openldap-technical October 2013

openldap-technical@openldap.org

63 participants
67 discussions

sasl/plain with hashed password not working
by btb 10 Oct '13

10 Oct '13

i've enabled the plain sasl mech, and testing with ldapwhoami works, but only if the userpassword is left as plaintext. if hashing [ssha] is used, it fails. a simple bind succeeds. what am i doing wrong? >ldapwhoami -H 'ldap://dsa4.example.com/' -Y 'plain' -U 'flash' -w 'xxxxxxxx' SASL/PLAIN authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: Password verification failed 524b7989 daemon: activity on 1 descriptor 524b7989 daemon: activity on:524b7989 524b7989 slap_listener_activate(7): 524b7989 daemon: epoll: listen=7 busy 524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL 524b7989 >>> slap_listener(ldap:///) 524b7989 daemon: activity on 1 descriptor 524b7989 daemon: activity on:524b7989 524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL 524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL 524b7989 daemon: listen=7, new connection on 16 524b7989 daemon: added 16r (active) listener=(nil) 524b7989 daemon: activity on 1 descriptor 524b7989 daemon: activity on:524b7989 524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL 524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL 524b7989 conn=1014 fd=16 ACCEPT from IP=192.168.1.81:35171 (IP=0.0.0.0:389) 524b7989 daemon: activity on 1 descriptor 524b7989 daemon: activity on:524b7989 16r524b7989 524b7989 daemon: read active on 16 524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL 524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL 524b7989 connection_get(16) 524b7989 connection_get(16): got connid=1014 524b7989 connection_read(16): checking for input on id=1014 ber_get_next ldap_read: want=8, got=8 0000: 30 22 02 01 01 60 1d 02 0"...`.. ldap_read: want=28, got=28 0000: 01 03 04 00 a3 16 04 05 50 4c 41 49 4e 04 0d 00 ........PLAIN... 0010: 66 6c 61 73 68 00 74 69 67 67 65 72 flash.xxxxxxx ber_get_next: tag 0x30 len 34 contents: ber_dump: buf=0x7f1580103750 ptr=0x7f1580103750 end=0x7f1580103772 len=34 0000: 02 01 01 60 1d 02 01 03 04 00 a3 16 04 05 50 4c ...`..........PL 0010: 41 49 4e 04 0d 00 66 6c 61 73 68 00 74 69 67 67 AIN...flash.xxxx 0020: 65 72 xxxxxx 524b7989 op tag 0x60, time 1380678025 ber_get_next ldap_read: want=8 error=Resource temporarily unavailable 524b7989 conn=1014 op=0 do_bind 524b7989 daemon: activity on 1 descriptor ber_scanf fmt ({imt) ber: ber_dump: buf=0x7f1580103750 ptr=0x7f1580103753 end=0x7f1580103772 len=31 0000: 60 1d 02 01 03 04 00 a3 16 04 05 50 4c 41 49 4e `..........PLAIN 0010: 04 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72 ...flash.xxxxxxxx ber_scanf fmt ({m) ber: ber_dump: buf=0x7f1580103750 ptr=0x7f158010375a end=0x7f1580103772 len=24 0000: 00 16 04 05 50 4c 41 49 4e 04 0d 00 66 6c 61 73 ....PLAIN...flas 0010: 68 00 74 69 67 67 65 72 h.xxxxxxxxx ber_scanf fmt (m) ber: ber_dump: buf=0x7f1580103750 ptr=0x7f1580103763 end=0x7f1580103772 len=15 0000: 00 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72 ...flash.xxxxxxx ber_scanf fmt (}}) ber: ber_dump: buf=0x7f1580103750 ptr=0x7f1580103772 end=0x7f1580103772 len=0 524b7989 >>> dnPrettyNormal: <> 524b7989 <<< dnPrettyNormal: <>, <> 524b7989 conn=1014 op=0 BIND dn="" method=163 524b7989 do_bind: dn () SASL mech PLAIN 524b7989 ==> sasl_bind: dn="" mech=PLAIN datalen=13 524b7989 SASL Canonicalize [conn=1014]: authcid="flash" 524b7989 slap_sasl_getdn: conn 1014 id=flash [len=5] => ldap_dn2bv(16) <= ldap_dn2bv(uid=flash,cn=PLAIN,cn=auth)=0 524b7989 slap_sasl_getdn: u:id converted to uid=flash,cn=PLAIN,cn=auth 524b7989 >>> dnNormalize: <uid=flash,cn=PLAIN,cn=auth> => ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth,0) <= ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=flash,cn=plain,cn=auth)=0 524b7989 <<< dnNormalize: <uid=flash,cn=plain,cn=auth> 524b7989 ==>slap_sasl2dn: converting SASL name uid=flash,cn=plain,cn=auth to a DN 524b7989 ==> rewrite_context_apply [depth=1] string='uid=flash,cn=plain,cn=auth' 524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)] 524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)] 524b7989 ==> rewrite_context_apply [depth=1] res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'} 524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" -> "uid=flash,ou=people,ou=accounts,dc=example,dc=com" 524b7989 slap_parseURI: parsing uid=flash,ou=people,ou=accounts,dc=example,dc=com ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com) 524b7989 >>> dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com> => ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0) <= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0 524b7989 <<< dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com> 524b7989 <==slap_sasl2dn: Converted SASL name to uid=flash,ou=people,ou=accounts,dc=example,dc=com 524b7989 slap_sasl_getdn: dn:id converted to uid=flash,ou=people,ou=accounts,dc=example,dc=com 524b7989 SASL Canonicalize [conn=1014]: slapAuthcDN="uid=flash,ou=people,ou=accounts,dc=example,dc=com" 524b7989 SASL Canonicalize [conn=1014]: authcid="flash" 524b7989 slap_sasl_getdn: conn 1014 id=flash [len=5] => ldap_dn2bv(16) <= ldap_dn2bv(uid=flash,cn=PLAIN,cn=auth)=0 524b7989 slap_sasl_getdn: u:id converted to uid=flash,cn=PLAIN,cn=auth 524b7989 >>> dnNormalize: <uid=flash,cn=PLAIN,cn=auth> => ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth,0) <= ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=flash,cn=plain,cn=auth)=0 524b7989 <<< dnNormalize: <uid=flash,cn=plain,cn=auth> 524b7989 ==>slap_sasl2dn: converting SASL name uid=flash,cn=plain,cn=auth to a DN 524b7989 ==> rewrite_context_apply [depth=1] string='uid=flash,cn=plain,cn=auth' 524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)] 524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)] 524b7989 ==> rewrite_context_apply [depth=1] res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'} 524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" -> "uid=flash,ou=people,ou=accounts,dc=example,dc=com" 524b7989 slap_parseURI: parsing uid=flash,ou=people,ou=accounts,dc=example,dc=com ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com) 524b7989 >>> dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com> => ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0) <= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0 524b7989 <<< dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com> 524b7989 <==slap_sasl2dn: Converted SASL name to uid=flash,ou=people,ou=accounts,dc=example,dc=com 524b7989 slap_sasl_getdn: dn:id converted to uid=flash,ou=people,ou=accounts,dc=example,dc=com 524b7989 SASL Canonicalize [conn=1014]: slapAuthcDN="uid=flash,ou=people,ou=accounts,dc=example,dc=com" 524b7989 => mdb_search 524b7989 mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=com") 524b7989 => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=com") 524b7989 <= mdb_dn2id: got id=0x2c 524b7989 => mdb_entry_decode: 524b7989 <= mdb_entry_decode 524b7989 => access_allowed: auth access to "uid=flash,ou=people,ou=accounts,dc=example,dc=com" "entry" requested 524b7989 => dn: [2] uid=flash,ou=people,ou=accounts,dc=example,dc=com 524b7989 => acl_get: [2] matched 524b7989 => acl_get: [2] attr entry 524b7989 => acl_mask: access to entry "uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "entry" requested 524b7989 => acl_mask: to all values by "", (=0) 524b7989 <= check a_dn_pat: self 524b7989 <= check a_dn_pat: users 524b7989 <= check a_dn_pat: anonymous 524b7989 <= acl_mask: [3] applying auth(=xd) (stop) 524b7989 <= acl_mask: [3] mask: auth(=xd) 524b7989 => slap_access_allowed: auth access granted by auth(=xd) 524b7989 => access_allowed: auth access granted by auth(=xd) 524b7989 base_candidates: base: "uid=flash,ou=people,ou=accounts,dc=example,dc=com" (0x0000002c) 524b7989 => test_filter 524b7989 daemon: activity on:524b7989 PRESENT 524b7989 => access_allowed: auth access to "uid=flash,ou=people,ou=accounts,dc=example,dc=com" "objectClass" requested 