openldap-technical June 2013

openldap-technical@openldap.org

58 participants
71 discussions

RE: Understanding PKI
by Dave Thompson 21 Jun '13

21 Jun '13

>From: owner-openssl-users(a)openssl.org On Behalf Of Rodney Simioni >Sent: Friday, 21 June, 2013 10:36 >I want to really understand certificates, pki, etc; so forgive me >if these questions are elementary. >Before creating a certificate, I need to generate the CSR on the >actual server where I am going to install the certificate? >(reason why I'm asking is because a wildcard csr was sent to me >and I don't know if I should use the wildcard csr or the one >generated on the server). It can vary depending on who does what, and whether you are doing only server-authentication or client-authentication as well, which is not common for SSL/TLS in general but I don't know for LDAP. Client-authentication is often called "client certificate", although this is loose wording because you actually need the cert *and key*. Similarly server-authentication is often called "server cerificate" but often it is left implicit since it is practically always there. (Formally there are non-authenticating "anonymous" suites in TLS, but they are rarely used and very rarely a good idea.) FWWIW http://www.openldap.org/doc/admin24/tls.html says "All servers are required to have valid certificates, whereas client certificates are optional. Clients must have a valid certificate in order to authenticate via SASL EXTERNAL." Optional could mean 95% but not 100%, or it could mean 2%. The canonical process is: - the "user" system that will be authenticated -- usually server, sometimes client -- generates a keypair and generates a CSR using that keypair (which includes the publickey part) - a CA uses the CSR to create a user cert (which copies the user publickey from the CSR and thus originally from the keypair); the cert is signed using the *CA* key-and-cert. This may be a "public" CA like Verisign or (in your case) GeoTrust, or it can be private, but see below - the user system uses its privatekey and its cert in SSL/TLS - each *peer* system -- all clients for a server usually -- must have the root cert of the CA in its truststore (which as described earlier can be a single file or a directory). For public CAs the roots are available both on the CA site and other places that can be used to confirm their correctness and legitimacy, like every copy of Windows (including IE) or Firefox or Java; private CA roots are generally only available from the CA, whom you must trust - if the CA uses an intermediate cert (or several) which in your case GeoTrust did, then the server *should* send the intermediate cert(s), and optionally the root, in the SSL/TLS handshake. How to do this varies, but in your case it appears openldap doesn't use openssl's option for a chainfile, so you must put the cert(s) in the truststore the server uses. For the rarer case of client authentication, s/server/client/. If someone else generates your key, they can give you the key and let you generate the CSR and request the cert; they can generate the keypair and CSR and let you request the cert; or they can generate the key and CSR and get the cert. In your case your "admin" gave you all three, implying the third choice. The third choice also includes the case where it's really their key; they created a key and CSR and got a cert and (then) decided to let you share their identity. Since this apparently is as you said a "company" cert (and key) it makes sense for you to share. >Once the CSR is created, a CA will use the CSR to create the certificate? Exactly. (The user cert, not the CA cert(s) which are different.) >A CA was sent to me, it's the company's CA (wildcard); if the above answer >is yes, do I use the CA, the private key, and CSR to create the certificate? You didn't get any CA, you got a user cert *issued by* (or from) GeoTrust. GeoTrust is the CA. If I remember (without searching) it is a cert *for* *.securesites.com which is a wildcard, so this cert can be used by any system whose DNSname matches that pattern. >A CSR will only work with the private key it was generated with? A CSR is generated from, and is for, a given keypair (private+public). A cert based on that CSR is for that publickey, and thus only works with that privatekey. Once you have the cert, you don't use the CSR for anything except possibly getting a new cert -- if you want a new cert for the same keypair and Subject name, and any extensions that are specified in the CSR and honored.

