Re: Customizing organizationalUnit
by Erwann ABALEA
On 6 August 2011 15:49, "Michael Ströder" <michael(a)stroeder.com> wrote:
>
> harry.jede(a)arcor.de wrote:
> > The cleanest approach is to modify your OU entries:
> >
> > objectClass: top
> > objectClass: organizationalUnit
> > objectClass: extensibleObject
> >
> > Now, all attributes which are defined in any schema are allowed :-) .
>
> That's what I consider bad advice and definitely not the cleanest approach.
This is equivalent to your solutions 1 and 2, described 3 days ago.
Customizing organizationalUnit
by Derek Chen-Becker
Hello all,
I'm migrating a server from an older OpenLDAP 2.1 install to 2.4.21
and I've run into a (hopefully) small issue. On our old install we had
added some attributes to organizationalUnit ("mail" is really the
important one) just by editing the schema files, but I can't figure out
how to do the same on 2.4.21 using the LDAP interface. I found this
email on the list:
http://www.openldap.org/lists/openldap-technical/201106/msg00182.html
But it doesn't seem to have any replies. I've been fiddling with
ldapmodify but I keep on getting strange errors:
root@lsmail:/etc/ldap/schema# ldapmodify -x -D
cn=admin,dc=cpicorp,dc=com -W -f CPI-core.ldif
Enter LDAP Password:
modifying entry "cn=core,cn=schema,cn=config"
ldap_modify: No such object (32)
matched DN: cn=schema,cn=config
Is this possible with 2.4.21, or do I need to stick with an older
version of OpenLDAP?
Thanks,
Derek
copying a multi-master node to a standalone node
by Patrick H.
I am trying to create a duplicate of a production node that is in a
multi-master replication setup to a standalone node for testing
purposes. However whenever I try to make any changes to the testing
database, I get the "shadow context; no update referral" error.
I have removed all olcServerID attributes, set olcMirrorMode to false,
removed the syncprov module and its overlay entries, and removed the
olcSyncrepl attributes. But after all this it's still giving the error.
What am I missing here?
RE: TLS issue
by Naga Chaitanya Palle
Thanks Rosenberg for your suggestions.
The issue was a wrong path given for the certificate files.
I could also start slapd without commenting out the TLSCipherSuite HIGH:MEDIUM:+SSLv2 line.
-----Original Message-----
From: E.S. Rosenberg [mailto:esr@g.jct.ac.il]
Sent: Thursday, August 04, 2011 10:06 PM
To: Naga Chaitanya Palle
Cc: openldap-technical(a)openldap.org
Subject: Re: TLS issue
2011/8/4 Naga Chaitanya Palle <Naga.Chaitanya(a)aricent.com>:
> Hi,
>
> I am trying to configure tls for my ldap server.
> After successfully creating the below files, I try to start the ldap server
> and it fails.
>
> /etc/openldap/cacerts/cacert.pem
> /etc/openldap/cacerts/slapd-cert.pem
> /etc/openldap/cacerts/slapd-key.pem
>
> The log shows the below messages
>
> main: TLS init def ctx failed: -1
> slapd stopped.
> connections_destroy: nothing to destry.
>
> Slapd.conf
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
Try removing this line. If I'm not mistaken it's in openssl
syntax, while openldap is (usually) compiled against gnu-tls, which uses
a different syntax.
Also, SSLv2 is generally not considered secure, so unless you have some
apps that can't do SSLv3 or better (TLSv1 == SSLv3.1) you should turn
SSLv2 off.
>
> TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
> TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
> TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem
Are your certs self-signed or from a CA?
Did you make sure that the private key (and the other certs too?)
is not stored encrypted (-nodes switch in openssl)?
>
> database bdb
> suffix "dc=comverse-in,dc=com"
> rootdn "cn=Manager,dc=comverse-in,dc=com"
> rootpw {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr
You may want to change your password, since you have posted the hash
(and also your domain). It is now possible to start brute forcing the
hash (or use rainbow tables), and since the domain where this hash was
used is known (and at least the LDAP username), that is a big security
leak.
Other than that, version info and debug info (as Dan asks) are always
good to provide when you have a question.
Regards,
Eli
>
> /etc/openldap/ldap.conf
>
> BASE dc=comverse-in,dc=com
> URI ldaps://devonly144.comverse-in.com
>
> TLS_CACERT /etc/openldap/cacerts/cacert.pem
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT allow
>
> /etc/ldap.conf
>
> base dc=comverse-in,dc=com
> uri ldaps://devonly144.comverse-in.com
> ssl on
>
> Thanks and Regards,
>
> Naga chaitanya
>
> ===============================================================================
> Please refer to http://www.aricent.com/legal/email_disclaimer.html
> for important disclosures regarding this electronic communication.
> ===============================================================================
TLS issue
by Naga Chaitanya Palle
Hi,
I am trying to configure tls for my ldap server.
After successfully creating the below files, I try to start the ldap server and it fails.
/etc/openldap/cacerts/cacert.pem
/etc/openldap/cacerts/slapd-cert.pem
/etc/openldap/cacerts/slapd-key.pem
The log shows the below messages:
main: TLS init def ctx failed: -1
slapd stopped.
connections_destroy: nothing to destry.
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem
database bdb
suffix "dc=comverse-in,dc=com"
rootdn "cn=Manager,dc=comverse-in,dc=com"
rootpw {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr
/etc/openldap/ldap.conf:
BASE dc=comverse-in,dc=com
URI ldaps://devonly144.comverse-in.com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
/etc/ldap.conf:
base dc=comverse-in,dc=com
uri ldaps://devonly144.comverse-in.com
ssl on
Thanks and Regards,
Naga chaitanya
ldap.conf search order problem
by Michel Gruau
Hello,
I have a proxy configuration with several backend directories, one of them using TLS.
I therefore added the following line to ldap.conf in order to let it know the remote server's CA certificate:
TLS_CACERT /opt/openldap/etc/openldap/cacert.pem
This works when the line is inserted in $HOME/ldaprc or $HOME/.ldaprc but never works when inserted in the system-wide ldap configuration file (/usr/local/etc/openldap/ldap.conf).
It does not work either when inserted in /opt/openldap/etc/openldap/ldap.conf (my proxy is installed in /opt/openldap).
Is this a bug? If not, what is the real ldap.conf search order?
Thanks,
Michel
A free mailbox, guaranteed for life, with extra services: tempted?
I'm creating my mailbox at www.laposte.net
Ldap issue
by renu abraham
Ldap issue
I tried to search using the below command and I am getting the following error:
ldapsearch -x -H ldap://127.0.0.1:389/ -D "cn=manager,ou=system,o=example"
-w secret
error:
ldap_bind: Invalid credentials (49)
The contents of my slapd.conf are as below:
database bdb
suffix o=example.com
rootdn cn=manager,ou=system,o=example.com
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
#rootpw {SSHA}JvA5Ovk302pb39afL2yVk9VeAeMNCZAm
# rootpw {crypt}ijFYNcSNctBYg
#access to *
# by * write
access to dn.subtree="o=example.com"
by dn="cn=ldaproot,ou=system,o=example.com" write
by * auth
allow update_anon
access to * by anonymous read
# This allows the ldaproot to extract as much info as possible from the DB
limits dn.exact="cn=ldaproot,ou=system,o=example.com" size=unlimited time=unlimited
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# logging setting
loglevel none
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
Using SSLv2 with ldapclient.
by Friedrich Clausen
Hi,
We have a check (shell script) that talks to a customer's LDAP server
(over which we have no control) and only SSLv2 seems to work when
using "openssl s_client -connect". I am trying to make ldapclient use
SSLv2 but it does not work (Our machine is running RHEL 5.4 x86_64.).
First the OpenSSL illustration:
# openssl s_client -ssl3 -connect 10.1.2.3:636
CONNECTED(00000003)
depth=3 <omitted for privacy>
verify return:1
depth=2 <omitted for privacy>
verify return:1
depth=1 <omitted for privacy>
verify return:1
depth=0 <omitted for privacy>
verify return:1
6759:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:530:
#
But if we use SSLv2 then it works: I am able to establish a
connection and see the certificate used.
I have created a small ldap client config file with the following contents:
TLS_REQCERT never
TLS_CIPHER_SUITE SSLv2
I make sure that config is used by setting the "LDAPCONF" variable
while calling ldapsearch, like so:
# LDAPCONF=./ldaprc ldapsearch -H ldaps://10.1.2.3:636 -x -s base -D
'CN=binder,OU=Service Accounts,OU=example ou,dc=example,dc=com' -w
'secret' -b '' -d 1
ldap_create
ldap_url_parse_ext(ldaps://10.1.2.3:636)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.1.2.3:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.1.2.3:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
#
But it mysteriously fails. If I make the configuration file use SSLv3,
then the following output is given (but that is expected, as the server
does not seem to want to speak SSLv3):
# LDAPCONF=./ldaprc ldapsearch -H ldaps://10.1.2.3:636 -x -s base -D
'CN=binder,OU=Service Accounts,OU=example ou,dc=example,dc=com' -w
'secret' -b '' -d 1
ldap_create
ldap_url_parse_ext(ldaps://10.1.2.3:636)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.1.2.3:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.1.2.3:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 3, <omitted>
TLS certificate verification: depth: 2, <omitted>
TLS certificate verification: depth: 1, <omitted>
TLS certificate verification: depth: 0, <omitted>
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
Any suggestions would be much appreciated.
Regards,
Fred.
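The TLS issue, Ldap issue and SSLv2 posts above each quote a setting a reviewer would flag: SSLv2 left in the cipher suite (whose string syntax depends on whether slapd was built against OpenSSL or GnuTLS), TLS_REQCERT allow/never on the client, a cleartext rootpw, and allow update_anon. The checker below is an added example, not code from any poster or from OpenLDAP; its sample configs are constructed from those directives with placeholder domain and password values.

```python
import re

# Constructed sample: the slapd.conf directives quoted in the threads above,
# with the real domain and password values replaced by placeholders.
SAMPLE_SLAPD_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
allow update_anon
"""

# Constructed sample client config (ldap.conf / ldaprc style).
SAMPLE_LDAP_CONF = """\
BASE dc=example,dc=com
URI ldaps://ldap.example.com
TLS_REQCERT never
TLS_CIPHER_SUITE SSLv2
"""

def directives(text):
    """Yield (keyword, value) per directive; keywords are case-insensitive."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def lint(text):
    """Return (keyword, finding) pairs for the weak settings seen in the threads."""
    findings = []
    for key, value in directives(text):
        if key in ("tlsciphersuite", "tls_cipher_suite") and re.search("sslv2", value, re.I):
            findings.append((key, "SSLv2 enabled; remove it (the string syntax also "
                                  "depends on whether slapd was built with OpenSSL or GnuTLS)"))
        elif key == "rootpw" and not re.match(r"\{[A-Za-z0-9-]+\}", value):
            findings.append((key, "cleartext rootpw; store a slappasswd(8) hash instead"))
        elif key == "tls_reqcert" and value.lower() in ("never", "allow"):
            findings.append((key, f"TLS_REQCERT {value}: server certificate is not verified; "
                                  "use 'demand' together with TLS_CACERT"))
        elif key == "allow" and "update_anon" in value.split():
            findings.append((key, "update_anon lets unauthenticated clients modify entries"))
    return findings

if __name__ == "__main__":
    for name, conf in (("slapd.conf", SAMPLE_SLAPD_CONF), ("ldap.conf", SAMPLE_LDAP_CONF)):
        for key, msg in lint(conf):
            print(f"{name}: {key}: {msg}")
```

A hashed rootpw passes the check but, as the reply in the TLS thread notes, it is still a secret and should not be pasted into public mail.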
Problems using idassert-bind
by michel.gruau
Hello,
I have a slapd-meta configuration with 6 backend directories. All of them can be accessed anonymously except one, which needs to be accessed through a technical account.
This technical account must be used whatever the proxy bind DN is:
- anonymous
- user account
- manager account (cn=Manager,dc=example,dc=com)
Below is my test configuration:
database meta
suffix dc=example,dc=com
uri ldap://remote:389/dc=example,dc=com
idassert-bind bindmethod=simple
    binddn="uid=tech,dc=example,dc=com"
    credentials="password"
As no anonymous access was allowed, I had to add the following line:
idassert-authzFrom "dn.regex:.*"
This configuration allowed me to perform an anonymous search, but the technical account was not used when connecting to the remote directory (the anonymous account was used instead).
I then tested "mode=self" and "mode=anonymous". But I received "protocol error" from the remote server when performing an anonymous search (search using the user account and search using the manager account were working).
I managed to make it work using "mode=none". As the technical account was still not used when connecting to the proxy with a user account, I finally added "flag=override".
This latest configuration looks good to me, but I have two questions:
1/ Do you confirm that "none" is the right mode for my need?
2/ Do you know why I cannot use "self" and "anonymous"? What could be the reason why I receive the "protocol error" using mode=none and mode=self?
FYI, the remote server is a Sun One DS 5.2. I don't know whether that could explain it.
Thank you very much for your expertise.
Michel