openldap-technical November 2014

openldap-technical@openldap.org

66 participants
69 discussions

Re: Antw: getting warning:var/lib/ldap/__db.004 is not owned by "ldap" and ldap wont start
by wailok tam 26 Nov '14

26 Nov '14

Hi, thanks. it is fixed now. I get another trouble with doing replication over SSL on redhat. I dont know how to config the slave.If you can help with my other post, that would be greatly appreciated. From: Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> To: openldap-technical(a)openldap.org; wailoktam(a)yahoo.com Sent: Wednesday, November 26, 2014 5:26 PM Subject: Antw: getting warning:var/lib/ldap/__db.004 is not owned by "ldap" and ldap wont start >>> wailok tam <wailoktam(a)yahoo.com> schrieb am 26.11.2014 um 04:36 in Nachricht <1434320209.699036.1416973016975.JavaMail.yahoo(a)jws100111.mail.ne1.yahoo.com>: > Hi, all, I get the warning given in the title and ldap stops even after > reporting to start successfully. > The error is fixed by doing a chown for the affected files. It was > mysteriously changed to root. I change it back to ldap and it works again. > However, I want to know what has caused this to happen. Anyone can help? Most likely: You started slapadd as root? > I am in the course of changing a slurpd-based replication to a > syncrepl-based replication. I suspect that is relevant. > In the old and working master config: > rootdn: root binddn for replication(slurpd) directive: replicator > In the old and working slave config: rootdn: replicator > > In the new master config: rootdn: root > > In the new slave config: rootdn: replicator > binddn for replication(syncrepl) directive: replicator > What has caused the db.00X file to be owned by root? > The new configs once start without error. But I find the replication is not > doing its job when I check on the slave the data of a user account I changed > on the master side. So I go back to the old config. And then the > var/lib/ldap/__db.004 is not owned by "ldap" comes up and ldap wont start on > the slave. > Maybe the syncrepl has been working partially, just in a different name and > causes the problem?Maybe it is not working at all as I dont know what to put > about ssl/tls in the slave config file. In the master, I have commented out > the tls cert/key lines and access to the server by the client are done with > the ldaps:// port. But I dont know what to do with the slapd.conf of the > slave file. Does it have to get the ssl lines commented out in order to get > allowed to access the master. > Any help would be greatly appreciated.

1 0

getting warning:var/lib/ldap/__db.004 is not owned by "ldap" and ldap wont start
by wailok tam 25 Nov '14

25 Nov '14

Hi, all, I get the warning given in the title and ldap stops even after reporting to start successfully. The error is fixed by doing a chown for the affected files. It was mysteriously changed to root. I change it back to ldap and it works again. However, I want to know what has caused this to happen. Anyone can help? I am in the course of changing a slurpd-based replication to a syncrepl-based replication. I suspect that is relevant. In the old and working master config: rootdn: root binddn for replication(slurpd) directive: replicator In the old and working slave config: rootdn: replicator In the new master config: rootdn: root In the new slave config: rootdn: replicator binddn for replication(syncrepl) directive: replicator What has caused the db.00X file to be owned by root? The new configs once start without error. But I find the replication is not doing its job when I check on the slave the data of a user account I changed on the master side. So I go back to the old config. And then the var/lib/ldap/__db.004 is not owned by "ldap" comes up and ldap wont start on the slave. Maybe the syncrepl has been working partially, just in a different name and causes the problem?Maybe it is not working at all as I dont know what to put about ssl/tls in the slave config file. In the master, I have commented out the tls cert/key lines and access to the server by the client are done with the ldaps:// port. But I dont know what to do with the slapd.conf of the slave file. Does it have to get the ssl lines commented out in order to get allowed to access the master. Any help would be greatly appreciated.

