openldap-technical@openldap.org

27 participants
24 discussions

by Giuseppe

Hi to all, for my companty I'm triing to setup a LDAP proxy to our Active Direcory implementation, after some time I have found several problems on some critical application that does not support multiple OU anche CN formed by "Surname Name" caused by the bad structure and nomenclature on the AD, but we cant change it. To work around the problem I have used the rwm module to rewrite the client binddn query part to AD format name.surname@domain, but the proxy return: [root@client ~]# ldapsearch -H ldap://192.168.29.134 ��-D "CN=Name.Surname,OU=subou,OU=Users HOUSE,DC=domain,DC=int" -W ldap_bind: Invalid syntax (21) �� additional info: bindDN massage error �� some logs: Nov ��3 21:32:33 proxy slapd[1309]: conn=1001 op=0 do_bind Nov ��3 21:32:33 proxy slapd[1309]: >>> dnPrettyNormal: <CN=Name.Surname,OU=subou,OU=Users HOUSE,DC=domain,DC=int> Nov ��3 21:32:33 proxy slapd[1309]: <<< dnPrettyNormal: <cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int>, <cn=Name.Surname,ou=subou,ou=users house,dc=domain,dc=int> Nov ��3 21:32:33 proxy slapd[1309]: conn=1001 op=0 BIND dn="cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" method=128 Nov ��3 21:32:33 proxy slapd[1309]: do_bind: version=3 dn="cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" method=128 Nov ��3 21:32:33 proxy slapd[1309]: daemon: activity on 1 descriptor Nov ��3 21:32:33 proxy slapd[1309]: daemon: activity on: Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_context_apply [depth=1] string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' Nov ��3 21:32:33 proxy slapd[1309]: Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)] Nov ��3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Nov ��3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Nov ��3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=9 active_threads=0 tvp=NULL Nov ��3 21:32:33 proxy slapd[1309]: daemon: epoll: listen=10 active_threads=0 tvp=NULL Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)] Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)] Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)] Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_rule_apply rule='^([C,c][N,n]=)([^.]*)\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$' string='cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int' [1 pass(es)] Nov ��3 21:32:33 proxy slapd[1309]: ==> rewrite_context_apply [depth=1] res={0,'Name.Surname(a)domain.int'} Nov ��3 21:32:33 proxy slapd[1309]: [rw] bindDN: "cn=Name.Surname,ou=subou,ou=Users HOUSE,dc=domain,dc=int" -> "Name.Surname(a)domain.int" Nov ��3 21:32:33 proxy slapd[1309]: >>> dnPrettyNormal: <Name.Surname(a)domain.int> Nov ��3 21:32:33 proxy slapd[1309]: send_ldap_result: conn=1001 op=0 p=3 Nov ��3 21:32:33 proxy slapd[1309]: send_ldap_result: err=21 matched="" text="bindDN massage error" Nov ��3 21:32:33 proxy slapd[1309]: send_ldap_response: msgid=1 tag=97 err=21 Nov ��3 21:32:33 proxy slapd[1309]: conn=1001 op=0 RESULT tag=97 err=21 text=bindDN massage error I have downloaded the source code for try to remove or skip this check, but with my few programming skills after a month I haven't find the solution. So there is a way (or a better way) to accomplish this need? Best regards, Giuseppe. Config file of my test env: ### Schema includes ########################################################### #include �� /etc/ldap/schema/corba.schema #include �� /etc/ldap/schema/core.schema #include �� /etc/ldap/schema/cosine.schema #include �� /etc/ldap/schema/duaconf.schema #include �� /etc/ldap/schema/dyngroup.schema #include �� /etc/ldap/schema/inetorgperson.schema #include �� /etc/ldap/schema/java.schema #include �� /etc/ldap/schema/misc.schema #include �� /etc/ldap/schema/nis.schema #include �� /etc/ldap/schema/openldap.schema #include �� /etc/ldap/schema/ppolicy.schema #include �� /etc/ldap/schema/collective.schema #include �� /etc/openldap/schema/ad.schema include �� /etc/openldap/schema/corba.schema include �� /etc/openldap/schema/core.schema include �� /etc/openldap/schema/cosine.schema #include �� /etc/ldap/schema/duaconf.schema #include �� /etc/ldap/schema/dyngroup.schema include �� /etc/openldap/schema/inetorgperson.schema #include �� /etc/ldap/schema/java.schema include �� /etc/openldap/schema/misc.schema include �� /etc/openldap/schema/nis.schema #include �� /etc/ldap/schema/openldap.schema #include �� /etc/ldap/schema/ppolicy.schema #include �� /etc/ldap/schema/collective.schema include �� /etc/openldap/schema/ad.schema # ## Module paths ############################################################## #modulepath �� /usr/lib/ldap/ moduleload �� back_ldap moduleload �� rwm overlay �� rwm rwm-rewriteEngine �� on rwm-rewriteContext �� bindDN rwm-rewriteRule �� "^([C,c][N,n]=)([^.]*)\\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "$2.$3(a)domain.int" ":@I" #rwm-rewriteRule �� "^([C,c][N,n]=)([^.]*)\\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "domain\\$2.$3" ":@I" #rwm-rewriteRule �� "^([C,c][N,n]=)([^.]*)\\.([^.]*)(,[O,o][U,u][^.]*)(,[O,o][U,u][^.]*)$" "CN=$3 $2$4$5" ":@I" # Main settings ############################################################### pidfile �� /var/run/openldap/slapd.pid argsfile �� /var/run/openldap/slapd.args allow bind_v2 ### Database definition (Proxy to AD) ######################################### database �� config database �� ldap readonly �� yes protocol-version �� 3 rebind-as-user uri �� "ldap://192.168.29.133:389" suffix �� "dc=domain,dc=int" rootdn �� "CN=Administrator,CN=Users,DC=domain,DC=int" rootpw �� "hidden" idassert-bind bindmethod=simple �� binddn="CN=Administrator,CN=Users,DC=domain,DC=int" �� credentials="hidden" �� mode=none �� flags=non-prescriptive idassert-authzFrom "*" #overlay �� rwm rwm-map �� attribute �� uid �� sAMAccountName rwm-map �� attribute �� mail �� proxyAddresses ### Logging ################################################################### loglevel �� -1