1 0

RE: Is my process correct.: openldap using GeoTrust
by Dave Thompson 21 Jun '13

21 Jun '13

> From: owner-openssl-users(a)openssl.org On Behalf Of Rodney Simioni > Sent: Friday, 21 June, 2013 11:38 > Comments below. > > From: owner-openssl-users(a)openssl.org On Behalf Of Dave Thompson > Sent: Thursday, June 20, 2013 6:24 PM <snip> > The wildcard.securesites.com.cert you posted 6/19 has > Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA and AKI > 42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A > > GeoTrust doesn't publish that anywhere I can find but > http://www.tbs-certificats.com/FAQ/en/603.html has <snip> > which is an intermediate (not root) cert (verifiably) under > Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA AKI > C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E > [[Rod's comment]] I need clarification please. The 'Root 2' > is the root CA that I can download from geotrust and the one > provided to me by my sysadmin is an intermeadiate? > > and THAT is "Root 2" (one of several) on > http://www.geotrust.com/resources/root-certificates/index.html > (also in the standard Windows, Firefox, and Java truststores) > The cert from your admin is a *user* cert -- for *.securesites.com. The one I found on tbs-certificats is the relevant intermediate. "Root 2" from GeoTrust, or elsewhere, is the relevant root. > >What command do I use to make sure the key/pair that was > sent to me is > >compatible with GeoTrust's CA? > > Either concatenate the intermediate above and the correct > root (also in PEM) into one file say geotrustCAs.pem and do: > openssl verify -CAfile geotrustCAs.pem yourcertfile > [[Rod's comment]] Are you saying to concatenate the > intermediate root and 'Root 2' which should be downloaded > from geotrust? > The intermediate cert and the root cert. The intermediate is a CA cert, but is not a root cert (or root CA cert). > Or put them as separate files in some directory say mycadir, > create hashnames using c_rehash or by hand, and do: > openssl verify -CApath mycadir yourcertfile > > (The first is usually easier.) > > Assuming (as asked before) your opendlap is using openssl not > MozillaNSS, to use a key&cert with an intermediate cert > openssl requires either configuring a certchain file or > putting the chain cert(s) in the truststore (even if the > cert(s) or truststore aren't needed for verification). > [[Rod's comment]] As you said before, I'm probably using > MozNSS because of the errors I was getting several emails > ago. What should I do? Should I remove MozNSS pkg? I've already > Installed openssl-devel pkg. > Someone else suggested that and I was referring to them. Part of the errorlog you posted before looks consistent with MozNSS, but part looks consistent with openssl to me, so I can't tell. I expect openldap has a way to tell you which it uses, but I don't know how. 'devel' packages probably matter only if you are re-building openldap; are you? If you are in fact using MozNSS, the same principles still apply as to which key and certficates you need where (server vs client), but the specifics of what file(s) you put them are entirely different, so ignore those parts of my instructions. <snip>

