000012Z,cn=log03,dc=mycorp.it" "reqStart" requested Feb 3 09:37:08 ldap03 slapd[16289]: <= root access granted Feb 3 09:37:08 ldap03 slapd[16289]: => access_allowed: search access granted by manage(=mwrscxd) Feb 3 09:37:08 ldap03 slapd[16289]: <= test_filter 6 Feb 3 09:37:08 ldap03 slapd[16289]: => test_filter Feb 3 09:37:08 ldap03 slapd[16289]: LE Feb 3 09:37:08 ldap03 slapd[16289]: => access_allowed: search access to "reqStart=20110202042854.000014Z,cn=log03,dc=mycorp.it" "reqStart" requested Feb 3 09:37:08 ldap03 slapd[16289]: <= root access granted Feb 3 09:37:08 ldap03 slapd[16289]: => access_allowed: search access granted by manage(=mwrscxd) Feb 3 09:37:08 ldap03 slapd[16289]: <= test_filter 6 Feb 3 09:37:08 ldap03 slapd[16289]: => test_filter Feb 3 09:37:08 ldap03 slapd[16289]: LE Feb 3 09:37:08 ldap03 slapd[16289]: => access_allowed: search access to "reqStart=20110202042855.000000Z,cn=log03,dc=mycorp.it" "reqStart" requested Feb 3 09:37:08 ldap03 slapd[16289]: <= root access granted Feb 3 09:37:08 ldap03 slapd[16289]: => access_allowed: search access granted by manage(=mwrscxd) Feb 3 09:37:08 ldap03 slapd[16289]: <= test_filter 6 Feb 3 09:37:09 ldap03 slapd[16289]: => test_filter Feb 3 09:37:09 ldap03 slapd[16289]: LE Feb 3 09:37:09 ldap03 slapd[16289]: => access_allowed: search access to "reqStart=20110202042855.000002Z,cn=log03,dc=mycorp.it" "reqStart" requested Feb 3 09:37:09 ldap03 slapd[16289]: <= root access granted Feb 3 09:37:09 ldap03 slapd[16289]: => access_allowed: search access granted by manage(=mwrscxd) Feb 3 09:37:09 ldap03 slapd[16289]: <= test_filter 6 Feb 3 09:37:09 ldap03 slapd[16289]: => test_filter Feb 3 09:37:09 ldap03 slapd[16289]: LE Feb 3 09:37:09 ldap03 slapd[16289]: => access_allowed: search access to "reqStart=20110202042855.000004Z,cn=log03,dc=mycorp.it" "reqStart" requested [cut] I could assume that slapo-accesslog is querying all entries older than the retention and passes to delete them. What if this step to end the job will take more time than the interval time of re-starting? Augmenting the frequency of this job could help in this meaning? Every best practice to follow to use accesllog effectively will be very appreciated! :-) Thanks Marco Pizzoli -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

2 3

← Newer
1
...
5
6
7
8
9
10
11
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2011