openldap-technical October 2015

openldap-technical@openldap.org

50 participants
44 discussions

SSL based ldap server
by Aneela Saleem 06 Oct '15

06 Oct '15

Hi all, I have implemented LDAP over ssl. FQDN of LDAP server is "platalytics.com" and same is CN in the SSL certificate. But why is it so that when i run following command it works fine i.e., ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldap:// 127.0.0.1:389 -b "dc=platalytics,dc=com" -s sub 'cn=aneela' but in case of ldaps, i have to provide FQDN as the hostname i.e., ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps:// platalytics.com:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela' because following command does not work i.e., ldapsearch -x -D "cn=aneela,ou=users,dc=platalytics,dc=com" -W -H ldaps:// 127.0.0.1:636 -b "dc=platalytics,dc=com" -s sub 'cn=aneela'

4 9

New User unable to authenticate on new client
by Varadi, Louis - 0442 - MITLL 06 Oct '15

06 Oct '15

I have a new OpenLDAP server. I am also using it as a Ldap Client. I have added a user but cannot authenticate. I have spent a lot of time researching this issue. All the suggestions are very different - ACL issues, slapd pointing the incorrect config files, Ldap.conf file is incorrect, nsswitch is incorrect, incorrect password. Is there a straight forward way to troubleshoot this issue. What are the configs files that are involved with this failure? Your help is greatly appreciated. This user works [root@ldapservrer]# ldapwhoami -x -D cn=ldapadmin,dc=group1,dc=ldap -W Enter LDAP Password: dn:cn=ldapadmin,dc=group1,dc=ldap This user fails [root@ldapserver]# ldapwhoami -x -D cn=lou,dc=group1,dc=ldap -W Enter LDAP Password: ldap_bind: Invalid credentials (49) 5612e45a conn=1051 fd=12 ACCEPT from IP=192.168.0.101:59308 (IP=192.168.0.a0a:389) 5612e45a conn=1051 op=0 BIND dn="cn=lou,dc=group1,dc=ldap" method=128 5612e45a conn=1051 op=0 RESULT tag=97 err=49 text= 5612e45a conn=1051 op=1 UNBIND 5612e45a conn=1051 fd=12 closed Oct 5 16:03:32 ldapserver sshd[1432]: Received disconnect from 9.9.9.9: 11: disconnected by user Oct 5 16:03:36 ldapserver sshd[1528]: Invalid user lou from 9.9.9.9 Oct 5 16:03:36 ldapserver sshd[1529]: input_userauth_request: invalid user lou Oct 5 16:03:53 ldapserver sshd[1528]: Failed password for invalid user lou from 9.9.9.9 port 33968 ssh2 _______________________________ [root@ldapserver man1]# su - lou su: user lou does not exis 5612ebc3 conn=1053 fd=12 ACCEPT from IP=192.168.0.101:59310 (IP=192.168.0.101:389) 5612ebc3 conn=1053 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" 5612ebc3 conn=1053 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN 5612ebc3 conn=1053 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text= 5612ebc3 conn=1053 op=1 SRCH base="dc=group1,dc=ldap" scope=2 deref=0 filter="(&(uid=lou)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNum ber=0))))" 5612ebc3 conn=1053 op=1 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey 5612ebc3 conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text= 5612ebc3 conn=1053 op=2 UNBIND 5612ebc3 conn=1053 fd=12 closed __________________________ ssh lou(a)192.168.101 5612ed15 conn=1107 fd=12 ACCEPT from IP=192.168.0.101:59364 (IP=192.168.0.101:389) 5612ed15 conn=1107 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" 5612ed15 conn=1107 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN 5612ed15 conn=1107 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text= 5612ed15 conn=1107 op=1 SRCH base="dc=group1,dc=ldap" scope=2 deref=0 filter="(&(uid=lou)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNum ber=0))))" 5612ed15 conn=1107 op=1 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey 5612ed15 conn=1107 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text= 5612ed15 conn=1107 op=2 UNBIND 5612ed15 conn=1107 fd=12 closed [root@ldapserver ]# ldapsearch -H ldap://ldapserver.group1.ldap -d 256 -D cn=ldapadmin,dc=group1,dc=ldap -W -b ou=Users,dc=group1,dc=ldap Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=Users,dc=group1,dc=ldap> with scope subtree # filter: (objectclass=*) # requesting: ALL # # Users, group1.ldap dn: ou=Users,dc=group1,dc=ldap ou: Users objectClass: organizationalUnit # lou, Users, group.ldap dn: uid=lou,ou=Users,dc=group1,dc=ldap uid: lou mail: louxxxxxxxxxxx sn: xxxx pwdAttribute: xxxxxxx telephoneNumber: xxxxxxxxxx roomNumber: xxxx uidNumber: xxxx gidNumber: xxxxx employeeNumber: xxxxx cn: Louis xxxxx loginShell: /bin/bash gecos: Lou xxxx homeDirectory: /home/xxxx objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: pwdPolicy objectClass: shadowAccount userPassword:: xxxxxxx # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2