524b7989 => dn: [2] uid=flash,ou=people,ou=accounts,dc=example,dc=com 524b7989 => acl_get: [2] matched 524b7989 => acl_get: [2] attr objectClass 524b7989 => acl_mask: access to entry "uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "objectClass" requested 524b7989 => acl_mask: to all values by "", (=0) 524b7989 <= check a_dn_pat: self 524b7989 <= check a_dn_pat: users 524b7989 <= check a_dn_pat: anonymous 524b7989 <= acl_mask: [3] applying auth(=xd) (stop) 524b7989 <= acl_mask: [3] mask: auth(=xd) 524b7989 => slap_access_allowed: auth access granted by auth(=xd) 524b7989 => access_allowed: auth access granted by auth(=xd) 524b7989 <= test_filter 6 524b7989 => access_allowed: auth access to "uid=flash,ou=people,ou=accounts,dc=example,dc=com" "userPassword" requested 524b7989 => acl_get: [1] attr userPassword 524b7989 => acl_mask: access to entry "uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "userPassword" requested 524b7989 => acl_mask: to all values by "", (=0) 524b7989 <= check a_dn_pat: anonymous 524b7989 <= acl_mask: [1] applying auth(=xd) (stop) 524b7989 <= acl_mask: [1] mask: auth(=xd) 524b7989 => slap_access_allowed: auth access granted by auth(=xd) 524b7989 => access_allowed: auth access granted by auth(=xd) 524b7989 slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined 524b7989 send_ldap_result: conn=1014 op=0 p=3 524b7989 send_ldap_result: err=0 matched="" text="" 524b7989 SASL [conn=1014] Failure: Password verification failed 524b7989 send_ldap_result: conn=1014 op=0 p=3 524b7989 send_ldap_result: err=49 matched="" text="SASL(-13): user not found: Password verification failed" 524b7989 send_ldap_response: msgid=1 tag=97 err=49 ber_flush2: 69 bytes to sd 16 0000: 30 43 02 01 01 61 3e 0a 01 31 04 00 04 37 53 41 0C...a>..1...7SA 0010: 53 4c 28 2d 31 33 29 3a 20 75 73 65 72 20 6e 6f SL(-13): user no 0020: 74 20 66 6f 75 6e 64 3a 20 50 61 73 73 77 6f 72 t found: Passwor 0030: 64 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 66 d verification f 0040: 61 69 6c 65 64 ailed ldap_write: want=69, written=69 0000: 30 43 02 01 01 61 3e 0a 01 31 04 00 04 37 53 41 0C...a>..1...7SA 0010: 53 4c 28 2d 31 33 29 3a 20 75 73 65 72 20 6e 6f SL(-13): user no 0020: 74 20 66 6f 75 6e 64 3a 20 50 61 73 73 77 6f 72 t found: Passwor 0030: 64 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 66 d verification f 0040: 61 69 6c 65 64 ailed 524b7989 conn=1014 op=0 RESULT tag=97 err=49 text=SASL(-13): user not found: Password verification failed 524b7989 <== slap_sasl_bind: rc=49 524b7989 524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL 524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL 524b7989 daemon: activity on 1 descriptor 524b7989 daemon: activity on:524b7989 16r524b7989 524b7989 daemon: read active on 16 524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL 524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL 524b7989 connection_get(16) 524b7989 connection_get(16): got connid=1014 524b7989 connection_read(16): checking for input on id=1014 ber_get_next ldap_read: want=8, got=7 0000: 30 05 02 01 02 42 00 0....B. ber_get_next: tag 0x30 len 5 contents: ber_dump: buf=0x7f1584117620 ptr=0x7f1584117620 end=0x7f1584117625 len=5 0000: 02 01 02 42 00 ...B. 524b7989 op tag 0x42, time 1380678025 ber_get_next ldap_read: want=8, got=0 524b7989 ber_get_next on fd 16 failed errno=0 (Success) 524b7989 connection_read(16): input error=-2 id=1014, closing. 524b7989 connection_closing: readying conn=1014 sd=16 for close 524b7989 daemon: activity on 1 descriptor 524b7989 daemon: activity on:524b7989 524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL 524b7989 connection_close: deferring conn=1014 sd=16 524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL 524b7989 conn=1014 op=1 do_unbind 524b7989 conn=1014 op=1 UNBIND 524b7989 connection_resched: attempting closing conn=1014 sd=16 524b7989 connection_close: conn=1014 sd=16 524b7989 daemon: removing 16 524b7989 conn=1014 fd=16 closed

