openldap-technical February 2012

openldap-technical@openldap.org

98 participants
113 discussions

LDAP_OPT_X_TLS_xxx option in SSL/TLS connection
by Qiang Xu 05 Mar '12

05 Mar '12

Hello All, Today I came across a strange problem. I wrote a program to test ldap ssl/tls connection with OpenLDAP library. Something like the code snippet as follows: int ret = LDAP_OPT_SUCCESS; int cert_flag = LDAP_OPT_X_TLS_NEVER; ... ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag); if (ret != LDAP_OPT_SUCCESS) { fprintf(stderr, "unable to set require cert option (LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n", ldap_err2string(ret)); } ... // bind to the server cert_flag = LDAP_OPT_X_TLS_DEMAND; ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag); if (ret != LDAP_OPT_SUCCESS) { fprintf(stderr, "unable to set require cert option (LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n", ldap_err2string(ret)); } ... // bind to the server The first binding is successful, as expected. However, the second binding is also successful, which is contrary to my expectation, because I didn't create any cert file yet. Another observation here is that if the first binding with LDAP_OPT_X_TLS_NEVER is removed, and the second binding with LDAP_OPT_X_TLS_DEMAND set is done right from the beginning, then it will fail, as expected. So, it seems the first value set to the option LDAP_OPT_X_TLS_REQUIRE_CERT will override the later values, isn't it? Is it possible to change this option's value on the fly (means different bindings use different values for this cert option)? Thanks, Qiang

4 8

i don't find a new user added in getent passwd list
by stefano 02 Mar '12

02 Mar '12

hi, i started to work with posixAccount objectClass. i installed libnss-ldap on debian squeeze server. i configured it during install time and i modified nsswitch.conf as follow: passwd files ldap group files ldap shadow files ldap and i didn't modify the remains lines. i succesfully added a structure.ldif file as follow #the root of the directory dn: dc=amahoro,dc=bi dc: amahoro o: amahoro.bi objectClass: top objectClass: dcObject objectClass: organization #subtree for the administrators dn: cn=Administrators,dc=amahoro,dc=bi cn: Administrators gidNumber: 100 objectClass: posixGroup i succesfully added a administrators.ldif file as follow: #Stefano Malini dn: uid=name,cn=Administrators,dc=amahoro,dc=bi cn: Administrators uid: name uidNumber: 100 gidNumber:100 homeDirectory: /home/name/ #Name info cn: Name Surname sn: Surname givenName: Name displayName: Name Surname #Work info title: System Administrator mail: address@mail #Misc userPassword: {SSHA}vB/RyxNdsVkwc9dDxEuS/sIGESBAkzTw objectClass: posixAccount objectClass: inetOrgPerson Now, with getent command-line there is not this user. Why?

3 7

memberOf and glued databases
by Marc Patermann 02 Mar '12

02 Mar '12

Hi, short question first: Is overlay memberOf supposed to work with glued databases in any direction? I tried with 2.4.28 and get the following results: slapd.conf with two databases 1. step ------- This is simple. MemberOf overlay only in one database ou=groups,ou=foo,ou=bar (subordinated). database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof database bdb suffix ou=bar ... - created one inetOrgPerson object employeenumber=11,ou=groups,ou=foo,ou=bar - created one group ou=2,ou=groups,ou=foo,ou=bar with member: employeenumber=11,ou=groups,ou=foo,ou=bar => memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and unset just fine. => no modifications in superior database ou=bar 2. step ------- overlay loaded in both databases database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof database bdb suffix ou=bar ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof => modification in the subordinated database work in 1. step. - created one inetOrgPerson object employeenumber=1,ou=bar - created one group ou=1,ou=bar with member: employeenumber=1,ou=bar => memberOf in employeenumber=1,ou=bar is set and unset just fine. memberOf is working in the superior database. - setting group ou=1,ou=bar member: employeenumber=11,ou=groups,ou=foo,ou=bar => memberOf in employeenumber=11,ou=groups,ou=foo,ou=bar is set and unset just fine. Changes in groups of superior databases work in subordinate databases! - setting group ou=2,ou=groups,ou=foo,ou=bar member: employeenumber=1,ou=bar => does _not_ work: memberof_value_modify DN="employeenumber=1,ou=bar" add memberOf ="ou=2,ou=groups,ou=foo,ou=bar" failed err=32 Changes in groups of subordinated databases do not work in the superior database! 3. step ------- setting "overlay glue" explicitly and removing overlay memberof from the subordinate database: database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... database bdb suffix ou=bar ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof overlay glue => changes in the subordinated database are _not_ managed by the overlay. => changes in groups of superior databases work in subordinate databases and in the superior database! 3. step II ---------- if glue is located in slapd.conf before memberof (which is IMHO wrong) and MOD on member in a group in the subordinated database is send, slapd segfaults! 4. step ------- setting "overlay glue" explicitly and overlay memberof in both databases: database hbd suffix ou=groups,ou=foo,ou=bar subordinate ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof database bdb suffix ou=bar ... overlay memberof memberof-group-ac groupOfNames memberof-member-ad member memberof-memberof-ad memberof overlay glue => like 2. step So the best I get is - memberOf works in the database, where it is set - memberOf works for group changes in superior database on members in subordinated databases - memberOf does not work for group changes in subordinated databases to members in superior databases. Is this the way it is supposed to work? What I really wanted to achieve is to get memerOf to work between database (under glue) of the same level. (Like ou=1,ou=foo and ou=2,ou=foo both subordinated of ou=foo.) But while my testings above did not succeed, it did not tried. Marc

