openldap-technical June 2012

openldap-technical@openldap.org

66 participants
61 discussions

bind as users logging/authenticating into solaris with ldap client configured
by curious penguin 06 Jun '12

06 Jun '12

My solaris machine is configured to authenticate to an openldap server but is currently binding anonymously. How do I reconfigure its ldap client to bind as the user that its trying to query from the ldap server?

1 0

Pass-though Authentication with Saslauthd and Kerberos
by Jeff B 06 Jun '12

06 Jun '12

I'm attempting to get pass-though auth to work against saslauthd and kerberos and while the problem seems to be in sasl I think it's most likely to be seen in this type of configuration with opendap which I why I chose this mailing list. When I run testsaslauthd it works but when I run ldapsearch it fails. But the curious thing is where it is failing. in doing straces of saslauthd and packet traces I've found that when ldapsearch calls salsauthd, and not when I run saslauthd kerberos does not deliver the AS-REP packets till just after saslauthd times out. I can't find any difference in how I'm invoking saslauthd with testdaslauthd and how ldapsearch is invoking saslauthd. However the packet traces are quite different as you will see below. I've seen these kind of errors here and there on google but no resolutions that I can find. (http://www.openldap.org/lists/openldap-software/200602/msg00278.html) Centos 6 openldap-2.4.23-15.el6_1.3.x86_64 openldap-clients-2.4.23-15.el6_1.3.x86_64 openldap-servers-2.4.23-15.el6_1.3.x86_64 openldap-devel-2.4.23-15.el6_1.3.x86_64 krb5-server-1.9-9.el6_1.2.x86_64 krb5-server-ldap-1.9-9.el6_1.2.x86_64 krb5-workstation-1.9-9.el6_1.2.x86_64 krb5-libs-1.9-9.el6_1.2.x86_64 cyrus-sasl-2.1.23-8.el6.x86_64 cyrus-sasl-lib-2.1.23-8.el6.x86_64 cyrus-sasl-gssapi-2.1.23-8.el6.x86_64 cyrus-sasl-plain-2.1.23-8.el6.x86_64 cyrus-sasl-devel-2.1.23-8.el6.x86_64 My slapd.conf contains nothing regarding kerberos / sasl / pass-through authentication. I'm using a slapd.conf file for the time being till i get it all worked out and plan on converting it to a cn=config configuration. In my DIT the userPassword field contains: {SASL}myuser@MYREALM where myuser and my realm are replaced with the proper values. /etc/sasl2/slapd.conf: mech_list: plain pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux /etc/sysconfig/saslauthd KRB5_KTNAME=/etc/krb5.keytab SOCKETDIR=/var/run/saslauthd MECH=kerberos5 Which builds a daemon command line of: /usr/sbin/saslauthd -m /var/run/saslauthd -a kerberos5 My system keytab is: /etc/krb5.keytab (root.ldap 0640) host/my.hostname@realm ldap/my.hostname@realm My socket parent dir is: /var/run/saslauthd (root.ldap 0770) When I run testsaslauthd I get a packet trace between saslauthd and kerberos is all UDP and works: > AS-REQ < KRB5KDC_ERR_PREAUTH_REQUIRED (25) > AS-REQ < AS-REP > TGS-REQ < TGS-REP When I run ldapsearch the packet trace between saslauthd and kerberos is UDP and TCP communication. None of the kerberos replies come back for 18 seconds, the time it takes saslauthd to time out. > AS-REQ < KRB5KDC_ERR_PREAUTH_REQUIRED (25) > AS-REQ > TCP SYN < TCP SYN, ACK > TCP ACK > TCP AS-REQ < TCP ACK > AS-REQ > AS-REQ > TCP FIN, ACK <-- saslauthd times out and the AS-REPS all come back at once. < AS-REP < AS-REP < AS-REP < TCP AS-REP > TCP RST an strace of saslauthd supports this timeout theory as it shows the the timeouts and backoffs. I can't find any info regarding saslauthd and TCP or UDP or timeouts like this. Any ideas?

5 7

Wildcard and Internal Domain
by Leonardo 06 Jun '12

06 Jun '12

Dear Colleagues. I attempted implementing certificates with wildcard to my internals servers. I have a Internal Certification Authority and it certificate was distributed to ours Browsers on Workstations that have a need to access the servers by Web Browser. I generated a certificate with wildcard for my servers and when i access the servers by web browser the following message is showed "O servidor v221t001.prevnet usa um certificado de segurança inválido. O certificado é válido somente para *.prevnet. (Código do erro: ssl_error_bad_cert_domain)". I would like some help to solve it problem. I thank everyone for attention.

