openldap-technical February 2012

openldap-technical@openldap.org

98 participants
113 discussions

cert options in ssl/tls connections
by Qiang Xu 28 Feb '12

28 Feb '12

Hello All, Today I came across a strange problem. I wrote a program to test ldap ssl/tls connection with OpenLDAP library. Something like the code snippet as follows: int ret = LDAP_OPT_SUCCESS; int cert_flag = LDAP_OPT_X_TLS_NEVER; ... ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag); if (ret != LDAP_OPT_SUCCESS) { fprintf(stderr, "unable to set require cert option (LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n", ldap_err2string(ret)); } ... // bind to the server cert_flag = LDAP_OPT_X_TLS_DEMAND; ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_flag); if (ret != LDAP_OPT_SUCCESS) { fprintf(stderr, "unable to set require cert option (LDAP_OPT_X_TLS_REQUIRE_CERT): %s\n", ldap_err2string(ret)); } ... // bind to the server The first binding is successful, as expected. However, the second binding is also successful, which is contrary to my expectation, because I didn't create any cert file yet. Another observation here is that if the first binding with LDAP_OPT_X_TLS_NEVER is removed, and the second binding with LDAP_OPT_X_TLS_DEMAND set is done right from the beginning, then it will fail, as expected. So, it seems the first value set to the option LDAP_OPT_X_TLS_REQUIRE_CERT will override the later values, isn't it? Is it possible to change this option's value on the fly (means different bindings use different values for this cert option)? Thanks, Qiang

1 0

Delta-syncrepl issue
by Abderamane Hamani 28 Feb '12

28 Feb '12

Good morning, Is it possible to use always delta-syncrepl even the replica consumer is too far from the provider ?? Many thanks in advance

2 3

Re: Delta-syncrepl issue
by Mauricio Tavares 28 Feb '12

28 Feb '12

On Tue, Feb 28, 2012 at 1:24 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, February 28, 2012 3:54 PM +0100 Abderamane Hamani > <ahamani(a)escpeurope.eu> wrote: > >> Good morning, >> Is it possible to use always delta-syncrepl even the replica consumer is >> too far from the provider ?? Many thanks in advance > > > Your question doesn't make sense as worded. Delta-syncrepl is not limited > by physical distance. > > --Quanah > Also, depending on the traffic and connection speed between both machines, you might experience some slowdown, but it will just catch up eventually. Unless you keep changing your ldap database all the time. ;) > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

olcMirrorMode attribute in N-way multimaster
by Christopher Jones 28 Feb '12

28 Feb '12

Hi all, I'm working on an multimaster setup using the LDIF configuration (as opposed to slapd.conf). From my understanding of the documentation, Mirror Mode is distinct from N-way Multimaster in that it is an 'active-active/hot swap' configuration, and writes need to go a single server. In the admin guide's example found here: http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master the N-way multimaster has this attribute set: add: olcMirrorMode olcMirrorMode: TRUE Could someone clarify what the olcMirrorMode attribute is for in the N-way multimaster configuration? Thanks for your help in advance, Chris

2 1

slapd/slaptest fail with cyrus-sasl-2.1.25
by Markus Wernig 28 Feb '12

28 Feb '12

Hello all I have openldap-2.4.29 on x86 Solaris 11, compiled from source. It links against cyrus-sasl libraries, also compiled from source. All was working well with cyrus-sasl-2.1.23. After upgrading sasl to 2.1.25 slapd refuses to start: # /usr/local/libexec/slapd -d 8 4f4a8bad @(#) $OpenLDAP: slapd 2.4.29 (Feb 26 2012 19:45:45) $ @xfer-srv01:/opt/build.d/openldap-2/tmp/openldap-2.4.29/servers/slapd 4f4a8bad slap_sasl_init: auxprop add plugin failed 4f4a8bad slapd stopped. 4f4a8bad connections_destroy: nothing to destroy. If i downgrade cyrus-sasl again to 2.1.23, the error does not occur and slapd works normally without recompiling. I have seen bug reports about a similar problem with debian, and from that report (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628237) it seemed that the problem lies with the sasl library, but should be fixed in the meantime. But still, I keep getting that error, and no configuration or compilation option (apart from totally disabling sasl) will help. Does anybody have an idea of how I could debug this further? Is this still a known issue? Thanks /markus

