January 2014 - openldap-technical

by Borresen, John - 0442 - MITLL

Ok, Trying to add the following: objectClass: olcGlobal --> this is the objectClass on another server that has SSL already set up. dn: cn=config changetype: add olcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3 olcTLSCertificateFile: /usr/local/openldap/etc/openldap/CA/cacert.pem olcTLSCertificateKeyFile: /usr/local/openldap/etc/openldap/CA/private/cakey.pem adding new entry "cn=config" ldapmodify: Object class violation (65) additional info: no objectClass attribute I've read the various manpages that deal with ldif formats, ldapmodify, ldapadd, etc and been googling too. What am I missing? Thanks in advance. John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Surveillance Systems Group 244 Wood St Lexington, MA 02420 Email: john.borresen(a)ll.mit.edu<mailto:john.borresen@ll.mit.edu>

9 years, 8 months

3
6
0 / 0

Implementing PPolicy

by Joshua Schaeffer

I'm trying implement the password policy overlay into my openldap setup, I'm running a Debian 7 server and installed openldap with the package manager. =================================================== root@baneling:~# dpkg -l | grep slapd ii slapd 2.4.31-1+nmu2 amd64 OpenLDAP server (slapd) =================================================== I currently have my ldap server setup for authentication and authorization, I'm using libnss-ldapd and libpam-ldapd on my other machines to search the ldap directory and would like to implement the password policy provided by the overlay. I believe I've added the schema, loaded thedynamic module, and added the overlay to my databasecorrectly, however I'm not sure it's actually working. I've been mostly followingthis article and the openldap documentation: http://www.zytrax.com/books/ldap/ch6/ppolicy.html http://www.openldap.org/doc/admin24/overlays.html#Password Policies <http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies> Here is my slapd.d config (shortened for brevity): =================================================== root@baneling:~# slapcat -b cn=config [...] dn: cn=module{1},cn=config objectClass: olcModuleList cn: module{1} structuralObjectClass: olcModuleList entryUUID: ad917d22-1583-1033-9e53-473d795f568b creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20140119183138Z olcModuleLoad: {0}ppolicy.so olcModulePath: /usr/lib/ldap entryCSN: 20140119183433.154615Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140119183433Z [...] dn: cn={4}ppolicy,cn=schema,cn=config objectClass: olcSchemaConfig cn: {4}ppolicy [...] dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config objectClass: olcPPolicyConfig olcOverlay: {0}ppolicy olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE structuralObjectClass: olcPPolicyConfig entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20140119194003Z entryCSN: 20140119194003.774030Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140119194003Z =================================================== And my container for the default policy: =================================================== root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Policies,dc=harmonywave,dc=com SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: ou=Policies,dc=harmonywave,dc=com ou: Policies objectClass: top objectClass: organizationalUnit dn: cn=default,ou=Policies,dc=harmonywave,dc=com cn: default objectClass: pwdPolicy objectClass: person objectClass: top pwdAttribute: userPassword pwdAllowUserChange: TRUE pwdExpireWarning: 432000 pwdFailureCountInterval: 1800 pwdGraceAuthNLimit: 10 pwdInHistory: 10 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxAge: 7776000 pwdMaxFailure: 6 pwdMinAge: 86400 pwdMinLength: 10 pwdMustChange: FALSE pwdSafeModify: TRUE sn: passwdpolicy =================================================== However, I'm not sure the policy is actually being applied. I thought it might be because I originally created my user before adding the schema and overlay, so I deleted the user and recreated it. I'm able to log into a server using my uid, however if I try to change my password I get the following: =================================================== jschaeffer@defiler:~$ passwd (current) LDAP Password: New password: Retype new password: password change failed: Constraint violation passwd: Authentication token manipulation error passwd: password unchanged =================================================== I've been entering mycurrent password correctly when it asks and I am using a complex new password. I also don't see any of the ppolicy attributes on my user (pwdChangeTime, pwdFailureTime, pwdGraceUseTime, etc): =================================================== root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com Enter LDAP Password: dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com objectClass: top objectClass: account objectClass: posixAccount uid: jschaeffer cn: Joshua Schaeffer uidNumber: 3000 gidNumber: 3000 homeDirectory: /home/jschaeffer loginShell: /bin/bash gecos: Joshua Schaeffer userPassword:: .... =================================================== I've been searching around for on the web for answers to the passwd issue, but I've not been able to find anything useful. Does anyone know how to verify that the ppolicy overlay is actually working?