1 0

RE: Is my process correct.: openldap using GeoTrust
by Dave Thompson 20 Jun '13

20 Jun '13

>From: owner-openssl-users(a)openssl.org On Behalf Of Rodney Simioni >Sent: Thursday, 20 June, 2013 12:04 >A key/pair was sent to me from my admin and it looked like it came >from GeoTrust. It's a wildcard cert. A privatekey (which in most formats including openssl's is really a keypair) and a matching certificate. You need both. >I downloaded the Root CA from GeoTrust 's web site because LDAP >requires the CA file. The wildcard.securesites.com.cert you posted 6/19 has Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA and AKI 42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A GeoTrust doesn't publish that anywhere I can find but http://www.tbs-certificats.com/FAQ/en/603.html has it as -----BEGIN CERTIFICATE----- MIID2TCCAsGgAwIBAgIDAjbQMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i YWwgQ0EwHhcNMTAwMjE5MjIzOTI2WhcNMjAwMjE4MjIzOTI2WjBAMQswCQYDVQQG EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xGDAWBgNVBAMTD0dlb1RydXN0 IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJCzgMHk5Uat cGA9uuUU3Z6KXot1WubKbUGlI+g5hSZ6p1V3mkihkn46HhrxJ6ujTDnMyz1Hr4Gu FmpcN+9FQf37mpc8oEOdxt8XIdGKolbCA0mEEoE+yQpUYGa5jFTk+eb5lPHgX3UR 8im55IaisYmtph6DKWOy8FQchQt65+EuDa+kvc3nsVrXjAVaDktzKIt1XTTYdwvh dGLicTBi2LyKBeUxY0pUiWozeKdOVSQdl+8a5BLGDzAYtDRN4dgjOyFbLTAZJQ50 96QhS6CkIMlszZhWwPKoXz4mdaAN+DaIiixafWcwqQ/RmXAueOFRJq9VeiS+jDkN d53eAsMMvR8CAwEAAaOB2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFEJ5 VBthzVUrPmPVPEhX9Z/7Rc5KMB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4 ysxOMBIGA1UdEwEB/wQIMAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDov L2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEE KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZI hvcNAQEFBQADggEBANTvU4ToGr2hiwTAqfVfoRB4RV2yV2pOJMtlTjGXkZrUJPji J2ZwMZzBYlQG55cdOprApClICq8kx6jEmlTBfEx4TCtoLF0XplR4TEbigMMfOHES 0tdT41SFULgCy+5jOvhWiU1Vuy7AyBh3hjELC3DwfjWDpCoTZFZnNF0WX3OsewYk 2k9QbSqr0E1TQcKOu3EDSSmGGM8hQkx0YlEVxW+o78Qn5Rsz3VqI138S0adhJR/V 4NwdzxoQ2KDLX4z6DOW/cf/lXUQdpj6HR/oaToODEj+IZpWYeZqF6wJHzSXj8gYE TpnKXKBuervdo5AaRTPvvz7SBMS24CqFZUE+ENQ= -----END CERTIFICATE----- which is an intermediate (not root) cert (verifiably) under Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA AKI C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E and THAT is "Root 2" (one of several) on http://www.geotrust.com/resources/root-certificates/index.html (also in the standard Windows, Firefox, and Java truststores) >What command do I use to make sure the key/pair that was sent to me >is compatible with GeoTrust's CA? Either concatenate the intermediate above and the correct root (also in PEM) into one file say geotrustCAs.pem and do: openssl verify -CAfile geotrustCAs.pem yourcertfile Or put them as separate files in some directory say mycadir, create hashnames using c_rehash or by hand, and do: openssl verify -CApath mycadir yourcertfile (The first is usually easier.) Assuming (as asked before) your opendlap is using openssl not MozillaNSS, to use a key&cert with an intermediate cert openssl requires either configuring a certchain file or putting the chain cert(s) in the truststore (even if the cert(s) or truststore aren't needed for verification). The manpage on http://linux.die.net/man/5/slapd-config does not indicate any option to configure a chain file; if that is true for the version you are using, use one of the above approaches with olcTLSCACertificateFile or Path .