9 15

delta-syncrepl and mirrormode problem (2.4.29)
by frank.offermanns＠caseris.de 01 Mar '12

01 Mar '12

Hi, I want to use delta-syncrepl replication with 2 masters. But each slapd-process permanently needs about 25 % CPU usage without any traffic on it. The log looks endless like this: ** ld 01e43698 Outstanding Requests: * msgid 55, origid 55, status InProgress outstanding referrals 0, parent count 0 ld 01e43698 request count 1 (abandoned 18) ** ld 01e43698 Response Queue: Empty ld 01e43698 response count 0 ldap_chkResponseList ld 01e43698 msgid 55 all 0 ldap_chkResponseList returns ld 01e43698 NULL ldap_int_select read1msg: ld 01e43698 msgid 55 all 0 ber_get_next ber_get_next: tag 0x30 len 1187 contents: abandoned/discarded ld 01e43698 msgid 53 message type search-entry wait4msg continue ld 01e43698 msgid 55 all 0 ** ld 01e43698 Connections: * host: secondmaster.mydomain.local port: 389 (default) refcnt: 2 status: Connected last used: Mon Feb 13 11:26:53 2012 ** ld 01e43698 Outstanding Requests: * msgid 55, origid 55, status InProgress outstanding referrals 0, parent count 0 ld 01e43698 request count 1 (abandoned 18) ** ld 01e43698 Response Queue: Empty ld 01e43698 response count 0 ldap_chkResponseList ld 01e43698 msgid 55 all 0 ldap_chkResponseList returns ld 01e43698 NULL ldap_int_select read1msg: ld 01e43698 msgid 55 all 0 ber_get_next ber_get_next: tag 0x30 len 1187 contents: abandoned/discarded ld 01e43698 msgid 53 message type search-entry wait4msg continue ld 01e43698 msgid 55 all 0 ** ld 01e43698 Connections: * host: secondmaster.mydomain.local port: 389 (default) refcnt: 2 status: Connected last used: Mon Feb 13 11:26:53 2012 here is my configuration (completely the same for both masters): ----------------------------------------------------------------------------------------------------- ucdata-path ./ucdata include ./schema/core.schema include ./schema/cosine.schema include ./schema/Personcaesar.schema include ./schema/ConfigObjects.schema loglevel 0 logfile "C:/test/slapd.log" pidfile ./run/slapd.pid argsfile ./run/slapd.args access to * by dn.one="ou=Admins,o=caesar" write by anonymous auth ServerID 1 "ldap://firstmaster.mydomain.local" ServerID 2 "ldap://secondmaster.mydomain.local" ###################################################################### database config rootdn cn=config rootpw {SHA}secret ####################################################################### # BDB database definitions ####################################################################### # Accesslog database definitions database hdb suffix cn=accesslog checkpoint 1024 5 cachesize 10000 directory "C:/test/accessdata" dbconfig set_cachesize 0 30000000 1 dbconfig set_flags DB_LOG_AUTOREMOVE dbconfig set_lg_regionmax 1048576 dbconfig set_lg_max 10485760 dbconfig set_lg_bsize 2097152 rootdn cn=accesslog index objectClass,entryCSN,entryUUID eq # I even tried removing reqMod, reading your docs I am not sure if this is needed here index reqEnd,reqResult,reqMod,reqStart eq overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE # Let the replica DN have limitless searches limits dn.exact="cn=Replicator,ou=admins,o=caesar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited # Primary database definitions database hdb suffix "o=caesar" checkpoint 1024 5 cachesize 10000 idlcachesize 30000 rootdn "cn=Administrator,o=caesar" rootpw {SHA}secret directory "C:/test/data" dbconfig set_cachesize 0 100000000 1 dbconfig set_flags DB_LOG_AUTOREMOVE dbconfig set_lg_regionmax 1048576 dbconfig set_lg_max 10485760 dbconfig set_lg_bsize 2097152 # syncprov specific indexing index sn pres,eq index cn pres,eq,sub ... index entryUUID eq index entryCSN eq index objectClass eq # syncrepl Provider for primary db overlay syncprov syncprov-checkpoint 1000 60 syncprov-sessionlog 10000 # accesslog overlay definitions for primary db overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE # scan the accesslog DB every day, and purge entries older than 7 days logpurge 07+00:00 01+00:00 sizelimit size.soft=100 size.hard=1000 size.prtotal=unlimited # Let the replica DN have limitless searches limits dn.exact="cn=Replicator,ou=admins,o=caesar" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited syncrepl rid=001 provider="ldap://firstmaster.mydomain.local" searchbase="o=caesar" type=refreshAndPersist retry="5 3 15 +" binddn="cn=Replicator,ou=admins,o=caesar" bindmethod=simple credentials="secret" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on syncdata=accesslog syncrepl rid=002 provider="ldap://secondmaster.mydomain.local" searchbase="o=caesar" type=refreshAndPersist retry="5 3 15 +" binddn="cn=Replicator,ou=admins,o=caesar" bindmethod=simple credentials="secret" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on syncdata=accesslog MirrorMode On ----------------------------------------------------------------------------------------------------- I did my test on 2 Windows PCs and OpenLDAP 2.4.29 with Berkeley 5.1 . Thanks for any hints, FO

2 4

Controlled LDAP Proxy/Relay
by W.Siebert＠t-systems.com 01 Mar '12

01 Mar '12

Hello, I'v implemented a OpenLDAP Metadirectory that proxying 2 Microsft AD targets. One target is customers AD, the second our AD for management purposes. Problem: slapd-meta tries to authenticate the user first by one target and if this user there not exist will be the second target connected. Means: in both directories Intrusion Detection register a lot of unsuccessfully authentication. Is it possible to implement the controlled proxy with OpenLDAP ? E.g., like Radiusproxy based on realm: when username is xxx(a)domain01.com<mailto:xxx@domain01.com> go to the target1, and when username is xxx(a)domain99.net<mailto:xxx@domain99.net> go to the target2. Kind regards Waldemar

3 2

ssh group membership access
by Daniel Bahena 29 Feb '12

29 Feb '12

Hi, I have a set of servers in which I want to configure ssh access based on the users group membership. I'm using CentOS 5 and this version of openldap [root@centos5 ldifs]# rpm -qa | grep ldap openldap-servers-2.3.43-12.el5_7.10 php-ldap-5.1.6-27.el5_7.5 openldap-servers-overlays-2.3.43-12.el5_7.10 openldap-2.3.43-12.el5_7.10 nss_ldap-253-42.el5_7.4 openldap-2.3.43-12.el5_7.10 nss_ldap-253-42.el5_7.4 openldap-clients-2.3.43-12.el5_7.10 [root@centos5 ldifs]# And this is my ldap.conf base dc=homelinux,dc=net timelimit 120 bind_timelimit 120 idle_timelimit 3600 pam_groupdn cn=access,ou=Group,dc=homelinux,dc=net pam_member_attribute member nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm uri ldap://127.0.0.1/ ssl no tls_cacertdir /etc/openldap/cacerts pam_password md5 And this is the contents of cn=access [root@centos5 ldifs]# ldapsearch -x -W -D 'cn=Manager,dc=homelinux,dc=net' -h 127.0.0.1 "cn=access" # access, Group, homelinux.net dn: cn=access,ou=Group,dc=homelinux,dc=net cn: access objectClass: top objectClass: groupOfNames objectClass: labeledURIObject member: uid=nobody,ou=People,dc=homelinux,dc=net labeledURI: ldap:///ou=People,dc=homelinux,dc=net??one?(gidNumber=10060) labeledURI: ldap:///ou=People,dc=homelinux,dc=net??one?(host=jumpbox) [root@centos5 ldifs]# And this is the contents of the gid 10060 (unixsa) [root@centos5 ldifs]# ldapsearch -x -W -D 'cn=Manager,dc=homelinux,dc=net' -h 127.0.0.1 "cn=unixsa" # unixsa, Group, homelinux.net dn: cn=unixsa,ou=Group,dc=homelinux,dc=net gidNumber: 10060 description: unixsa objectClass: top objectClass: posixGroup cn: unixsa memberUid: uid=dan,ou=People,dc=homelinux,dc=net memberUid: dan [root@centos5 ldifs]# And when I try to ssh into this box I get the following: [kwame@vader ~]$ ssh dan@centos5 dan@centos5's password: You must be a member of cn=access,ou=Group,dc=homelinux,dc=net to login. Connection closed by 192.168.122.225 [kwame@vader ~]$ This is the info for the user dan [root@centos5 ldifs]# id dan uid=10051(uid=dan,ou=People,dc=homelinux,dc=net) gid=10051(dan) groups=10051(dan),10060(unixsa) Comments? Thoughts? Words of wisdom? Best regards

1 0

SSL handshake failure
by Bryce Powell 29 Feb '12

29 Feb '12

Hi, I can't get slapd to respond successfully to TLS or SSL connections using an RSA 2048-bit PEM certificate: $ ldapsearch -x -ZZ -d1 -H ldap://FQDNhostname TLS: loaded CA certificate file /etc/openldap/cacerts/FQDNhostname.cacert.pem. TLS: error: tlsm_PR_Recv returned 0 - error 21:Is a directory TLS: error: connect - force handshake failure: errno 21 - moznss error -5938 TLS: can't connect: TLS error -5938:Encountered end of file. ldap_err2string ldap_start_tls: Connect error (-11) additional info: TLS error -5938:Encountered end of file $ openssl s_client -connect FQDNhostname:636 -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem CONNECTED(00000003) 140457427965768:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 113 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE --- The following packages are installed on CentOS 6.2: openldap-servers-2.4.23-20.el6.x86_64 openldap-2.4.23-20.el6.x86_64 openldap-clients-2.4.23-20.el6.x86_64 openssl-1.0.0-20.el6_2.1.x86_64 openssl-devel-1.0.0-20.el6_2.1.x86_64 gnutls-2.8.5-4.el6.x86_64 gnutls-devel-2.8.5-4.el6.x86_64 nss-pam-ldapd-0.7.5-14.el6_2.1.x86_64 The /etc/openldap/ldap.conf file contains: TLS_CACERT /etc/openldap/cacerts/FQDNhostname.cacert.pem , which contains a chain of three certificates (root CA, intermediate/functional, and issuing). The /etc/openldap/slapd.conf file contains: TLSCipherSuite HIGH:+SSLv3 TLSCertificateFile /etc/openldap/FQDNhostname.cert.pem TLSCertificateKeyFile /etc/openldap/FQDNhostname.key.pem The server is acting as a proxy to an Active Directory, and therefore I only have one LDAP database defined. My intention is to use LDAPS for communication between the client and LDAP proxy servers: database ldap suffix "dc=abc,dc=local" rebind-as-user uri "ldap://IPaddress1/ ldap://IPaddress2/ ldap://IPaddress3/ ldap://IPaddress4/" chase-referrals yes noundeffilter yes use-temporary-conn yes The certificate and private key are located in /etc/openldap/, with the following permissions : -r--r-----. 1 ldap ldap 2076 Feb 21 15:30 FQDNhostname.cert.pem -r--r-----. 1 ldap ldap 1675 Feb 21 15:35 FQDNhostname.sdi.key.pem The CN of the certificate matches the FQDN host name of the LDAP server. The private key is not password protected. Everything checks out OK by testing the certificate using openssl: $ openssl verify -purpose sslserver -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem /etc/openldap/FQDNhostname.cert.pem /etc/openldap/FQDNhostname.cert.pem: OK OpenSSL client/server connections work fine too: openssl s_server -cert /etc/openldap/FQDNhostname.cert.pem -key /etc/openldap/FQDNhostname.key.pem -cipher 'HIGH:+SSLv3 openssl s_client -connect FQDNhostname:4433 -CAfile /etc/openldap/cacerts/FQDNhostname.cacert.pem Bryce Powell

