July 2011 - openldap-technical

looking for entires with objectclass=glue

by Andreas Haubod

Hello, I've running two ldap server using N-Way multimaster replication. I want find all objects with "objectclass=glue". If I use JXEplorer to search "objectclass=glue" I get 136 entries back. If I use ldapsearch or Apache DS and do the same, no entries are found. In the slapcat backup from the ldap server the entires with objectclass: glue exists. So I turned "loglevel 256" in the slapd.conf. I got for JXEplorer and ldapsearch the same search: JXEplorer: slapd[23362]: conn=1001 op=7 SRCH base="ou=root" scope=2 deref=3 filter="(objectClass=glue)" slapd[23362]: conn=1001 op=7 SRCH attr=objectClass slapd[23362]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=136 text= ldapsearch: slapd[23362]: conn=1004 op=1 SRCH base="ou=root" scope=2 deref=3 filter="(objectClass=glue)" slapd[23362]: conn=1004 op=1 SRCH attr=objectclass slapd[23362]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= How can I get the glue entires via ldapsearch? Thanks Andreas

9 years, 9 months

1
1
0 / 0

ppolicy in Solaris 10

by Wynand Jansen van Vuuren

My slapd.conf file is as follow # Load dynamic backend modules: modulepath /usr/local/libexec/openldap moduleload ppolicy.la # moduleload /usr/local/libexec/openldap/ppolicy.so # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la and overlay ppolicy ppolicy_default "cn=default,ou=Policies,dc=rorotika,dc=com" ppolicy_use_lockout When I start slapd in debug with d 255, I get the following "error"? ine 21 (loglevel 4) line 22 (pidfile /usr/local/var/run/slapd.pid) line 23 (argsfile /usr/local/var/run/slapd.args) line 26 (modulepath /usr/local/libexec/openldap) line 27 (moduleload ppolicy.la) loaded module ppolicy.la module ppolicy.la: null module registered line 65 (access to dn.base="" by * read) >>> dnNormalize: <> <<< dnNormalize: <> Backend ACL: access to dn.base="" by * read The line that consern me is "module ppolicy.la: null module registered", is this a problem? The ppolicy does not seen to overlay... It seems that the Solaris 10 settings is still valid, for example It seems that this policy is not activated, for example the pwdMinLength: is set to 3, but when the user changes his/her password, it seems that the Solaris policy takes over from the /etc/default/passwd file test5:/ $ ssh admin777(a)10.1.1.5 * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OR OTHER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING AND AUDITING. * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * Password: Last login: Tue Jul 12 11:14:22 2011 from test5.example. Sun Microsystems Inc. SunOS 5.10 Generic January 2005 Sun Microsystems Inc. SunOS 5.10 Generic January 2005 Sourcing //.profile-EIS..... test5:/ $ id uid=5011(admin777) gid=1000(users) groups=1000(users) test5:/ $ passwd passwd: Changing password for admin777 Enter existing login password: New Password: passwd: Password too short - must be at least 8 characters. Please try again New Password: test5:/ $ cat /etc/default/passwd #ident @(#)passwd.dfl 1.7 04/04/22 SMI # # Copyright 2004 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # MAXWEEKS=13 MINWEEKS= PASSLENGTH=8 # NAMECHECK enables/disables login name checking. Could someone point me in the right direction please?

9 years, 9 months

1
0
0 / 0

Database indexing: use of slapindex

by anax

Hi listers Installation here: openldap-servers-2.4.15-7.fc11.i586 One master server, two backup servers (syncrepl). All authentication and mailing is managed through ldap. 1. About indexing: When i check the slapd-log, i see many <= bdb_equality_candidates: (uidNumber) not indexed <= bdb_equality_candidates: (gidNumber) not indexed In the discussion about slapd tuning http://www.openldap.org/doc/admin24/tuning.html#Indexes, however, i read that if each entry in a certain set of ldap-entries has got the candidate-attribute, it is not worth while to index the attribute, because slapd needs to read each entry in any case in order to find the requested one. this is the case for uidNumber as well as gidNumber, because both are compulsory attributes for objectClass posixAccount. My first question: is it therefore correct to disregard the above indexing requests of slapd? 2. About slapindex: When it comes to use slapindex, the docu is not clear about how to do that. Some places say, that you need to stop slapd entirely, some places say that it is sufficient to put slapd in read-only mode for the corresponding background database, which in this case would be /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif this file contains both the olcReadOnly and the olcDbIndex attributes. So i could just add the following two lines in the above file: olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq set the olcReadOnly attribute to TRUE, and restart slapd, and everything would be done automatically? Or would i need to invoke slapindex additionally with the following command slapindex -c And if i had to start slapindex additionally, would slapindex tell me, that the database is in read-only mode, so no changes are possible, not even index changes? And, if i had to start slapindex additionally, i would do it as root. the files generated by slapindex would they be owned by root (inaccessible by slapd) or by the slapd user? Would the new indexes be propagated to the backup servers by syncrepl automatically? If not, what would i have to change on the backup servers? Thank you for your attention suomi

9 years, 9 months

1
0
0 / 0

Database indexing: slapindex

by openldap＠ayni.com

Hi listers Installation here: openldap-servers-2.4.15-7.fc11.i586 One master server, two backup servers (syncrepl). All authentication and mailing is managed by ldap. 1. About indexing: When i check the slapd-log, i see many <= bdb_equality_candidates: (uidNumber) not indexed <= bdb_equality_candidates: (gidNumber) not indexed In the discussion about slapd tuning http://www.openldap.org/doc/admin24/tuning.html#Indexes, however, i read that if each entry in a certain set of ldap-entries has got the candidate-attribute, it is not worth while to index the attribute, because slapd needs to read each entry in any case in order to find the requested one. this is the case for uidNumber as well as gidNumber, because both are compulsory attributes for objectClass posixAccount. My first question: is it therefore correct to disregard the above indexing requests of slapd? 2. About slapindex: When it comes to use slapindex, the docu is not clear about how to do that. Some places say, that you need to stop slapd entirely, some places say that it is sufficient to put slapd in read-only mode for the corresponding background database, which in this case would be /etc/openldap/slapd.d/cn=config/olcDatabase\=\{2\}bdb.ldif this file contains both the olcReadOnly and the olcDbIndex attributes. So i could just add the following two lines in the above file: olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq set the olcReadOnly attribute to TRUE, and restart slapd, and everything would be done automatically? Or would i need to invoke slapindex additionally with the following command slapindex -c And if i had to start slapindex additionally, would slapindex tell me, that the database is in read-only mode, so no changes are possible, not even index changes? And, if i had to start slapindex additionally, i would do it as root. the files generated by slapindex would they be owned by root (inaccessible by slapd) or by the slapd user? Would the new indexes be propagated to the backup servers by syncrepl automatically? If not, what would i have to change on the backup servers? Thank you for your attention suomi

9 years, 9 months

1
0
0 / 0

Re: Simple Bind w/TLS without SASL/Kerberos possible to AD?

