openldap-technical June 2011

openldap-technical@openldap.org

80 participants
92 discussions

slapd is pinned at 100% utilization
by Bryce Powell 16 Jun '11

16 Jun '11

Hi, I have two OpenLDAP 2.4.11 servers, using BDB 4.6.21 (Patches 4.6.21.1 & 4.6.21.2 & 4.6.21.3 applied), hosted on CentOS 5.2, setup for multi-master replication. Works great except that every couple of months either one of the slapd servers will pin the CPU at 100%. Requests continue to be served without any noticeable degradation in response, and no discernable errors in the LDAP logs. I see the forums frequently mention CPU utilization issues, but most of the time this seems to be related to non-indexed queries, which I don't believe is the cause in this case. Restarting slapd resolves the issue, temporarily ... Any suggestions would be appreciated. Regards, Bryce Powell

2 1

schema replication problems with test059-slave-config
by Christopher Strider Cook 16 Jun '11

16 Jun '11

I have a setup based on the one created in test059-slave-config, but complicating matters, the providers are a mirrormode pair. Running 2.4.25 under Debian Squeeze. On this pair I have cn=config,cn=slave created as laid out in test059-slave-config, with additional syncing to allow mirrormode operation. dn: olcDatabase={2}ldif,cn=config objectClass: olcConfig objectClass: olcDatabaseConfig objectClass: olcLdifConfig objectClass: top olcDatabase: {2}ldif olcDbDirectory: /var/lib/ldap-slave-config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth manage by * break olcAccess: {1}to * by dn.base="cn=admin,dc=savagebeast,dc=com" olcAccess: {2}to * by dn.base="cn=repl,dc=savagebeast,dc=com" olcAccess: {3}to dn.base="" by * write olcMirrorMode: TRUE olcRootDN: cn=admin,cn=config,cn=slave olcRootPW: {SHA}xxx olcSuffix: cn=config,cn=slave olcSyncrepl: {0}rid=006 provider=ldaps://guess.savagebeast.com bindmethod=si mple binddn="cn=admin,cn=config" credentials=xxx searchbase="cn=schema,cn =config" schemachecking=off type=refreshAndPersist retry="60 +" suffixmassa ge="cn=schema,cn=config,cn=slave" olcSyncrepl: {1}rid=005 provider=ldaps://who.savagebeast.com bindmethod=simp le binddn="cn=admin,cn=config" credentials=xxx searchbase="cn=schema,cn=c onfig" schemachecking=off type=refreshAndPersist retry="60 +" suffixmassage ="cn=schema,cn=config,cn=slave" olcSyncrepl: {2}rid=007 provider=ldaps://who.savagebeast.com bindmethod=simp le binddn="cn=admin,cn=config,cn=slave" credentials=xxx searchbase="cn=co nfig,cn=slave" schemachecking=on type=refreshAndPersist retry="60 +" olcSyncrepl: {3}rid=008 provider=ldaps://guess.savagebeast.com bindmethod=si mple binddn="cn=admin,cn=config,cn=slave" credentials=xxx searchbase="cn= config,cn=slave" schemachecking=on type=refreshAndPersist retry="60 +" createTimestamp: 20110609185532Z creatorsName: cn=admin,cn=config entryCSN: 20110616183041.867322Z#000000#002#000000 entryDN: olcDatabase={2}ldif,cn=config entryUUID:: Y2JmNTE3MTAtMjcxNS0xMDMwLThkMGYtNWY4MDFiNjU0MGFl modifiersName: cn=admin,cn=config modifyTimestamp: 20110616183041Z structuralObjectClass: olcLdifConfig subschemaSubentry: cn=Subschema {NB: To future google searchers; I originally had this database setup as a HDB. After a week of use, this failed to allow new consumers to sync with it because <ASSUMING> the database ordering dictates how the initial sync is ordered, which normally wouldn't be a problem, but since the cn=config database is interpreted as it's loaded ordering became important. IE: defining a database before the back_ module used was loaded; Moving to the ldif database format seems to provide a consistent top down ordering.} RID 7 and 8 work fine and configurations changes propagate between the Mirrormode providers and the remote consumers. RID 5 and 6 performed the initial sync properly but have since started issuing errors on both masters: Jun 16 12:02:41 who slapd[9589]: do_syncrep2: rid=006 LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform Jun 16 12:02:41 who slapd[9589]: do_syncrep2: rid=006 (53) Server is unwilling to perform Jun 16 12:02:41 who slapd[9589]: do_syncrepl: rid=006 rc -2 retrying Jun 16 12:02:59 who slapd[9589]: do_syncrep2: rid=005 LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform Jun 16 12:02:59 who slapd[9589]: do_syncrep2: rid=005 (53) Server is unwilling to perform Jun 16 12:02:59 who slapd[9589]: do_syncrepl: rid=005 rc -2 retrying Running in full debug I see errors about the CSN timestamps: ber_dump: buf=0x7fae40019d00 ptr=0x7fae40019dea end=0x7fae40019ded len=3 0000: 00 01 ff ... => get_ctrls: oid="2.16.840.1.113730.3.4.2" (critical) <= get_ctrls: n=2 rc=0 err="" attrs: * + conn=1000 op=1 SRCH base="cn=schema,cn=config" scope=2 deref=0 filter="(objectClass=*)" conn=1000 op=1 SRCH attr=* + send_ldap_result: conn=1000 op=1 p=3 send_ldap_result: err=53 matched="" text="consumer state is newer than provider!" send_ldap_response: msgid=2 tag=101 err=53 ber_flush2: 52 bytes to sd 17 0000: 30 32 02 01 02 65 2d 0a 01 35 04 00 04 26 63 6f 02...e-..5...&co 0010: 6e 73 75 6d 65 72 20 73 74 61 74 65 20 69 73 20 nsumer state is 0020: 6e 65 77 65 72 20 74 68 61 6e 20 70 72 6f 76 69 newer than provi 0030: 64 65 72 21 der! tls_write: want=165, written=165 0000: 17 03 02 00 a0 0b 68 27 f3 13 cc 34 a9 75 cd 8d ......h'...4.u.. 0010: f7 f9 35 d5 b8 4c f5 a8 49 4e e1 fb e2 c5 3b 72 ..5..L..IN....;r 0020: df f8 e0 d2 72 34 1e e3 bd 6e 26 ca 25 8a c1 3e ....r4...n&.%..> 0030: 20 65 e2 56 f5 f4 b0 60 09 a2 eb ab b5 b7 2f e2 e.V...`....../. 0040: 6a bd f3 48 12 c3 59 bb 87 cd 7d bd 99 76 5f 29 j..H..Y...}..v_) 0050: f9 5f 27 d4 09 4f 0e 31 a9 89 b6 33 43 f3 65 ab ._'..O.1...3C.e. 0060: 69 bf a1 19 3c 51 70 52 79 3d a6 d1 39 c7 c1 1d i...<QpRy=..9... 0070: 5c 37 ac 89 a4 82 ed 68 cf f4 1a e4 52 90 20 6b \7.....h....R. k 0080: 51 11 db 0e e2 a4 38 04 17 aa 65 b3 e2 38 5a 1e Q.....8...e..8Z. 0090: 00 15 52 2e 75 2f 05 81 86 a0 41 cd 91 ca 5b 92 ..R.u/....A...[. 00a0: e5 69 bd 41 d6 .i.A. ldap_write: want=52, written=52 0000: 30 32 02 01 02 65 2d 0a 01 35 04 00 04 26 63 6f 02...e-..5...