January 2014 - openldap-technical

by Borresen, John - 0442 - MITLL

First, my apologies for the adding you, Quanah, to the cc list. Over the last few weeks, my emails have not been getting through to the openldap-technical group (haven't seen anything getting posted). Anyway, Trying to set up Monitor. I've created a Monitor directory in my ldap directory: /var/lib/openldap /var/lib/openldap/Monitor /var/lib/openldap/openldap-data All owned by ldap. My ldif looks like this: dn: olcDatabase=Monitor,cn=config objectClass:olcDatabaseConfig olcDatabase:Monitor olcAccess:dn.exact="cn=ldapadmin,dc=<my_group>,dc=ldap" write olcAccess:by users read olcAccess:by * none Getting two different errors: 1) Ldap_add: Other (e.g., implementation specific) error (80); additional info: <olcAccess> handlier exited with 1 2) Then after restarting slapd, and seeing no changes in the /var/lib/openldap/Monitor directory and ldapsearch returns # extended LDIF # # LDAPv3 # base <cn=Monitor> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 10 Referral ref: ldap://<ldap_server>.<my_group>.ldap/cn=Monitor??sub # numResponses: 1 John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Surveillance Systems Group 244 Wood St Lexington, MA 02420 Email: john.borresen(a)ll.mit.edu<mailto:john.borresen@ll.mit.edu>

9 years, 4 months

4
3
0 / 0

SSHA hashed passwords && retrieving the salt

by Matthias Apitz

Hello, I want to understand how to retrieve the 'salt' which was used by the LDAP server to hash a user's password with seeded sha1, i.e. SSHA; when I do a ldapsearch from the UNIX cmd line I get the attribute as: $ ldapsearch -h 10.45.xx.xx -p 389 -x -D ... 'cn=jrXXXXX' ... dn: cn=jrXXXXX,ou=user,ou=.... userPassword:: e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q= ... the above string I can decode with: $ echo -n 'e1NTSEF9TWd3ZmtxQ25HdTJYVXZtVzNzTm5yWjlwVjBUSmwvQ0Q=' | mmencode -u {SSHA}MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD but now I'm lost how to retrieve the 'salt' from it :-( I have google'd around and see examples for this like in http://www.pressinganswer.com/444023/how-can-i-retrieve-a-salt-from-ldap <CITED ON> With SSHA, normally the salt is appended to the SHA1 hash and then the whole thing is Base64 encoded (I've never seen an LDAP that didn't do SSHA this way). You should be able to tell this by looking at the userPassword attribute. If it's 28 character long with a = at the end, it's only the hash. If the Base64 value is 32 character long or greater, it contains both the hash and the salt. Base64 decode the value and strip off the first 20 bytes, this is the SHA1 hash. The remaining bytes are the salt. Example: Base64 encoded hash with salt userPassword: {SSHA}MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0 Base64 decoded value SHA1 Hash Salt --------------------++++ 123456789012345678901234 <CITED OFF> I can repeat the given example with: $ echo -n 'MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0' | mmencode -u 123456789012345678901234 but when I run the original string through decode, I get only binary nonsense from: echo -n 'MgwfkqCnGu2XUvmW3sNnrZ9pV0TJl/CD' | mmencode -u 2 §íRùÞÃgð What I do wrong or what I'm missing here? The used 'mmencode' is on FreeBSD 10-CURRENT from a pkg: $ pkg_info -W /usr/local/bin/mmencode /usr/local/bin/mmencode was installed by package metamail-2.7_9 if this does any matter. Thanks matthias -- Matthias Apitz | /"\ ASCII Ribbon Campaign: www.asciiribbon.org E-mail: guru(a)unixarea.de | \ / - No HTML/RTF in E-mail WWW: http://www.unixarea.de/ | X - No proprietary attachments phone: +49-170-4527211 | / \ - Respect for open standards

9 years, 4 months

2
3
0 / 0

strange error with openldap 2.4 and sql backend

by Adrian

Hi, I have a very strange issue with OpenLDAP 2.4 and the SQL backend. at_query fails although the exactly same query works fine with 2.3. I posted some details on this question on SF: http://serverfault.com/questions/566902/openldap-sql-backend-failing There's also this Gist containing my config, the full error message, etc.: https://gist.github.com/ThiefMaster/b47613f79d6a3ed879df Regards, Adrian

9 years, 4 months

1
0
0 / 0

N-Way-Multimaster Configuration

by Borresen, John - 0442 - MITLL

Thanks for your help with my last post. Now, the next task, will be setting up an N-way multimaster: Server1 Server2 Server3 Server4 Using TLS. To create the certificates, finding a lot of varying ideas via google, what is the "best practice" to create certificates to where I don't have to touch each client if a server goes down. Create a wildcard cert or use the subjectAltName in the openssl.cnf file? John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Surveillance Systems Group 244 Wood St Lexington, MA 02420 Email: john.borresen(a)ll.mit.edu<mailto:john.borresen@ll.mit.edu>

9 years, 4 months

4
5
0 / 0

BDB fine grained lock manager

by Chris Card

Hi All, We are running openldap 2.4.36 and Berkeley DB 4.6.21 (+ 4 patches) on centos 6.3 64 bit. Does anyone know if building Berkeley DB with --enable-fine_grained_lock_manager is likely to make any difference to slapd performance? Chris