4 7

slapcat backup with empty DNs
by Samir Cury 10 Oct '13

10 Oct '13

Dear all, The problem I'm having is simple, although I didn't find much eplanations for it, once I try to backup the database with : slapcat -v -l ldap-backup5.ldif It works nicely, except that _all_ entries have : dn: structuralObjectClass: organizationalUnit dn: objectClass: organizationalRole cn: Manager dn: structuralObjectClass: inetOrgPerson entryUUID: e8ef2300-f04c-10fb-9b02-a54a91b9c30b (empty DNs) Although the information is still there, if I ldapsearch one of the entities it comes easily : ldapsearch -x -LLL '(uid=samir)' dn: cn=Samir Cury,ou=abc,ou=def,dc=org,dc=edu cn: Samir Cury Siqueira objectClass: inetOrgPerson is this problem obvious to any of you? The only similar case I found in the history was :http://www.openldap.org/lists/openldap-technical/201201/msg00160.html Which doesn't have a clear outcome. Any hint on where to look at? Thanks, Samir ==== Aditional information - just in case ==== My setup is a 1 Master 1 Slave of slapd 2.3.43. Relevant information is that after the master's hardware died, few days later the slave started to misbehave and probably got the DB corrupted. slapd_db_recover seems to have fixed it as now it is working just fine, log messages from before the error / recovery : #slapcat -v -l ldap-backup.ldif bdb_db_open: unclean shutdown detected; attempting recovery. bdb_db_open: Recovery skipped in read-only mode. Run manual recovery if errors are encountered. #slapd_db_recover -v -h /var/lib/ldap Finding last valid log LSN: file: 2 offset 6078834 Recovery starting from [2][6065934] Recovery complete at Wed Oct 9 16:42:55 2013 Maximum transaction ID 8000c207 Recovery checkpoint [2][6091589] -- slapcat now has no warnings/errors -- I suspect slightly of this as I've read that corrupted databases can cause such effects, but the ldapsearch with full DNs makes me think that it didn't happen. ==== / Aditional information ====

