February 2016 - openldap-technical

slapo-accesslog: wrong timestamp microseconds

by Dario Zanzico

In adding an accesslog overlay I noticed something strange with the reqstart and reqend fields: the fractional part always begins with 000 and has this strange distribution. > $ ldapsearch ..... | awk -F . '/^reqStart: / {print $2}'| sort | uniq > -c 2 000000Z 351 000001Z 73 000002Z 70 000003Z 308 000004Z 81 000005Z > 97 000006Z 312 000007Z 97 000008Z 97 000009Z 297 000010Z 105 000011Z > 92 000012Z 294 000013Z 108 000014Z 95 000015Z 271 000016Z 128 000017Z > 97 000018Z 252 000019Z 126 000020Z 113 000021Z 240 000022Z 132 000023Z > 110 000024Z 230 000025Z 155 000026Z 118 000027Z 209 000028Z 150 > 000029Z 111 000030Z 193 000031Z 161 000032Z 103 000033Z 187 000034Z > 152 000035Z 117 000036Z 174 000037Z 145 000038Z 117 000039Z 140 > 000040Z 126 000041Z 94 000042Z 89 000043Z 98 000044Z 72 000045Z 51 > 000046Z 49 000047Z 27 000048Z 27 000049Z 26 000050Z 12 000051Z 13 > 000052Z 12 000053Z 9 000054Z 7 000055Z 6 000056Z 8 000057Z 10 > 000058Z 5 000059Z 3 000060Z 3 000061Z 5 000062Z 3 000063Z 7 > 000064Z 3 000065Z 7 000066Z 8 000067Z 1 000068Z 6 000069Z 5 > 000070Z 5 000071Z 4 000072Z 8 000073Z 2 000074Z 3 000075Z 11 > 000076Z 1 000077Z 4 000078Z 7 000079Z 6 000080Z 5 000081Z 6 > 000082Z 5 000083Z 2 000084Z 8 000085Z 3 000086Z 1 000087Z 9 > 000088Z 3 000089Z 3 000090Z 6 000091Z 3 000092Z 6 000093Z 5 > 000094Z 4 000095Z 4 000096Z 3 000097Z 4 000098Z 3 000099Z 4 > 000100Z 3 000101Z 6 000102Z 8 000103Z 1 000104Z 3 000105Z 4 > 000106Z 5 000107Z 2 000108Z 4 000109Z 4 000111Z 10 000112Z 5 > 000113Z 2 000114Z 3 000115Z 2 000116Z 4 000117Z 3 000118Z 4 > 000119Z 1 000120Z 4 000121Z 2 000122Z 4 000123Z 8 000124Z 3 > 000125Z 4 000126Z 4 000127Z 2 000128Z 3 000129Z 4 000130Z 5 > 000131Z 2 000132Z 5 000133Z 1 000134Z 5 000135Z 3 000136Z 2 > 000137Z 1 000138Z 2 000139Z 3 000140Z 2 000141Z 4 000142Z 1 > 000143Z 4 000144Z 4 000145Z 3 000146Z 4 000147Z 1 000148Z 1 > 000149Z 1 000150Z 2 000151Z 2 000152Z 2 000153Z 2 000154Z 3 > 000155Z 3 000156Z 2 000157Z 2 000158Z 1 000160Z 1 000161Z 1 > 000165Z 1 000166Z 1 000169Z 1 000171Z 1 000177Z This is on the last 10 minutes of entries, which I expected to be 'kind of' randomly distributed; Instead no entry has a reqstart with a fractional part bigger than .000177, and the vast majority of them has it < .000050 Anybody knows what can be the cause of this, and how to correct it? Thanks, dario

7 years, 7 months

2
3
0 / 0

ACL and set problem

by Cole

Hi, I have setup openldap and managed to get everything working, except for limiting access using an ACL with a set. Here is the output of the database and config: https://gist.github.com/onslauth/d6502df4d395dbdf9b19 What I want to achieve, is to limit ssh access to a computer, by adding users or groups to the cn=10.0.0.92,ou=servers group. When I try to bind to openldap with a user in the afore mentioned group, I get "Invalid credentials" error. I have included at the bottom of the gist the ACL log level output. As you can see, the set seems to be expanded correctly, but it doesn't seem to match the 'user' used for the bind. Can anyone see anything wrong with my setup? Thanks /Cole

