openldap-technical February 2013

openldap-technical@openldap.org

68 participants
72 discussions

integrating open ldap with kerberos and ssl
by Asmaa Ahmed 11 Feb '13

11 Feb '13

Hello, Is it possible to get an open ldap support the both way of authentication?I have a open ldap integrated already with MIT kerberos, and I wonder if I can adapt it to support SSL/TLS as well.The problem is that some applications allow only for simple binding which is not possible with Kerberos.If yes, does any one have a good tutorial for such kind of integration or some guide lines? Thanks.

1 0

valsort and telephone numbers
by Benin Technologies 10 Feb '13

10 Feb '13

Hi, Does anybody use the valsort overlay and its "weighted" method with telephone numbers ? Telephone numbers don't accept braces {} in their syntax, but the braces are used by valsort to define the attribute's weight. What's the best way around this ? An easy way would be to create a custom myMobile attribute, with syntax IA5 string (1.3.6.1.4.1.1466.115.121.1.26) instead of the telephone number syntax (1.3.6.1.4.1.1466.115.121.1.50). IA5 strings accept braces {}. But the tradeoff is that any string can be put in the myMobile attribute. The best way would be to enforce myMobile to accept only telephone numbers (syntax 1.3.6.1.4.1.1466.115.121.1.50), PLUS braces {} Can this be done ? any other idea ?

1 0

Problem with too many concurrent LDAP requests (Postfix+LDAP)
by Denis BUCHER (lists) 09 Feb '13

09 Feb '13

Dear all, I am using LDAP as backend for Postfix for all email accounts. Any email coming to the server is checked against LDAP to check if email is valid, and deliver it accordingly. It works almost perfectly but I have a big problem that arise when receiving (or sending) too many emails at the same time. It looks like slapd server is overwhelmed with too many requests at the same time, which makes postfix getting timeouts. On the postfix side hopefully it's only a "temporary lookup failure" but I want to correct that problem. In the logs I get two kind of LDAP errors : a) * postfix/trivial-rewrite: warning: dict_ldap_lookup: Search error -5: Timed out * postfix/trivial-rewrite: fatal: ldap:/etc/postfix/ldap-domains.cf(0,lock|fold_fix): table lookup problem b) * postfix/smtpd: warning: dict_ldap_connect: Unable to bind to server ldap://localhost:389 as cn=mailadmin, ou=mailservices, dc=domain, dc=ch: -5 (Timed out) If someone had a suggestion on how to optimize the LDAP server to be able to cope with the demand coming from postfix it would be great ! Denis

2 3

Using multi-value attributes for ACLs
by Andrew Heagle 08 Feb '13

08 Feb '13

Hi, At my work, we use LDAP as the backend for Puppet node definitions. Each host would have an LDAP entry specifying things like which puppet classes to apply, host specific variables, environment (which git branch to use for puppet manifests and a few other things. There are different teams that would like to be able to manage these attributes when deploying software. For example, DBA should be able to manage DB servers while QA need to be able to configure their hosts to test different software. Any hosts that DBA can manage has a role=DBA applied and likewise an QA hosts has role=QA set. Since role is multi-valued, a QA DB can have role=DBA and role=QA set on it, since both QA and DBAs might need to be able to make changes to the host. Our slapd.conf has these ACLS access to dn.subtree="ou=hosts,dc=example,dc=info" filter=(role=DBA) attrs=puppetclass,puppetvar,environment by group/groupOfUniqueNames/uniqueMember="cn=dba,ou=groups,dc=example,dc=info" write by group="cn=sysadmin,ou=ldapgroup,dc=example,dc=info" write by * read access to dn.subtree="ou=hosts,dc=example,dc=info" filter=(role=QA) attrs=puppetclass,puppetvar,environment by group/groupOfUniqueNames/uniqueMember="cn=qa,ou=groups,dc=example,dc=info" write by group="cn=sysadmin,ou=ldapgroup,dc=example,dc=info" write by * read let say a LDAP host entry looks like this: dn: cn=qadb1.int.example.info ,ou=QAServers,dc=tor,ou=hosts,dc=example,dc=info objectClass: puppetClient objectClass: device objectClass: exampleHost objectClass: dNSDomain2 cn=qadb1.int.example.info role: DBA role: QA environment: qa datacenter: tor aRecord: 10.10.12.53 dc: qadb1.int.example.info if a DBA wants to edit this entry, it hits the first ACL, sees the DBA user in the dba group and allows the change. If a QA person wants to edit the entry, it hits the first ACL, sees role=DBA, and checks the DBA group, but the QA user is not in the DBA group and rejects the change, even though the next ACL would have allowed the change, it just doesn't hit it. Is it possible to somehow use the ACLs above without have to make lots of ACL rules that combine all the possible combos, such as role=DBA, role=QA, role=DBAQA, role=DBADEV, role=DBABI, etc...? Such as adding a third entry (eg, this would work, but would like to find a more elegant solution): access to dn.subtree="ou=hosts,dc=example,dc=info" filter=(role=DBAQA) attrs=puppetclass,puppetvar,environment by group/groupOfUniqueNames/uniqueMember="cn=dba,ou=groups,dc=example,dc=info" write by group/groupOfUniqueNames/uniqueMember="cn=qa,ou=groups,dc=example,dc=info" write by group="cn=sysadmin,ou=ldapgroup,dc=example,dc=info" write by * read Thanks, Andrew

2 2

Re: Delta replication don't starts if consumer supports SSL?
by paler cryptkeeper 08 Feb '13

08 Feb '13

Mmmm.. the fact is that is *in the consumer* that I had to disable ldaps, not on the provider, the provider is now supporting ldap and ldaps; if I enable ldaps in the consumer, replication does not start, even when specifying provider=ldap://provider-host:389.. One more thing that results strange to me is that if I put a wrong configuration under syncrepl on the consumer, the server does not start and logs some messages, but If the configuration is fine, the server starts but the replication does not, and nothing gets logged, in the consumer nor in the provider.. thanks! 2013/2/6 Quanah Gibson-Mount <quanah(a)zimbra.com> > --On Wednesday, February 06, 2013 6:33 PM -0200 paler cryptkeeper < > paler.cryptkeeper(a)gmail.com> wrote: > > >> Hi. >> >> Today I had to set up two OpenLDAP instances (2.4.33), with delta >> replication under SSL/TLS, something pretty common, I think. >> The installation (from source), initializing and TLS support setup went >> fine, and both, provider and consumer, started up without problems, and >> searches did well on both, with ldapd and ldaps. However, the replication >> never started. After a while (almost 2.5 hours!! and so many slapd.conf >> files..) I tried to start the consumer without ldaps support, only ldap, >> and the replication started perfectly! Is this normal? Could be something >> with the config? The only thing that changed between a not working state >> and a working one was that if 'slapd -d 256 -h "ldap:/// ldaps:///"' was >> used, replication didn't start, and with only 'slapd -d 256' the >> replication started normally.. I repeat that with the first option, >> beside replication, everything else worked fine, even searches using >> ldaps.. >> It's something I could not explain to or customer.. can someone explain >> it to me? :) >> Thanks! >> > > Likely it couldn't negotiate the SSL connection. I would guess you failed > to set the cert options in the syncrepl line. Since you provide no detail > into your configuration, all I can do is guess. > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- Cuando crees que ya has llegado al piso y que no puedes caer mas bajo, descubres que hay un subsuelo...

1 0

Enforce TLS?
by Patrick Lists 07 Feb '13

07 Feb '13

Hi, I've gone through slapd.access a couple of times but I can't wrap my head around the mountain of information. IMHO that man page could do with a few more examples for us mere mortals :-) FYI: I was not able to find what ssf=<n>, transport_ssf=<n>, tls_ssf=<n>, sasl_ssf=<n> mean and which possible values (+ meaning of those values) I can set them too. Missing info? Goal: allow 127.0.0.1 and ::1 non-TLS access and all other connections must use TLS. Anyone perhaps have an example that can get me started? Thanks! Patrick

2 2

import Certificate to userCertificate
by Алексей 07 Feb '13

07 Feb '13

*Hello. I have a problem with importing certificate to OPENLDAP. I had exported a Certificate from Active Directory and then tried to import it into userCertificate attribute. The system show me error because i didn't use binary in file ldif. After I had done correction of file "ldif", I received message value #0 normalization failed. When I change a SYNTAX of userCertificate from 1.3.6.1.4.1.1466.115.121.1.8 to 1.3.6.1.4.1.1466.115.121.1.40 the file was importing well, and LDAP Browser show me data in attribute userCertificate as Certificate. I could also export data from OPENLDAP. And now question: what difference between 1.3.6.1.4.1.1466.115.121.1.8 and 1.3.6.1.4.1.1466.115.121.1.40, and which of syntax is more correct to use in my case? In case if 1.3.6.1.4.1.1466.115.121.1.8 is more correct how can i understand where i make mistake? I was trying to import Certificate as base64. As example userCertificate;binary:: MIIHcjCCBxygAwIBAgIQQAAAANG9zQ1Jv2ZMAM6FJDANBgkrBgEEAZxWAQIFADCBgjETMBEGCgmSJo... * * With regards, * * Aleksey *