2 3

slaptest conversion of acl regex's drops backslashes
by Nick Milas 06 Jun '12

06 Jun '12

Hi, I used slaptest to convert a set of ACLs from standard to dynamic format using slaptest. I noticed that backslashes (used to escape characters) in regexes are silently dropped after conversion. For example: access to dn.regex="^dc=\b\d{1,3}\.\d{1,3}\.\d{1,3}\b\.in-addr\.arpa,ou=dns,dc=example,dc=com$" by group.exact="cn=Admins,ou=Groups,dc=example,dc=com" write becomes: olcAccess: {xx}to dn.regex="^dc=\b\d{1,3}\.\d{1,3}\.\d{1,3}\b\.in-addr\.arpa,ou=dns,dc=example,dc=com$" by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=noa,dc=gr" write Is this expected behavior? Or am I doing something wrong? Please advise. Thanks, Nick

2 6

ACL rule match if client certificate was used?
by Patrick Hemmer 05 Jun '12

05 Jun '12

Is there any way to create an ACL rule which will match if a client certificate was used on the connection or not? I'd like to do an ACL such as to attrs=userPassword by peername.ip="1.2.3.0%255.255.255.0" auth by client_ssf="64" auth Also set olcTLSVerifyClient=try This will let our internal network authenticate against ldap without needing a client cert, but anyone outside our internal network must have one. We would then use our own CA to create certificates for all the clients and tell OpenLDAP to trust only that CA. Obviously client_ssf doesnt exist, but is there another way of accomplishing this goal? -Patrick

3 4

openldap gssapi bind
by Sajid K 05 Jun '12

05 Jun '12

hi, i'm writing an AD client for mac i'm able to get a kerberos ticket and can also bind to AD using ldap_gssapi_bind and everything works fine I can do searches modify/create attributes etc. when I unbind and try to bind to a different server, it hangs in a "select" call inside openldap lib. even though I've successfully got a TGS ticket before binding. I'm using heimdal for kerberos implementation. I also have cyrusSASL in the project. in one of my test environments it tries to go back to old "server" to get ticket. so I'm assuming there is some sort of caching involved here. before rebinding I always delete the credential cache file and krb5.conf and re create them for new server. I'm not using an conf file with openldap. What could be going on is there some kind of caching somewhere in library? there are no errors when unbinding and I can also see a call getting to server when I unbind. Thanks..

3 2

Re: Replication and user password change
by Hugo Deprez 04 Jun '12

04 Jun '12

Hello, I am trying to do some quite the same thing : trying to send failed authentification made on the consumer to the master. I am using ppolicy overlay. I added the following to the consumer : # Referal updateref ldaps://master.domain.fr ppolicy_forward_updates When I add this on the consumer, accounts are not anymore locked on failed authentification. pwdFailureTime are not register or sent to the master.. Should I use slapo-chain too ? Regards, Hugo On 6 April 2012 18:12, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Friday, April 06, 2012 3:57 PM +0200 Jacques Foucry > <jacques.foucry(a)novasparks.com> wrote: > >> On 04/04/2012 05:59 PM, anax wrote: >> >> Hello, >> >>> updateref ldap://ldapmaster.symas.com >>> >>> http://www.openldap.org/doc/admin24/replication.html#Replication%20Techn >>> ology >> >> >> Well after reading the docs, I made some test on a VM. >> >> My goal is to allow users to change there password. >> >> I have a working replication VM. On this VM I can login with my LDAP >> password (PAM on this VM is client of the replica). >> >> When I try to change the password, using the passwd cmd this error occurs: > > > I suggest you look at slapo-chain. > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