&co 0010: 6e 73 75 6d 65 72 20 73 74 61 74 65 20 69 73 20 nsumer state is 0020: 6e 65 77 65 72 20 74 68 61 6e 20 70 72 6f 76 69 newer than provi 0030: 64 65 72 21 der! read1msg: ld 0x7fae44100d60 msgid 2 all 0 conn=1000 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=consumer state is newer than provider! ber_get_next tls_read: want=5, got=5 0000: 17 03 02 00 a0 ..... tls_read: want=160, got=160 0000: 0b 68 27 f3 13 cc 34 a9 75 cd 8d f7 f9 35 d5 b8 .h'...4.u....5.. 0010: 4c f5 a8 49 4e e1 fb e2 c5 3b 72 df f8 e0 d2 72 L..IN....;r....r 0020: 34 1e e3 bd 6e 26 ca 25 8a c1 3e 20 65 e2 56 f5 4...n&.%..> e.V. 0030: f4 b0 60 09 a2 eb ab b5 b7 2f e2 6a bd f3 48 12 ..`....../.j..H. 0040: c3 59 bb 87 cd 7d bd 99 76 5f 29 f9 5f 27 d4 09 .Y...}..v_)._'.. 0050: 4f 0e 31 a9 89 b6 33 43 f3 65 ab 69 bf a1 19 3c O.1...3C.e.i...< 0060: 51 70 52 79 3d a6 d1 39 c7 c1 1d 5c 37 ac 89 a4 QpRy=..9...\7... 0070: 82 ed 68 cf f4 1a e4 52 90 20 6b 51 11 db 0e e2 ..h....R. kQ.... 0080: a4 38 04 17 aa 65 b3 e2 38 5a 1e 00 15 52 2e 75 .8...e..8Z...R.u 0090: 2f 05 81 86 a0 41 cd 91 ca 5b 92 e5 69 bd 41 d6 /....A...[..i.A. ldap_read: want=8, got=8 0000: 30 32 02 01 02 65 2d 0a 02...e-. ldap_read: want=44, got=44 0000: 01 35 04 00 04 26 63 6f 6e 73 75 6d 65 72 20 73 .5...&consumer s 0010: 74 61 74 65 20 69 73 20 6e 65 77 65 72 20 74 68 tate is newer th 0020: 61 6e 20 70 72 6f 76 69 64 65 72 21 an provider! ber_get_next: tag 0x30 len 50 contents: ber_dump: buf=0x7fae340013a0 ptr=0x7fae340013a0 end=0x7fae340013d2 len=50 0000: 02 01 02 65 2d 0a 01 35 04 00 04 26 63 6f 6e 73 ...e-..5...&cons 0010: 75 6d 65 72 20 73 74 61 74 65 20 69 73 20 6e 65 umer state is ne 0020: 77 65 72 20 74 68 61 6e 20 70 72 6f 76 69 64 65 wer than provide 0030: 72 21 r! read1msg: ld 0x7fae44100d60 msgid 2 message type search-result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x7fae340013a0 ptr=0x7fae340013a3 end=0x7fae340013d2 len=47 0000: 65 2d 0a 01 35 04 00 04 26 63 6f 6e 73 75 6d 65 e-..5...&consume 0010: 72 20 73 74 61 74 65 20 69 73 20 6e 65 77 65 72 r state is newer 0020: 20 74 68 61 6e 20 70 72 6f 76 69 64 65 72 21 than provider! read1msg: ld 0x7fae44100d60 0 new referrals read1msg: mark request completed, ld 0x7fae44100d60 msgid 2 request done: ld 0x7fae44100d60 msgid 2 res_errno: 53, res_error: <consumer state is newer than provider!>, res_matched: <> ldap_free_request (origid 2, msgid 2) do_syncrep2: rid=005 LDAP_RES_SEARCH_RESULT ldap_parse_result ber_scanf fmt ({iAA) ber: ber_dump: buf=0x7fae340013a0 ptr=0x7fae340013a3 end=0x7fae340013d2 len=47 0000: 65 2d 0a 01 35 04 00 04 26 63 6f 6e 73 75 6d 65 e-..5...&consume 0010: 72 20 73 74 61 74 65 20 69 73 20 6e 65 77 65 72 r state is newer 0020: 20 74 68 61 6e 20 70 72 6f 76 69 64 65 72 21 than provider! ber_scanf fmt (}) ber: ber_dump: buf=0x7fae340013a0 ptr=0x7fae340013d2 end=0x7fae340013d2 len=0 ldap_err2string do_syncrep2: rid=005 LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform ldap_err2string ldap_err2string do_syncrep2: rid=005 (53) Server is unwilling to perform ldap_err2string ldap_msgfree ldap_free_connection 1 1 ldap_send_unbind Any pointers on where to troubleshoot and resolve this?