1 0

Fw: LDAP/SASL problems
by Krishnamoorthi Gopal 20 Jun '13

20 Jun '13

Hi, Thanks Is Possible to create active directory schema manually in openLDAP...? Regards Support Team. ----- Forwarded by Krishnamoorthi Gopal/Chennai/Vernalis/IN on 06/20/2013 09:20 PM ----- From: Vishesh kumar <linuxtovishesh(a)gmail.com> To: Krishnamoorthi Gopal <krishnamoorthi(a)vernal.is> Cc: Ricardo Sant Ana <ricksant2003(a)gmail.com>, openldap-technical-bounces(a)openldap.org, "openldap-technical(a)openldap.org" <openldap-technical(a)openldap.org> Date: 06/20/2013 09:18 PM Subject: Re: LDAP/SASL problems As per understanding, AD use different schema so OpenLDAP replication will not work. Thanks Vishesh Kumar http://www.linuxmantra.com/ On Tue, Jun 11, 2013 at 7:40 PM, Krishnamoorthi Gopal < krishnamoorthi(a)vernal.is> wrote: Hi Ricardo, Is possible to replicate Active directory users into OpenLDAP server. Can you confirm. Regards Support Team. From: Ricardo Sant Ana <ricksant2003(a)gmail.com> To: openldap-technical(a)openldap.org Date: 06/11/2013 07:36 PM Subject: LDAP/SASL problems Hello All I am instaling an OpenLDAP server (Ubuntu Precise) on a local network (Ip 10.67.123.146). I installed using : apt-get install slapd ldap-utils later, I used slapcat to insert data from a teste.ldif file. So, the problem: from local machine I used ldapsearch -D "cn=admin,dc=eb,dc=mil,dc=br" -w password -p 389 -h 10.67.123.146 -b "dc=eb,dc=mil,dc=br" -s sub "(objectclass=*)" and it works properly. But from a remote host: ldapsearch -D "cn=admin,dc=eb,dc=mil,dc=br" -w password -p 389 -h 10.67.123.146 -b "dc=eb,dc=mil,dc=br" -s sub "(objectclass=*)" returns: SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) So, from a remote host, I had to add -x option: ldapsearch -x -D "cn=admin,dc=eb,dc=mil,dc=br" -w sped -p 389 -h 10.67.123.146 -b "dc=eb,dc=mil,dc=br" -s sub "(objectclass=*)" and it works again. So, after some google, it seems I need to configure/install SASL support; How do I do that ? thanks in advance Ricardo Sant'Ana VERNALIS SYSTEMS EMAIL NOTICE ----------------------------- The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system. -- http://linuxmantra.com VERNALIS SYSTEMS EMAIL NOTICE ----------------------------- The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