2 2

Re: Antw: Re: multi master replication
by Guruprasad Kulkarni 25 Nov '14

25 Nov '14

I think I can have two "rid=000" because I do not see any complaints on the logs (both masters) and the replication works. I'll have to read more about this. Thanks, Guruprasad On Nov 25, 2014 2:46 AM, "Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de> wrote: > Hi! > > First I think you cannot have two "rid=000", second (unless you use > certificates or more sophisticated mechs) your password will be visible in > the > config. That's why the config should be protected (and better not be sent > to > this list unmodified). > > Regards, > Ulrich > > >>> Guruprasad Kulkarni <gkulkarni(a)gridcosystems.com> schrieb am > 24.11.2014 > um > 20:01 in Nachricht > <CAB6=W2stWBseeehyE7vPn-v1BG6Wro+WPZtqdMb8ZY0yFqrXSQ(a)mail.gmail.com>: > > So I found an example for setting up multi master replication using > > slapd.conf > > > > *slapd.conf for MASTER 1* > > > > *# slapd master ldap1.example.com <http://ldap1.example.com>* > > *# global section* > > *serverID 001* > > > > *database bdb* > > *...* > > > > *access to ** > > * by dn.base="cn=admin,ou=people,dc=example,dc=com" read* > > * by * read* > > > > *syncrepl rid=000 * > > * provider=ldap://ldap2.example.com <http://ldap2.example.com>* > > * type=refreshAndPersist* > > * retry="5 5 300 +" * > > * searchbase="dc=example,dc=com"* > > * attrs="*,+"* > > * bindmethod=simple* > > * binddn="cn=admin,ou=people,dc=example,dc=com"* > > * credentials=secret* > > > > *index objectClass eq* > > > > *mirrormode TRUE* > > > > *overlay syncprov* > > *syncprov-checkpoint 100 10* > > > > > > > > *slapd.conf for MASTER 2* > > > > *# slapd master ldap2.example.com <http://ldap2.example.com>* > > *# global section* > > *serverID 002* > > > > *database bdb* > > *...* > > > > *access to ** > > * by dn.base="cn=admin,ou=people,dc=example,dc=com" read* > > * by * read * > > > > *syncrepl rid=000 * > > * provider=ldap://ldap1.example.com <http://ldap1.example.com>* > > * type=refreshAndPersist* > > * retry="5 5 300 +" * > > * searchbase="dc=example,dc=com"* > > * attrs="*,+"* > > * bindmethod=simple* > > * binddn="cn=admin,ou=people,dc=example,dc=com"* > > * credentials=secret* > > > > *index objectClass eq* > > > > *mirrormode TRUE* > > > > *overlay syncprov* > > *syncprov-checkpoint 100 10* > > > > > > > > My question is - Do the credentials have to be clear text passwords? If > > not, how do I mention encrypted passwords? (I tried within quotes ' ' > and " > > ", but each time got invalid credentials error) > > > > > > > > On Mon, Nov 24, 2014 at 1:28 PM, Howard Chu <hyc(a)symas.com> wrote: > > > >> Guruprasad Kulkarni wrote: > >> > >>> Hi, > >>> > >>> I did have a look at the options and only "--enable-modules" option > >>> talks about dynamic module support > >>> > >>> I tried "--enable-dynamic" option as well (the description for it is > >>> enable linking built binaries with dynamic libs) > >>> > >>> What I do observe is that even though I have "moduleload syncprov.la > >>> <http://syncprov.la>" directive in slapd.conf, slapd does not complain > >>> about it. So I guess I do not have to specify the module path > >>> (syncreplication tests were successful as well) > >>> > >> > >> Correct, moduleload silently succeeds if you specify a module that was > >> built statically. > >> > >>> > >>> I also realized I was looking at the OLC configuration examples for > >>> multi master. What I need to do is find slapd.conf example for multi > >>> master. > >>> > >>> > >>> On Mon, Nov 24, 2014 at 11:29 AM, Dieter Klünter <dieter(a)dkluenter.de > >>> <mailto:dieter@dkluenter.de>> wrote: > >>> > >>> Am Mon, 24 Nov 2014 09:52:34 -0500 > >>> schrieb Guruprasad Kulkarni <gkulkarni(a)gridcosystems.com > >>> <mailto:gkulkarni@gridcosystems.com>>: > >>> > >>> > I have 2 questions regarding multi master replication: > >>> > > >>> > 1. I built openldap 2.4.40 from source and according to the > >>> makefile, > >>> > the module directory should be at /usr/local/libexec/openldap. > >>> > > >>> > However I do not see such a folder. Am I missing something? > The > >>> > options I used with configure were "--enable-debug > --enable-modules > >>> > --enable-hdb --enable-monitor --enable-ppolicy --enable-syncprov > >>> > --with-tls --with-cyrus-sasl" > >>> > > >>> > I am asking because the multi master replication example ( > >>> >http://www.openldap.org/doc/admin24/replication.html > >>> > <http://www.openldap.org/doc/admin24/replication.html#N-Way>) > >>> needs > >>> > me to load thesyncprov.la <http://syncprov.la> module, but I am > >>> not sure if the > >>> > modulepath given there is correct or not. > >>> > >>> You have probably not build dynamic loadable modules, but built-in > >>> modules. > >>> you should run ./configure --help | less, which will show proper > build > >>> choices. > >>> > >> > >> -- > >> -- Howard Chu > >> CTO, Symas Corp. http://www.symas.com > >> Director, Highland Sun http://highlandsun.com/hyc/ > >> Chief Architect, OpenLDAP http://www.openldap.org/project/ > >> > > > > > > > > -- > > -Guruprasad > > > >

