openldap-technical July 2015

openldap-technical@openldap.org

40 participants
37 discussions

Integrate LDAP in Hadoop
by Aneela Saleem 30 Jul '15

30 Jul '15

Hi all, I want to integrate LDAP in my HDFS, i have changed core-site.xml Attached is my core-site.xml file. Can anyone please send me complete steps, how to integrate LDAP with HDFS ? i have followed this link: http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/ but the *services.ldif *file is missing in the link.

2 1

docker and openldap
by Aleks 23 Jul '15

23 Jul '15

Dear openldapers. What is your opinion about the different docker information out there. https://github.com/osixia/docker-openldap https://github.com/Enalean/docker-ldap ... My Question goes primary for the data persistency issue and replication setup. I think that a good sync setup (olcSyncrepl)and the dynamic slapd-config http://www.openldap.org/software/man.cgi?query=slapd-config&sektion=5&aprop… could be enough for a docker setup? Due to the fact that I'm not aware that openldap have a storage back-end for the hadoop universe https://hadoop.apache.org/ or any other cloud methods except the olcSyncrepl. Thank you for your time. Best Reagards Aleks

1 0

LMDB Replication
by Kristoffer Sjögren 23 Jul '15

23 Jul '15

Hi Are there any battle-tested good practices for incrementally replicating LMDB? Cheers, -Kristoffer

2 3

Issue renewing my TLSCertificateFile(s)
by Olivier 22 Jul '15

22 Jul '15

Hi everyone Question : are there some limitations (key size, encryption algorithm, etc.) for certificates used by openldap to manage TLS connexions ? See below why I ask : I have used the following configuration in my slapd servers for quite a while without any problem : olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt olcTLSCertificateFile: /etc/openldap/cacerts/server.crt olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key olcTLSCipherSuite: HIGH olcTLSVerifyClient: allow See for example my configuration for syncrepl (see: tls_reqcert=demand) : olcSyncrepl: {0}rid=411 provider=ldap://ldap1.example.fr bindmethod=sasl sizelimit=unlimited timeout=0 network-timeout=0 saslmech=external type =refreshAndPersist retry="5 +" starttls=yes tls_cacert=/etc/openldap/cacer ts/CA.crt tls_cert=/etc/openldap/cacerts/replicator.crt tls_key=/etc/openldap /cacerts/replicator.key scope=sub schemachecking=on keepalive=0:0:0 fil ter="(objectclass=*)" searchbase="dc=example,dc=fr" tls_reqcert=demand -> I have used this for couple of years on my multimastered ldap servers, and until yesterday that worked perfectly : replication was working properly and clients talked with the servers using TLS without any problem. But I since my certicates were too weak (see this : sha1, 512 bit) : $ openssl x509 -text -in server.crt Certificate: Data: Version: 1 (0x0) Serial Number: 13998752034197585248 (0xc2458ece791fbd60) Signature Algorithm: sha1WithRSAEncryption Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap(a)example.fr Validity Not Before: Dec 29 15:41:56 2011 GMT Not After : Jul 29 15:41:56 2021 GMT Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT,CN= ldap1.example.fr/emailAddress=ldap(a)example.fr Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (512 bit) I have renewed them using the same self signed authority to validate them, and of course using exactly the same subject. My new certificate look like this : $ openssl x509 -text -in server.crt (see this : sha2, 4096 bit) : Certificate: Data: Version: 1 (0x0) Serial Number: 10208063777793278590 (0x8daa53ebd7e6827e) Signature Algorithm: sha256WithRSAEncryption Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap(a)example.fr Validity Not Before: Jul 22 15:24:50 2015 GMT Not After : Feb 19 15:24:50 2025 GMT Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT,CN= ldap1.example.fr/emailAddress=ldap(a)example.fr Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: I installed my new certificate on ldap1 without changing the configuration, and restarting the server here is what I get on ldap4 logs (loglevel = sync ) : $ tail -f /var/log/ldap.log ... Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap:// ldap1.example.fr Warning, ldap_start_tls failed (-11) Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap:// ldap1.example.fr ldap_sasl_interactive_bind_s failed (-2) Jul 22 17:31:10 ldap4 slapd[53489]: do_syncrepl: rid=432 rc -2 retrying Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11) Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap:// ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6) Jul 22 17:31:15 ldap4-mrs slapd[53489]: do_syncrepl: rid=432 rc -6 retrying When reinstalling the previous certificates and restarting ldap1 the server I see this appearing in ldap4 logs : ... Jul 22 17:31:20 ldap4-mrs slapd[53489]: do_syncrep2: rid=432 LDAP_RES_INTERMEDIATE - REFRESH_DELETE Question : are there some limitations (key size, encryption algorithm, etc.) for certificates used by openldap to manage TLS connexions ? Does openldap tls connections work with certificates sha 256 With RSA Encryption using a 4096 public key length ? May be I missed something ? (note : I use openssl to manage my certificates) Thanks for any help. --- Olivier

