January 2012 - openldap-technical

by Kwasi Gyasi - Agyei

Hi, I'm trying to configure openldap using slapd.d style configuration, however command: #ldapadd -vxh localhost -D cn=admin,cn=config -w "" -f /usr/local/conf/shared/openldap/init-config.ldif fails with error ldap_initialize( ldap://localhost ) ldap_bind: Server is unwilling to perform (53) additional info: unauthenticated bind (DN with no password) disallowed #ldapadd -vxh localhost -f /usr/local/conf/shared/openldap/init-config.ldif fails with error ldap_initialize( ldap://localhost ) add objectClass: olcGlobal add olcLogFile: /var/log/openldap/openldap.log add olcLogLevel: -1 adding new entry "cn=config" ldap_add: Strong(er) authentication required (8) additional info: modifications require authentication any ideas? -- Multimedia and Communication | Property | Entertainment Kwasi Owusu Gyasi - Agyei *cell* (+27) (0) 76 466 4488 *website *www.4things.co.za *email *kwasi.gyasiagyei(a)4things.co.za *skype *kwasi.gyasiagyei *role* Developer.Designer.Software Architect

11 years, 7 months

2
1
0 / 0

Issues in implementing SASL

by Gaurav Gugnani

Hello All, I'm trying to configure SASL on openldap and did following steps: 1> Modify the password of the user: saslpasswd2 -c -u <realm> <username> 2> Then i modify slapd.conf: sasl-regexp uid=(.*),cn=<realm>,cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=<realm> 3> After this i try to do ldapsearch and it gave me an error: ldap_bind: Server is unwilling to perform (53) additional info: unauthenticated bind (DN with no password) disallowed Somewhere i read that we have to provide SASL information in slapd.conf however when i write below mentioned content - then ldap doesn't re-start. dn:uid=<username>,ou=System,o=<realm> bindmethod=sasl saslmech=DIGEST-MD5 credentials=<password> realm=<realm> Please help in resolving SASL mechanism to be used. Thanks and Regards, Gaurav Gugnani

11 years, 7 months

2
1
0 / 0

OpenLDAP with BackSQL and Postgres. Upper on bigint?

by Manny

Hi there. I'm sorry for the SPAM. I'm posting this again as apparently I sent it to the wrong mailing list before. I then opened a bug report (ITS#7130) and was hinted that I should write to this mailing list instead, which I did, but it didn't go through (not in the archive) so I subscribed and now try it again. Really sorry if you got my mail many times :( I'm using the latest stable release of openldap, with back-sql and postgresql as a backend. I have an sssd which uses this openldap server for ID providing and authentication. A recent update in this sssd changed the filter used to retrieve groupids of users, which surfaced what seems to be a bug in backsql. >From my investigation it seems to me that when constructing the search query, openldap tries to use the UPPER function on every criteria in the WHERE clause, no matter which type it is. This causes an error in postgresql, as the gidNumber that is supposed to be filtered is of type "bigint". I could simply remove "upper_func" from my slapd.conf, but I need it for other queries. Changing the field gidNumber in the database to text would also be a workaround, but I'd rather prefer this fixed in backsql. Anyways, here is the important part of my slapd.conf: #----------------------------------------------- database sql suffix "dc=mydomain,dc=at" rootdn "cn=Manager,dc=mydomain,dc=at" rootpw mysecret dbname mydbname dbuser mydbuser dbpasswd myuserpw subtree_cond "UPPER(ldap_entries.dn) LIKE UPPER('%'||?)" insentry_stmt "insert into ldap_entries (id,dn,oc_map_id,parent,keyval) values ((select max(id)+1 from ldap_entries),?,?,?,?)" upper_func "upper" upper_needs_cast "yes" strcast_func "text" concat_pattern "?||?" has_ldapinfo_dn_ru no sizelimit -1 #----------------------------------------------- The error can be reproduced in my case when running this command: #----------------------------------------------- ldapsearch -H ldaps://127.0.0.1/ -b ou=groups,ou=myserver,dc=mydomain,dc=at -D "uid=myuser,ou=users,ou=myserver,dc=mydomain,DC=at" '(gidNumber=512)' -W #----------------------------------------------- Which results in this output: #----------------------------------------------- # extended LDIF # # LDAPv3 # base <ou=groups,ou=myserver,dc=mydomain,dc=at> with scope subtree # filter: (gidNumber=512) # requesting: ALL # # search result search: 2 result: 80 Other (e.g., implementation specific) error #----------------------------------------------- Here is the interesting part of the level 255 log output: #----------------------------------------------- <==backsql_oc_get_candidates(): 0 ==>backsql_oc_get_candidates(): oc="sambaDomain" ==>backsql_srch_query() ==>backsql_process_filter() <==backsql_process_filter() succeeded <==backsql_srch_query() returns SELECT DISTINCT ldap_entries.id,samba_domain_ldap.id,text('sambaDomain') AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,samba_domain_ldap WHERE samba_domain_ldap.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND UPPER(ldap_entries.dn) LIKE UPPER('%'||?) AND 7=7 Constructed query: SELECT DISTINCT ldap_entries.id,samba_domain_ldap.id,text('sambaDomain') AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,samba_domain_ldap WHERE samba_domain_ldap.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND UPPER(ldap_entries.dn) LIKE UPPER('%'||?) AND 7=7 id: '6' (sub)dn: "%OU=GROUPS,OU=MYSERVER,DC=MYDOMAIN,DC=AT" <==backsql_oc_get_candidates(): 0 ==>backsql_oc_get_candidates(): oc="inetOrgPerson" ==>backsql_srch_query() ==>backsql_process_filter() ==>backsql_process_filter_attr(gidNumber) <==backsql_process_filter_attr(gidNumber) <==backsql_process_filter() succeeded <==backsql_srch_query() returns SELECT DISTINCT ldap_entries.id,OS_USER.id,text('inetOrgPerson') AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,OS_USER WHERE OS_USER.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND UPPER(ldap_entries.dn) LIKE UPPER('%'||?) AND (upper(OS_USER.gidnumber)='512') Constructed query: SELECT DISTINCT ldap_entries.id,OS_USER.id,text('inetOrgPerson') AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,OS_USER WHERE OS_USER.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND UPPER(ldap_entries.dn) LIKE UPPER('%'||?) AND (upper(OS_USER.gidnumber)='512') id: '8' (sub)dn: "%OU=GROUPS,OU=MYSERVER,DC=MYDOMAIN,DC=AT" backsql_oc_get_candidates(): error executing query Return code: -1 nativeErrCode=7 SQLengineState=S1000 msg="[unixODBC]ERROR: function upper(bigint) does not exist at character 288;#012Error while executing the query" #----------------------------------------------- I got a hint that I might be able to configure this in ldap_attr_mappings, but as I can find no documentation on what the columns in this table mean, it's hard for me to figure out what to do. The only thing that I can tell is that I can not see the word UPPER anywhere in the sel_expr field (or any other field for that matter). Thanks a lot in advance for your help.

