Error, ldap_start_tls failed (-11)
by arun.sasi1@wipro.com
Hello Guillaume Rousse/team,
I am getting the error below from the master server when I give the 636 port number in my HDB config file:
Sep 16 06:41:59 gb0135embldap01 slapd[4672]: conn=349739 fd=39 ACCEPT from IP=163.183.2.145:43965 (IP=0.0.0.0:636)
Sep 16 06:41:59 gb0135embldap01 slapd[4672]: conn=349739 fd=39 closed (TLS negotiation failure)
and when I give 389 in my HDB config, I get the message below from the master server:
Sep 16 06:31:51 gb0135embldap01 slapd[4672]: conn=349046 fd=38 ACCEPT from IP=163.183.2.145:49242 (IP=0.0.0.0:389)
Sep 16 06:31:51 gb0135embldap01 slapd[4672]: conn=349046 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 16 06:31:51 gb0135embldap01 slapd[4672]: conn=349046 op=0 STARTTLS
Sep 16 06:31:51 gb0135embldap01 slapd[4672]: conn=349046 op=0 RESULT oid= err=0 text=
Sep 16 06:31:51 gb0135embldap01 slapd[4672]: conn=349040 op=6 SRCH base="ou=Groups,dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=443298))"
Sep 16 06:31:51 gb0135embldap01 slapd[4672]: conn=349040 op=6 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Sep 16 06:31:51 gb0135embldap01 slapd[4672]: conn=349040 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 16 06:31:51 gb0135embldap01 slapd[4672]: conn=349044 op=2 UNBIND
Sep 16 06:31:51 gb0135embldap01 slapd[4672]: conn=349044 fd=19 closed
Sep 16 06:31:51 gb0135embldap01 slapd[4672]: conn=349037 fd=60 closed (connection lost)
but not much data replication happened; I get the message below from the slave server...
for 636
Sep 16 10:47:26 ae0043app05 slapd[10982]: slap_client_connect: URI=ldap://gb0135embldap01.emb.slb.com:636 Error, ldap_start_tls failed (-1)
Sep 16 10:47:26 ae0043app05 slapd[10982]: do_syncrepl: rid=365 rc -1 retrying
for 389
Sep 16 10:31:42 ae0043app05 slapd[10282]: slap_client_connect: URI=ldap://gb0135embldap01.emb.slb.com:389 Error, ldap_start_tls failed (-11)
I don't know how to check TLS manually... could you please help me...
Thanks & Regards,
Arun Sasi Venmalassery
-------------------------------------------------------------------------------------------------------------------------------------
Sr. Engineer - Server Management (UNIX),
Wipro Ltd (Dubai) |Mob: +971 566489491 | E: arun.sasi1(a)wipro.com
________________________________________
From: openldap-technical-bounces(a)OpenLDAP.org [openldap-technical-bounces(a)OpenLDAP.org] on behalf of openldap-technical-request(a)OpenLDAP.org [openldap-technical-request(a)OpenLDAP.org]
Sent: Friday, September 14, 2012 5:30 PM
To: openldap-technical(a)openldap.org
Subject: openldap-technical Digest, Vol 58, Issue 12
Date: Thu, 13 Sep 2012 14:38:20 +0200
From: Guillaume Rousse <guillomovitch(a)gmail.com>
To: openldap-technical(a)openldap.org
Subject: Re: Error, ldap_start_tls failed (-11)
On 13/09/2012 14:16, arun.sasi1(a)wipro.com wrote:
> Hello Team,
>
> I have an issue with OpenLDAP TLS based replication
>
> Getting below error
> slap_client_connect: URI=ldap://gb0135embldap01.emb.slb.com Error,
> ldap_start_tls failed (-11)
> Sep 13 16:13:34 ae0043app05 slapd[2582]: do_syncrepl: rid=365 rc -11
> retrying
>
> I have openLDAP in Ubuntu 9.04 version 2.4.19 then I thought to upgrade
> it and first I upgraded on my consumer openldap server which I migrated
> to Ubuntu 12.04 and version 2.4.28.
>
> I have created the certificate for my consumer from existing server. but
> when I go for TLS based replication, the database is not syncing and it
> is synching when remove starttls=no
What does the master log say, and did you try a manual connection with
the same credentials from the slave to the master, using TLS?
--
BOFH excuse #166:
/pub/lunch
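Guillaume asks for a manual TLS connection from the slave to the master, and the logs above show the two modes involved (StartTLS on 389, LDAPS on 636). The script below is an added example, not code from the thread: it sends the StartTLS extended request by hand, reads the server's reply, and completes the handshake with certificate verification; the host, port and CA file you pass in are placeholders for the master's real values.

```python
"""Manual StartTLS / LDAPS check against an OpenLDAP provider (added example, not
from the thread). Sends the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037,
the one in the master's log) on a plain LDAP port, then completes the handshake."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def _tlv(buf, i):
    """Read one BER TLV at offset i; returns (tag, value, next_offset)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] IMPLICIT OCTET STRING
    ext = b"\x77" + bytes([len(name)]) + name                    # [APPLICATION 23] constructed
    body = b"\x02\x01" + bytes([msg_id]) + ext                   # INTEGER messageID, then request
    return b"\x30" + bytes([len(body)]) + body                   # outer SEQUENCE (short-form length)

def parse_extended_response(resp):
    """Return (resultCode, diagnosticMessage) from an extendedResp [APPLICATION 24]."""
    tag, msg, _ = _tlv(resp, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, i = _tlv(msg, 0)                              # messageID
    tag, body, _ = _tlv(msg, i)
    if tag != 0x78:
        raise ValueError("expected extendedResp, got tag 0x%02x" % tag)
    _, rc, i = _tlv(body, 0)                            # ENUMERATED resultCode
    _, _, i = _tlv(body, i)                             # matchedDN
    _, diag, _ = _tlv(body, i)                          # diagnosticMessage
    return rc[0], diag.decode("utf-8", "replace")

def check_starttls(host, port=389, cafile=None, timeout=5):
    """ldap:// + StartTLS: plain connect, exop, then handshake. Returns a verdict line."""
    ctx = ssl.create_default_context(cafile=cafile)     # verifies chain and hostname
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_starttls_request())
        rc, diag = parse_extended_response(sock.recv(4096))
        if rc != 0:
            return "StartTLS refused: resultCode=%d %s" % (rc, diag)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "StartTLS ok: %s" % tls.version()

def check_ldaps(host, port=636, cafile=None, timeout=5):
    """ldaps://: the handshake comes first; a plaintext StartTLS request sent here
    fails the handshake, which the master logs as 'TLS negotiation failure'."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "LDAPS ok: %s" % tls.version()
```

Run check_starttls(host) and check_ldaps(host) from the consumer with cafile pointing at the CA that signed the master's certificate; an ssl.SSLError from either call names the certificate problem the syncrepl log hides behind rc -1/-11. A URI of the form ldap://host:636 with StartTLS sends the plaintext request to a port that expects the handshake first, which matches the 636 failure in both logs.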
Need help on ACL
by Alexis GÜNST HORN
Hello to all,
I need your help with OpenLDAP ACL.
Here is my DIT:
dc=example,dc=com
  ou=Users
    uid=user1
    uid=user2
  ou=Groups
    cn=...
    cn=...
I use that to do Unix Auth with pam. It works fine.
Now, I need to modify my tree like this:
dc=example,dc=com
  ou=Users
    uid=user1
    uid=user2
    ou=Foo
      uid=user3
      uid=user4
  ou=Groups
    cn=...
    cn=...
So, I've added the OU "foo" to "Ou=Users".
In my network, all PCs are configured with pam_ldap reading
"dc=example,dc=com". So, when I do:
$ getent passwd
I have :
user1
user2
user3
user4
What I want:
* if I'm an "Ou=Users" member, for example "user1", with pam_ldap suffix
"dc=example,dc=com":
$ getent passwd
user1
user2
* if I'm an "Ou=Foo" member, for example "user_b", with pam_ldap suffix
"dc=example,dc=com":
$ getent passwd
user3
user4
Is it possible to do so without modifying the DIT structure? (only with
ACL?)
Thanks a lot for your help.
--
Alexis GÜNST HORN
System administrator
Exascale Computing Research
insert an olcAccess line in cn=config?
by Aaron Bennett
Hi,
This might be more of an Apache Directory Studio question, so please forgive me...
I'm using Apache Directory studio to edit cn=config and I have some lines like this:
olcAccess: {0}to attrs=foo by <stuff>
olcAccess: {1}to attrs=bar by <stuff>
olcAccess: {2}to attrs=booboo <stuff>
olcAccess: {3}to * by <stuff> read
Order is important in these - so how do I add a value between {1} and {2}, for example? If I add olcAccess: to mailattr by <stuff> read then it goes in as olcAccess: {4} and as I understand ACLs it will never get it because the preceding * will match first, right?
- Aaron
---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
Openldap to radius
by Jason Sigurdur
Hi, we have a service that only implements LDAP authentication. We would like to use RADIUS. Is there a method to allow bridging from LDAP to RADIUS?
jason
Error, ldap_start_tls failed (-11)
by arun.sasi1@wipro.com
Hello Team,
I have an issue with OpenLDAP TLS based replication
Getting below error
slap_client_connect: URI=ldap://gb0135embldap01.emb.slb.com Error, ldap_start_tls failed (-11)
Sep 13 16:13:34 ae0043app05 slapd[2582]: do_syncrepl: rid=365 rc -11 retrying
I have OpenLDAP 2.4.19 on Ubuntu 9.04; then I thought to upgrade it, and first I upgraded my consumer OpenLDAP server, which I migrated to Ubuntu 12.04 and version 2.4.28.
I have created the certificate for my consumer from the existing server, but when I go for TLS based replication the database is not syncing, and it is syncing when I remove starttls=no.
Any idea why this is happening?
Thanks & Regards,
Arun Sasi Venmalassery
-------------------------------------------------------------------------------------------------------------------------------------
Sr. Engineer - Server Management (UNIX),
Wipro Ltd (Dubai) |Mob: +971 566489491 | E: arun.sasi1(a)wipro.com
Re: ACL entry creation restricted to objectClass
by deepee@gmx.net
>> is it possible to restrict the creation of an entry to a specific
>> objectClass? If so, any hint or assistance would be very welcome.
>>
>> Thank you very much!
>>
>> Background information follows here:
>>
>> The attrs "@person" within the following acl statement seems to have no
>> effect (during creation). It seems to me attrs=entry already is granting
>> access to "all values" (of all kind of attributes?):
>@<objectClass name> is a shortcut for "all attributes required/allowed by
>objectClass 'name'". In order to restrict access to specific values of
>the objectClass attribute you need to use the form
>access to attrs=objectClass val=person
...
>p.
Many thanks for your answer.
hmmm, so my usage of @<objectClass name> sounds correct to me. Please have a look at my original example: I wanted to restrict a newly created entry to be of class "person" only. Thus I restricted the attrs using @person, in the hope that account-specific attributes (uid, serialNumber) are denied.
Nevertheless, the logs show that an account entry is created.
The sample acl statement works as intended in the case of a modify operation (ldapmodify'ing a single attribute of an existing entry). During creation, attrs=entry seems to override the oc-specific restriction, or slapd cannot differentiate between different objectClasses and/or attributes during entry creation (ldapadd)?
If I'm wrong, could you please give me a short example acl set that denies the creation of account but grants creation of person entries?
Thanks again!
slapindex with mdb
by Marco Schirrmeister
Hi,
when I run slapindex with my mdb backend the data.mdb file grows and grows, and when the configured maxsize (100GB) is reached it stops with "cannot allocate memory":
50505d1e => mdb_idl_insert_keys: c_put id failed: Cannot allocate memory (12)
50505d1e => mdb_tool_entry_reindex: txn_aborted! err=80
To test, I created a very basic config. See below.
Created a test ldif file with the LDIFGen.jar with 100000 DNs. The file is 110MB.
In slapd.conf only 1 index is configured: uid with eq,sub.
When I load this file with slapadd the data.mdb file gets to 268MB (without any configured index, 220MB).
When I then run a slapindex, data.mdb grows to 20GB.
If I add 2 more attributes to index, data.mdb gets to 36GB:
index givenname eq,sub
index sn eq,sub
My question is, is this normal? Why does the data file get so big with a slapindex and not with a slapadd?
OpenLDAP version is 2.4.32 on CentOS6 64bit.
# cat /etc/openldap2.4/slapd.conf
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/corba.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/java.schema
include /usr/share/openldap2.4/schema/krb5-kdc.schema
include /usr/share/openldap2.4/schema/kerberosobject.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/autofs.schema
pidfile /var/run/ldap2.4/slapd.pid
argsfile /var/run/ldap2.4/slapd.args
modulepath /usr/lib64/oldap24/openldap2.4
moduleload back_monitor.la
moduleload accesslog.la
moduleload syncprov.la
moduleload auditlog.la
loglevel stats
serverID 40 ldap://ds71.ogilvy.com
database mdb
suffix "dc=ogilvy,dc=com"
rootdn "cn=manager,dc=ogilvy,dc=com"
rootpw secret
directory /var/lib/ldap2.4/ogilvy.com
limits dn.exact="cn=manager,dc=ogilvy,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
sizelimit 90000
checkpoint 256 5
dbnosync
maxsize 104857600000
index uid eq,sub
monitoring on
database config
rootdn "cn=admin,cn=config"
rootpw secret
database monitor
rootdn cn=monitor
rootpw secret
--
Marco
ACL entry creation restricted to objectClass
by deepee@gmx.net
Hi,
is it possible to restrict the creation of an entry to a specific objectClass? If so, any hint or assistance would be very welcome.
Thank you very much!
Background information follows here:
The attrs "@person" within the following acl statement seems to have no effect (during creation). It seems to me attrs=entry already is granting access to "all values" (of all kind of attributes?):
-----------------------
#slapd version: HEAD (also REL_ENG_2_4)
-----------------------
#acl:
access to dn.base="dc=example,dc=org" attrs=children
by users write
access to dn.one="dc=example,dc=org" attrs=entry,@person
by users write
by anonymous auth
-----------------------
#ldapmodify -x -H "ldap://localhost:333/" -D "uid=user,dc=example,dc=org" -w user -f /tmp/example_operation.ldif
-----------------------
#/tmp/example_operation.ldif:
#add a person entry:
dn: cn=hello,dc=example,dc=org
changetype: add
objectClass: person
objectClass: top
cn: hello
sn: hello
userPassword: hello
#add an account entry:
dn: cn=world,dc=example,dc=org
changetype: add
objectClass: device
objectClass: top
cn:world
serialNumber: 1
#both operations succeed, see log below
-----------------------
#log (level 128):
5050a940 => access_allowed: result not in cache (userPassword)
5050a940 => access_allowed: auth access to "uid=user,dc=example,dc=org" "userPassword" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => dn: [2] dc=example,dc=org
5050a940 => acl_get: [2] matched
5050a940 => acl_get: [2] attr userPassword
5050a940 => acl_mask: access to entry "uid=user,dc=example,dc=org", attr "userPassword" requested
5050a940 => acl_mask: to value by "", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= check a_dn_pat: anonymous
5050a940 <= acl_mask: [2] applying auth(=xd) (stop)
5050a940 <= acl_mask: [2] mask: auth(=xd)
5050a940 => slap_access_allowed: auth access granted by auth(=xd)
5050a940 => access_allowed: auth access granted by auth(=xd)
5050a940 => access_allowed: add access to "dc=example,dc=org" "children" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => acl_get: [1] matched
5050a940 => acl_get: [1] attr children
5050a940 => acl_mask: access to entry "dc=example,dc=org", attr "children" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access to "cn=hello,dc=example,dc=org" "entry" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => dn: [2] dc=example,dc=org
5050a940 => acl_get: [2] matched
5050a940 => acl_get: [2] attr entry
5050a940 => acl_mask: access to entry "cn=hello,dc=example,dc=org", attr "entry" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access to "dc=example,dc=org" "children" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => acl_get: [1] matched
5050a940 => acl_get: [1] attr children
5050a940 => acl_mask: access to entry "dc=example,dc=org", attr "children" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access to "cn=world,dc=example,dc=org" "entry" requested
5050a940 => dn: [1] dc=example,dc=org
5050a940 => dn: [2] dc=example,dc=org
5050a940 => acl_get: [2] matched
5050a940 => acl_get: [2] attr entry
5050a940 => acl_mask: access to entry "cn=world,dc=example,dc=org", attr "entry" requested
5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
5050a940 <= check a_dn_pat: users
5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
5050a940 <= acl_mask: [1] mask: write(=wrscxd)
5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
5050a940 => access_allowed: add access granted by write(=wrscxd)
pam_password exop
by teoman.onay@degroof.be
Hi,
Could you give me some more info on this parameter: pam_password exop
All I've found is this:
The directive "pam_password exop" tells pam-ldap to change passwords in a
way that allows OpenLDAP to apply the hashing algorithm specified in
/etc/ldap/slapd.conf, instead of attempting to hash locally and write the
result directly into the database.
Does this mean that the password is sent in clear to the LDAP server and then
hashed over there? It looks like a huge security flaw ...
I've used tcpdump and unfortunately my password appears in clear ... does
using it imply enabling TLS?
Regards
Teoman ONAY
HashCat for {CRYPT}
by Selcuk Yazar
Hi,
Can we decrypt OpenLDAP userpassword object values with HashCat?
I tried with the md5 hash type but it gave a line length exception:
oclHashcat-plus64.exe --hash-type 500
C:\hashcat\oclHashcat-plus\example500.hash C:\rockyou.txt
C:\hashcat\oclHashcat-plus\example.dict
thanks in advance
--
Selçuk YAZAR
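Before anyone feeds a directory's hashes to a cracker, the defender's first question is which storage schemes the directory actually holds. The script below is an added example, not from the thread: it reads an LDIF export such as slapcat produces (the base64 "userPassword::" form and folded lines included) and classifies each value by its {SCHEME} prefix and, for {CRYPT}, by the crypt(3) identifier that follows it. SAMPLE_LDIF and the ADEQUATE cut-off are this example's own constructions.

```python
"""Inventory of userPassword storage schemes in an LDIF export (added example, not from
the thread). Handles the base64 'userPassword::' form and folded lines, and splits
{CRYPT} values by their crypt(3) identifier; SAMPLE_LDIF is constructed data."""
import base64
from collections import Counter
ADEQUATE = {"{CRYPT} sha256crypt", "{CRYPT} sha512crypt", "{CRYPT} bcrypt", "{ARGON2}"}  # salted+iterated; this example's own cut-off
CRYPT_IDS = (("$1$", "md5crypt"), ("$5$", "sha256crypt"), ("$6$", "sha512crypt"), ("$2", "bcrypt"))

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {CRYPT}$6$saltsalt$notarealhash

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: {CRYPT}$1$saltsalt$notarealhash

dn: uid=carol,ou=People,dc=example,dc=com
userPassword:: e1NTSEF9bm90YXJlYWxoYXNo

dn: uid=dave,ou=People,dc=example,dc=com
userPassword: plaintextsecret
"""

def parse_ldif(text):
    """Return [(dn, userPassword)] for every entry that carries a userPassword."""
    lines = []
    for raw in text.splitlines():               # unfold: a leading space continues the line above
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                   # the trailing "" flushes the last entry
        if not line:                            # blank line ends an entry
            if "userpassword" in cur:
                entries.append((cur.get("dn", "?"), cur["userpassword"]))
            cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):                 # "attr:: <base64>" (slapcat uses it for userPassword)
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        cur[attr.lower()] = val.strip()
    return entries

def classify(value):
    if not value.startswith("{"):               # no scheme prefix at all: stored in cleartext
        return "cleartext"
    scheme, _, rest = value[1:].partition("}")
    if scheme.upper() != "CRYPT":
        return "{%s}" % scheme.upper()
    names = [n for p, n in CRYPT_IDS if rest.startswith(p)]
    return "{CRYPT} " + (names[0] if names else "traditional DES")   # DES: 8-char password limit

def audit(text):
    schemes = [(dn, classify(pw)) for dn, pw in parse_ldif(text)]   # (Counter of schemes, DNs to rotate)
    return Counter(s for _, s in schemes), [dn for dn, s in schemes if s not in ADEQUATE]
```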