2 1

Re: Antw: Passwords, Hashing, and Binds
by Quanah Gibson-Mount 25 Nov '14

25 Nov '14

--On Monday, November 24, 2014 12:22 PM +0100 Onno van der Straaten <onno.van.der.straaten(a)gmail.com> wrote: > sudo make install I'd generally advise you really read over the options to configure, and build a better set of binaries. For example, leave out back-bdb/hdb, and enable building things modularly. My options are: --with-cyrus-sasl \ --with-tls=openssl \ --enable-dynamic \ --enable-slapd \ --enable-modules \ --enable-backends=mod \ --disable-shell \ --disable-sql \ --disable-bdb \ --disable-hdb \ --disable-ndb \ --enable-overlays=mod \ --enable-debug \ --enable-spasswd \ --enable-crypt; \ > Make the sha2 module > cd ~/openldap/contrib/slapd-modules/passwd/sha2 > sed -i.bak s/-Wall -g/-Wall -g fPIC/g Makefile > make I do: (cd openldap-$(LDAP_VERSION)/contrib/slapd-modules/passwd/sha2; \ $(MAKE) prefix=/usr/local LIBS="-L$(LDAP_LIB_DIR) -lldap_r -llber" install STRIP=""; \ ) And then it installs it for me in the same location. Just make sure you use the same prefix here. > This results in a number of files pw-sha2.la sha2.lo sha2.o slapd-sha2.lo slapd-sha2.o > > The question now is how to install this on my target OpenLDAP server. I > put the files in /usr/lib64/openldap en dan tried to add the following > dn: cn=module{0},cn=config > changetype: modify > replace: olcModuleLoad > olcModuleLoad: slapd-sha2.la I'm not sure that replacing olcModuleLoad is correct. If you already have values in there, you probably want to keep them. I generally *add* an additional values. In any case, your value for the attribute is incorrect. The .la file is named, as in your email, pw-sha2.la, not slapd-sha2.la . If you want to add it as an additional module to load, then you would do changetype: modify add: olcModuleLoad olcModuleLoad: pw-sha2.la My loaded modules are: dn: cn=module{0} objectClass: olcModuleList cn: module{0} olcModulePath: /opt/zimbra/openldap/sbin/openldap olcModuleLoad: {0}back_mdb.la olcModuleLoad: {1}back_monitor.la olcModuleLoad: {2}syncprov.la olcModuleLoad: {3}accesslog.la olcModuleLoad: {4}dynlist.la olcModuleLoad: {5}unique.la olcModuleLoad: {6}noopsrch.la olcModuleLoad: {7}pw-sha2.la for example. now, if you want to make something like say, SHA512 the default, then you need to modify the frontend config db: dn: olcDatabase={-1},cn=config changetype: modify replace: olcPasswordHash olcPasswordHash: {SSHA512} --Quanah -- Quanah Gibson-Mount Server Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Returned mail: Data format error
by cloos＠jhcloos.com 25 Nov '14

25 Nov '14

1 0

multi master replication
by Guruprasad Kulkarni 25 Nov '14

25 Nov '14

I have 2 questions regarding multi master replication: 1. I built openldap 2.4.40 from source and according to the makefile, the module directory should be at /usr/local/libexec/openldap. However I do not see such a folder. Am I missing something? The options I used with configure were "--enable-debug --enable-modules --enable-hdb --enable-monitor --enable-ppolicy --enable-syncprov --with-tls --with-cyrus-sasl" I am asking because the multi master replication example ( http://www.openldap.org/doc/admin24/replication.html <http://www.openldap.org/doc/admin24/replication.html#N-Way>) needs me to load the syncprov.la module, but I am not sure if the modulepath given there is correct or not. 2. Are the ldifs mentioned in the example enough with the following slapd.conf file I have? include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/ppolicy.schema #custom password quality checker module location modulepath /usr/local/lib moduleload back_hdb.la moduleload ppolicy.la moduleload syncprov.la database hdb suffix "dc=example,dc=com" rootdn "cn=manager,dc=example,dc=com" rootpw *rootpw* access to * by dn="cn=manager,dc=example,dc=com" write by self write by * read directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq overlay ppolicy ppolicy_default "cn=default,ou=Policies,dc=example,dc=com" overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 loglevel 256 TLSCACertificateFile path_to_ca_certificate TLSCertificateFile path_to_certificate_file TLSCertificateKeyFile path_to_certificate_key_file I am new to openLDAP and not sure how to set up muti master replication properly. -- -Guruprasad

4 6

can our redhat os be migrate into 64bit?
by Wang, Hui 24 Nov '14

24 Nov '14

Hi, Our openLDAP is in version 2.3.4, it currently installed on a redhat 32bit. Can this server be migrate into 64bits? I can't find the os requirement for different version of openldap at this moment thanks Hui Wang (Holly) CSUN IT Department Identity and Directory Service 818-677-2031 holly.wang(a)csun.edu

3 2

Add attribute to already defined objectclass organizationalUnit in core.schema
by Shashi Ranjan 24 Nov '14

24 Nov '14

Hello, I need to add two elements to organizationalUnit Object Class. How can I do it without modifying the core.schema file? Is there a way to define two new attributes in my private schema file (local.schema) and then extend the object class organizationalUnit defined in core.schema? I do not want to modify the file core.schema. I wish to deliver only my local schema file (local.schema) with other changes also. P.S.: I m new OpenLDAP. Thanks & Regards, Shashi Ranjan "DISCLAIMER: This message is proprietary to Aricent and is intended solely for the use of the individual to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what it is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. Aricent accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus."