11 years, 7 months

1
0
0 / 0

ftp.openldap.org/incoming: No space left on device

by SATOH Fumiyasu

Hi, ftp://ftp.openldap.org/incoming has no disk free. ---> PASV <--- 227 Entering Passive Mode (204,152,186,57,233,61) ---- Connecting data socket to (204.152.186.57) port 59709 ---> STOR openldap-2.4.28-man1-add-o-option.patch <--- 150 Opening BINARY mode data connection for 'openldap-2.4.28-man1-add-o-option.patch'. <--- 452 Error writing to file: No space left on device. -- -- Name: SATOH Fumiyasu (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- Personal Home: http://www.SFO.jp/blog/

11 years, 7 months

1
0
0 / 0

Re: Assertion failure -- using relay backend and translucent overlay

by Mattias Andersson

On Sun, 29 Jan 2012 17:10:00 +0100, Hallvard B Furuseth <h.b.furuseth(a)usit.uio.no> wrote: >>> ldapsearch -x -h localhost -b "dc=example,dc=com" -s base >>> "(objectClass=*)" 1.1 >> (...) >> Ok, here's the debug output from the above ldapsearch query: >> (...) >> conn=1000 op=1 SRCH base="dc=chalmers,dc=se" scope=2 deref=0 >> filter="(objectClass=*)" >> conn=1000 op=1 SRCH attr=1.1 > > Strange. Did you include -s base? scope=2 in the log is subtree. It automatically changed to scope=2 when I appended 1.1. > Anyway, I suggest you answer in the ITS instead. > A crash is certainly a bug which needs fixing. Ok, I'll post a bug report. Btw, I'm using slapd 2.4.25 (Nov 14 2011 21:34:11). Mattias

