openldap-technical April 2017

openldap-technical@openldap.org

27 participants
45 discussions

Re: chain overlay does an anonymous bind and ignores the chain binddn (v2.4.44)
by Howard Chu 27 Apr '17

27 Apr '17

Matthew Kemp wrote: > > On Thu, Apr 20, 2017 at 6:36 AM, mailing lists <listas.correo(a)yahoo.es > <mailto:listas.correo@yahoo.es>> wrote: > > Hello, > > I am testing the chain overlay from a read-only slave (consumer) slapd > server to a read-write master (provider), but what I am seeing is an > anonymous bind from the consumer to the provider instead of the > authorization identity configurated in the chain directive. > > > We're also seeing the same behavior and reported a similar issue last month to > this list: > http://www.openldap.org/lists/openldap-technical/201703/msg00047.html > > I'm hopeful we can track down this issue as it's causing us some issues that > we'll need to resolve eventually. Only ProxyAuth will work, now. As documented, the chain overlay only intercepts responses to operations, and only acts when it sees a referral in the response. In order for rebind-as-user to work, the overlay would need to intercept Bind requests and cache the credentials, but it never intercepts Bind requests, therefore it has nothing to rebind with. It *could* intercept referrals from Bind responses, and grab the user's credentials at that point. But back in 2004 we turned those off, and slapd now will never return a referral to a Bind request. (commit 100facedf3c9ec241121a5e3ad7aa059a7c57bc2 in git.) Probably we should remove references to rebind-as-user from the slapo-chain(5) manpage now, since that commit basically killed this feature. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

Re: chain overlay does an anonymous bind and ignores the chain binddn (v2.4.44)
by Matthew Kemp 26 Apr '17

26 Apr '17

On Wed, Apr 26, 2017 at 4:12 PM, Quanah Gibson-Mount <quanah(a)symas.com> wrote: > Hi Matthew, > > Can you look at follow up#4 to ITS#8008 and see if that helps your > situation? > > --Quanah > Hey Quanah! Thanks for reaching out! Sadly in my case the update is not specifically helpful in my case. I found the override flag already, but I do not want to use a ProxyAuth and instead want to bind as the originating user who bound to the consumer. Override allows a ProxyAuth to be used rather than an anonymous bind, which is better, but not the intended behavior I want that the documentation seems to imply is possible. -- Matt Kemp Production Engineer Braintree

1 0

Re: chain overlay does an anonymous bind and ignores the chain binddn (v2.4.44)
by Quanah Gibson-Mount 26 Apr '17

26 Apr '17

--On Monday, April 24, 2017 7:38 PM -0500 Matthew Kemp <matthew.kemp(a)braintreepayments.com> wrote: > > > > > On Thu, Apr 20, 2017 at 6:36 AM, mailing lists <listas.correo(a)yahoo.es> > wrote: > > > > Hello, > > > I am testing the chain overlay from a read-only slave (consumer) slapd > server to a read-write master (provider), but what I am seeing is an > anonymous bind from the consumer to the provider instead of the > authorization identity configurated in the chain directive. > > > > > > We're also seeing the same behavior and reported a similar issue last > month to this list: > http://www.openldap.org/lists/openldap-technical/201703/msg00047.html > > > I'm hopeful we can track down this issue as it's causing us some issues > that we'll need to resolve eventually. Hi Matthew, Can you look at follow up#4 to ITS#8008 and see if that helps your situation? --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Processing telephone number
by Quanah Gibson-Mount 26 Apr '17

26 Apr '17

--On Wednesday, April 26, 2017 9:53 AM +0200 "Angel L. Mateo" <amateo(a)um.es> wrote: > Hi, > > I have an openldap that stores information of my users. One of the > fields we are using is telephoneNumber to store the phone number of the > user. > > In this field we are storing now the complete phone number, that is, a > number like +34 123456789, but now we are deploying applications that > need just the extension number (the last 4 digits), not the hole one. > > Is there any overlay or other option we can use to provide those last 4 > digits of the telephoneNumber attribute without needing to store them in > another different attribute? Nope. I'd suggest fixing the application so it does whatever data manipulation is necessary. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Processing telephone number
by Angel L. Mateo 26 Apr '17

26 Apr '17

Hi, I have an openldap that stores information of my users. One of the fields we are using is telephoneNumber to store the phone number of the user. In this field we are storing now the complete phone number, that is, a number like +34 123456789, but now we are deploying applications that need just the extension number (the last 4 digits), not the hole one. Is there any overlay or other option we can use to provide those last 4 digits of the telephoneNumber attribute without needing to store them in another different attribute? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868889150 Fax: 868888337