2 2

Password Policy
by ldap＠mm.st 14 Jun '11

14 Jun '11

Running RH5 with openldap-2.3.43. We have a script that pulls ssha passwords from a ldap server out of our control. So when a user updates their passwords on that server, the script pulls the password periodically and updates our ldap servers so users can use our ldap servers with posix attributes to authenticate to systems using ldap and pam settings. We need to inactivate accounts after a period of inactivity. We can do this using the shadowInactive attribute in ldap that is based on when the user password expired. So the issue we have is that when the user logs into a system and their accounts are expired they can enter a new password and our ldap servers our updated with the new password, but when the script runs at a later time, the password is reset back to whatever is in the ldap server we pull passwords from. We would like users to not be able to change their password using the password command. We can accomplish this in a few ways including: 1. pam_password_prohibit_message in ldap.conf 2. Just commenting out the ldap module in pam that controls password updates. The problem is that we have a small group of users that are added manually that we would like to be able to change their passwords using the passwd command. The above will impact all users. We are looking for suggestions on how to handle the above. We thought of the following: 1. Use the ppolocy overlay and create a default policy for all users that sets pwdAllowUserChange to no and then create individual policies to that allow certain users to change their pass. In this method, what happens to all the shadow attributes, are they overwridden by the ppolicy. I don't see anything regarding Inactive accounts in ppolicy like the shadowInactive attribute. 2. Could we accomplish this by figuring out a ACL in slapd.conf that only users with a special attribute value are able to write to the userPassword attribute? Any other suggestions?

3 4

Re: Client App and STARTLS auth
by Massimiliano Pala 14 Jun '11

14 Jun '11

Hi Rich, to provide a better vision, I am trying to use openldap to connect to a server and ignoring errors in authentication of the certificates. I am working on a *client*. In particular the code I wrote is like this: ldap_initialize(&ld, url); if(crypto_api == LDAP_CRYPTO_API_OPENSSL) { // This Works.. SSL_CTX *ctx = NULL; ... } else { int opt_val = 0; if(ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &opt_val) != LDAP_OPT_SUCCESS) { /// ERROR if here (does not happen) } // This works till now opt_val = LDAP_OPT_X_TLS_TRY; if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) != LDAP_OPT_SUCCESS) { if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) != LDAP_OPT_SUCCESS) { // Error .. } } m_error = ldap_start_tls_s(corePnt->m_ldap, NULL, NULL); ... Note that m_error gets a -11... On the server the output (-d 1) is: connection_get(14): got connid=1007 connection_read(14): checking for input on id=1007 TLS: error: accept - force handshake failure: errno 11 - moznss error -5938 TLS: can't accept: (unknown). I have no clue why this is not working. Another thing which is interesting.. on Ubuntu I tried to change the TLS_CERTREQ option to "allow" ... and the code works - but I can not have it working by using the ldap_set_option().. (on Fedora 14/15 setting the option in the ldap.conf file - in /etc/openldap/ - does not work..). Heeeeeellp!!! :D Cheers, Max On 06/10/2011 10:50 PM, Rich Megginson wrote: > On Fri, Jun 10, 2011 at 4:19 PM, Massimiliano Pala<pala(a)isis.poly.edu> wrote: >> Hi Philip, all, >> >> thanks for the advice. I have changed the code.. and the option is set >> correctly. Question, do you think it is safe to do this as a fallback: >> >> if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT,&level) != >> LDAP_OPT_SUCCESS) >> { >> if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,&level) != >> LDAP_OPT_SUCCESS) >> { >> /// Total Failure >> } >> } >> >> Still.. although I set the option, I still get the -11 error when >> trying to bind. > > What -11 error? Client or server? Can you run with -d 1 to get > detailed trace information? > >> >> Is there any other option I have to set to "disable" certificate >> verification for non-openssl crypto api ? >> >> Cheers, >> Max >> >> >> On 06/10/2011 05:23 PM, Philip Guenther wrote: >> [..] >>> >>> Howard has already pointed out that the value must be an LDAP_OPT_X_TLS_* >>> constant and not a string; I just wanted to add that in version 2.3 and >>> earlier, that option (and most of the other TLS options) could only be set >>> globally: ldap_set_option() would fail for them if the first argument >>> wasn't NULL. So, make sure you're building against a current version. >>> >>> >>> Philip Guenther >> >> >> -- >> >> http://member.acm.org/~openca/ >> >> Massimiliano Pala, Ph.D. >> Director, OpenCA Labs >> Professor, NYU Poly >> >> -- http://member.acm.org/~openca/ Massimiliano Pala, Ph.D. Director, OpenCA Labs Professor, NYU Poly

