openldap-technical January 2016

openldap-technical@openldap.org

39 participants
44 discussions

Lastbind
by Lindolfo Meira 29 Jan '16

29 Jan '16

I noticed the lastbind module won't log public key authentications. Is this the expected behavior? I'm using OpenLDAP 2.4.33. Cheers, L. Meira.

2 1

ldap client login
by Lane 28 Jan '16

28 Jan '16

I'm trying to log into an LDAP client. Below I show a login from the ldap server to the ldap client, and another from a normal workstation on the same subnet to the ldap client. The workstation is able to login, but am not able to login from the ldap server. server: OpenLDAP 2.4.43 clients: nss-pam-ldapd 0.9.6 Any help much appreciated. --- from ldap server to ldap client (fails) $ ssh -l james 10.0.1.2 Enter passphrase for key '/home/james/.ssh/id_rsa': You are required to change your password immediately (root enforced) WARNING: Your password has expired. You must change your password now and login again! New password: Retype new password: password change failed: Server is unwilling to perform passwd: password updated successfully Connection to 10.0.1.2 closed. --- from worstation to ldap client (succeeds) $ ssh node-2 Password: You are required to change your password immediately (root enforced) need a new password New password: Retype new password: password change failed: Insufficient access node-2(james):~$ $ ldapsearch -x -b 'dc=my,dc=example,dc=com' '(objectclass=*)' # extended LDIF # # LDAPv3 # base <dc=my,dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # my.example.com dn: dc=my,dc=example,dc=com dc: cem objectClass: dcObject objectClass: organization o: CEM # manager, my.example.com dn: cn=manager,dc=my,dc=example,dc=com objectClass: organizationalRole cn: Manager description: LDAP Admin # groups, my.example.com dn: ou=groups,dc=my,dc=example,dc=com ou: groups description: Groups objectClass: organizationalUnit # users, my.example.com dn: ou=users,dc=my,dc=example,dc=com ou: users description: Users objectClass: organizationalUnit # james, groups, my.example.com dn: cn=james,ou=groups,dc=my,dc=example,dc=com cn: james objectClass: top objectClass: posixGroup gidNumber: 1000 # james, users, my.example.com dn: uid=james,ou=users,dc=my,dc=example,dc=com cn: James uid: james uidNumber: 1000 gidNumber: 1000 sn: James homeDirectory: /home/james mail: james(a)example.com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount loginShell: /bin/bash gecos: james shadowLastChange: 0 userPassword:: e1NTSEF9ZjhRMGwwaDk1ek9mMUViaDhreDNlUEsvdFhFb29wV3I= shadowMax: 9999 shadowWarning: 14 # search result search: 2 result: 0 Success # numResponses: 7 # numEntries: 6 /etc/pam.d/system-auth --- auth required pam_env.so auth sufficient pam_unix.so try_first_pass likeauth nullok auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so account [default=bad success=ok user_unknown=ignore] pam_ldap.so account optional pam_permit.so password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow password sufficient pam_ldap.so use_authtok use_first_pass password optional pam_permit.so session required pam_limits.so session required pam_env.so session optional pam_ldap.so session required pam_unix.so session optional pam_permit.so

1 0

OCSP for LDAP Client
by Jason Talley 28 Jan '16

28 Jan '16

I've been asked to enable OCSP checking in our client (connecting to any LDAP server) . The client uses OpenLdap api's for managing the connection to the server. From my recent birth-by-fire education on certs and security, OCSP checking appears more or less to be a manual process rather than having OpenSSL do all the work auto-magically as part of the handshake (ignoring ocsp stapling which I'm avoiding). I don't see any options in openssl s_client (for testing) to enable OCSP -- only a separate utility to manually check based on captured client certs. Storing the CRL in the LDAP DB isn't an option. For whatever reason, OCSP is required. Is there any way to enable OCSP checking via the current LDAP API? Assuming the answer is no, then would a reasonable approach be to manually query the server URL from time to time, and verify the certificate in the background? Traffic from our client should be relatively minimal, so even at a rate of one verification an hour should have a minimal risk window of the cert being expired. Using this method I can more or less follow the same logic as the openssl utilities (s_client and ocsp). TIA.

3 2

simple question
by Aleksandar Karalejić 27 Jan '16

27 Jan '16

Hi OpenLDAP team, I have a question, simple I hope, for you - I need to send client certificate to the server openldap server (by using openldap api and openSSL). For completing this job, first I initalized ldap with url containing ldaps in the url scheme (ldaps://fqdn_of_ldap_server:636). I have set LDAP_OPT_PROTOCOL_VERSION -> LDAP_VERSION3 LDAP_OPT_X_TLS_PROTOCOL_MIN -> LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 LDAP_OPT_X_TLS_REQUIRE_CERT -> LDAP_OPT_X_TLS_DEMAND LDAP_OPT_X_TLS_CONNECT_ARG -> fqdn_of_ldap_server LDAP_OPT_X_TLS_CONNECT_CB -> my_tsl_verify_callback and then I called ldap_sasl_bind: ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid); What I saw is that certficate from the server was received, but how to send client certifikate. I played arround with LDAP_OPT_X_TLS_CERTFILE (sending the abs path to the .pem file) but nothing. Also, I saw that this parameter was not taken into account - it looks like ssl_ctx object used for ssl_connect does not include path to the file (like two global structures used for setting up ctx know nothing about each other.) Can you, help me with this? Regards, Aleksandar