2 1

Multi Master Openldap replication
by Kaushal Shriyan 21 Jul '15

21 Jul '15

Hi, I have a Multi Master Openldap replication setup and when i create user on the Primary Master Node and while i query it on the secondary master node i do not see the user. Any thing specific i need to look at and please do let me know if anyone wants the config files? Any help will be highly appreciable. Regards, Kaushal

2 1

OpenLDAP and DH parameter size / LogJam vulnerability
by Jens Vagelpohl 18 Jul '15

18 Jul '15

Hi all, In my setup (CentOS7, OpenLDAP 2.4.41 from the LDAP Tool Box project) I am using the following slapd.conf parameters for SSL-related configuration: TLSProtocolMin 3.1 TLSCertificateFile /etc/pki/tls/certs/NNN.crt TLSCertificateKeyFile /etc/pki/tls/private/NNN.key TLSCACertificateFile /etc/pki/tls/certs/NNN.ca.pem TLSDHParamFile /usr/local/openldap/etc/openldap/dh_2048.pem TLSCipherSuite AESGCM:!RSA:!DSS:!ADH:!aECDH The file /usr/local/openldap/etc/openldap/dh_2048.pem is a valid DH parameter file with size 2048: <snip> # openssl dh -in /usr/local/openldap/etc/openldap/dh_2048.pem -text -noout PKCS#3 DH Parameters: (2048 bit) prime: </snip> I am now testing the actual DH parameter size used during a TLS connection with instructions from https://bettercrypto.org/blog/2015/05/20/tls-logjam/ and it only shows DH parameter size 1024: <snip> $ echo | openssl s_client -connect alias01.alias.ooo:636 -cipher "EDH" 2>/dev/null … much output … No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: DH, 1024 bits </snip> I was expecting "Server Temp Key: DH, 2048 bits”. Am I just testing this the wrong way or is there an issue with DH parameter configurations in OpenLDAP? Thanks for any help! jens

