openldap-technical October 2016

openldap-technical@openldap.org

44 participants
57 discussions

OpenLDAP server attack surface analysis shows UDP port 63515 in unknown state
by Sreekanth Sukumaran 14 Oct '16

14 Oct '16

Sorry, I missed to add subject in the last mail. Resending with subject. sorry about spamming the group Hi All, OpenLDAP version : 2.4.39 on windows Tool used : Microsoft Attack surface analyzer We have been doing attack surface analysis on OpenLDAP server, and we have found that there is an UDP port 63515 associated with OpenLDAP server. (state shows "Unknown", not listening or established) [image: Inline image 1] We have not connected any clients to OpenLDAP server, so we cannot think of it as an ephemeral port at server end as well. Has anyone an idea on what this port could be for. Inputs are much appreciated. -- Regards, Sreekanth -- Regards, Sreekanth 09036794524

5 5

syncrepl not working: "no serverID / URL match found"
by Daniel Spannbauer 14 Oct '16

14 Oct '16

Hello, at the moment we have an server running openSuSE 11.4 (lets call in server2), running openldap 2.4.23. Configured is a replication to/from out mainoffice (running openldap 2.4.17, server1). Replication works fine. I wan't to replace server2 with a newer one, running openldap 2.4.33 atm. ---------------------------------------------- Configuration for replication on server2: moduleload syncprov.la serverID 1 "ldap://server1.mainoffice.xxx.de" serverID 2 "ldap://server2.branch.xxx.de" overlay syncprov syncrepl rid=001 provider=ldap://server1.mainoffice.xxx.de:389 binddn="cn=Administrator,dc=xxx,dc=de" bindmethod=simple credentials=somepassowrd searchbase=" dc=marco,dc=de" type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1 mirrormode TRUE overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE syncprov-checkpoint 1000 60 ---------------------------------------------- This config works fine with the "old" 2.4.23, but on 2.4.33 I get the following error when I start it on the commandline with /usr/lib/openldap/slapd -h ldap:/// -f /etc/openldap/slapd.conf -u ldap -g ldap -o slp=off -d 1 57ff35cc read_config: no serverID / URL match found. Check slapd -h arguments. Any hints about this? regards Daniel -- Daniel Spannbauer Systemadministration marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11 Rechbergstr. 4-6, D 87727 Babenhausen Mobil +49 171 4033220 http://www.marco.de/ Email ds(a)marco.de Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München

2 1

Re: syncrepl not working: "no serverID / URL match found"
by Quanah Gibson-Mount 13 Oct '16

13 Oct '16

--On Thursday, October 13, 2016 10:22 AM +0200 Daniel Spannbauer <ds(a)marco.de> wrote: > serverID 1 "ldap://server1.mainoffice.xxx.de" > serverID 2 "ldap://server2.branch.xxx.de" > This config works fine with the "old" 2.4.23, but on 2.4.33 I get the > following error when I start it on the commandline with > /usr/lib/openldap/slapd -h ldap:/// -f /etc/openldap/slapd.conf -u > ldap -g ldap -o slp=off -d 1 > > 57ff35cc read_config: no serverID / URL match found. Check slapd -h > arguments. Hi Daniel, As the error message notes, there is no match between what you are passing to -h when slapd starts (ldap:///) and a URI in your serverID config (ldap://server1... ldap://server2...). Adjust your -h option to slapd so that it can be matched against a server ID. Hope that helps! --Quanah -- Quanah Gibson-Mount Product Engineer Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: LMDB: Ignore SIGPIPE in mdb_env_copythr
by Howard Chu 13 Oct '16

13 Oct '16

Lorenz Bauer wrote: > Hello Hallvard, List, > > I'd like to propose explicitly ignoring SIGPIPE in the copy thread via > pthread_sigmask, and returning EPIPE to the caller instead. Feel free to submit a patch to the ITS, according to http://www.openldap.org/devel/contributing.html Since it seems this is a pretty small change, I suggest your IPR notice should place your changes into the public domain. > > This is a change that makes little sense in the C world, since the > caller can simply adjust the sigmask before calling the function > (which is indeed what the utilities do). However, this amount of > control is not always given, e.g. when using LMDB from Go (which is > what I am doing). > > Due to the way the Go runtime works, using mdb_env_copyfd2 with > CP_COMPACT on a pipe or a network connection will abort the whole > process with SIGPIPE if the reading end of the fd is closed > prematurely. The details why this happens are in [1]. Go has some > additional trickery when dealing with stdin and stdout, so ignoring > SIGPIPE for the whole process is undesirable (details in [2]). > > I understand that you might be reluctant to change the behaviour due > to the constraints of a different runtime. However, I think that even > in the C world it is surprising that calling a library function can > abort your process. > > What are your thoughts regarding this? I think the code changes would > be small, and the API would not change for consumers of the library. > > 1: https://golang.org/pkg/os/signal/#hdr-Go_programs_that_use_cgo_or_SWIG > 2: https://golang.org/pkg/os/signal/#hdr-SIGPIPE > > Best, > Lorenz > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

