what happened to the openldap toolbox project?
by Miroslaw Baran
Dear all,
I don't want to sound too alarmistic, but it seems that the LTB project has
disappeared from the 'net sometime this week. Would you happen to know what
happened, what's going on (and perhaps if some help with the infrastructure
is needed)?
I've been relying on project-ltb packages for a while and would be quite
unhappy to see it go; and I find the lack of information and the abrupt
disappearance a bit troubling.
While I know it's not strictly on-topic here, I know also that OpenLdap
Toolbox folks are subscribed to this list, and ltb-project.org packages are
quite widely used here – so I hope someone would be able to provide a bit
of information…
Kind regards
– Miroslaw Baran
--
» miroslaw baran » chaos monkey • pope • general nuisance » 0101010
Down with categorical imperative!
8 years, 9 months
Q: querying accesslog with reqStart>=partial time spec
by Ulrich Windl
Hi!
Can anybody explain when openLDAP with bdb succeeds on a filter like (reqStart>=X) on accesslog?
When I use "(reqStart>=2014080100)" I get "no match", but when I use "(reqStart>=20140801000)" I get the expected matches.
(And I don't get any match when just using "reqStart>=20140801)")
I see no log messages on the server's syslog...
Regards,
Ulrich
8 years, 9 months
Password Policy Questions
by Bram Cymet
Hi,
It looks like the password policy overlay will do exactly what I need it
to I just can't get it to work.
I have applied the overlay my directory.
I have a default policy set that has:
pwdAttribute set to userPassword
and
pwdMustChange set to TRUE.
However when I change a user's password either with an ldapmodify or the
ldappassword command that user is still able to bind to the directory
just fine. I was assuming that a bind attempt would return an error
saying that the user had to change their password or is this not the
expected behavior?
Also I have tried adding pwdReset = TRUE to my user's object but it
complains the pwdReset is not allowed in the schema. Is there a specific
objectclass that I have to add to my user entries?
I have also tried creating a schema with pwdReset and pwdPolicySubentry
but when I add that schema it complains that these are operational
attributes.
I have upped the logging and when I user tries to bind I see:
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 fd=17 ACCEPT from
IP=10.20.48.66:55519 (IP=0.0.0.0:389)
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND
dn="uid=email(a)test.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry:
"uid=email(a)test.com,ou=test_websales_users,dc=ls,dc=cbn"
Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry:
"cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: result not in
cache (userPassword)
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access to
"uid=email(a)test.com,ou=test_websales_users,dc=ls,dc=cbn" "userPassword"
requested
Aug 3 08:57:08 devauth slapd[30441]: => acl_get: [2] attr userPassword
Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: access to entry
"uid=email(a)test.com,ou=test_websales_users,dc=ls,dc=cbn", attr
"userPassword" requested
Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: to value by "", (=0)
Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: self
Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: *
Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] applying
auth(=xd) (stop)
Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] mask: auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: => slap_access_allowed: auth
access granted by auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access
granted by auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND
dn="uid=email(a)test.com,ou=test_websales_users,dc=ls,dc=cbn" mech=SIMPLE
ssf=0
So it looks to me like the default policy has been applied but nothing
happens when a password is reset by an administrator.
So I think I am missing something fundamental here. I have a few
questions that I think will help me to narrow down my problem though.
1) What is the best way to debug an overlay?
2) Is there a proper way for an administrator to change a password so
that the pwdReset flag is set on the user (or whatever is supposed to
happen so that the user needs to reset their password on their next bind)
3) Is it enough to have a password policy with just pwdAttribute and
pwdMustChange set or are there other values that need to be set to make
this work.
4) Are there any extra object classes that have to added to my user
entries for the password policies to work?
5) I would like users to have to reset their password on first bind do
I need to set something on object creation?
6) Anything else I might be missing?
Any help would be awesome.
Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
8 years, 9 months
pwdChangedTime/authTimestamp, MMR etc.
by Michael Ströder
HI!
I have a replication topology with providers running with MMR and a layer of
r/o consumers..
- spread across three data centers
- in two different countries (DE and foreign country)
Network traffic between the countries has higher latency so consumers are only
accessing providers within the same country.
Write operations go nearly 100% to a single provider in Germany.
All systems are using these overlays:
- slapo-ppolicy (mostly for password expiry)
- slapo-lastbind overlays
- slapo-accesslog (yes, also on consumers)
Now occasionally contextCSN values differ most times for a couple of minutes on
the consumers in the foreign country from their local providers.
