openldap-technical February 2016

openldap-technical@openldap.org

56 participants
68 discussions

ldap client library
by Friedrich Locke 11 Feb '16

11 Feb '16

Hi folks! i am in need to write a small subset of ldap client library. Currently i need Write a function to encode a bind request Write a function to decode a bind response Write a function to encode a entry request (for instance: retrieve all attributes for entry posixuser uid=sioux,ou=people,dn=x,dn=y) Write a function to decode a entry search response May you point me what are the messages in the ldap library RFC i shoud implement as also the tag values for the ASN objects ? Thanks in advance.

1 0

LMDB and Referential transparency
by Pierre-Étienne Meunier 11 Feb '16

11 Feb '16

Hi, I love LMDB, thanks for writing it! I wonder whether it would be possibly to add the following feature: When I change one of the databases (called for instance A) in my environment, I'd like to be able to still keep a copy of A as it was before, and make a new copy B, that would share all its memory with A, except the changes. In other words, I'd like to have a function like: int mdb_fork_db(MDB_txn* txn, MDB_dbi dbi_a, char* B, int open_dbi_flags, MDB_dbi* dbi_b), which would open a new database dbi_b with name B, and copy the B-Tree root of database "dbi_a" as the root of "dbi_b". After this, any put/delete on A would update A only, and any put/delete on new_name would update new_name only. Cheers, Pierre Here is an example of the semantics I would find really great: #include<lmdb.h> void main(){ MDB_env *env; mdb_env_create(&env); mdb_env_open(env,"/tmp/test.lmdb",0,0755); MDB_txn *txn; mdb_env_set_maxdbs(env,2); mdb_txn_begin(env,NULL,0,&txn); MDB_dbi db_a; mdb_dbi_open(txn,"A",MDB_CREATE,&db_a); { char*k_="shared1"; char*v_="value 1"; MDB_val k = { mv_data:k_,mv_size:sizeof(k_) }; MDB_val v = { mv_data:v_,mv_size:sizeof(v_) }; mdb_put(txn,db_a,&k,&v,0); } { char*k_="shared2"; char*v_="value 2"; MDB_val k = { mv_data:k_,mv_size:sizeof(k_) }; MDB_val v = { mv_data:v_,mv_size:sizeof(v_) }; mdb_put(txn,db_a,&k,&v,0); } MDB_dbi db_b; mdb_fork_db(txn,db,"B",MDB_CREATE,&db_b); { char*k_="BKey"; char*v_="Value B"; MDB_val k = { mv_data:k_,mv_size:sizeof(k_) }; MDB_val v = { mv_data:v_,mv_size:sizeof(v_) }; mdb_put(txn,db_b,&k,&v,0); } { char*k_="AKey"; char*v_="Value A"; MDB_val k = { mv_data:k_,mv_size:sizeof(k_) }; MDB_val v = { mv_data:v_,mv_size:sizeof(v_) }; mdb_put(txn,db_a,&k,&v,0); } // Now, A has {shared1, shared2, AKey}, and B has {shared1,shared2,BKey}. { char*k_="shared1"; MDB_val k = { mv_data:k_,mv_size:sizeof(k_) }; mdb_del(txn,db_b,&k,NULL); } // Now, A has {shared1, shared2, AKey}, and B has {shared2,BKey}. mdb_drop(db_a); // Now, the environment has just a single database B, with keys {shared2, BKey}. mdb_txn_commit(txn); mdb_env_close(env); }

3 2

chaining for a single backend?
by Marc Patermann 11 Feb '16

11 Feb '16

Hi, I want to activate chaining for a single backend. The server is a replication consumer and has a few glued database backends. Only one is containing linux accounts with ppolicy overlay. This should use chaining to replicate the ppolicy changes which otherwise stay local. Can this be achieved? Marc

4 6

Unable to do ldapsearch, but testsaslauthd works in OpenLDAP 2.4
by Ravi K Althuru 11 Feb '16