1 0

Password storage policy and DIT organisation
by Andreas Ames 26 Apr '17

26 Apr '17

Hi all, my questions below are more about openldap pragmatics than technical issues; if they are off-topic, please point me somewhere else to ask. As I'm a newbie, please bear with me, if I get things completely wrong. What I want to achieve using slapd: a) A centralised authentication service for system accounts of a handful of Linux hosts (libpam-ldapd) and some apache-based webapps (mod_authnz_ldap). b) Every user has a single password stored in exactly one place in the DIT (single-sign on is not topical in my environment). c) I would like to have fine-grained control over whether an ldap user has access to a specific host or webapp or not. Based on that I have got two questions: 1. DIT organisation Let's assume my suffix is dc=foo. I plan to have ou=Users,dc=foo for storing ldap users with their (unique) passwords and ou=Services,dc=foo to have account information for each of my services; e.g. ou=host1,ou=services,dc=foo to provide posix account information for host1, or ou=webapp1,ou=services,dc=foo for mod_authnz_ldap related information regarding webapp1 etc. I plan to use olcAuthzRegexp to authenticate users below ou=host1,ou=services,dc=foo or ou=webapp1,ou=services,dc=foo against ldap users in ou=Users,dc=foo. Is this a sensible setup or are there better hierarchies to achieve my goals? 2. Password storage policy (NB: I am using TLS with a self-signed certificate.) Theoretically I would prefer to store hashed passwords. If I understand correctly, olcAuthRegexp only works with SASL and hashed passwords can only possibly work with the PLAIN mechanism (??). So I tried that and simple binding works as expected, when directly binding to an entry with an attribute "userPassword" (i.e. without indirection through olcAuthzRegexp). To get SASL/PLAIN working, I have tried (without success up till now) to use saslauthd. Moreover the authentication path "client -> TLS/TCP/IP -> slapd (SASL/PLAIN) -> Unix Domain socket -> saslauthd -> localhost/TCP/IP -> slapd (simple bind)" seems a little over the top for my use case. So I am wondering, if hashed password storage is really such a good idea. What are the (security) implications of cleartext storage of passwords? Do you have document links discussing this in some depth? Thanks in advance ... Mit freundlichen Grüßen / With kind regards / Cordiali saluti, Andreas Please consider the environment before you print / Merci de penser à l'environnement avant d'imprimer / Bitte denken Sie an die Umwelt bevor Sie drucken Bombardier Transportation GmbH. Vorsitzender des Aufsichtsrats / Chairman of Supervisory Board: Wolfgang Toelsner. Geschäftsführung / Management Board: Michael Fohrer (Vorsitzender/Chairman), Olaf Berghoff, Dr. Daniel Perlzweig, Konrad Wiebalck. Sitz der Gesellschaft / Principal Office: Berlin. Registergericht / Registration Court: Amtsgericht Charlottenburg, HRB 64838. This e-mail message, and any attachments, may contain information that is confidential and/or privileged. They are intended for the exclusive use of the addressee. Any other person is strictly prohibited from disclosure, distribution or reproduction. No waiver whatsoever is intended by sending this e-mail. If you receive this e-mail in error please immediately inform the sender by return e-mail and delete this e-mail message along with all the attachments and destroy all copies.

3 2

Re: Manual LDAP 2.4.44 Installation
by Quanah Gibson-Mount 25 Apr '17

25 Apr '17

--On Tuesday, April 25, 2017 1:57 AM +0000 Alexandre Vilarinho <acvoliveira(a)yahoo.com.br> wrote: > root@Linux-LDAP-SERVER:~# /usr/local/sbin/slapadd -F > /usr/local/etc/slapd.d -l /usr/local/etc/openldap/slapd.ldif > 58fe9bea invalid config directory /usr/local/etc/slapd.d, error 2 > slapadd: bad configuration directory! As per my previous email: >> Also ensure that directory exists prior to running the command. Not sure how to be any more clear than that. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

chain overlay does an anonymous bind and ignores the chain binddn (v2.4.44)
by mailing lists 24 Apr '17