I cannot tell exactly which conditions are causing this. But I observed that
most times there was a login failure on the provider in Germany which results
in 'pwdChangedTime' being set and replicated to the consumers. Most times
followed by 'authTimestamp' being correctly set.
So I wonder whether the differences of the contextCSN values could be caused by
'pwdChangedTime' and 'authTimestamp' being replicated to providers but not to
consumers.
Any clue? Thanks in advance.
Ciao, Michael.
8 years, 9 months
sanity check on updating from HDB backend to MDB
by Brian Reichert
I have an experiment, that may have too many moving parts to tease apart.
We're exploring migrating our LDAP server from a 32-bit OS to a 64-bit OS,
and I've also explored the port to the mdb back end. My first shot at this
does not show the performance the write-ups on MDB would have me expect.
If it matters, my old environment is a Dell R610 server, with 6G of RAM.
# uname -r
2.6.18-308.13.1.el5PAE
# cat /etc/redhat-release
CentOS release 5.8 (Final)
# rpm -qf `which slapd`
openldap-servers-2.3.43-25.el5_8.1
My ldapsearch invocations on this host take ~120 seconds.
I set up two Dell R610s, each with 12G or memory.
One environment uses the RPM produced by the LTB project, here named 'ltb':
root@ltb# uname -r
2.6.32-431.17.1.el6.x86_64
root@ltb# cat /etc/redhat-release
CentOS release 6.5 (Final)
root@ltb# rpm -qf /usr/local/openldap/libexec/slapd
openldap-ltb-2.4.39-2.el6.x86_64
And the other uses the same OS, but uses CentOS's stock OpenLDAP
RPM; here named 'stock':
root@stock# rpm -qf `which slapd`
openldap-servers-2.4.23-34.el6_5.1.x86_64
I migrated a database of ~360k DNs, and underwent the cache tuning,
following the suggestions here:
http://www.openldap.org/doc/admin24/tuning.html#Caching
http://blog.monitor.us/2012/02/berkeley-db-performance-tuning/
And with those tunings, my ldapsearch command does outperform our old 32-but
environment:
stock# time ldapsearch -x -w XXXXX -D "cn=manager,orgid=MyOrgID" -b orgid=MyOrgID dn | grep ^dn: | wc -l
3600071
real 0m27.147s
user 0m19.216s
sys 0m10.585s
However, my efforts to use the MDB backend yield slower responses, on the
order of 175 seconds.
How I set up the MDB backend:
I copied my old slapd.conf over, and replaced my bdb backend with mdb
settings.
- I set 'tool-threads' to 2
- I set 'maxsize' to 21474836480 [ 20G = 20 * ( 1024 * 1024 * 1024 ) ]
ltb# /usr/local/openldap/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
ltb# chown -R ldap:ldap /etc/openldap/slapd.d
I was apparently able to import all 360k DNs without an error:
ltb# time setuidgid ldap /usr/local/openldap/sbin/slapadd \
-q -v -F /etc/openldap/slapd.d -b orgId=MyOrgID \
-l export_from_OLD.ldif >& log; echo $?
real 16m46.924s
user 8m52.165s
sys 3m44.859s
0
ltb# ls -ld data.mdb
-rw------- 1 ldap ldap 21474836480 Jul 30 20:16 data.mdb
ltb# du -c -h data.mdb
6.3G data.mdb
6.3G total
But, the same search looks worse here.
ltb# time ldapsearch -x -w XXXXX -D "cn=manager,orgid=MyOrgID" -b orgid=MyOrgID dn | grep ^dn: | wc -l
3600071
real 2m55.482s
user 0m25.459s
sys 0m23.948s
Both 64-bit hosts show no swapping, and minimal CPU load. Can
anyone point out what I've missed?
--
Brian Reichert <reichert(a)numachi.com>
BSD admin/developer at large
8 years, 9 months
CA and Intermediate Certificates
by Andrew Devenish-Meares
Hi All,
We are currently assessing changing our TLS Certificate setup.
We have been using a self-signed CA to issue certificates for our
OpenLDAP setup, which has required us to supply the CA to anyone outside
our organisation that wishes to use our OpenLDAP over TLS or SSL.
We're currently starting to migrate our certificates to AusCERT, as we
get a good deal as a University. As AusCERT is an intermediate CA, so
we need to use a chain to get this to work.