5 13

Strategy for using ldapsearch and security
by Rhodes, Neal A 17 Jul '15

17 Jul '15

So, I'm trying to implement a login running inside Webspeed inside Apache inside linux. There are good reasons to do this inside this application program and not just let Apache do it. (inactivity timeouts, daily quotas, IP reasonability, etc) So, what I get from user is network-user-id (let's call him "bob") and password. What I need to know is: Does this userid exist (samaccountname=%s), is the password provided correct? if above is good, is this user memberof a specific group? What I've got working as proof-of-concept is: A. Do a simple bind to LDAP with an admin/service account as a DN, and search for this user-id (samaccountname=bob), and get back the DN for user "bob". Using $OpenLDAP: ldapsearch 2.4.39 ldapsearch -v -d 0 -P 3 -D "CN=rslXXXXXXXreq,OU=Service Accou....................................DC=com" -w "XXXXXXXX" -oldif-wrap=no -s sub '(&(objectclass=*)(samaccountname=rhodesne))' cn userAccountControl objectclass userPrincipalName B. Then do ANOTHER simple bind to LDAP using "bob"s as DN, and "bob"s password, and return the memberof attribute. That fails if I don't give it the correct password. ldapsearch -P 3 -D "CN=Rhodes\, Neal A,OU=............C=COM" -w "BobsPasswd" -oldif-wrap=no -s sub '(&(objectclass=*)(samaccountname=rhodesne))' cn userAccountControl objectclass memberOf userPrincipalName manager OK, it works. I can walk through the results and confirm that Bob is in a desired group. I don't claim to know LDAP; but isn't this convoluted? Is there a way to do this in one shot with the ldapsearch command? I can do it this way, but it seems clunky. I don't know how to search in one shot given just samaccountname and passwd. The other topic is security: I was intending to invoke the ldapsearch from inside the Apache/Webspeed/Progress/ABL application as a "input-output through", meaning we run this and read/write its STDIn/StdOut. Since Progress ABL is an interpreted DB language this makes some sense. It also provides portability between Linux and Solaris that we don't have if we try to call the shared C libraries. And the C libraries calls are locking up. Best practices would indicate we'd want to hide the passwords. We don't want some administrator doing a 'top' command seeing passwords. Unfortunately, this does not seem readily possible without jumping through hoops. The openldap ldapsearch has a -W option to prompt for passwd, but that appears to not read StdIn, but rather /dev/tty. So I cannot feed it passwords that way. There is a "-f" option, which offers a - flavor to read StdIn, but I don't see any examples of what the input to -f looks like, eg: can I specify password there. There is a -y option to specify a file which contains the password. ok, I could write the file, put it somewhere not readable by anybody but Apache, run ldapsearch, and then delete the file. Still, that doesn't smell like best practices to me. Today I tried making the file a named pipe; that also works if I get the timing just right. I guess I could do that if there isn't a better way. So, it seems like either I'm missing something or the use of ldapsearch for password validation opens up holes and less than best practices. Yes, I could dork around with calling shared libraries, and then fight that portability battle between linux and Solaris. Why is it so hard? For a contents, this is a low volume, probably 200-400 people, one time in the morning, each day. Neal Rhodes | Software Engineer - REALServicing(r) Development Altisource(tm) P: (770)933-6625 extension 256625 F: (770)644-7420 Neal.Rhodes(a)altisource.com<mailto:Laura.Carrozza@altisource.com>| www.altisource.com<http://www.altisource.com/> Progress and Enterprise RDBMS OpenEdge are trademarks or registered trademarks of Progress Software Corporation in the U.S. and other countries. Citrix, GoToAssist, GoToMeeting, GoToMyPC, GoToTraining, GoToWebinar, Podio and Sharefile are trademarks of Citrix Systems, Inc. or a subsidiary thereof, and are or may be registered in the U.S. Patent and Trademark Office and other countries. Windows is a registered trademark of Microsoft Corporation in the United States and other countries. Any other trademarks contained herein are the property of their respective owners. *********************************************************************************************************************** This email message and any attachments are intended solely for the use of the addressee. If you are not the intended recipient, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply email and immediately delete this message from your system. This message and any attachments may contain information that is confidential, privileged or exempt from disclosure. Delivery of this message to any person other than the intended recipient is not intended to waive any right or privilege. Message transmission is not guaranteed to be secure or free of software viruses. ***********************************************************************************************************************

2 1

How to import user certificates in OpenLDAP?
by Vaclav Barta 16 Jul '15

16 Jul '15

Hi, I'd like to have a test setup for a module I'm maintaining, which basically authenticates IIS users against an LDAP server. I've installed OpenLDAP (OpenLDAP for Windows, 64-bit, version 2.4.40, to be specific) and added some user accounts to it, which worked, except I'm having trouble including X.509 certificates in the user definitions (which the tested module is supposed to check). I've found "Publishing digital certificates with LDAP" at http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/certificates.h… , which sounds like what I need, but it's old, and recommends "using the ldif utility provided with OpenLDAP" - which the latest OpenLDAP for Windows (nor any other OpenLDAP packages I've checked) doesn't have. How do I publish digital certificates with OpenLDAP? Bye Vaclav -- http://www.mangrove.cz

5 10

2.4.41 RPMs for openSUSE
by Michael Ströder 16 Jul '15

16 Jul '15

HI! I've updated my OpenLDAP builds for openSUSE and SLES12 to release 2.4.41. Build status and files: https://build.opensuse.org/package/show/home:stroeder:branches:network:ldap… If you're using the openldap packages shipped with openSUSE make sure to read the .changes files to see whether something could break your current setup. I've tested openSUSE Tumbleweed x86_64 and Factory_ARM on rasperry pi. The download repos are here: http://download.opensuse.org/repositories/home:/stroeder:/branches:/network… Make yourself familiar with zypper commands. Example: Add the repo in openSUSE 13.1 (command in one line): zypper addrepo --refresh http://download.opensuse.org/repositories/home:/stroeder:/branches:/network… Please test. Your feedback is appreciated. Especially have a look at whether the RPMs behave well regarding config files, package descriptions etc. Compared to stock SUSE packages there are two additional packages 1. openldap2-contrib with a selection of overlays from, you might have guessed, the contrib/ source directory. 2. openldap2-back-sock (see http://www.openldap.org/software/man.cgi?query=slapd-sock) Ciao, Michael.