4 3

Re: Antw: Passwords, Hashing, and Binds
by Onno van der Straaten 24 Nov '14

24 Nov '14

Hi, I need some help getting this SSHA512 support. I found the module in the contrib directory passwd/sha2 but the README is still the old readme. It is doesn't explain how to install the module after compliation. This is what I was able to do so far On a clean CentOS VM make OpenLDAP 2-4-40 sudo yum -y install git mkdir openldap && cd openldap git clone git://git.openldap.org/openldap.git . git tag -l git checkout tags/OPENLDAP_REL_ENG_2_4_40 sudo yum -y install gcc export CXXFLAGS="$CXXFLAGS -fPIC" sudo yum -y install db4 db4-devel ./configure make depend sudo make sudo make install Make the sha2 module cd ~/openldap/contrib/slapd-modules/passwd/sha2 sed -i.bak s/-Wall -g/-Wall -g fPIC/g Makefile make This results in a number of files pw-sha2.la sha2.lo sha2.o slapd-sha2.lo slapd-sha2.o The question now is how to install this on my target OpenLDAP server. I put the files in /usr/lib64/openldap en dan tried to add the following dn: cn=module{0},cn=config changetype: modify replace: olcModuleLoad olcModuleLoad: slapd-sha2.la This give me an error message + sudo ldapadd -Y EXTERNAL -H ldapi:/// -f sha2.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 ldap_add: Other (e.g., implementation specific) error (80) additional info: <olcModuleLoad> handler exited with 1 adding new entry "cn=module{0},cn=config" The readme only describes how this used to work. I followed the readme for older version of OpenLDAP 2.4.23. This produces one file slapd-sha2.o exactly as described in the readme. I was able to install this module using this readme. Problem is that I need SSHA-512 which the older module does not support. Any tips or suggestions will be much appriacted Thanks and Regards, Onno On Fri, Aug 29, 2014 at 9:15 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Friday, August 29, 2014 9:55 AM +0200 Ulrich Windl < > Ulrich.Windl(a)rz.uni-regensburg.de> wrote: > > Bram Cymet <bcymet(a)cbnco.com> schrieb am 28.08.2014 um 22:26 in >>>>> Nachricht >>>>> >>>> <53FF9080.1050209(a)cbnco.com>: >> >>> Hi, >>> >>> I am storing users passwords in a userPassword attribute. When the >>> passwords are hashed with MD5 I can bind as the user just fine. If I >>> hash the password with sha-256 I get invalid credentials. >>> >> >> I wonder: My slappasswd only knows about {SHA} and {SSHA}, {MD5} and >> {SMD5}, {CRYPT}, and {CLEARTEXT}. Section 14.4 of the manual indicates >> that hashed passwords are non-standard anyway. So implement the >> non-standard on your clients. >> > > It takes 5 seconds to look in the contrib directory shipped with the > source and find: > > SHA-2 OpenLDAP support > ---------------------- > > slapd-sha2.c provides support for SSHA-512, SSHA-384, SSHA-256, > SHA-512, SHA-384 and SHA-256 hashed passwords in OpenLDAP. For > instance, one could have the LDAP attribute: > > userPassword: {SHA512}vSsar3708Jvp9Szi2NWZZ02Bqp1qRC > FpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg== > > or: > > userPassword: {SHA384}WKd1ukESvjAFrkQHznV9iP2nHUBJe7 > gCbsrFTU4//HIyzo3jq1rLMK45dg/ufFPt > > or: > > userPassword: {SHA256}K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= > > all of which encode the password 'secret'. > > (etc). As I already stated, there's a module for this. I use it on my > systems to add SSHA512 suport. > > --Quanah > > > > -- > > Quanah Gibson-Mount > Server Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > >

1 0

LDAP wire protocol analysis with Wireshark
by Igor Shmukler 24 Nov '14

24 Nov '14

Hello, As per a suggestion by Andrew Findlay, I have been using Wireshark to debug my LDAP client. Specifically, at this time, I am working on simple paging results. One "issue" which I have noticed, is that searchResultsControl returned by both OpenLDAP and/or MS AD servers always has a size of 0. The cookie is returned according to the RFC 2696 specification, but size is not. Please advise what I am missing. Thank you, Igor Shmukler

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2014