openldap-technical February 2016

openldap-technical@openldap.org

56 participants
68 discussions

chain-uri with a blank?
by Marc Patermann 18 Feb '16

18 Feb '16

Hi, should chain-uri work with an URI with a blank the DIT path? like in: chain-uri "ldap://servername/ou=far bar,c=de" I'm getting a parsing error here with 2.4.43. Feb 17 18:35:01 slapd[1765]: /etc/openldap/slapd.conf: line 156 (chain-uri "ldap://servername/ou=foo bar,c=de") Feb 17 18:35:01 slapd[1765]: /etc/openldap/slapd.conf: line 156: unable to parse uri "(null)" in "uri <uri>" line: URL doesn't begin with "[c]ldap[si]://". Is this a bug? Marc

5 6

slapo-accesslog: wrong timestamp microseconds
by Dario Zanzico 18 Feb '16

18 Feb '16

In adding an accesslog overlay I noticed something strange with the reqstart and reqend fields: the fractional part always begins with 000 and has this strange distribution. > $ ldapsearch ..... | awk -F . '/^reqStart: / {print $2}'| sort | uniq > -c 2 000000Z 351 000001Z 73 000002Z 70 000003Z 308 000004Z 81 000005Z > 97 000006Z 312 000007Z 97 000008Z 97 000009Z 297 000010Z 105 000011Z > 92 000012Z 294 000013Z 108 000014Z 95 000015Z 271 000016Z 128 000017Z > 97 000018Z 252 000019Z 126 000020Z 113 000021Z 240 000022Z 132 000023Z > 110 000024Z 230 000025Z 155 000026Z 118 000027Z 209 000028Z 150 > 000029Z 111 000030Z 193 000031Z 161 000032Z 103 000033Z 187 000034Z > 152 000035Z 117 000036Z 174 000037Z 145 000038Z 117 000039Z 140 > 000040Z 126 000041Z 94 000042Z 89 000043Z 98 000044Z 72 000045Z 51 > 000046Z 49 000047Z 27 000048Z 27 000049Z 26 000050Z 12 000051Z 13 > 000052Z 12 000053Z 9 000054Z 7 000055Z 6 000056Z 8 000057Z 10 > 000058Z 5 000059Z 3 000060Z 3 000061Z 5 000062Z 3 000063Z 7 > 000064Z 3 000065Z 7 000066Z 8 000067Z 1 000068Z 6 000069Z 5 > 000070Z 5 000071Z 4 000072Z 8 000073Z 2 000074Z 3 000075Z 11 > 000076Z 1 000077Z 4 000078Z 7 000079Z 6 000080Z 5 000081Z 6 > 000082Z 5 000083Z 2 000084Z 8 000085Z 3 000086Z 1 000087Z 9 > 000088Z 3 000089Z 3 000090Z 6 000091Z 3 000092Z 6 000093Z 5 > 000094Z 4 000095Z 4 000096Z 3 000097Z 4 000098Z 3 000099Z 4 > 000100Z 3 000101Z 6 000102Z 8 000103Z 1 000104Z 3 000105Z 4 > 000106Z 5 000107Z 2 000108Z 4 000109Z 4 000111Z 10 000112Z 5 > 000113Z 2 000114Z 3 000115Z 2 000116Z 4 000117Z 3 000118Z 4 > 000119Z 1 000120Z 4 000121Z 2 000122Z 4 000123Z 8 000124Z 3 > 000125Z 4 000126Z 4 000127Z 2 000128Z 3 000129Z 4 000130Z 5 > 000131Z 2 000132Z 5 000133Z 1 000134Z 5 000135Z 3 000136Z 2 > 000137Z 1 000138Z 2 000139Z 3 000140Z 2 000141Z 4 000142Z 1 > 000143Z 4 000144Z 4 000145Z 3 000146Z 4 000147Z 1 000148Z 1 > 000149Z 1 000150Z 2 000151Z 2 000152Z 2 000153Z 2 000154Z 3 > 000155Z 3 000156Z 2 000157Z 2 000158Z 1 000160Z 1 000161Z 1 > 000165Z 1 000166Z 1 000169Z 1 000171Z 1 000177Z This is on the last 10 minutes of entries, which I expected to be 'kind of' randomly distributed; Instead no entry has a reqstart with a fractional part bigger than .000177, and the vast majority of them has it < .000050 Anybody knows what can be the cause of this, and how to correct it? Thanks, dario

2 3

ACL and set problem
by Cole 18 Feb '16

18 Feb '16

Hi, I have setup openldap and managed to get everything working, except for limiting access using an ACL with a set. Here is the output of the database and config: https://gist.github.com/onslauth/d6502df4d395dbdf9b19 What I want to achieve, is to limit ssh access to a computer, by adding users or groups to the cn=10.0.0.92,ou=servers group. When I try to bind to openldap with a user in the afore mentioned group, I get "Invalid credentials" error. I have included at the bottom of the gist the ACL log level output. As you can see, the set seems to be expanded correctly, but it doesn't seem to match the 'user' used for the bind. Can anyone see anything wrong with my setup? Thanks /Cole

1 0

LDAPMODIFY Error
by Borresen, John - 0444 - MITLL 17 Feb '16

17 Feb '16

All, New ldap server, running OpenLDAP (v 2.4.40), running CentOS 7. Trying to add/modify the Netgroup. # ldapmodify -d 4 -x -W -H ldap://ldapserver.ldap.net Enter Password Dn: cn=admin,ou=Netgroup,dc=ldap,dc=net Changetype: modify Add: nisNetgroupTriple nisNetgroupTriple: (lenldap,,) . Ldap_modify: Inappropriate matching(18) Additional info: modify/add: nisNetgroupTriple: no equality matching rule I've been googling, one suggestion was to restart slapd, which was done to no avail. Any help would be appreciated. John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Email: <mailto:john.borresen@ll.mit.edu> john.borresen(a)ll.mit.edu