by David Mitton

Thanks for the reply, sorry about the poor quoting, I'm cut and pasting from the web archive. ------ From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo(a)gmail.com> Date: Fri, 8 Jul 2011 08:58:16 -0430 Greetings, On Thu, Jul 7, 2011 at 4:08 PM, David Mitton <david(a)mitton.com> wrote: I am trying to use OpenLDAP from an embedded Linux system to authenticate (PAM LDAP) against a Windows AD server. I must use TLS to secure this, but I would rather not use SASL or Kerberos if possible. pam_ldap = http://www.padl.com/pam_ldap.html[1] OR http://arthurdejong.org/nss-pam-ldapd/[2] .... you are not dealing here with OpenLDAP.... DJM> Good point, I will look at exactly which module(s) I'm using and > come back to that later. I beleive for the moment I'm using whatever is in > Centos. I have Arthur Jong's modules as well, but I don't think > I've installed them yet. I have been able to mock this up on a Centos system without TLS, and the PAM worked fine. When I turn on TLS, the Windows server handshakes the TLS but then has a problem with the first message. I am also working that side. I have walked through the handshake with s_client, and the connection is happy. I am now working with ldapsearch and trying things.... The first thing I notice is that it seems to try an SASL bind. Can I stop this? I'm not sure I have SASL actually installed on this system, and I'm not sure I want it in my target. ldapsearch -x <--- does simple auth instead of sasl. Is this possible? from both the OpenLDAP client and/or Windows AD? Ideas on the correct alphabet soup to try this with ldapsearch would be appreciated. Thanks. Well, I have seen this done through samba, but you *should* be able to use AD's LDAP to authenticate your Linux workstation, I guess. Sincerely, Ildefonso Camargo ------- I tried the following command and here are the results... note that after the simple_bind, a SASL_bind line appears. I'd like to dig into this deeper.... What will give me more info? Thanks, Dave. ldapsearch -d 1 -v -x -H ldaps://172.16.9.3:363 -b "dc=foobar,dc=local" -D 'FOOBAR\mgr' -w 'Strongpw@09' '(sAMAccountName=mgr)' ldap_initialize( ldaps://172.16.9.3:363 ) ldap_create ldap_url_parse_ext(ldaps://172.16.9.3:363) ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 172.16.9.3:363 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 172.16.9.3:363 ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_perror ldap_bind: Can't contact LDAP server (-1)

9 years, 9 months

2
1
0 / 0

Re: basic login fails : here are some logs ...