11 Feb '16

We have OpenLDAP 2.3 running on Linux. It is set up in SASL mode authenticating against multiple ADs. Everything works fine there, which is our Production env. We recently installed a new instance of OpenLDAP 2.4.23 running on RedHat Linux 6 in our Dev and QA env. Then, we moved the slapd.conf and slapd-meta.conf file to the new instance, and created the required users. When we run testsaslauthd, we are successfully able to authenticate against the appropriate AD that the user is under. testsaslauthd -u ravi@SONEPAR -p secret - WORKS ldapsearch -x -D uid=ravi,ou=People,ou=company,dc=inside,dc=devserver,dc=com -w secret results in: ldap_bind: Invalid credentials (49) But when we do a ldap search or connect using LDAP Browser, the user is not able to get autheticated. We are not able to bind to the OpenLDAP by using the same credentials. I get a Invalid credentials err 49, which indcates either credentials are incorrect, which in this case its not, or the bind info is incorrect. I seems as though the user is not able to bind to OpenLDAP 2.4 or it does not know how to. When I change the password form {SASL}ralthuru@SONEPAR to a text say "secret", it works fine. Here is the log output from the same user authetication in OpenLDAP 2.3 and OpenLDAP 2.4: SUCCESS - QA 2.4 - testsaslauthd -u ralthuru@SONEPAR -p secret Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:44500 (IP=127.0.0.1:391) Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" method=128 Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0 Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 RESULT tag=97 err=0 text= Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(?SMACCOUNTNAME=ralthuru))" Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH attr=dn Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND anonymous mech=implicit ssf=0 Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" method=128 Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0 Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 RESULT tag=97 err=0 text= SUCCESS - QA 2.4 - login as cn=Manager/Password1 from LDAP Browser Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 fd=12 ACCEPT from IP=10.108.138.66:64931 (IP=0.0.0.0:389) Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" method=128 Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" mech=SIMPLE ssf=0 Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 RESULT tag=97 err=0 text= Feb 2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 op=1 UNBIND Feb 2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 fd=12 closed FAIL - QA 2.4 - login as uid=ralthuru/Sonepar123 from LDAP Browser Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from IP=10.108.138.66:64939 (IP=0.0.0.0:389) Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" mthod=128 Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 err=49 text= Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=1 UNBIND Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 closed SUCCESS - PRODUCTION 2.3 - testsaslauthd -u ralthuru@SONEPAR -p secret Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND anonymous mech=implicit ssf=0 Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND dn="cn=Manager,dc=local" method=128 Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0 Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 RESULT tag=97 err=0 text= Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))" Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH attr=dn Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SEARCH RESULT tag=101 err=0 nentries=1 text= Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND anonymous mech=implicit ssf=0 Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128 Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0 Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 RESULT tag=97 err=0 text= SUCCESS - PRODUCTION 2.3 - login as uid=ralthuru/secret from LDAP Browser eb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 fd=15 ACCEPT from IP=10.108.138.66:54298 (IP=0.0.0.0:389) Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128 Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND anonymous mech=implicit ssf=0 Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" method=128 Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0 Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 RESULT tag=97 err=0 text= Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))" Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH attr=dn Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text= Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND anonymous mech=implicit ssf=0 Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128 Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0 Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 RESULT tag=97 err=0 text= Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0 Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 RESULT tag=97 err=0 text= Feb 3 10:44:47 pavfldapp01 slapd[4806]: conn=50825 op=1 UNBIND SUCCESS - PRODUCTION 2.3 - LDAP Search command as uid=ralthuru/secret Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 ACCEPT from IP=10.199.204.205:44578 (IP=0.0.0.0:389) Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128 Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND anonymous mech=implicit ssf=0 Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND dn="cn=Manager,dc=local" method=128 Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0 Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 RESULT tag=97 err=0 text= Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))" Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH attr=dn Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SEARCH RESULT tag=101 err=0 nentries=1 text= Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND anonymous mech=implicit ssf=0 Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128 Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0 Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 RESULT tag=97 err=0 text= Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0 Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 RESULT tag=97 err=0 text= Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SRCH base="dc=inside,dc=sonepar-us,dc=com" scope=2 deref=0 filter="(objectClass=*)" Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text= Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=2 UNBIND Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 closed Here is the ldap.conf URI ldap://10.99.19.179 BASE dc=inside,dc=sdusadevl,dc=com TLS_REQCERT never Here is the slapd.conf, only the relevant info: include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/schema_extension.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap loglevel 256 ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=inside,dc=sdusadevl,dc=com" rootdn "cn=Manager,dc=inside,dc=sdusadevl,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw xyz123 # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index uniqueMember eq,pres # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM # adding to ignore error for slaptest cachesize 2000 sasl-host localhost sasl-secprops none ---------------------- Here is the slapd-meta.conf containing the AD where the user ralthuru is autheticating to: uri ldap://sdusa-dc-01.sdusadevl.com:3268/ou=SONEPAR,dc=local lastmod off suffixmassage "ou=SONEPAR,dc=local" "dc=sdusadevl,dc=com" idassert-bind bindmethod=simple binddn="CN=Vignette\\, Service Account,OU=Vignette Service,OU=Vignette,OU=Enterpise Systems,DC=sdusadevl,DC=com" credentials="hiddenpassword" mode=none flags=non-prescriptive idassert-authzFrom "dn.exact:cn=Manager,dc=local" I have searched across many forums, compared the set up on the OpenLDAP 2.3 and OpenLDAP 2.4 instances and cannot find any differences. Any suggestions on how to resolve this is appreciated!