7 years, 7 months

1
0
0 / 0

LDAPMODIFY Error

by Borresen, John - 0444 - MITLL

All, New ldap server, running OpenLDAP (v 2.4.40), running CentOS 7. Trying to add/modify the Netgroup. # ldapmodify -d 4 -x -W -H ldap://ldapserver.ldap.net Enter Password Dn: cn=admin,ou=Netgroup,dc=ldap,dc=net Changetype: modify Add: nisNetgroupTriple nisNetgroupTriple: (lenldap,,) . Ldap_modify: Inappropriate matching(18) Additional info: modify/add: nisNetgroupTriple: no equality matching rule I've been googling, one suggestion was to restart slapd, which was done to no avail. Any help would be appreciated. John D. Borresen (Dave) Linux/Unix Systems Administrator MIT Lincoln Laboratory Email: <mailto:john.borresen@ll.mit.edu> john.borresen(a)ll.mit.edu

7 years, 7 months

2
3
0 / 0

Re: SSL/TLS passphrase not being prompted for at startup

by Raja T Nair

Hello Quanah, Thanks for the help. LTB build works superbly. It would be great if you can give me some hint about doing such background check as the broken mozNSS lib issue you mentioned.. Warm Regards, Raja. On 16 February 2016 at 21:56, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, February 16, 2016 8:28 PM +0530 Raja T Nair < > rtnair(a)gmail.com> wrote: > > >> >> >> >> >> Hi Quanah, >> >> Thanks for the response. I will try LTB builds. >> >> But just curious, I am using centos. are centos builds also known to be >> buggy? >> > > Yes. They are essentially the same thing as the RHEL builds. > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc > -- :^)

7 years, 7 months

2
1
0 / 0

Work Queues, MDB_NOTLS, MDB_NOLOCK, and Concurrent Map() Over Sub Database

by A R

Hello, I’m using a work queue to manage concurrency. Currently jobs manage their own transactions, and barriers are used to enforce exclusive writer access. Naturally, MDB_NOTLS and MDB_NOLOCK are set on the environment. However, I need to implement a concurrent map algorithm over a sub database. The algorithm would be simple: a reader would enqueue worker jobs–each having a strong, immutable reference to the transaction and cursor, and copies of the key and value pointers. The transaction and cursor would only be destroyed after all of the sibling jobs have completed/canceled/failed. I’ve read that transactions and cursors should not be shared between threads, but in this use case, the creation and destruction operations are atomic since only 1 thread, or 2 distinct threads, receive the “beginReadTransaction” and “endReadTransaction” jobs at two distinct moments in time, in a guaranteed order. Are there any caveats in this approach? Thanks, A. Robinson

7 years, 7 months

1
0
0 / 0

Shutting down some slapd listeners

by Hallvard Breien Furuseth

Sometimes I want slapd to stop listening for new connections to ldap:// and ldaps://, but keep listening to ldapi://, for maintenance before shutdown. One way would be to extend the 'gentlehup' config option with a list of which URIs it should affect. Or we could add some sort of 'command language' to cn=config/cn=monitor. Or should I play some temporary tricks with iptables or whatever, so new connections never reach slapd? I've never tried that. -- Hallvard

7 years, 7 months

3
2
0 / 0

Re: SSL/TLS passphrase not being prompted for at startup

by Raja T Nair

Hi Quanah, Thanks for the response. I will try LTB builds. But just curious, I am using centos. are centos builds also known to be buggy? Warm Regards, Raja. On 16 February 2016 at 03:21, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Monday, February 15, 2016 11:34 PM +0530 Raja T Nair < > rtnair(a)gmail.com> wrote: > > >> >> >> Hi, >> >> >> OpenLDAP version: 2.4.40-8.el7.x86_64 >> >> OS: CentOS 7.0.1406 >> > > Builds from RedHat link to the very broken MozNSS libraries, which are > likely the source of your issue. You should avoid their broken builds > entirely. I would suggest getting the LTB project builds that are sanely > linked to OpenSSL. > > <http://ltb-project.org/wiki/download#openldap> > > --Quanah > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc > -- :^)