by Olivier

I have problem to use my openldap 2.4 server for authentication on a fedora 14 : it sounds that the problem is on the on the client side configuration. Here are some logs : your help to diag would be appreciated. -> I have an ldap server that that stores posixAccount and respond to ldap queries. -> I have configure a client machine to use this ldap server for authentication when login : ***** LOGS *** **** CLIENT side **** login: olivier passe : Login incorrect **** SERVER when login on the client *** Here is what I see on the server side (IP=10.1.92.24) when I try to log in as "olivier" on the client (10.1.86.93) using /bin/login (debug level 256) : conn=1220 fd=13 ACCEPT from IP=10.1.86.93:54458 (IP=10.1.92.24:389) conn=1220 op=0 BIND dn="" method=128 conn=1220 op=0 RESULT tag=97 err=0 text= conn=1220 op=1 SRCH base="ou=People,ou=staff,dc=mydomain,dc=fr" scope=2 deref=0 filter="(uid=olivier)" conn=1220 op=1 SRCH attr=host authorizedService shadowExpire shadowFlag shadowInactive shadowLastChange shadowMax shadowMin shadowWarning uidNumber conn=1220 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= *** CLIENT When using ldappasswd ***** I manage to change the "userPassword" attributes using ldappasswd command, here are the logs on the client and server side : Client side : $ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier" dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr uid: olivier ... objectClass: account objectClass: posixAccount objectClass: top userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s= $ ldappasswd -h -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -s newpass $ ldapsearch -h ldap-master1.mydomain.fr -D "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier" dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr uid: olivier ... objectClass: account objectClass: posixAccount objectClass: top userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s= *** SERVER side When using ldappasswd ***** Server side, here are the logs related to ldapppasswd : conn=1000 fd=11 ACCEPT from IP=10.1.86.93:52074 (IP=10.1.92.24:389) conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" method=128 conn=1000 op=0 BIND dn="cn=Manager,dc=mydomain,dc=fr" mech=SIMPLE ssf=0 conn=1000 op=0 RESULT tag=97 err=0 text= conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 conn=1000 op=1 PASSMOD id="uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" new conn=1000 op=1 RESULT oid= err=0 text= conn=1000 op=2 UNBIND conn=1000 fd=11 closed Thanks for your help, ---- Olivier On Tue, Jul 12, 2011 at 7:59 PM, Olivier Guillard <olivier(a)guillard.nom.fr> wrote: > Hello > > Here is the result of an ldapsearch on a client host : > > $ ldapsearch -h ldap-master1.mydomain.fr -D > "cn=Manager,dc=mydomain,dc=fr" -w secret "uid=olivier" > > dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr > uid: olivier > loginShell: /bin/tcsh > cn: Olivier > uidNumber: 1130 > gidNumber: 18104 > homeDirectory: /home/olivier > objectClass: account > objectClass: posixAccount > objectClass: top > userPassword:: e1NTSEF9UmlYdnk4MWtaZ0NMS2hyZnBvd2hlaezrbTd7aR5LU0s= > > I have the same output with this : > > $ ldapsearch -h ldap-master1.mydomain.fr -D > "uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr" -w pass-olivier > "uid=olivier" > > Although if I omit the -w I get this : > > ldap_bind: Server is unwilling to perform (53) > additional info: unauthenticated bind (DN with no password) disallowed > > > --->> the openldap server respond. > > ================ > > On the client side (fedora 14), I have followed the documentation to > set up for ldap authentication when login : > > /etc/nsswitch.conf /etc/ldap.conf /etc/nss_ldap.conf > /etc/pam_ldap.conf /etc/openldap/ldap.conf and /etc/pam.d/ > > are configured for the system to query the ldap-master.mydomain.fr > server for authentication : > > in ldap.conf files I have : > > uri ldap://ldap-master1.mydomain.fr and > "rootbinddn cn=Manager,dc=mydomain,dc=fr" > > in nsswitch.conf : > passwd: ldap > shadow: ldap > > and in pam.d/password-auth and pam.d/system-auth and pam.d/system-auth-ac > I have the lines : > > auth sufficient pam_ldap.so use_first_pass > account [default=bad success=ok user_unknown=ignore] pam_ldap.so > password sufficient pam_ldap.so use_authtok > session optional pam_ldap.so > > I use no particular security mechanism at this stage at this stage (no > TLS, simple auth, etc.). > > ==== > > WITH ALL THIS, here is what I get in the logs when I try to login as > "olivier" on the client machine: > > Jul 12 19:32:20 fouine login: nss_ldap: failed to bind to LDAP server > ldap://ldap-master1.mydomain.fr: Can't contact LDAP server > Jul 12 19:32:20 fouine login: nss_ldap: could not search LDAP server - > Server is unavailable > > Of course, i can't log in. > > Any help ??? I'm getting mad... > > ( may be could you suggest which debug level I should use on the > server to try to track what's going on). > > Thanks, > > --- > Olivier >

9 years, 9 months

4
3
0 / 0

OpenLPDAP client tools exit codes

by Liam Gretton

Hi, I've started relying on undocumented exit codes for ldapmodify in places. These are defined in ldap.h, e.g.: #define LDAP_CONSTRAINT_VIOLATION 0x13 #define LDAP_TYPE_OR_VALUE_EXISTS 0x14 Presumably these are undocumented for good reason, but in practice can they be relied on not to change, at least as far as OpenLDAP 2 is concerned (additional exit codes are obviously not an issue). -- Liam Gretton liam.gretton(a)le.ac.uk HPC Architect http://www.le.ac.uk/its IT Services Tel: +44 (0)116 2522254 University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom

9 years, 9 months

2
2
0 / 0

Recommended strategy for replicating cn=config database

by Jonathan Underwood

Hi, I currently have a working N-way multimaster setup (where N=2) and am using sasl/gssapi/kerberos for authenticated binding. I am using the ldap service principals for each host to authenticate, and this is working fine for allowing me to replicate databases other than the cn=config database, where I see the following in the logs: Jul 12 18:28:04 auth1 slapd[4411]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT Jul 12 18:28:04 auth1 slapd[4411]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (32) No such object Jul 12 18:28:04 auth1 slapd[4411]: do_syncrep2: rid=001 (32) No such object Jul 12 18:28:04 auth1 slapd[4411]: do_syncrepl: rid=001 rc -2 retrying (29 retries left) where rid=001 corresponds to the entry: olcSyncRepl: rid=001 provider=ldap://auth0.domain bindmethod=sasl saslmech=gssapi searchbase="cn=config" type=refreshAndPersist retry="30 30 300 +" timeout=1 The reason this isn't working is clear: slapd on the consumer is not binding as the rootdn of the cn=config tree, and so therefore cannot search that database. I am not sure what the best fix is for this, particularly from a security point-of-view. My first thought was to add an ACL to the cn=config database such as olcAccess: to * by users read by * none, but this then opens up the cn=config tree to be readable by any authenticated user, which is somewhat undesirable. Does anyone have a suggestion as to a good strategy to allow cn=config replication in this situation? Thanks in advance, Jonathan.

9 years, 9 months

2
2
0 / 0

LDAP handle structural integrity function

by Khaled Blah

Hallo, I use OpenLDAP in an authentication project and I would like to correctly deal with fauly networks. I mean networks that have packet losses and such. That is why I would like to know whether there is a function in OpenLDAP which allows to check (and maybe sanitize) possibly corrupted sockets associated with the LDAP handle? Many thanks for all your replies Regards, Khaled

9 years, 9 months

3
3
0 / 0

ppolicy with Solaris 10

by Wynand Jansen van Vuuren

My slapd.conf file is as follow # Load dynamic backend modules: modulepath /usr/local/libexec/openldap moduleload ppolicy.la # moduleload /usr/local/libexec/openldap/ppolicy.so # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la and overlay ppolicy ppolicy_default "cn=default,ou=Policies,dc=rorotika,dc=com" ppolicy_use_lockout When I start slapd in debug with d 255, I get the following "error"? ine 21 (loglevel 4) line 22 (pidfile /usr/local/var/run/slapd.pid) line 23 (argsfile /usr/local/var/run/slapd.args) line 26 (modulepath /usr/local/libexec/openldap) line 27 (moduleload ppolicy.la) loaded module ppolicy.la module ppolicy.la: null module registered line 65 (access to dn.base="" by * read) >>> dnNormalize: <> <<< dnNormalize: <> Backend ACL: access to dn.base="" by * read The line that consern me is "module ppolicy.la: null module registered", is this a problem? The ppolicy does not seen to overlay... It seems that the Solaris 10 settings is still valid, for example It seems that this policy is not activated, for example the pwdMinLength: is set to 3, but when the user changes his/her password, it seems that the Solaris policy takes over from the /etc/default/passwd file test5:/ $ ssh admin777(a)10.1.1.5 * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OR OTHER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING AND AUDITING. * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * Password: Last login: Tue Jul 12 11:14:22 2011 from test5.example. Sun Microsystems Inc. SunOS 5.10 Generic January 2005 Sun Microsystems Inc. SunOS 5.10 Generic January 2005 Sourcing //.profile-EIS..... test5:/ $ id uid=5011(admin777) gid=1000(users) groups=1000(users) test5:/ $ passwd passwd: Changing password for admin777 Enter existing login password: New Password: passwd: Password too short - must be at least 8 characters. Please try again New Password: test5:/ $ cat /etc/default/passwd #ident @(#)passwd.dfl 1.7 04/04/22 SMI # # Copyright 2004 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # MAXWEEKS=13 MINWEEKS= PASSLENGTH=8 # NAMECHECK enables/disables login name checking. Could someone point me in the right direction please?

9 years, 9 months

1
0
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2011