openldap-technical October 2020

openldap-technical@openldap.org

19 participants
24 discussions

ldapsearch -Y EXTERNAL not working
by Stefan Kania 15 Oct '20

15 Oct '20

Hello, I just compiled OpenLDAP 2.5alpha on a debian 10 system. I used this howto: https://tylersguides.com/guides/install-openldap-source-debian-stretch/ Slapd is running and I load the following ldif: ----------------- dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /opt/openldap-current/var/run/slapd.args olcPidFile: /opt/openldap-current/var/run/slapd.pid olcTLSCACertificateFile: /etc/ssl/certificates/demoCA/cacert.pem olcTLSCertificateFile: /etc/ssl/certificates/ldap01-cert.pem olcTLSCertificateKeyFile: /etc/ssl/certificates/ldap01-key.pem olcTLSCipherSuite: TLSv1.2:HIGH:!aNULL:!eNULL olcTLSProtocolMin: 3.3 dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /opt/openldap-current/libexec/openldap olcModuleload: back_mdb.la olcModuleload: pw-sha2.la include: file:///opt/openldap-current/etc/openldap/schema/core.ldif include: file:///opt/openldap-current/etc/openldap/schema/cosine.ldif include: file:///opt/openldap-current/etc/openldap/schema/nis.ldif include: file:///opt/openldap-current/etc/openldap/schema/inetorgperson.ldif dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend olcPasswordHash: {SSHA512} olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none dn: olcDatabase=config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcRootDN: cn=config olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none ----------------- When I try to do a ldapsearch with -Y EXTERNAL I get the following error: ----------------- root@lda25:~# ldapsearch -Y EXTERNAL -H ldaps://ldap25.example.net -b cn=config SASL/EXTERNAL authentication started ldap_sasl_interactive_bind: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: ----------------- Ldapsearch -ZZ is working: ----------------- root@lda25:~# ldapsearch -x -ZZ -H ldap://ldap25.example.net -b cn=config -LLL No such object (32) root@lda25:~# ldapsearch -x -H ldaps://ldap25.example.net -b cn=config -LLL No such object (32) ----------------- So ldaps and ldap+tls is working. Did I miss something during "configure". I would like to help testing version 2.5. Stefan

2 2

OpenLDAP 2.5.0 ALPHA released
by Quanah Gibson-Mount 15 Oct '20

15 Oct '20

Hello -technical, The first alpha release for the OpenLDAP 2.5 series released today, and the source can be obtained from the download page: <https://www.openldap.org/software/download/> The OpenLDAP 2.5 series contains numerous bug fixes and enhancements. Note that some features listed in the ANNOUNCEMENT file in the source tarball are not yet available (I.e., the load balancer). A list of issues marked complete for this alpha can be found in Bugzilla: <https://bugs.openldap.org/buglist.cgi?bug_status=VERIFIED&list_id=858&produ…> Any testing in dev/qa/test environments that people can engage in with this alpha would be extremely helpful. I will be working on making binary builds available to help with testing in the near future. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 2

Re: OpenLDAP 2.5.0 ALPHA released
by Dave Macias 14 Oct '20

14 Oct '20

Sorry for the unnecessary email but my jaw literally dropped... Look forward to the binary builds for testing Stay safe everyone! -Dave On Wed, Oct 14, 2020 at 6:15 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > Hello -technical, > > The first alpha release for the OpenLDAP 2.5 series released today, and > the > source can be obtained from the download page: > > <https://www.openldap.org/software/download/> > > The OpenLDAP 2.5 series contains numerous bug fixes and enhancements. > Note > that some features listed in the ANNOUNCEMENT file in the source tarball > are not yet available (I.e., the load balancer). > > A list of issues marked complete for this alpha can be found in Bugzilla: > > < > https://bugs.openldap.org/buglist.cgi?bug_status=VERIFIED&list_id=858&produ… > > > > Any testing in dev/qa/test environments that people can engage in with > this > alpha would be extremely helpful. I will be working on making binary > builds available to help with testing in the near future. > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

