openldap-technical November 2019

openldap-technical@openldap.org

14 participants
17 discussions

Re:Re: It seems that the Tls cipher settings in ldap client and server not work.
by Quanah Gibson-Mount 22 Nov '19

22 Nov '19

--On Thursday, November 14, 2019 11:17 AM +0800 莫亚男 <nanmor(a)126.com> wrote: > > > Hi Quanah, > > > Sorry for reply so late. We download the package and self-built. > we used below commands: > env CPPFLAGS=-I/usr/local/src/openssl-1.1.1/include > LDFLAGS=-L/usr/local/ssl/lib ./configure > make depend > make > make install Hi Nancy, Please keep replies on the technical list. Which OpenSSL 1.1.1 release are you linking to? Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 2

Page Leak?
by Andrew Spott 20 Nov '19

20 Nov '19

I apologize if this is the wrong place to ask this, let me know if there is someplace better. So, when doing a `mdb_copy -c`, I've run into the error message: mdb_copy: copying failed, error -30784 (MDB_INCOMPATIBLE: Operation and DB incompatible, or DB flags changed) When looking at the mdb_copy man page, it says that mdb_copy with compaction might fail if the database has a 'page leak'. Since that appears to be what has happened... can anyone tell me what that means? Does this mean that the data could be corrupted? How do I fix this? Thanks! -Andew

2 6

Mailman list?
by Zinski, Steve 19 Nov '19

19 Nov '19

We are in the process of migrating from a sendmail/virtuser environment to proofpoint/ldap mail routing. This means we have to add the inetLocalMailRecipient class to all of our users along with mail/mailLocalAddress/mailRoutingAddress attributes. We also need to create routing records for our mailman mailing list aliases (i.e., list-admin, list-bounces, list-request, list-subscribe, etc.). What is the best way to add these addresses to ldap? I was thinking about adding a “mailman” container (regular users go in “people”) but I don’t know what structural object class to use for each mailman entry. Do I use person (or inetOrgPerson)? I want to do this right, so any best-practice tips would be welcome. Any help would be appreciated. Thanks, Steve

1 0

slap_global_control: unrecognized control: 1.3.6.1.4.1.4203.666.5.16
by Jean-Francois Malouin 16 Nov '19

16 Nov '19

Hi, Since I started adding clients to authenticate users through LDAP I'm getting those messages in the servers log: slap_global_control: unrecognized control: 1.3.6.1.4.1.4203.666.5.16 Clients use nss-ldapd 0.9.9 with nslcd and nscd for caching. Servers are running OpenLDAP 2.4.47 on Debian/Stretch 9.11. A quick search shows those are related to deref control. I don't have that overlay loaded on the servers, only slapo-memberof, slapo-syncprov, slapo-refint and slapo-ppolicy So I wonder if, first, are they harmfull? Or will they get eventually as the number of clients will start to increase in the very near future? thanks, jf

2 3

Acl on userPassword on a specfic base
by Marc Roos 11 Nov '19

11 Nov '19

I have problems authenticating against this acl[0] with nslcd, if I use[1] authentication is fine. I have the impression the dn.exact is not able to access the password attribute, because getent shows the other attributes. How should I rewrite this so the dn.exact is able to read the password attributes from dn.subtree? [0] olcAccess: {0} to dn.exact="" by * read olcAccess: {1} to dn.exact="cn=Subschema" by * read olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none continue olcAccess: {3} to dn.subtree="ou=gggg,ou=ffff,ou=eee,dc=ccc,dc=bbb,dc=aaa" by dn.exact="cn=system,ou=dddd,dc=ccc,dc=bbb,dc=aaa" ssf=64 read olcAccess: {4} to * by * none [1] olcAccess: {0} to dn.exact="" by * read olcAccess: {1} to dn.exact="cn=Subschema" by * read olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none olcAccess: {3} to * by ssf=64 users read by * none

2 1

It seems that the Tls cipher settings in ldap client and server not work.
by 莫亚男 11 Nov '19

11 Nov '19

Hi Friends, My open-ldap server is Version: 2.4.46 OS: redhat7 I set the parameter about cipher suite in client(ldap.conf) and server (slapd.conf) and restart the service, the tcp/ip log, find the cipher not changed. In ldap.conf: TLS_CIPHER_SUITE ALL:!TLSv1.3 In slapd.conf: TLSCipherSuite !TLSv1.3 openssl provide those cipher suites: [root@ ~]# openssl ciphers -v 'TLSv1.3' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD when openldap worked as a client, it send 4 cipher suites to server in TLS1.3 client hello. Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303) Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302) When openldap worked as a server, it used TLS_AES_256_GCM_SHA384 to connect in TLS server hello. And when i set one specific cipher in client, TLS_CIPHER_SUITE TLS_CHACHA20_POLY1305_SHA256 It also send same four suites in client hello. Could you help me to have a look? thanks.

2 1

syncprov overlay and autogroup
by Martin Pittamitz 04 Nov '19

04 Nov '19

Good day I have recently added a syncprov configuration and consumer node to our OpenLDAP setup. On our master we use the overlays "memberOf" and "autogroup". Now a specific error occurs on the consumer node, where "group1" has objectClass "groupOfURLs": > Oct 29 16:39:18 user slapd[26309]: autogroup_modify_entry attempted to > modify group's <cn=group1,ou=groups,dc=example,dc=net> member attribute > Oct 29 16:39:18 user slapd[26309]: send_ldap_result: conn=-1 op=0 p=3 > Oct 29 16:39:18 user slapd[26309]: send_ldap_result: err=19 matched="" > text="attempt to modify dynamic group member attribute" > Oct 29 16:39:18 user slapd[26309]: syncrepl_null_callback : error code > 0x13 > Oct 29 16:39:18 user slapd[26309]: syncrepl_entry: rid=001 be_modify > cn=group1,ou=groups,dc=example,dc=net (19) > Oct 29 16:39:18 user slapd[26309]: syncrepl_entry: rid=001 be_modify > failed (19) > Oct 29 16:39:18 user slapd[26309]: do_syncrepl: rid=001 rc 19 quitting Can anyone point me in the right direction here? Is autogroup simply incompatible with such a syncprov setup? Best regards, Martin

2 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2019