3 7

meta backend and bad configuration file
by francesco.policastro＠selex-es.com 07 Feb '13

07 Feb '13

Hi, I am running slapd 2.4.33 on RHEL, compiled from the sources. I successfully configured meta backend using old style slapd.conf. My aim is to browse two Active Directories in two separate forests (success) and to collect in a new group all users members of two local groups, one for each domain (not done yet). For the latter I read that the dynlist overlay is what I need and I created a hdb database. The configuration examples I found for dynlist are in the cn=config style, so I felt pushed to convert my configuration (slapd -f slapd.conf -F slapd.d). I did it, but the results are not as expected, because slapd starts, but slaptest for the new config issues an error. # slaptest -f slapd.conf 51137c4c hdb_monitor_db_open: monitoring disabled; configure monitor database to enable config file testing succeeded # slaptest 51137c5a olcDbURI: value #0: unable to parse URI #0 in "olcDbURI <protocol>://<server>[:port]/<naming context>". 51137c5a config error processing olcMetaSub={0}uri,olcDatabase={1}meta,cn=config: unable to parse URI #0 in "olcDbURI <protocol>://<server>[:port]/<naming context>" slaptest: bad configuration file! I assume, please tell me if I am wrong, that if you have the new cn=config files, then slapd.conf is not used. But I remove or rename it slapd does not start and the error message is the same as for slaptest. olcDbURI: value #0: unable to parse URI #0 in "olcDbURI <protocol>://<server>[:port]/<naming context>". config error processing olcMetaSub={0}uri,olcDatabase={1}meta,cn=config: unable to parse URI #0 in "olcDbURI <protocol>://<server>[:port]/<naming context>" slapd stopped. So I am wondering if the new config files are even read when slapd starts correctly (i.e. when called with both "-f" and "-F" flags). I know that one of the new features of version 2.4.33 is just the cn=config support for meta. Any ideas? Thanks in advance, Francesco

2 1

Delta replication don't starts if consumer supports SSL?
by paler cryptkeeper 06 Feb '13

06 Feb '13

Hi. Today I had to set up two OpenLDAP instances (2.4.33), with delta replication under SSL/TLS, something pretty common, I think. The installation (from source), initializing and TLS support setup went fine, and both, provider and consumer, started up without problems, and searches did well on both, with ldapd and ldaps. However, the replication never started. After a while (almost 2.5 hours!! and so many slapd.conf files..) I tried to start the consumer without ldaps support, only ldap, and the replication started perfectly! Is this normal? Could be something with the config? The only thing that changed between a not working state and a working one was that if 'slapd -d 256 -h "ldap:/// ldaps:///"' was used, replication didn't start, and with only 'slapd -d 256' the replication started normally.. I repeat that with the first option, beside replication, everything else worked fine, even searches using ldaps.. It's something I could not explain to or customer.. can someone explain it to me? :) Thanks! -- Cuando crees que ya has llegado al piso y que no puedes caer mas bajo, descubres que hay un subsuelo...

2 1

Re: TLS problem
by Quanah Gibson-Mount 05 Feb '13

05 Feb '13

--On Monday, February 04, 2013 9:16 AM +0200 Chris <chris(a)flamengro.co.za> wrote: > Thank you for the link. I have downloaded the newest version. Please keep replies on the list. > I get the following error message in my messages file when I start slapd > > Feb 4 09:15:53 ibm-01 slapd[25637]: [INFO] Using /etc/default/slapd for > configuration > Feb 4 09:15:53 ibm-01 slapd[25642]: [INFO] Launching OpenLDAP > configuration test... > Feb 4 09:15:53 ibm-01 nslcd[18834]: [a6c6dc] failed to bind to LDAP > server ldaps://ibm-01: Can't contact LDAP server > ldpasearch gives the following results > > ldapsearch -x -Z -b'dc=flamengro,dc=co,dc=za' uid=izak > ldap_start_tls: Protocol error (2) > additional info: unsupported extended operation Are you using startTLS (extended operation) or ldaps? These are two different things, and yet it seems you are trying to use both. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2013