2 1

Multi master replication
by 25Dollar Tech 20 Jun '13

20 Jun '13

Hello Team, I am facing an issue with multi-master replication. After Multi-Master configuration when I add entry it is susccessfully replicating only one time second time it is not repplicating. what could be the reson. below is the logs (stat and -1) stat logs from one server when I add entry in server 2 Jun 20 11:37:06 vm2 slapd[1559]: conn=-1 fd=21 ACCEPT from IP= 192.168.122.87:46965 (IP=0.0.0.0:389) Jun 20 11:37:06 vm2 slapd[1559]: do_syncrep2: rid=005 LDAP_RES_INTERMEDIATE - SYNC_ID_SET Jun 20 11:37:06 vm2 slapd[1559]: do_syncrep2: rid=005 LDAP_RES_SEARCH_RESULT Jun 20 11:37:06 vm2 slapd[1559]: do_syncrep2: rid=005 cookie=rid=005,csn=20130620073703.737390Z#000000#000#000000 Jun 20 11:37:06 vm2 slapd[1559]: nonpresent_callback: rid=005 present UUID 0cbd9aa0-6dba-1032-8208-dff4fce29a41, dn dc=emb,dc=slb,dc=com Jun 20 11:37:06 vm2 slapd[1559]: nonpresent_callback: rid=005 present UUID 0cbe2902-6dba-1032-8209-dff4fce29a41, dn cn=admin,dc=emb,dc=slb,dc=com Jun 20 11:37:06 vm2 slapd[1559]: nonpresent_callback: rid=005 present UUID 5c8269b0-6dc1-1032-80e1-8fddbab869b5, dn ou=Groups,dc=emb,dc=slb,dc=com Jun 20 11:37:06 vm2 slapd[1559]: slap_queue_csn: queing 0x7f5f10109b40 20130620073703.737390Z#000000#000#000000 Jun 20 11:37:06 vm2 slapd[1559]: slap_graduate_commit_csn: removing 0x7f5f1010b540 20130620073703.737390Z#000000#000#000000 Jun 20 11:37:14 vm2 slapd[1559]: conn=1013 fd=19 ACCEPT from IP= 192.168.122.199:35866 (IP=0.0.0.0:389) Jun 20 11:37:14 vm2 slapd[1559]: conn=1013 op=0 BIND dn="cn=admin,dc=emb,dc=slb,dc=com" method=128 Jun 20 11:37:14 vm2 slapd[1559]: conn=1013 op=0 BIND dn="cn=admin,dc=emb,dc=slb,dc=com" mech=SIMPLE ssf=0 Jun 20 11:37:14 vm2 slapd[1559]: conn=1013 op=0 RESULT tag=97 err=0 text= Jun 20 11:37:14 vm2 slapd[1559]: conn=1013 op=1 SRCH base="dc=emb,dc=slb,dc=com" scope=2 deref=0 filter="(objectClass=*)" Jun 20 11:37:14 vm2 slapd[1559]: conn=1013 op=1 SRCH attr=* + Jun 20 11:37:14 vm2 slapd[1559]: conn=1013 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Jun 20 11:37:14 vm2 slapd[1559]: conn=1013 op=2 UNBIND Jun 20 11:37:14 vm2 slapd[1559]: conn=1013 fd=19 closed loglevel -1 enabled and below are the logs from the server1 when I add entry in server2 Jun 20 16:30:13 vm2 slapd[13074]: => access_allowed: search access to "dc=emb,dc=slb,dc=com" "entryCSN" requested Jun 20 16:30:13 vm2 slapd[13074]: <= root access granted Jun 20 16:30:13 vm2 slapd[13074]: => access_allowed: search access granted by manage(=mwrscxd) Jun 20 16:30:13 vm2 slapd[13074]: <= test_filter 6 Jun 20 16:30:13 vm2 slapd[13074]: <= test_filter_and 6 Jun 20 16:30:13 vm2 slapd[13074]: <= test_filter 6 Jun 20 16:30:13 vm2 slapd[13074]: nonpresent_callback: rid=005 present UUID b49be142-6dd7-1032-821e-bd2e8e19723c, dn dc=emb,dc=slb,dc=com Jun 20 16:30:13 vm2 slapd[13074]: => test_filter Jun 20 16:30:13 vm2 slapd[13074]: AND Jun 20 16:30:13 vm2 slapd[13074]: => test_filter_and Jun 20 16:30:13 vm2 slapd[13074]: => test_filter Jun 20 16:30:13 vm2 slapd[13074]: LE Jun 20 16:30:13 vm2 slapd[13074]: => access_allowed: search access to "cn=admin,dc=emb,dc=slb,dc=com" "entryCSN" requested Jun 20 16:30:13 vm2 slapd[13074]: <= root access granted Jun 20 16:30:13 vm2 slapd[13074]: => access_allowed: search access granted by manage(=mwrscxd) Jun 20 16:30:13 vm2 slapd[13074]: <= test_filter 6 Jun 20 16:30:13 vm2 slapd[13074]: <= test_filter_and 6 Jun 20 16:30:13 vm2 slapd[13074]: <= test_filter 6 Jun 20 16:30:13 vm2 slapd[13074]: nonpresent_callback: rid=005 present UUID b49c7e5e-6dd7-1032-821f-bd2e8e19723c, dn cn=admin,dc=emb,dc=slb,dc=com Jun 20 16:30:13 vm2 slapd[13074]: => test_filter Jun 20 16:30:13 vm2 slapd[13074]: AND Jun 20 16:30:13 vm2 slapd[13074]: => test_filter_and Jun 20 16:30:13 vm2 slapd[13074]: => test_filter Jun 20 16:30:13 vm2 slapd[13074]: LE Jun 20 16:30:13 vm2 slapd[13074]: => access_allowed: search access to "ou=Groups4,dc=emb,dc=slb,dc=com" "entryCSN" requested Jun 20 16:30:13 vm2 slapd[13074]: <= root access granted Jun 20 16:30:13 vm2 slapd[13074]: => access_allowed: search access granted by manage(=mwrscxd) Jun 20 16:30:13 vm2 slapd[13074]: <= test_filter 6 Jun 20 16:30:13 vm2 slapd[13074]: <= test_filter_and 6 Jun 20 16:30:13 vm2 slapd[13074]: <= test_filter 6 Jun 20 16:30:13 vm2 slapd[13074]: nonpresent_callback: rid=005 present UUID 3e8b5198-6dd9-1032-8006-655e62f4c8e4, dn ou=Groups4,dc=emb,dc=slb,dc=com Jun 20 16:30:13 vm2 slapd[13074]: => test_filter Jun 20 16:30:13 vm2 slapd[13074]: AND Jun 20 16:30:13 vm2 slapd[13074]: => test_filter_and Jun 20 16:30:13 vm2 slapd[13074]: => test_filter ANybody please help me to solve this issue. Operating system Ubuntu 12.04 OpenLDAP version: openldap-2.4.28 (Debian build) Note:- When I try to delete /var/lib/ldap/* and start one server it is able to replicate but after that again stoped for any new entry or any changes in another server. -- *Thanks & Regards, 25dollarTech Team https://sites.google.com/site/25dollartech/* *Email: 25dollartechhelp(a)gmail.com*