9 years, 4 months

2
1
0 / 0

Re: N-Way-Multimaster Configuration

by Quanah Gibson-Mount

--On Tuesday, January 14, 2014 2:22 PM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > > > Thanks for your help with my last post. > > > > Now, the next task, will be setting up an N-way multimaster: > > Server1 > > Server2 > > Server3 > > Server4 > > > > Using TLS. To create the certificates, finding a lot of varying ideas > via google, what is the "best practice" to create certificates to > where I don't have to touch each client if a server goes down. Create > a wildcard cert or use the subjectAltName in the openssl.cnf file? I prefer to use a wildcard cert. I would note that a technically correct wildcard cert has *.domain in subjectAltname. On the flip side, virtually no CA creates certs that are compliant with the RFC for wildcards. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

9 years, 4 months

1
0
0 / 0

RE: SETTING UP MONITOR

by Quanah Gibson-Mount

--On Tuesday, January 14, 2014 11:51 AM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > Did I miss something? That link just showed me an ldif that isn't > telling me anything...that I haven't already seen in numerous google > searches. It is an example of a correctly configured monitor backend. Given that your attempt to add the monitor backend to your database is failing, I thought it might help you actually get it configured. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

9 years, 4 months

2
1
0 / 0

Re: SETTING UP MONITOR

by Quanah Gibson-Mount

--On Tuesday, January 14, 2014 11:06 AM -0500 "Borresen, John - 0442 - MITLL" <John.Borresen(a)ll.mit.edu> wrote: > Trying to set up Monitor. I've created a Monitor directory in my ldap > directory: Why? The monitor backend has no database. > My ldif looks like this: I suggest you look at: <https://github.com/Zimbra-Community/zimbra-sources/blob/master/main/Zimbr...> --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

9 years, 4 months

2
1
0 / 0

mdb expected growth

by Paul B. Henson

So after updating our dev ldap environment to use mdb, and slapadd'ing a fresh copy from our production environment into it, the database was using 828M: Environment Info Map address: (nil) Map size: 2147483648 Page size: 4096 Max pages: 524288 Number of pages used: 211612 Last transaction ID: 1333 Max readers: 126 Number of readers used: 6 Status of Main DB Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 29 I then proceeded to run a test load on it (basically, I had a script I put together when I added the memberof overlay that ripped through all of our groups, removing and then re-adding all members). After this test run, the use jumped to 1.9G: Environment Info Map address: (nil) Map size: 2147483648 Page size: 4096 Max pages: 524288 Number of pages used: 479536 Last transaction ID: 1075380 Max readers: 126 Number of readers used: 11 Status of Main DB Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 29 There is no new data in the database, all that happened was existing data was removed and then re-added. Is this drastic increase in space utilization expected in such a scenario? I bumped the max size from 2G to 4G and am rerunning the same script to see what happens. Is there any heuristic for how mdb will grow over time, based on the initial size from a fresh slapadd? I plan to set a fairly large maxsize, and also monitor it with munin to keep track of any unexpected growth, but I am curious if it is going to reach a steady-state size or continue growing over time. I would expect growth as additional entries were added, and possibly some growth from overhead when things were changed, but not necessarily such a big jump in size. Thanks.

9 years, 4 months

5
8
0 / 0

Question regarding slapo-pcache

by Philippe

Hi everyone, I'm setting up an openldap server that proxies _and_ caches everything from other servers (OpenLDAP and AD, that's what the meta database is for). As for now proxying and caching data works fine but I'm unable to get credentials cached. How is pcacheBind supposed to work? This is my setup so far: --%snip%-- # slapd.conf include /some/schemas/.. sizelimit unlimited moduleload back_bdb moduleload back_ldap moduleload back_meta moduleload pcache database ldap suffix "dc=xyz,dc=de" rootdn "cn=sys,dc=xyz,dc=de" uri "ldap://10.0.0.1" # the ldap server I'm talking to chase-referrals yes rebind-as-user yes overlay pcache pcache bdb 999999 2 999 300 directory /var/lib/ldap-cache cachesize 1024 index objectClass eq,pres index uidNumber,gidNumber eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uid,memberUid eq,pres,sub index uniqueMember eq,pres pcacheMaxQueries 999999 pcacheOffline false pcachePersist true pcacheAttrset 0 cn uid objectclass userpassword sn mail memberof displayname pcacheTemplate (cn=) 0 3600 pcacheAttrset 1 cn uid pcacheTemplate (cn=) 1 3600 pcacheBind (cn=) 1 3600 sub dc=xyz,dc=de database meta suffix "dc=de" uri "ldap://localhost/dc=xyz,dc=de" idassert-bind bindmethod=simple binddn="cn=sys,dc=xyz,dc=de" credentials="somecredentials" chase-referrals yes rebind-as-user yes --%snip%-- Now I'm running some queries using ldapsearch and watching the traffic via tcpdump. As far as I can tell the requested attributes are cached, the remote ldap server is only asked once about the requested data. But even when the data is already cached the openldap server still tries to bind to the remote server. Which is unfortunate since I'm trying to catch network outages with the caching proxy. Example: >> $ ldapsearch -x -H ldap://localhost -D cn=me,ou=users,dc=xyz,dc=de -W -b dc=xyz,dc=de 'cn=foo' mail - first attempt tcpdump shows: bind, search of cn uid objectclass userpassword sn mail memberof, and the result - second attempt, same command tcpdump shows: bind and that's all. The result are delivered from cache. I tried other filter masks, too, which lead to different results: --%snip%-- pcacheAttrset 0 * pcacheTemplate (cn=) 0 3600 pcacheBind (cn=) 0 3600 sub dc=xyz,dc=de --%snip%-- In this case the remote server isn't queried anymore after the second attempt of the command above (which is good), but when trying to search for data that hasn't been cached yet, openldap tries to bind anonymously to the remote server (which is bad, because it won't work). Syslog tells me: >> ldap_back_dobind_int: DN="cn=me,ou=users,dc=xyz,dc=de" without creds, binding anonymously Any clues? Kind regards, Philippe

9 years, 4 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2014