RE24 testing call #1 (OpenLDAP 2.4.54)
by Quanah Gibson-Mount 14 Oct '20

14 Oct '20

This is the first testing call for OpenLDAP 2.4.54. Depending on the results, this may be the only testing call. Generally, get the code for RE24: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_4/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.4.54 Engineering Fixed slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342) Fixed slapd delta-syncrepl to be fully serialized (ITS#9330) Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352) Fixed slapd sessionlog to use a TAVL tree (ITS#8486) Fixed slapd syncrepl to be fully serialized (ITS#8102) Fixed slapd syncrepl to call check_syncprov on fresh consumer (ITS#9345) Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov (ITS#9355) Fixed slapd syncrepl to not create empty ADD ops (ITS#9359) Fixed slapd syncrepl replace usage on single valued attrs (ITS#9295) Fixed slapd-monitor fix monitor_back_register_database for empty suffix DB (ITS#9353) Fixed slapo-accesslog normalizer for reqStart (ITS#9358) Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015) Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

7 20

smbk5pwd sambaPwdLastSet
by corey＠electrickite.org 11 Oct '20

11 Oct '20

Hello, I have run into an issue with the smbk5pwd overlay in slapd 2.4.49 on FreeBSD and I'm hoping someone can point me in the right direction. The majority of the overlay is functioning correctly - when a user updates their password using an exop the sambaLMPassword and sambaNTPassword attributes are updated along with userPassword. However, the sambaPwdLastSet attribute does not update correctly. After an exop password change the value of sambaPwdLastSet is set to 0. It does not seem to matter whether this attribute is added or updated, it is always set to zero after password change. This is honestly not a huge issue in my environment, but some applications treat a sambaPwdLastSet of zero as an indication that the user must change their password. Below is my smbk5pwd config: dn: olcOverlay={5}smbk5pwd objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcSmbK5PwdConfig objectClass: top olcOverlay: {5}smbk5pwd olcSmbK5PwdEnable: samba olcSmbK5PwdMustChange: 0 -- Corey Hinshaw

1 0

Does openldap support authPassword?
by Siddharth Jain 11 Oct '20

11 Oct '20

If yes, where can I find documentation on how to use/enable it? https://tools.ietf.org/html/rfc3112 The userPassword attribute type [RFC2256<https://tools.ietf.org/html/rfc2256>] is intended to be used to support the LDAP [RFC2251<https://tools.ietf.org/html/rfc2251>] "simple" bind operation. However, values of userPassword must be clear text passwords. It is often desirable to store values derived from the user's password(s) instead of actual passwords. The authPassword attribute type is intended to be used to store information used to implement simple password based authentication. RFC 3112 - LDAP Authentication Password Schema<https://tools.ietf.org/html/rfc3112> RFC 3112 LDAP Authentication Password Schema May 2001 hash algorithm/implementation is flawed), the hashing of passwords is intended to be as an additional layer of protection. It is RECOMMENDED that hashed values be protected as if they were clear text passwords. This attribute may be used in conjunction with server side password generation mechanisms (such as the LDAP Password Modify ... tools.ietf.org

2 1

running slapd under valgrind
by Michael Ströder 10 Oct '20

10 Oct '20

HI! An Æ-DIR installation with self-compiled OpenLDAP 2.4.53 on Debian (now buster) has memory leak issues on the Æ-DIR providers. The read-only consumers do not have this issue. The provider config is more complex with more overlays. slapd is automatically restarted (by monit) when memory consumption reaches 80%. Thus monitoring clearly shows a frequent saw tooth pattern. I'm experimenting with valgrind to track down the issue: valgrind --leak-check=full --show-leak-kinds=all --track-origins=yes --verbose --log-file=valgrind-out.txt -- /opt/openldap-ms/libexec/slapd [...] Does that make sense or are some other command-line options needed? Ciao, Michael.

2 5

Ubuntu ldap client using DNS SRV
by thiago.conrado＠ez-masternodes.com 08 Oct '20

08 Oct '20

Hello everyone, just to share the trick of how to configure openLDAP in Ubuntu. we did config the domain DNS SRV records and ldapsearch -x -LLL -H ldap:///dc%3Dmy-domain%2Cdc%3Dcom works fine... dig shall also return the target server and port with the command "dig SRV _ldap._tcp.my-domain.com." the confusing part is: there are 2 ldap.conf files; a) at /etc/ldap.conf: this one will control the how Ubuntu check user id, feeding PAM via nss_ldap; just keep it with no URI or commented URI entries and DNS SRV will work as expected (DN must be in place); it is possible to test it using the command "id <user>"; journalctl -f and tcpdump port 389 are useful for troubleshoting; b) at /etc/lpad/ldap.conf: it is the param source for tools as ldapsearch; we were not able to make it work without declaring URI, hence, we just pointed to one LDAP server, but you can list it all; another option is to do command aliases as in http://www.rjsystems.nl/en/2100-dns-discovery-openldap.php; a proper configuration should list all the users with ldapsearch -x -LLL; anyway, doing a very small contribution to this great project, as it took us 4 hours to get it going, and we found old mentions that openLDAP do not do resolve SRV records (which was the case in the past), as also, there are some client implementations that do resolve and some that don't. LDAP is very powerful to escalate servers/virtual machines in which credentials sync are required best regards all

1 0

TLS: can't accept: No certificate was found..
by kevhilton＠gmail.com 06 Oct '20

06 Oct '20

Hi - I'm using osixia/openldap docker container. I've created self signed client and server certs. I'm receiving the following error when trying to perform ldapsearch from the Arch linux docker host. Here is a summary of the error: # ldapsearch -x -d1 -b 'dc=ldap,dc=gohilton,dc=com' -D "cn=admin,dc=ldap,dc=gohilton,dc=com" -H ldaps://127.0.0.1:636 -W -LLL d ldap_url_parse_ext(ldaps://127.0.0.1:636) ldap_create ldap_url_parse_ext(ldaps://127.0.0.1:636/??base) Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 127.0.0.1:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS trace: SSL_connect:before SSL initialization TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL_connect:SSLv3/TLS read server hello TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=IL/L=CH/O=domain.com/CN=openldap/emailAddress=user(a)domain.com, issuer: /C=US/ST=IL/L=CH/O=domain.com/CN=Docker OpenLDAP CA/emailAddress=user(a)domain.com TLS trace: SSL_connect:SSLv3/TLS read server certificate TLS trace: SSL_connect:SSLv3/TLS read server key exchange TLS trace: SSL_connect:SSLv3/TLS read server certificate request TLS trace: SSL_connect:SSLv3/TLS read server done TLS trace: SSL_connect:SSLv3/TLS write client certificate TLS trace: SSL_connect:SSLv3/TLS write client key exchange TLS trace: SSL_connect:SSLv3/TLS write change cipher spec TLS trace: SSL_connect:SSLv3/TLS write finished TLS trace: SSL_connect:error in SSLv3/TLS write finished TLS: can't connect: . ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) The server logs the error as the following: f7a7260 conn=1007 fd=12 ACCEPT from IP=172.18.0.1:34350 (IP=0.0.0.0:636) TLS: can't accept: No certificate was found.. 5f7a7260 conn=1007 fd=12 closed (TLS negotiation failure) This error only occurs if on the server I use the following server setting: LDAP_TLS_VERIFY_CLIENT=try Is this possibly a permissions issue? I've verified the chain of trust for client certificate upon creation. Both client and server certificates were signed with same user created CA.

3 5

TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure
by Siddharth Jain 05 Oct '20

05 Oct '20

(I mistakenly posted this at openldap-its earlier. apologies if anyone saw it there) Hello, We have a LDAP server running with TLS enabled and verified we can connect to it from openssl s_client. This works: $ openssl s_client -connect ldap.foo.com:636 -cert client_tls_cert.pem -key client_tls_key.pem -state -nbio -CAfile ca_chain.pem -showcerts But ldapsearch throws an error: $ ldapsearch -d 1 -x -H ldaps://ldap.foo.com:636 ... -ZZ TLS: during handshake: peer cert is valid, or was ignored if verification disabled (-9841) TLS: during handshake: Peer certificate is not trusted: kSecTrustResultRecoverableTrustFailure We followed the instructions given at https://www.openldap.org/doc/admin24/tls.html#Client%20Configuration. We edited /etc/openldap/ldap.conf like so: TLS_REQCERT demand TLS_CACERT ca_chain.pem TLS_CACERTDIR /path/to/ca/cert TLS_CERT client_tls_cert.pem TLS_KEY client_tls_key.pem The ca_chain.pem file is placed under /path/to/ca/cert. We are running ldapsearch on a Mac. Can anyone help us? Sid PS: we do see following on server: TLS trace: SSL_accept:before SSL initialization TLS trace: SSL_accept:before SSL initialization TLS trace: SSL_accept:SSLv3/TLS read client hello TLS trace: SSL_accept:SSLv3/TLS write server hello TLS trace: SSL_accept:SSLv3/TLS write certificate TLS trace: SSL_accept:SSLv3/TLS write key exchange TLS trace: SSL_accept:SSLv3/TLS write certificate request TLS trace: SSL_accept:SSLv3/TLS write server done

5 9

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2020