openldap-technical March 2016

openldap-technical@openldap.org

51 participants
51 discussions

Re: DB_LOG_AUTOREMOVE fails to suppress the log files
by jupiter 08 Mar '16

08 Mar '16

Thanks Quanah, you are right, the solution is to switch to mdb. Thank you very much. - jupiter On Tue, Mar 8, 2016 at 7:36 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Monday, March 07, 2016 9:35 PM +1100 jupiter <jupiter.hce(a)gmail.com> > wrote: > > The logsize is set to 10 MB, it creates a 10 MB log file every 2 - 3 >> minutes (it grows so fast, like the movie "Evolution" :-)), I ran the >> db_archive -d 10 hours ago when the disk was full, and I have run the >> db_archive -d now as the disk is full again despite the server is not too >> busy. Why doesn't the slapd do it automatically? Apart that issue, the >> ldap is running very well. I really want to figure out what is going on, >> but if I cannot find a solution, I have no choice but run a cron job to >> call db_archive -d every 8 hours. I guess that should not cause ldap any >> side effect, right? >> > > The real solution, again, is to dump the broken RH build and switch to > MDB. Then there will no longer be any pointless log files created, and your > system will be both more secure and faster (and take a smaller footprint). > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc >

1 0

Returned mail: see transcript for details
by dieter＠dkluenter.de 08 Mar '16

08 Mar '16

Message could not be delivered

1 0

No "known good" password found for the user. Not setting Auth-Type
by MichaelLeung 07 Mar '16

07 Mar '16

hi list i was trying to deploy freeradius + openldap ,and got warning like this (0) ldap : Processing user attributes (0) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute (0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (0) WARNING: pap : Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject the ldap account i added to radius configuration file was not the LDAP Manager account , but when i change the account to LDAP Manager user , the warning would not be shown again , and the pass authentication challenge. how can i authorize a normal ldap account can read userPassword attribute , then i can add the account to those system which need LDAP .

1 0

DB_LOG_AUTOREMOVE fails to suppress the log files
by jupiter 07 Mar '16

07 Mar '16

Hi, I am running openldap servers 2.4.40 with bdb on CentOS 6, it creates 10 MB log file in every 2 - 3 minutes, no surprisingly, it fills up the disk quickly. To fix the issue, I added following statement to DB_CONFIG, restarted splapd, but it does not seem work, the log files are still glowing and creating. Could anyone help please why the DB_LOG_AUTOREMOVE is unable to stop log files? Sorry for posting it to different lists as we are not be able to run the ldap server when it fills up the disk so quickly. set_flags DB_LOG_AUTOREMOVE Thanks for your helps. Kind regards,

3 7

storing HA1 password hash for HTTP DIGEST, SIP, TURN
by Daniel Pocock 06 Mar '16

06 Mar '16

Hi all, There are a few protocols that use a HA1[1] password hash, such as HTTP DIGEST[1], SIP DIGEST[2] and TURN[3] (which uses HMAC rather than DIGEST) Is there a standard LDAP attribute name for storing a HA1 value or should it be stored in a regular userPassword attribute as described in the manual[4]? I came across smbk5pwd for keeping SMB password attributes in sync. Is there a similar facility for keeping HA1 passwords in sync when a user changes the password or how could a developer go about adding that, would the smbk5pwd source be a useful model? Regards, Daniel 1. http://tools.ietf.org/html/rfc2617#section-3 2. https://tools.ietf.org/html/rfc3261#section-22.4 3. https://tools.ietf.org/html/rfc5389#section-15.4 4. http://www.openldap.org/doc/admin24/security.html#Password%20Storage

3 5

rewrite overlay to combine multiple OUs
by Nick Couchman 06 Mar '16

06 Mar '16

Well, I have a situation (a particular application, actually), that is so arcane in its configuration that it requires that all of the users for the application be in the same OU. So, the config for the app is something like: CN=%USERNAME%,ou=Users,dc=example,dc=com So, the application substitutes in the %USERNAME% value with the actual username, and then does a bind with the supplied password. My tree is a little more complicated than that - another dc level or two and several different ou=People places - something like this: ou=People,dc=engineering,dc=example,dc=com ou=People,dc=administration,dc=example,dc=com ou=People,dc=operations,dc=example,dc=com etc. with all of the users located under the ou=People branches of the tree. What I'm hoping is that there's some way that I can virtually combine the ou=People locations in my LDAP tree such that, when the application requests cn=Nick,ou=users,dc=example,dc=com, it goes out and searches through either the entire dc=example,dc=com tree or goes through and looks at each of the ou=People locations until it finds it and transparently redirects, allowing this application to function correctly in its stupid configuration, but without me having to create a bunch of aliases in a single location in my tree, or, worse, actually reorganize my tree. I'm thinking there's probably a way to do this with the rewriteRule and some regular expressions, but I can't find quite the combination of rules/expressions to accomplish this. Any ideas? Or am I stuck making aliases? Thanks, Nick == This e-mail may contain SEAKR Engineering (SEAKR) Confidential and Proprietary Information. If this message is not intended for you, you are strictly prohibited from using this message, its contents or attachments in any way. If you have received this message in error, please delete the message from your mailbox. This e-mail may contain export-controlled material and should be handled accordingly.