3 4

Re: the root of the directory tree
by stefano 28 Feb '12

28 Feb '12

ok, thanks other question: i'm working on a lan with students, teachers, some guests and a pair of administrators. i need that everyone can authenticate himself on the lan. there are some computers in a room and i want they will be powered on will appear a display to log in. the same thing for every computer that will be connect to our local network. every user will have his permissions to visit different sites, to see server resources, etc. i don't know how prepare this but for the moment am preparing the server populating it with every user. Now i need to know one thing. with the my configuration idea, is it enough to have the Simple Binding inserting only the userPassword of Person objectClass? do i need also account and simpleSecurityObject classes? On 02/28/2012 10:11 AM, Turbo Fredriksson wrote: > On Tue, 28 Feb 2012 08:02:42 +0100, stefano wrote: >> I am preparing an ldap server to allow every user to access the LAN >> only with his username and password. the root of the directorytree can >> be invented? i invented a domain amahoro.bi, can be correct? > > Sure. As long as you don't plan on publish it in any way and ONLY use > it internally, > that would work. > > Your base DN would then be: 'dc=amahora,dc=bi'. > > It's not the best of ideas (best is to register a domain name and use > that), but > functionally perfectly fine. > -- > ... but you know as soon as Oracle starts waving its wallet at a > Company it's time to run - fast. > /illumos mailing list >

4 4

the root of the directory tree
by stefano 27 Feb '12

27 Feb '12

good morning. i have a simple question for you. I am preparinganldapserverto allowevery user toaccess theLANonly withhis usernameand password.therootof thedirectorytreecanbeinvented?iinventeda domainamahoro.bi, canbecorrect? thanks

1 0

Mozilla NSS -- how to deploy intermediate certificate
by Aaron Bennett 27 Feb '12

27 Feb '12

Hello, I need to publish the GeoTrust intermediate certificate; I'm using 2.4.29 built against Mozilla NSS. In OpenSSL world, I'd use -- I think -- TLSCACertificateFile /path/to/CA-certificates. Here's what I've tried: Download GeoTrust cert from https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id… ; save as intermediate.crt Import with: # certutil -d /etc/openldap/nssdb/ -A -t ",," -n geotrust-intermediate -i intermediate.crt Certutil -L now shows: # certutil -d /etc/openldap/nssdb/ -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI geotrust-intermediate ,, ds.clarku.edu Pu,Pu,Pu cn=config looks like this: olcTLSCACertificateFile: geotrust-intermediate olcTLSCACertificatePath: /etc/openldap/nssdb olcTLSCertificateFile: ds.clarku.edu But still clients cannot verify the cert. Any Mozilla NSS guru's know what I'm going wrong? Thanks, Aaron

4 14

Resync DEL
by Marc Patermann 27 Feb '12

27 Feb '12

Hi, due to the "DEL don't get replicated" issue, I have inconsistent data on the consumers. I set up a test pair with a provider with current master data and a consumer with current slave data. The data set differs in a few entries which DEL were not replicated. Is there any way to get the two server on sync again other then completely delete the database and refill (by slapadd from master or full resync) on the consumer? I tried (with various combinations of 2.4.26, 2.4.28 and current pre 2.4.30) to start the consumer with "-c rid=xxx,csn=" which starts a full sync, but the (on the master not existing) objects don't get deleted (on the slave). Marc

4 7

require StartTLS
by Daniel Pocock 26 Feb '12

26 Feb '12

Is there some way to ensure that a client who connects on port 389 can do nothing without StartTLS? Or is it necessary to just disable port 389 and only listen for ldaps:/// ?

6 7

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2012