3 6

slapd-meta and LDAPS/SSL problem.
by Jim Vanes 29 Feb '12

29 Feb '12

Hello, Sorry, I tried posting this yesterday but it didn't seem to make it on the list - trying again. I currently have OpenLDAP (2.4.28) running on a Linux box with a local database and a meta backend which represents the local database along with a remote Active Directory server (2008 R2). Below is a snapshot of my slapd.conf. #------------------------------------------------------------ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema loglevel -1 modulepath /usr/lib/openldap/ allow bind_v2 database bdb suffix "dc=local,dc=example,dc=com" directory /var/lib/ldap rootdn "cn=root,dc=local,dc=example,dc=com" rootpw secret database meta suffix "dc=example,dc=com" rootdn "cn=root,dc=example,dc=com" rootpw secret ## Local uri ldap://localhost/ou=Users,dc=local,dc=example,dc=com idassert-bind bindmethod=simple binddn="cn=root,dc=local,dc=example,dc=com" credentials=secret ##Remote Active Directory uri ldap://ad.example.com/cn=Users,dc=example,dc=com idassert-bind bindmethod=simple binddn="cn=sync,cn=users,dc=example,dc=com" credentials=secret # tls_cacert=/etc/openldap/cacerts/ad-ca.cer # tls_cert=/etc/openldap/local.pem # tls_key=/etc/openldap/local.key #----------------------------------------------------------- When I run the following command: ldapsearch -x -D "cn=root, dc=example,dc=com" -w secret -b " dc=example,dc=com " -H ldap://localhost Everything works as expected with the above config , meaning I see the local and remote/proxied entries on AD with the root credentials specified above. Logs on AD indicate that a user sync preformed a search. As I understand, id-assertion is working?? Now if I change the remote entry to the following (enable ssl): ##Remote Active Directory uri ldaps://ad.example.com/cn=Users,dc=example,dc=com idassert-bind bindmethod=simple binddn="cn=sync,cn=users,dc=example,dc=com" credentials=secret tls_cacert=/etc/openldap/cacerts/ad-ca.cer tls_cert=/etc/openldap/local.pem tls_key=/etc/openldap/local.key The same command (ldapsearch -x -D "cn=root, dc=example,dc=com" -w secret -b " dc=example,dc=com " -H ldap://localhost) binds locally successfully but does not list any remote attributes from AD. Verbose logging enabled on Active Directory indicates an anonymous bind and subsequent failure. This is what I'm trying to understand. However, if I search using an account that resides on the AD server (-D " cn=sync,cn=users,dc=example,dc=com" -w secret) it works and the traffic is encrypted. The root account "seems" to be ignored when it comes to the assertion butonly when ssl is enabled. Now, if I use TLS instead, ##Remote Active Directory uri ldap://ad.example.com/cn=Users,dc=example,dc=com tls start idassert-bind bindmethod=simple binddn="cn=sync,cn=users,dc=example,dc=com" credentials=secret tls_cacert=/etc/openldap/cacerts/ad-ca.cer tls_cert=/etc/openldap/local.pem tls_key=/etc/openldap/local.key Everything works, and I see the remote entries in AD using the meta root credentials. I've verified the network traffic to ensure it was indeed encrypted. I've also verified that using ldapsearch directly (ex: -H ldaps://ad.exmaple.com) to AD and it also functions as intended. I did play around with slapd-ldap and it seemed behave the same as meta regarding ldaps. In my eyes, something in my configuration makes the proxy seemingly ignore ldaps entries. Hopefully I didn't miss anything painfully obvious in the docs :) Thanks,

1 0

Configure OpenLDAP with MySQL backend
by Bruce Wen 28 Feb '12

28 Feb '12

Hi Dears, Do you have experience in configuring OpenLDAP with MySQL backend? If true, could you please share the key points? Bruce Wen iSoftStone Information Technology ( Group ) Co. Ltd. Jiahua Plaza, Shangdi 3rd Rd, Haidian District / Phone: 86-10-58749844 / Mobile: 13466687621 地址：北京市海淀区上地三街9号嘉华大厦E座8层

1 0

JIS X 0213
by suzuka46 28 Feb '12

28 Feb '12

Hi, I would like to install Openldap in Japanese environment. Is "JIS X 0213" of a Japanese character code supported in OpenLDAP?

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2012