2 4

Replication of local entries with translucent overlay
by Igor 04 Mar '16

04 Mar '16

Hello, I have an openLDAP proxy server which uses the translucent overlay to supplement Active Directory records with additional attributes. I wanted to set up replication for my translucent entries (specifically, push-based provider/consumer scheme, refreshAndPersist mode). Since slapo-translucent turns off maintenance of the entryCSN and entryUUID attributes (turns off the lastmod option in the translucent_db_init function), it cannot be used with slapo-syncprov (which requires entryCSN and entryUUID attributes). I understand that to make these two overlays work together in all scenarios may not be trivial. However, for my specific scenario, it seems to be enough to just comment out that line which turns off lastmod: ============== --- servers/slapd/overlays/translucent.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c index 48cca49..45b45a0 100644 --- a/servers/slapd/overlays/translucent.c +++ b/servers/slapd/overlays/translucent.c @@ -1282,7 +1282,7 @@ static int translucent_db_init(BackendDB *be, ConfigReply *cr) { return 1; } SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NO_SCHEMA_CHECK; - SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD; +// SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD; return 0; } -- 1.7.1 ============== Everything replicates correctly after that. I don't expect anyone to scour the openLDAP code to come up with an exhaustive list of potential bugs that may arise because of this. I assume the risks that come with such a solution. Having said that, can anyone think of any issues with commenting that line in translucent_db_init, and setting entryCSN, entryUUID, contextCSN attributes to be searched in local glue records only (via olcTranslucentLocal)? Thanks, -Igor

2 1

Users with multiple passwords?
by dev 03 Mar '16

03 Mar '16

Hello All, I have OpenLDAP (2.4.31-1+nmu2ubuntu8.2) setup to authenticate users on our LAN with ActiveDirectory using SASL passthrough. I want to give some of these users access to VPN (OpenVPN) services (auth with the same OpenLDAP server above) however I want to give them an {SHA1} password to access the VPN. I've created another OU (OU=vpnuser) and simply duplicated the entire user entry into it. I have the VPN server using a searchbase of "OU=vpnuser.." and things are working as I want... sort of.. Some software on the LAN finds two users in ldap now so I explicitly exclude OU=vpnuser from searchbases (!OU=vpnuser). ugh.. Is there a better way to accomplish what I am trying to do? Give the same user two different passwords in the ldap tree? Thanks

2 1

Re: ldapmodify hangs, slapd appears to be looping
by Quanah Gibson-Mount 03 Mar '16

03 Mar '16

If you're artificially stuck using RH's builds, then you'll need to contact them for support. --Quanah --On Thursday, March 03, 2016 3:42 PM +0000 "Heinemann, Peter" <phei(a)isc.upenn.edu> wrote: > True, but unfortunately recommended practice collides with (artificial) > standards.... > > ________________________________________ > From: Quanah Gibson-Mount <quanah(a)zimbra.com> > Sent: Thursday, March 3, 2016 10:37 AM > To: Heinemann, Peter; openldap-technical(a)openldap.org > Subject: Re: ldapmodify hangs, slapd appears to be looping > > --On Thursday, March 03, 2016 3:23 PM +0000 "Heinemann, Peter" > <phei(a)isc.upenn.edu> wrote: > >> >> >> >> >> Openldap 2.4.40-6.el6_7 > > As has been repeatedly mentioned on the list, please don't use RH's > OpenLDAP builds. Please do use a current release. You may wish to look > into using a build from the LTB project or Symas. > > <http://ltb-project.org/wiki/download#openldap> > <https://symas.com/products/openldap-directory/> > > There were some known issues with mdb in 2.4.40 and 2.4.41 you may be > triggering here. > > --Quanah > > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc -- Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration A division of Synacor, Inc

1 0

ldapmodify hangs, slapd appears to be looping
by Heinemann, Peter 03 Mar '16

03 Mar '16

Openldap 2.4.40-6.el6_7 RHEL 6.7 mdb backend ldapmodify is hanging; the hang first evidenced itself in a bulk update. The hang occurs even for a simple update -- with debug set to 1 on the ldapmodify statement (using interactive mode) the block of output listed at below repeats endlessly with no change to the values displayed. The slapd audit log shows no update for the intended record. The problem started after I added a significant amount of data; not new structural objects (OUs) but many entries under them. Have I reached some sort of threshold? I have: - stopped/started slapd; - run a full slapcat and slapadd to a new database I am running the monitor database; would there be data of value there about this condition? mdb_stats output: sudo mdb_stat -ef /etc/openldap/openldap-data Environment Info Map address: (nil) Map size: 8589934592 Page size: 4096 Max pages: 2097152 Number of pages used: 618975 Last transaction ID: 3647 Max readers: 126 Number of readers used: 0 Freelist Status Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 11 Entries: 7 Free pages: 5233 Status of Main DB Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 16 debug output from ldapmodify: ** ld 0x1ed4e30 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x1ed4e30 request count 1 (abandoned 0) ** ld 0x1ed4e30 Response Queue: Empty ld 0x1ed4e30 response count 0 ldap_chkResponseList ld 0x1ed4e30 msgid 2 all 1 ldap_chkResponseList returns ld 0x1ed4e30 NULL ldap_int_select ldap_result ld 0x1ed4e30 msgid 2 wait4msg ld 0x1ed4e30 msgid 2 (timeout 100000 usec) wait4msg continue ld 0x1ed4e30 msgid 2 all 1 ** ld 0x1ed4e30 Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Thu Mar 3 10:04:05 2016 ** ld 0x1ed4e30 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x1ed4e30 request count 1 (abandoned 0) ** ld 0x1ed4e30 Response Queue: Empty ld 0x1ed4e30 response count 0 ldap_chkResponseList ld 0x1ed4e30 msgid 2 all 1 ldap_chkResponseList returns ld 0x1ed4e30 NULL ldap_int_select ldap_result ld 0x1ed4e30 msgid 2 wait4msg ld 0x1ed4e30 msgid 2 (timeout 100000 usec) wait4msg continue ld 0x1ed4e30 msgid 2 all 1 ** ld 0x1ed4e30 Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Thu Mar 3 10:04:05 2016 ...etc

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2016