2 3

How to migrate master and keep slave in sync?
by Stefano Zanmarchi 14 Jun '11

14 Jun '11

Hi, we have a 2.4.21 master on Solaris and a syncrepl 2.4.21 slave on Linux, and need to migrate the master to a new platform (Linux) and new version (2.4.21). Of course we need that the syncrepl slave (not managed by us) keeps in sync with the new master. Given that the ip, ports and certificates of the new master will not change, would it be enough to do the following? 1) stop the "old" 2.4.21/Solaris master 2) import its contents (via slapcat and slapadd) into the "new" 2.4.23/Linux (stopped) master 3) start the new 2.4.23/Linux master Thank you very much, Stefano

2 1

Linking Clients - which Crypto API ?
by Massimiliano Pala 14 Jun '11

14 Jun '11

Hi all, I have a little problem. I am implementing an application that uses the OpenLDAP libraries. Until not too much time ago, linking with OpenSSL was sufficiently safe (on almost every Linux distros) and providing my own verification function through the SSL_CTX (by using the ldap_set_option(m_ldap, LDAP_OPT_SERVER_CERTIFICATE, _my_verify)) was easy. Now, Linux distros started to use GnuTLS, NSS, and OpenSSL as the crypto API. My question is: how do I develop an application that when deployed on different systems might need to use functions and data structures from different crypto-api (e.g., when I distribute the binaries of my app) ? How can I retrieve that info *at runtime* (I'd like my binaries to be compatible) ? At least, is there a function that allows me to know which crypto APIs are expected by libldap_r (so that I don't pass in the wrong data structure since it is a (void *)) ? Or at least, is there a way to set/get options so that I would know which API is in use ? Thanks, -- http://member.acm.org/~openca/ Massimiliano Pala, Ph.D. Director, OpenCA Labs Professor, NYU Poly

2 5

OpenLDAp + OpenSSL: decrypt error
by Nguyen, Quoc Khanh 13 Jun '11

13 Jun '11

Hi all, I'm confusing about this problem. Please help... I installed OpenLDAP (2.4.25) with Cyrus SASL (2.1.23) and OpenSSL (0.9.8r). I started LDAP with SSL port: #./slapd -h 'ldaps:///' Everything OK, but when i test uid of OpenLDAP with SASL, i have a problem: root@ftp:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456 0: NO "authentication failed" I check log and have a message: ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:636 ldap_new_socket: 10 ldap_prepare_socket: 10 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 10 tm: 5 async: 0 ldap_ndelay_on: 10 ldap_int_poll: fd: 10 tm: 5 ldap_is_sock_ready: 10 ldap_ndelay_off: 10 ldap_pvt_connect: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com TLS certificate verification: depth: 0, err: 7, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com TLS certificate verification: Error, certificate signature failure TLS trace: SSL3 alert write:fatal:decrypt error TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:func(144):reason(134) (certificate signature failure). ldap_err2string ldap_unbind ldap_create ldap_url_parse_ext(ldaps://localhost) ldap_simple_bind_s ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:636 ldap_new_socket: 10 ldap_prepare_socket: 10 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 10 tm: 5 async: 0 ldap_ndelay_on: 10 ldap_int_poll: fd: 10 tm: 5 ldap_is_sock_ready: 10 ldap_ndelay_off: 10 ldap_pvt_connect: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 0, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com TLS certificate verification: depth: 0, err: 7, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com TLS certificate verification: Error, certificate signature failure TLS trace: SSL3 alert write:fatal:decrypt error TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect: error:14090086:SSL routines:func(144):reason(134) (certificate signature failure). ldap_err2string saslauthd[766] :do_auth : auth failure: [user=khanhnq] [service=imap] [realm=] [mech=ldap] [reason=Unknown] saslauthd[766] :do_request : response: NO What i'm doing wrong? I test OpenSSL using client authenticate and it's work OK. # openssl s_client -connect localhost:636 -state -CAfile /var/myCA/demoCA/cacert.pem -cert /var/myCA/clientcrt.pem -key /var/myCA/clientkey.pem CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=1 /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com verify return:1 depth=0 /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read server session ticket A SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com i:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com 1 s:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com i:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com --- Server certificate -----BEGIN CERTIFICATE----- MIICiTCCAfKgAwIBAgIJAMmeK8RVIEWgMA0GCSqGSIb3DQEBBQUAMEgxCzAJBgNV BAYTAlZOMQwwCgYDVQQIEwNIQ00xDDAKBgNVBAoTA1NHVDELMAkGA1UECxMCTlcx EDAOBgNVBAMTB2FiYy5jb20wHhcNMTEwNjEzMDYzMDQ3WhcNMTIwNjEyMDYzMDQ3 WjBIMQswCQYDVQQGEwJWTjEMMAoGA1UECBMDSENNMQwwCgYDVQQKEwNTR1QxCzAJ BgNVBAsTAk5XMRAwDgYDVQQDEwdhYmMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQDEW/sP8n2M7y0LT7ONPZQSnWdOC+E2qyngXaouoKEZauyLkTwWJyQY MkCeGKwQo1KMGd1O04sw5uD2IWgYBfGuynSalyfGfwETGc4Y/xPHV+FpOY5KRssn qzmL5Gso276vIOR4KnjZdm5Msp3WQ2z4aNUkLbMspyBugKP9GgjfAwIDAQABo3sw eTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBD ZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUD7QVqUbn35Jgi1yQdumsHRBdAkswHwYDVR0j BBgwFoAUAdNX4GIDCCQpSpUEfLXJPW74L2IwDQYJKoZIhvcNAQEFBQADgYEAMf8i zRpqasBFf6acpRvGG/AkLU+Cz10ffH6zE3DsoKngxP6zEDFOb1quX+E7RE98W/0T iQPLqS5XLIuLX6BNRjnv79DdyynpwsFVip6pHvDZafWBXrzWVn7WEXy5+VpfjBxe CADHvgvp4LXh7EtvppO1vPyvphCCexsmCIzoxyA= -----END CERTIFICATE----- subject=/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com issuer=/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com --- Acceptable client certificate CA names /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com --- SSL handshake has read 2431 bytes and written 1804 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: B79630EC32BF14F01931D1EAB3DC0CF7DA29B42E012C8BD8171EEF46D993BB96 Session-ID-ctx: Master-Key: 230F7D9D0736A40EB148CA9091BA0105E6949721E55FD9F84AD057C1CBA38F0A1B2269CAB07E7E71E3310954DDF260BF Key-Arg : None TLS session ticket: 0000 - 07 19 41 07 ec 4c 66 10-24 a0 dd be 02 ff 05 90 ..A..Lf.$....... 0010 - a0 f8 64 d3 08 77 a0 bf-24 81 ad 04 b8 d9 e6 9a ..d..w..$....... 0020 - 04 5a df 4a d5 a1 65 2b-52 4c d4 a2 c2 d6 8b 7f .Z.J..e+RL...... 0030 - fa 66 c7 05 54 58 fa 5d-9a a3 75 82 d0 e8 76 dd .f..TX.]..u...v. 0040 - 4f da 54 ac 8e 40 95 68-7c da 6f 08 7f 52 a3 f6 O.T..@.h|.o..R.. 0050 - c2 bd 44 ff dd 95 b3 0c-e5 9e 16 95 7c c8 6d ee ..D.........|.m. 0060 - 96 03 6b db ae 8c 34 8e-a3 29 87 16 f0 a6 0e 8c ..k...4..)...... 0070 - ac fa c2 76 4a 2d 75 f5-fc b7 1e 83 ec a7 47 0a ...vJ-u.......G. 0080 - 72 50 e8 24 e2 22 34 5f-ff 6a b1 ea f0 cc 2e 55 rP.$."4_.j.....U 0090 - 9f ec ea 1b b5 da 12 70-f4 0c ee 10 5b d0 4e 7a .......p....[.Nz 00a0 - 0d 60 06 70 02 f7 eb a3-f3 79 a7 69 5d c3 61 d3 .`.p.....y.i].a. 00b0 - 51 2a 8a 82 c2 11 70 c9-8b 4f 19 58 50 83 6b 0e Q*....p..O.XP.k. 00c0 - bf 9e aa 6a 8f 72 59 9c-10 da cc 8f 90 05 db e2 ...j.rY......... 00d0 - 08 31 d8 62 1a 24 0d 50-a4 e1 75 e6 ee 49 19 32 .1.b.$.P..u..I.2 00e0 - 1f b6 0e 77 11 42 ce 3a-7e 7e 9c 2b be 59 d4 b4 ...w.B.:~~.+.Y.. 00f0 - 24 36 b0 a5 39 30 9f 3a-49 f7 19 10 73 f1 3e 06 $6..90.:I...s.>. 0100 - b4 04 58 3a 5f 4c 02 29-54 b1 25 c7 2f 06 4a 62 ..X:_L.)T.%./.Jb 0110 - fb 4b 52 82 ea 50 7e 12-0e 8b 5a eb a4 34 77 3c .KR..P~...Z..4w< 0120 - 9f f4 0d 85 0f 43 9a 5d-f1 ba 3e 28 ab 86 98 17 .....C.]..>(.... 0130 - d1 10 49 d2 a6 f3 e7 32-72 62 41 ac 4c 51 4b 05 ..I....2rbA.LQK. 0140 - bd e7 a3 30 cd 47 37 95-f9 76 1d 4a f1 a2 58 b0 ...0.G7..v.J..X. 0150 - 0b a8 ca 4e 4f a1 67 ff-01 3e 11 29 a9 db f1 3e ...NO.g..>.)...> 0160 - 43 64 f8 58 4e d3 44 6f-ee cc 61 6d b3 82 ab 77 Cd.XN.Do..am...w 0170 - e7 3b 6b 83 af b7 42 76-89 e2 e0 d6 8e 66 61 fe .;k...Bv.....fa. 0180 - df 7c d8 28 63 04 22 06-cd 41 28 46 d4 08 00 b4 .|.(c."..A(F.... 0190 - 2b 9e 90 ec ee 9f 8e 34-9b 15 5c 71 e8 29 88 c8 +......4..q.).. 01a0 - 35 4d 88 aa c3 05 53 0a-b8 bd 90 38 68 cf 8b 0b 5M....S....8h... 01b0 - b0 f3 48 c0 02 8a 9f be-05 1b 13 4a 49 67 32 8f ..H........JIg2. 01c0 - 66 f2 41 18 11 f1 eb ed-2a d0 a4 de d9 10 83 95 f.A.....*....... 01d0 - c6 aa 1a 74 83 36 31 db-68 b1 88 37 2b 18 da 6b ...t.61.h..7+..k 01e0 - b9 be 87 36 64 5c a0 b1-23 eb df d9 8f 96 10 ae ...6d..#....... 01f0 - 4e db 3b c2 77 65 a4 11-df 65 a8 26 98 4f df 69 N.;.we...e....... 0210 - f6 93 93 b1 c0 89 65 3a-0d bc 16 e8 f0 5f 9f 5c ......e:....._. 0220 - 8a bc ea 56 b7 e7 d4 75-4c 19 6d 18 73 64 3c 95 ...V...uL.m.sd. 0260 - 78 0d 94 f1 3a 1a 64 35-b5 54 b5 84 76 44 62 b1 x...:.d5.T..vDb. 0270 - 36 5c 1d d6 79 27 6d 1c-3c df bb d2 bf 2c 06 40 6..y'm.