4 7

Nested groups and sssd filters
by Miltos Tereres 11 Feb '16

11 Feb '16

Hello, I have a groupOfUniqueNames in my ldap (xv64ut09), which has as a uniqueMember the DN of another groupOfUniqueNames. In this last group are my user values. In my sssd configuration I use a filter like this: ldap_user_search_base = ou=people,dc=fu,dc=bar,dc=com??(&(memberOf=cn=xv64ut09,ou=groups,dc=fu,dc=bar,dc=com)(objectClass=*)) The problem is that this doesn't work if the user values are in a nested group, it only works if the users are in my main group (xv64ut09). I would guess that linux / sssd can support this type of nesting. Is there a change that needs to be done from the ldap server side, in the schema, or maybe something else that I have missed? I am using the rfc2307bis... Thanks.

4 3

Replication between 2.4.21 and 2.4.31
by Jason J. W. Williams 11 Feb '16

11 Feb '16

Hello, For various reasons we may need to set up N-way multimaster replication between OpenLDAP 2.4.21 and 2.4.31. Do folks see problems running different patch releases in the same replication group? -J

2 1

Crash on ldap 2.4.41 on RedHat using mdb.
by ping-shin ching 11 Feb '16

11 Feb '16

Hi Folks, I upload data approx (15 million entries) using slapadd. Then start the server and run some searches. Not all searches crash- only some. I get some results before before slapd core dumps. Do I need to furnish any more information? gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-3) Configure options... --without-cyrus-sasl \ --disable-bdb \ --disable-hdb \ --enable-ldap \ --enable-mdb \ --enable-constraint \ --enable-accesslog; \ backtrace... Core was generated by `./slapd -h ldap://:1389 -f /data/openldap24/etc/openldap/slapd.conf'. Program terminated with signal 11, Segmentation fault. #0 0x00000000004940fa in mdb_node_read (txn=0x7f9dec102b00, leaf=0x7f9e3914c736, data=0x7f9df15f6020) at ./../../../libraries/liblmdb/mdb.c:5350 5350 data->mv_size = NODEDSZ(leaf); Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.166.el6_7.3.x86_64 (gdb) where #0 0x00000000004940fa in mdb_node_read (txn=0x7f9dec102b00, leaf=0x7f9e3914c736, data=0x7f9df15f6020) at ./../../../libraries/liblmdb/mdb.c:5350 #1 0x00000000004978db in mdb_cursor_set (mc=0x7f9dec104480, key=0x7f9df366c320, data=0x7f9df15f6020, op=MDB_SET, exactp=<value optimized out>) at ./../../../libraries/liblmdb/mdb.c:5787 #2 0x000000000049818a in mdb_cursor_get (mc=0x7f9dec104480, key=0x7f9df366c320, data=0x7f9df15f6020, op=<value optimized out>) at ./../../../libraries/liblmdb/mdb.c:5952 #3 0x00000000004a2c81 in mdb_waitfixup (op=0x7f9dec102570, ww=0x7f9df37fc460, mci=<value optimized out>, mcd=0x7f9dec104480, scopes=0x7f9df12f5010) at search.c:377 #4 0x00000000004a52bc in mdb_search (op=0x7f9dec102570, rs=<value optimized out>) at search.c:1114 #5 0x000000000048179e in overlay_op_walk (op=0x7f9dec102570, rs=0x7f9df37fda30, which=<value optimized out>, oi=0x214ca50, on=0x0) at backover.c:677 #6 0x0000000000482213 in over_op_func (op=0x7f9dec102570, rs=<value optimized out>, which=<value optimized out>) at backover.c:730 #7 0x000000000041f871 in fe_op_search (op=0x7f9dec102570, rs=0x7f9df37fda30) at search.c:402 #8 0x000000000042009c in do_search (op=0x7f9dec102570, rs=0x7f9df37fda30) at search.c:247 #9 0x000000000041d959 in connection_operation (ctx=0x7f9df37fdb70, arg_v=0x7f9dec102570) at connection.c:1155 #10 0x000000000041e0cd in connection_read_thread (ctx=0x7f9df37fdb70, argv=<value optimized out>) at connection.c:1291 #11 0x00000000004ef7a0 in ldap_int_thread_pool_wrapper (xpool=0x20af380) at tpool.c:696 #12 0x00000034a7c079d1 in start_thread () from /lib64/libpthread.so.0 #13 0x00000034a78e8b5d in epoll_pwait () from /lib64/libc.so.6 #14 0x0000000000000000 in ?? ()

