REL_ENG versions produce different libraries?
by Nick Milas
Hi,
I noticed that in an installation of openldap-ltb 2.4.30 the libraries
are in the form:
"libldap-2.4.so.2" etc.
However, in an installation of a pre-30 (e.g.
openldap-OPENLDAP_REL_ENG_2_4-eb3ea42.tar.gz with LTB 2.4.28 src.rpm on
CentOS 5.7 64-bit) I see that libraries are in the form:
"libldap-2.4-releng.so.2" etc.
I guess these differences between the (names of the) libraries of the
official release and the REL_ENG are intentional. (Probably to emphasize
the fact that the package is not final.)
***The Question***: What should we change so as to build the package as
a normal (i.e. non-test) package?
This will allow better compatibility on the system (where the package is
tested), because packages built with ldap lib dependencies expect the
same ldap lib names (liblber-2.4.so.2 and libldap-2.4.so.2).
I would expect some "test" parameter in build/version.var, but I didn't
see any.
An easy solution could be to edit build/version.sh to remove "-releng",
but I don't think this is the best approach.
Please advise.
Thanks,
Nick
11 years, 2 months
Solaris client configuration
by Kline, Sara
Hey all,
I am trying to get a Solaris 10 client to authenticate to our OpenLDAP (2.3.43) server, which was built on Red Hat 5.7. Linux clients (RHEL 4,5 and 6, and Oracle 5.7) authenticate without issue. I think it may be a simple misconfiguration but I am really not a Solaris person at all. Would someone be willing to send an ldapclient list to me? I would really appreciate it. Steps I have taken:
1. Imported the SSL cert according to Oracle's instructions
2. Made the 3 files cert8, keys3, and secmod readable to everyone with chmod 444
My current ldapclient list looks like this:
LDAP_CLIENT_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=admin,dc=prod,dc=ourdomain,dc=com
NS_LDAP_BINDPASSWD={NS1}ourpassword
NS_LDAP_SERVERS=oly-infra-ldap1 (this is how the name appears on the cert, it is in the hosts file)
NS_LDAP_SEARCH_BASEDN=dc=prod,dc=ourdomain,dc=com
NS_LDAP_AUTH=tls:simple
NS_LDAP_CACHETTL=0
NS_LDAP_CREDENTIAL_LEVEL=proxy
NS_LDAP_SERVICE_AUTH_METHOD=pam_ldap:tls:simple
NS_LDAP_HOST_CERTPATH=/var/ldap
Any help would be greatly appreciated.
Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495
________________________________
This e-mail message is for the sole use of the intended recipient(s)and may
contain confidential and privileged information of Transaction Network Services.
Any unauthorised review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
11 years, 2 months
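An added example, not part of Sara's post nor of any Solaris or OpenLDAP documentation: the profile above uses cn=admin, the directory's administrative identity, as the proxy DN, and with credentialLevel proxy that DN's password is stored on every client, so a compromised client holds admin credentials. The fragment below defines a dedicated read-only proxy identity on the 2.3 server in slapd.conf ACL syntax and shows the matching ldapclient invocation. The name cn=nssproxy and the ACL layout are my assumptions; the client-side attribute names are those of ldapclient(1M).

```conf
# slapd.conf on the OpenLDAP server: a read-only proxy identity for client
# NSS lookups. It never sees password hashes; users still bind as themselves
# for pam_ldap (the "anonymous auth" rule is what permits that simple bind).
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by dn.exact="cn=nssproxy,dc=prod,dc=ourdomain,dc=com" read
    by self read
    by * none

# On the Solaris 10 client, initialise the profile with that identity instead
# of cn=admin (manual mode; one command, split here for readability):
#   ldapclient manual \
#     -a credentialLevel=proxy \
#     -a authenticationMethod=tls:simple \
#     -a serviceAuthenticationMethod=pam_ldap:tls:simple \
#     -a proxyDN=cn=nssproxy,dc=prod,dc=ourdomain,dc=com \
#     -a proxyPassword=<password of cn=nssproxy> \
#     -a defaultSearchBase=dc=prod,dc=ourdomain,dc=com \
#     -a certificatePath=/var/ldap \
#     -a defaultServerList=oly-infra-ldap1
```

The userPassword rule has to stay ahead of the catch-all: slapd applies the first access line whose target matches, so placing it second would let the "access to *" line hand the proxy read access to the hashes as well.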
OpenLDAP integration with RSA Authentication Manager
by Michael Ströder
Hi!
We're trying to configure RSA Authentication Manager 7.1 (SecurID) to access
an OpenLDAP server which is unfortunately not officially supported by this
product.
We chose SunONE DS as "identity source type" but it seems this brain-dead
component checks something in rootDSE to determine whether it's the "right"
type of LDAP server. Not sure what it expects.
Before asking RSA support and just receiving a dumb "not supported":
Anyone here having experience with this combination?
Some insights what it expects in rootDSE? (I'd fake the expected attribute
values with rootDSE <file>).
Ciao, Michael.
11 years, 2 months
help with openldap-2.4.29-sasl-2.1.25 bind problems
by luxInteg
Greetings,
I am new to this list. I have a computer with these:
cpu: amd64 2 cores
os linux 64bit distro=cblfs kernel-3.2.1, gcc-4.5.2
auth progs: MIT-kerberos-1.10, sasl-2.1.25. openldap-2.4.29
(I have an in-house CA and generated a signed certificate/key pair on this
machine running openssl-0.9.8. I transferred these and the cacert.pem file
securely to the machine above, and these are included in the slapd.conf file.)
I verified that LDAP is running without SASL with the ldapsearch command, like so:
ldapsearch -xWLLL "ou=people" -H ldaps://tester.example.com
When I tried the same command for a SASL bind:
ldapsearch -LLL "ou=people" -H ldaps://tester.example.com
I get this
###################################################
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
###################################################
(For debugging) I did the same with the -d -1 switch:
ldapsearch -LLL -d -1 "ou=people" -H ldaps://tester.example.com
and excerpts from the output are below:
######################################################
ldap_url_parse_ext(ldaps://tester.example.com)
ldap_create
ldap_url_parse_ext(ldaps://tester.example.com:636/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP tester.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.10.10.10:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS trace: SSL_connect:before/connect initialization
tls_write: want=211, written=211
0000: 16 03 01 00 ce 01 00 00 ca 03 01 4f 52 8f 3c 49 ...........OR.<I
0010: ca 19 83 08 c8 85 c3 00 94 20 0b 48 32 1a c1 40 ......... .H2..@
--------------
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
-------------
--------------
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
0000: 16 03 01 06 5b
--------------
--------------
TLS trace: SSL_connect:SSLv3 read server certificate A
tls_read: want=5, got=5
0000: 16 03 01 00 8d .....
tls_read: want=141, got=141
--------------
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=210, written=210
--------------
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
0000: 16 03 01 00 ba .....
tls_read: want=186, got=186
------------------
--------------
TLS trace: SSL_connect:SSLv3 read server session ticket A
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 30 ....0
tls_read: want=48, got=48
--------------
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_sasl_open: host=tester.example.com
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x20ebed0 ptr=0x20ebed0 end=0x20ec16a len=666
--------------
ldap_msgfree
ldap_result ld 0x2018010 msgid 1
wait4msg ld 0x2018010 msgid 1 (infinite timeout)
wait4msg continue ld 0x2018010 msgid 1 all 1
** ld 0x2018010 Connections:
* host: tester.example.com port: 636 (default)
refcnt: 2 status: Connected
last used: Sat Mar 3 21:38:04 2012
** ld 0x2018010 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x2018010 request count 1 (abandoned 0)
** ld 0x2018010 Response Queue:
Empty
ld 0x2018010 response count 0
ldap_chkResponseList ld 0x2018010 msgid 1 all 1
ldap_chkResponseList returns ld 0x2018010 NULL
ldap_int_select
read1msg: ld 0x2018010 msgid 1 all 1
ber_get_next
tls_read: want=5, got=5
0000: 17 03 01 00 20 ....
tls_read: want=32, got=32
--------------
tls_read: want=5, got=5
0000: 17 03 01 00 70 ....p
tls_read: want=112, got=112
--------------
ldap_read: want=79, got=79
0000: 01 31 04 00 04 49 53 41 53 4c 28 2d 31 33 29 3a .1...ISASL(-13):
0010: 20 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20 authentication
0020: 66 61 69 6c 75 72 65 3a 20 47 53 53 41 50 49 20 failure: GSSAPI
0030: 46 61 69 6c 75 72 65 3a 20 67 73 73 5f 61 63 63 Failure: gss_acc
0040: 65 70 74 5f 73 65 63 5f 63 6f 6e 74 65 78 74 ept_sec_context
ber_get_next: tag 0x30 len 85 contents:
--------------
read1msg: ld 0x2018010 0 new referrals
read1msg: mark request completed, ld 0x2018010 msgid 1
request done: ld 0x2018010 msgid 1
res_errno: 49, res_error: <SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: <null>
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x20eb750 ptr=0x20eb753 end=0x20eb7a5 len=82
--------------
#########################################################################
advice would be appreciated
sincerely
lux-integ
11 years, 2 months
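An added example, mine rather than the poster's or OpenLDAP's: a small BER decoder run over the BindResponse that the -d -1 trace shows arriving from the server (ber_get_next reports tag 0x30 len 85, and ldap_read shows the 79 bytes from "01 31 04 00 04 49 ..." onwards). The first eight bytes of the message, the SEQUENCE header, messageID, BindResponse header and the resultCode tag and length, are reconstructed from that structure rather than copied from the trace. Decoding gives resultCode 49 (invalidCredentials) with Cyrus SASL's text naming gss_accept_sec_context, which is the acceptor-side GSS call: the TLS handshake completed, the SASL exchange reached slapd, and it is slapd's GSSAPI acceptor that failed. -13 is SASL_BADAUTH.

```python
"""Decode the LDAP BindResponse from the -d -1 trace (added example)."""
from typing import Dict, Tuple

# LDAP result codes relevant to a bind (RFC 4511 section 4.1.9).
RESULT_CODES = {
    0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
    14: "saslBindInProgress", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights",
}

# Diagnostic text as dumped in the trace (73 bytes: the 0x49 length octet).
DIAG = "SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context"

# The full message; the first 8 bytes are inferred from the BER structure.
TRACE_MESSAGE = (
    b"\x30\x55"            # SEQUENCE, length 85 (ber_get_next: tag 0x30 len 85)
    b"\x02\x01\x01"        # messageID 1 (msgid 1 in the trace)
    b"\x61\x50"            # [APPLICATION 1] BindResponse, length 80
    b"\x0a\x01\x31"        # resultCode ENUMERATED 49: the "01 31" the dump starts with
    b"\x04\x00"            # matchedDN ""
    b"\x04\x49"            # diagnosticMessage, 73 bytes follow
    + DIAG.encode()
)


def encode_int(value: int) -> bytes:
    """Two's-complement content octets for INTEGER / ENUMERATED."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)


def encode_tlv(tag: int, value: bytes) -> bytes:
    """BER TLV with definite length: short form below 128, long form above."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_bind_response(msgid: int, code: int, matched_dn: str = "", diag: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { LDAPResult } }."""
    op = (encode_tlv(0x0A, encode_int(code))       # resultCode
          + encode_tlv(0x04, matched_dn.encode())  # matchedDN
          + encode_tlv(0x04, diag.encode()))       # diagnosticMessage
    return encode_tlv(0x30, encode_tlv(0x02, encode_int(msgid)) + encode_tlv(0x61, op))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the TLV at buf[pos]; definite lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not used by LDAP")
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:end], end


def decode_bind_response(msg: bytes) -> Dict[str, object]:
    """Parse exactly one LDAPMessage carrying a BindResponse; reject anything else."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not exactly one LDAPMessage SEQUENCE")
    tag, msgid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    tag, op, pos = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("protocolOp tag 0x%02x is not BindResponse (0x61)" % tag)
    tag, code, p = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    _, matched, p = read_tlv(op, p)
    _, diag, p = read_tlv(op, p)
    rc = int.from_bytes(code, "big", signed=True)
    out: Dict[str, object] = {
        "messageID": int.from_bytes(msgid, "big", signed=True),
        "resultCode": rc,
        "resultName": RESULT_CODES.get(rc, "other"),
        "matchedDN": matched.decode("utf-8"),
        "diagnosticMessage": diag.decode("utf-8"),
        "serverSaslCreds": None,
    }
    while p < len(op):                  # optional referral [3] / serverSaslCreds [7]
        tag, val, p = read_tlv(op, p)
        if tag == 0x87:
            out["serverSaslCreds"] = val
    return out


def failing_side(diag: str) -> str:
    """Cyrus SASL names the GSS call that failed: accept = server, init = client."""
    if "gss_accept_sec_context" in diag:
        return "acceptor"
    if "gss_init_sec_context" in diag:
        return "initiator"
    return "unknown"


if __name__ == "__main__":
    r = decode_bind_response(TRACE_MESSAGE)
    print("resultCode %s (%s), GSS failure on the %s side"
          % (r["resultCode"], r["resultName"], failing_side(r["diagnosticMessage"])))
```

Because the failing call is the acceptor's, the usual things to check are on the server: that the keytab slapd reads (/etc/krb5.keytab by default, or the file named by KRB5_KTNAME in slapd's environment) holds ldap/tester.example.com@REALM, that its key version matches what the KDC issues (kvno ldap/tester.example.com on the client, klist -k on the server), and that the slapd process can actually read that keytab.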
Help with password policy
by Gabriella Turek
Setup: OpenLDAP 2.4 SUSE SLES11, chaining (read only) to an AD directory
I've set up a simple default pwd policy and configured it in slapd.conf:
- Included the schema /etc/openldap/schema/ppolicy.schema
- Under my db configuration added the entries
overlay ppolicy
ppolicy_default "cn=default,ou=pwpolicies,dc=niwa,dc=local"
- The policy is simply:
dn: cn=default,ou=pwpolicies,dc=example,dc=com
cn: default
…..
pwdMinLength: 8
pwdAllowUserChange: TRUE
But when I run tests with too short a password, the password still gets changed. No error messages.
One thing I am confused about is that the documentation says to include the moduleload directive in slapd.conf, but I can't find any modules; the directory where they are supposed to be is empty. slapd -VVV indicates that it includes the static overlay.
Any help is highly appreciated; I am quite a newbie at this.
Gaby
--
Dr Gabriella Turek
Sr. Software Engineer, Systems Development Team
NIWA Auckland, New Zealand
Tel: +64 9 3754645
www.niwa.co.nz
NIWA - Enhancing the benefit of New Zealand’s natural resources.
--
Please consider the environment before printing this email.
NIWA is the trading name of the National Institute of Water & Atmospheric Research Ltd.
11 years, 2 months
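An added example, mine and not from Gaby's post: the same policy entry with the quality check switched on. slapo-ppolicy(5) applies pwdMinLength only "when quality checking is enabled", and pwdCheckQuality defaults to 0 (no checks), so a policy that sets pwdMinLength but not pwdCheckQuality never examines the length and a short password is accepted silently. The example assumes the DN given to ppolicy_default and the DN of the policy entry are the same (the post shows two different ones) and that the password reaches slapd in cleartext, since ppolicy cannot check a value the client has already hashed.

```ldif
# Policy entry; pwdPolicy is auxiliary, so a structural class (device here,
# chosen arbitrarily) is needed. pwdAttribute is mandatory for pwdPolicy.
dn: cn=default,ou=pwpolicies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# pwdCheckQuality: 0 (default) = no checks, pwdMinLength is ignored
#                  1 = check cleartext values, accept pre-hashed ones unchecked
#                  2 = check cleartext values, reject ones that cannot be checked
pwdCheckQuality: 2
pwdMinLength: 8
pwdAllowUserChange: TRUE
# slapd.conf must name exactly this DN:
#   overlay ppolicy
#   ppolicy_default "cn=default,ou=pwpolicies,dc=example,dc=com"
```

To confirm, change the password bound as the user itself, for example ldappasswd -x -D "uid=test,ou=People,dc=example,dc=com" -W -S -H ldap://localhost, and supply a five-character value; with the policy in force slapd refuses it with Constraint violation (19) and the text "Password fails quality checking policy". Test as the user rather than as the rootdn, which ppolicy treats specially.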
Can dynlist query from database hdb access entries in a database ldap on the same slapd?
by Judd Maltin
START slapd.conf:
overlay dynlist
dynlist-attrset myGroupOfURLs myMemberURL
# happy.net: I can query through this proxy just fine.
database ldap
suffix "dc=happy,dc=net"
uri "ldap://ldap1.lga6.us.happy.net"
acl-bind bindmethod=simple binddn="cn=replicant,ou=Service Accounts,dc=happy,dc=net" credentials=my!!replicant
# happy.com: the following database has dc=happy,dc=com data in it already.
database hdb
suffix ""
rootdn "cn=Manager,dc=happy,dc=com"
rootpw secret
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# indexes for replication
index entryCSN,entryUUID eq
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 200
END slapd.conf
START good dynlist entry
dn: cn=admin2,ou=Groups,dc=happy,dc=com
objectClass: posixGroup
objectClass: top
objectClass: myGroupOfURLs
cn: admin2
gidNumber: 20005
myMemberURL: ldap:///cn=sysadmins,ou=Groups,dc=happy,dc=com?memberUID?base?(objectClass=posixGroup)
works great and populates my memberUID just great.
END good dynlist entry
START bad dynlist entry
dn: cn=admin2,ou=Groups,dc=happy,dc=com
objectClass: posixGroup
objectClass: top
objectClass: myGroupOfURLs
cn: admin2
gidNumber: 20005
myMemberURL: ldap:///cn=sysadmins,ou=Groups,dc=happy,dc=net?memberUID?base?(objectClass=posixGroup)
FAILS: no entries in memberUID. Is it a naming context mixup because of the
"suffix ''" above?
--
Judd Maltin
T: 917-882-1270
F: 501-694-7809
A loving heart is never wrong.
11 years, 2 months
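An added example, mine and not the poster's or OpenLDAP's: a parser for the two myMemberURL values above, plus a simplified model of how slapd picks the database for a base DN (the database with the longest suffix that is a suffix of the DN, with suffix "" catching everything else). Run against the suffixes in the posted slapd.conf it makes concrete where each internal dynlist search is routed: the dc=happy,dc=com URL lands in the hdb database behind suffix "", the dc=happy,dc=net URL in the back-ldap proxy. The DN normalisation is deliberately simplified (escaped commas only, every value compared case-insensitively) and the database labels "ldap" and "hdb" are my own.

```python
"""Parse dynlist LDAP URLs and find the slapd database for their base DN (added example)."""
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import unquote


class LdapUrl(NamedTuple):
    scheme: str
    host: str          # empty for the server-local ldap:/// form used by dynlist
    dn: str
    attrs: List[str]
    scope: str         # base | one | sub
    filter: str
    extensions: List[str]


_URL_RE = re.compile(r"^(ldaps?|ldapi)://([^/?]*)(?:/(.*))?$", re.IGNORECASE)
_SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}
_RDN_SEP = re.compile(r"(?<!\\),")      # commas not escaped with a backslash


def parse_ldap_url(url: str) -> LdapUrl:
    """RFC 4516: scheme://host[:port]/dn?attrs?scope?filter?extensions."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    fields = (m.group(3) or "").split("?", 4)
    fields += [""] * (5 - len(fields))            # missing trailing fields are empty
    dn, attrs, scope, filt, exts = fields
    if scope.lower() not in _SCOPES:
        raise ValueError("bad scope %r" % scope)
    return LdapUrl(
        scheme=m.group(1).lower(),
        host=m.group(2),
        dn=unquote(dn),
        attrs=[unquote(a) for a in attrs.split(",") if a],
        scope=_SCOPES[scope.lower()],
        filter=unquote(filt) or "(objectClass=*)",
        extensions=[unquote(e) for e in exts.split(",") if e],
    )


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs for comparison. Simplified on purpose: only
    backslash-escaped commas are honoured and every value is lower-cased,
    which is adequate for the dc/ou/cn attributes used on this page."""
    if not dn.strip():
        return []
    rdns = []
    for rdn in _RDN_SEP.split(dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return rdns


def select_database(base_dn: str, databases: List[Tuple[str, str]]) -> Optional[str]:
    """Label of the database whose suffix is the longest suffix of base_dn.
    Suffix "" (zero RDNs) matches any DN; None only if nothing matches."""
    rdns = normalize_dn(base_dn)
    best, best_len = None, -1
    for label, suffix in databases:
        s = normalize_dn(suffix)
        if len(s) > len(rdns):
            continue
        if s and rdns[-len(s):] != s:
            continue
        if len(s) > best_len:
            best, best_len = label, len(s)
    return best


# The two databases from the posted slapd.conf, in the order they appear there.
DATABASES = [("ldap", "dc=happy,dc=net"), ("hdb", "")]

GOOD_URL = "ldap:///cn=sysadmins,ou=Groups,dc=happy,dc=com?memberUID?base?(objectClass=posixGroup)"
BAD_URL = "ldap:///cn=sysadmins,ou=Groups,dc=happy,dc=net?memberUID?base?(objectClass=posixGroup)"


def database_for_url(url: str, databases: List[Tuple[str, str]] = DATABASES) -> Optional[str]:
    """Which database an internal search with this URL's base DN is routed to."""
    return select_database(parse_ldap_url(url).dn, databases)


if __name__ == "__main__":
    for u in (GOOD_URL, BAD_URL):
        p = parse_ldap_url(u)
        print("%s  scope=%s attrs=%s -> database %s" % (p.dn, p.scope, p.attrs, database_for_url(u)))
```

The same routine is handy whenever a member URL, an authz-regexp target or a referral "does nothing": if its base DN is served by a different database than the entry holding it, the search is answered by that other backend with that backend's identity and ACLs, not by the one the entry lives in.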
Not deleted in Syncrepl
by s_hira@nifty.com
Hi, All
I have confirmed a problem where entries are not deleted by syncrepl in 2.4.30.
The provider runs with "syncprov-sessionlog 100".
After I delete 150 entries on the provider and syncrepl runs,
only 100 of them are deleted on the consumer side.
After examining it, the following code seems to have the problem.
servers/slapd/overlays/syncprov.c:2638
    if ( sl->sl_num > 0 ) {
        int i;
        for ( i=0; i<sl->sl_numcsns; i++ ) {
            /* SID not present == new enough */
            if ( minsid < sl->sl_sids[i] ) {
                do_play = 1;
                break;
            }
            /* SID present and new enough */
            if ( minsid == sl->sl_sids[i]
                && ber_bvcmp( &mincsn, &sl->sl_mincsn[i] ) >= 0 ) {
                do_play = 1;
                break;
            }
        }
        /* SID not present == new enough */
        if ( i == sl->sl_numcsns )
            do_play = 1;
    }
    if ( do_play ) {
        do_present = 0;
        /* mutex is unlocked in playlog */
        syncprov_playlog( op, rs, sl, srs, ctxcsn, numcsns, sids );
    } else {
        ldap_pvt_thread_mutex_unlock( &sl->sl_mutex );
    }
I then corrected it as follows.
===
- if ( minsid == sl->sl_sids[i]
- && ber_bvcmp( &mincsn, &sl->sl_mincsn[i] ) >= 0 ) {
+ if ( minsid == sl->sl_sids[i] ) {
+ if ( ber_bvcmp( &mincsn, &sl->sl_mincsn[i] ) >= 0 ) {
do_play = 1;
+ }
break;
}
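Review bot: the logic of the fix is sound as far as the loop shown above goes. In the original, the equal-SID branch only breaks when mincsn is new enough; when the consumer's CSN for that SID is older than sl_mincsn[i], the loop simply continues, the next iteration sees a larger sl_sids[i] (or the loop runs off the end and trips the `i == sl->sl_numcsns` test), and the cookie is misread as "SID not present == new enough", so the session log gets played for a gap it does not cover, which is consistent with only the logged 100 deletes reaching the consumer. Breaking unconditionally once the SID matches removes that fall-through, and the trailing `i == sl->sl_numcsns` check then fires only when minsid is larger than every logged SID. Two things to add before this goes in: the comment "SID present and new enough" above the new `if ( minsid == sl->sl_sids[i] ) {` no longer describes both outcomes, so note there that a matching SID with an older mincsn must not play the log; and a commit message stating the symptom (deletes beyond the syncprov-sessionlog size are not replicated) and that the code relies on sl_sids being sorted ascending, which the `minsid < sl->sl_sids[i]` shortcut already assumes.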
Is this correction wrong?
HIRABAYASHI Satoshi
s_hira(a)nifty.com
11 years, 2 months
How to bind ldap2.4 with user certificate ?
by Olivier
Hello,
Is there any way to bind to an LDAP server using user certificates rather than
user/password?
I have experimented with that using "bindmethod=sasl", "saslmech=external",
"tls_cacert=CAFILE" and "tls_cert=PROXYUSERFILE" in the olcSyncRepl section,
but I would like to also be able to bind to LDAP with a personal certificate
rather than with a "user/passwd" when using ldapsearch, for example.
How should I configure my "ldap.conf" and call "ldapsearch" to bind as such?
Thanks
---
Olivier
11 years, 2 months
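An added example, mine rather than Olivier's or the OpenLDAP project's: the client-side and server-side settings for binding ldapsearch with a personal certificate through SASL EXTERNAL. It assumes the user's certificate subject is cn=<name>,ou=People,dc=example,dc=com and that the entry to bind as is found by that cn; the paths and DNs are assumptions. One caveat that ldap.conf(5) states and that trips people up: TLS_CERT and TLS_KEY are user-only options, so they belong in ~/.ldaprc (or in LDAPTLS_CERT and LDAPTLS_KEY in the environment), not in the system ldap.conf.

```conf
# ~/.ldaprc on the client. TLS_CERT/TLS_KEY are user-only options and are
# ignored if placed in /etc/openldap/ldap.conf.
URI         ldap://ldap.example.com
BASE        dc=example,dc=com
TLS_CACERT  /etc/openldap/cacert.pem
TLS_REQCERT demand
TLS_CERT    /home/olivier/.ldap/olivier-cert.pem
TLS_KEY     /home/olivier/.ldap/olivier-key.pem
SASL_MECH   EXTERNAL

# slapd.conf on the server: request a client certificate and map its subject
# DN, which is the SASL EXTERNAL authentication identity, to a directory entry.
# Use "demand" instead of "try" to refuse connections without a certificate.
TLSCACertificateFile /etc/openldap/cacert.pem
TLSVerifyClient try
authz-regexp
    "^cn=([^,]+),ou=People,dc=example,dc=com$"
    "ldap:///ou=People,dc=example,dc=com??one?(cn=$1)"

# Then, after StartTLS (-ZZ) or over ldaps://, bind with no -x, -D or -W:
#   ldapwhoami -ZZ -Y EXTERNAL
#   ldapsearch -ZZ -Y EXTERNAL "(uid=olivier)"
```

ldapwhoami should answer with the mapped directory DN; if it instead returns the raw certificate subject, the authz-regexp pattern does not match the subject as slapd renders it (run slapd with -d acl,args to see the identity being matched). In a cn=config deployment such as the one the post describes, the same two server settings are olcTLSVerifyClient and olcAuthzRegexp on the cn=config entry.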
Cannot convert slapd.conf with blanks in paths
by frank.offermanns@caseris.de
slaptest has problems with blanks in paths:
slapd.conf extraction:
logfile "C:/temp/Blank Dir/log/slapd.log"
...
directory "C:/temp/Blank Dir/accessdata"
slaptest -f "C:\temp\Blank Dir\slapd.conf" -F "C:\temp\Blank Dir\slapd.d"
will succeed when a blank is in the path of "logfile" or "directory" but
when I start slapd I get a
"<olcLogFile> extra cruft after <file>".
When I remove the quotation marks slaptest fails with the message
"<logfile> extra cruft after <file>".
I can only fix this by manually editing the config.ldif-files, which I
know is forbidden.
But due to the fact that I can't start slapd I can't use ldapmodify to
modify it.
So what to do?
I tested with windows version of OpenLDAP.
Regards,
Frank
11 years, 2 months
client ldap with 2 ldap.conf
by stefano
Hi,
a second question.
I installed ldap-auth-config on a client. I've seen that I have
/etc/ldap.conf and also /etc/ldap/ldap.conf.
Which one is used? How can I tell which one is in use?
11 years, 2 months