2 1

ppolicy not respecting overrides
by Michael Proto 20 Jun '13

20 Jun '13

Hello all, I'm currently seeing an issue with slapo-ppolicy and individual account overrides not being respected. CentOS 6.4 with system-provided openldap-2.4.23-32.el6_4.1.x86_64 slapd.conf: include /etc/openldap/schema/ppolicy.schema ... moduleload ppolicy.la ... database bdb suffix "dc=domain" ... overlay ppolicy ppolicy_default "cn=PasswordPolicy,ou=Policies,dc=domain" ppolicy_hash_cleartext ppolicy_use_lockout # PasswordPolicy, Policies, domain dn: cn=PasswordPolicy,ou=Policies,dc=domain sn: PasswordPolicy cn: PasswordPolicy objectClass: person objectClass: top objectClass: pwdPolicy pwdAttribute: userPassword pwdLockout: TRUE pwdAllowUserChange: TRUE pwdInHistory: 4 pwdMinLength: 8 pwdFailureCountInterval: 600 pwdMaxFailure: 6 pwdLockoutDuration: 600 pwdCheckQuality: 1 pwdGraceAuthNLimit: 0 pwdMaxAge: 7776000 pwdMustChange: TRUE pwdExpireWarning: 1209600 This works for all user accounts (passwords expire, history is stored, lockouts work). Now I use a bind account for all LDAP-authenticated systems named cn=system,dc=domain that I don't want aligned with the above policy (namely I don't want its password to expire, no password history, no lockout, etc... as it is managed by my admins), so I set the following on that account: # system, domain dn: cn=system,dc=domain sn: system cn: system objectClass: inetOrgPerson objectClass: top objectClass: pwdPolicy pwdAttribute: userPassword pwdLockout: FALSE pwdMaxAge: 0 pwdInHistory: 0 pwdCheckQuality: 0 pwdExpireWarning: 0 pwdLockoutDuration: 0 pwdMaxFailure: 0 pwdMustChange: FALSE pwdFailureCountInterval: 0 pwdGraceAuthNLimit: 0 userPassword:: xxxxxx Earlier today it appears the password for this account expired, which is precisely what I don't want. What I saw in my slapd.log when all systems started failing authentication across the board: Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" method=128 Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" mech=SIMPLE ssf=0 Jun 19 18:03:26 master slapd[22980]: ppolicy_bind: Entry cn=system,dc=domain has an expired password: 0 grace logins Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 RESULT tag=97 err=49 text= Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" method=128 Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" mech=SIMPLE ssf=0 Jun 19 18:03:26 master slapd[22980]: ppolicy_bind: Entry cn=system,dc=domain has an expired password: 0 grace logins My immediate fix was to use ldappasswd as cn=Manager and change the password 4 times and then change it back to its original, which then allowed systems to authenticate to the directory once again. Obviously this has me concerned as I have a replication user and a chain user to chain modifications from my slaves back to my master, and if their passwords expire I expect to be in for a fair amount of work to fix. What I've done in the interim is create a new ppolicy container with no expiration and assigned my system account's pwdPolicySubentry attribute to that: # NoPasswordPolicy, Policies, domain dn: cn=NoPasswordPolicy,ou=Policies,dc=domain sn: NoPasswordPolicy cn: NoPasswordPolicy objectClass: person objectClass: top objectClass: pwdPolicy pwdAttribute: userPassword pwdCheckQuality: 0 pwdExpireWarning: 0 pwdFailureCountInterval: 0 pwdGraceAuthNLimit: 0 pwdInHistory: 0 pwdLockout: FALSE pwdLockoutDuration: 0 pwdMaxAge: 0 pwdMaxFailure: 0 pwdMinLength: 0 pwdMustChange: FALSE pwdAllowUserChange: FALSE # system, domain dn: cn=system,dc=domain pwdPolicySubentry: cn=NoPasswordPolicy,ou=Policies,dc=domain (I'm hoping this works like I want/expect it to, if not all ideas are welcome...) >From the slapo-ppolicy man page: pwdMaxAge This attribute contains the number of seconds after which a modified password will expire. If this attribute is not present, or if its value is zero (0), then passwords will not expire. With cn=system,dc=domain having a MaxAge attribute set to 0, why would that account's password expire? I'm somewhat stumped here. Thanks, Michael Proto