2 years, 2 months

3
2
0 / 0

How does docker deployed ldap realize mailbox login

by HaoDongZ

Hello: The ldap deployed by my docker can now log in with account and password. How to log in to ldap by email? I deployed tls authentication, how do I log in to ldap by email? My deployment reference document: https://github.com/osixia/docker-openldap#tls -- HaoDongZ Beijing Dongcheng District

2 years, 2 months

2
3
0 / 0

ppolicy issues

by Kresimir Petkovic

Hi guys, I'm having issues trying to setup multiple databases with different password hash algos. My first db has to have plaintext passwords and I'm using password-hash {CLEARTEXT} overlay ppolicy ppolicy_hash_cleartext and my second one needs to use SHA for password hash. I have it like this in slapd.conf password-hash {SHA} overlay ppolicy ppolicy_hash_cleartext When I insert user in ldap via ldapadd it stores plaintext password for that user in userPassword attribute. Can I have different password-hash directives for each database? Or my ppolicy overlay doesn't work. Thanks in advance. BR, Kreso

2 years, 3 months

2
1
0 / 0

openldap on RHEL 8 - can't get TLS connectivity

by Heinemann, Peter G

Good Day, Working on moving from RHEL6 to RHEL8. Given the drop in support for openldap in RHEL8 I've installed the symas-openldap distros. Here are the versions in play: cat /etc/redhat-release Red Hat Enterprise Linux release 8.2 (Ootpa) sudo yum list installed | grep openldap openldap.x86_64 2.4.46-9.el8 @rhel-8-for-x86_64-baseos-rpms symas-openldap.x86_64 2.4.55-1.el8 @sofl symas-openldap-clients.x86_64 2.4.55-1.el8 @sofl symas-openldap-servers.x86_64 2.4.55-1.el8 @sofl $ openssl version OpenSSL 1.1.1c FIPS 28 May 2019 I can't get any TLS connections to succeed, even if I try ldapsearch from the local (ldap server) host. The net error is cipher incompatibility; here's the output from a local ldapsearch: ldap_url_parse_ext(ldaps://dev-pnldap1.net.isc.upenn.edu:636) ldap_create ldap_url_parse_ext(ldaps://dev-pnldap1.net.isc.upenn.edu:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP dev-pnldap1.net.isc.upenn.edu:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 130.91.185.254:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS trace: SSL_connect:before SSL initialization TLS trace: SSL_connect:SSLv3/TLS write client hello TLS trace: SSL3 alert read:fatal:handshake failure TLS trace: SSL_connect:error in error TLS: can't connect: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure. ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) I had slapd running in foreground for that ldapsearch, here's the output: TLS trace: SSL_accept:before SSL initialization tls_read: want=5, got=5 0000: 16 03 01 01 26 ....& tls_read: want=294, got=294 0000: 01 00 01 22 03 03 cb 02 a0 2f ea 25 ad d7 c9 8e ..."...../.%.... 0010: f0 32 a4 1e a9 46 be af 48 9e e6 23 53 44 d2 f7 .2...F..H..