openldap-technical September 2013

openldap-technical@openldap.org

72 participants
78 discussions

RE: openldap-technical Digest, Vol 70, Issue 20
by Sotomayor, Vicente (ITD) 26 Sep '13

26 Sep '13

>Message: 12 >Date: Thu, 26 Sep 2013 16:35:38 +0800 >From: "Tian Zhiying" <tianzy1225(a)thundersoft.com> >To: openldap-technical <openldap-technical(a)openldap.org> >Cc: tianzy1225 <tianzy1225(a)thundersoft.com> >Subject: Other system use port 636 connect LDAP Server Error >Message-ID: <2013092616353831259123(a)thundersoft.com> >Content-Type: text/plain; charset="us-ascii" >Hi >In ldap server(localhost) , I execute the below command , it ok. ># ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W >But in other linux system is not ok, below is the error info: ># ldapsearch -x -b 'ou=people,dc=mydomain,dc=com' -D "cn=interface,dc=mydomain,dc=com" -H ldaps://192.168.1.10 -W >ldap_bind: Can't contact LDAP server (-1) > additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed >LDAP Server is Centos 5.8 64 OS, iptables serverice is closed state. What is the cause? >You have any Suggestions? Thanks. Because the telnet test worked then I would look at your client config files on that hosts in addition to seeing if the file size/permission of the cert matches the size on the other client that is working. Also try ldapsearch -x -d 1 and see what the output shows.

1 0

Re: SSL replication deadlocks slapd
by Chad Scott 25 Sep '13

25 Sep '13

Message definitely received. =) I've actually discovered http://ltb-project.org/... Any thoughts on how reputable their build is? On Wed, Sep 25, 2013 at 3:24 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Wednesday, September 25, 2013 2:32 PM -0700 Chad Scott < > cscott(a)appdynamics.com> wrote: > > >> Definitely not an entropy problem. I see "ACCEPT" in the logs, but >> nothing else. >> >> >> I hadn't realized RedHat was so damn behind. I'm going to generate a >> custom package with the latest version and see if the problem goes away. >> > > Note that RedHat links to its own broken SSL implementation MozNSS. I > don't know if Scientific linux went the same route or not, which is why I > (again) recommend linking (sanely) to a current version of OpenSSL. > > > --Quanah > > -- > > Quanah Gibson-Mount > Lead Engineer > Zimbra Software, LLC > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

SSL replication deadlocks slapd
by Chad Scott 25 Sep '13

25 Sep '13

I'm having a lot of trouble with replication when using SSL. If I configure everything exactly the same without SSL, it works flawlessly. The instant I try to encrypt traffic, one or both servers will deadlock, even after restart. I'm configuring according to the instructions at http://www.openldap.org/doc/admin24/replication.html#N-Way Multi-Master, except using ldaps:// instead of ldap://. In cn=config, I've setup: olcTLSCACertificateFile: /etc/openldap/certs/Operations_CA_Certificate.pem olcTLSCertificateFile: /etc/openldap/certs/ldap.pem olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key I've also tried using STARTTLS over ldap:// and it seems to make no difference. Permissions are right and I can connect via SSL from clients without issue. I'm completely stumped as to what might be going on. Has anyone seen this before? This is running on Scientific Linux 6 with the following packages: openldap-2.4.23-32.el6_4.x86_64 openldap-clients-2.4.23-32.el6_4.x86_64 openldap-servers-2.4.23-32.el6_4.x86_64

3 4

Schema With Multi Part Attribute
by Bram Cymet 25 Sep '13

25 Sep '13

Hi, I am wondering if it is possible to create a schema with a multi part attribute. In other words I want the value of the attribute to be a dictionary. For example I would have an attribute called "Application" which would have a value of: {"name" : "Application Name", "active" : <True or False>} The other way I was thinking about doing this was to just have a multi value string attribute that would be the names of the "applications" and if there was an entry then that "application" is active but the dictionary way just seems cleaner to me. If this is possible an example of how to define the schema entry or a link to an RFC would be helpful. Thanks, -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. 613-608-9752

2 3

Access being denied.
by espeake＠oreillyauto.com 24 Sep '13

24 Sep '13

I know this has to be super simple in what I am missing. My ldapadmin account cannot write to the database due to insufficient privileges.. This is the ACL part of the ldif file. Version 2.4.31 and this is from olcDatabase={1}hdb.ldif olcAccess: {0}to attrs=userPassword by dn="uid=admin,dc=oreillyauto,dc=com" wr ite by anonymous auth by self write by * none olcAccess: {1}to dn.subtree="" by * read olcAccess: {2}to * by dn="uid=admin,dc=oreillyauto,dc=com" write by dn="uid=ld apadmin,ou=System,dc=oreillyauto,dc=com" write by * read olcAccess: {2} for ldap admin actually be 'dn.base="uid=ldapadmin,ou-System, dc=<domain>,dc=com" write'? Thanks Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

2 4

Fw: Access being denied.
by espeake＠oreillyauto.com 24 Sep '13

24 Sep '13

Eric Speake Web Systems Administrator O'Reilly Auto Parts ----- Forwarded by Eric Speake/OReilly on 09/24/2013 06:31 AM ----- From: Eric Speake/OReilly To: Jason Brandt <jbrandt(a)fsmail.bradley.edu> Cc: openlda-technical(a)openldap.org Date: 09/24/2013 06:16 AM Subject: Re: Access being denied. From: Jason Brandt <jbrandt(a)fsmail.bradley.edu> To: espeake(a)oreillyauto.com Cc: "openldap-technical(a)OpenLDAP.org" <openldap-technical(a)openldap.org> Date: 09/23/2013 03:26 PM Subject: Re: Access being denied. I hope this doesn't confuse you too much... First off... Your admin account will be dn="cn=admin,dc=oreillyauto,dc=com", if you are talking about the default admin account. You also want manage instead of write. I would also recommend securing your admin account with access lists, only allowing access from specific manager IP addresses. In order to restrict the cn=admin account as I do below, you have to set the userPassword attribute for the admin account, and blank the olcRootPW. set admin password: dn: cn=admin,dc=bradley,dc=edu changeType: modify add: userPassword userPassword: {SSHA}<passwordhash> blank old olcRootPW dn: olcDatabase={1}hdb,cn=config changetype: modify delete: olcRootPW This allows use of the normal authentication process and will look at your access lists. Otherwise, it will always bypass access lists and use the olcRootPW to authenticate. Here's how I handle access restrictions, which I would suggest you evaluate. This is a positive security model as well (meaning the default action is deny), which I highly recommend (ie no one can access any field, unless it's specifically defined). The downside to the positive security model is that it's less flexible, you have to whitelist any new attributes you wish users to access, but it provides you with the best security. Another note in this, is that my user accounts are all shadowAccounts, and setting shadowInactive to 1 disables the account. (handled by the 3rd section with password fields). Here is my access list in a template form: dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcAccess # limit access to directory manager to local host only and specific manager ip's olcAccess: to dn.base="cn=admin,dc=,dc=" by peername.ip=127.0.0.1 auth by sockurl=ldapi:/// auth by peername.ip=<manager IP> auth by users none by anonymous none #Allow admin users full access to all attrs #Allow OpenLDAP2 Sync User read access to all #Everyone else, continue olcAccess: to * by peername.ip=172.16.0.0%255.255.0.0 dn="uid=adminuser,dc=,dc=" manage by peername.ip=<secondary ldap server ip> dn="uid=syncuser,ou=Service_Logins,dc=,dc=" read by peername.ip=<third ldap server ip> dn="uid=syncuser,ou=Service_Logins,dc=,dc=" read by * break #Handle password fields, for all possible entities. No further processing for these attributes olcAccess: to attrs=userPassword,shadowLastChange filter= (&(objectClass=shadowAccount)(!(shadowInactive=1))) by self =w by sockurl=ldapi:/// auth by peername.ip=172.16.0.0%255.255.0.0 auth by peername.ip=127.0.0.1 group.exact="cn=localadmingroup,dc=,dc=" manage by group.exact="cn=admingroup,dc=,dc=" write by * none #Specific processing for an Account #Everyone else, continue olcAccess: to attrs=attr1,attr2 by dn="uid=account1,ou=Service_Logins,dc=,dc=" read by * break #Specific processing for a Group #Everyone else, continue olcAccess: to attrs=attr3,attr4 by group.exact="cn=group1,out=Group,dc=,dc=" manage by * break #Handle SELF writable fields #Everyone else, continue olcAccess: to attrs=loginShell,mailRoutingAddress,additionalattrs by self write by * break #Handle more restrictive fields #Stop processing on match olcAccess: to attrs=audio,attr5,attr6,attr7 filter=(&(matchTrue=1)(objectClass=Person)) by * none #Handle Anonymous Allowed fields #Stop Processing on Match olcAccess: to attrs=attr8,attr9,attr10 by * read #Handle User Allowed Fields #Stop Processing on Match olcAccess: to dn.subtree="dc=,dc=" attrs=audio by users read #Hide additional superuser accounts in directory olcAccess: to attrs=entry filter=(|(ou=Service_Logins)(uid=logins)) by * none #Allow access to specific objectclasses olcAccess: to filter=(| (objectClass=nisDomainObject)(objectClass=nisNetGroup)(objectClass=posixGroup)(objectClass=groupOfUniqueNames)(objectClass=organizationalUnit)) by * read #Allow access to directory entries. Required to query directory when using default deny policy olcAccess: to dn.subtree="dc=,dc=" attrs=entry,objectClass by * read #Default Deny olcAccess: to * by * none Jason, Thanks for the layout and I will take this to my bosses. I might have to group the servers because we have several servers that access the out LDAP servers and by IP address would be a little cumbersome to manage. We use somewhere in the range of 140 different applications on our internal network and accessed by our stores across the country. so we use different accounts to do different types of access depending on the application so we don't use just one admin account and this works on the old LDAP server running 2.4.21 But when I try to replicate the ACL's it has, nothing works. so for the time being I have simplified as recommended by this community and then I will work on tightening down the reigns. Right now I need to figure out why my ldapadmin account doesn't have write permissions in accordance with my ACL on the servers. Is it as simple as a syntax issue. The other issue I mentioned is starting to get a little annoying in the fact that I cannot seem to modify my config. The changes don't happen but the modify timestamp changes. I can deal with that issue later. Right now I need to get this user working. Thanks, Eric Speake Web Systems Administrator O'Reilly Auto Parts. On Mon, Sep 23, 2013 at 12:08 PM, <espeake(a)oreillyauto.com> wrote: I know this has to be super simple in what I am missing. My ldapadmin account cannot write to the database due to insufficient privileges.. This is the ACL part of the ldif file. Version 2.4.31 and this is from olcDatabase={1}hdb.ldif olcAccess: {0}to attrs=userPassword by dn="uid=admin,dc=oreillyauto,dc=com" wr ite by anonymous auth by self write by * none olcAccess: {1}to dn.subtree="" by * read olcAccess: {2}to * by dn="uid=admin,dc=oreillyauto,dc=com" write by dn="uid=ld apadmin,ou=System,dc=oreillyauto,dc=com" write by * read olcAccess: {2} for ldap admin actually be 'dn.base="uid=ldapadmin,ou-System, dc=<domain>,dc=com" write'? Thanks Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you. -- Jason K. Brandt Systems Administrator Bradley University (309) 677-2958 -- This message has been scanned for viruses and dangerous content, and is believed to be clean. Message id: A1B06600D64.A7776 This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

1 0

ldap dump filter
by val john 23 Sep '13

23 Sep '13

Hi guys i have openldap server with base url dc=ldap,dc=company,dc=com and our all the users are under ou=users,dc=ldap,dc=company,dc=com within that user base we have users with mail different mail address domains (gmail, yahoo.com , company.com ) by using command "slapcat -l user.ldiff" we can get entire dump of the openldap Is there any way to filter the slapcat dump so the i can get the dump file , only with users with "company.com" mail domain Please advice Thanks John

2 1

OpenLdap 2.4.28 accesslogs
by Steve Herrera 23 Sep '13

23 Sep '13

Hello, I have 2 openldap servers running on Ubuntu 12.04. One is the primary and the other is a slave. My problem is that ldap keeps dumping files into that directory log.00000000001 then log.000000002 and so on thus filling up the drive. Is it safe to remove these logs? How do i know which one it is still using. Ideally it would be great for the server to automatically remove the log once it was done using it. I could set up a cronjob to prune it but I don't know how far back it needs to the logs to be. Any ideas? Thanks

4 4

Wrong certificate being presented
by espeake＠oreillyauto.com 23 Sep '13

23 Sep '13

The authentication works on the single server we have which is running an older version of openLDAP (2.4.21). In my packet captures it appears that the older version of openLDAP is presenting the certificate we want it to present. The new version (2.4.31), although it has the same cert installed in the same place it is presenting an older self signed cert that has been removed. The new servers have been rebooted since this change so where could this possibly be cached at? This is from my slapcat of the new servers. dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcAuthzPolicy: any olcPidFile: /var/run/slapd/slapd.pid olcServerID: 1 ldap://tntest-ldap-3.example.com olcServerID: 2 ldap://tntest-ldap-1.example.com olcServerID: 3 ldap://tntest-ldap-2.example.com olcThreads: 8 olcTLSCACertificateFile: /etc/ldap/gd_bundle.crt olcTLSCertificateFile: /etc/ldap/wildcard.example.com.crt olcTLSCertificateKeyFile: /etc/ldap/wildcard.example.com.key olcToolThreads: 1 structuralObjectClass: olcGlobal creatorsName: cn=config entryUUID: 91cc0ae0-9e13-1032-84b5-0151b658a842 createTimestamp: 20130820183919Z olcLogLevel: config acl stats conns olcTLSCipherSuite: NORMAL olcTLSCRLCheck: none olcTLSVerifyClient: never entryCSN: 20130923150907.574575Z#000000#001#000000 modifiersName: uid=admin,dc=oreillyauto,dc=com modifyTimestamp: 20130923150907Z contextCSN: 20130923150907.574575Z#000000#001#000000 contextCSN: 20130923150843.855673Z#000000#002#000000 contextCSN: 20130919185322.242639Z#000000#003#000000 I tried doing an ldapmodify and delete the olcTLSCipherSuite and olcTLSCRLCheck that I added and they will not disappear. Thanks Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

1 1

Re: Invalid DN
by Justin Brown 19 Sep '13

19 Sep '13

Quanah, Thanks for the reply. That ended up being the problem. I figured the olcAccess line would allow anonymous searches, but I changed it to "to * by users read by users write" and actually created the cn=admin,dc=appName,dc=app simpleSecurityObject. Cheers, J On Thu, Sep 19, 2013 at 3:07 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, September 19, 2013 2:35 PM -0500 Justin Brown > <justin.brown(a)fandingo.org> wrote: > >> The problem is that I can't locate these objects using the ldap tools >> (ldapsearch and python-ldap). > > > You are doing anonymous searches. Likely you haven't granted anonymous > access to read these entries. > > Try ldapsearch -x -b "..." -D "..." -W > > with the values that are correct for your installation. > > --Quanah > > > -- > > Quanah Gibson-Mount > Lead Engineer > Zimbra Software, LLC > -------------------- > Zimbra :: the leader in open source messaging and collaboration

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2013