openldap-technical June 2014

openldap-technical@openldap.org

38 participants
30 discussions

Password History check in openldap
by scor z 10 Jun '14

10 Jun '14

Password History check in openldap not working when I am using SHA-256 password hashing in openldap. So I am sending clear text password from my java application to openLDAP and it is storing as SHA-256 hashed form on its own. whenever I am changing password, openLDAP is storing the previous password in pwdHistory. There is no problem in that but when I am changing password with the same password previously used it is taking up without throwing any error. I am struggling to make it work for few weeks. Please somebody help me. My environment details: OpenLDAP 2.4.38 RHEL 6 Following details also mentioned in slapd.conf include ../etc/openldap/schema/ppolicy.schema password-hash {SHA256} overlay ppolicy ppolicy_default "cn=default,ou=pwdpolicies,dc=my-domain,dc=com" ppolicy_hash_cleartext my password policy: dn: cn=Default,ou=pwdpolicies,dc=my-domain,dc=com objectClass: pwdPolicy objectClass: person objectClass: top cn: Default sn: Default pwdAttribute: userPassword pwdMinAge: 0 pwdInHistory: 5 pwdFailureCountInterval: 0 pwdLockout: TRUE pwdLockoutDuration: 0 pwdAllowUserChange: TRUE pwdExpireWarning: 0 pwdGraceAuthNLimit: 0 pwdMustChange: FALSE pwdSafeModify: FALSE Kindly let me know if I have to give me more information to nail down the issue. Please Please Please someone help me on this. I am badly need a solution on this.

3 2

Re: AD pass through to Openladp?
by Justin Stanczak 10 Jun '14

10 Jun '14

I want to keep the password part in the current LDAP so we don't have to do a mass reset for all parties. And I didn't want to move the LDAP to an MS product. Thanks for the information. On Fri, Jun 6, 2014 at 8:08 PM, Stewart Walters <stewart.walters(a)gmail.com> wrote: > Just spit balling here, because I'm not exactly sure I completely > understand your usage scenario. > > You say you want AD to use OpenLDAP as the authentication source, I > presume so that Windows workstation logins can authenticate against an > identity in OpenLDAP? > > If Group Policy/File and Printer management and other aspects of AD aren't > hugely important to the control and management of your workstation fleet, > you could deploy pGina (pgina.org) to every workstation. pGina will > replace the windows Ctrl + Alt + Del style login screen with one that will > allow users to authenticate directly to an identity in OpenLDAP. > > If that's not your scenario (or if you need the Group Policy/File and > Print stuff), as Peter correctly asserts - Samba 3/4 can be used as a drop > in replacement for AD. It can also be configured to use Kerberos and > OpenLDAP on the backend to control identity and authentication. Without > having to learn Samba (which by extension, often requires you to know low > level concepts of AD itself), you could also consider a FreeIPA deployment > which may or may not assist with simplifying the configuration of Samba4. > > Another way would be to use an IDAM product such as Microsoft Forefront > Identity Manager (or the Quest or NetIQ equivalents) to replicate > user identities and passwords in AD over to OpenLDAP (and vice versa). I > suspect however that an IDAM project is probably too over-engineered/too > expensive for your needs. > > Hope that helps, > > Stewart > > >

1 0

LMDB and multiple processes
by Brian G. Merrell 08 Jun '14

08 Jun '14

Hi all, First, I'm having trouble finding resources to answer a question like this myself, so please forgive me if I've missed something. I'm considering using LMDB (versus LevelDB) for a project I'm working on where I'll be receiving a high volume (hundreds per second) of high priority requests (over HTTP) and issuing multiple (<10) database queries per request. I'll also have a separate process receiving updates for the data and writing to the database. This will happen often (several times a minute, perhaps), but the priority is much lower than the read requests. LMDB appealed to me because of the read performance and that I could have one processing reading data from LMDB and another process writing data updates to LMDB. For proof of concept, I hacked up the following (I'll use pseudocode since I used the Go bindings for my actual programs, and hopefully my question is sufficiently abstract not to matter): Process 1, the writer, simply writes a random integer (from 0 to 1000) to a defined set of keys: env = NewEnv() env.Open("/tmp/foo", 0, 0664) txn = env.BeginTxn(nil, 0) dbi = txn.DBIOpen(nil, 0) txn.Commit() txn = env.BeginTxn(nil, 0) n_entries = 5 for i = 0; i < n_entries; i++ { key = sprintf("Key-%d", i) val = sprintf("Val-%d", rand.Int(1000)) txn.Put(dbi, key, val, 0) } txn.Commit() env.DBIClose(dbi) env.Close() Process 2, the reader, simply loops forever and does random access reads on the data from process 1 (I won't benefit from a cursor for my actual problem), and prints out that data occasionally: env = NewEnv() env.Open("/tmp/foo", 0, 0664) while { txn = BeginTxn(nil, 0) dbi = txn.DBIOpen(nil, 0) txn.Commit() for i = 0; i < n_entries; i++ { key = sprintf("Key-%d", i) val = txn.Get(dbi, key) print("%s: %s", key, value) } env.DBIClose(dbi) sleep(5) } So my high level question is: What am I doing wrong? This seems to work OK, but a lot of it was guesswork, so I'm sure I'm doing some silly things. For example, first I put the BeginTxn() and DBIOpen() calls in process 2 outside of the while loop, but when I did that, I never saw the updates values upon running process 1 simultaneously. In my real-world application, it seems like adding these calls to every request (to be sure the data being read is up-to-date) could be an unnecessary performance penalty. I was suspect there are flags that I can/should be using, but I'm not sure. Thanks for any input. Brian

2 6

Problems using StartTls with openldap-2.4.31
by Andrei Cipu 07 Jun '14

07 Jun '14

Hi all, I'm using openldap-2.4.31 compiled with gnutls25 on Rapsbmc (pre-compiled by the distribution) and I'm trying to make ldap+StartTls work with ldapsearch (simple ldap:// works like a charm). After hitting the issue described at [1] , I've decided to use a self-signed CA cert generated with certtool, as described in [2]. This allowed me to establish the TLS connection. However, the client still sends the bind in clear text, then the server closes the connection. The slapd.conf file is below (comments stripped; the client has the same CACert and cipher suites): > include /etc/ldap/schema/core.schema > include /etc/ldap/schema/cosine.schema > include /etc/ldap/schema/nis.schema > include /etc/ldap/schema/inetorgperson.schema > include /etc/ldap/schema/samba.schema > > pidfile /var/run/slapd/slapd.pid > > argsfile /var/run/slapd/slapd.args > > loglevel -1 > > modulepath /usr/lib/ldap > moduleload back_hdb > > sizelimit 500 > > tool-threads 1 > > TLSCACertificateFile /etc/ldap/certs/selfsign/ca-cert.pem > TLSCertificateKeyFile /etc/ldap/certs/selfsign/key.pem > TLSCertificateFile /etc/ldap/certs/selfsign/cert.pem > TLSCipherSuite NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+COMP-ALL:+AES-256-CBC:+CAMELLIA-256-CBC:+RSA:+SHA1:+SHA256 > TLSVerifyClient never The client output: > root@argyle:/home/pi# ldapsearch -x -H ldap://127.0.0.1 -Z -b 'dc=strainu,dc=ro' -Dcn=admin,dc=strainu,dc=ro -w bla > ldap_start_tls: Connect error (-11) > additional info: (unknown error code) > ldap_result: Can't contact LDAP server (-1) And finally the server output: > root@argyle:/etc/ldap# /usr/sbin/slapd -g openldap -u openldap -f /etc/ldap/slapd.conf -d -1 > 53923fb1 @(#) $OpenLDAP: slapd (Apr 24 2013 17:35:25) $ buildd@build07.raspbian.lan:/build/openldap-nxJLrU/openldap-2.4.31/debian/build/servers/slapd > ldap_pvt_gethostbyname_a: host=argyle, r=0 > 53923fb1 daemon_init: <null> > 53923fb1 daemon_init: listen on ldap:/// > 53923fb1 daemon_init: 1 listeners to open... > ldap_url_parse_ext(ldap:///) > 53923fb1 daemon: listener initialized ldap:/// > 53923fb1 daemon_init: 2 listeners opened > ldap_create > 53923fb1 slapd init: initiated server. > > [...] > > 53923ffe connection_read(12): unable to get TLS client DN, error=49 id=1000 > 53923ffe conn=1000 fd=12 TLS established tls_ssf=256 ssf=256 > 53923ffe daemon: activity on 1 descriptor > 53923ffe daemon: activity on:53923ffe > 53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero > 53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero > 53923ffe daemon: activity on 1 descriptor > 53923ffe daemon: activity on:53923ffe 12r53923ffe > 53923ffe daemon: read active on 12 > 53923ffe connection_get(12) > 53923ffe connection_get(12): got connid=1000 > 53923ffe connection_read(12): checking for input on id=1000 > ber_get_next > tls_read: want=5, got=5 > 0000: 30 33 02 01 02 03... > ldap_read: want=8 error=Success > 53923ffe ber_get_next on fd 12 failed errno=0 (Success) > 53923ffe connection_read(12): input error=-2 id=1000, closing. > 53923ffe connection_closing: readying conn=1000 sd=12 for close > 53923ffe connection_close: conn=1000 sd=12 > 53923ffe daemon: removing 12 > tls_write: want=53, written=53 > 0000: 15 03 03 00 30 c2 bb c0 ae 12 fa 04 27 45 11 6e ....0.......'E.n > 0010: d7 08 20 97 49 59 0b 35 c5 77 2d b5 65 a0 97 a4 .. .IY.5.w-.e... > 0020: b0 3a eb aa b1 e7 71 8b 3e 0c 73 60 e3 9b 66 8c .:....q.>.s`..f. > 0030: f8 94 e0 c6 50 ....P > 53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero > 53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero > 53923ffe daemon: activity on 1 descriptor > 53923ffe daemon: activity on:53923ffe > 53923ffe daemon: epoll: listen=6 active_threads=0 tvp=zero > 53923ffe daemon: epoll: listen=7 active_threads=0 tvp=zero > 53923ffe conn=1000 fd=12 closed (connection lost) As you can see, the server declares the TLS established, then tries to read something, receives 5 bytes which indicates the ldap protocol (I believe), then comes the part I can't decode: > ldap_read: want=8 error=Success > 53923ffe ber_get_next on fd 12 failed errno=0 (Success) > 53923ffe connection_read(12): input error=-2 id=1000, closing. What's with the "failed errno=0" and why does the server close the connection? What should I change in the config to make it work? If you need any more information I'll provide it - I selected the part that seemed relevant to me. Thank a lot for any ideas, Andrei [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921#25 [2] http://www.gnutls.org/manual/html_node/certtool-Invocation.html