2 1

another CSN too old N-WAY master
by Lanfeust troy 10 Oct '13

10 Oct '13

hi all, sometimes my server a not in sync. because server ignoring entry: do_syncrep2: rid=102 CSN too old, ignoring 20130923090023.266239Z#000000#002#000000 @(#) $OpenLDAP: slapd 2.4.33 (....) 4 server host1 and host 2: only one database c=fr ( contain an ou=apps-ext ) host3 and host 4: tow database: first ou=apps-ext (glued with c=fr ). writable by host1,2,3,4 second c=fr writable only by host1,2 ldap-int1 and ldap-int2 cn=config also into syncrepl mirrorMode ldap-ext1 and ldap-ext2 cn=config also into syncrepl mirrorMode Configuration: grep serverID /etc/openldap/slapd.d/* /etc/openldap/slapd.d/cn=config.ldif:olcServerID: 1 ldaps://ldap-int1.dom.fr /etc/openldap/slapd.d/cn=config.ldif:olcServerID: 2 ldaps://ldap-int2.dom.fr /etc/openldap/slapd.d/cn=config.ldif:olcServerID: 3 ldaps:// ldap-ext1.vlandata.dom.fr /etc/openldap/slapd.d/cn=config.ldif:olcServerID: 4 ldaps:// ldap-ext2.vlandata.dom.fr syncrepl: ldap-int1 and ldap-int2 cn=config also into syncrepl olcSyncrepl: {0}rid=101 provider=ldaps://ldap-int1.dom.frbinddn="uid=syncrepl ,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX sea rchbase="c=fr" tls_reqcert=never type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1 olcSyncrepl: {1}rid=102 provider=ldaps://ldap-int2.cdoms.frbinddn="uid=syncrepl ,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX sea rchbase="c=fr" tls_reqcert=never type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1 olcSyncrepl: {2}rid=103 provider=ldaps://ldap-ext2.vlandata.dom.frbinddn="uid =syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XX XXXX tls_reqcert=never searchbase="o=apps-ext,c=fr" type=refreshAndPersist r etry="5 5 300 +" timeout=1 olcSyncrepl: {3}rid=104 provider=ldaps://ldap-ext1.vlandata.dom.frbinddn="uid =syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXX XXXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist r etry="5 5 300 +" timeout=1 syncrepl host3 and host4: database apps-ext: olcSyncrepl: {0}rid=303 provider=ldaps://ldap-ext1.vlandata.dom.frbinddn="uid =syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXX XXXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist r etry="5 5 300 +" timeout=1 olcSyncrepl: {1}rid=304 provider=ldaps://ldap-ext2.vlandata.dom.frbinddn="uid =syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXX XXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist r etry="5 5 300 +" timeout=1 database c=fr: olcSyncrepl: {0}rid=201 provider=ldaps://ldap-int1.dom.frbinddn="uid=syncrepl ,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX sea rchbase="c=fr" tls_reqcert=never type=refreshOnly interval=00:00:00:10 retry= "5 5 300 +" timeout=1 olcSyncrepl: {1}rid=202 provider=ldaps://ldap-int2.dom.frbinddn="uid=syncrepl ,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXX tls _reqcert=never searchbase="c=fr" type=refreshOnly interval=00:00:00:10 retry= "5 5 300 +" timeout=1 log message into ldap-int1: ep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 LDAP_RES_INTERMEDIATE - NEW_COOKIE Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 NEW_COOKIE: rid=104,sid=003,csn=20130304121522.188962Z#000000#000#000000;20130920094938.821063Z#000000#001#000000;20130923081114.470856Z#000000#002#000000;20130920094950.036431Z#000000#003#000000;20130912174047.679980Z#000000#004#000000;20130304131428.455916Z#000000#00b#000000;20130304125618.164164Z#000000#00c#000000 Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 LDAP_RES_INTERMEDIATE - NEW_COOKIE Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 NEW_COOKIE: rid=104,sid=003,csn=20130304121522.188962Z#000000#000#000000;20130920094938.821063Z#000000#001#000000;20130923090023.733719Z#000000#002#000000;20130920094950.036431Z#000000#003#000000;20130912174047.679980Z#000000#004#000000;20130304131428.455916Z#000000#00b#000000;20130304125618.164164Z#000000#00c#000000 Sep 23 09:00:26 ldap-int1 slapd[30481]: slap_queue_csn: queing 0x7f3787471a90 20130923090023.733719Z#000000#002#000000 Sep 23 09:00:26 ldap-int1 slapd[30481]: slap_graduate_commit_csn: removing 0x7f37873baa10 20130923090023.733719Z#000000#002#000000 Sep 23 09:00:27 ldap-int1 slapd[30481]: syncprov_matchops: skipping original sid 002 Sep 23 09:00:27 ldap-int1 slapd[30481]: slap_graduate_commit_csn: removing 0x7f37803e9320 20130923090023.225026Z#000000#002#000000 Sep 23 09:00:27 ldap-int1 slapd[30481]: syncrepl_entry: rid=102 be_add cn=502257-dt-global-gridded-adt-ref,ou=affectations,ou=console,o=apps,c=fr (0) Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 cookie=rid=102,sid=002,csn=20130923090023.266239Z#000000#002#000000 Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 CSN too old, ignoring 20130923090023.266239Z#000000#002#000000 (cn=502257-dt-med-gridded-sla-ref,ou=affectations,ou=console,o=apps,c=fr) Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 cookie=rid=102,sid=002,csn=20130923090023.278474Z#000000#002#000000 Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 CSN too old, ignoring 20130923090023.278474Z#000000#002#000000 (cn=502257-dt-blacksea-alongtrack-sla-ref,ou=affectations,ou=console,o=apps,c=fr) time sync host1 ntpq> lpeers remote refid st t when poll reach delay offset jitter ============================================================================== *date.dom.fr 145.238.203.10 3 u 676 1024 377 1.592 0.284 0.018 +date2.dom.fr 145.238.203.10 3 u 295 1024 377 2.681 -0.410 0.326 host2 ntpq> lpeers remote refid st t when poll reach delay offset jitter ============================================================================== *date.dom.fr 145.238.203.10 3 u 954 1024 377 1.028 1.012 0.343 +date2.dom.fr 145.238.203.10 3 u 413 1024 377 2.171 0.098 0.606 does somebody see what is wrong . thanks