2 4

OpenLdap + Cyrus SASL + MIT Kerberos credentials cache
by Petar Kovačević 27 Jan '16

27 Jan '16

Hi All, I'm working on Windows application that uses libldap built with cyrus sasl and MIT Kerberos and I'm having issues with Kerberos authentication on AD. I have tested with various applications and Kerberos is working properly on server. In my app I'm using ldap_sasl_interactive_bind_s(mLdapObj, NULL, "GSSAPI", NULL, NULL, LDAP_SASL_INTERACTIVE, my_ldap_sasl_interact, defaults) in order to bind with server, but I get error -2 (Local error). I have debugged the app and I have found that there is an issue with Keberos Credentials Cache. Because I haven't set credentials cache location, Kerberos reads this location from KRB5CCNAME environment variable. So my first question is : Is there any API in libldap, so we can set our own contact cache location? But even when I set this variable, I get same error when I try to bind. After some more debugging I found that Kerberos expects that I already have credentials cache file created, and that there is a ticket in it(as a I have called kinit before bind). Is there an API in libldap, that will call Kerberos API for credentials cache and ticket obtaining operations, which we can call before bind, or we need to call Kerberos API directly ? Thank you for your help. Best Regards, Petar Kovacevic

2 3

Re: [OpenLDAP][Authentication] SASL
by Timothy Keith 27 Jan '16

27 Jan '16

I don't yet have access to the corporate LDAP service on the production Unix servers. To serve that purpose for testing I am using Apache Directory server on Windows. The test example I'm using is for Active Directory, but I think the pass-through tutorial ought to work basically the same for evaluation purposes. Tim

1 0

Re: acl bug?
by BÖSCH Christian 27 Jan '16

27 Jan '16

> On 26 Jan 2016, at 14:34 , julien soula <julien.soula(a)univ-lille2.fr> wrote: > > On Tue, Jan 26, 2016 at 11:43:59AM +0000, BÖSCH Christian wrote: >> >> Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "uid=user1,ou=people,o=abc.net" >> Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net" > > are you sure that "uid=user1,ou=people,o=abc.net" is a member of > "cn=group,ou=groups,o=abc.net” ? yes i am. to me it seems that filter= following with attrs= (tested with several filters and attributes) does not work. if i omit attrs= it works to hide the whole entry. if i use a dn instead of filter i can use the attrs= to hide a single attribute. christian > > cdt, > -- > Julien > << Vous n'avez rien a dire... Parlons-en! >>

2 3

Problems with log entries order
by Dario Zanzico 27 Jan '16

27 Jan '16

Writing a script for parsing openldap logs I found that, for some of my connections, the BIND log entry precedes the corresponding ACCEPT entry (which as far as i understand must logically precede the BIND) example: 2016-01-25T12:54:02.131094+01:00 HOSTNAME slapd[15258]: conn=91596 op=0 BIND dn="" method=128 2016-01-25T12:54:02.131099+01:00 HOSTNAME slapd[15258]: conn=91596 op=0 RESULT tag=97 err=0 text= 2016-01-25T12:54:02.131103+01:00 HOSTNAME slapd[15258]: conn=91596 fd=93 ACCEPT from [CUT] slapd is started with the '-l local4' parameter, and rsyslogd is configured to send local4.* to the openldap.log file suspecting some rsyslogd problems i tried running slapd using the "-d 256" parameter, but in the output i found 56a6202b conn=1004 op=0 BIND dn="" method=128 56a6202b conn=1004 op=0 RESULT tag=97 err=0 text= 56a6202b conn=1004 fd=13 ACCEPT from [CUT] Is there any way to guarantee openldap to generate ordered logs? thanks, dario

2 2

Updating Symas LMDB page to add Nim Binding?
by Paul Jackson 26 Jan '16

26 Jan '16

Hi, How would I go about, or to whom would I suggest, adding Nim to the list of languages with LMDB wrappers to the page http://symas.com/mdb/. There is a Nim wrapper for LMDB at https://github.com/fowlmouth/lmdb.nim (Caveat: I cannot vouch for the quality of this wrapper, being new to both Nim and LMDB.) Thanks. -- Paul Jackson pj(a)usa.net

2 1

acl bug?
by BÖSCH Christian 26 Jan '16

26 Jan '16

hi, i’m using this acl: {0}to filter=(objectclass=person) attrs=Hidden by group.exact=“cn=group,ou=groups,o=abc.net” none but members of the group can still access the attribute Hidden. with any filter it does not work. if i use a single dn it works. seems to me filters do not work? chris

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2016