11 years, 7 months

1
1
0 / 0

Assertion failure -- using relay backend and translucent overlay

by Mattias Andersson

Hi, I have configured a proxy server with its own local database that is used both to override existing attributes of a remote database and to add its own entries to the directory. I have configured the local database as subordinate and I have configured a relay database that is also pointing to the local database, but it is using the translucent overlay to connect to the remote ldap directory. My slapd.conf configuration: backend hdb backend ldap database hdb directory /var/lib/ldap suffix "dc=foo,dc=example,dc=com" rootdn "cn=admin,dc=foo,dc=example,dc=com" rootpw secret index objectClass eq subordinate database relay suffix "dc=example,dc=com" overlay rwm rwm-suffixmassage "dc=foo,dc=example,dc=com" overlay translucent uri ldap://ldap.example.com translucent_bind_local This configuration actually does exactly what I have been trying to achieve. I can override user attributes and at the same time I can add additional group entries without having root access to the remote server. I have tested it with the ldap nss service in linux and it works without errors. The updated user accounts are correctly retrieved and the new groups are added transparently. If I use ldapsearch, it will search both the local and the remote server. The problem that I've experienced is that when I'm using a different ldap client, such as Softerra LDAP Administrator, then the daemon crashes when a search query is performed: slapd starting conn=1000 fd=11 ACCEPT from IP=X.X.X.X:61230 (IP=0.0.0.0:389) conn=1000 op=0 BIND dn="" method=128 conn=1000 op=0 RESULT tag=97 err=0 text= conn=1000 op=1 SRCH base="dc=example,dc=com" scope=0 deref=0 filter="(objectClass=*)" conn=1000 op=1 SRCH attr=1.1 conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self. slapd: /build/buildd/openldap-2.4.25/servers/slapd/attr.c:236: attr_dup2: Assertion `j < i' failed. Aborted The message that "back-relay would call itself" is also logged when using ldapsearch, but ldapsearch does not cause an assertion failure: slapd starting conn=1000 fd=11 ACCEPT from IP=127.0.0.1:36760 (IP=0.0.0.0:389) conn=1000 op=0 BIND dn="" method=128 conn=1000 op=0 RESULT tag=97 err=0 text= conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" conn=1000 op=1: back-relay for DN="dc=example,dc=com" would call self. PROXIED attributeDescription "ORCLNETDESCSTRING" inserted. conn=1000 op=1 SEARCH RESULT tag=101 err=4 nentries=300 text= conn=1000 op=2 UNBIND conn=1000 fd=11 closed I'm happy with the proxy functionality that I've managed to configure (which is working), but it's definitely a security vulnerability when simply using a different LDAP client causes the server to crash. Is there any way I could avoid the assertion failure? Should I post a bug report? TIA, Mattias

11 years, 7 months

2
2
0 / 0

syncrepl failing with ldap_start_tls failed (-11)

by Iain Georgeson

Hello, * Summary: I'm trying to set up syncrepl in my LDAP infrastructure. The logs on my consumer show that syncrepl is failing to negotiate TLS when connecting to the provider. Other LDAP commands such as ldapsearch and sssd show no problem connecting using the same TLS configuration. At this point, I don't have a good idea of how to continue debugging this problem. Are there any more configuration items affecting TLS I should be looking at? Or any way of getting more details on the TLS nagotiation? * The provider ("auth-00.[MYDOMAIN]"): slapd 2.4.23 from openldap-servers-2.4.23-15.el6.x86_64 on Scientific Linux 6. TLS is configured with [cn=config] olcTLSCACertificateFile: /etc/ssl/[MYCA].pem olcTLSCertificateFile: /etc/ssl/certs/auth-00.crt.pem # Has CN=auth-00.[MYDOMAIN] olcTLSCertificateKeyFile: /etc/ssl/private/auth-00.key.pem olcTLSVerifyClient: never If I try: $ ldapsearch -ZZ -x -H ldap://auth-00.[MYDOMAIN]/ uid=iain it connects and cheerfully returns objects * The provider ("auth-01.MYDOMAIN"): Same slapd version, same package, same OS. syncrepl configuration: olcSyncrepl: rid=001 provider=ldap://auth-00.[MYDOMAIN]:389 bindmethod=simple timeout=0 network-timeout=0 binddn="cn=syncrepl,dc=[MYDOMAIN]" credentials="[MYPASSWORD]" keepalive=0:0:0 filter="(objectClass=*)" searchbase="dc=[MYDOMAIN]" scope=sub schemachecking=off type=refreshAndPersist retry="10 3 120 5 600 +" starttls=critical tls_cacert=/etc/ssl/MYCA.pem * The error Consumer: Jan 28 11:53:12 auth-01 slapd[5595]: slapd starting Jan 28 11:53:12 auth-01 slapd[5595]: slap_client_connect: URI=ldap://auth-00.[MYDOMAIN]:389 Error, ldap_start_tls failed (-11) Jan 28 11:53:13 auth-01 slapd[5595]: do_syncrepl: rid=001 rc -11 retrying (2 retries left) Provider receiving syncrepl connection: Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 ACCEPT from IP=[AUTH-01'S IP]:42669 (IP=0.0.0.0:389) Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 STARTTLS Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 op=0 RESULT oid= err=0 text= Jan 28 11:53:23 auth-00 slapd[10701]: conn=7849 fd=32 closed (TLS negotiation failure) Provider receiving ldapsearch connection: Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 ACCEPT from IP=[AUTH-01'S IP]:42765 (IP=0.0.0.0:389) Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 STARTTLS Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=0 RESULT oid= err=0 text= Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 fd=103 TLS established tls_ssf=256 ssf=256 Jan 28 13:55:59 auth-00 slapd[22621]: conn=1099 op=1 BIND [...] Thanks, Iain. -- Systems Engineer KAUST Visualisation Laboratory