6 14

Solaris 10 tls:simple binding to OpenLDAP
by Ben Babich 10 Oct '13

10 Oct '13

Folks, I have been fighting along getting some Solaris 10 nodes (both SPARC and x86) to talk via TLS/SSL to our OpenLDAP infrastructure. Without SSL (tls:simple) it binds and functions fine which in my mind rules out most of the usual culprits. As for the certificates, I have verified connectivity with the certificate via openssl s_client -connect <fqdn> -CAfile <cacert> -showcerts but I cannot get the correct version/combination of certutil to setup the appropriate keystore (cert[78].db, key3.db and secmod.db) and make the native SUN ldapsearch or native ldapclient work correctly. Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258 daemon.warning] libsldap: Status: 91 Mesg: createTLSSession: failed to initialize TLS security (security library: bad database.) Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 292100 daemon.warning] libsldap: could not remove <ldapserver> from servers list Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn. # certutil -d /var/ldap -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CA certificate CT,, # ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= <masked> NS_LDAP_BINDPASSWD= <masked> NS_LDAP_SERVERS= <masked> NS_LDAP_SEARCH_BASEDN= <masked> NS_LDAP_AUTH= tls:simple NS_LDAP_CACHETTL= 0 NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_HOST_CERTPATH= /var/ldap # I've tried a few of the older certutil's getting around, including the one from here: along with libraries from openCSW to get it all working http://www.gurulabs.com/downloads/certutil-1.0-sol9-sun4u-local.gz I'm pretty sure its the cert database or something to do with certutill being painful. Any suggestions? Thanks Ben

2 1

Allow invalid certificates for a single host
by Jared 09 Oct '13

09 Oct '13

Hi, all. I'm having trouble figuring out how to allow SSL connections (using ldapsearch) to a single host with an invalid certificate. I know this can be done using TLS_REQCERT=allow (or never), but the same account also connects to multiple other hosts using certificate-based authentication, and the problem is that I can get those two configurations to work together. To illustrate, here's the current ~/.ldaprc file for this user: TLS_CERT /home/ldap/certs/admin.crt TLS_KEY /home/ldap/certs/admin.key TLS_REQCERT demand SASL_MECH external That works fine for everything but this one new host. I'm not able to fix the the SSL issue on this host, so for now I need to work around it. If I replace the above ~/.ldaprc with this: HOST server.domain.com PORT 636 TLS_REQCERT allow Then ldapsearch works fine for this new server, but, of course, SASL/cert auth fails for everything else. So, how do I get these to work together, with that first configuration example set as the default for all hosts *except* server.domain.com? Here's what I've tried so far: * Appending the configuration for server.domain.com to the existing ~/.ldaprc file - it doesn't have an effect, like the global stuff is overriding the host-specific options * Adding the server.domain.com config to /etc/openldap/ldap.conf, but ~/.ldaprc takes precedence over this, so again it has no effect. * Creating a separate ~/.ldaprc-server file and exporting LDAPRC=.ldaprc-server - in this case, both ~/.ldaprc AND ~/.ldaprc-server are sourced (found using strace), so again my host-specific settings are ignored. * exporting both LDAPNOINIT=true and LDAPRC=.ldaprc-server, but that prevents either rc file from being sourced * exporting LDAPNOINIT=true and calling ldapsearch with: LDAPTLS_REQCERT=allow ldapsearch -H ldaps://server.domain.com ... - this also seems to have no effect, though I'm sure I must be missing something simple, but I'm out of ideas at this point. Would appreciate any tips or pointers. Thanks! -- Jared

