openldap-technical March 2012

openldap-technical@openldap.org

96 participants
116 discussions

REL_ENG versions produce different libraries?
by Nick Milas 01 Apr '12

01 Apr '12

Hi, I noticed that in an installation of openldap-ltb 2.4.30 the libraries are in the form: "libldap-2.4.so.2" etc. However, in an installation of a pre-30 (e.g. openldap-OPENLDAP_REL_ENG_2_4-eb3ea42.tar.gz with LTB 2.4.28 src.rpm on Centos 5.7 64bit) I see that libraries are in the form: "libldap-2.4-releng.so.2" etc. I guess these differences between the (names of the) libraries of the official release and the REL_ENG are intentional. (Probably to emphasize the fact that the package is not final.) ***The Question***: What should we change so as to build the package as a normal (i.e. non-test) package? This will allow better compatibility on the system (where the package is tested), because packages built with ldap lib dependencies expect the same ldap lib names (liblber-2.4.so.2 and libldap-2.4.so.2). I would expect some "test" parameter in build/version.var, but I didn't see any. An easy solution could be to edit build/version.sh to remove "-releng", but I don't think this is the best approach. Please advise. Thanks, Nick

4 6

Solaris client configuration
by Kline, Sara 29 Mar '12

29 Mar '12

Hey all, I am trying to get a Solaris 10 client to authenticate to our OpenLDAP (2.3.43) server, which was built on Red Hat 5.7. Linux clients (RHEL 4,5 and 6, and Oracle 5.7) authenticate without issue. I think it may be a simple misconfiguration but I am really not a Solaris person at all. Would someone be willing to send an ldapclient list to me? I would really appreciate it. Steps I have taken: 1. Imported the SSL cert according to Oracle's instructions 2. Made the 3 files cert8, keys3, and secmod readable to everyone with chmod 444 My current ldapclient list looks like this: LDAP_CLIENT_FILE_VERSION= 2.0 NS_LDAP_BINDDN= cn=admin,dc=prod,dc=ourdomain,dc=com NS_LDAP_BINDPASSWD={NS1}ourpassword NS_LDAP_SERVERS=oly-infra-ldap1 (this is how the name appears on the cert, it is in the hosts file) NS_LDAP_SEARCH_BASEDN=dc=prod,dc=ourdomain,dc=com NS_LDAP_AUTH=tls:simple NS_LDAP_CACHETTL=0 NS_LDAP_CREDENTIAL_LEVEL=proxy NS_LDAP_SERVICE_AUTH_METHOD=pam_ldap:tls:simple NS_LDAP_HOST_CERTPATH=/var/ldap Any help would be greatly appreciated. Sara Kline System Administrator Transaction Network Services, Inc 4501 Intelco Loop, Lacey WA 98503 Wk: (360) 493-6736 Cell: (360) 280-2495 ________________________________ This e-mail message is for the sole use of the intended recipient(s)and may contain confidential and privileged information of Transaction Network Services. Any unauthorised review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

2 1

OpenLDAP integration with RSA Authentication Manager
by Michael Ströder 29 Mar '12

29 Mar '12

HI! We're trying to configure RSA Authentication Manager 7.1 (SecurID) to access an OpenLDAP server which is unfortunately not officially supported by this product. We chose SunONE DS as "identity source type" but it seems this brain-dead component checks something in rootDSE to determine whether it's the "right" type of LDAP server. Not sure what it expects. Before asking the RSA support and just receive a dumb "not supported": Anyone here having experience with this combination? Some insights what it expects in rootDSE? (I'd fake the expected attribute values with rootDSE <file>). Ciao, Michael.