11 years, 7 months

2
2
0 / 0

ldapsearch -y works great, -w barks

by Randy Schultz

Howdy, I'm confused as to why an operation with the -y filename works great, but the same operation with the -w pw dies with "ldap_bind: Invalid credentials (49)". The first file I've attached is with the -y, it works. The second is with the -w. I did notice the difference where the working one had a "." at the end of the pw, which was not present when using the -w option. To make sure I was not entering a typo on the commandline pw, I wrote a quick script, just a #!/bin/sh P=`cat p2` echo "|$P|" ldapsearch -v -d -1 -x -w "$P" -D cn=manager,dc=earlham,dc=edu -b ou=People,dc=earlham,dc=edu -h xaga This also died with invalid credentials after printing out the pw. Anybody have an idea what's going on? -- Randy (schulra(a)earlham.edu) 765.983.1283 <*> nosce te ipsum

11 years, 7 months

4
4
0 / 0

Trying to get passthrough auth working with OpenLDAP and Kerberos

by Chastity Blackwell

For the last two weeks I have been on a sojourn through the wonderful world of LDAP, Kerberos, and SASL, which has had me banging my head against the desk more often than not. Today I'm finally crying uncle and asking for some help. We're running Centos 5.4, currently with OpenLDAP for user info and Kerberos for authentication, but we want to be able to use LDAP for authentication on a bunch of devices that can't use Kerberos natively. So I've been trying to get the passthrough auth working. So far, I think I've made a lot of progress, but I've run into a wall. Kerberos and LDAP are working in my testbed, and I can kinit and do an ldapwhoami no problem. testsaslauthd also gives me a success when I run it. However, when try to do a simple bind: [chas@ldapsandbox]$ ldapwhoami -x -D 'uid=chas,ou=People,dc=test,dc=domain' -W Enter LDAP Password: ldap_bind: Invalid credentials (49) [chas@ldapsandbox]$ syslog shows this: 2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 fd=15 ACCEPT from IP=10.17.136.50:55923 (IP=0.0.0.0:389) 2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 op=0 BIND dn="uid=chas,ou=People,dc=test,dc=domain" method=128 2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: SASL [conn=6] Failure: cannot connect to saslauthd server: No such file or directory 2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 op=0 RESULT tag=97 err=49 text= 2012-01-25T12:04:55-08:00 ldapsandbox slapd[14363]: conn=6 fd=15 closed (connection lost) Meanwhile, the saslauthd I'm running with /usr/sbin/saslauthd -a kerberos5 -d doesn't even show a connection or anything to the console. Any idea why it can't connect to the saslauthd server? Here's my OpenLDAP slapd.conf: include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificateFile /etc/openldap/cacert.crt TLSCertificateFile /etc/openldap/ldapsandbox.crt TLSCertificateKeyFile /etc/openldap/ldapsandbox.key authz-regexp uid=([^/]*),cn=gssapi,cn=auth uid= $1,ou=People,dc=test,dc=domain access to * by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write by * read database bdb suffix "dc=test,dc=domain" directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub And here's my /etc/sasl2/slapd.conf: pwcheck_method: saslauthd saslauthd_path: /var/run/sasl2/mux Any ideas?

11 years, 7 months

4
18
0 / 0

How to enable monitoring in OpenLdap with cn=config Backend

by Axel Birndt

Hi @All, i would like to ask you how could i enable the monitoring backend in Openldap. I'am using the cn=config Backend. A little bit "googling" does not give me the needed information. I found something like this: http://dkluenter.gmxhome.de/ffg-tutorium.pdf , but with no information, how to enable the monitoring. At openldap.org, the section http://www.openldap.org/devel/admin/monitoringslapd.html#Monitor configuration via cn=config(5) the section "18.1. Monitor configuration via cn=config(5)" is empty. In the archive from this list i found the following thread http://www.openldap.org/lists/openldap-technical/201110/msg00122.html but this thread don't help me to got an idea what i should do, to configure the monitoring in openldap. Do you have a doc or howto with further information about this? I need the documentation for the cn=config backend. I don't have an slapd.conf! Thanks and regards, Axel -- Gruß Axel ------------------------------

11 years, 7 months

6
24
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2012