2 2

Re: Is my process correct.
by Oliver Loch 20 Jun '13

20 Jun '13

"openssl verify" does the trick. http://www.openssl.org/docs/apps/verify.html# And to test if the key and the cert belong together: openssl x509 -in $cert -noout -modulus | openssl md5 openssl rsa -in $key -noout -modulus | openssl md5 If the md5 sums don't match, the key or the cert is invalid. Cu Am 20.06.2013 um 18:04 schrieb "Rodney Simioni" <rodney.simioni(a)verio.net>: > Hi, > > A key/pair was sent to me from my admin and it looked like it came from GeoTrust. It’s a wildcard cert. > > I downloaded the Root CA from GeoTrust ‘s web site because LDAP requires the CA file. > > What command do I use to make sure the key/pair that was sent to me is compatible with GeoTrust’s CA? > > Rod > > > This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you. >

1 0

LDAP/SASL problems
by Ricardo Sant Ana 20 Jun '13

20 Jun '13

Hello All I am instaling an OpenLDAP server (Ubuntu Precise) on a local network (Ip 10.67.123.146). I installed using : apt-get install slapd ldap-utils later, I used slapcat to insert data from a teste.ldif file. So, the problem: from local machine I used ldapsearch -D "cn=admin,dc=eb,dc=mil,dc=br" -w password -p 389 -h 10.67.123.146 -b "dc=eb,dc=mil,dc=br" -s sub "(objectclass=*)" and it works properly. But from a remote host: ldapsearch -D "cn=admin,dc=eb,dc=mil,dc=br" -w password -p 389 -h 10.67.123.146 -b "dc=eb,dc=mil,dc=br" -s sub "(objectclass=*)" returns: SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) So, from a remote host, I had to add -x option: ldapsearch -x -D "cn=admin,dc=eb,dc=mil,dc=br" -w sped -p 389 -h 10.67.123.146 -b "dc=eb,dc=mil,dc=br" -s sub "(objectclass=*)" and it works again. So, after some google, it seems I need to configure/install SASL support; How do I do that ? thanks in advance Ricardo Sant'Ana

3 2

ldap slave version greater than master version
by Bruno Furtado 19 Jun '13

19 Jun '13

Can I have a master server with 2.2 version and the slave with 2.4 version? regards -- Bruno Furtado