2 1

AD pass through to Openladp?
by Justin Stanczak 07 Jun '14

07 Jun '14

Is there a method of connecting Active Directory to use OpenLDAP as the authentication source. So pass through to OpenLDAP. Making OpenLDAP the primary system with all the passwords and usernames. I realize this might be more of a AD question, but the places I've looked seem to always make AD the primary. Then everyone else must proxy to AD. Thanks.

4 6

back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
by Charles Bueche 06 Jun '14

06 Jun '14

Hi, I'm running the latest openldap stable 2.4.39 on Ubuntu. My openldap server is configured as a LDAP proxy to MS-AD using back-meta. It works nicely, as long as I don't use OID in filters. Specifically, I need LDAP_MATCHING_RULE_IN_CHAIN (http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx) to search recursive groups in MS-AD. If I use that special filter directly against AD, I get my group list. filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)' Or if I use a "normal" filter across my proxy, I get my group list as well. filter='(memberOf=cn=gs-msp-report,OU=Customers,DC=ad,DC=stuff,DC=ch)' BROKEN: If I use the special filter across my LDAP proxy's back-meta, I get no results and filter="(?=undefined)" in my debug log. filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)' So my guess is that my filter syntax with OID is not accepted by back-meta. When using -d -1, I see this: ... 538dd110 begin get_filter 538dd110 EXTENSIBLE ... 538dd110 end get_filter 0 538dd110 filter: (?=undefined) ... I have looked at the code of openldap-2.4.39/servers/slapd/filter.c but I don't really see what's wrong. Help very welcome ! Charles