1 0

help with openldap-2.4.29-sasl-2.1.25 bind problems
by luxInteg 29 Mar '12

29 Mar '12

Greetings, i am new to this list. I have a computer with these:- cpu: amd64 2 cores os linux 64bit distro=cblfs kernel-3.2.1, gcc-4.5.2 auth progs: MIT-kerberos-1.10, sasl-2.1.25. openldap-2.4.29 ( I have an inhouse CA and generated a signed Certicate/Key pair on this machine running openssl-0.9.8 I transferred these and the cacert.pem file securely to the machine above and these are included in the slapd.conf file ) I verified ldap is running without sasl with the ldapsearch command like so:- ldapsearch -xWLLL "ou=people" -H ldaps://tester.example.com When I tried the same command for a sasl bind:- ldappsearch -LLL "ou=people" -H ldaps://tester.example.com I get this ################################################### SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context ################################################### (For debugging ) I did the same with the -d -1 switch ldappsearch -LLL -d -1 "ou=people" -H ldaps://tester.example.com and excerpts from the output are below:- ###################################################### ldap_url_parse_ext(ldaps://tester.example.com) ldap_create ldap_url_parse_ext(ldaps://tester.example.com:636/??base) ldap_sasl_interactive_bind: user selected: GSSAPI ldap_int_sasl_bind: GSSAPI ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP tester.example.com:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.10.10.10:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization tls_write: want=211, written=211 0000: 16 03 01 00 ce 01 00 00 ca 03 01 4f 52 8f 3c 49 ...........OR.<I 0010: ca 19 83 08 c8 85 c3 00 94 20 0b 48 32 1a c1 40 ......... .H2..@ -------------- TLS trace: SSL_connect:SSLv2/v3 write client hello A tls_read: want=7, got=7 ------------- -------------- TLS trace: SSL_connect:SSLv3 read server hello A tls_read: want=5, got=5 0000: 16 03 01 06 5b -------------- -------------- TLS trace: SSL_connect:SSLv3 read server certificate A tls_read: want=5, got=5 0000: 16 03 01 00 8d ..... tls_read: want=141, got=141 -------------- TLS trace: SSL_connect:SSLv3 read server certificate request A TLS trace: SSL_connect:SSLv3 read server done A TLS trace: SSL_connect:SSLv3 write client certificate A TLS trace: SSL_connect:SSLv3 write client key exchange A TLS trace: SSL_connect:SSLv3 write change cipher spec A TLS trace: SSL_connect:SSLv3 write finished A tls_write: want=210, written=210 -------------- TLS trace: SSL_connect:SSLv3 flush data tls_read: want=5, got=5 0000: 16 03 01 00 ba ..... tls_read: want=186, got=186 ------------------ -------------- TLS trace: SSL_connect:SSLv3 read server session ticket A tls_read: want=5, got=5 0000: 14 03 01 00 01 ..... tls_read: want=1, got=1 0000: 01 . tls_read: want=5, got=5 0000: 16 03 01 00 30 ....0 tls_read: want=48, got=48 -------------- TLS trace: SSL_connect:SSLv3 read finished A ldap_int_sasl_open: host=tester.example.com SASL/GSSAPI authentication started ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x20ebed0 ptr=0x20ebed0 end=0x20ec16a len=666 -------------- ldap_msgfree ldap_result ld 0x2018010 msgid 1 wait4msg ld 0x2018010 msgid 1 (infinite timeout) wait4msg continue ld 0x2018010 msgid 1 all 1 ** ld 0x2018010 Connections: * host: tester.example.com port: 636 (default) refcnt: 2 status: Connected last used: Sat Mar 3 21:38:04 2012 ** ld 0x2018010 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x2018010 request count 1 (abandoned 0) ** ld 0x2018010 Response Queue: Empty ld 0x2018010 response count 0 ldap_chkResponseList ld 0x2018010 msgid 1 all 1 ldap_chkResponseList returns ld 0x2018010 NULL ldap_int_select read1msg: ld 0x2018010 msgid 1 all 1 ber_get_next tls_read: want=5, got=5 0000: 17 03 01 00 20 .... tls_read: want=32, got=32 -------------- tls_read: want=5, got=5 0000: 17 03 01 00 70 ....p tls_read: want=112, got=112 -------------- ldap_read: want=79, got=79 0000: 01 31 04 00 04 49 53 41 53 4c 28 2d 31 33 29 3a .1...ISASL(-13): 0010: 20 61 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 20 authentication 0020: 66 61 69 6c 75 72 65 3a 20 47 53 53 41 50 49 20 failure: GSSAPI 0030: 46 61 69 6c 75 72 65 3a 20 67 73 73 5f 61 63 63 Failure: gss_acc 0040: 65 70 74 5f 73 65 63 5f 63 6f 6e 74 65 78 74 ept_sec_context ber_get_next: tag 0x30 len 85 contents: -------------- read1msg: ld 0x2018010 0 new referrals read1msg: mark request completed, ld 0x2018010 msgid 1 request done: ld 0x2018010 msgid 1 res_errno: 49, res_error: <SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_int_sasl_bind: <null> ldap_parse_sasl_bind_result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x20eb750 ptr=0x20eb753 end=0x20eb7a5 len=82 -------------- ######################################################################### advice would be appreciated sincerely lux-integ

3 4

Help with password policy
by Gabriella Turek 29 Mar '12

29 Mar '12

Setup: OpenLDAP 2.4 SUSE SLES11, chaining (read only) to an AD directory I've set up a simple default pwd policy and configured it in slapd.conf: - Included the schema /etc/openldap/schema/ppolicy.schema - Under my db configuration added the entries overlay ppolicy ppolicy_default "cn=default,ou=pwpolicies,dc=niwa,dc=local" - The policy is simply: dn: cn=default,ou=pwpolicies,dc=example,dc=com cn: default ….. pwdMinLength: 8 pwdAllowUserChange: TRUE But when I run tests with too short a password the password still gets changed. No error messages. One thing I am confused about is that the documentation says to include the moduleload directive in slapd.con but I can't find any modules, the directory where they are supposed to be is empty. slapd –VVV indicates that it includes the static overlay. Any help is highly appreciated, I am quite a newby at this. Gaby -- Dr Gabriella Turek Sr. Software Engineer, Systems Development Team NIWA Auckland, New Zealand Tel: +64 9 3754645 www.niwa.co.nz NIWA - Enhancing the benefit of New Zealand’s natural resources. -- Please consider the environment before printing this email. NIWA is the trading name of the National Institute of Water & Atmospheric Research Ltd.

