openldap-technical July 2013

openldap-technical@openldap.org

68 participants
86 discussions

TLS, integrity and root DSE
by Ulrich Windl 24 Jul '13

24 Jul '13

Hi! When trying to require integrity for LDAP connections by specifying "ssf=1" in Security, I have a problem with Perl where the cat bites its tail: It's recommended to query the root DSE for TLS extension before trying to use TLS like this: my $dse = $ldap->root_dse(); if ($dse->supported_extension(LDAP_EXTENSION_START_TLS)) { my $msg = $ldap->start_tls('verify' => 'require', 'capath' => '/etc/ssl/certs'); ... Unfortunately the root_dse() fails with the security restriction: "confidentiality required" Note: The manual says: "0 (zero) implies no protection, 1 implies integrity protection only" So is "confidentiality" actually "integrity" here, and are here any solutions to this problem? Regards, Ulrich Windl

3 2

root cannot change user password with command "passwd", sssd, pam, openldap
by Augustin Wolf 23 Jul '13

23 Jul '13

Hi list, I'm using CentOs 6.4, and moved user management to OpenLDAP. As far as it works fine for user - user can login, do `passwd` to change his password, etc. - it fails for root to change users passwords. Root have to use ldapmodify. Is it normal behavior, or do I have some configuration errors? For now, LDAP ACL was "turned off" - every user has manage permission. I know it's a security issue, but I wanted to remove potential interference. I will change this as soon as root can change users password. SELlinux was also turned off to eliminate it's potential interference. Iptables was "turned off", as well, though I thing it doesn't matter as long as port 389 is open. My configs, logs, etc are in here: http://fpaste.org/26708/ Thanks in advance, Augustyn

3 4

undocumented TLSProtocolMin
by Manuel Gaupp 23 Jul '13

23 Jul '13

Hi, OpenLDAP seems to support an undocumented configuration parameter "TLSProtocolMin" when linked against OpenSSL. It allows to set the minimum SSL/TLS protocol version: * TLSProtocolMin 768 # (3 << 8) disables SSLv2 * TLSProtocolMin 769 # ((3 << 8)+1) disables SSLv2 and SSLv3 As there's no documentation for TLSProtocolMin: Is this feature ready for production or is it experimental? Best regards, Manuel

3 2

need help interpreting "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?"
by Steve Eckmann 23 Jul '13

23 Jul '13

The answer would be obvious if we had a misconfigured URI, but I don't think we do. In fact, we are getting this error from the ldap/translucent proxy on a first attempt to retrieve a DN from a remote Active Directory, then a second identical ldapsearch always succeeds. That makes us think there might be a timing issue getting from our openldap server, through a forwarding proxy out of a DMZ, and finally to the target AD server. But since all the openldap log messages appear with the same timestamp, there would have to be a sub-second timeout somewhere in the path. Does openldap have any default sub-second timeouts? I haven't configured any of the slapd or slapd-ldap timeout options. Here is a typical log from a failed search: Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 fd=10 ACCEPT from IP=172.20.11.85:54864 (IP=0.0.0.0:636) Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 fd=10 TLS established tls_ssf=256 ssf=256 Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 op=0 BIND dn="cn=localuser,ou=users,ou=Native,dc=example,dc=com" method=128 Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 op=0 BIND dn="cn=localuser,ou=users,ou=Native,dc=example,dc=com" mech=SIMPLE ssf=0 Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 op=0 RESULT tag=97 err=0 text= Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(sAMAccountName=steve.eckmann)" Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 op=1 SRCH attr=cn Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 op=1 ldap_back_retry: retrying URI="ldap://172.30.11.20" DN="cn=remoteuser,ou=users,ou=system accounts,dc=example,dc=com" Jul 15 09:46:09 eck1 slapd[9198]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI? Jul 15 09:46:09 eck1 slapd[9198]: <= mdb_equality_candidates: (sAMAccountName) not indexed Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 op=2 UNBIND Jul 15 09:46:09 eck1 slapd[9198]: conn=1001 fd=10 closed Thanks. Steve

3 4

cn=config chaining or authzTo Strong(er) authentication required (8)
by espeake＠oreillyauto.com 23 Jul '13

23 Jul '13

I am working on setting up a provider/consumer setup for openLDAP version 2.4.28. Everything seems to be working other than referrals. I can query the consumers, I can write directly to the provider. But I get the following when I try to sent a ldapmadify to a consumer and it refers it to the provider. ldapmodify -W -D "uid=ldapadmin,ou=system,dc=example,dc=com" -H ldap://tntest-ldap.example.com -c -f /tmp/epseake.ldif Enter LDAP Password: modifying entry "uid=ESPEAKE,ou=Users,dc=example,dc=com" ldap_modify: Strong(er) authentication required (8) If I run the modify against the provider with the same credentials it will modify the record. I have added authzTo dn.regex:^uid= [^,]*,ou=system,dc=example,dc=com$. I also added authzTo ldap:///dc=example,dc=com???(objectClass=top) This got rid of my error 10 on the referral but now it is asking for strong(er) authentication. I do have certificates on my servers in the correct locations and olcTLSCertificate statements with the directories for the certs and keys. THis is the final step I hope in getting the test environment completed and ready for testing. All help is appreciated. Thank you, Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

2 1

OpenLdap from OpenCSW installation
by michał kępkowski 23 Jul '13

23 Jul '13

Hey, Has anyone of you install OpenLdap from OpenCSW repositories on Solaris? I've try to install using pkgutils: pkgutil -yi CSWopenldap than I read something more an add pkgutil -iy berkeleydb48 pkgutil -i CSWopenldap-back-bdb however my slaptest shows Unrecognized database type (bdb) 51ed5c62 /etc/opt/csw/openldap/slapd.conf: line 53: <database> failed init (bdb) Line 53 is the beginning of database configuration: database bdb Do you have any ideas? Am I configured something bad?

2 1

Slapd starts with "-h" not working as described
by Nathanel Sulimanov 22 Jul '13

22 Jul '13

Hi, I am trying to configure /etc/sysconfig/ldap with following: SLAPD_LDAP=no SLAPD_URLS="ldap://${HOSTNAME} ldaps://${HOSTNAME} ldap://127.0.0.1" ---> This works and Slapd start ok. But While using: SLAPD_URLS="ldap://${HOSTNAME} ldaps://${HOSTNAME} ldap://localhost" ---> Does NOT work. My /etc/hosts looks like this: 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 following RPM installed: openldap-2.4.34-1.el6.x86_64 openldap-clients-2.4.34-1.el6.x86_64 openldap-servers-2.4.34-1.el6.x86_64 And one more issue: How I could verify that ldap server start with proper olcServerID ? Is there any logging should be enabled and what values to look for ? How I could present olcServerID along with ldap://${HOSTNAME} ldaps://${HOSTNAME} ldap://127.0.0.1 command ? Regards,

1 0

Re: ldap syncrepl issue.
by Ashok Kumar Shah 22 Jul '13

22 Jul '13

I am running OpenLDAP 2.4.23. Looks like syncrepl has stuck i am seeing this message from last 2 days every minute i see this message popping up on the logs perhaps this the reason of huge slave lag is 2 days and some hours. Is there a fix for this? *syncrepl_message_to_op: rid=011 be_modrdn uid=user.name,ou=xxxxx,dc=xxxx,dc=com (68)* * do_syncrepl: rid=011 rc 68 retrying* * * Thanks, Ashok On Fri, Jul 12, 2013 at 9:26 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Friday, July 12, 2013 5:40 PM +0530 Ashok <ashok.shah(a)flipkart.com> > wrote: > > >> >> >> >> >> Hi, >> >> I am running ldap master and multiple slave with RefreshandPersist config. >> ldap search for an user shows different set of records. ContextCSN on >> master and slave are exactly same. >> What can i do to fix this. I tried restarting slave ldap but didn't help. >> Also i keep getting do_syncrepl: rid=112 rc 68 retrying every minute. I >> doubt if there is replication issue. >> > > It sounds like it is resyncing the DB, and skipping entries that already > exist: LDAP_ALREADY_EXISTS is error code 68. > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

