March 2016 - openldap-technical

Returned mail: see transcript for details

by dieter＠dkluenter.de

Message could not be delivered

5 years, 4 months

1
0
0 / 0

No "known good" password found for the user. Not setting Auth-Type

by MichaelLeung

hi list i was trying to deploy freeradius + openldap ,and got warning like this (0) ldap : Processing user attributes (0) WARNING: ldap : No "known good" password added. Ensure the admin user has permission to read the password attribute (0) WARNING: ldap : PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (0) WARNING: pap : Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject the ldap account i added to radius configuration file was not the LDAP Manager account , but when i change the account to LDAP Manager user , the warning would not be shown again , and the pass authentication challenge. how can i authorize a normal ldap account can read userPassword attribute , then i can add the account to those system which need LDAP .

5 years, 4 months

1
0
0 / 0

DB_LOG_AUTOREMOVE fails to suppress the log files

by jupiter

Hi, I am running openldap servers 2.4.40 with bdb on CentOS 6, it creates 10 MB log file in every 2 - 3 minutes, no surprisingly, it fills up the disk quickly. To fix the issue, I added following statement to DB_CONFIG, restarted splapd, but it does not seem work, the log files are still glowing and creating. Could anyone help please why the DB_LOG_AUTOREMOVE is unable to stop log files? Sorry for posting it to different lists as we are not be able to run the ldap server when it fills up the disk so quickly. set_flags DB_LOG_AUTOREMOVE Thanks for your helps. Kind regards,

5 years, 4 months

3
7
0 / 0

storing HA1 password hash for HTTP DIGEST, SIP, TURN

by Daniel Pocock

Hi all, There are a few protocols that use a HA1[1] password hash, such as HTTP DIGEST[1], SIP DIGEST[2] and TURN[3] (which uses HMAC rather than DIGEST) Is there a standard LDAP attribute name for storing a HA1 value or should it be stored in a regular userPassword attribute as described in the manual[4]? I came across smbk5pwd for keeping SMB password attributes in sync. Is there a similar facility for keeping HA1 passwords in sync when a user changes the password or how could a developer go about adding that, would the smbk5pwd source be a useful model? Regards, Daniel 1. http://tools.ietf.org/html/rfc2617#section-3 2. https://tools.ietf.org/html/rfc3261#section-22.4 3. https://tools.ietf.org/html/rfc5389#section-15.4 4. http://www.openldap.org/doc/admin24/security.html#Password%20Storage

5 years, 4 months

3
5
0 / 0

rewrite overlay to combine multiple OUs

by Nick Couchman

Well, I have a situation (a particular application, actually), that is so arcane in its configuration that it requires that all of the users for the application be in the same OU. So, the config for the app is something like: CN=%USERNAME%,ou=Users,dc=example,dc=com So, the application substitutes in the %USERNAME% value with the actual username, and then does a bind with the supplied password. My tree is a little more complicated than that - another dc level or two and several different ou=People places - something like this: ou=People,dc=engineering,dc=example,dc=com ou=People,dc=administration,dc=example,dc=com ou=People,dc=operations,dc=example,dc=com etc. with all of the users located under the ou=People branches of the tree. What I'm hoping is that there's some way that I can virtually combine the ou=People locations in my LDAP tree such that, when the application requests cn=Nick,ou=users,dc=example,dc=com, it goes out and searches through either the entire dc=example,dc=com tree or goes through and looks at each of the ou=People locations until it finds it and transparently redirects, allowing this application to function correctly in its stupid configuration, but without me having to create a bunch of aliases in a single location in my tree, or, worse, actually reorganize my tree. I'm thinking there's probably a way to do this with the rewriteRule and some regular expressions, but I can't find quite the combination of rules/expressions to accomplish this. Any ideas? Or am I stuck making aliases? Thanks, Nick == This e-mail may contain SEAKR Engineering (SEAKR) Confidential and Proprietary Information. If this message is not intended for you, you are strictly prohibited from using this message, its contents or attachments in any way. If you have received this message in error, please delete the message from your mailbox. This e-mail may contain export-controlled material and should be handled accordingly.

5 years, 4 months

2
4
0 / 0

Replication of local entries with translucent overlay

by Igor

Hello, I have an openLDAP proxy server which uses the translucent overlay to supplement Active Directory records with additional attributes. I wanted to set up replication for my translucent entries (specifically, push-based provider/consumer scheme, refreshAndPersist mode). Since slapo-translucent turns off maintenance of the entryCSN and entryUUID attributes (turns off the lastmod option in the translucent_db_init function), it cannot be used with slapo-syncprov (which requires entryCSN and entryUUID attributes). I understand that to make these two overlays work together in all scenarios may not be trivial. However, for my specific scenario, it seems to be enough to just comment out that line which turns off lastmod: ============== --- servers/slapd/overlays/translucent.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/servers/slapd/overlays/translucent.c b/servers/slapd/overlays/translucent.c index 48cca49..45b45a0 100644 --- a/servers/slapd/overlays/translucent.c +++ b/servers/slapd/overlays/translucent.c @@ -1282,7 +1282,7 @@ static int translucent_db_init(BackendDB *be, ConfigReply *cr) { return 1; } SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NO_SCHEMA_CHECK; - SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD; +// SLAP_DBFLAGS(be) |= SLAP_DBFLAG_NOLASTMOD; return 0; } -- 1.7.1 ============== Everything replicates correctly after that. I don't expect anyone to scour the openLDAP code to come up with an exhaustive list of potential bugs that may arise because of this. I assume the risks that come with such a solution. Having said that, can anyone think of any issues with commenting that line in translucent_db_init, and setting entryCSN, entryUUID, contextCSN attributes to be searched in local glue records only (via olcTranslucentLocal)? Thanks, -Igor

5 years, 4 months

2
1
0 / 0

Users with multiple passwords?

by dev

Hello All, I have OpenLDAP (2.4.31-1+nmu2ubuntu8.2) setup to authenticate users on our LAN with ActiveDirectory using SASL passthrough. I want to give some of these users access to VPN (OpenVPN) services (auth with the same OpenLDAP server above) however I want to give them an {SHA1} password to access the VPN. I've created another OU (OU=vpnuser) and simply duplicated the entire user entry into it. I have the VPN server using a searchbase of "OU=vpnuser.." and things are working as I want... sort of.. Some software on the LAN finds two users in ldap now so I explicitly exclude OU=vpnuser from searchbases (!OU=vpnuser). ugh.. Is there a better way to accomplish what I am trying to do? Give the same user two different passwords in the ldap tree? Thanks

5 years, 4 months

2
1
0 / 0

Re: ldapmodify hangs, slapd appears to be looping

by Quanah Gibson-Mount

If you're artificially stuck using RH's builds, then you'll need to contact them for support. --Quanah --On Thursday, March 03, 2016 3:42 PM +0000 "Heinemann, Peter" <phei(a)isc.upenn.edu> wrote: > True, but unfortunately recommended practice collides with (artificial) > standards.... > > ________________________________________ > From: Quanah Gibson-Mount <quanah(a)zimbra.com> > Sent: Thursday, March 3, 2016 10:37 AM > To: Heinemann, Peter; openldap-technical(a)openldap.org > Subject: Re: ldapmodify hangs, slapd appears to be looping > > --On Thursday, March 03, 2016 3:23 PM +0000 "Heinemann, Peter" > <phei(a)isc.upenn.edu> wrote: > >> >> >> >> >> Openldap 2.4.40-6.el6_7 > > As has been repeatedly mentioned on the list, please don't use RH's > OpenLDAP builds. Please do use a current release. You may wish to look > into using a build from the LTB project or Symas. > > <http://ltb-project.org/wiki/download#openldap> > <https://symas.com/products/openldap-directory/> > > There were some known issues with mdb in 2.4.40 and 2.4.41 you may be > triggering here. > > --Quanah > > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > A division of Synacor, Inc -- Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration A division of Synacor, Inc

5 years, 4 months

1
0
0 / 0

ldapmodify hangs, slapd appears to be looping

by Heinemann, Peter

Openldap 2.4.40-6.el6_7 RHEL 6.7 mdb backend ldapmodify is hanging; the hang first evidenced itself in a bulk update. The hang occurs even for a simple update -- with debug set to 1 on the ldapmodify statement (using interactive mode) the block of output listed at below repeats endlessly with no change to the values displayed. The slapd audit log shows no update for the intended record. The problem started after I added a significant amount of data; not new structural objects (OUs) but many entries under them. Have I reached some sort of threshold? I have: - stopped/started slapd; - run a full slapcat and slapadd to a new database I am running the monitor database; would there be data of value there about this condition? mdb_stats output: sudo mdb_stat -ef /etc/openldap/openldap-data Environment Info Map address: (nil) Map size: 8589934592 Page size: 4096 Max pages: 2097152 Number of pages used: 618975 Last transaction ID: 3647 Max readers: 126 Number of readers used: 0 Freelist Status Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 11 Entries: 7 Free pages: 5233 Status of Main DB Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 16 debug output from ldapmodify: ** ld 0x1ed4e30 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x1ed4e30 request count 1 (abandoned 0) ** ld 0x1ed4e30 Response Queue: Empty ld 0x1ed4e30 response count 0 ldap_chkResponseList ld 0x1ed4e30 msgid 2 all 1 ldap_chkResponseList returns ld 0x1ed4e30 NULL ldap_int_select ldap_result ld 0x1ed4e30 msgid 2 wait4msg ld 0x1ed4e30 msgid 2 (timeout 100000 usec) wait4msg continue ld 0x1ed4e30 msgid 2 all 1 ** ld 0x1ed4e30 Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Thu Mar 3 10:04:05 2016 ** ld 0x1ed4e30 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x1ed4e30 request count 1 (abandoned 0) ** ld 0x1ed4e30 Response Queue: Empty ld 0x1ed4e30 response count 0 ldap_chkResponseList ld 0x1ed4e30 msgid 2 all 1 ldap_chkResponseList returns ld 0x1ed4e30 NULL ldap_int_select ldap_result ld 0x1ed4e30 msgid 2 wait4msg ld 0x1ed4e30 msgid 2 (timeout 100000 usec) wait4msg continue ld 0x1ed4e30 msgid 2 all 1 ** ld 0x1ed4e30 Connections: * host: localhost port: 389 (default) refcnt: 2 status: Connected last used: Thu Mar 3 10:04:05 2016 ...etc

5 years, 4 months

2
1
0 / 0

OpenLDAP 2.4x Syncrepl setup

by Ted Hyde (RSI)

Greets - I'm trying to set up a new slave (consumer) server that would test against an existing (read: legacy) Samba4 AD controller for LDAP auth. The intent is to have the consumers as distributed HA-like setups in the event that VPNs or full off-site network connectivity was lost, users could still authenticate against the local LDAP services. (The application auth is really quite simple in this case, just some php grabbing a bunch of groups, not full AD work). In "ye olde days", I could do this with slapd.conf, but I'm trying to upgrade my own brain-software to understand OLC better, and am hitting a brick wall. I'd really like to just have the following on each consumer server: syncrepl rid=1 provider=ldap://ldap.example.com type=refreshOnly interval=00:00:00:30 searchbase="dc=example,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=root,dc=example,dc=com" credentials=secret updateref ldap://ldap.example.com tailed to the end of what would have been a few more lines describing the db for the consumer, but I've not found anywhere how to describe the above snippet into an ldif file. I ran this snippet (names corrected of course) through slaptest just to see if it could handle a partial, and of course it failed (missing db schema) - but if I add the db schema as a header, it fails because of the existing slapd.d directory. If I delete the slapd.d directory and place this old format into slapd.conf, restarting the service fails with a db import error. Yet, some of my old 2.2 configs run fine on 2.2 but fail on 2.4 The service does run, in that I can plow out an old config, start clean, add sample users by hand etc, so at least it's a working server, it just won't join to an existing one or pull a directory from another place. The 2.4 Admin docs say to add the old schema to the slapd.conf file (as I attempted above), but doesn't explore how to do it with OLC. The goal would be to have consumer slapd's running at my off-sites that act in the refreshOnly mode; push up technology is NOT required. Or wanted, actually. Suggestions welcome! Thanks, Ted.

5 years, 4 months

4
3
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2016