The server side works, as per the documentation, by adding the
intermediate CA with the root CA in the olcTLSCertificateCAFile.
This means that we need to install the intermediate certificate on
clients that connect to our LDAP using SSL or TLS. Admittedly this
isn't vastly different to what we need to do now in supplying our own CA.
Looking at our Linux clients in particular, we need to add an
appropriate TLS_CACERT directive to our openldap/ldap.conf. Is the
intention, then, to point the client at the appropriate CA files? Is
there a reason that OpenLDAP doesn't use the regular system CA store? Is
there any reason for us not to point to the CA store that's already
maintained?
Cheers
--
Andrew Devenish-Meares
Solutions Analyst
Information Technology
University of New England
Armidale NSW 2351
e: adevenis(a)une.edu.au
p: 02 6773 4098
w: http://une.edu.au/itd
8 years, 9 months
Specifying multiple password hashes
by Michael
Since both the password-hash and password-crypt-salt-format are Global options, is it possible to specify the password-hash on a per BDB backend basis?
For example, I have 4 BDB backends and I'd like them all to have the CRYPT and salt listed below sans one BDB backend where it needs to be CLEARTEXT.
However, when I specify this configuration in sladp.conf and bounce slapd I get the following error when trying to change a users password with the ldappasswd command. It's worth nothing that an ldapmodify to the userPassword attribute works just fine. I use security ssf=256, which is a Global option as well on a per BDB backend basis and this works just fine so I assumed this config for hashes would work as well.
Error message:
"Result: Constraint violation (19)
Additional info: Password policy only allows one password value"
Relevant config below:
## GLOBAL SETTING
password-hash {CRYPT}
password-crypt-salt-format $6$%.12s
### BDB DATABASE SETTING
database bdb
suffix "dc=testldap,dc=com"
rootdn "cn=LDAPAdmin,dc=testldap,dc=com"
directory /var/lib/ldap/testldap
password-hash {CLEARTEXT}
8 years, 9 months
How to do a case insensitive substring search on a case-sensitive field ?
by Guillermo-Nicolas Guénon Díaz
Hello,
[First of all, sorry if this question has already been answered before: the
search on this mailing list does not work currently so I haven't been able
to check.]
I need to write a filter so that when the user of my software introduces
any substring of the content of a field in any case (upper, lower or mixed
case), it finds the entry. It must work even if the user does not input a
complete word, but just a part of a word.
The field is called "supName" and it follows the DirectoryString syntax.
This means that the default matching rule is exact and case sensitive
("caseExactMatch"). But according to:
http://www.zytrax.com/books/ldap/apa/types.html
, this syntax should allow also "caseIgnoreMatch" and
"caseIgnoreSubstringsMatch" matching rules. I though I just needed to force
to use the last one ("caseIgnoreSubstringsMatch"), so I tried this filter:
(supName:caseIgnoreSubstringsMatch:=*somesubstring*)
But this does not work. I make my tests using Apache Directory Studio, and
that tool refuses to accept the above filter. It complains on the
asterisks, and I don't understand why, since I am using a Substring match
(and thus asterisks should be allowed). If I run the filter from command
line (using ldapsearch), I get this error message:
ldap_search_ext: Bad search filter (-7)
Therefore this is not an issue with Apache Directory Studio.
So my question is: What is the correct way of defining a case-insensitive
substring filter on a field that is case-sensitive by default?
Yesterday I filled a question in StackOverflow regarding this same issue.
There are more details and examples in that question:
http://stackoverflow.com/questions/25290494/case-insensitive-substring-ld...
Any help would be greatly appreciated !
Thank you very much.
Nicolas
8 years, 9 months
Create Distribution List
by Jerry
I don't know if this is the best place to ask this question, but it is
probably as good as any to start.
I am a new user of OpenLDAP. I formerly, and still do use the MS Outlook
address book to store my contacts. I can duplicate most of the features of
the MS Address book, except the ability to create distribution lists. I just
cannot figure out how to accomplish this feat.
Using MS Outlook, or Claws-Mail on my FreeBSD machine, I can type in a
distribution name and all of the email addresses are filled in.
EXAMPLE:
distribution list name=my-list
john(a)somewhere.com
jill(a)anotherISP.net
jim(a)hisISP.com
Some of these distribution lists are quite large.
I cannot fine out a way to create a similar list in OpenLDAP, which is a
serious buzz, not to mention deal killer in this instance.
Thanks!
--
Jerry
8 years, 10 months