2 1

Re: Optimization for OpenLdap 2.4.40
by PRATIK SINGAL 15 Jul '15

15 Jul '15

Hello all, Below are my db_stat -m and db_stat -c ouptput. Can any one help me if there is any problem with my BDB database perfromance. [root@AlepoHSS1 openldap-data]# db_stat -c 193 Last allocated locker ID 0x7fffffff Current maximum unused locker ID 9 Number of lock modes 1000 Maximum number of locks possible 1000 Maximum number of lockers possible 1000 Maximum number of lock objects possible 80 Number of lock object partitions 3 Number of current locks 796 Maximum number of locks at any one time 10 Maximum number of locks in any one bucket 1 Maximum number of locks stolen by for an empty partition 1 Maximum number of locks stolen for any one partition 58 Number of current lockers 76 Maximum number of lockers at any one time 3 Number of current lock objects 331 Maximum number of lock objects at any one time 4 Maximum number of lock objects in any one bucket 0 Maximum number of objects stolen by for an empty partition 0 Maximum number of objects stolen for any one partition 996M Total number of locks requested (996002179) 995M Total number of locks released (995952531) 0 Total number of locks upgraded 20 Total number of locks downgraded 551604 Lock requests not available due to conflicts, for which we waited 49643 Lock requests not available due to conflicts, for which we did not wait 0 Number of deadlocks 0 Lock timeout value 0 Number of locks that have timed out 0 Transaction timeout value 0 Number of transactions that have timed out 744KB The size of the lock region 527185 The number of partition locks that required waiting (0%) 104625 The maximum number of times any partition lock was waited for (0%) 535 The number of object queue operations that required waiting (0%) 330905 The number of locker allocations that required waiting (0%) 11 The number of region locks that required waiting (0%) 4 Maximum hash bucket length [root@AlepoHSS1 openldap-data]# [12:35:48] Bhushan Gaikar: ##################### [12:35:48] Bhushan Gaikar: [root@AlepoHSS1 openldap-data]# db_stat -m 320MB 2KB 24B Total cache size 1 Number of caches 1 Maximum number of caches 320MB 8KB Pool individual cache size 0 Maximum memory-mapped file size 0 Maximum open file descriptors 0 Maximum sequential buffer writes 0 Sleep after writing maximum sequential buffers 0 Requested pages mapped into the process' address space 59M Requested pages found in the cache (98%) 849192 Requested pages not found in the cache 0 Pages created in the cache 849190 Pages read into the cache 285976 Pages written from the cache to the backing file 816982 Clean pages forced from the cache 0 Dirty pages forced from the cache 0 Dirty pages written by trickle-sync thread 31916 Current total page count 31863 Current clean page count 53 Current dirty page count 32771 Number of hash buckets used for page location 60M Total number of times hash chains searched for a page (60607061) 5 The longest hash chain searched for a page 95M Total number of hash chain entries checked for page (95749492) 250939 The number of hash bucket locks that required waiting (0%) 41624 The maximum number of times any hash bucket lock was waited for (0%) 81360 The number of region locks that required waiting (3%) 0 The number of buffers frozen 0 The number of buffers thawed 0 The number of frozen buffers freed 902887 The number of page allocations 2022291 The number of hash buckets examined during allocations 93 The maximum number of hash buckets examined for an allocation 817263 The number of pages examined during allocations 40 The max number of pages examined for an allocation 105981 Threads waited on page I/O Pool File: dn2id.bdb 4096 Page size 0 Requested pages mapped into the process' address space 5052618 Requested pages found in the cache (98%) 86602 Requested pages not found in the cache 0 Pages created in the cache 86603 Pages read into the cache 0 Pages written from the cache to the backing file Pool File: id2entry.bdb 16384 Page size 0 Requested pages mapped into the process' address space 34M Requested pages found in the cache (98%) 445111 Requested pages not found in the cache 0 Pages created in the cache 445111 Pages read into the cache 285976 Pages written from the cache to the backing file Pool File: objectClass.bdb 4096 Page size 0 Requested pages mapped into the process' address space 299999 Requested pages found in the cache (99%) 2 Requested pages not found in the cache 0 Pages created in the cache 2 Pages read into the cache 0 Pages written from the cache to the backing file Regards, Pratik On Fri, Jul 10, 2015 at 3:49 PM, PRATIK SINGAL <pratik.singal13(a)gmail.com> wrote: > Hello all, > > Can any one help to with the parameters which can optimize the openldap > performance. > > We are having high end machines(rhel 6.5 ,RAM-32GB) but could not achieve > more than 1000 TPS. > > Kindly help me with all the tuning parameters which will firstly improve > the ldap performance. > > Regards, > Pratik >

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2015