2 3

Re: SSL/TLS passphrase not being prompted for at startup
by Raja T Nair 17 Feb '16

17 Feb '16

Hello Quanah, Thanks for the help. LTB build works superbly. It would be great if you can give me some hint about doing such background check as the broken mozNSS lib issue you mentioned.. Warm Regards, Raja. On 16 February 2016 at 21:56, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, February 16, 2016 8:28 PM +0530 Raja T Nair < > rtnair(a)gmail.com> wrote: > > >> >> >> >> >> Hi Quanah, >> >> Thanks for the response. I will try LTB builds. >> >> But just curious, I am using centos. are centos builds also known to be >> buggy? >> > > Yes. They are essentially the same thing as the RHEL builds. > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc > -- :^)

2 1

Work Queues, MDB_NOTLS, MDB_NOLOCK, and Concurrent Map() Over Sub Database
by A R 16 Feb '16

16 Feb '16

Hello, I’m using a work queue to manage concurrency. Currently jobs manage their own transactions, and barriers are used to enforce exclusive writer access. Naturally, MDB_NOTLS and MDB_NOLOCK are set on the environment. However, I need to implement a concurrent map algorithm over a sub database. The algorithm would be simple: a reader would enqueue worker jobs–each having a strong, immutable reference to the transaction and cursor, and copies of the key and value pointers. The transaction and cursor would only be destroyed after all of the sibling jobs have completed/canceled/failed. I’ve read that transactions and cursors should not be shared between threads, but in this use case, the creation and destruction operations are atomic since only 1 thread, or 2 distinct threads, receive the “beginReadTransaction” and “endReadTransaction” jobs at two distinct moments in time, in a guaranteed order. Are there any caveats in this approach? Thanks, A. Robinson

1 0

Shutting down some slapd listeners
by Hallvard Breien Furuseth 16 Feb '16

16 Feb '16

Sometimes I want slapd to stop listening for new connections to ldap:// and ldaps://, but keep listening to ldapi://, for maintenance before shutdown. One way would be to extend the 'gentlehup' config option with a list of which URIs it should affect. Or we could add some sort of 'command language' to cn=config/cn=monitor. Or should I play some temporary tricks with iptables or whatever, so new connections never reach slapd? I've never tried that. -- Hallvard

3 2

Re: SSL/TLS passphrase not being prompted for at startup
by Raja T Nair 16 Feb '16

16 Feb '16

Hi Quanah, Thanks for the response. I will try LTB builds. But just curious, I am using centos. are centos builds also known to be buggy? Warm Regards, Raja. On 16 February 2016 at 03:21, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Monday, February 15, 2016 11:34 PM +0530 Raja T Nair < > rtnair(a)gmail.com> wrote: > > >> >> >> Hi, >> >> >> OpenLDAP version: 2.4.40-8.el7.x86_64 >> >> OS: CentOS 7.0.1406 >> > > Builds from RedHat link to the very broken MozNSS libraries, which are > likely the source of your issue. You should avoid their broken builds > entirely. I would suggest getting the LTB project builds that are sanely > linked to OpenSSL. > > <http://ltb-project.org/wiki/download#openldap> > > --Quanah > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc > -- :^)

2 1

Disallow ldap operations without start_tls
by Joshua Schaeffer 15 Feb '16

15 Feb '16

I have setup my OpenLDAP server to use TLS and I can successfully bind/search/update/etc over a TLS connection. I have also set olcSecurity. Here is my database: root@baneling:~/ldif_files# slapcat -F /etc/ldap/slapd.d -s olcDatabase={1}mdb,cn=config dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=harmonywave,dc=com olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonym ous auth by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by * read olcLastMod: TRUE olcRootDN: cn=admin,dc=harmonywave,dc=com olcRootPW:: e1NTSEF9dUhDcE1jUUJoWlpuc0twRHBNQkVCUGtmTFA5SC9EYUU= olcDbCheckpoint: 512 30 olcDbIndex: objectClass eq olcDbIndex: cn,uid eq olcDbIndex: uidNumber,gidNumber eq olcDbIndex: member,memberUid eq olcDbMaxSize: 1073741824 structuralObjectClass: olcMdbConfig entryUUID: caa04334-6857-1035-9fbb-dd6671002504 creatorsName: cn=admin,cn=config createTimestamp: 20160215174631Z olcSecurity: simple_bind=256 olcSecurity: ssf=256 entryCSN: 20160215210910.287865Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20160215210910Z When I try to do any sort of ldap operation without the -ZZ option then slapd returns a "TLS confidentiality required" message as it should and as I expect. However, If I sniff the wire, I still see the attempted bind request with my DN and password in plaintext. Is there any way to force clients to use start_tls without sending any credentials over the wire (a.k.a. return an error message before a bind request is actually submitted) or does this have to be controlled outside of OpenLDAP? Thanks, Joshua

4 7

SSL/TLS passphrase not being prompted for at startup
by Raja T Nair 15 Feb '16

15 Feb '16

Hi, OpenLDAP version: 2.4.40-8.el7.x86_64 OS: CentOS 7.0.1406 While starting openldap service with command line: systemctl start slapd, it does start well, but does not ask for passphrase of the TLS certificate included. The service listens on ports 636 and 389. When the first request over port 636 is received, the server prompts for passphrase in the console. While this behavior is fine when I run slapd on an attached console, it stops me from running it as a system startup service. Can somebody help me to make slapd to prompt for passphrase during startup? Thanks and Regards, Raja. -- :^)

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2016