2 2

ldap separate OU-administrator account
by Gary Spencer 10 Feb '16

10 Feb '16

Hi, I need some guidance, I have a simple DIT with users in the users OU, and a separate OU for admins. In addition to the Manager, I have created an admin2 account in the admins OU, however default permissions don't allow the admin2.admins.domain.tld to create users in the users.domain.tld OU. I also don't want admin2 to have equal permissions to Manager, I am giving that account away to our users administrator and they only need access to create/modify/delete users under the users OU (on basis of least privilege I don't want them to have full access). I am using dynamic ldap, I have already created the users and admin accounts, I just need guidance on adding the ACL's. I am a complete novice with openldap, what do I need to do to grant the correct olcAccess so that the admin2 account can create users in the users.domain.tld OU ? I'd also like a read-only admin in the admins OU that can view all details for all users under users OU ? And cream on top of the cake, I'd like to prohibit accounts in the users OU from looking at any of the rest of the LDAP objects other than self ? I think I'm right I need to modify the olcAccess access rules, but don't know how, current olcAccess rules follow:- dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb <... CUT ...> olcSuffix: dc=domain,dc=tld olcRootDN: cn=Manager,dc=domain,dc=tld olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=domain,dc=tld" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=Manager,dc=domain,dc=tld" write by * read (I have tweaked the text output to replace our domain, please ignore any typos I may have inadvertently introduced) I have read the admin guides and man pages, but I can't see clearly see what ldif stanzas I need to construct ? Thanks in advance. Gary Spencer [cid:image001.jpg@01D16412.92EB2D10]<http://www.sis.tv/distribution/> Whitehall Avenue | Kingston | Milton Keynes | MK10 0AX www.sis.tv<http://www.sis.tv> ********************************************************************** Satellite Information Services Limited. Registered Office: Whitehall Avenue, Kingston, Milton Keynes, Buckinghamshire, MK10 0AX. Company No. 4243307 SIS LIVE Limited. Registered Office: Whitehall Avenue, Kingston, Milton Keynes, Buckinghamshire, MK10 0AX. Company No. 5075598 The information in this email (which includes any files transmitted with it) is confidential and is intended for the addressee only. Unauthorized recipients are required to maintain confidentiality. If you have received this email in error please notify the sender immediately, destroy any copies and delete it from your computer system. **********************************************************************

1 0

Using TLS not seeing EXTERNAL as Using TLS not seeing EXTERNAL as supported SASL mechanism
by Bill MacAllister 10 Feb '16

10 Feb '16

I am working on using TLS on an OpenLDAP server and having issues. Basically I can make a TLS connection, but I don't see EXTERNAL as one of the supportedSASLMechanisms. (slapd 2.4.41+dfsg-1ubuntu2~dbp0 built with openssl) Here is my ldapsearch: $ ldapsearch -h ldap-test-master1.corp.dropbox.com -x -ZZ -b '' -s base supportedSASLMechanisms # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: supportedSASLMechanisms # # dn: supportedSASLMechanisms: GS2-IAKERB supportedSASLMechanisms: GS2-KRB5 supportedSASLMechanisms: SCRAM-SHA-1 supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: NTLM supportedSASLMechanisms: LOGIN supportedSASLMechanisms: PLAIN # search result search: 3 result: 0 Success # numResponses: 2 Here is what I see in the server log: 2016-02-09T02:40:00.797598+00:00 ldap-test-master1 slapd[22379]: conn=1008 fd=14 ACCEPT from IP=172.17.8.240:47231 (IP=0.0.0.0:389) 2016-02-09T02:40:00.797640+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=0 EXT oid=1.3.6.1.4.1.1466.20037 2016-02-09T02:40:00.797646+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=0 STARTTLS 2016-02-09T02:40:00.797686+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=0 RESULT oid= err=0 text= 2016-02-09T02:40:00.804071+00:00 ldap-test-master1 slapd[22379]: conn=1008 fd=14 TLS established tls_ssf=256 ssf=256 2016-02-09T02:40:00.804540+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=1 BIND dn="" method=128 2016-02-09T02:40:00.804590+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=1 RESULT tag=97 err=0 text= 2016-02-09T02:40:00.804931+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" 2016-02-09T02:40:00.804941+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=2 SRCH attr=supportedSASLMechanisms 2016-02-09T02:40:00.805056+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= 2016-02-09T02:40:00.805483+00:00 ldap-test-master1 slapd[22379]: conn=1008 op=3 UNBIND 2016-02-09T02:40:00.805587+00:00 ldap-test-master1 slapd[22379]: conn=1008 fd=14 closed What should I be looking at? What am I missing? Thanks in advance, Bill

2 2

openldap 2.4.44 does not provide an slapd.d
by Mary Kao 10 Feb '16

10 Feb '16

Hello, I compiled openldap 2.4.44 on scientific linux and discovered it didn't create a slapd.d directory. There is however, a slapd.conf file. Is this right? If so, I would need to convert the slapd.conf file to slapd.d? Thanks!

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2016