24 Apr '17

Hello, I am testing the chain overlay from a read-only slave (consumer) slapd server to a read-write master (provider), but what I am seeing is an anonymous bind from the consumer to the provider instead of the authorization identity configurated in the chain directive. consumer/10.112.107.53:------------------------------------- # slapd -V @(#) $OpenLDAP: slapd 2.4.44 (Mar 23 2017 12:46:14) $ root@consumer:/root/rpmbuild/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd # grep -v -e '^#' -e '^$' slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema include /etc/openldap/schema/freeradius.schema include /etc/openldap/schema/authldap.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/custom.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args moduleload back_ldap.la moduleload unique.la moduleload ppolicy.la moduleload dynlist.la moduleload memberof.la moduleload syncprov.la moduleload accesslog.la moduleload auditlog.la overlay chain chain-uri "ldap://10.112.107.51" chain-idassert-bind bindmethod="simple" binddn="cn=proxyuser,dc=example,dc=com" credentials="12345678" mode="self" flags=non-prescriptive chain-rebind-as-user TRUE chain-return-error TRUE access to * by * write serverID 101 allow bind_v2 database mdb suffix "dc=example,dc=com" dbnosync rootdn "cn=Manager,dc=example,dc=com" rootpw 12345678 directory /var/lib/ldap maxsize 106300440576 index objectClass eq index uid eq,sub index entryCSN,entryUUID eq loglevel stats syncrepl rid=101 provider=ldap://10.112.107.51:389 type=refreshAndPersist searchbase="dc=example,dc=com" schemachecking=off bindmethod=simple retry="60 10 300 +" binddn="cn=syncrepl,dc=example,dc=com" credentials=12345678 updateref "ldap://10.112.107.51:389" provider/10.112.107.51:----------------------------------- # slapd -V @(#) $OpenLDAP: slapd 2.4.44 (Mar 23 2017 12:46:14) $ root@provider:/root/rpmbuild/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd # grep -v -e '^#' -e '^$' slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema include /etc/openldap/schema/freeradius.schema include /etc/openldap/schema/authldap.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/custom.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap moduleload back_ldap.la moduleload unique.la moduleload ppolicy.la moduleload dynlist.la moduleload memberof.la moduleload syncprov.la moduleload accesslog.la moduleload auditlog.la access to * by * write serverID 001 authz-policy to allow bind_v2 database mdb suffix "dc=example,dc=com" dbnosync rootdn "cn=Manager,dc=example,dc=com" rootpw 12345678 directory /var/lib/ldap maxsize 106300440576 index objectClass eq index uid eq,sub index entryCSN,entryUUID eq loglevel stats limits dn="cn=proxyuser,dc=example,dc=com" size=unlimitedlimits dn="cn=syncrepl,dc=example,dc=com" size=unlimitedoverlay syncprov syncprov-checkpoint 1000 1 syncprov-sessionlog 150000 syncprov-reloadhint TRUE now I do an update in the consumer: Apr 20 12:58:57 consumer slapd[23149]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:42198 (IP=0.0.0.0:389) Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128 Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0 Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 RESULT tag=97 err=0 text= Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(employeeid=759042)" Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SRCH attr=* + Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(uid=endwmkhwl60nehf2c)" Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SRCH attr=* + Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 MOD dn="uid=enDwmkHWl60NEHf2c,dc=example,dc=com" Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 MOD attr=description Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 RESULT tag=103 err=8 text= Apr 20 12:58:57 consumer slapd[23149]: conn=1004 fd=16 closed (connection lost) and this is the corresponding log in the provider: Apr 20 12:58:57 provider slapd[28974]: conn=3367 fd=16 ACCEPT from IP=10.112.107.53:58416 (IP=0.0.0.0:389) Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=0 BIND dn="" method=128 Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=0 RESULT tag=97 err=0 text= Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 MOD dn="uid=enDwmkHWl60NEHf2c,dc=example,dc=com" Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 MOD attr=description Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 RESULT tag=103 err=8 text=modifications require authentication Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=2 UNBIND Apr 20 12:58:57 provider slapd[28974]: conn=3367 fd=16 closed afaik, the bind dn in the provider must be the chain binddn configured in the consumer, but it gets an anonymous bind. any suggestion about what can be my mistake??

2 1

Re: Manual LDAP 2.4.44 Installation
by Quanah Gibson-Mount 23 Apr '17

23 Apr '17

--On Friday, April 21, 2017 6:35 PM +0000 Alexandre Vilarinho <vilarinhomail-dev(a)yahoo.com.br> wrote: > But from step 9 forward it practically didn't work: > > > 9.Import the configuration database > You are now ready to import your configration database for use by > slapd(8), by running the command: > su root -c /usr/local/sbin/slapadd -F /usr/local/etc/cn=config -l > /usr/local/etc/openldap/slapd.ldif That's a typo in the quickstart guide that's already fixed for the next release. It would be /usr/local/etc/slapd.d Also ensure that directory exists prior to running the command. > 10. Start SLAPD. > You are now ready to start the Standalone LDAP Daemon, slapd(8), by > running the command: > su root -c /usr/local/libexec/slapd -F /usr/local/etc/cn=config And here that would also be /usr/local/etc/slapd.d --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Filtered proxy to Active Directory
by Kamenko Pajic 23 Apr '17

23 Apr '17

We have Panasonic KX-UTG300B phones (SIP phone) which has LDAP Phonebook option. Settings on the phone to make this work are simple: LDAP Server Address: LDAP Server Port: LDAP Authentication ID: LDAP Authentication Password: LDAP Search Base: When I go to LDAP address book on the phone I get thousands of entries listing not only users with their phone number but also all other entries like resources, empty lines(???), N/A, Distribution lists .. Etc. in short probably everything. There is no way I can set up a filter to filter users only that have phone number set in AD. What I need is LDAP proxy server which will be queried by our phones instead of querying AD Server directly and return filtered list (example: just entries containing information in "telephoneNumber" attribute) Is this possible? I've been trying for weeks now with no success. Please someone, send me sample ldap.conf and slapd.conf configuration files Thanks

4 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2017