openldap-technical August 2011

openldap-technical@openldap.org

87 participants
96 discussions

Re: Customizing organizationalUnit
by Erwann ABALEA 06 Aug '11

06 Aug '11

Le 6 août 2011 15:49, "Michael Ströder" <michael(a)stroeder.com> a écrit : > > harry.jede(a)arcor.de wrote: > > The cleanest approach is to modify your OU entries: > > > > objectClass: top > > objectClass: organizationalUnit > > objectClass: extensibleObject > > > > Now, all attributes which are defined in any schema are allowed :-) . > > That's what I consider bad advice and definitely not the cleanest approach. This is equivalent to your solutions 1 and 2, described 3 days ago.

2 2

Customizing organizationalUnit
by Derek Chen-Becker 06 Aug '11

06 Aug '11

Hello all, I'm migrating a server from an older OpenLDAP 2.1 install to 2.4.21 and I've run into a (hopefully) small issue. On our old install we had added some attributes to organizationalUnit ("mail" is really the important one) just by editing the schema files, but I can't figure out how to do the same on 2.4.21 using the LDAP interface. I found this email on the list: http://www.openldap.org/lists/openldap-technical/201106/msg00182.html But it doesn't seem to have any replies. I've been fiddling with ldapmodify but I keep on getting strange errors: root@lsmail:/etc/ldap/schema# ldapmodify -x -D cn=admin,dc=cpicorp,dc=com -W -f CPI-core.ldif Enter LDAP Password: modifying entry "cn=core,cn=schema,cn=config" ldap_modify: No such object (32) matched DN: cn=schema,cn=config Is this possible with 2.4.21, or do I need to stick with an older version of OpenLDAP? Thanks, Derek

4 6

copying a multi-master node to a standalone node
by Patrick H. 05 Aug '11

05 Aug '11

I am trying to create a duplicate of a production node that is in a multi-master replication setup to a standalone node for testing purposes. However whenever I try to make any changes to the testing database, I get the "shadow context; no update referral" error. I have removed all olcServerID attributes, set olcMirrorMode to false, removed the syncprov module and its overlay entries, and removed the olcSyncrepl attributes. But after all this its still giving the error. What am I missing here?

1 0

RE: TLS issue
by Naga Chaitanya Palle 05 Aug '11

05 Aug '11

Thanks Rosenberg for your suggestions. The issue was with wrong path mentioned for certificate files. Without commenting the TLSCipherSuite HIGH:MEDIUM:+SSLv2 line, also I could start slapd -----Original Message----- From: E.S. Rosenberg [mailto:esr@g.jct.ac.il] Sent: Thursday, August 04, 2011 10:06 PM To: Naga Chaitanya Palle Cc: openldap-technical(a)openldap.org Subject: Re: TLS issue 2011/8/4 Naga Chaitanya Palle <Naga.Chaitanya(a)aricent.com>: > Hi, > > > > I am trying to configure tls for my ldap server. > > After successfully creating the below files, I try to start the ldap server > and it fails. > > > > /etc/openldap/cacerts/cacert.pem > > /etc/openldap/cacerts/slapd-cert.pem > > /etc/openldap/cacerts/slapd-key.pem > > > > The log shows the below messages > > > > main: TLS init def ctx failed: -1 > > slapd stopped. > > connections_destroy: nothing to destry. > > > > Slapd.conf > > > > TLSCipherSuite HIGH:MEDIUM:+SSLv2 Try removing this line, if I'm not mistaken it's according to openssl syntax while openldap is (usually) compiled against gnu-tls which uses a different syntax. Also SSLv2 is generally not considered secure so unless you have some apps that cant do SSLv3 or better (TLSv1 == SSLv3.1) you should turn SSLv2 of. > > TLSCACertificateFile /etc/openldap/cacerts/cacert.pem > > TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem > > TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem Are your certs self-signed or from a CA? Did you make sure that the private key cert (and the other certs too?) are not stored encrypted (-nodes switch in openssl). > > > > database bdb > > suffix "dc=comverse-in,dc=com" > > rootdn "cn=Manager,dc=comverse-in,dc=com" > > rootpw {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr You may want to change your password since you have posted the hash (and also your domain) it is now possible to start brute forcing (or use rainbow tables) the hash and since the domain where this hash was used is known (and at least the LDAP username) that is a big security leak. Other than that version info and debug info (as Dan asks) is always good to provide when you have a question. Regards, Eli > > > > /etc/openldap/ldap.conf > > BASE dc=comverse-in,dc=com > > URI ldaps://devonly144.comverse-in.com > > > > TLS_CACERT /etc/openldap/cacerts/cacert.pem > > TLS_CACERTDIR /etc/openldap/cacerts > > TLS_REQCERT allow > > > > /etc/ldap.conf > > base dc=comverse-in,dc=com > > uri ldaps://devonly144.comverse-in.com > > ssl on > > > > Thanks and Regards, > > Naga chaitanya > > =============================================================================== > Please refer to http://www.aricent.com/legal/email_disclaimer.html > for important disclosures regarding this electronic communication. > =============================================================================== > =============================================================================== Please refer to http://www.aricent.com/legal/email_disclaimer.html for important disclosures regarding this electronic communication. ===============================================================================