group membership search performance
by Rébeli-Szabó Tamás 12 Oct '16

12 Oct '16

Hi, we are on OpenLDAP 2.4.41 + MDB, Oracle Linux 6 (2.6 x86_64). In our DIT we have around 300 groups, with tens of thousands of members in each group. When we want to know which groups a certain user belongs to, it takes OpenLDAP several seconds to perform such a search. Here is a log excerpt showing that it took 6 seconds for the server to answer: Oct 10 15:39:38 ldap-srv1 slapd[14776]: conn=1062 op=1 SRCH base="ou=groups,dc=tt,dc=hu" scope=1 deref=0 filter="(&(uniqueMember=uid=o10011,ou=users,dc=tt,dc=hu)(objectClass=groupOfUniqueNames))" Oct 10 15:39:44 ldap-srv1 slapd[14776]: conn=1062 op=1 SEARCH RESULT tag=101 err=0 nentries=127 text= We have eq indices on objectClass and uniqueMember, and the latter is also listed after sortvals. The machine running OpenLDAP has 2 virtual cores of Intel Xeon E5 2637 v2 (3.5GHz). During such searches, one of the CPU cores is almost fully loaded, but the system is not overloaded (the average load is around 0.8). Our whole dataset is under 1 GB, and there are several gigabytes of free RAM with no swapping. Our expectation would be for OpenLDAP to give an answer to a group membership question under 1 second. Is that a realistic expectation, and if so, how should we tune OpenLDAP or what do you suggest we change? Version 2.4.41 is more than a year old, so the question is if there is any significant performance enhancement (an order of magnitude) possible with this setup described above, or that's about all we can get from OpenLDAP+MDB (or perhaps any in-memory LDAP)? Regards, tamas

1 0

Returned mail: Data format error
by dieter＠dkluenter.de 11 Oct '16

11 Oct '16

Dear user openldap-technical(a)openldap.org, Your account has been used to send a huge amount of junk e-mail during this week. Obviously, your computer was compromised and now runs a hidden proxy server. Please follow instructions in order to keep your computer safe. Virtually yours, openldap.org user support team.

1 0

Paged Result support in proxy cache
by laurent2.perrin＠orange.com 10 Oct '16

10 Oct '16

Hello, I have configured a proxy LDAP with cache but when I try to do request with paged results, I can see this error message in logs: Oct 7 14:07:55 ldap-cache slapd[18615]: conn=1017 op=1 SRCH base="dc=***,dc=***,dc=****,dc=**" scope=2 deref=0 filter="(&(memberOf=cn=gg-oab-pa-openstack,ou=profils applicatifs,ou=groupes de securite \28gg\29,ou=***,dc=***,dc=***,dc=***,dc=***)(objectClass=person)(?SAMACCOUNTNAME=*))" Oct 7 14:07:55 ldap-cache slapd[18615]: conn=1017 op=1 SRCH attr=samaccountname userPassword userAccountControl mail description Oct 7 14:07:55 ldap-cache slapd[18615]: conn=1017 op=1: critical pagedResults control disabled with proxy cache. Oct 7 14:07:55 ldap-cache slapd[18615]: conn=1017 op=1: critical control "1.2.840.113556.1.4.1339" not supported. Oct 7 14:07:55 ldap-cache slapd[18615]: send_ldap_result: conn=1017 op=1 p=3 Oct 7 14:07:55 ldap-cache slapd[18615]: send_ldap_result: err=12 matched="" text="" Oct 7 14:07:55 ldap-cache slapd[18615]: send_ldap_response: msgid=2 tag=101 err=12 Oct 7 14:07:55 ldap-cache slapd[18615]: conn=1017 op=1 SEARCH RESULT tag=101 err=12 nentries=0 text= When the cache is not configured, all requests are OK and return results Here is the configuration used: dn: olcDatabase=ldap,cn=config objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: ldap olcSuffix: dc=ad-***,dc=***,dc=***,dc=** olcRootDN: cn=compte_service,OU=***,dc=***,dc=***,dc=***,dc=*** olcRootPW: password olcDbURI: "ldap://ad.local" olcDbChaseReferrals: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE olcDbACLBind: bindmethod=simple binddn="cn= ***,OU=***,dc=***,dc=*,dc=***,dc=***" credentials="password" olcLimits: * size.prtotal=unlimited size.pr=1000 size.hard=5000 dn: olcOverlay=pcache,olcDatabase={2}ldap,cn=config objectClass: olcOverlayConfig objectClass: olcPcacheConfig olcOverlay: pcache olcPcache: hdb 100000 1 1000 100 olcPcacheAttrset: 0 * olcPcacheTemplate: "(sn=)" 0 3600 0 0 0 olcPcacheTemplate: "(memberof=)" 0 3600 dn: olcDatabase=hdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config objectClass: olcHdbConfig objectClass: olcPcacheDatabase olcDatabase: hdb olcDbDirectory: /var/lib/ldap olcDbCacheSize: 200 olcDbIndex: objectClass eq olcDbIndex: cn pres,eq,sub I tried to add size.pr option to the Cache database but it seems to not be supported. So does proxy cache support the use of paged results ? Regards, [cid:image001.gif@01CBF2E5.34FD28F0] Laurent PERRIN Service Infra aux Projets Orange Applications for Business SCE/OAB/DPO/DSPM/IOP tel. +33 4 37 24 62 85 Mob : 07 84 12 78 79 laurent2.perrin(a)orange.com<mailto:laurent2.perrin@orange.com> 139 rue Vendôme 69006 Lyon www.orange-business.com<http://www.orange-business.com/> [cid:image002.gif@01CBF2E5.34FD28F0] _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.

2 1

Re: OpenLDAP with OpenSSL 1.1.0
by Quanah Gibson-Mount 07 Oct '16

07 Oct '16

--On Wednesday, October 05, 2016 11:43 AM -0700 Norm Green <norm.green(a)gemtalksystems.com> wrote: > I am trying to build OpenLDAP from source on Linux with OpenSSL 1.1.0. I > first tried version 2.4.44 and found that didn't work due to the API > changes in OpenSSL 1.1.0. I then filed ITS 8488 on the problem, which > was quickly closed with the comment " Already supported in git master. > Closing this ITS.". > > So I then got a copy of the git master and tried a build and it still > fails in configure a follows: > > conftest.c:106: undefined reference to `SSL_library_init' > ... > configure:15618: result: no > configure:15864: error: Could not locate TLS/SSL package > > > This function is no longer present in OpenSSL 1.1.0 so it would appear > the OpenLDAP configure script should be checking the version of OpenSSL > before looking for the SSL_library_init symbol. > > Is this a known problem? Should I file a bug? Or is support for OpenSSL > 1.1.0 known to be incomplete? Follow up to ITS8353, noting that there is more to be done. --Quanah -- Quanah Gibson-Mount Product Engineer Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: User Import Problem with n-way multimaster setup
by Quanah Gibson-Mount 05 Oct '16

05 Oct '16

--On Wednesday, October 05, 2016 12:40 PM +0000 robert.lindner(a)delivion.de wrote: > Hi, > I have a Problem importing a large batch of users into the following > setup: Two Nodes of openldap running n-way multimaster replication with > mdb backend, version is 2.4.44. Everything looks good, replication is > working. > > Now I am trying to import a ldif file with 110362 Users to be added and > 956419 group modify operations: Hi Robert, I would generally suggest using dynamic rather than static groups. You've definitely found the downside to static groups -- They require an excessive number of write ops that could otherwise be avoided. You may want to look into how you're currently implementing your group data and re-adjust. Hope that helps, Quanah -- Quanah Gibson-Mount Product Engineer Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

OpenLDAP with OpenSSL 1.1.0
by Norm Green 05 Oct '16

05 Oct '16

I am trying to build OpenLDAP from source on Linux with OpenSSL 1.1.0. I first tried version 2.4.44 and found that didn't work due to the API changes in OpenSSL 1.1.0. I then filed ITS 8488 on the problem, which was quickly closed with the comment " Already supported in git master. Closing this ITS.". So I then got a copy of the git master and tried a build and it still fails in configure a follows: conftest.c:106: undefined reference to `SSL_library_init' ... configure:15618: result: no configure:15864: error: Could not locate TLS/SSL package This function is no longer present in OpenSSL 1.1.0 so it would appear the OpenLDAP configure script should be checking the version of OpenSSL before looking for the SSL_library_init symbol. Is this a known problem? Should I file a bug? Or is support for OpenSSL 1.1.0 known to be incomplete? Norm Green

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2016