3 3

Antw: Q: Multi-Master setup
by Ulrich Windl 22 Jul '13

22 Jul '13

>>> I wrote on 16.07.2013 at 09:02: [...] > 2) What is the correct syntax for the second argument (URI): Do you need a > final slash, do you need the port? Currently I'm using a syntax like > "olcServerID: 1 ldap://ldap.domain.org" [...] As nobody did answer, I guess nobody knows how the server matches the ServerID. So let me ask a diffenent question: (How) can I query the ServerID a server uses? Regards, Ulrich

2 2

Openldap-2.4.33 bind problem
by Darouichi, Aziz 19 Jul '13

19 Jul '13

Hi all, I am trying to bind openldap-2.4.33 to vendor SSO using simple bind and I am getting invalid credentials. I have reset the rootdn password more than once to make sure there were no typos, and I am still getting same Invalid Credentials error. This is a copy of my slapd.conf # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /opt/local/etc/openldap/schema/core.schema include /opt/local/etc/openldap/schema/ppolicy.schema # Define global ACLs to disable default read access. include /opt/local/etc/openldap/schema/cosine.schema include /opt/local/etc/openldap/schema/nis.schema include /opt/local/etc/openldap/schema/inetorgperson.schema # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /opt/local/var/run/slapd.pid argsfile /opt/local/var/run/slapd.args sizelimit unlimited #serverID 1 allow bind_v2 loglevel sync "/opt/local/etc/openldap/slapd.conf" 180L, 5417C # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /opt/local/etc/openldap/schema/core.schema include /opt/local/etc/openldap/schema/ppolicy.schema # Define global ACLs to disable default read access. include /opt/local/etc/openldap/schema/cosine.schema include /opt/local/etc/openldap/schema/nis.schema include /opt/local/etc/openldap/schema/inetorgperson.schema # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org # Load dynamic backend modules: # modulepath /opt/local/libexec/openldap # moduleload back_bdb.la # moduleload back_hdb.la # moduleload back_ldap.la #modulepath /usr/lib/openldap #moduleload accesslog.la moduleload auditlog.la #moduleload denyop.la #moduleload dyngroup.la moduleload dynlist.la #moduleload lastmod.la #moduleload pcache.la moduleload ppolicy.la #moduleload refint.la #moduleload retcode.la #moduleload rwm.la #moduleload smbk5pwd.la moduleload syncprov.la moduleload syncprov #moduleload translucent.la moduleload unique.la moduleload valsort.la # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # access to dn.base="" by * read # access to dn.base="cn=Subschema" by * read # access to * # by self write # by users read # by anonymous auth # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! # CA singed Certificate and server cert entries: TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /opt/local/etc/openldap/cacert.pem TLSCertificateFile /opt/local/etc/openldap/ldap-tls.curry.edu.cert.pem TLSCertificateKeyFile /opt/local/etc/openldap/ldap-tls.curry.edu.key.pem # Clinet verification not required #TLSVerifyClient never ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=curry,dc=edu" rootdn "cn=ldap,dc=curry,dc=edu" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}gMePUFraA8Fjn63t8FzpYHbp+6g8N6Mz #access to * # by dn.base="cn=ldap,dc=curry,dc=edu" read # by * break # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /opt/local/var/openldap-data syncrepl rid=006 provider=ldap://192.168.60.42 tls_cert=/etc/pki/tls/certs/ldap-tls.curry.edu.cert.pem tls_key=/etc/pki/tls/private/ldap-tls.curry.edu.key.pem tls_cacert=/etc/pki/tls/certs/cacert.pem tls_reqcert=demand searchbase="dc=curry,dc=edu" schemachecking=on timelimit=unlimited sizelimit=unlimited type=refreshAndPersist retry="60 +" # Index to maintain index entryUUID eq index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres index nisMapName,nisMapEntry eq,pres,sub #mirrormode TRUE mirrormode on # define the provider to use the syncprov overlay # (last directives in database section) overlay syncprov # contextCSN saved to database every 100 updates or ten minutes syncprov-checkpoint 100 1 syncprov-sessionlog 100 ################################################################################# # Password Policy # ################################################################################ ################################################################################# # This implies the password policy should be for the entire base DN #ppolicy_default overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=curry,dc=edu" # This implies the passwords should not be in clear text and this directive takes no parameters ppolicy_hash_cleartex

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2013