#SD.. 0020: e0 9d 99 82 50 17 20 dd fa 96 00 76 ab ce a7 ec ....P. ....v.... 0030: 2b b9 e6 51 e0 77 78 2d ca 73 4c f4 eb 62 ed 62 +..Q.wx-.sL..b.b 0040: 97 3b d4 ea ea 16 ab 00 48 13 02 13 03 13 01 13 .;......H....... 0050: 04 c0 2c c0 30 cc a9 cc a8 c0 ad c0 2b c0 2f c0 ..,.0.......+./. 0060: ac c0 23 c0 27 c0 0a c0 14 c0 09 c0 13 00 9d c0 ..#.'........... 0070: 9d 00 9c c0 9c 00 3d 00 3c 00 35 00 2f 00 9f cc ......=.<.5./... 0080: aa c0 9f 00 9e c0 9e 00 6b 00 67 00 39 00 33 00 ........k.g.9.3. 0090: ff 01 00 00 91 00 0b 00 04 03 00 01 02 00 0a 00 ................ 00a0: 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00 ..............#. 00b0: 00 00 16 00 00 00 17 00 00 00 0d 00 30 00 2e 04 ............0... 00c0: 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 ................ 00d0: 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 03 ................ 00e0: 01 02 01 03 02 02 02 04 02 05 02 06 02 00 2b 00 ..............+. 00f0: 05 04 03 04 03 03 00 2d 00 02 01 01 00 33 00 26 .......-.....3.& 0100: 00 24 00 1d 00 20 8a 31 32 cf fd 40 46 5d aa b6 .$... .12..@F].. 0110: 4b 31 fb a2 6d 47 92 f9 46 25 02 ce 62 7a cf 0b K1..mG..F%..bz.. 0120: 93 38 00 37 7f 2f .8.7./ TLS trace: SSL_accept:before SSL initialization tls_write: want=7, written=7 0000: 15 03 03 00 02 02 28 ......( TLS trace: SSL3 alert write:fatal:handshake failure TLS trace: SSL_accept:error in error TLS: can't accept: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher. 5fa072c7 connection_read(11): TLS accept failure error=-1 id=1000, closing I've tried various combinations of TLSProtocolMin (3.3, 3.2, and not specifying at all) and the result is the same. I tried specifiying the ciphers currently supported by openssl in TLSCipherSuite, same erros. Running some outside utilities give the same information. nmap: no ciphers returned for the rhel8 system: nmap --script ssl-enum-ciphers -p 636 dev-pnldap1.net.isc.upenn.edu -Pn Starting Nmap 5.51 ( http://nmap.org ) at 2020-11-02 16:25 EST Nmap scan report for dev-pnldap1.net.isc.upenn.edu (130.91.185.254) Host is up (0.0014s latency). PORT STATE SERVICE 636/tcp open ldapssl Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds rhel6 system: $ nmap --script ssl-enum-ciphers -p 636 dev-pnldap2.net.isc.upenn.edu -Pn Starting Nmap 5.51 ( http://nmap.org ) at 2020-11-02 16:25 EST Nmap scan report for dev-pnldap2.net.isc.upenn.edu (130.91.185.136) Host is up (0.0019s latency). PORT STATE SERVICE 636/tcp open ldapssl | ssl-enum-ciphers: | TLSv1.2 | Ciphers (14) | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_RSA_WITH_RC4_128_MD5 | TLS_RSA_WITH_RC4_128_SHA | Compressors (1) |_ uncompressed Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds Thanks in advance for any suggestions or corrections. Peter

2 years, 3 months

2
1
0 / 0

← Newer
1
2
3
Older →

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2020