3 2

Can dynlist query from database hdb access entries in a database ldap on the same slapd?
by Judd Maltin 28 Mar '12

28 Mar '12

START slapd.conf: overlay dynlist dynlist-attrset myGroupOfURLs myMemberURL # happy.net: I can query through this proxy just fine. database ldap suffix "dc=happy,dc=net" uri "ldap://ldap1.lga6.us.happy.net" acl-bind bindmethod=simple binddn="cn=replicant,ou=Service Accounts,dc=happy,dc=net" credentials=my!!replicant # happy.com: the following database has dc=happy,dc=com data in it already. database hdb suffix "" rootdn "cn=Manager,dc=happy,dc=com" rootpw secret directory /var/lib/ldap index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub # indexes for replication index entryCSN,entryUUID eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 200 END slapd.conf START good dynlist entry dn: cn=admin2,ou=Groups,dc=happy,dc=com objectClass: posixGroup objectClass: top objectClass: myGroupOfURLs cn: admin2 gidNumber: 20005 myMemberURL: ldap:///cn=sysadmins,ou=Groups,dc=happy,dc=com?memberUID?base?(objectClass=posixGroup) works great and populates my memberUID just great. END good dynlist entry START bad dynlist entry dn: cn=admin2,ou=Groups,dc=happy,dc=com objectClass: posixGroup objectClass: top objectClass: myGroupOfURLs cn: admin2 gidNumber: 20005 myMemberURL: ldap:///cn=sysadmins,ou=Groups,dc=happy,dc=net?memberUID?base?(objectClass=posixGroup) FAILS no entries in memeberUID - it a naming context mixup because "suffix ''" above? -- Judd Maltin T: 917-882-1270 F: 501-694-7809 A loving heart is never wrong.

3 3

Not deleted in Syncrepl
by s_hira＠nifty.com 27 Mar '12

27 Mar '12

Hi, All I confirmed the problem that was not deleted in syncrepl of V2.4.30. The provider operates it in "syncprov-sessionlog 100". After I delete 150 in a provider, and going syncrepl Only 100 cases are deleted in the consumer side. After examining it, the following parts seem to have a problem. servers/slapd/overlays/syncprov.c:2638 if ( sl->sl_num > 0 ) { int i; for ( i=0; i<sl->sl_numcsns; i++ ) { /* SID not present == new enough */ if ( minsid < sl->sl_sids[i] ) { do_play = 1; break; } /* SID present and new enough */ if ( minsid == sl->sl_sids[i] && ber_bvcmp( &mincsn, &sl->sl_mincsn[i] ) >= 0 ) { do_play = 1; break; } } /* SID not present == new enough */ if ( i == sl->sl_numcsns ) do_play = 1; } if ( do_play ) { do_present = 0; /* mutex is unlocked in playlog */ syncprov_playlog( op, rs, sl, srs, ctxcsn, numcsns, sids ); } else { ldap_pvt_thread_mutex_unlock( &sl->sl_mutex ); } Then, it corrected as follows. === - if ( minsid == sl->sl_sids[i] - && ber_bvcmp( &mincsn, &sl->sl_mincsn[i] ) >= 0 ) { + if ( minsid == sl->sl_sids[i] ) { + if ( ber_bvcmp( &mincsn, &sl->sl_mincsn[i] ) >= 0 ) { do_play = 1; + } break; } Is this correction wrong? HIRABAYASHI Satoshi s_hira(a)nifty.com

2 1

How to bind ldap2.4 with user certificate ?
by Olivier 27 Mar '12

27 Mar '12

Hello, is there any way to bind an ldap server using user certificates rather than user/password ? I have experimented that using "bindmethod=sasl" and "saslmech=external" "tls_cacert=CAFILE" and "tls_cert=PROXYUSERFILE" in olcSyncRepl section, but I would like to also be able to bind ldap with a personnal certificate rather than with a "user/passwd" when using ldapsearch for example. How should I configure my "ldap.conf" and call "ldapsearch" to bind as such ? Thanks --- Olivier

2 1

Cannot convert slapd.conf with blanks in pathes
by frank.offermanns＠caseris.de 27 Mar '12

27 Mar '12

slaptest has problems with blanks in pathes: slapd.conf extraction: logfile "C:/temp/Blank Dir/log/slapd.log" ... directory "C:/temp/Blank Dir/accessdata" slaptest -f "C:\temp\Blank Dir\slapd.conf" -F "C:\temp\Blank Dir\slapd.d" will succeed when a blank is in the path of "logfile" or "directory" but when I start slapd I get a "<olcLogFile> extra cruft after <file>". When I remove the quotation marks slaptest fails with the message "<logfile> extra cruft after <file>". I can only fix this by manually editing the config.ldif-files, which I know is forbidden. But due to the fact that I can't start slapd I can't use ldapmodify to modify it. So what to do? I tested with windows version of OpenLDAP. Regards, Frank

1 0

client ldap with 2 ldap.conf
by stefano 27 Mar '12

27 Mar '12

hi, a second question. i installed ldap-auth-config on a client. i've seen that i have /etc/ldap.conf and also /etc/ldap/ldap.conf which one is available? how could i understand which is in use?

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2012