Invalid DN
by Justin Brown
Hello,
I'm struggling to set up my Hdb database in OpenLDAP. I'm trying to
create the entire directory from ldif files with cn=config.
I have two initialization ldifs. The first one creates all the
cn=config stuff, and also creates my Hdb database. The first file is
too long to completely list here (I included core, cosine, nis, and
inetorgperson schema ldifs.), but I'll put some excerpts here.
dn: cn=config
objectClass: olcGlobal
cn: config
...
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
...
dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
...
(There are lots more for the other included schemas. I also have three
custom objectClasses in cn=schema,cn=config, and one custom
attributeType there, too.)
The file finishes with the database configurations.
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
...
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * none
olcRootDN: cn=config
olcRootPW: secret
...
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=appName,dc=app
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=appName,dc=app
olcRootPW: secret
olcAccess: to * by * write by * read
...
This file runs successfully with slapadd:
sudo -u ldap slapadd -l init.ldif -F /etc/openldap/slapd.d -n0
The second file is very simple and just sets up the root objects in my database.
dn: dc=appName,dc=app
objectClass: top
objectClass: dcObject
objectclass: domain
dc: addressbook
dn: dc=directory,dc=appName,dc=app
objectClass: top
objectClass: domain
dc: directory
This also runs successfully with
sudo -u ldap slapadd -l init2.ldif -F /etc/openldap/slapd.d -n1
Now if I use slapcat to view the directory, I see those objects:
sudo slapcat
523b5022 hdb_monitor_db_open: monitoring disabled; configure monitor
database to enable
dn: dc=appName,dc=app
objectClass: top
objectClass: dcObject
objectClass: domain
dc: addressbook
structuralObjectClass: domain
entryUUID: 37f1bd06-b5ad-1032-824f-6ffc71c73dcf
creatorsName: cn=admin,dc=appName,dc=app
createTimestamp: 20130919192708Z
entryCSN: 20130919192708.309183Z#000000#000#000000
modifiersName: cn=admin,dc=appName,dc=app
modifyTimestamp: 20130919192708Z
dn: dc=directory,dc=appName,dc=app
objectClass: top
objectClass: domain
dc: directory
structuralObjectClass: domain
entryUUID: 37f4023c-b5ad-1032-8250-6ffc71c73dcf
creatorsName: cn=admin,dc=appName,dc=app
createTimestamp: 20130919192708Z
entryCSN: 20130919192708.324059Z#000000#000#000000
modifiersName: cn=admin,dc=appName,dc=app
modifyTimestamp: 20130919192708Z
The problem is that I can't locate these objects using the ldap tools
(ldapsearch and python-ldap).
ldapsearch -xb 'dc=addressbook,dc=app'
gives
result: 34 Invalid DN syntax
text: invalid DN
If I don't specify a base DN, then I get 32: No such object:
ldapsearch -x '(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
Does anyone know why I cannot see my objects through the LDAP
"interface?" My configuration seems entirely consistent with
http://www.openldap.org/doc/admin24/slapdconf2.html.
Thanks,
J
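A pre-flight check that can be run on such LDIF before slapadd, added here as an example and not part of the original post: it parses the file, flags entries whose RDN value does not appear among the entry's own attribute values, and tests whether a search base sits under a given suffix. The sample LDIF is constructed from the excerpt above; base64 (`::`) values are left undecoded.

```python
# Added example, not code from the original post: consistency checks for an
# LDIF file before slapadd. Sample LDIF constructed from the post's excerpt.

SAMPLE_LDIF = """\
dn: dc=appName,dc=app
objectClass: top
objectClass: dcObject
objectclass: domain
dc: addressbook

dn: dc=directory,dc=appName,dc=app
objectClass: top
objectClass: domain
dc: directory
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]. Handles folded lines (leading
    space) and '#' comments; base64 '::' values are left undecoded."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                      # unfold continuation
        elif raw:
            lines.append(raw)
        elif lines:                                   # blank line ends entry
            attrs = {}
            for line in lines:
                if not line.startswith("#"):
                    key, _, val = line.partition(":")
                    attrs.setdefault(key.strip().lower(), []).append(val.strip())
            entries.append((attrs.pop("dn", [""])[0], attrs))
            lines = []
    return entries

def rdn_mismatches(entries):
    """DNs whose RDN value is not also an attribute value of the entry."""
    bad = []
    for dn, attrs in entries:
        attr, _, value = dn.split(",", 1)[0].partition("=")
        have = [v.lower() for v in attrs.get(attr.strip().lower(), [])]
        if value.strip().lower() not in have:
            bad.append(dn)
    return bad

def base_under_suffix(base_dn, suffix):
    """True if base_dn equals the suffix or is subordinate to it."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    b, s = norm(base_dn), norm(suffix)
    return b == s or b.endswith("," + s)
```

Running `rdn_mismatches(parse_ldif(SAMPLE_LDIF))` on the constructed sample reports the first entry, and `base_under_suffix("dc=addressbook,dc=app", "dc=appName,dc=app")` is False.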
PFS Ciphers
by manu@netbsd.org
Hi
I tried to use ciphers that bring PFS for OpenLDAP, but it did not work.
I used this cipher specification:
TLSCipherSuite ECDH:DH:!SHA:!MD5:!aNULL:!eNULL
I test it this way:
for i in `openssl ciphers ALL|tr ':' '\n'` ; do
echo ''|openssl s_client -cipher $i -connect server:636 \
2>/dev/null |awk '/ Cipher/{print }' ;
done
I get nothing. I understand ECDH needs some support code, but why aren't
DH ciphers available?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
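A local way to see what the posted TLSCipherSuite string actually selects, added here as an example (not from the original post): Python's ssl module passes the spec to the local OpenSSL cipher-list parser, and the resulting suite names are then classified by key exchange. Note that in OpenSSL's cipher-list language `SHA` means suites with a SHA-1 MAC, and the list you get depends on the local OpenSSL build.

```python
# Added example, not code from the original post: expand an OpenSSL cipher
# spec with the local OpenSSL and report which selected suites give forward
# secrecy (ephemeral ECDH/DH key exchange). Output depends on the local build.
import ssl

POSTED_SPEC = "ECDH:DH:!SHA:!MD5:!aNULL:!eNULL"   # TLSCipherSuite from the post

def expand_spec(spec):
    """Suite names the local OpenSSL selects for spec ([] if none match)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:                 # "No cipher can be selected"
        return []
    return [c["name"] for c in ctx.get_ciphers()]

def is_forward_secret(name):
    """Ephemeral key exchange by OpenSSL suite name. Static ECDH-* and plain
    RSA suites are not; TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always are.
    Anonymous ADH/AECDH suites are ignored since !aNULL removes them."""
    return name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_AES_", "TLS_CHACHA20_"))

def pfs_report(names):
    """Split suite names into (forward_secret, not_forward_secret) lists."""
    fs = [n for n in names if is_forward_secret(n)]
    return fs, [n for n in names if not is_forward_secret(n)]

if __name__ == "__main__":
    fs, nofs = pfs_report(expand_spec(POSTED_SPEC))
    print("forward secret (%d):" % len(fs), ", ".join(fs))
    print("no forward secrecy (%d):" % len(nofs), ", ".join(nofs))
```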
TLS negotiation failure
by espeake@oreillyauto.com
We have a client server that is failing on the ssl handshake using TLS.
The following is from the server log when the client is trying to connect.
Sep 19 09:12:49 tntest-ldap-3 slapd[18796]: conn=3534 fd=28 ACCEPT from
IP=172.17.1.10:55469 (IP=0.0.0.0:389)
Sep 19 09:12:49 tntest-ldap-3 slapd[18796]: conn=3534 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Sep 19 09:12:49 tntest-ldap-3 slapd[18796]: conn=3534 op=0 STARTTLS
Sep 19 09:12:49 tntest-ldap-3 slapd[18796]: conn=3534 op=0 RESULT oid=
err=0 text=
Sep 19 09:12:50 tntest-ldap-3 slapd[18796]: conn=3534 fd=28 closed (TLS
negotiation failure)
On the client when I run the following:
openssl s_client -showcerts -connect tntest-ldap.oreillyauto.com:389
I get this on the client
CONNECTED(00000003)
139669033973408:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 226 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
If I do the same command on port 636 I can see the certificate. All of our
applications that use ldap are all set for TLS. Even if I force them to
port 636 they fail.
Any ideas to look at are appreciated.
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
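A probe that exercises port 389 the way an LDAP client does, added here as an example (not from the original post): it sends the LDAP StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, the `EXT oid=` line in the server log above) and only then begins the TLS handshake, so the handshake error or the negotiated cipher is reported for the same code path the applications use. `probe()` needs network access; the encoder and decoder run stand-alone on the constructed response bytes.

```python
# Added example, not code from the original post: minimal LDAP StartTLS probe.
# RFC 4511 framing; only short-form BER lengths are parsed on the response side.
import socket, ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber_len(n):
    """BER length octets, short form (<128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID   # [0] LDAPOID
    op = b"\x77" + ber_len(len(name)) + name                      # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + op                     # INTEGER messageID
    return b"\x30" + ber_len(len(body)) + body                    # SEQUENCE

def parse_result_code(msg):
    """resultCode from an ExtendedResponse ([APPLICATION 24], tag 0x78)."""
    if not (msg[:1] == b"\x30" and msg[2:4] == b"\x02\x01"
            and msg[5:6] == b"\x78" and msg[7:9] == b"\x0a\x01"):
        raise ValueError("not a short-form ExtendedResponse LDAPMessage")
    return msg[9]

def probe(host, port=389, timeout=5):
    """Do StartTLS then a verified TLS handshake; return (protocol, cipher)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        rc = parse_result_code(sock.recv(4096))
        if rc != 0:                      # server refused StartTLS
            raise RuntimeError("StartTLS refused, resultCode %d" % rc)
        ctx = ssl.create_default_context()   # hostname + chain verification on
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

# Constructed sample: a successful response (resultCode 0, empty DN and text)
SAMPLE_OK_RESPONSE = b"\x30\x0c\x02\x01\x01\x78\x07\x0a\x01\x00\x04\x00\x04\x00"
```

If the handshake fails after a resultCode 0 response, the ssl exception text names the reason (for example an untrusted chain or no shared cipher), which is the detail the server's "TLS negotiation failure" line leaves out.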
auditing failed login attempts
by Paul B. Henson
Our security group is hassling us because we don't currently provide them an
audit log of failed login attempts on our LDAP servers. For most of our
other systems, we simply provide them a syslog feed with this information.
However, openldap doesn't appear to have a logging level that provides
detail about login attempts on a single line, but rather across many lines
that would need to be correlated. It seems more like connection debugging
logging as opposed to authentication logging.
It looks like we might need to set up an accesslog overlay to log all of the
attempted binds and then have a separate process that runs through that and
generates the syslog feed to our ISO group's central logging server? That's
a bit more overhead than I would like.
Are there any other simpler ways of generating failed login logs?
Thanks much.
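The correlation the post describes, as an added example that is not part of the original message: with loglevel stats (256), slapd writes the peer address on the ACCEPT line, the bind DN on the BIND line and the outcome on the RESULT line (tag=97 is a bindResponse, err=49 is invalidCredentials), all keyed by conn= and op=; joining them yields one record per failed bind that can be handed to syslog. The sample lines are constructed in the format shown elsewhere on this page; hosts, addresses and DNs are made up.

```python
# Added example, not code from the original post: correlate slapd "stats"
# log lines (loglevel 256) so each failed simple bind becomes one record.
# Sample lines are constructed; host names, IPs and DNs are made up.
import re

LOG = """\
Sep 19 10:01:02 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.1.2.3:51234 (IP=0.0.0.0:389)
Sep 19 10:01:02 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
Sep 19 10:01:02 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Sep 19 10:01:05 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.1.2.4:40000 (IP=0.0.0.0:389)
Sep 19 10:01:05 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=com" method=128
Sep 19 10:01:05 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 19 10:01:05 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep 19 10:01:09 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
Sep 19 10:01:09 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
"""

ACCEPT = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[^:]+):\d+")
BIND = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn=\"(?P<dn>[^\"]*)\" method=")
RESULT = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) .* conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")

def failed_binds(lines):
    """One dict per bind RESULT with err != 0, joined to its BIND dn and ACCEPT ip."""
    peer, pending, failures = {}, {}, []
    for line in lines:
        if m := ACCEPT.search(line):
            peer[m["conn"]] = m["ip"]                   # peer IP learned at ACCEPT
        elif m := BIND.search(line):
            pending[(m["conn"], m["op"])] = m["dn"]     # dn learned at bind request
        elif m := RESULT.search(line):
            dn = pending.pop((m["conn"], m["op"]), None)
            if dn is not None and m["err"] != "0":
                failures.append({"time": m["ts"], "ip": peer.get(m["conn"], "?"),
                                 "dn": dn, "err": int(m["err"])})
    return failures

if __name__ == "__main__":
    for f in failed_binds(LOG.splitlines()):
        print("%(time)s ldap-auth-failure ip=%(ip)s dn=\"%(dn)s\" err=%(err)d" % f)
```

The successful bind on conn=1002 produces no record; the two err=49 results on conn=1001 each produce one, carrying the address from that connection's ACCEPT line.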
Re: Multi-master setup in debian
by Listas de Correo
On Tue, Sep 17, 2013 at 9:49 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, September 17, 2013 9:06 PM -0300 Listas de Correo <
> toshiro.listas(a)gmail.com> wrote:
>
>> Would you mind providing me more details about the bugs and potential
>> problems of using Debian packages? I'm not putting your statements in
>> doubt, I just need to have solid and documented arguments to convince my
>> boss that this extra work is really needed.
>>
>
> Read the release notes for OpenLDAP:
>
> <http://www.openldap.org/software/release/changes.html>
>
> The FAQ from the Debian OpenLDAP package maintainers:
>
> <http://www.openldap.org/faq/data/cache/1456.html>
>
> The use of GnuTLS (What Debian links to instead of OpenSSL) is harmful:
>
> <http://www.openldap.org/lists/openldap-devel/200802/msg00072.html>
>
Ok, thanks for the info, I will look into it right away.
I have an additional question about compiling from source: how do you
handle upgrades? In Debian, I've just used apt-get upgrade; in the case of
compiling yourself, do you just compile and then 'make install'? Is that
enough, or do you need to do any previous housekeeping? (I'm asking because
I haven't found any mention of upgrades in the Administrator's Guide.)
Re: Multi-master setup in debian
by Listas de Correo
Hi Quanah,
On Tue, Sep 17, 2013 at 12:21 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> It is always interesting to me when someone emails the technical list,
> asking for guidance from people who know the most about the software, and
> then ignore it.
I know what you mean, I've suffered that myself :) but there's a valid
reason for trying to ignore your suggestion (that I explained in a previous
message).
> The Debian build of OpenLDAP is old, links to a potentially insecure SSL
> implementation, and has a variety of known bugs present in it that are
> known to affect replication, particularly multi-master. Understand that by
> continuing to use the Debian package, you are essentially setting yourself
> up for failure when looking at using Multi-Master Replication.
>
Would you mind providing me more details about the bugs and potential
problems of using Debian packages? I'm not putting your statements in
doubt, I just need to have solid and documented arguments to convince my
boss that this extra work is really needed.
Thanks in advance for your help!
seeding memberOf attribute
by Paul B. Henson
We are looking at adding the memberOf overlay to an existing deployment.
From what I can tell, after the configuration on all of the servers has been
updated, all of the members need to be removed and then re-added for all
existing groups in order to get this new attribute populated?
We have a lot of groups, with a lot of members; that's going to be quite a
bit of churn. I just want to double check there wasn't a simpler/more
efficient mechanism before I started down that path.
Thanks much.
invalid syntax (21) error while importing password policy
by Philip Bubel
Running OpenLDAP 2.4.23 on CentOS 6.4, and we are having trouble enabling password policies. I've read a number of FAQs online, plus spent hours searching for a solution to this problem; although a lot of folks seem to have the same issue, I haven't been able to find a solution that works for us. I run into trouble running ldapadd to import the new policy. I end up with the invalid syntax error I've included below, along with a copy of the .ldif file and my slapd.conf file. I was able to create the policies OU without issue; I also tried using the OID for pwdAttribute instead of userPassword.
[root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f /tmp/ppolicy.ldif
Enter LDAP Password:
adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"
ldap_add: Invalid syntax (21)
additional info: pwdAttribute: value #0 invalid per syntax
Contents of policy.ldif
dn: cn=policy,ou=policies,dc=XXXX,dc=test
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
Contents of my slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/pmi.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload ppolicy.la
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=XXXX,dc=test" read
by * none
database bdb
suffix "dc=XXXXX,dc=test"
checkpoint 1024 15
rootdn "cn=Manager,dc=XXXX,dc=test"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw hello (Temp password used for testing)
overlay ppolicy
policy_default "cn=default,ou=policies,dc=XXXX,dc=test"
policy_use_lockout
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
RE: invalid syntax (21) error while importing password policy
by Quanah Gibson-Mount
--On Tuesday, September 17, 2013 8:28 PM +0000 Sebastian Bianchi
<Sebastian.Bianchi(a)zaisgroup.com> wrote:
> Can anyone tell me how to get off this list?
I can tell you a second time to stop hijacking threads. Read the email I
sent you earlier about how to get removed.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra :: the leader in open source messaging and collaboration
Multi-master setup in debian
by Listas de Correo
Hi,
I've "inherited" from a former sysadmin (among many other things) an LDAP
server to administer :) ... it's installed on Debian 6.0; it's currently
working ok but the company has another remote site now and wants to have a
secondary LDAP server on the new location (in order to support the new
remote users).
Looking into the documentation I think the best configuration option is a
N-way multi-master replication setup; unfortunately, I don't have
experience with LDAP, so I found it difficult to implement this; I've found
some good tutorials on the web but they're written for other versions of
LDAP (for example, they use slapd.conf but on Debian, the configuration is
in several directories under /etc/ldap/slapd.d).
My big question is: do you know of any resource (url link, book, whatever)
that I can use as a reference to make this configuration? (in particular,
I'd be more than happy if it provides some examples in Debian). Of course, I'm
willing to do my own work (study, research, etc) but I need some guidance
regarding where to start (assume I have little LDAP knowledge).
Thanks in advance for any help, tip, etc you may have!