9 years, 8 months

2
3
0 / 0

re: sudoCommand" limitation

by Juergen.Sprenger＠swisscom.com

Hi Michel, > Are there any limitations of the "sudoCommand" values? e.g. length <= 64 attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) The LDAP definition for the IA5 String syntax is: ( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5 String' ) http://tools.ietf.org/search/rfc4517#section-3.3.15 AFAIK there should be no limitation of length according to rfc4517. Regards Juergen

9 years, 8 months

1
0
0 / 0

LDIF and cn=config

by Côme BERNIGAUD

Hello, I'm trying to figure out what's happening with my LDAP. I insert an LDIF modifying a schema in cn=schema,cn=config, OpenLDAP gives me an error "No such object", but it still does the modification. How can I do to avoid having this error while the modification is working? I can't just ignore the error because I intend to script this and I need to know if it actually succeeded or not. Please have a look at the log attached to understand my problem. Côme

9 years, 8 months

1
0
0 / 0

"sudoCommand" limitation?

by michel.del-piero＠isc-ejpd.admin.ch

Hi Are there any limitations of the "sudoCommand" values? e.g. length <= 64 Regards Michel

9 years, 8 months

2
1
0 / 0

RE24 testing call (2.4.39)

by Quanah Gibson-Mount

If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.39 release, please do so. Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs...> Configure & build. Execute the test suite (via make test) after it is built. Thanks! --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

9 years, 8 months

5
4
0 / 0

Re: MDB_PAGE_FULL

by Pieter Martin

Hi, I am using lmdb to implement a graph db via java JNI. Initial results are amazing. Anyhow I am having trouble with deletions. I am getting MDB_PAGE_FULL when trying to delete. A simplified version of the code is as follows. //set the key ... while ((rc = mdb_cursor_get(vertexCursor, &key, &data, MDB_SET_RANGE)) == 0) { rc = mdb_cursor_del(vertexCursor, 0); if (rc != 0) { printf("removeVertex 4 %i\n", rc); goto fail; } //set the key ... } The mdb_cursor_del returns a error code -30786 (MDB_PAGE_FULL) on about the 38th loop. if there are very few entries then the exception does not happen. Is there something obvious that I am doing wrong to cause a MDB_PAGE_FULL exception? Thanks Pieter

9 years, 8 months

3
3
0 / 0

ldif-diff / ldif->ldap sync utilities

by Hallvard Breien Furuseth

[There doesn't seem to be an active general LDAP list anymore, so I hope it's OK to post here instead.] I need an ldif-diff utility (take two LDIF dumps and produce an .LDIF to change one to the other) and maybe an LDIF->LDAP sync program like this: - Give me some control of the order in which entries are output. I need to ensure that when a "mail:" value moves from one entry to another, it should temporarily occur in both entries rather than in neither. Usually that means output the 2nd entry first. - Fairly fast, but a slower and smarter mode would be nice. Fast mode can be crude, e.g. it need not know that "foo:: eHk=" means "foo: xy" and DN cn=x+uid=y,... matches uid=y+cn=x,... - Not resource-hungry. (Don't slurp the entire LDIFs into memory. Scan them to build a mapping {dn: filepos} or something.) - Don't generate a huge "replace: member" change when it instead can generate a small "delete:" + "add:" for the attribute change. (So it must be configured to know which attrs have an EQUALITY matching rule, at least when there is no server to ask.) - Preferably LDAP-novice-friendly error messages. It does *not* need to: - Detect renamed entries. - Certainly not convert anything to/from Unicode. Sometimes I've had to battle tools to stop them from deciding I want Latin1->UTF-8. - Preserve entry/attribute order. (But preserved attr.value order is nice for some attributes, even if LDAP does not guarantee it.) -- Hallvard

9 years, 8 months

1
0
0 / 0

lmdb memory usage when writing lots of data with memorymap option

by Luc Vlaming

Hi, Currently I am creating support for using LMDB as a new storage backend for one of our products. At the moment I am testing import bulk data into lmdb using transactions that span a single record of 10MB. The total db size afterwards is 5GB. I also tested with records of 1MB. I noticed a very odd thing: when using the MDB_WRITEMAP option, memory usage grows very quickly and linear with the amount of data stored into the database. (memory usage ends up a bit higher than 5GB). when not using MDB_WRITEMAP, however, memory usage stays very low. Does anyone have a suggestion what might be wrong and what causes such different behaviour with and without using the memorymap option? FYI: - there are no long lived reads so that should not be the problem. - I am using the newest git version: ec97f49a6552a8ed599472d665ec7c16463b808c Regards, Luc Vlaming

9 years, 8 months

3
8
0 / 0

Failed bind registry

by David Tello

I need to have in a exploitable format the failed binds. Something similar to the correct binds in the accesslog. I have seen that some people talks about the use of loglevel 256, but i thing that is too hard. Any help would be welcome. Thanks!

9 years, 8 months

4
11
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2014