2 1

OpenLDAP multimaster
by 25Dollar Tech 19 Jun '13

19 Jun '13

Hello Team, I am facing an issue with setting up OpenLDAP multimaster replicaiton. It is happening only one time and it is giving an error in the server log file that *"hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found". * Below are my configuration details. Operating system: Ubuntu 12.04.2 cat /etc/ldap/slapd.d/cn\=config.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 96647d53 dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: none olcLogLevel: -1 olcPidFile: /var/run/slapd/slapd.pid olcToolThreads: 1 structuralObjectClass: olcGlobal creatorsName: cn=config olcAllows: bind_v2 olcServerID: 3 ldap://vm3.test.example.com olcServerID: 4 ldap://vm4.test.example.com entryUUID: 7bfbb79a-6d19-1032-9008-c1a20821a82c createTimestamp: 20130619104813Z entryCSN: 20130619104813.603914Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20130619104813Z contextCSN: 20130619104818.925492Z#000000#000#000000 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 2b434e34 dn: olcDatabase={1}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=test,dc=example,dc=com olcLastMod: TRUE olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq structuralObjectClass: olcHdbConfig entryUUID: 7bfd08b6-6d19-1032-9012-c1a20821a82c createTimestamp: 20130619104813Z creatorsName: cn=config olcRootDN: cn=admin,dc=test,dc=example,dc=com olcRootPW:: YWRtaW5AMTIz olcSyncrepl: {0}rid=500 provider=ldap://vm3.test.example.combinddn="cn=admin,dc=te st,dc=example,dc=com" bindmethod=simple credentials=admin@123searchbase="dc=emb,d c=slb,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout =1 olcSyncrepl: {1}rid=600 provider=ldap://vm4.test.example.combinddn="cn=admin,dc=te st,dc=example,dc=com" bindmethod=simple credentials=admin@123searchbase="dc=emb,d c=slb,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout =1 olcMirrorMode: TRUE entryCSN: 20130619105336.281097Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20130619105336Z -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- cat /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 882cef38 dn: olcDatabase={0}config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * break structuralObjectClass: olcDatabaseConfig entryUUID: e237277c-6d1b-1032-87ac-4153a9d6c230 creatorsName: cn=config createTimestamp: 20130619110523Z olcRootDN: cn=admin,cn=config olcRootPW:: YWRtaW5AMTIz olcSyncrepl: {0}rid=100 provider=ldap://vm3.test.example.combinddn="cn=admin,cn=co nfig" bindmethod=simple credentials=admin@123 searchbase="cn=config" type=ref reshAndPersist retry="5 5 300 5" timeout=1 olcSyncrepl: {1}rid=200 provider=ldap://vm4.test.example.combinddn="cn=admin,cn=co nfig" bindmethod=simple credentials=admin@123 searchbase="cn=config" type=ref reshAndPersist retry="5 5 300 5" timeout=1 olcMirrorMode: TRUE entryCSN: 20130619110524.008790Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20130619110524Z ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :/var/lib/ldap# ls -ltrh total 1.4M -rw-r--r-- 1 openldap openldap 96 Jun 19 15:05 DB_CONFIG -rw------- 1 openldap openldap 8.0K Jun 19 15:05 objectClass.bdb -rw------- 1 openldap openldap 32K Jun 19 15:05 id2entry.bdb -rw------- 1 openldap openldap 8.0K Jun 19 15:05 dn2id.bdb -rw------- 1 openldap openldap 10M Jun 19 15:05 log.0000000001 -rw------- 1 openldap openldap 32K Jun 19 15:05 __db.006 -rw------- 1 openldap openldap 160K Jun 19 15:05 __db.004 -rw------- 1 openldap openldap 360K Jun 19 15:05 __db.002 -rw------- 1 openldap openldap 24K Jun 19 15:05 __db.001 -rw-r--r-- 1 openldap openldap 2.0K Jun 19 15:05 alock -rw------- 1 openldap openldap 2.6M Jun 19 15:05 __db.003 -rw------- 1 openldap openldap 1.3M Jun 19 15:05 __db.005 -- *Thanks & Regards, 25dollarTech Team https://sites.google.com/site/25dollartech/* *Email: 25dollartechhelp(a)gmail.com*

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2013