slapd is pinned at 100% utilization
by Bryce Powell
Hi,
I have two OpenLDAP 2.4.11 servers, using BDB 4.6.21 (Patches 4.6.21.1 & 4.6.21.2 & 4.6.21.3 applied), hosted on CentOS 5.2, set up for multi-master replication. Works great except that every couple of months one of the slapd servers will pin the CPU at 100%. Requests continue to be served without any noticeable degradation in response, and no discernible errors in the LDAP logs.
I see the forums frequently mention CPU utilization issues, but most of the time this seems to be related to non-indexed queries, which I don't believe is the cause in this case.
Restarting slapd resolves the issue, temporarily ...
Any suggestions would be appreciated.
Regards,
Bryce Powell
schema replication problems with test059-slave-config
by Christopher Strider Cook
I have a setup based on the one created in test059-slave-config, but
complicating matters, the providers are a mirrormode pair. Running
2.4.25 under Debian Squeeze.
On this pair I have cn=config,cn=slave created as laid out in
test059-slave-config, with additional syncing to allow mirrormode operation.
dn: olcDatabase={2}ldif,cn=config
objectClass: olcConfig
objectClass: olcDatabaseConfig
objectClass: olcLdifConfig
objectClass: top
olcDatabase: {2}ldif
olcDbDirectory: /var/lib/ldap-slave-config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to * by dn.base="cn=admin,dc=savagebeast,dc=com"
olcAccess: {2}to * by dn.base="cn=repl,dc=savagebeast,dc=com"
olcAccess: {3}to dn.base="" by * write
olcMirrorMode: TRUE
olcRootDN: cn=admin,cn=config,cn=slave
olcRootPW: {SHA}xxx
olcSuffix: cn=config,cn=slave
olcSyncrepl: {0}rid=006 provider=ldaps://guess.savagebeast.com bindmethod=simple binddn="cn=admin,cn=config" credentials=xxx searchbase="cn=schema,cn=config" schemachecking=off type=refreshAndPersist retry="60 +" suffixmassage="cn=schema,cn=config,cn=slave"
olcSyncrepl: {1}rid=005 provider=ldaps://who.savagebeast.com bindmethod=simple binddn="cn=admin,cn=config" credentials=xxx searchbase="cn=schema,cn=config" schemachecking=off type=refreshAndPersist retry="60 +" suffixmassage="cn=schema,cn=config,cn=slave"
olcSyncrepl: {2}rid=007 provider=ldaps://who.savagebeast.com bindmethod=simple binddn="cn=admin,cn=config,cn=slave" credentials=xxx searchbase="cn=config,cn=slave" schemachecking=on type=refreshAndPersist retry="60 +"
olcSyncrepl: {3}rid=008 provider=ldaps://guess.savagebeast.com bindmethod=simple binddn="cn=admin,cn=config,cn=slave" credentials=xxx searchbase="cn=config,cn=slave" schemachecking=on type=refreshAndPersist retry="60 +"
createTimestamp: 20110609185532Z
creatorsName: cn=admin,cn=config
entryCSN: 20110616183041.867322Z#000000#002#000000
entryDN: olcDatabase={2}ldif,cn=config
entryUUID:: Y2JmNTE3MTAtMjcxNS0xMDMwLThkMGYtNWY4MDFiNjU0MGFl
modifiersName: cn=admin,cn=config
modifyTimestamp: 20110616183041Z
structuralObjectClass: olcLdifConfig
subschemaSubentry: cn=Subschema
{NB: To future google searchers; I originally had this database set up as
an HDB. After a week of use, this failed to allow new consumers to sync
with it because <ASSUMING> the database ordering dictates how the
initial sync is ordered, which normally wouldn't be a problem, but since
the cn=config database is interpreted as it's loaded, ordering became
important, i.e. defining a database before the back_ module it uses was
loaded. Moving to the ldif database format seems to provide a consistent
top-down ordering.}
RID 7 and 8 work fine and configuration changes propagate between the
mirrormode providers and the remote consumers.
RID 5 and 6 performed the initial sync properly but have since started
issuing errors on both masters:
Jun 16 12:02:41 who slapd[9589]: do_syncrep2: rid=006 LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform
Jun 16 12:02:41 who slapd[9589]: do_syncrep2: rid=006 (53) Server is unwilling to perform
Jun 16 12:02:41 who slapd[9589]: do_syncrepl: rid=006 rc -2 retrying
Jun 16 12:02:59 who slapd[9589]: do_syncrep2: rid=005 LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform
Jun 16 12:02:59 who slapd[9589]: do_syncrep2: rid=005 (53) Server is unwilling to perform
Jun 16 12:02:59 who slapd[9589]: do_syncrepl: rid=005 rc -2 retrying
Running in full debug I see errors about the CSN timestamps:
ber_dump: buf=0x7fae40019d00 ptr=0x7fae40019dea end=0x7fae40019ded len=3
0000: 00 01 ff ...
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (critical)
<= get_ctrls: n=2 rc=0 err=""
attrs: * +
conn=1000 op=1 SRCH base="cn=schema,cn=config" scope=2 deref=0
filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=* +
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=53 matched="" text="consumer state is newer than provider!"
send_ldap_response: msgid=2 tag=101 err=53
ber_flush2: 52 bytes to sd 17
0000: 30 32 02 01 02 65 2d 0a 01 35 04 00 04 26 63 6f 02...e-..5...&co
0010: 6e 73 75 6d 65 72 20 73 74 61 74 65 20 69 73 20 nsumer state is
0020: 6e 65 77 65 72 20 74 68 61 6e 20 70 72 6f 76 69 newer than provi
0030: 64 65 72 21 der!
tls_write: want=165, written=165
0000: 17 03 02 00 a0 0b 68 27 f3 13 cc 34 a9 75 cd 8d ......h'...4.u..
0010: f7 f9 35 d5 b8 4c f5 a8 49 4e e1 fb e2 c5 3b 72 ..5..L..IN....;r
0020: df f8 e0 d2 72 34 1e e3 bd 6e 26 ca 25 8a c1 3e ....r4...n&.%..>
0030: 20 65 e2 56 f5 f4 b0 60 09 a2 eb ab b5 b7 2f e2  e.V...`....../.
0040: 6a bd f3 48 12 c3 59 bb 87 cd 7d bd 99 76 5f 29 j..H..Y...}..v_)
0050: f9 5f 27 d4 09 4f 0e 31 a9 89 b6 33 43 f3 65 ab ._'..O.1...3C.e.
0060: 69 bf a1 19 3c 51 70 52 79 3d a6 d1 39 c7 c1 1d i...<QpRy=..9...
0070: 5c 37 ac 89 a4 82 ed 68 cf f4 1a e4 52 90 20 6b \7.....h....R. k
0080: 51 11 db 0e e2 a4 38 04 17 aa 65 b3 e2 38 5a 1e Q.....8...e..8Z.
0090: 00 15 52 2e 75 2f 05 81 86 a0 41 cd 91 ca 5b 92 ..R.u/....A...[.
00a0: e5 69 bd 41 d6 .i.A.
ldap_write: want=52, written=52
0000: 30 32 02 01 02 65 2d 0a 01 35 04 00 04 26 63 6f 02...e-..5...&co
0010: 6e 73 75 6d 65 72 20 73 74 61 74 65 20 69 73 20 nsumer state is
0020: 6e 65 77 65 72 20 74 68 61 6e 20 70 72 6f 76 69 newer than provi
0030: 64 65 72 21 der!
read1msg: ld 0x7fae44100d60 msgid 2 all 0
conn=1000 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=consumer state is newer than provider!
ber_get_next
tls_read: want=5, got=5
0000: 17 03 02 00 a0 .....
tls_read: want=160, got=160
0000: 0b 68 27 f3 13 cc 34 a9 75 cd 8d f7 f9 35 d5 b8 .h'...4.u....5..
0010: 4c f5 a8 49 4e e1 fb e2 c5 3b 72 df f8 e0 d2 72 L..IN....;r....r
0020: 34 1e e3 bd 6e 26 ca 25 8a c1 3e 20 65 e2 56 f5 4...n&.%..> e.V.
0030: f4 b0 60 09 a2 eb ab b5 b7 2f e2 6a bd f3 48 12 ..`....../.j..H.
0040: c3 59 bb 87 cd 7d bd 99 76 5f 29 f9 5f 27 d4 09 .Y...}..v_)._'..
0050: 4f 0e 31 a9 89 b6 33 43 f3 65 ab 69 bf a1 19 3c O.1...3C.e.i...<
0060: 51 70 52 79 3d a6 d1 39 c7 c1 1d 5c 37 ac 89 a4 QpRy=..9...\7...
0070: 82 ed 68 cf f4 1a e4 52 90 20 6b 51 11 db 0e e2 ..h....R. kQ....
0080: a4 38 04 17 aa 65 b3 e2 38 5a 1e 00 15 52 2e 75 .8...e..8Z...R.u
0090: 2f 05 81 86 a0 41 cd 91 ca 5b 92 e5 69 bd 41 d6 /....A...[..i.A.
ldap_read: want=8, got=8
0000: 30 32 02 01 02 65 2d 0a 02...e-.
ldap_read: want=44, got=44
0000: 01 35 04 00 04 26 63 6f 6e 73 75 6d 65 72 20 73 .5...&consumer s
0010: 74 61 74 65 20 69 73 20 6e 65 77 65 72 20 74 68 tate is newer th
0020: 61 6e 20 70 72 6f 76 69 64 65 72 21 an provider!
ber_get_next: tag 0x30 len 50 contents:
ber_dump: buf=0x7fae340013a0 ptr=0x7fae340013a0 end=0x7fae340013d2 len=50
0000: 02 01 02 65 2d 0a 01 35 04 00 04 26 63 6f 6e 73 ...e-..5...&cons
0010: 75 6d 65 72 20 73 74 61 74 65 20 69 73 20 6e 65 umer state is ne
0020: 77 65 72 20 74 68 61 6e 20 70 72 6f 76 69 64 65 wer than provide
0030: 72 21 r!
read1msg: ld 0x7fae44100d60 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x7fae340013a0 ptr=0x7fae340013a3 end=0x7fae340013d2 len=47
0000: 65 2d 0a 01 35 04 00 04 26 63 6f 6e 73 75 6d 65 e-..5...&consume
0010: 72 20 73 74 61 74 65 20 69 73 20 6e 65 77 65 72 r state is newer
0020: 20 74 68 61 6e 20 70 72 6f 76 69 64 65 72 21  than provider!
read1msg: ld 0x7fae44100d60 0 new referrals
read1msg: mark request completed, ld 0x7fae44100d60 msgid 2
request done: ld 0x7fae44100d60 msgid 2
res_errno: 53, res_error: <consumer state is newer than provider!>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
do_syncrep2: rid=005 LDAP_RES_SEARCH_RESULT
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x7fae340013a0 ptr=0x7fae340013a3 end=0x7fae340013d2 len=47
0000: 65 2d 0a 01 35 04 00 04 26 63 6f 6e 73 75 6d 65 e-..5...&consume
0010: 72 20 73 74 61 74 65 20 69 73 20 6e 65 77 65 72 r state is newer
0020: 20 74 68 61 6e 20 70 72 6f 76 69 64 65 72 21  than provider!
ber_scanf fmt (}) ber:
ber_dump: buf=0x7fae340013a0 ptr=0x7fae340013d2 end=0x7fae340013d2 len=0
ldap_err2string
do_syncrep2: rid=005 LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform
ldap_err2string
ldap_err2string
do_syncrep2: rid=005 (53) Server is unwilling to perform
ldap_err2string
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
Any pointers on where to troubleshoot and resolve this?
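The refusal in the trace above (err=53, text "consumer state is newer than provider!") is the provider comparing the CSNs carried in the consumer's syncrepl cookie against its own contextCSN values, one per serverID. The Python below is an added example, not code from the post or from OpenLDAP: it re-implements that per-serverID comparison over constructed cookies so you can see which serverID a runaway cookie trips on. Everything in it is assumed or constructed apart from the sid=002 CSN, which is the entryCSN shown in the post; how a real provider treats a serverID it has no contextCSN for is an assumption made in the code.

```python
"""Added example (not from the post): re-implement the provider-side check
behind slapd's "consumer state is newer than provider!" (err=53) refusal.

A syncrepl cookie carries one CSN per serverID (sid). The provider compares
each of them with its own contextCSN for the same sid; if the consumer's CSN
is later, the provider refuses the sync with unwillingToPerform. Comparison
is field by field, which for fixed-width CSNs equals plain string order.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# CSN layout: YYYYmmddHHMMSS.uuuuuuZ#count#sid#modcount (count/sid/mod are hex)
CSN_RE = re.compile(
    r"^(?P<time>\d{14})\.(?P<usec>\d{6})Z"
    r"#(?P<count>[0-9a-fA-F]{6})#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$"
)


@dataclass(frozen=True, order=True)
class CSN:
    time: str   # UTC timestamp, second resolution
    usec: int   # microseconds
    count: int  # change counter within the same microsecond
    sid: int    # serverID that generated the change
    mod: int    # modification counter
    raw: str = field(default="", compare=False)


def parse_csn(text: str) -> CSN:
    m = CSN_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a CSN: {text!r}")
    return CSN(m["time"], int(m["usec"]), int(m["count"], 16),
               int(m["sid"], 16), int(m["mod"], 16), text.strip())


def parse_cookie(cookie: str) -> Tuple[int, List[CSN]]:
    """Parse 'rid=NNN,sid=NNN,csn=CSN;CSN...' into (rid, [CSN, ...])."""
    fields = dict(part.split("=", 1) for part in cookie.split(","))
    csns = [parse_csn(c) for c in fields["csn"].split(";")] if fields.get("csn") else []
    return int(fields["rid"]), csns


def check_consumer_state(cookie: str, provider_ctxcsn: List[str]) -> Dict[int, str]:
    """Classify the consumer's CSN for every sid relative to the provider's."""
    _, consumer = parse_cookie(cookie)
    provider = {c.sid: c for c in map(parse_csn, provider_ctxcsn)}
    verdict: Dict[int, str] = {}
    for c in consumer:
        p = provider.get(c.sid)
        if p is None:
            # Assumption: a sid the provider has no contextCSN for is skipped
            # rather than treated as an error.
            verdict[c.sid] = "unknown sid"
        elif c > p:
            verdict[c.sid] = "newer"      # this is what triggers err=53
        elif c < p:
            verdict[c.sid] = "behind"     # normal: provider will send updates
        else:
            verdict[c.sid] = "in sync"
    return verdict


def provider_would_refuse(cookie: str, provider_ctxcsn: List[str]) -> bool:
    return "newer" in check_consumer_state(cookie, provider_ctxcsn).values()


# Constructed sample data. The sid=002 CSN is the entryCSN seen in the post;
# the sid=001 values and both cookies are made up for the example.
PROVIDER_CONTEXTCSN = [
    "20110616183041.867322Z#000000#002#000000",
    "20110616120000.000000Z#000000#001#000000",
]
IN_SYNC_COOKIE = ("rid=005,sid=002,csn=20110616183041.867322Z#000000#002#000000"
                  ";20110616120000.000000Z#000000#001#000000")
NEWER_COOKIE = ("rid=005,sid=002,csn=20110616190000.000000Z#000000#002#000000"
                ";20110616110000.000000Z#000000#001#000000")

if __name__ == "__main__":
    for name, cookie in (("in-sync", IN_SYNC_COOKIE), ("newer", NEWER_COOKIE)):
        print(name, check_consumer_state(cookie, PROVIDER_CONTEXTCSN),
              "refused" if provider_would_refuse(cookie, PROVIDER_CONTEXTCSN) else "accepted")
```

To run it against live values, read the provider's contextCSN with a base-scope search on the suffix entry (here cn=schema,cn=config on each mirrormode master) and the consumer's stored cookie from the contextCSN of the receiving database; a "newer" verdict for a serverID tells you which side's CSN for that serverID has to be reconciled before the consumer will be accepted again.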
Password Policy
by ldap@mm.st
Running RH5 with openldap-2.3.43. We have a script that pulls ssha
passwords from an ldap server out of our control. So when a user updates
their password on that server, the script periodically pulls the password
and updates our ldap servers, so users can use our ldap servers with
posix attributes to authenticate to systems using ldap and pam settings.
We need to inactivate accounts after a period of inactivity. We can do
this using the shadowInactive attribute in ldap that is based on when
the user password expired.
So the issue we have is that when a user logs into a system and their
account is expired they can enter a new password and our ldap servers
are updated with the new password, but when the script runs at a later
time, the password is reset back to whatever is in the ldap server we
pull passwords from. We would like users to not be able to change their
password using the passwd command. We can accomplish this in a few
ways including:
1. pam_password_prohibit_message in ldap.conf
2. Just commenting out the ldap module in pam that controls password
updates.
The problem is that we have a small group of users that are added
manually that we would like to be able to change their passwords using
the passwd command. The above will impact all users. We are looking
for suggestions on how to handle the above. We thought of the
following:
1. Use the ppolicy overlay and create a default policy for all users
that sets pwdAllowUserChange to no, and then create individual policies
that allow certain users to change their password.
In this method, what happens to all the shadow attributes? Are they
overwritten by the ppolicy? I don't see anything regarding inactive
accounts in ppolicy like the shadowInactive attribute.
2. Could we accomplish this by figuring out an ACL in slapd.conf so that
only users with a special attribute value are able to write to the
userPassword attribute?
Any other suggestions?
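For the second idea (an ACL that decides who may write userPassword), the slapd.conf fragment below is an added example and not from the post. It assumes the manually added users are marked with employeeType: local and that the sync script binds as cn=pwsync,dc=example,dc=com; both names are placeholders, as is the suffix.

```conf
# Added example (not the poster's config). Placeholders: employeeType=local
# marks manually added users; cn=pwsync,dc=example,dc=com is the sync script.

# Entries matching the filter: the user may change their own password,
# the sync script may overwrite it, everyone else may only bind against it.
access to filter=(employeeType=local) attrs=userPassword
        by dn.exact="cn=pwsync,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# All other entries: the password is only written by the sync script;
# the user can still bind with it but cannot replace it.
access to attrs=userPassword
        by dn.exact="cn=pwsync,dc=example,dc=com" write
        by anonymous auth
        by * none
```

Both rules must come before any broader `access to *` rule, because slapd uses the first `access to` clause whose target (entry and attribute) matches and never falls through to a later one. The `filter=` part is what makes the first rule apply only to the flagged users; everyone else is handled by the second rule, so a passwd on a client that does an exop or a replace of userPassword is refused for them while the script's writes keep working. Note that `by * none` also stops ordinary users from reading each other's hashes.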
Re: Client App and STARTTLS auth
by Massimiliano Pala
Hi Rich,
to provide a better vision, I am trying to use openldap to connect to a server
and ignoring errors in authentication of the certificates. I am working on a
*client*.
In particular the code I wrote is like this:
#include <ldap.h>

LDAP *ld = NULL;
int m_error;

ldap_initialize(&ld, url);
if (crypto_api == LDAP_CRYPTO_API_OPENSSL)
{
    // This works..
    SSL_CTX *ctx = NULL;
    ...
}
else
{
    int opt_val = 0;
    // Note: LDAP_OPT_X_TLS_NEWCTX builds the TLS context from the options set so
    // far; TLS options set on ld afterwards only take effect in a context created
    // after them.
    if (ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &opt_val) != LDAP_OPT_SUCCESS)
    {
        /// ERROR if here (does not happen)
    }
    // This works till now
    opt_val = LDAP_OPT_X_TLS_TRY;
    if (ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) != LDAP_OPT_SUCCESS)
    {
        if (ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &opt_val) != LDAP_OPT_SUCCESS)
        {
            // Error
            ..
        }
    }
    // corePnt->m_ldap in the original snippet; assumed to be the same handle as ld
    m_error = ldap_start_tls_s(ld, NULL, NULL);
    ...
Note that m_error gets a -11...
On the server the output (-d 1) is:
connection_get(14): got connid=1007
connection_read(14): checking for input on id=1007
TLS: error: accept - force handshake failure: errno 11 - moznss error -5938
TLS: can't accept: (unknown).
I have no clue why this is not working.
Another thing which is interesting.. on Ubuntu I tried to change the TLS_CERTREQ
option to "allow" ... and the code works - but I cannot have it working by
using ldap_set_option().. (on Fedora 14/15 setting the option in the
ldap.conf file - in /etc/openldap/ - does not work..).
Heeeeeellp!!! :D
Cheers,
Max
On 06/10/2011 10:50 PM, Rich Megginson wrote:
> On Fri, Jun 10, 2011 at 4:19 PM, Massimiliano Pala<pala(a)isis.poly.edu> wrote:
>> Hi Philip, all,
>>
>> thanks for the advice. I have changed the code.. and the option is set
>> correctly. Question, do you think it is safe to do this as a fallback:
>>
>> if(ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT,&level) !=
>> LDAP_OPT_SUCCESS)
>> {
>> if(ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,&level) !=
>> LDAP_OPT_SUCCESS)
>> {
>> /// Total Failure
>> }
>> }
>>
>> Still.. although I set the option, I still get the -11 error when
>> trying to bind.
>
> What -11 error? Client or server? Can you run with -d 1 to get
> detailed trace information?
>
>>
>> Is there any other option I have to set to "disable" certificate
>> verification for non-openssl crypto api ?
>>
>> Cheers,
>> Max
>>
>>
>> On 06/10/2011 05:23 PM, Philip Guenther wrote:
>> [..]
>>>
>>> Howard has already pointed out that the value must be an LDAP_OPT_X_TLS_*
>>> constant and not a string; I just wanted to add that in version 2.3 and
>>> earlier, that option (and most of the other TLS options) could only be set
>>> globally: ldap_set_option() would fail for them if the first argument
>>> wasn't NULL. So, make sure you're building against a current version.
>>>
>>>
>>> Philip Guenther
>>
>>
>> --
>>
>> http://member.acm.org/~openca/
>>
>> Massimiliano Pala, Ph.D.
>> Director, OpenCA Labs
>> Professor, NYU Poly
>>
>>
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
How to migrate master and keep slave in sync?
by Stefano Zanmarchi
Hi,
we have a 2.4.21 master on Solaris and a syncrepl 2.4.21 slave on
Linux, and need to migrate the master
to a new platform (Linux) and new version (2.4.21).
Of course we need that the syncrepl slave (not managed by us) keeps in
sync with the new master.
Given that the ip, ports and certificates of the new master will not
change, would it be enough to do the following?
1) stop the "old" 2.4.21/Solaris master
2) import its contents (via slapcat and slapadd) into the "new"
2.4.23/Linux (stopped) master
3) start the new 2.4.23/Linux master
Thank you very much,
Stefano
Linking Clients - which Crypto API ?
by Massimiliano Pala
Hi all,
I have a little problem. I am implementing an application that uses the
OpenLDAP libraries. Until not too long ago, linking with OpenSSL was
sufficiently safe (on almost every Linux distro) and providing my own
verification function through the SSL_CTX (by using ldap_set_option(m_ldap,
LDAP_OPT_SERVER_CERTIFICATE, _my_verify)) was easy.
Now, Linux distros have started to use GnuTLS, NSS, and OpenSSL as the crypto
API.
My question is: how do I develop an application that, when deployed on different
systems, might need to use functions and data structures from different crypto APIs
(e.g., when I distribute the binaries of my app)?
How can I retrieve that info *at runtime* (I'd like my binaries to be compatible)?
At least, is there a function that allows me to know which crypto API is
expected by libldap_r (so that I don't pass in the wrong data structure,
since it is a (void *))? Or at least, is there a way to set/get options so that
I would know which API is in use?
Thanks,
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
OpenLDAP + OpenSSL: decrypt error
by Nguyen, Quoc Khanh
Hi all,
I'm confused about this problem. Please help...
I installed OpenLDAP (2.4.25) with Cyrus SASL (2.1.23) and OpenSSL (0.9.8r).
I started LDAP with the SSL port:
#./slapd -h 'ldaps:///'
Everything OK, but when I test the uid of OpenLDAP with SASL, I have a problem:
root@ftp:/usr/local/sasl2/sbin# ./testsaslauthd -u khanhnq -p 123456
0: NO "authentication failed"
I check the log and have a message:
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 10
ldap_prepare_socket: 10
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 10 tm: 5 async: 0
ldap_ndelay_on: 10
ldap_int_poll: fd: 10 tm: 5
ldap_is_sock_ready: 10
ldap_ndelay_off: 10
ldap_pvt_connect: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
TLS certificate verification: depth: 0, err: 7, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
TLS certificate verification: Error, certificate signature failure
TLS trace: SSL3 alert write:fatal:decrypt error
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:func(144):reason(134) (certificate signature failure).
ldap_err2string
ldap_unbind
ldap_create
ldap_url_parse_ext(ldaps://localhost)
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 10
ldap_prepare_socket: 10
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 10 tm: 5 async: 0
ldap_ndelay_on: 10
ldap_int_poll: fd: 10 tm: 5
ldap_is_sock_ready: 10
ldap_ndelay_off: 10
ldap_pvt_connect: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
TLS certificate verification: depth: 0, err: 7, subject: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com, issuer: /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
TLS certificate verification: Error, certificate signature failure
TLS trace: SSL3 alert write:fatal:decrypt error
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:func(144):reason(134) (certificate signature failure).
ldap_err2string
saslauthd[766] :do_auth : auth failure: [user=khanhnq] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[766] :do_request : response: NO
What am I doing wrong? I tested OpenSSL using client authentication and it works OK.
# openssl s_client -connect localhost:636 -state -CAfile /var/myCA/demoCA/cacert.pem -cert /var/myCA/clientcrt.pem -key /var/myCA/clientkey.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
verify return:1
depth=0 /C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
   i:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
 1 s:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
   i:/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
issuer=/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
---
Acceptable client certificate CA names
/C=VN/ST=HCM/O=SGT/OU=NW/CN=abc.com
---
SSL handshake has read 2431 bytes and written 1804 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: B79630EC32BF14F01931D1EAB3DC0CF7DA29B42E012C8BD8171EEF46D993BB96
    Session-ID-ctx:
    Master-Key: 230F7D9D0736A40EB148CA9091BA0105E6949721E55FD9F84AD057C1CBA38F0A1B2269CAB07E7E71E3310954DDF260BF
    Key-Arg   : None
    TLS session ticket:
    0000 - 07 19 41 07 ec 4c 66 10-24 a0 dd be 02 ff 05 90   ..A..Lf.$.......
    0010 - a0 f8 64 d3 08 77 a0 bf-24 81 ad 04 b8 d9 e6 9a   ..d..w..$.......
    0020 - 04 5a df 4a d5 a1 65 2b-52 4c d4 a2 c2 d6 8b 7f   .Z.J..e+RL......
    0030 - fa 66 c7 05 54 58 fa 5d-9a a3 75 82 d0 e8 76 dd   .f..TX.]..u...v.
    0040 - 4f da 54 ac 8e 40 95 68-7c da 6f 08 7f 52 a3 f6   O.T..@.h|.o..R..
    0050 - c2 bd 44 ff dd 95 b3 0c-e5 9e 16 95 7c c8 6d ee   ..D.........|.m.
    0060 - 96 03 6b db ae 8c 34 8e-a3 29 87 16 f0 a6 0e 8c   ..k...4..)......
    0070 - ac fa c2 76 4a 2d 75 f5-fc b7 1e 83 ec a7 47 0a   ...vJ-u.......G.
    0080 - 72 50 e8 24 e2 22 34 5f-ff 6a b1 ea f0 cc 2e 55   rP.$."4_.j.....U
    0090 - 9f ec ea 1b b5 da 12 70-f4 0c ee 10 5b d0 4e 7a   .......p....[.Nz
    00a0 - 0d 60 06 70 02 f7 eb a3-f3 79 a7 69 5d c3 61 d3   .`.p.....y.i].a.
    00b0 - 51 2a 8a 82 c2 11 70 c9-8b 4f 19 58 50 83 6b 0e   Q*....p..O.XP.k.
    00c0 - bf 9e aa 6a 8f 72 59 9c-10 da cc 8f 90 05 db e2   ...j.rY.........
    00d0 - 08 31 d8 62 1a 24 0d 50-a4 e1 75 e6 ee 49 19 32   .1.b.$.P..u..I.2
    00e0 - 1f b6 0e 77 11 42 ce 3a-7e 7e 9c 2b be 59 d4 b4   ...w.B.:~~.+.Y..
    00f0 - 24 36 b0 a5 39 30 9f 3a-49 f7 19 10 73 f1 3e 06   $6..90.:I...s.>.
    0100 - b4 04 58 3a 5f 4c 02 29-54 b1 25 c7 2f 06 4a 62   ..X:_L.)T.%./.Jb
    0110 - fb 4b 52 82 ea 50 7e 12-0e 8b 5a eb a4 34 77 3c   .KR..P~...Z..4w<
    0120 - 9f f4 0d 85 0f 43 9a 5d-f1 ba 3e 28 ab 86 98 17   .....C.]..>(....
    0130 - d1 10 49 d2 a6 f3 e7 32-72 62 41 ac 4c 51 4b 05   ..I....2rbA.LQK.
    0140 - bd e7 a3 30 cd 47 37 95-f9 76 1d 4a f1 a2 58 b0   ...0.G7..v.J..X.
    0150 - 0b a8 ca 4e 4f a1 67 ff-01 3e 11 29 a9 db f1 3e   ...NO.g..>.)...>
    0160 - 43 64 f8 58 4e d3 44 6f-ee cc 61 6d b3 82 ab 77   Cd.XN.Do..am...w
    0170 - e7 3b 6b 83 af b7 42 76-89 e2 e0 d6 8e 66 61 fe   .;k...Bv.....fa.
    0180 - df 7c d8 28 63 04 22 06-cd 41 28 46 d4 08 00 b4   .|.(c."..A(F....
    0190 - 2b 9e 90 ec ee 9f 8e 34-9b 15 5c 71 e8 29 88 c8   +......4..q.)..
    01a0 - 35 4d 88 aa c3 05 53 0a-b8 bd 90 38 68 cf 8b 0b   5M....S....8h...
    01b0 - b0 f3 48 c0 02 8a 9f be-05 1b 13 4a 49 67 32 8f   ..H........JIg2.
    01c0 - 66 f2 41 18 11 f1 eb ed-2a d0 a4 de d9 10 83 95   f.A.....*.......
    01d0 - c6 aa 1a 74 83 36 31 db-68 b1 88 37 2b 18 da 6b   ...t.61.h..7+..k
    01e0 - b9 be 87 36 64 5c a0 b1-23 eb df d9 8f 96 10 ae   ...6d..#.......
    01f0 - 4e db 3b c2 77 65 a4 11-df 65 a8 26 98 4f df 69   N.;.we...e.......
    0210 - f6 93 93 b1 c0 89 65 3a-0d bc 16 e8 f0 5f 9f 5c   ......e:....._.
    0220 - 8a bc ea 56 b7 e7 d4 75-4c 19 6d 18 73 64 3c 95   ...V...uL.m.sd.
    0260 - 78 0d 94 f1 3a 1a 64 35-b5 54 b5 84 76 44 62 b1   x...:.d5.T..vDb.
    0270 - 36 5c 1d d6 79 27 6d 1c-3c df bb d2 bf 2c 06 40   6..y'm.
issue regarding ldap apache authentication in public_html/*
by VIKAS MARWAHA
Hi,
I need a little help. I am implementing LDAP services in my college.
The Apache LDAP authentication works fine with any directory, viz.
/var/www/*/*
/home/username/
but it doesn't work with
/home/username/public_html/anyfolder/
i.e. with a subfolder in public_html.
The issue is that whenever I write the lines in http.conf, the folder stops
appearing in the browser: I don't see the folder when I browse
http://localhost/~username/foldername
Lines in the http.conf file:
<Directory /home/vikasmarwaha/public_html/private/>
Authtype Basic
AuthName "Secured Area : Vikas Marwaha's Page : Secured with LDAP :
Authorized personal only"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=example,dc=com?uid?"
require ldap-user vikasmarwaha
</Directory>
Please tell me where I am wrong!
This one works perfectly:
<Directory /home/vikasmarwaha/>
Authtype Basic
AuthName "Secured Area : Vikas Marwaha's Page : Secured with LDAP :
Authorized personal only"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=example,dc=com?uid?"
require ldap-user vikasmarwaha
</Directory>
but it doesn't satisfy my requirements. I need to secure the subfolder (under
public_html, the user's web space), not the whole user directory.
--
Vikas Marwaha
http://vikasmarwaha.co.cc
Sent via HP Touchsmart powered by Backtrack 5 Linux
Technology of Future.
passwords disappear
by Bidwell, Matt
If a user changes passwords on an ldap client machine, the shadow
entry disappears. This is true for all hash methods except for
{CRYPT}. Clearly I would like {SSHA} or {MD5} over {CRYPT}.
The client machines are pretty standard RHEL 5 machines. I have
exop in the config on the client. Setting the password on the LDAP
server works correctly. Running the server in debug didn't make
anything jump out at me. Anyone have any ideas? Perhaps I'm missing
an ACL I don't know about.
Matt
Client App and STARTTLS auth
by Massimiliano Pala
Hi all,
are there examples on how to use STARTTLS without requiring that the
server's certificate is trusted?
If the crypto api used in the ldap library is OpenSSL, that is easy:
- create a new ssl_ctx() with SSL_CTX_new()
- set my function as the verify function with SSL_CTX_set_verify()
- use the LDAP_OPT_X_TLS_CTX option to point to my new ssl_ctx
My problem is: when GnuTLS or NSS crypto libraries are used instead,
how do I force the same behavior? Or, if providing my own function
is not possible, how do I force the STARTTLS to go on even if it finds
non-trusted server/CA certificates?
Thanks,
Max
--
http://member.acm.org/~openca/
Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly