openldap-technical April 2019

openldap-technical@openldap.org

33 participants
39 discussions

Re: Strange slapadd behavior
by Ezsra McDonald 15 Apr '19

15 Apr '19

Yes, I did!! Thank you for the assistance everyone. -Ez On Mon, Apr 15, 2019 at 2:49 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Monday, April 15, 2019 3:44 PM -0500 Ezsra McDonald > <ezsra.mcdonald(a)gmail.com> wrote: > > > I figured it out. I had missed a attribute when I built my root object. > > Hi Ezsra, > > Glad you got it figured out! Hopefully you migrated the configuration > over > to using the new LMDB based backend (back-mdb) during the process. > > --Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

1 0

Re: Strange slapadd behavior
by Ezsra McDonald 15 Apr '19

15 Apr '19

We were hoping to carry over all the operational attributes associated with objects in the LDAP. If I remember correctly, ldapadd will not apply operational attributes. On Mon, Apr 15, 2019 at 11:31 AM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > --On Monday, April 15, 2019 9:17 AM -0500 Ezsra McDonald > <ezsra.mcdonald(a)gmail.com> wrote: > > > I am in the process of migrating my OpenLdap 2.3 system to a new OpenLdap > > 2.4 system but something is not working right for the import(slapadd) to > > the new system. There are 35,895 objects defined in the LDIF generated by > > slapcat. > > I would suggest you start with ldapadd to import, rather than slapadd, as > you likely need the additional validation steps initially when doing the > migration from 2.3 to 2.4. > > I'd also avoid using RH's native packages and use a current release. The > LTB project and Symas both provide free alternatives to RH's builds. > > <https://ltb-project.org/download#openldap> > <https://repo.symas.com/sofl/rhel7/> > > > --Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > >

3 5

Strange slapadd behavior
by Ezsra McDonald 15 Apr '19

15 Apr '19

I am in the process of migrating my OpenLdap 2.3 system to a new OpenLdap 2.4 system but something is not working right for the import(slapadd) to the new system. There are 35,895 objects defined in the LDIF generated by slapcat. RPM: openldap-servers-2.4.44-21.el7_6.x86_64 Example: Importing the following object by slapadd: dn: cn=demokag,ou=Groups,dc=somewhere,dc=org *cn*: demokag *description*: KAG Demo *owner*: cn=manager,dc=somewhere,dc=org objectClass: top objectClass: groupOfUniqueNames *uniqueMember*: uid=sombody,ou=People,dc=somewhere,dc=org *uniqueMember*: uid=somebodyelse,ou=People,dc=somewhere,dc=org structuralObjectClass: groupOfUniqueNames entryUUID: 78450864-a24e-1030-9086-8baf95aed3fc creatorsName: cn=Manager,dc=somewhere,dc=org createTimestamp: 20111113142106Z entryCSN: 20121116140519Z#000000#00#000000 modifiersName: cn=Manager,dc=somewhere,dc=org modifyTimestamp: 20121116140519Z Produces this object: dn: cn=demokag,ou=groups,dc=somewhere,dc=org *givenName*: demokag *owner*: KAG Demo *uniqueMember*: cn=manager,dc=somewhere,dc=org objectClass: top objectClass: groupOfUniqueNames *gidNumber*: uid=somebody,ou=People,dc=somewhere,dc=org *gidNumber*: uid=somebodyelse,ou=People,dc=somewhere,dc=org structuralObjectClass: groupOfUniqueNames entryUUID: 78450864-a24e-1030-9086-8baf95aed3fc creatorsName: cn=Manager,dc=somewhere,dc=org createTimestamp: 20111113142106Z entryCSN: 20121116140519Z#000000#00#000000 modifiersName: cn=Manager,dc=somewhere,dc=org modifyTimestamp: 20121116140519Z 1. I bolded the impacted attributes. 2. I am unable to do ldapsearch for this object. I believe this is because the cn is being replaced with givenName. 3. Spot checking it appears this is happening to all of the objects under the groups OU. Maybe other object types are bad too. I do not know yet. I have been beating my head on this for several days.Any help would be appreciated.

3 2

Help
by A. Yuesuen 15 Apr '19

15 Apr '19

hello, i'm trying to implement Ssha512 on my openldap server. i found out that the Building concepts on the www are old. there are nor slapd.conf file. So there is written i have to work with the cn=config file cause. Can someone help me please? I'm using ubuntu 18.10 and the openldap version slapd. Thank you best wishes Ajdar yüsün

3 2

Quick question about OpenLDAP Server CA certificate handling
by Mark Cairney 15 Apr '19

15 Apr '19

Hi, Having just updated our SSL certificates on our OpenLDAP server led us to review the contents of our "bundle" file referenced in "olcTLSCACertificateFile". According to the documentation at: https://www.openldap.org/doc/admin24/tls.html it states "This directive specifies the PEM-format file containing certificates for the CA's that slapd will trust. The certificate for the CA that signed the server certificate must be included among these certificates. If the signing CA was not a top-level (root) CA, certificates for the entire sequence of CA's from the signing CA to the top-level CA should be present. Multiple certificates are simply appended to the file; the order is not significant." However based on our understanding of how SSL works we should only actually need the intermediate(s) in there as the client should have the root and then compare the intermediate provided by the server and only trust it if it can use this in conjunction with it's copy of the root certificate to complete the chain of trust. Based on this we configure our web servers to only have the intermediate(s) in their chain (and in fact SSL Labs marks you down if you have the root in there too). Of course we do realise LDAP is not HTTP! We're running OpenLDAP 2.4.47 linked against OpenSSL on Scientific Linux 7.5. Kind regards, Mark -- /**************************** Mark Cairney ITI Enterprise Services Information Services University of Edinburgh Tel: 0131 650 6565 Email: Mark.Cairney(a)ed.ac.uk PGP: 0x435A9621 *******************************/ The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

3 3

strange regexp behaviour
by Dieter Kluenter 15 Apr '19

15 Apr '19

Hi, I face a strange behaviour of a authz regexp. This is part of my slapd.conf authz-regexp "gidNumber=(.*)\+uidNumber=(.*),cn=peercred,cn=external,cn= auth" "ldap:///o=avci,c=de?dn?sub?(&(uidNumber=$2)(gidNumber=$1))" The result of a ldapwhoami: SASL/EXTERNAL authentication started SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn:gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth A result of search ldapsearch -Y EXTERNAL -H ldapi:/// -b o=avci,c=de -s sub "(&(gidNumber=100)(uidNumber=1000))" dn dn: cn=Dieter Kluenter,ou=Partner,o=avci,c=de result: 0 Success This regexp has been working for ages, in fact it hasn't been changed since Ando's first announcement. Any idea what might have been changed? -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E

2 2

changes in libldap?
by Dieter Kluenter 15 Apr '19

15 Apr '19

Hi, I face some more strange error reports from some updated tools. There is for example ldapfuse, introduced in 2011, built with ldd /usr/bin/ldapfuse linux-vdso.so.1 (0x00007ffe8c92a000) libHX.so.28 => /usr/lib64/libHX.so.28 (0x00007fdf144de000) libfuse.so.2 => /lib64/libfuse.so.2 (0x00007fdf1449d000) liblber-2.4.so.2 => /usr/lib64/liblber-2.4.so.2 (0x00007fdf1448c000) libldap_r-2.4.so.2 => /usr/lib64/libldap_r-2.4.so.2 (0x00007fdf14436000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdf14415000) libc.so.6 => /lib64/libc.so.6 (0x00007fdf14250000) libdl.so.2 => /lib64/libdl.so.2 (0x00007fdf14249000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fdf14230000) libsasl2.so.3 => /usr/lib64/libsasl2.so.3 (0x00007fdf14211000) libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007fdf141a3000) libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007fdf13f17000) /lib64/ld-linux-x86-64.so.2 (0x00007fdf1451f000) libz.so.1 => /lib64/libz.so.1 (0x00007fdf13efb000) § ldapfuse ldap://localhost ~/adbook Unhandled LDAP error code -1 LDAP Can't contact LDAP server Even gcc doesn't produce more information :-) What has been changed in libldap? -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E

3 5

Help
by A. Yuesuen 14 Apr '19

14 Apr '19

Hello, When i try the Instruction on following page: https://github.com/winlibs/openldap/tree/master/contrib/slapd-modules/passw… i missed I'm not sure with point 1. and i can run the make function. Is there a example with pictures? Or could you please explain me easier how i can implement the sha2 / SSHA512 modul? Hope you can help me. Thank you in advance. best wishes Ajdar Yüsün

1 0

Re: Question about OID / feedback on schema
by Mikael Bak 10 Apr '19

10 Apr '19

Hi, On 2019. 04. 06. 21:19, Harry Jede wrote: > Am 05.04.19 um 16:36 schrieb Michael Ströder: >> You need to register an IANA enterprise ID to obtain your own OID space. >> >> AFAIK there is no OID space reserved for private use. > > Both statements are true. > > But Mikael Bak says that he wont register his organization. OK, if > someting goes wrong with the registered oid space, your company may get > reputation problems. That is what people told often to me. > I actually said that I would like to avoid it, if possible. I forsee a lot of paper work here to get this done properly. > The solution is register an oid for a private person aka Mikael Bak. If > all is Ok and everyone feels good transfer the registerd oid to your > company or register a new oid and modify your schema to match the new oid. > Since there seems to be no concept of private OID space, then I will start the procedure to register the Hungarian National Library with IANA to obtain OID number. Thank you all! Mikael

2 2

OID for ASN.1 type BinaryTime
by Weiwu Zhang 08 Apr '19

08 Apr '19

HI: RFC4049 recommended a type BinaryTime - like GeneralisedTime but for compatibility with older systems. Reading https://tools.ietf.org/html/rfc4049 I couldn't find the OID for this type, despite intensive Google search. Any hint? Thanks a lot!

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2019