7 years, 7 months

2
1
0 / 0

Disallow ldap operations without start_tls

by Joshua Schaeffer

I have setup my OpenLDAP server to use TLS and I can successfully bind/search/update/etc over a TLS connection. I have also set olcSecurity. Here is my database: root@baneling:~/ldif_files# slapcat -F /etc/ldap/slapd.d -s olcDatabase={1}mdb,cn=config dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=harmonywave,dc=com olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonym ous auth by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by * read olcLastMod: TRUE olcRootDN: cn=admin,dc=harmonywave,dc=com olcRootPW:: e1NTSEF9dUhDcE1jUUJoWlpuc0twRHBNQkVCUGtmTFA5SC9EYUU= olcDbCheckpoint: 512 30 olcDbIndex: objectClass eq olcDbIndex: cn,uid eq olcDbIndex: uidNumber,gidNumber eq olcDbIndex: member,memberUid eq olcDbMaxSize: 1073741824 structuralObjectClass: olcMdbConfig entryUUID: caa04334-6857-1035-9fbb-dd6671002504 creatorsName: cn=admin,cn=config createTimestamp: 20160215174631Z olcSecurity: simple_bind=256 olcSecurity: ssf=256 entryCSN: 20160215210910.287865Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20160215210910Z When I try to do any sort of ldap operation without the -ZZ option then slapd returns a "TLS confidentiality required" message as it should and as I expect. However, If I sniff the wire, I still see the attempted bind request with my DN and password in plaintext. Is there any way to force clients to use start_tls without sending any credentials over the wire (a.k.a. return an error message before a bind request is actually submitted) or does this have to be controlled outside of OpenLDAP? Thanks, Joshua

7 years, 7 months

4
7
0 / 0

SSL/TLS passphrase not being prompted for at startup

by Raja T Nair

Hi, OpenLDAP version: 2.4.40-8.el7.x86_64 OS: CentOS 7.0.1406 While starting openldap service with command line: systemctl start slapd, it does start well, but does not ask for passphrase of the TLS certificate included. The service listens on ports 636 and 389. When the first request over port 636 is received, the server prompts for passphrase in the console. While this behavior is fine when I run slapd on an attached console, it stops me from running it as a system startup service. Can somebody help me to make slapd to prompt for passphrase during startup? Thanks and Regards, Raja. -- :^)

7 years, 7 months

2
1
0 / 0

Incomplete members from dynlist group when Paged Results control is specified

by Kartik Subbarao

I'm using Google Apps Directory Sync (GADS) to synchronize group memberships from an OpenLDAP (2.4.41) directory. GADS uses the Paged Results control (1.2.840.113556.1.4.319) to retrieve results in batches of 1000. One of the searches that it does is as follows: base: ou=groups,dc=example,dc=com filter: (mail=*(a)example.com) attributes requested: member owner [and some others] There are more than 1000 groups that match, so it returns the results in batches as expected. Some of these groups are dynlist groups that have memberURL attributes set, which dynamically expand the member attribute when retrieved. For dynlist groups that show up in the first page of results, their members are properly retrieved. But after the first page, the results for dynlist groups only return a subset of the proper membership. As a result, an incomplete membership is being synced to Google for those subsequent groups, and the missing members are causing problems. To rule out GADS from being the root cause of the problem, I ran a standalone perl script to search with the Paged Results control, with the page size set to a small number of entries. Just as with GADS, after the first page of results, the entries started to return fewer members from dynlist groups than should be returned. With a page size of 1, the second dynlist group started to show fewer members (125 vs 127). My guess is that the dynlist code is somehow getting confused by the presence of the Paged Results control in the top-level search, when it does its internal searches to retrieve the individual group memberships. I wanted to ask whether this is enough detail to file an ITS, or whether more information was desired. It could take some more time to put together a generically reproducible LDIF file, so I figured I would post this now in case someone familiar with the dynlist code might recognize this and see how the presence of the Paged Results control might be interfering with its behavior. Thanks, -Kartik

7 years, 7 months

1
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2016