1 0

TLS issue
by Naga Chaitanya Palle 05 Aug '11

05 Aug '11

Hi, I am trying to configure tls for my ldap server. After successfully creating the below files, I try to start the ldap server and it fails. /etc/openldap/cacerts/cacert.pem /etc/openldap/cacerts/slapd-cert.pem /etc/openldap/cacerts/slapd-key.pem The log shows the below messages main: TLS init def ctx failed: -1 slapd stopped. connections_destroy: nothing to destry. Slapd.conf TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/cacerts/slapd-cert.pem TLSCertificateKeyFile /etc/openldap/cacerts/slapd-key.pem database bdb suffix "dc=comverse-in,dc=com" rootdn "cn=Manager,dc=comverse-in,dc=com" rootpw {SSHA}hBlwVEbzHMzm1Wof9Lb1dA/fcuJDt6pr /etc/openldap/ldap.conf BASE dc=comverse-in,dc=com URI ldaps://devonly144.comverse-in.com TLS_CACERT /etc/openldap/cacerts/cacert.pem TLS_CACERTDIR /etc/openldap/cacerts TLS_REQCERT allow /etc/ldap.conf base dc=comverse-in,dc=com uri ldaps://devonly144.comverse-in.com ssl on Thanks and Regards, Naga chaitanya =============================================================================== Please refer to http://www.aricent.com/legal/email_disclaimer.html for important disclosures regarding this electronic communication. ===============================================================================

4 4

ldap.conf search order problem
by Michel Gruau 04 Aug '11

04 Aug '11

Hello, I have a proxy configuration with severall backend directories and one of them in TLS. I thus added the following line in ldap.conf in order to let it know the remote server server CA certificate TLS_CACERT /opt/openldap/etc/openldap/cacert.pem This is working when this line is inserted in $HOME/ldaprc or $HOME/.ldaprc but never working when inserted in the system-wide ldap configuration file (/usr/local/etc/openldap/ldap.conf). Not working neither when inserted in /opt/openldap/etc/openldap/ldap.conf (my proxy is installed in /opt/openldap). Is this a bug ? if not, what is the real ldap.conf search order ? Thanks, Michel Une messagerie gratuite, garantie à vie et des services en plus, ça vous tente ? Je crée ma boîte mail www.laposte.net

3 3

Ldap issue
by renu abraham 03 Aug '11

03 Aug '11

*Ldap issue* I tried to search using below commnad and I am getting following error ldapsearch -x -H ldap://127.0.0.1:389/ -D "cn=manager,ou=system,o=example" -w secret *error:* ldap_bind: Invalid credentials (49) *My slapd.conf contents is as below:* database bdb suffix o=example.com rootdn cn=manager,ou=system,o=example.com # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret #rootpw {SSHA}JvA5Ovk302pb39afL2yVk9VeAeMNCZAm # rootpw {crypt}ijFYNcSNctBYg #access to * # by * write access to dn.subtree="o=example.com" by dn="cn=ldaproot,ou=system,o=example.com" write by * auth allow update_anon access to * by anonymous read # This allows the ldaproot to extract as much info as possible from the DB limits dn.exact="cn=ldaproot,ou=system,o=example.com" size=unlimited time=unlimited # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # logging setting loglevel none # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM

3 2

Re: Ldap issue
by Erwann ABALEA 03 Aug '11

03 Aug '11

Le 3 août 2011 19:08, "renu abraham" <ace.renu(a)gmail.com> a écrit : > ldapsearch -x -H ldap://127.0.0.1:389/ -D "cn=manager,ou=system,o=example" -w secret Is that the real command? There's a mismatch between "o=example" here, and the declared "o=example.com" below. > suffix o=example.com > rootdn cn=manager,ou=system,o=example.com

1 0

Using SSLv2 with ldapclient.
by Friedrich Clausen 03 Aug '11

03 Aug '11

Hi, We have a check (shell script) that talks to a customer's LDAP server (over which we have no control) and only SSLv2 seems to work when using "openssl s_client -connect". I am trying to make ldapclient use SSLv2 but it does not work (Our machine is running RHEL 5.4 x86_64.). First an the OpenSSL illustration ]# openssl s_client -ssl3 -connect 10.1.2.3:636 CONNECTED(00000003) depth=3 <omitted for privacy> verify return:1 depth=2 <omitted for privacy> verify return:1 depth=1 <omitted for privacy> verify return:1 depth=0 <omitted for privacy> verify return:1 6759:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530: # but if we use SSLv2 then it works - I am able to establish a connection and see the certificate used. I have created a small ldap client config file with the following contents TLS_REQCERT never TLS_CIPHER_SUITE SSLv2 I make sure that config is used by setting the "LDAPCONF" variable while calling ldapsearch, like so # LDAPCONF=./ldaprc ldapsearch -H ldaps://10.1.2.3:636 -x -s base -D 'CN=binder,OU=Service Accounts,OU=example ou,dc=example,dc=com' -w 'secret' -b '' -d 1 ldap_create ldap_url_parse_ext(ldaps://10.1.2.3:636) ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 10.1.2.3:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.1.2.3:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1) # but it mysteriously fails. If I make the configuration file us SSLv3, then the following output is given (but that is expected as the server does not seem to want to speak SSLv3) - # LDAPCONF=./ldaprc ldapsearch -H ldaps://10.1.2.3:636 -x -s base -D 'CN=binder,OU=Service Accounts,OU=example ou,dc=example,dc=com' -w 'secret' -b '' -d 1 ldap_create ldap_url_parse_ext(ldaps://10.1.2.3:636) ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 10.1.2.3:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.1.2.3:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 3, <omitted> TLS certificate verification: depth: 2, <omitted> TLS certificate verification: depth: 1, <omitted> TLS certificate verification: depth: 0, <omitted> TLS trace: SSL_connect:SSLv3 read server certificate A TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A TLS trace: SSL_connect:SSLv3 flush data TLS trace: SSL_connect:failed in SSLv3 read finished A TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1) any suggestions would be much appreciated. Regards, Fred.

1 0

Problems using idassert-bind
by michel.gruau 03 Aug '11

03 Aug '11

Hello, A have a slapd-meta configuration with 6 backend directories. All of them can be accessed anonymously except One of them need that need to be accessed through a technical account. This technical must be used whatever the proxy bind DN is: - anonymous - user account - manager account (cn=Manager,dc=example,dc=com) Below is my test configuration: database meta suffix dc=example,dc=com uri ldap://remote:389/dc=example,dc=com idassert-bind bindmethod=simple binddn="uid=tech,dc=example,dc=com" credentials="password" As no anonymous access were allowed, I had to add the following line: idassert-authzFrom "dn.regex:.*" This configuration allowed me to perform an anonymous search but the technical account were not used when connecting to the remote directory (anonymous account were used instead). I then tested "mode=self" and "mode=anonymous". But I received "protocol error" from the remote server when performing an anonymous search (search using user account and search using manager account were working). I managed to make it working using "mode=none". As the technical account were still not used when connecting to the proxy with a user account, I finally add the "flag=override". This latest configuration looks good to me but I have to questions : 1/ Do you confirm that "none" is the rigth mode for my need ? 2/ Do you now why I cannot use "self" and "anonymous" ? What could be the reason why I receive the "protocol error" using mode=none and mode=self ? FYI, remote server is a Sun One DS 5.2. I don't know whether it could explain. Thank you very much for your expertise. Michel Une messagerie gratuite, garantie à vie et des services en plus, ça vous tente ? Je crée ma boîte mail www.laposte.net

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2011