4 11

LDAP Proxy Timeout Values
by Jack Kielsmeier 05 Jun '14

05 Jun '14

Hello, We are running OpenLDAP 2.4.23. Part of our implementation proxies to an Active Directory server. Whenever connectivity to the AD server is interrupted, queries to the non-proxied portion of our implementation take a very long time and cause many issues with querying services. I have been looking at timeout options for both slapd.conf and ldap.conf and I have found the following: ldap.conf: NETWORK_TIMEOUT <integer> Specifies the timeout (in seconds) after which the poll(2)/select(2) following a connect(2) returns in case of no activity. TIMEOUT <integer> Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs will abort if no response is received. Also used for any ldap_result(3) calls where a NULL timeout parameter is supplied. slapd.conf: idletimeout <integer> Specify the number of seconds to wait before forcibly closing an idle client connection. A idletimeout of 0 disables this feature. The default is 0. You may also want to set the writetimeout option. writetimeout <integer> Specify the number of seconds to wait before forcibly closing a connection with an outstanding write. This allows recovery from various network hang conditions. A writetimeout of 0 disables this feature. The default is 0. I am wondering which timeout values would be best to set in order to speed up queries when proxy connectivity is interrupted. Perhaps there is something else wrong with our config that is causing this issue. Our ldap.conf file is basically empty (so, using all default) Our slapd.conf looks something like this (heavily edited to remove specific info): ##########BEGIN SLAPD.CONF########## include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/samba3.schema include /etc/openldap/schema/lockfile.schema include /etc/openldap/schema/yast.schema include /etc/openldap/schema/ldap2dns.schema include /etc/openldap/schema/radius.schema include /etc/openldap/schema/mail.schema loglevel 256 allow bind_v2 sasl-host [REMOVED] sasl-realm [REMOVED] pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap moduleload rwm tool-threads 2 #TLSCipherSuite HIGH:MEDIUM:+SSLv2 #TLSCACertificatePath /etc/ssl/certs/ #TLSCertificateFile [REMOVED] #TLSCertificateKeyFile [REMOVED] #TLSVerifyClient demand access to attrs=[REMOVED] by anonymous [REMOVED] by * [REMOVED] access to attrs=[REMOVED] by * [REMOVED] access to [REMOVED] by * [REMOVED] access to [REMOVED] by * [REMOVED] database [REMOVED] suffix "[REMOVED]" checkpoint 20480 5 cachesize 100000 directory [REMOVED] dbconfig set_cachesize 0 268435456 1 dbconfig set_lg_max 268435456 dbconfig set_lg_bsize 16777216 dbconfig set_lk_max_objects 5000 dbconfig set_lk_max_locks 5000 dbconfig set_lk_max_lockers 50000 dbconfig set_flags DB_LOG_AUTOREMOVE index [REMOVED] index [REMOVED] index [REMOVED] rootdn [REMOVED] rootpw [REMOVED] syncrepl rid=[REMOVED] provider=[REMOVED] type=refreshAndPersist retry="300 +" searchbase="[REMOVED]" filter="(objectClass=*)" sizelimit="unlimited" timelimit="unlimited" scope=sub schemachecking=off bindmethod=simple binddn="[REMOVED]" credentials=[REMOVED] database [REMOVED] suffix "[REMOVED]" checkpoint 20480 5 cachesize 100000 directory [REMOVED] dbconfig set_cachesize 0 268435456 1 dbconfig set_lg_max 268435456 dbconfig set_lg_bsize 16777216 dbconfig set_lk_max_objects 5000 dbconfig set_lk_max_locks 5000 dbconfig set_lk_max_lockers 50000 dbconfig set_flags DB_LOG_AUTOREMOVE index [REMOVED] index [REMOVED] index [REMOVED] rootdn "[REMOVED]" rootpw [REMOVED] syncrepl [REMOVED] provider=[REMOVED] type=refreshAndPersist retry="300 +" searchbase="[REMOVED]" filter="(objectClass=*)" sizelimit="unlimited" timelimit="unlimited" scope=sub schemachecking=off bindmethod=simple binddn="[REMOVED]" credentials=[REMOVED] database ldap suffix "[REMOVED]" uri "ldap:// [REMOVED]" uri "ldap:// [REMOVED]" rebind-as-user lastmod off chase-referrals yes acl-bind bindmethod=simple binddn="[REMOVED]" credentials="[REMOVED]" idassert-bind bindmethod=simple binddn="[REMOVED]" credentials="[REMOVED]" mode=none flags=prescriptive idassert-authzFrom "dn.regex:.*" overlay rwm rwm-map attribute [REMOVED] rwm-map attribute [REMOVED] rwm-map attribute [REMOVED] rwm-map attribute [REMOVED] rwm-map attribute [REMOVED] rwm-map attribute [REMOVED] rwm-map objectclass [REMOVED] rwm-map objectclass [REMOVED] database [REMOVED] ##########END SLAPD.CONF########## Thank You

3 10

Getting the list of members in an AD group
by Sankar P 04 Jun '14

04 Jun '14

Hi, I have the SID of an AD group. I want to get the list of members who belong to that group. All the documentation page that I search for points me to the reverse only (i.e., getting all the groups membership information of a user). Can someone show me to the relevant way to get the users who belong to a group whose SID I have ? Thanks. -- Sankar P http://psankar.blogspot.com