2 2

Re: OS X Yosemite clients
by oldap＠mountainlake.k12.mn.us 05 Oct '15

05 Oct '15

I have this problem resolved. It isn't related to the OpenLDAP code at all, but has to do with the password formatting. What I found was the passwords in OpenLDAP were in this format: {MD5}<base 64 encoded md5 digest><newline character> The base64 encoder on the Linux server always adds a a newline character (\n) to the end of the encoding. Multiple platforms have always ignored that character until OS X 10.10.5. Simply removing the newline before inserting the encoded password into the OpenLDAP database allows 10.10.5 and later to authenticate against that password. -- Jon

2 1

Allow users to change ldap password with passwd
by Real, Elizabeth (392K) 05 Oct '15

05 Oct '15

This is my setup: Server: Openldap 2.4.39 installed on RHEL7 Ldap clients: RHEL7 and RHEL5 I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent users with expired accounts to login: ldap_pwd_policy = shadow. This works as expected. Now I need to allow users to reset their ldap password after logging in to an ldap client. This is what is logged when a user attempts to reset their password using passwd: rhel7 ldap client: # passwd Changing password for user real Current password: New password: Retype new password: passwd: Authentication token manipulation error rhel7 ldap server: /var/log/secure pam_unix(passwd:chauthtok): user “real” does not exist in the /etc/passwd pam_sss(passwd:chauthtok): Password change failed for user real: 28 (Module is unknown) Gkr-pam: couldn’t update the login keyring password: no old password was Entered In an attempt to allow users to change their ldap password, i edited my ACL on the ldap server and added 'shadowLastChange': dn: olcDatabase={2}hdb,cn=config add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by anonymous auth by * none olcAccess: {1}to * by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by * read However that did not work, on the ldap clients I get this on the logs: pam_unix(sshd:auth): authentication failure pam_sss(sshd:auth): authentication failure pam_sss(sshd:auth): received for user reaL 4 (System error) This is the /etc/pam.d/system-auth file on the rhel7 ldap client: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 authtok_type= password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so ~ What other directive do I need to set to allow users to reset their ldap password when they call passwd? Thank you, Liz

4 14

olcAccess with combined "by who" condition
by rss ln 05 Oct '15

05 Oct '15

Hello, Is it possible to combine olcAccess "by who" condition for DN and IP address, that both conditions must by true? Something like: to dn.subtree="ou=test,dc=domain,dc=com" by dn="uid=someuser,ou=users,dc=domain,dc=com" & peername.ip=10.10.10.10 read So, it should be possible to read the subtree for the user only from the specific IP address. I tried also use "set=(...)" but without success. Any chance to do that?

2 1

implementation specific error trying to modify olcSyncProvConfig object
by Angel L. Mateo 05 Oct '15

05 Oct '15

Hello, I am trying to modify an already existing configuration in my openldap servers (I have tried with 2.4.31 an 2.4.41). Its current ldif is: dn: olcOverlay={0}syncprov objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov structuralObjectClass: olcSyncProvConfig entryUUID: ef486ea8-bf26-1034-850e-938b6f4c1ac2 creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20150715102100Z entryCSN: 20151002093808.730729Z#000000#01e#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20151002093808Z Now, I'm trying to add olcSpSessionlog and olcCheckpoint attributes, so I have this update ldif: dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config changetype: modify replace: olcSpCheckpoint olcSpCheckpoint: 100 10 - replace: olcSpSessionlog olcSpSessionlog: 100 (I know I could use add operations instead of replace, but the ldif is generated from a configuration system). When I try to run this ldif I get: # /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/update.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config" ldap_modify: Other (e.g., implementation specific) error (80) This is a rare behaviour, because I have tried changing the order of the modifications and it works: # /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/update.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config" I have also tried separating the modifications in two different operations (first with olcSpCheckpoint) and then I get a "no such attribute" error: # /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config changetype: modify replace: olcSpCheckpoint olcSpCheckpoint: 100 10 modifying entry "olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config" dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config changetype: modify replace: olcSpSessionlog olcSpSessionlog: 100 modifying entry "olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config" ldap_modify: Other (e.g., implementation specific) error (80) additional info: modify/delete: olcSpSessionlog: no such attribute The same operation but trying to update first the olcSpSessionlog attribute also errors with "no such attribute": # /usr/bin/ldapmodify -Y EXTERNAL -H ldapi:/// SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config changetype: modify replace: olcSpSessionlog olcSpSessionlog: 100 modifying entry "olcOverlay={0}syncprov,olcDatabase={2}hdb,cn=config" ldap_modify: Other (e.g., implementation specific) error (80) additional info: modify/delete: olcSpSessionlog: no such attribute Is this a bug? If not, why I'm having this error? Any idea? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337