4 13

Modification hooks for the OpenLDAP system
by Mailing Lists 09 Oct '13

09 Oct '13

Hi, I was looking into OpenLDAP and couldn't find the following information in the documentation: Is there any possibility to have hooks in the openLDAP system which allow a customizable action to be performed when records are added/deleted/updated? An example for this would be to send a message to an external system in case a modification of the directory service has occured, so that this system can act on this (the 'external' system could, of course, belong to the same organization as well). E.g. for improving synchronization with GAE (but I could name some other uses for it too). I have found a prior post on hooks for authentication (http://www.openldap.org/lists/openldap-software/200510/msg00549.html) but this is not what I am looking for. If it is not supported in openLDAP, are there any plug-ins which do support it? Thanks in advance!

3 2

New release request
by Marco Pizzoli 09 Oct '13

09 Oct '13

Hi all, considered the importance of the patches which have landed in the last few days, could I ask to start with a testing call for a new release? I'm confident they could solve the crashes I have been facing since I started working heavily with back-mdb and I'm only allowed to work with "official" releases. Thanks in advance as usual Marco

2 1

Some things strange
by Jacques Foucry 09 Oct '13

09 Oct '13

Hello list, On a test VM I create a replica of my LDAP server, install pureFtp-ldap and configure it. It work perfectly. I can login on my vm, use ftp user too. But when I try to start ldap with the init script, it failed. I found that on the log file: > Oct 8 16:02:38 ldap-test slapd[3507]: @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $#012#011root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd > Oct 8 16:02:38 ldap-test slapd[3507]: daemon: bind(10) failed errno=2 (No such file or directory) > Oct 8 16:02:38 ldap-test slapd[3507]: slapd stopped. > Oct 8 16:02:38 ldap-test slapd[3507]: connections_destroy: nothing to destroy. If I launch it on the cli: # slapd Everything work perfectly. I can figure what's wrong with the startup script. Is somebody could see what's wrong ? Thanks in advance, Jacques Foucry -- Jacques Foucry *NOVΛSPARKS * IT Manager Tel : +33 (0)1 42 68 12 61 jacques.foucry(a)novasparks.com

2 2

slapo-lastbind and chaining
by Christian Kratzer 08 Oct '13

08 Oct '13

Hi, it seems this has been asked before but I am not sure of the conclusion: http://www.openldap.org/lists/openldap-technical/201211/msg00078.html I have setup setup with slapo-lastbind configured on some slaves that have a working chaining configuration to the masters. It seems that the authTimestmap attribute from slapo-lastbind is not getting replicated. >From looking at the source code for lastbind it seems we would need to implement something similar to olcPPolicyForwardUpdates from ppolicy.c If none of the gurus here don't object the code looks clean enough that I would attempt to port forwarding of updates from slapo-ppolicy to slapo-lastbind. ( olcLastbindForwardUpdates ) Greetings Christian -- Christian Kratzer CK Software GmbH Email: ck(a)cksoft.de Wildberger Weg 24/2 Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer

4 6

Problem TLS
by felas 07 Oct '13

07 Oct '13

Hi i have installed OpenLdap in local, and i try to enabled the TLS Auth. I follow this guide https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-ser… but when i try to auth with my program(in Eclipse) i have this error: Unable to connect to server 192.168.1.156:636 (91) Connect Error java.net.ConnectException: Connection Refused

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2013