2 2

issue regarding ldap apache authentication in public_html/*
by VIKAS MARWAHA 13 Jun '11

13 Jun '11

hi I need a little help. I am implementing LDAP services in my college. The apache LDAP authentication works fine with any directory viz. /var/www/*/* /home/username/ but it doesn't works with /home/username/public_html/anyfolder/ i.e with a subfolder in public_html. The issue is whenever i write the lines in http.conf the folder stops appearing in the browser. i dont see the folder when i browse http://localhost/~username/foldername i don't see the folder in browser. lines in http.conf file <Directory /home/vikasmarwaha/public_html/private/> Authtype Basic AuthName "Secured Area : Vikas Marwaha's Page : Secured with LDAP : Authorized personal only" AuthBasicProvider ldap AuthzLDAPAuthoritative on AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=example,dc=com?uid?" require ldap-user vikasmarwaha </Directory> Please tell me where am i wrong.! this one works perfect.. <Directory /home/vikasmarwaha/> Authtype Basic AuthName "Secured Area : Vikas Marwaha's Page : Secured with LDAP : Authorized personal only" AuthBasicProvider ldap AuthzLDAPAuthoritative on AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=example,dc=com?uid?" require ldap-user vikasmarwaha </Directory> but it doesn't satisfies my requirements. Need to secure the subfolder(under public_html -- user's web space.) not the whole user directory. -- Vikas Marwaha http://vikasmarwaha.co.cc Sent via HP Touchsmart powered by Backtrack 5 Linux Technology of Future.

2 1

passwords disappear
by Bidwell, Matt 10 Jun '11

10 Jun '11

If a user changes passwords on and ldap client machine, the shadow entry disappears. This is true for all hash methods except for {CRYPT}. Clearly I would like {SSHA} or {MD5} over {CRYPT}. The client machines are pretty standard RHEL 5 machines. I have exop in the config on the client. Setting the password on the LDAP server works correctly. Running the server in debug didn't make anything jump out at me. Anyone have any ideas? Perhaps I'm missing an ACL I don't know about. Matt

2 1

Client App and STARTLS auth
by Massimiliano Pala 10 Jun '11

10 Jun '11

Hi all, are there examples on how to use STARTLS without requiring that the server's certificate is trusted ? If the crypto api used in the ldap library is OpenSSL, that is easy: - create a new ssl_ctx() with SSL_CTX_new() - set my function as the verify function with SSL_CTX_set_verify() - use the LDAP_OPT_X_TLS_CTX option to point to my new ssl_ctx My problem is: when GnuTLS or NSS crypto libraries are used instead, how do I force the same behavior ? Or, if providing my own function is not possible, how do I force the STARTLS to go on also if it finds non-trusted server/CA certificates ? Thanks, Max -- http://member.acm.org/~openca/ Massimiliano Pala, Ph.D. Director, OpenCA Labs Professor, NYU Poly

4 6

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2011