6 15

ACL inconsistency
by John Alex. 04 Jun '14

04 Jun '14

Hi all, I use the following rules in my configuration: olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth" manage by * break olcAccess: {1}to dn.one="ou=people,dc=xmpl,dc=co" filter="(pwdReset=TRUE)" a ttrs=userPassword by * none olcAccess: {2}to dn.subtree="ou=people,dc=xmpl,dc=co" by dn.base="cn=radius, ou=admins,dc=xmpl,dc=co" read by * break olcAccess: {3}to attrs=userPassword by anonymous auth olcAccess: {4}to dn.base="dc=xmpl,dc=co" by * read olcAccess: {5}to dn.subtree="ou=people,dc=xmpl,dc=co" by * read I have issues with rule {1} which I have set in order to disallow ldap bind and radius authentication from users whose password has been reset. I found out that this rule works when I request all attributes of a matching entry (uid=jdoe,ou=people,dc=xmpl,dc=co), but if I request specifically the attribute userPassword, its value is returned as if this rule did not exist: % ldapsearch -H ldapi:/// -D "cn=radius,ou=admins,dc=xmpl,dc=co" -W -x -b "ou=people,dc=xmpl,dc=co" "uid=jdoe" # extended LDIF # # LDAPv3 # base <ou=people,dc=xmpl,dc=co> with scope subtree # filter: uid=jdoe # requesting: ALL # # jdoe, people, xmpl.co dn: uid=jdoe,ou=people,dc=xmpl,dc=co objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top cn: John Doe sn: Doe uid: jdoe # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 % ldapsearch -H ldapi:/// -D "cn=radius,ou=admins,dc=xmpl,dc=co" -W -x -b "ou=people,dc=xmpl,dc=co" "uid=jdoe" "userPassword" # extended LDIF # # LDAPv3 # base <ou=people,dc=xmpl,dc=co> with scope subtree # filter: uid=jdoe # requesting: userPassword # # jdoe, people, xmpl.co dn: uid=jdoe,ou=people,dc=xmpl,dc=co userPassword:: dGVzdDEyMw== # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ------------------------------------------ slapacl shows it should be ok in any case: % slapacl -F /usr/local/etc/openldap/slapd.d/ -v -D "cn=radius,ou=admins,dc=xmpl,dc=co" -b "uid=jdoe,ou=people,dc=xmpl,dc=co" authcDN: "cn=radius,ou=admins,dc=xmpl,dc=co" entry: read(=rscxd) children: read(=rscxd) objectClass=inetOrgPerson: read(=rscxd) objectClass=organizationalPerson: read(=rscxd) objectClass=person: read(=rscxd) objectClass=top: read(=rscxd) structuralObjectClass=inetOrgPerson: read(=rscxd) entryUUID=e959dfb8-76b6-1033-8972-4b1922a532ac: read(=rscxd) creatorsName=cn=admin,dc=xmpl,dc=co: read(=rscxd) createTimestamp=20140523111245Z: read(=rscxd) cn=John Doe: read(=rscxd) sn=Doe: read(=rscxd) uid=jdoe: read(=rscxd) userPassword=****: none(=0) pwdChangedTime=20140602101409Z: read(=rscxd) pwdReset=TRUE: read(=rscxd) entryCSN=20140602101723.590271Z#000000#000#000000: read(=rscxd) modifiersName=cn=admin,dc=xmpl,dc=co: read(=rscxd) modifyTimestamp=20140602101723Z: read(=rscxd) % slapacl -F /usr/local/etc/openldap/slapd.d/ -v -D "cn=radius,ou=admins,dc=xmpl,dc=co" -b "uid=jdoe,ou=people,dc=xmpl,dc=co" userPassword/read authcDN: "cn=radius,ou=admins,dc=xmpl,dc=co" read access to userPassword: DENIED ------------------------------------------ If I change the rule and keep just the filter or the attribute, like: olcAccess: {1}to dn.one="ou=people,dc=xmpl,dc=co" filter="(pwdReset=TRUE)" b y * none OR olcAccess: {1}to dn.one="ou=people,dc=xmpl,dc=co" attrs=userPassword by * no ne then it seems to work ok in all cases. # /usr/local/libexec/slapd -V @(#) $OpenLDAP: slapd 2.4.39 (May 9 2014 09:26:03) $ root@xmpl.co:/usr/ports/net/openldap24-server/work/openldap-2.4.39/servers/slapd Am I doing something wrong or is this a bug? Thanks in advance, John

2 2

ldapsearch utf-8 results
by Nicolas Cauchie 01 Jun '14

01 Jun '14

Hello there I use a Debian 7.4 server with ldapsearch to search data about users on an Active Directory database. When a result of a search contains specials characters (such as é, è, à), no result is given, but if I delete special characters to the user profile, it works. How could I make it work with special caracters (guess it's a UTF-8 problem ?) ? Thanks in advance Nicolas -- signature -----

5 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2014