3 4

ACL control with break
by Nick Milas 04 Jun '12

04 Jun '12

At slapd.access we read (about the control keywords): One useful application is to easily grant write privileges to an updatedn that is different from the rootdn. In this case, since the updatedn needs write access to (almost) all data, one can use access to * by dn.exact="cn=The Update DN,dc=example,dc=com" write by * break as the first access rule. As a consequence, unless the operation is performed with the updatedn identity, control is passed straight to the subsequent rules. I have the following question. If below the above ACL we add another ACL like: access to dn.subtree="ou=people,dc=example,dc=com" by dn.exact="cn=Some Other DN,dc=example,dc=com" by * none ...doesn't this mean that the second ACL will override the first, so that "The Update DN" will no longer have access to the whole DIT (as was intended), since, based on the second ACL, "The Update DN"does not have access to "ou=people" branch? If this is the case, then the first ACL is not enough, but care must be taken to avoid any privilege revocation(s) from "The Update DN", by following ACLs. Or the existence of the former rule means that access has been *definitively decided* for "The Update DN" (i.e. "by" clause match(es) in the first ACL) and any subsequent access statements (later ACLs) can affect *ONLY* other users (i.e. whatever "by" clause matches, *except* "The Update DN")?? This is what I understand from the statement "As a consequence, unless the operation is performed with the updatedn identity, control is passed straight to the subsequent rules." Can you please clarify which is the case? Thanks, Nick

3 9

Syncrepl partial replication based on attribute problem
by Jeffrey Crawford 02 Jun '12

02 Jun '12

Hello, I had thought I tested this beforehand but I seem to be able to reliably reproduce the following situation: We have an installation where the provider server has information that is replicated to downstream replicas using the syncrepl protocol. The account used to replicate is allowed to see records where certain attributes meet specific values, a silly example is an attribute is set dn: uid=somerecord,ou=people,dc=ucsc,dc=edu replicateMe: TRUE ... When an account has that attribute set it then replicates to the downstream replica, however if later we set replicateMe to FALSE so that the account used for replication can no longer see the entry, it seems to be orphaned and is not removed in the replica. We are using OpenLDAP 2.4.26 and I have the syncprov sessionlog set to 500 and the replica is set to refreshAndPersist. Is this something that is simply not supported? or would a case like this be expected to work and I've either got a configuration issue or a bug? Thanks Jeffrey

3 7

Several questions on Openldap for migration
by Francois Gnu 01 Jun '12

01 Jun '12

Hello everybody, First of all, sorry in advance for my approximate English. I have several questions. Questions for which I did not find answer until today, despite one very large number of reading of docs, faqs, tickets etc. (I did not necessarily read everything, internet is so vast). Presentation: I have to migrate all the servers of the company, from ubuntu 10.04.3lts (package openldap 2.4.21) to ubuntu 12.04lts (package openldap 2.4.28). Configuration: Configuration of openldap, identical on all the servers (Masters and Slaves), configuration of dynamic type (with cn=config ), with reference ldap Masters in the config of slaves ; syncrepl (N-Way) Multi-Master mode. All servers are VMs on kvm. Questions: Questions according to several scenarios: - there are problems of synchronization between 2 Masters, if the one is in 2.4.21 and the other one in 2.4.28? - there are problems of synchronization between 2 servers, if 1 Master is in 2.4.21 and 1/severals Slave(s) in 2.4.28? - there are problems of synchronization between 2 servers, if 1 Master is in 2.4.28 and 1/several Slaves in 2.4.21? - I want to do an update of part of the slaves servers. What it is better to use?: acl or in syscrepl? Which is the most flexible? MDB backend: - can one use now the backend-mdb new in "production mode" with openldap 2.4.28? Is it with good/enough stability? Or do I have to stay with the backend-hdb and migrate towards backend-mdb later? - Is it pisible to migrate from backend-hdb towards backend-mdb for server in production, in the future? Tcmalloc: - I placed tcmalloc in this file '/etc/init.d/slapd' as this "LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.0". Is it good? Is it the good place/file? - where can I find track of its load (of tcmalloc)? How can I see the functioning of tcmalloc? In what file of log? The LSOF command no give nothing. - it is indicated in the site "[URL="http://code.google.com/r/heybrowny-higmysql/source/browse/google-perftools-…"]http://code.google.com/.../google-perftools-1.8.3/README[/URL]" > "TCMALLOC_DEBUG=<level> -- the higher level, the more messages malloc emits". It is indicated that more the number increase and more tcmalloc verbose. But it is not indicated/informed has what corresponds the numeros (levels) of log and until how much? -to use "TCMALLOC_DEBUG", I have to use "LD_PRELOAD=/usr/lib/libtcmalloc_minimal_debug.so.0" or keep "LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.0"? Backups and restore: -the opinions diverge. Indeed, to make a backup/restore, slapadd command is enough with the file created with slapcat? Or i need to integrate (with slapadd) at first the config file (cn=config file) and then the acl config file and then the data of the users that were created at the first installation of openldap 2.4.21? So, I installed and configured openldap in 2005 on a debian for the needs of a company but today many things changed and difficult to find itself there. Thank you in advance for taking time and your answers. Francois ------ Librement

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2012