Re: Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
by Douglas Duckworth
What would you recommend as a replacement for SSSD? I am running it across
Centos 6 and 7 clients without any issue using TLS.
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Thu, Sep 28, 2017 at 4:28 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Thursday, September 28, 2017 2:18 PM -0700 Quanah Gibson-Mount
> <quanah(a)symas.com> wrote:
>
> > --On Thursday, September 28, 2017 4:41 PM -0400 Robert Heller
> > <heller(a)deepsoft.com> wrote:
> >
> >> Will these spit out useful error messages? If I just get "TLS
> >> Negotiation failure" it is not going to be helpful.
>
> However, you may have hit a known and unfixed bug in SSSD:
>
> <https://pagure.io/SSSD/sssd/issue/2896?cversion=0&cnum_hist=6>
>
> You may be better off using a better written piece of software.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
Openldap and sssd: getting slapd to do TLS negotiation or getting sssd to NOT do TLS negotiation
by Robert Heller
OK, I have narrowed things down to slapd and sssd not playing nice with each
other. slapd is able to listen on ldaps (port 636) and accept SSL connections
(e.g. from openssl s_client and other applications using straight SSL). slapd
will also listen on ldap (port 389), but refuses to negotiate a TLS connection
on port 389. It also refuses to negotiate TLS connection on port 636. sssd
seems to *insist* on negotiating a TLS connection on port 636 or port 389 and
won't just connect using ssl to port 636. (At least that is what I *think* is
going on.)
So, I either need to get slapd to do TLS negotiation on port 389 OR port 636,
or get sssd to NOT do TLS negotiation on port 636 and just connect with SSL.
How the hell do I get that to happen?
Here are my config files:
[root@c764guest heller]# cat /etc/openldap/slapd.d/cn\=config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 ba294eab
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
olcTLSCACertificatePath: /etc/openldap/certs
structuralObjectClass: olcGlobal
entryUUID: 7e6a3298-30da-1037-9c4f-458bcc6c0ce0
creatorsName: cn=config
createTimestamp: 20170918163057Z
olcTLSCACertificateFile: /etc/openldap/certs/ca-cert.pem
olcTLSCertificateFile: /etc/pki/tls/certs/c764guest.cert
olcTLSCertificateKeyFile: /etc/pki/tls/certs/c764guestkey.pem
entryCSN: 20170927144348.897441Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170927144348Z
[root@c764guest heller]# cat /etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=deepsoft,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://192.168.250.98/
ldap_id_use_start_tls = false
ldap_tls_cacert = /etc/openldap/certs/ca-cert.pem
ldap_default_bind_dn = uid=sssd,ou=People,dc=deepsoft,dc=com
ldap_default_authtok = sssd
[sssd]
services = nss, pam, autofs
domains = default
[nss]
homedir_substring = /home
[pam]
debug_level = 0x7770
ldap_id_use_start_tls = false
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[root@c764guest heller]# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=deepsoft,dc=com
URI ldaps://192.168.250.98/
TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
TLS_REQCERT allow
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
heller(a)deepsoft.com -- Webhosting Services
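The thread above turns on two settings that are easy to get wrong: whether the client connects with ldaps:// (TLS from the first byte, port 636) or with ldap:// plus StartTLS (port 389), and how strictly the server certificate is checked. The following linter is an added example, not code from the thread or from the SSSD or OpenLDAP projects. It reads an sssd.conf and an OpenLDAP ldap.conf and flags combinations that silently break or weaken the connection. The sample configs are constructed, modeled on the ones in the post, and the rules encode two assumptions drawn from sssd-ldap(5) and ldap.conf(5): that `ldap_*` options are read only inside a `[domain/...]` section (so the `ldap_id_use_start_tls` under `[pam]` above does nothing), and that ldap.conf applies each line as it is parsed, so a repeated `TLS_REQCERT` keeps its last value (above, `allow` overrides the earlier `demand`, which disables certificate failure on a verification error).

```python
"""Lint an sssd.conf and an OpenLDAP ldap.conf for LDAP/TLS settings that
silently break or weaken the connection.

Added example, not code from the original thread.  The sample configs are
constructed, modeled on the ones posted; the rules are assumptions drawn
from sssd-ldap(5) and ldap.conf(5), as noted in the comments."""
import configparser
from urllib.parse import urlsplit

# sssd-ldap(5) documents these as domain options; under [pam], [nss] and
# the other service sections they are not read at all (assumption).
DOMAIN_ONLY = {"ldap_uri", "ldap_id_use_start_tls", "ldap_tls_reqcert",
               "ldap_tls_cacert", "ldap_default_bind_dn", "ldap_default_authtok"}
# How strictly the server certificate is checked; 'demand' is the default.
REQCERT_RANK = {"never": 0, "allow": 1, "try": 2, "demand": 3, "hard": 3}


def lint_sssd(text):
    """Return a list of findings (strings) for an sssd.conf body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        opts = dict(cp.items(section))
        if not section.startswith("domain/"):
            for key in sorted(opts):
                if key in DOMAIN_ONLY:
                    findings.append(f"[{section}] {key}: domain option outside a "
                                    "domain section, so it has no effect")
            continue
        scheme = urlsplit(opts.get("ldap_uri", "")).scheme
        starttls = opts.get("ldap_id_use_start_tls", "false").lower() == "true"
        if scheme == "ldaps" and starttls:
            findings.append(f"[{section}] ldaps:// plus ldap_id_use_start_tls=true: "
                            "StartTLS cannot be layered on an already encrypted port")
        elif scheme == "ldap" and not starttls:
            findings.append(f"[{section}] ldap:// without StartTLS: bind DN and "
                            "password cross the network in cleartext")
        reqcert = opts.get("ldap_tls_reqcert", "demand").lower()
        if REQCERT_RANK.get(reqcert, 3) < 3:
            findings.append(f"[{section}] ldap_tls_reqcert={reqcert}: certificate "
                            "errors are tolerated, so the server is not authenticated")
    return findings


def lint_ldap_conf(text):
    """Return (effective settings, findings) for an ldap.conf body.

    ldap.conf is 'KEYWORD value' per line; the parser applies each line as
    it is read, so a repeated keyword's last value wins (assumption)."""
    effective, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if key in effective and effective[key] != value:
            findings.append(f"line {lineno}: {key} set again; '{value}' "
                            f"overrides earlier '{effective[key]}'")
        effective[key] = value
    reqcert = effective.get("TLS_REQCERT", "demand").lower()
    if REQCERT_RANK.get(reqcert, 3) < 3:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate errors are "
                        "tolerated, so an impostor server would be accepted")
    return effective, findings


# Constructed samples, modeled on the configs posted in the thread.
SAMPLE_SSSD = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://192.168.250.98/
ldap_id_use_start_tls = false
ldap_tls_cacert = /etc/openldap/certs/ca-cert.pem
[sssd]
services = nss, pam
domains = default
[pam]
debug_level = 0x7770
ldap_id_use_start_tls = false
"""

SAMPLE_LDAP_CONF = """\
BASE dc=deepsoft,dc=com
URI ldaps://192.168.250.98/
TLS_CACERT /etc/openldap/certs/ca-cert.pem
TLS_REQCERT demand
SASL_NOCANON on
TLS_REQCERT allow
"""

if __name__ == "__main__":
    for finding in lint_sssd(SAMPLE_SSSD):
        print("sssd.conf:", finding)
    _, ldap_findings = lint_ldap_conf(SAMPLE_LDAP_CONF)
    for finding in ldap_findings:
        print("ldap.conf:", finding)
```

Run against the samples it reports the misplaced `ldap_id_use_start_tls` under `[pam]` and the second `TLS_REQCERT` that downgrades `demand` to `allow`; the domain section itself (ldaps:// with StartTLS off) is the consistent combination and produces no finding. Point `lint_sssd` and `lint_ldap_conf` at the real files' contents to check a host.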
Re: Attribute map/substitution
by Quanah Gibson-Mount
--On Wednesday, September 27, 2017 11:53 AM +0200 Ervin Hegedüs
<airween(a)gmail.com> wrote:
> The problem is that (for example) the ntPassword and lmPassword attributes
> don't exist (sAMAccountName and objectSid also...).
>
> I think that ntPassword is sambaNTPassword, which is part of the
> samba.schema.
>
> But how can I configure OpenLDAP to serve these attributes?
The larger question is, does it actually need those attributes to function?
If so, then you'll need to find schema defining them, add that schema to
your OpenLDAP server, and then populate them. It may well not *require*
them to be present in the entry (for example, it looks at all of:
ntPassword, lmPassword, userPassword). My guess would be that as long as
it can access one of those it is fine. However, the fact that it's trying
to get a value back for a password shows that the piece of software is
poorly written and should be avoided. There's zero reason for it to have
read access to a password attribute.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Re: need an example of using "ldap_search_s" function using the "attr" parameter.
by Quanah Gibson-Mount
--On Monday, September 25, 2017 11:56 PM +0000 Don jessup
<djessup72(a)yahoo.com> wrote:
> To limit the information coming back from the server I only want the
> values of the "sAMAccountName" attribute. Every time I try populating
> the "attrs" parameter I get an error. I was wondering if I could be
> pointed to an example or 2 that uses the parameter.
ldap_search_s is deprecated; you should be using ldap_search_ext_s instead.
However, libraries/libldap/sasl.c has a trivial example of using attrs with
ldap_search_s:
char *attrs[] = { "supportedSASLMechanisms", NULL };
rc = ldap_search_s( ld, "", LDAP_SCOPE_BASE,
NULL, attrs, 0, &res );
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
meta backend , rwm AD source , uppercase to lowercase
by Nicolas Renault
Hello,
My question,
I have a meta backend that works perfectly, but somebody on the dev team
asked me:
Why on AD does this organizationalUnit have these values on its attrs:
managedBy: CN=Surname Name,OU=Users,DC=domain,DC=fr
seeAlso: CN=Sunrame2 Name2,OU=Users,DC=domain,DC=fr
and on meta on the same OU :
managedBy: cn=surname name,ou=Users,ou=meta,dc=domain,dc=fr
seeAlso: cn=Surname2 Name2,ou=Users,ou=META,dc=domain,dc=fr
the AD is "bound" to ou=META,dc=domain,dc=fr (suffixmassage)
all OUs on meta have the same behavior
so
* why on the managedBy attr is everything converted to lowercase, but only CN
and OU on seeAlso?
* how does uppercase-to-lowercase conversion work with the meta backend? Is
the rwm overlay involved?
my meta backend config is very long, but some information:
moduleload back_meta
moduleload rwm
moduleload valsort
moduleload memberof
moduleload dynlist
moduleload sssvlv.so
moduleload collect
moduleload pcache
moduleload back_monitor
moduleload back_ldap
moduleload back_mdb
overlay rwm
rwm-rewriteEngine on
rwm-normalize-mapped-attrs yes
... lot of rewrite rules
etc.
version :
@(#) $OpenLDAP: slapd 2.4.44 $
opensuse-buildservice(a)opensuse.org
openSUSE Leap 42.2
Thanks for your answers.
Nicolas
Re: Locker killed to resolve a deadlock
by Quanah Gibson-Mount
--On Wednesday, September 27, 2017 3:05 PM +0900 Jorgen Lundman
<lundman(a)lundman.net> wrote:
> we have told it to syncrepl from scratch into an empty
> directory.
Catastrophically bad idea with OpenLDAP 2.4.36. You may want to read over
the various sync issues that have been fixed since that release (Current
release is 2.4.45). The only safe way for you to reload another server
will be slapcat/slapadd.
Generally, I'd strongly advise upgrading to a current release and switching
to back-mdb, eliminating BDB entirely.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Attribute map/substitution
by Ervin Hegedüs
Hi folks,
There is a Captive Portal (from Aruba), and we would like to integrate it
with OpenLDAP to authenticate users (for 802.1x).
The server is a Debian 8, with OpenLDAP 2.4.
I've set up the loglevel, and I see the query in the log:
Sep 27 09:56:50 srv slapd[19709]: filter:
(&(uid=airween)(objectClass=*))
Sep 27 09:56:50 srv slapd[19709]: attrs:
Sep 27 09:56:50 srv slapd[19709]: ntPassword
Sep 27 09:56:50 srv slapd[19709]: lmPassword
Sep 27 09:56:50 srv slapd[19709]: radiusReplyMessage
Sep 27 09:56:50 srv slapd[19709]: radiusFilterId
Sep 27 09:56:50 srv slapd[19709]: userPassword
Sep 27 09:56:50 srv slapd[19709]: userCertificate
Sep 27 09:56:50 srv slapd[19709]: sAMAccountName
Sep 27 09:56:50 srv slapd[19709]: objectSid
Sep 27 09:56:50 srv slapd[19709]:
The problem is that (for example) the ntPassword and lmPassword attributes
don't exist (sAMAccountName and objectSid also...).
I think that ntPassword is sambaNTPassword, which is part of the
samba.schema.
But how can I configure OpenLDAP to serve these attributes?
I've found the slapo-rwm manpage, but nothing more useful...
Could anybody help explain how rwm works? What do I need to do with
this OpenLDAP (e.g. modify the existing config) to solve that problem?
On the CP side there isn't any way to change the attributes, as far as I saw.
Thanks,
a.