sasl/plain with hashed password not working
by btb
i've enabled the plain sasl mech, and testing with ldapwhoami works, but
only if the userpassword is left as plaintext. if hashing [ssha] is
used, it fails. a simple bind succeeds. what am i doing wrong?
>ldapwhoami -H 'ldap://dsa4.example.com/' -Y 'plain' -U 'flash' -w 'xxxxxxxx'
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: Password verification failed
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 slap_listener_activate(7):
524b7989 daemon: epoll: listen=7 busy
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 >>> slap_listener(ldap:///)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 daemon: listen=7, new connection on 16
524b7989 daemon: added 16r (active) listener=(nil)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 conn=1014 fd=16 ACCEPT from IP=192.168.1.81:35171 (IP=0.0.0.0:389)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989 16r524b7989
524b7989 daemon: read active on 16
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 connection_get(16)
524b7989 connection_get(16): got connid=1014
524b7989 connection_read(16): checking for input on id=1014
ber_get_next
ldap_read: want=8, got=8
0000: 30 22 02 01 01 60 1d 02 0"...`..
ldap_read: want=28, got=28
0000: 01 03 04 00 a3 16 04 05 50 4c 41 49 4e 04 0d 00
........PLAIN...
0010: 66 6c 61 73 68 00 74 69 67 67 65 72
flash.xxxxxxx
ber_get_next: tag 0x30 len 34 contents:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103750 end=0x7f1580103772 len=34
0000: 02 01 01 60 1d 02 01 03 04 00 a3 16 04 05 50 4c
...`..........PL
0010: 41 49 4e 04 0d 00 66 6c 61 73 68 00 74 69 67 67
AIN...flash.xxxx
0020: 65 72 xxxxxx
524b7989 op tag 0x60, time 1380678025
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
524b7989 conn=1014 op=0 do_bind
524b7989 daemon: activity on 1 descriptor
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103753 end=0x7f1580103772 len=31
0000: 60 1d 02 01 03 04 00 a3 16 04 05 50 4c 41 49 4e
`..........PLAIN
0010: 04 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72
...flash.xxxxxxxx
ber_scanf fmt ({m) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f158010375a end=0x7f1580103772 len=24
0000: 00 16 04 05 50 4c 41 49 4e 04 0d 00 66 6c 61 73
....PLAIN...flas
0010: 68 00 74 69 67 67 65 72 h.xxxxxxxxx
ber_scanf fmt (m) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103763 end=0x7f1580103772 len=15
0000: 00 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72
...flash.xxxxxxx
ber_scanf fmt (}}) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103772 end=0x7f1580103772 len=0
524b7989 >>> dnPrettyNormal: <>
524b7989 <<< dnPrettyNormal: <>, <>
524b7989 conn=1014 op=0 BIND dn="" method=163
524b7989 do_bind: dn () SASL mech PLAIN
524b7989 ==> sasl_bind: dn="" mech=PLAIN datalen=13
524b7989 SASL Canonicalize [conn=1014]: authcid="flash"
524b7989 slap_sasl_getdn: conn 1014 id=flash [len=5]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=flash,cn=PLAIN,cn=auth)=0
524b7989 slap_sasl_getdn: u:id converted to uid=flash,cn=PLAIN,cn=auth
524b7989 >>> dnNormalize: <uid=flash,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,cn=plain,cn=auth)=0
524b7989 <<< dnNormalize: <uid=flash,cn=plain,cn=auth>
524b7989 ==>slap_sasl2dn: converting SASL name
uid=flash,cn=plain,cn=auth to a DN
524b7989 ==> rewrite_context_apply [depth=1]
string='uid=flash,cn=plain,cn=auth'
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth'
string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth'
string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_context_apply [depth=1]
res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}
524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" ->
"uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 slap_parseURI: parsing
uid=flash,ou=people,ou=accounts,dc=example,dc=com
ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)
524b7989 >>> dnNormalize:
<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
524b7989 <<< dnNormalize:
<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
524b7989 <==slap_sasl2dn: Converted SASL name to
uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 slap_sasl_getdn: dn:id converted to
uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 SASL Canonicalize [conn=1014]:
slapAuthcDN="uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 SASL Canonicalize [conn=1014]: authcid="flash"
524b7989 slap_sasl_getdn: conn 1014 id=flash [len=5]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=flash,cn=PLAIN,cn=auth)=0
524b7989 slap_sasl_getdn: u:id converted to uid=flash,cn=PLAIN,cn=auth
524b7989 >>> dnNormalize: <uid=flash,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,cn=plain,cn=auth)=0
524b7989 <<< dnNormalize: <uid=flash,cn=plain,cn=auth>
524b7989 ==>slap_sasl2dn: converting SASL name
uid=flash,cn=plain,cn=auth to a DN
524b7989 ==> rewrite_context_apply [depth=1]
string='uid=flash,cn=plain,cn=auth'
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth'
string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth'
string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_context_apply [depth=1]
res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}
524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" ->
"uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 slap_parseURI: parsing
uid=flash,ou=people,ou=accounts,dc=example,dc=com
ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)
524b7989 >>> dnNormalize:
<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
524b7989 <<< dnNormalize:
<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
524b7989 <==slap_sasl2dn: Converted SASL name to
uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 slap_sasl_getdn: dn:id converted to
uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 SASL Canonicalize [conn=1014]:
slapAuthcDN="uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 => mdb_search
524b7989 mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=com")
524b7989 => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=com")
524b7989 <= mdb_dn2id: got id=0x2c
524b7989 => mdb_entry_decode:
524b7989 <= mdb_entry_decode
524b7989 => access_allowed: auth access to
"uid=flash,ou=people,ou=accounts,dc=example,dc=com" "entry" requested
524b7989 => dn: [2] uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 => acl_get: [2] matched
524b7989 => acl_get: [2] attr entry
524b7989 => acl_mask: access to entry
"uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "entry" requested
524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: self
524b7989 <= check a_dn_pat: users
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [3] applying auth(=xd) (stop)
524b7989 <= acl_mask: [3] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)
524b7989 base_candidates: base:
"uid=flash,ou=people,ou=accounts,dc=example,dc=com" (0x0000002c)
524b7989 => test_filter
524b7989 daemon: activity on:524b7989 PRESENT
524b7989 => access_allowed: auth access to
"uid=flash,ou=people,ou=accounts,dc=example,dc=com" "objectClass" requested
524b7989 => dn: [2] uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 => acl_get: [2] matched
524b7989 => acl_get: [2] attr objectClass
524b7989 => acl_mask: access to entry
"uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "objectClass"
requested
524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: self
524b7989 <= check a_dn_pat: users
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [3] applying auth(=xd) (stop)
524b7989 <= acl_mask: [3] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)
524b7989 <= test_filter 6
524b7989 => access_allowed: auth access to
"uid=flash,ou=people,ou=accounts,dc=example,dc=com" "userPassword" requested
524b7989 => acl_get: [1] attr userPassword
524b7989 => acl_mask: access to entry
"uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "userPassword"
requested
524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [1] applying auth(=xd) (stop)
524b7989 <= acl_mask: [1] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)
524b7989 slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type
undefined
524b7989 send_ldap_result: conn=1014 op=0 p=3
524b7989 send_ldap_result: err=0 matched="" text=""
524b7989 SASL [conn=1014] Failure: Password verification failed
524b7989 send_ldap_result: conn=1014 op=0 p=3
524b7989 send_ldap_result: err=49 matched="" text="SASL(-13): user not
found: Password verification failed"
524b7989 send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 69 bytes to sd 16
0000: 30 43 02 01 01 61 3e 0a 01 31 04 00 04 37 53 41
0C...a>..1...7SA
0010: 53 4c 28 2d 31 33 29 3a 20 75 73 65 72 20 6e 6f SL(-13):
user no
0020: 74 20 66 6f 75 6e 64 3a 20 50 61 73 73 77 6f 72 t found:
Passwor
0030: 64 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 66 d
verification f
0040: 61 69 6c 65 64 ailed
ldap_write: want=69, written=69
0000: 30 43 02 01 01 61 3e 0a 01 31 04 00 04 37 53 41
0C...a>..1...7SA
0010: 53 4c 28 2d 31 33 29 3a 20 75 73 65 72 20 6e 6f SL(-13):
user no
0020: 74 20 66 6f 75 6e 64 3a 20 50 61 73 73 77 6f 72 t found:
Passwor
0030: 64 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 66 d
verification f
0040: 61 69 6c 65 64 ailed
524b7989 conn=1014 op=0 RESULT tag=97 err=49 text=SASL(-13): user not
found: Password verification failed
524b7989 <== slap_sasl_bind: rc=49
524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989 16r524b7989
524b7989 daemon: read active on 16
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 connection_get(16)
524b7989 connection_get(16): got connid=1014
524b7989 connection_read(16): checking for input on id=1014
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 02 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f1584117620 ptr=0x7f1584117620 end=0x7f1584117625 len=5
0000: 02 01 02 42 00 ...B.
524b7989 op tag 0x42, time 1380678025
ber_get_next
ldap_read: want=8, got=0
524b7989 ber_get_next on fd 16 failed errno=0 (Success)
524b7989 connection_read(16): input error=-2 id=1014, closing.
524b7989 connection_closing: readying conn=1014 sd=16 for close
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 connection_close: deferring conn=1014 sd=16
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 conn=1014 op=1 do_unbind
524b7989 conn=1014 op=1 UNBIND
524b7989 connection_resched: attempting closing conn=1014 sd=16
524b7989 connection_close: conn=1014 sd=16
524b7989 daemon: removing 16
524b7989 conn=1014 fd=16 closed
9 years, 7 months
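The symptom in this thread is a SASL/PLAIN bind that only succeeds while userPassword is cleartext. As an added illustration, not code from the post or from OpenLDAP, the block below parses an RFC 4616 PLAIN message (the `\0authcid\0password` layout visible in the ber_dump above) and shows the difference between checking it against a cleartext value and against an RFC 2307 style {SSHA} value: the latter can only be verified by rehashing with the stored salt, never by byte comparison. The user name and password in the sample are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SSHA_PREFIX = "{SSHA}"


def parse_sasl_plain(message: bytes) -> Tuple[str, str, bytes]:
    """Split an RFC 4616 PLAIN message: [authzid] NUL authcid NUL password."""
    parts = message.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed SASL PLAIN message")
    authzid, authcid, password = parts
    return authzid.decode("utf-8"), authcid.decode("utf-8"), password


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: bytes) -> bool:
    """Recover the salt from the stored value, rehash the candidate, compare in constant time."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def naive_compare(stored: str, candidate: bytes) -> bool:
    """Byte-for-byte comparison: what a cleartext-only verifier does with the stored value."""
    return hmac.compare_digest(stored.encode("utf-8"), candidate)


def check_plain_bind(message: bytes, stored_userpassword: str) -> Tuple[str, bool]:
    """Return (authcid, ok) for a PLAIN message checked against one userPassword value.

    A scheme prefix selects the verifier; a bare value is compared as cleartext.
    """
    _authzid, authcid, password = parse_sasl_plain(message)
    if stored_userpassword.startswith(SSHA_PREFIX):
        return authcid, ssha_verify(stored_userpassword, password)
    if stored_userpassword.startswith("{"):
        raise ValueError("unsupported password scheme")
    return authcid, naive_compare(stored_userpassword, password)


# Constructed sample: user "flash" authenticating with a made-up password.
SAMPLE_MESSAGE = b"\x00flash\x00hunter2"
SAMPLE_SSHA = ssha_hash(b"hunter2", salt=b"\x01\x02\x03\x04")
```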
slapcat backup with empty DNs
by Samir Cury
Dear all,
The problem I'm having is simple, although I didn't find many
explanations for it. Once I try to back up the database with:
slapcat -v -l ldap-backup5.ldif
It works nicely, except that _all_ entries have:
dn:
structuralObjectClass: organizationalUnit
dn:
objectClass: organizationalRole
cn: Manager
dn:
structuralObjectClass: inetOrgPerson
entryUUID: e8ef2300-f04c-10fb-9b02-a54a91b9c30b
(empty DNs)
Although the information is still there; if I ldapsearch one of the
entities it comes easily:
ldapsearch -x -LLL '(uid=samir)'
dn: cn=Samir Cury,ou=abc,ou=def,dc=org,dc=edu
cn: Samir Cury Siqueira
objectClass: inetOrgPerson
Is this problem obvious to any of you?
The only similar case I found in the history was
http://www.openldap.org/lists/openldap-technical/201201/msg00160.html,
which doesn't have a clear outcome.
Any hint on where to look at?
Thanks,
Samir
==== Additional information - just in case ====
My setup is 1 Master, 1 Slave of slapd 2.3.43. Relevant information
is that after the master's hardware died, a few days later the slave
started to misbehave and probably got the DB corrupted.
slapd_db_recover seems to have fixed it, as now it is working just
fine. Log messages from before the error / recovery:
#slapcat -v -l ldap-backup.ldif
bdb_db_open: unclean shutdown detected; attempting recovery.
bdb_db_open: Recovery skipped in read-only mode. Run manual recovery
if errors are encountered.
#slapd_db_recover -v -h /var/lib/ldap
Finding last valid log LSN: file: 2 offset 6078834
Recovery starting from [2][6065934]
Recovery complete at Wed Oct 9 16:42:55 2013
Maximum transaction ID 8000c207 Recovery checkpoint [2][6091589]
-- slapcat now has no warnings/errors --
I slightly suspect this, as I've read that corrupted databases can
cause such effects, but the ldapsearch with full DNs makes me think
that it didn't happen.
==== / Additional information ====
another CSN too old N-WAY master
by Lanfeust troy
hi all,
Sometimes my servers are not in sync, because a server is ignoring entries:
do_syncrep2: rid=102 CSN too old, ignoring
20130923090023.266239Z#000000#002#000000
@(#) $OpenLDAP: slapd 2.4.33 (....)
4 servers:
host1 and host2: only one database, c=fr (containing an ou=apps-ext)
host3 and host4: two databases:
first: ou=apps-ext (glued with c=fr), writable by host1,2,3,4
second: c=fr, writable only by host1,2
ldap-int1 and ldap-int2: cn=config also in syncrepl mirrorMode
ldap-ext1 and ldap-ext2: cn=config also in syncrepl mirrorMode
Configuration:
grep serverID /etc/openldap/slapd.d/*
/etc/openldap/slapd.d/cn=config.ldif:olcServerID: 1 ldaps://ldap-int1.dom.fr
/etc/openldap/slapd.d/cn=config.ldif:olcServerID: 2 ldaps://ldap-int2.dom.fr
/etc/openldap/slapd.d/cn=config.ldif:olcServerID: 3 ldaps://ldap-ext1.vlandata.dom.fr
/etc/openldap/slapd.d/cn=config.ldif:olcServerID: 4 ldaps://ldap-ext2.vlandata.dom.fr
syncrepl:
ldap-int1 and ldap-int2 cn=config also into syncrepl
olcSyncrepl: {0}rid=101 provider=ldaps://ldap-int1.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX searchbase="c=fr" tls_reqcert=never type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1
olcSyncrepl: {1}rid=102 provider=ldaps://ldap-int2.cdoms.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX searchbase="c=fr" tls_reqcert=never type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1
olcSyncrepl: {2}rid=103 provider=ldaps://ldap-ext2.vlandata.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX tls_reqcert=never searchbase="o=apps-ext,c=fr" type=refreshAndPersist retry="5 5 300 +" timeout=1
olcSyncrepl: {3}rid=104 provider=ldaps://ldap-ext1.vlandata.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist retry="5 5 300 +" timeout=1
syncrepl host3 and host4:
database apps-ext:
olcSyncrepl: {0}rid=303 provider=ldaps://ldap-ext1.vlandata.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist retry="5 5 300 +" timeout=1
olcSyncrepl: {1}rid=304 provider=ldaps://ldap-ext2.vlandata.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist retry="5 5 300 +" timeout=1
database c=fr:
olcSyncrepl: {0}rid=201 provider=ldaps://ldap-int1.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX searchbase="c=fr" tls_reqcert=never type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout=1
olcSyncrepl: {1}rid=202 provider=ldaps://ldap-int2.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXX tls_reqcert=never searchbase="c=fr" type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout=1
log message into ldap-int1:
Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 LDAP_RES_INTERMEDIATE - NEW_COOKIE
Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 NEW_COOKIE:
rid=104,sid=003,csn=20130304121522.188962Z#000000#000#000000;20130920094938.821063Z#000000#001#000000;20130923081114.470856Z#000000#002#000000;20130920094950.036431Z#000000#003#000000;20130912174047.679980Z#000000#004#000000;20130304131428.455916Z#000000#00b#000000;20130304125618.164164Z#000000#00c#000000
Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104
LDAP_RES_INTERMEDIATE - NEW_COOKIE
Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 NEW_COOKIE:
rid=104,sid=003,csn=20130304121522.188962Z#000000#000#000000;20130920094938.821063Z#000000#001#000000;20130923090023.733719Z#000000#002#000000;20130920094950.036431Z#000000#003#000000;20130912174047.679980Z#000000#004#000000;20130304131428.455916Z#000000#00b#000000;20130304125618.164164Z#000000#00c#000000
Sep 23 09:00:26 ldap-int1 slapd[30481]: slap_queue_csn: queing
0x7f3787471a90 20130923090023.733719Z#000000#002#000000
Sep 23 09:00:26 ldap-int1 slapd[30481]: slap_graduate_commit_csn: removing
0x7f37873baa10 20130923090023.733719Z#000000#002#000000
Sep 23 09:00:27 ldap-int1 slapd[30481]: syncprov_matchops: skipping
original sid 002
Sep 23 09:00:27 ldap-int1 slapd[30481]: slap_graduate_commit_csn: removing
0x7f37803e9320 20130923090023.225026Z#000000#002#000000
Sep 23 09:00:27 ldap-int1 slapd[30481]: syncrepl_entry: rid=102 be_add
cn=502257-dt-global-gridded-adt-ref,ou=affectations,ou=console,o=apps,c=fr
(0)
Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102
cookie=rid=102,sid=002,csn=20130923090023.266239Z#000000#002#000000
Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 CSN too old,
ignoring 20130923090023.266239Z#000000#002#000000
(cn=502257-dt-med-gridded-sla-ref,ou=affectations,ou=console,o=apps,c=fr)
Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102
cookie=rid=102,sid=002,csn=20130923090023.278474Z#000000#002#000000
Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 CSN too old,
ignoring 20130923090023.278474Z#000000#002#000000
(cn=502257-dt-blacksea-alongtrack-sla-ref,ou=affectations,ou=console,o=apps,c=fr)
time sync
host1
ntpq> lpeers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*date.dom.fr     145.238.203.10   3 u  676 1024  377    1.592    0.284   0.018
+date2.dom.fr    145.238.203.10   3 u  295 1024  377    2.681   -0.410   0.326
host2
ntpq> lpeers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*date.dom.fr     145.238.203.10   3 u  954 1024  377    1.028    1.012   0.343
+date2.dom.fr    145.238.203.10   3 u  413 1024  377    2.171    0.098   0.606
Does somebody see what is wrong?
thanks
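The "CSN too old, ignoring" lines in the ldap-int1 log above can be reproduced from the NEW_COOKIE the same server had just received on rid=104: syncrepl accepts an incoming change only when its CSN is strictly newer than the contextCSN it already holds for that CSN's server ID (the sid field), and the sid=002 value in that cookie is later than the two rid=102 CSNs the log then discards. The block below is an added example, not code from the poster or from OpenLDAP; the cookie and the first two incoming CSNs are copied from the log, the remaining CSNs are constructed.

```python
import re
from typing import Dict, List, Tuple

# CSN layout: <14-digit UTC time>.<6 microsecond digits>Z#<6 hex count>#<3 hex sid>#<6 hex mod>
CSN_RE = re.compile(r"^\d{14}\.\d{6}Z#[0-9a-f]{6}#([0-9a-f]{3})#[0-9a-f]{6}$")


def csn_sid(csn: str) -> int:
    """Return the server ID embedded in a CSN, validating the layout first."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"malformed CSN: {csn}")
    return int(m.group(1), 16)


def parse_cookie(cookie: str) -> Tuple[int, int, Dict[int, str]]:
    """Parse 'rid=N,sid=NNN,csn=<csn>;<csn>;...' into (rid, sid, {sid: csn})."""
    fields = dict(item.split("=", 1) for item in cookie.split(","))
    by_sid: Dict[int, str] = {}
    for csn in fields["csn"].split(";"):
        sid = csn_sid(csn)
        if sid in by_sid:
            raise ValueError(f"duplicate sid {sid:03x} in cookie")
        by_sid[sid] = csn
    return int(fields["rid"]), int(fields["sid"]), by_sid


def apply_update(context: Dict[int, str], csn: str) -> str:
    """Accept the change if its CSN is newer than our contextCSN for the same sid.

    The fields are fixed width, so a plain string comparison orders CSNs chronologically.
    Equal or older CSNs are discarded, which is what slapd reports as 'CSN too old'.
    """
    sid = csn_sid(csn)
    current = context.get(sid)
    if current is not None and csn <= current:
        return "CSN too old, ignoring"
    context[sid] = csn
    return "accepted"


def replay(cookie: str, incoming: List[str]) -> List[Tuple[str, str]]:
    """Start from the cookie's contextCSN set and classify each incoming CSN in order."""
    _rid, _sid, context = parse_cookie(cookie)
    return [(csn, apply_update(context, csn)) for csn in incoming]


# Cookie copied from the ldap-int1 log (second NEW_COOKIE on rid=104).
LOGGED_COOKIE = (
    "rid=104,sid=003,csn="
    "20130304121522.188962Z#000000#000#000000;"
    "20130920094938.821063Z#000000#001#000000;"
    "20130923090023.733719Z#000000#002#000000;"
    "20130920094950.036431Z#000000#003#000000;"
    "20130912174047.679980Z#000000#004#000000;"
    "20130304131428.455916Z#000000#00b#000000;"
    "20130304125618.164164Z#000000#00c#000000"
)

# First two: the rid=102 CSNs the log reports as too old. The rest are constructed.
INCOMING = [
    "20130923090023.266239Z#000000#002#000000",
    "20130923090023.278474Z#000000#002#000000",
    "20130923090100.000000Z#000000#002#000000",  # constructed: newer for sid 002
    "20130923090100.000000Z#000000#001#000000",  # constructed: newer for sid 001
    "20130923090100.000000Z#000000#001#000000",  # constructed: same CSN delivered twice
]


def demo() -> List[Tuple[str, str]]:
    return replay(LOGGED_COOKIE, INCOMING)
```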
Solaris 10 tls:simple binding to OpenLDAP
by Ben Babich
Folks,
I have been fighting along getting some Solaris 10 nodes (both SPARC
and x86) to talk via TLS/SSL to our OpenLDAP infrastructure.
Without SSL (tls:simple) it binds and functions fine which in my mind
rules out most of the usual culprits.
As for the certificates, I have verified connectivity with the
certificate via openssl s_client -connect <fqdn> -CAfile <cacert>
-showcerts, but I cannot get the correct version/combination of
certutil to set up the appropriate keystore (cert[78].db, key3.db and
secmod.db) and make the native SUN ldapsearch or native ldapclient
work correctly.
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258
daemon.warning] libsldap: Status: 91 Mesg: createTLSSession: failed
to initialize TLS security (security library: bad database.)
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 292100
daemon.warning] libsldap: could not remove <ldapserver> from servers
list
Oct 10 10:48:29 solaris1 /usr/lib/nfs/nfsmapid[3668]: [ID 293258
daemon.warning] libsldap: Status: 7 Mesg: Session error no available
conn.
# certutil -d /var/ldap -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CA certificate CT,,
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= <masked>
NS_LDAP_BINDPASSWD= <masked>
NS_LDAP_SERVERS= <masked>
NS_LDAP_SEARCH_BASEDN= <masked>
NS_LDAP_AUTH= tls:simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_HOST_CERTPATH= /var/ldap
#
I've tried a few of the older certutils going around, including the
one from here: http://www.gurulabs.com/downloads/certutil-1.0-sol9-sun4u-local.gz,
along with libraries from openCSW, to get it all working.
I'm pretty sure it's the cert database or something to do with
certutil being painful. Any suggestions?
Thanks
Ben
Allow invalid certificates for a single host
by Jared
Hi, all. I'm having trouble figuring out how to allow SSL connections
(using ldapsearch) to a single host with an invalid certificate. I know
this can be done using TLS_REQCERT=allow (or never), but the same
account also connects to multiple other hosts using certificate-based
authentication, and the problem is that I can get those two
configurations to work together.
To illustrate, here's the current ~/.ldaprc file for this user:
TLS_CERT /home/ldap/certs/admin.crt
TLS_KEY /home/ldap/certs/admin.key
TLS_REQCERT demand
SASL_MECH external
That works fine for everything but this one new host. I'm not able to
fix the SSL issue on this host, so for now I need to work around it.
If I replace the above ~/.ldaprc with this:
HOST server.domain.com
PORT 636
TLS_REQCERT allow
Then ldapsearch works fine for this new server, but, of course,
SASL/cert auth fails for everything else.
So, how do I get these to work together, with that first configuration
example set as the default for all hosts *except* server.domain.com?
Here's what I've tried so far:
* Appending the configuration for server.domain.com to the existing
~/.ldaprc file - it doesn't have an effect, like the global stuff is
overriding the host-specific options
* Adding the server.domain.com config to /etc/openldap/ldap.conf, but
~/.ldaprc takes precedence over this, so again it has no effect.
* Creating a separate ~/.ldaprc-server file and exporting
LDAPRC=.ldaprc-server - in this case, both ~/.ldaprc AND
~/.ldaprc-server are sourced (found using strace), so again my
host-specific settings are ignored.
* exporting both LDAPNOINIT=true and LDAPRC=.ldaprc-server, but that
prevents either rc file from being sourced
* exporting LDAPNOINIT=true and calling ldapsearch with:
LDAPTLS_REQCERT=allow ldapsearch -H ldaps://server.domain.com ... - this
also seems to have no effect, though
I'm sure I must be missing something simple, but I'm out of ideas at
this point. Would appreciate any tips or pointers.
Thanks!
--
Jared
Modification hooks for the OpenLDAP system
by Mailing Lists
Hi,
I was looking into OpenLDAP and couldn't find the following information in the documentation:
Is there any possibility to have hooks in the openLDAP system which allow a customizable action to be performed when records are added/deleted/updated?
An example for this would be to send a message to an external system in case a modification of the directory service has occurred, so that this system can act on it (the 'external' system could, of course, belong to the same organization as well), e.g. for improving synchronization with GAE (but I could name some other uses for it too).
I have found a prior post on hooks for authentication (http://www.openldap.org/lists/openldap-software/200510/msg00549.html) but this is not what I am looking for.
If it is not supported in openLDAP, are there any plug-ins which do support it?
Thanks in advance!
New release request
by Marco Pizzoli
Hi all,
considered the importance of the patches which have landed in the last few
days, could I ask to start with a testing call for a new release?
I'm confident they could solve the crashes I have been facing since I
started working heavily with back-mdb and I'm only allowed to work with
"official" releases.
Thanks in advance as usual
Marco
Some things strange
by Jacques Foucry
Hello list,
On a test VM I created a replica of my LDAP server, installed pureFtp-ldap
and configured it.
It works perfectly. I can log in on my VM, and use an FTP user too.
But when I try to start ldap with the init script, it fails. I found
this in the log file:
> Oct 8 16:02:38 ldap-test slapd[3507]: @(#) $OpenLDAP: slapd (Apr 23 2013 12:16:04) $#012#011root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
> Oct 8 16:02:38 ldap-test slapd[3507]: daemon: bind(10) failed errno=2 (No such file or directory)
> Oct 8 16:02:38 ldap-test slapd[3507]: slapd stopped.
> Oct 8 16:02:38 ldap-test slapd[3507]: connections_destroy: nothing to destroy.
If I launch it on the CLI:
# slapd
Everything works perfectly.
I can figure what's wrong with the startup script.
Could somebody see what's wrong?
Thanks in advance,
Jacques Foucry
--
Jacques Foucry
*NOVΛSPARKS *
IT Manager
Tel : +33 (0)1 42 68 12 61
jacques.foucry(a)novasparks.com
slapo-lastbind and chaining
by Christian Kratzer
Hi,
it seems this has been asked before but I am not sure of the conclusion:
http://www.openldap.org/lists/openldap-technical/201211/msg00078.html
I have a setup with slapo-lastbind configured on some slaves that
have a working chaining configuration to the masters.
It seems that the authTimestamp attribute from slapo-lastbind is not
getting replicated.
From looking at the source code for lastbind it seems we would need
to implement something similar to olcPPolicyForwardUpdates from
ppolicy.c.
If none of the gurus here object, the code looks clean enough
that I would attempt to port forwarding of updates from slapo-ppolicy
to slapo-lastbind (olcLastbindForwardUpdates).
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer