Re: Syncrepl and multiple values
by Quanah Gibson-Mount
--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio
Morais <matheus_morais(a)sicredi.com.br> wrote:
> Issue 8559 opened.
>
> I'm trying to work on a patch but I'm not sure if the best solution is to
> fix accesslog to avoid duplicated values or if the sample LDIF (in its
> description) should result in a constraint violation. What do you think?
The accesslog should never write an operation that can't be replicated. If
the MOD is a valid LDAP operation (which I think it is), then it should be
accepted at the frontend. The issue may be more in delta-syncrepl's
handling of the write op than anything else.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Re: uidNumber for Service Accounts?
by Douglas Duckworth
Thanks John and everyone else. It's only performing binds for Apache and
sssd, as I do not allow anon binds to the LDAP server. This particular
account does not perform any interactive logins on *Nix boxes.
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Wed, Oct 25, 2017 at 9:18 PM, John Lewis <jl(a)hyperbolicinnovation.com>
wrote:
> On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote:
> > Hi
> >
> > Do I need uidNumber for Service Accounts used for application /
> > server binding if this user won't actually be resolved by sssd or
> > nslcd?
> >
> > I set a very high uidNumber but eventually this will conflict with
> > users as in my ignorance I didn't put this in a lower range.
> >
> > Thanks,
> >
> > Douglas Duckworth, MSc, LFCS
> > HPC System Administrator
> > Scientific Computing Unit
> > Physiology and Biophysics
> > Weill Cornell Medicine
> > E: doug(a)med.cornell.edu
> > O: 212-746-6305
> > F: 212-746-8690
>
> It depends on whether your service account needs to log in to a UNIX
> compliant system or not. If the account doesn't have a uid, it will
> most likely not be able to log in as a standard UNIX account via LDAP.
>
> If the binds go directly to an application without going through an OS
> authentication layer, for example a web user login, it probably doesn't
> matter either way whether the account has a uidNumber set or not. If
> you have an interaction with sssd or nslcd in the middle, you are going
> to need the uidNumber attribute set.
>
ldap_sasl_interactive_bind_s: Can't contact LDAP server
by Turbo Fredriksson
[I’ve posted this on the OpenStack list as well, but maybe someone
here knows more]
I’m setting up (Open)LDAP (v2.4.40) on my old Newton installation,
with the LDAP servers behind a HAProxy LB.
I’m trying to have one at a time enabled to see if I can get them
working individually before I try them as a whole/group.
I tried all day yesterday, and I could do the initial connection, but
not get any results:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
I see the connection in syslog on the LDAP server, but don’t get any
results back.
Now, first thing I did this morning was to just run the exact same
command (kinit && ldapwhoami) that I did last night.
AND IT WORKED!!
No idea why! It shouldn’t have. Glad it did, but since I can’t explain
WHY it worked, it’s annoying!! :)
So I then disabled that (working) LDAP server in the LB member list
and enabled the second. And now that is experiencing the same
problem as the first yesterday…
I didn’t change anything else - last thing I did before I went to bed
last night was try the ldapwhoami command -> “can’t contact ldap
server”. And the very first thing I did this morning was kdestroy
my ticket, get a new one and then run ldapwhoami.
I’ve run with multiple types of debugging, but there’s nothing obvious
that I can see, either from ‘-d -1’ or with KRB5_TRACE set.
So … “something” internally in OS changed. Any suggestions to what
or how to debug this?
What is ldap_sasl_interactive_bind_s() actually doing? Why does the
ldap_bind() earlier seem to work, but not the SASL bind?
See http://bayour.com/misc/ldapwhoami_output.txt for full output from
KRB5_TRACE=/dev/stdout ldapwhoami -YGSSAPI -H ldaps://ldap.bayour.net -d -1
and while this is happening, this is the output from slapd in the logs
(running with “loglevel sync stats”):
Nov 19 12:42:40 admin-auth-ldap-31 slapd[26613]: conn=1015 fd=29 ACCEPT from IP=10.0.17.34:53451 (IP=10.0.17.31:636)
Nov 19 12:42:40 admin-auth-ldap-31 slapd[26613]: conn=1015 fd=29 TLS established tls_ssf=256 ssf=256
Nov 19 12:42:40 admin-auth-ldap-31 slapd[26613]: conn=1015 op=0 BIND dn="" method=163
Nov 19 12:43:09 admin-auth-ldap-31 slapd[26613]: conn=1013 fd=22 closed (connection lost)
With ‘loglevel -1’ (and filtering out 'daemon: epoll: listen|daemon: activity on’
because it ends up filling the screen), I get:
Nov 19 12:49:28 admin-auth-ldap-31 slapd[27043]:
Nov 19 12:49:28 admin-auth-ldap-31 slapd[27043]: slap_listener_activate(12):
Nov 19 12:49:28 admin-auth-ldap-31 slapd[27043]: >>> slap_listener(ldaps://admin-auth-ldap-31.bayour.net:636/)
Nov 19 12:49:28 admin-auth-ldap-31 slapd[27043]: daemon: listen=12, new connection on 25
Nov 19 12:49:29 admin-auth-ldap-31 slapd[27043]:
Nov 19 12:49:33 admin-auth-ldap-31 slapd[27043]: daemon: added 25r (active) listener=(nil)
Nov 19 12:49:33 admin-auth-ldap-31 slapd[27043]: conn=1001 fd=25 ACCEPT from IP=10.0.17.34:54740 (IP=10.0.17.31:636)
Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: 25r
Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]:
Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: daemon: read active on 25
Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: connection_get(25)
Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: connection_get(25): got connid=1001
Nov 19 12:49:34 admin-auth-ldap-31 slapd[27043]: connection_read(25): checking for input on id=1001
Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: 25r
Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]:
Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: daemon: read active on 25
Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: connection_get(25)
Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: connection_get(25): got connid=1001
Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: connection_read(25): checking for input on id=1001
Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: connection_read(25): unable to get TLS client DN, error=49 id=1001
Nov 19 12:49:35 admin-auth-ldap-31 slapd[27043]: conn=1001 fd=25 TLS established tls_ssf=256 ssf=256
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: 25r
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]:
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: daemon: read active on 25
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: connection_get(25)
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: connection_get(25): got connid=1001
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: connection_read(25): checking for input on id=1001
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: op tag 0x60, time 1511095776
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: conn=1001 op=0 do_bind
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: >>> dnPrettyNormal: <>
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: <<< dnPrettyNormal: <>, <>
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: conn=1001 op=0 BIND dn="" method=163
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: do_bind: dn () SASL mech GSSAPI
Nov 19 12:49:36 admin-auth-ldap-31 slapd[27043]: ==> sasl_bind: dn="" mech=GSSAPI datalen=617
Nov 19 12:49:37 admin-auth-ldap-31 slapd[27043]:
Nov 19 12:49:54 admin-auth-ldap-31 slapd[27043]:
Nov 19 12:49:55 admin-auth-ldap-31 slapd[27043]:
Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: 25r
Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]:
Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: daemon: read active on 25
Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_get(25)
Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_get(25): got connid=1001
Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_read(25): checking for input on id=1001
Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: ber_get_next on fd 25 failed errno=0 (Success)
Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_read(25): input error=-2 id=1001, closing.
Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_closing: readying conn=1001 sd=25 for close
Nov 19 12:50:26 admin-auth-ldap-31 slapd[27043]: connection_close: deferring conn=1001 sd=25
Nov 19 12:50:27 admin-auth-ldap-31 slapd[27043]:
Nov 19 12:50:28 admin-auth-ldap-31 slapd[27043]:
So nothing obvious that I can see. Which is reasonable, because
“eventually” it worked on the previous LDAP server, so it can’t be
a slapd problem. But I was hoping someone who has tried this
on OS or behind a HAProxy setup might be able to shed some
light on this.
PS. I’ve done the exact same thing at work, in AWS, and there it
works just fine. So I’m fairly certain it’s something with OS/HAProxy,
but I don’t know how to debug that bit.
Re: [LMDB] Large transactions
by Howard Chu
Jürgen Baier wrote:
> Hi,
>
> I have a question about LMDB (I hope this is the right mailing list for such a
> question).
>
> I'm running a benchmark (which is similar to my intended use case) which does
> not behave as I hoped. I store 1 billion key/value pairs in a single LMDB
> database. _In a single transaction._ The keys are MD5 hash codes from random
> data (16 bytes) and the value is the string "test".
> The documentation about mdb_page_spill says (as far as I understand) that this
> function is called to prevent MDB_TXN_FULL situations. Does this mean that my
> transaction is simply too large to be handled efficiently by LMDB?
Yes.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Openldap-ltb-2.4.44-2 - Issue with Password Management
by Raja T Nair
Thanks for the timely response, Mike/Ulrich.
It was a missing configuration. I missed this line in slapd.conf:
ppolicy_hash_cleartext
Once that got added, things started working fine.
It was a server rebuild as the old one crashed, and I used a conf file from a
wrong backup :(
Mike: Thanks for the explanation. It helped.
Btw, I was just explaining my observation. Never expected slapd to do that
magic :)
Best Regards,
Raja.
On 29 November 2017 at 14:09, Ulrich Windl <
Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
> You should at least show us the whole $entry.
>
>
>
> > Hello All,
> >
> > I'm using openldap-ltb-2.4.44-2
> > Using password-hash {SSHA512}
> >
> > We have an in-house portal which allows people to change their passwords.
> > It is written in PHP.
> >
> > version = php 5.6
> > lib = php-ldap
> > $entry['userpassword'] = $newpasswd;
> > ldap_modify($conn, $userdn, $entry);
> >
> > $newpasswd contains new password in plain text.
> >
> > It seems that the server does not encrypt the plain text string sent to it
> > from the portal, it only encodes it in base64.
> >
> > When an encrypted string is sent (SSHA512), the server rejects based on
> > password policy since no special character is present.
> >
> > We would want to make the first method to work. Can somebody help me with
> > this?
> >
> > ps: ldappasswd command works perfectly and the password gets encrypted in
> > SSHA512 and encoded in base64.
> >
> > Best Regards,
> > Raja.
> >
> > --
> > :^)
>
>
--
:^)
Openldap-ltb-2.4.44-2 - Issue with Password Management
by Raja T Nair
Hello All,
I'm using openldap-ltb-2.4.44-2
Using password-hash {SSHA512}
We have an in-house portal which allows people to change their passwords.
It is written in PHP.
version = php 5.6
lib = php-ldap
$entry['userpassword'] = $newpasswd;
ldap_modify($conn, $userdn, $entry);
$newpasswd contains new password in plain text.
It seems that the server does not encrypt the plain text string sent to it
from the portal, it only encodes it in base64.
When an encrypted string is sent (SSHA512), the server rejects based on
password policy since no special character is present.
We would want to make the first method to work. Can somebody help me with
this?
ps: ldappasswd command works perfectly and the password gets encrypted in
SSHA512 and encoded in base64.
Best Regards,
Raja.
--
:^)
Convert SSHA userPassword attribute to use in /etc/shadow
by tran dung
Hi
I have some servers that cannot connect to the LDAP server, so I have to create
accounts on the servers using the hashed password from LDAP.
Is it possible?
From the userPassword attribute in LDAP, I can get the hashed password and salt
value in hex format.
How can I convert these hex format values to use in /etc/shadow?
Best Regards
-----------------------
Tran Dung
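The two threads above (the missing ppolicy_hash_cleartext line, and the {SSHA} digest-and-salt question) both come down to what a userPassword value actually contains. The following is an added example, not code from any post or from OpenLDAP: it treats values with no known {SCHEME} prefix as cleartext (what the PHP ldap_modify above ends up storing when the overlay is not hashing), splits a salted SHA value into its digest and salt, and verifies a candidate password against it. The LDIF sample, DNs, salt and passwords are constructed.

```python
"""Classify, verify and audit OpenLDAP userPassword values. Added example, not the posts' code.
A value with no {SCHEME} prefix is what slapd stores when a client writes a plain string and
ppolicy_hash_cleartext is off; slapcat then shows it merely base64-encoded. A salted SHA value
cannot be turned into an /etc/shadow $6$ (sha512-crypt) entry, only verified against."""
import base64
import hashlib
import hmac

SSHA = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA384": "sha384", "SSHA512": "sha512"}
KNOWN = set(SSHA) | {"SHA", "MD5", "SMD5", "CRYPT"}  # schemes this script recognises

def classify(value):
    """Return (SCHEME, payload), or (None, value) when no known {SCHEME} prefix is present."""
    scheme, brace, payload = value[1:].partition("}") if value.startswith("{") else ("", "", value)
    return (scheme.upper(), payload) if brace and scheme.upper() in KNOWN else (None, value)

def split_ssha(value):
    """Split an {SSHA*} value, base64(digest || salt), into (hashlib name, digest, salt)."""
    scheme, payload = classify(value)
    if scheme not in SSHA:
        raise ValueError("not a salted SHA value: %r" % value)
    raw, n = base64.b64decode(payload), hashlib.new(SSHA[scheme]).digest_size
    if len(raw) <= n:
        raise ValueError("payload too short to hold a salt")
    return SSHA[scheme], raw[:n], raw[n:]

def verify(value, candidate):
    name, digest, salt = split_ssha(value)  # recompute sha*(candidate || salt), compare in constant time
    return hmac.compare_digest(hashlib.new(name, candidate.encode("utf-8") + salt).digest(), digest)

def make_ssha512(password, salt):
    """Build a value the way slappasswd -h {SSHA512} does (slapd itself picks a random salt)."""
    return "{SSHA512}" + base64.b64encode(hashlib.sha512(password.encode("utf-8") + salt).digest() + salt).decode("ascii")

def audit(ldif_lines):
    """Yield (dn, value) for entries in a slapcat dump whose userPassword is stored cleartext."""
    dn = None
    for line in ldif_lines:
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):  # '::' marks a base64-encoded attribute value
            value = base64.b64decode(line[15:]).decode("utf-8", "replace")
            if classify(value)[0] is None:
                yield dn, value

# Constructed sample dump: alice's password was hashed by slapd, bob's was written as a plain string.
SAMPLE_LDIF = ["dn: uid=alice,ou=people,dc=example,dc=com",
               "userPassword:: " + base64.b64encode(make_ssha512("correct horse", b"12345678").encode()).decode(),
               "dn: uid=bob,ou=people,dc=example,dc=com",
               "userPassword:: aHVudGVyMg=="]  # base64("hunter2"): no scheme prefix, i.e. cleartext
```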
Too Much LDAP Log Activity?
by Douglas Duckworth
Hi
Thanks to several users on this list I have our cluster up and running.
The databases look good as does performance.
However, logs are increasing about 1MB every few minutes.
Does everyone typically send all of local4 to a file or only filter out for
example warning and above?
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
Re: Too Much LDAP Log Activity?
by Douglas Duckworth
I agree that logrotate can handle this but I guess what's the point of
logging normal activity that's not actionable?
On Nov 22, 2017 2:30 PM, "MJ J" <mikedotjackson(a)gmail.com> wrote:
> 1mb every few minutes is inconsequential - no impact on performance or
> disk space. You have logrotate to handle the disk space.
>
> 1gb every few minutes and you have a real problem to worry about in
> terms of both performance and disk space.
>
> On Wed, Nov 22, 2017 at 8:35 PM, Douglas Duckworth
> <dod2014(a)med.cornell.edu> wrote:
> > Hi
> >
> > Thanks to several users on this list I have our cluster up and running.
> > The databases look good as does performance.
> >
> > However, logs are increasing about 1MB every few minutes.
> >
> > Does everyone typically send all of local4 to a file or only filter out for
> > example warning and above?
> >
> > Thanks,
> >
> > Douglas Duckworth, MSc, LFCS
> > HPC System Administrator
> > Scientific Computing Unit
> > Physiology and Biophysics
> > Weill Cornell Medicine
> > E: doug(a)med.cornell.edu
> > O: 212-746-6305
> > F: 212-746-8690
>
Re: Too Much LDAP Log Activity?
by Douglas Duckworth
local4.* but I really would only want to see warnings. Would auth failures
show up in local4.warn?
On Nov 22, 2017 1:48 PM, "Frank Swasey" <Frank.Swasey(a)uvm.edu> wrote:
I send all - but, what gets sent is controlled by the loglevel statement in
your config - what have you set yours to?
On 11/22/17, 13:36, "openldap-technical on behalf of Douglas Duckworth" <
openldap-technical-bounces(a)openldap.org on behalf of dod2014(a)med.cornell.edu>
wrote:
Hi
Thanks to several users on this list I have our cluster up and running.
The databases look good as does performance.
However, logs are increasing about 1MB every few minutes.
Does everyone typically send all of local4 to a file or only filter out for
example warning and above?
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
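For the HAProxy/GSSAPI post earlier on this page and the question just above about whether auth failures would show up in local4.warn, here is an added example, not code from any post: it groups slapd "loglevel stats" lines by conn=N, reports BINDs that never received a RESULT on the same op (the pattern in the HAProxy post's excerpt, where the method=163 SASL BIND arrives and nothing follows before the close) and lists binds answered err=49. The sample lines are constructed, modelled on that excerpt; conn=1016 and its bind DN are made up.

```python
"""Mine slapd 'loglevel stats' lines for unanswered and failed BINDs. Added example, not the
posts' code. slapd emits every stats line at one syslog priority (LOG_DEBUG unless started
with -s), so a local4.warn selector cannot single out failures; filter the lines instead.
Sample lines are constructed, modelled on the HAProxy post's excerpt (conn=1016 is made up)."""
import re

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ slapd\[\d+\]: conn=(\d+) (.*)$")
OP_RE = re.compile(r"^op=(\d+) (\w+) ?(.*)$")

SAMPLE_LOG = """\
Nov 19 12:42:40 admin-auth-ldap-31 slapd[26613]: conn=1015 fd=29 ACCEPT from IP=10.0.17.34:53451 (IP=10.0.17.31:636)
Nov 19 12:42:40 admin-auth-ldap-31 slapd[26613]: conn=1015 fd=29 TLS established tls_ssf=256 ssf=256
Nov 19 12:42:40 admin-auth-ldap-31 slapd[26613]: conn=1015 op=0 BIND dn="" method=163
Nov 19 12:43:09 admin-auth-ldap-31 slapd[26613]: conn=1013 fd=22 closed (connection lost)
Nov 19 12:43:30 admin-auth-ldap-31 slapd[26613]: conn=1016 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Nov 19 12:43:30 admin-auth-ldap-31 slapd[26613]: conn=1016 op=0 RESULT tag=97 err=49 text=
Nov 19 12:43:30 admin-auth-ldap-31 slapd[26613]: conn=1016 fd=30 closed
"""

def by_connection(lines):
    """Group (timestamp, text after 'conn=N ') tuples by connection id, in log order."""
    conns = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            conns.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
    return conns

def analyse(lines):
    """Return (unanswered, failed): unanswered = {(conn, op): bind_ts} for BINDs that got no
    RESULT on that op; failed = [(conn, dn, ts)] for BINDs answered err=49 (invalidCredentials)."""
    unanswered, failed = {}, []
    for conn, events in by_connection(lines).items():
        pending = {}  # op -> (bind timestamp, bind dn) until its RESULT arrives
        for ts, rest in events:
            m = OP_RE.match(rest)
            if not m:
                continue  # ACCEPT, TLS established, closed ... lines carry no op=
            op, kind, tail = int(m.group(1)), m.group(2), m.group(3)
            if kind == "BIND":  # SASL logs several BIND lines per op; keep the first
                dn = re.search(r'dn="([^"]*)"', tail)
                pending.setdefault(op, (ts, dn.group(1) if dn else ""))
            elif kind == "RESULT" and op in pending:
                if re.search(r"\berr=49\b", tail):
                    failed.append((conn, pending[op][1], ts))
                pending.pop(op)
        unanswered.update({(conn, op): v[0] for op, v in pending.items()})
    return unanswered, failed
```

Run it over a real stats log with analyse(open(path).readlines()); a connection listed in unanswered with a method=163 BIND is the HAProxy symptom, and failed is the list a local4.warn filter would never produce.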