2 1

RBAC
by Aneela Saleem 05 Oct '15

05 Oct '15

Hi all, Can anyone please provide me with some useful tutorials about "How can we implement RBAC in LDAP" ? I have mostly seen research papers only. I want to see some implementation examples. Thanks

2 3

Complex multi-master topology
by Patrick 04 Oct '15

04 Oct '15

I've been trying to create a complex multi-master replication of cn=config for a week now... I'm using the core debian package: slapd 2.4.40+dfsg-1+deb8u1 I've seen someone claiming it could work but cannot find configs related to this kind of topology. http://www.slideshare.net/ghenry/openldap-replication-strategies (slide #24) When building a simple multimaster (two or three nodes) everything works as planned. But in the case some nodes cannot talk to others, i cannot find a way to make it works. Let's take this example +-------+ +-------+ +-------+ | ldap1 | <---> | ldap2 | <---> | ldap3 | +-------+ +-------+ +-------+ and say: olcSyncRepl: rid=001 searchbase="cn=config" type=refreshAndPersist provider=ldap://ldap1 olcSyncRepl: rid=002 searchbase="cn=config" type=refreshAndPersist provider=ldap://ldap2 olcSyncRepl: rid=003 searchbase="cn=config" type=refreshAndPersist provider=ldap://ldap3 Where initialy: ldap1 have rid=002 ldap2 have rid=001 and rid=003 ldap3 have rid=002 Soon everyone get rid=001 rid=002 rid=003 and ldap3 cannot talk to ldap1 and it does not work... And even if i don't care about the connexion between ldap1 and ldap3 failing, the replication does not work either... if ldap1 change something, it gets replicated to ldap2 but not ldap3. Also, i've been trying to use exattrs=Syncrepl but if someone change his Syncrepl, it get deleted on the other node... Someone seems to have seen this with memberof overlay ? http://www.openldap.org/lists/openldap-technical/201505/msg00124.html Anyone have references to help me get to my goal? -- Patrick Brideau Administrateur Système Kronos Technologies - http://www.kronos-web.com tel: 418 877-5400 p.216

5 10

BP build OpenLDAP and lmdb packages
by Michael Ströder 02 Oct '15

02 Oct '15

HI! I wonder what's considered best practice for building OpenLDAP and lmdb packages e.g. for a Linux distribution. Fortunately lmdb seems to be leveraged by more and more other software. So Linux distributions start to ship lmdb libs and tools as separate packages. 1. Do I have a chance to build OpenLDAP against those packages? Which releases have to be aligned? 2. Or should I link back-mdb statically into slapd when producing OpenLDAP packages? This would probably also require to build separate version of the mdb tools. Of course personally I'd prefer 1. Ciao, Michael.

5 8

[LMDB] What pointer is returned with combination of MDB_WRITEMAP and MDB_RESERVE?
by Victor Baybekov 02 Oct '15

02 Oct '15

Hi, Docs for MDB_RESERVE say that a returned pointer to the reserved space is valid "before the next update operation or the transaction ends." Docs for MDB_WRITEMAP say that it "writes directly to the mmap instead of using malloc for pages." Does combining the two options return a pointer directly to a place in a mmap so that this pointer could be used after a transaction ends or after the next update? I have a use case where I want to somewhat abuse LMDB safety for convenience. If I could get a pointer to a place inside a mmap I could work with LMDB value as opaque blob or as a region inside the single big mmap. This could be more convenient than creating and opening hundreds of temporary memory mapped files and keeping open handles to them. For example, Aeron terms could be stored like this: a stream id per an LMDB db and a term id for a key in the db. Thanks! Victor

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2015