Q: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
by Ulrich Windl
Hi!
After systemd tore down one of our LDAP servers, I noticed the following message when the server was restarted:
slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
The next line logged was:
slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389)
(the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice)
The server is one of three MM servers that all have the same configuration and the same version.
The schema knows in olcAttributeTypes (olcSchemaConfig):
( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it some software issue in slapd?
Regards,
Ulrich
2 years, 10 months
back-ldap SASL proxy authorization
by Dieter Bocklandt
Hi!
We have a fairly standard OpenLDAP setup (on 2.4.49) running well, where
our replica instances chain writes back to the master using the chain
overlay. Relevant bits of configuration we're using below:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbIDAssertBind: mode=self flags=override,prescriptive tls_reqcert=never bindmethod=sasl saslmech=plain authcID=proxy credentials=XXXXX
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcDbProxyWhoAmI: TRUE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 8
olcDbSessionTrackingRequest: TRUE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbIdleTimeout: 5
.
.
.
dn: cn=proxy,ou=System,dc=example,dc=net
cn: proxy
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: XXXXX
authzTo: {0}dn.regex:^uid=[^,],ou=People,dc=example,dc=net$
Above works great, with the client identity being authorized through the
ProxyAuthz control.
However, we also have a service using SASL proxy authorization, in which
case the authcid is used in the ProxyAuthz instead of the authorized
authzid. Ldapwhoami works as expected and the username mentioned in the
session tracking request (visible in the producer's logs) is actually the
authzdn (being cn=enduser,ou=People,dc=example,dc=net in this example,
whereas cn=service,ou=system,dc=internal,dc=machines is the authcdn):
ldapwhoami -H ldaps://$(cat /etc/service_hostname) -U service -X dn:cn=enduser,ou=People,dc=example,dc=net -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
SASL username: dn:cn=enduser,ou=People,dc=example,dc=net
SASL SSF: 0
dn:cn=enduser,ou=People,dc=example,dc=net
Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 PROXYAUTHZ dn="cn=service,ou=system,dc=internal,dc=machines"
Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] MOD dn="uid=sys.cp.test,ou=People,dc=internal,dc=machines"
Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] MOD attr=klarnaItNote
Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] RESULT tag=103 err=0 text=
Am I misunderstanding how this is supposed to work, am I hitting a certain
limitation or maybe a bug? Let me know if you need any more details!
Thanks!
Dieter Bocklandt
3 years, 2 months
ldap_sasl_interactive_bind_s: Local error (-2) for SASL/GSS-SPNEGO
by Debashis Chaki
Hi ,
I have installed openldap but I am getting the following error while executing some basic commands using SASL/GSS-SPNEGO authentication, whereas SASL/EXTERNAL authentication works perfectly.
[root@dtgldap103 LdapCfg]# ldapsearch
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)
[root@dtgldap103 LdapCfg]# ldapwhoami
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)
[root@dtgldap103 LdapCfg]# ldapsearch -LLL -s base -b '' '(objectClass=*)' +
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)
[root@dtgldap103 LdapCfg]# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase=config
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase=config
# requesting: ALL
#
# {0}config, config
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@dtgldap103 openldap]# rpm -qa | grep ldap
sssd-ldap-1.15.2-50.el7_4.2.x86_64
openldap-clients-2.4.44-5.el7.x86_64
openldap-servers-sql-2.4.44-5.el7.x86_64
openldap-servers-2.4.44-5.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64
openldap-devel-2.4.44-5.el7.x86_64
openldap-2.4.44-5.el7.x86_64
nss-pam-ldapd-0.8.13-8.0.1.el7.x86_64
Please help me: how can I get out of this issue?
I am not able to proceed further with our openldap project without that.
Please let me know if you need any more details.
Thanks & Regards
Debashis Chaki
ProQuest | The Quorum, Barnwell Road | Cambridge | CB5 8SW | UK
debashis.chaki(a)proquest.com tel: +44 (0)1223 271257
3 years, 3 months
commit vs abort
by Sam Dave
Hi,
What is the difference between mdb_txn_commit() and mdb_txn_abort() for read-only transactions?
Thank you,
Samuel
3 years, 3 months
With MDB Openldap seems to be pretty slower in Windows
by Vijay Kumar
Hi Team,
Can you please share your inputs/suggestions on improving the performance of OpenLDAP with MDB on Windows, which is slow?
We have data for 110 users from performance testing, where we observed slowness on Windows 10.
If there any suggestions on tuning side, please let me know.
Thank you.
--
Thanks & Regards,
Vijay Kumar
+91-94944 44009
3 years, 3 months
Antw: [EXT] With MDB Openldap seems to be pretty slower in Windows
by Ulrich Windl
>>> Vijay Kumar <pasumarthivijaykumar(a)gmail.com> wrote on 28.02.2020 at 07:45 in message <15622_1582872629_5E58B835_15622_1813_1_CAKgG+3fagqROY8n5q_gpUZtzK1R10PJ+N1H=ZhxSx0-RzgrHg(a)mail.gmail.com>:
> Hi Team,
>
> Can you please share your inputs / suggestions on performance to increase
> the openldap with MDB in windows slowness.?
>
> We have a 110 users data by performance testing, where we observed slowness
> for windows 10 OS.
Actually I'm observing Windows 10 slowness all the time even without running OpenLDAP ;-)
Booting alone is about five times as long as for Windows 7 and with classical hard disks it's effectively unusable.
Regards,
Ulrich
3 years, 3 months
Re: Cannot configure TLS
by jean-christophe manciot
I did not mention that my Let's Encrypt certificate is not a SAN certificate but a wildcard one.
On Thu, Feb 27, 2020 at 1:10 PM jean-christophe manciot
<actionmystique(a)gmail.com> wrote:
>
> Hi everyone,
>
> On Ubuntu 20.04
> slapd 2.4.49+dfsg-1ubuntu1
> with /etc/ldap/tls.ldif:
> --------------------------
> dn: cn=config
> changetype: modify
> add: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/ssl/domain.crt
> -
> add: olcTLSCertificateKeyFile
> olcTLSCertificateKeyFile: /etc/ssl/domain_priv_key.pem.decrypted
> -
> add: olcTLSCACertificateFile
> olcTLSCACertificateFile: /etc/ssl/letsencrypt_root_intermediate_bundle.pem
>
> - All files are readable by the openldap user.
> - domain.crt is in pem format
> - letsencrypt_root_intermediate_bundle.pem contains isrgrootx1.pem +
> letsencryptauthorityx3.pem
> --------------------------
> Yet, if I run:
> ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f tls.ldif
>
> I get in the logs:
> --------------------------
> daemon: read active on 12
> daemon: epoll: listen=8 active_threads=0 tvp=zero
> daemon: epoll: listen=9 active_threads=0 tvp=zero
> daemon: epoll: listen=10 active_threads=0 tvp=zero
> daemon: activity on 1 descriptor
> conn=1001 op=1 MOD dn="cn=config"
> daemon: activity on:
> conn=1001 op=1 MOD attr=olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSCACertificateFile
>
> => access_allowed: result not in cache (olcTLSCertificateFile)
> => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested
> daemon: epoll: listen=8 active_threads=0 tvp=zero
> => acl_get: [1] attr olcTLSCertificateFile
> daemon: epoll: listen=9 active_threads=0 tvp=zero
> => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested
> daemon: epoll: listen=10 active_threads=0 tvp=zero
> => acl_mask: to value by
> "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> <= acl_mask: [1] applying manage(=mwrscxd) (stop)
> <= acl_mask: [1] mask: manage(=mwrscxd)
> => slap_access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: result not in cache (olcTLSCertificateKeyFile)
> => access_allowed: add access to "cn=config"
> "olcTLSCertificateKeyFile" requested
> => acl_get: [1] attr olcTLSCertificateKeyFile
> => acl_mask: access to entry "cn=config", attr
> "olcTLSCertificateKeyFile" requested
> => acl_mask: to value by
> "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> <= acl_mask: [1] applying manage(=mwrscxd) (stop)
> <= acl_mask: [1] mask: manage(=mwrscxd)
> => slap_access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: result not in cache (olcTLSCACertificateFile)
> => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested
> => acl_get: [1] attr olcTLSCACertificateFile
> => acl_mask: access to entry "cn=config", attr
> "olcTLSCACertificateFile" requested
> => acl_mask: to value by
> "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0)
> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> <= acl_mask: [1] applying manage(=mwrscxd) (stop)
> <= acl_mask: [1] mask: manage(=mwrscxd)
> => slap_access_allowed: add access granted by manage(=mwrscxd)
> => access_allowed: add access granted by manage(=mwrscxd)
> conn=1001 op=1 RESULT tag=103 err=80 text=
> daemon: activity on 1 descriptor
> daemon: activity on:
> 12r
> --------------------------
>
> What is going on?
> My logging attributes are: conns filter config acl stats stats2 shell parse
> Is there a way to get more explicit logging?
> -
> Jean-Christophe
--
Jean-Christophe
3 years, 3 months
ldapsearch with DN in CN
by Möller Lioh
Hi all,
I am trying to do an ldapsearch against our Active Directory LDAPS like:
ldapsearch -d1 -x -LLL -D 'CN=serviceaccount,OU=spec,DC=mydomain,DC=ch' -W -H ldaps://ldap.mydomain.ch:636 -b 'OU=my-users,DC=mydomain,DC=ch' -s sub '(memberOf=CN=grp-admins,OU=my-groups,DC=mydomain,DC=ch)'
The domain controllers have certificates generated with CNs like this:
subject: /DC=ch/DC=mydomain/OU=Domain Controllers/CN=DC01,
and a SAN defined as ldap.mydomain.ch.
Yet, I got an error like:
TLS: hostname (ldap.mydomain.ch) does not match common name in certificate (DC01).
An interesting fact is that if the CN is set to the fqdn like
dc01.mydomain.ch (not ldap.mydomain.ch), it works perfectly (with
ldap.mydomain.ch as SAN).
Isn't ldapsearch 2.4.44 capable of working with DN in subject (CN) or
does it fail to lookup the SAN in such case?
Greetings
Lioh
3 years, 3 months
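The post above turns on one question: when a certificate has both a subject CN and a subjectAltName dNSName, which one should the client compare against the hostname? RFC 6125 (section 6.4.4) is explicit: if the certificate presents any dNSName, only those are consulted and the CN is ignored; the CN is a fallback for certificates with no dNSName at all. The C example below is an added illustration of that rule and is not OpenLDAP's libldap code; it works on already-parsed identifiers (the SAN dNSName strings and the CN) rather than on an X.509 object, and the helper names, the `DC01`/`ldap.mydomain.ch` scenario from the post and the hypothetical CN-only wildcard certificate are all assumptions made for the example. It also applies the conservative wildcard rules most clients use (wildcard only as the whole leftmost label, matching exactly one label, never on a two-label name), which touches the wildcard certificate from the "Cannot configure TLS" thread as well.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two DNS names (labels are ASCII). */
static bool dns_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

static int count_labels(const char *s)
{
    int n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Match one presented identifier (a dNSName SAN or a CN) against the
 * reference hostname.  A wildcard is accepted only as the whole leftmost
 * label, only when at least two labels follow it (so "*.ch" never matches),
 * and it matches exactly one non-empty label: "*.mydomain.ch" matches
 * ldap.mydomain.ch but neither mydomain.ch nor a.b.mydomain.ch. */
static bool match_dns_id(const char *host, const char *pattern)
{
    const char *dot;

    if (host[0] == '\0' || pattern[0] == '\0')
        return false;
    if (strchr(pattern, '*') == NULL)
        return dns_eq(host, pattern);
    /* wildcard form: "*." then the rest, with no further '*' anywhere */
    if (pattern[0] != '*' || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return false;
    if (count_labels(pattern) < 3)
        return false;
    dot = strchr(host, '.');
    if (dot == NULL || dot == host)          /* host needs a non-empty first label */
        return false;
    return dns_eq(dot + 1, pattern + 2);
}

/* Verify a hostname against the identifiers found in a certificate.
 * RFC 6125 section 6.4.4: when the certificate carries any dNSName SAN,
 * only those are consulted and the subject CN is ignored; the CN is a
 * fallback for certificates that have no dNSName at all.
 * Returns 1 on match, 0 on mismatch. */
int check_hostname(const char *host, const char *const *san_dns, size_t n_san, const char *cn)
{
    size_t i;

    if (n_san > 0) {
        for (i = 0; i < n_san; i++)
            if (match_dns_id(host, san_dns[i]))
                return 1;
        return 0;                   /* deliberately no CN fallback here */
    }
    return (cn != NULL && match_dns_id(host, cn)) ? 1 : 0;
}

/* The certificate shape from the post: CN=DC01 plus SAN dNSName ldap.mydomain.ch. */
int dc_cert_matches(const char *host)
{
    static const char *const san[] = { "ldap.mydomain.ch" };
    return check_hostname(host, san, 1, "DC01");
}

/* Hypothetical wildcard certificate that carries no SAN, only CN=*.mydomain.ch. */
int wildcard_cn_only_matches(const char *host)
{
    return check_hostname(host, NULL, 0, "*.mydomain.ch");
}

int main(void)
{
    printf("DC01 cert, ldap.mydomain.ch -> %d\n", dc_cert_matches("ldap.mydomain.ch"));
    printf("DC01 cert, dc01.mydomain.ch -> %d\n", dc_cert_matches("dc01.mydomain.ch"));
    printf("DC01 cert, DC01             -> %d\n", dc_cert_matches("DC01"));
    printf("*.mydomain.ch CN, ldap.mydomain.ch -> %d\n", wildcard_cn_only_matches("ldap.mydomain.ch"));
    printf("*.mydomain.ch CN, a.b.mydomain.ch  -> %d\n", wildcard_cn_only_matches("a.b.mydomain.ch"));
    return 0;
}
```

Note that with a dNSName present, even a client that connects to `DC01` by its bare CN gets a mismatch under this rule; a client that instead falls back to the CN whenever the SAN walk fails will produce exactly the "does not match common name" wording seen in the post, so the message alone does not tell you whether the SAN was compared first.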
Warnings in mdb.c generated by CodeSonar
by Christian Wendt
Dear List,
I have run CodeSonar on a project using lmdb. I have downloaded lmdb-0.9.70.tar.gz. These warnings are a "Copy-Paste" error and "Use of memory after free". I would like to share the details to help find out whether these are real or false positives.
The copy-paste warning is generated by code around lines 8870f in mdb.c. In the first block, csrc-> is used throughout, in the second block cdst-> is used, except in one line:
/* Update the parent separators.
*/
if (csrc->mc_ki[csrc->mc_top] == 0) {
if (csrc->mc_ki[csrc->mc_top-1] != 0) {
if (IS_LEAF2(csrc->mc_pg[csrc->mc_top])) {
key.mv_data = LEAF2KEY(csrc->mc_pg[csrc->mc_top], 0, key.mv_size);
} else {
srcnode = NODEPTR(csrc->mc_pg[csrc->mc_top], 0);
key.mv_size = NODEKSZ(srcnode);
key.mv_data = NODEKEY(srcnode);
}
DPRINTF(("update separator for source page %"Yu" to [%s]",
csrc->mc_pg[csrc->mc_top]->mp_pgno, DKEY(&key)));
mdb_cursor_copy(csrc, &mn);
mn.mc_snum--;
mn.mc_top--;
/* We want mdb_rebalance to find mn when doing fixups */
WITH_CURSOR_TRACKING(mn,
rc = mdb_update_key(&mn, &key));
if (rc)
return rc;
}
if (IS_BRANCH(csrc->mc_pg[csrc->mc_top])) {
MDB_val nullkey;
indx_t ix = csrc->mc_ki[csrc->mc_top];
nullkey.mv_size = 0;
csrc->mc_ki[csrc->mc_top] = 0;
rc = mdb_update_key(csrc, &nullkey);
csrc->mc_ki[csrc->mc_top] = ix;
mdb_cassert(csrc, rc == MDB_SUCCESS);
}
}
if (cdst->mc_ki[cdst->mc_top] == 0) {
if (cdst->mc_ki[cdst->mc_top-1] != 0) {
if (IS_LEAF2(csrc->mc_pg[csrc->mc_top])) {
/*
Copy-Paste Error [help] <http://codesonar.rd.skov.com:7340/install/codesonar/doc/html/CodeSonar.ht...>
This block of text appears to be a modified copy of the highlighted text. Did you intend to consistently change csrc to cdst, including here?
*/
key.mv_data = LEAF2KEY(cdst->mc_pg[cdst->mc_top], 0, key.mv_size);
} else {
srcnode = NODEPTR(cdst->mc_pg[cdst->mc_top], 0);
key.mv_size = NODEKSZ(srcnode);
key.mv_data = NODEKEY(srcnode);
}
DPRINTF(("update separator for destination page %"Yu" to [%s]",
cdst->mc_pg[cdst->mc_top]->mp_pgno, DKEY(&key)));
mdb_cursor_copy(cdst, &mn);
mn.mc_snum--;
mn.mc_top--;
/* We want mdb_rebalance to find mn when doing fixups */
WITH_CURSOR_TRACKING(mn,
rc = mdb_update_key(&mn, &key));
if (rc)
return rc;
}
if (IS_BRANCH(cdst->mc_pg[cdst->mc_top])) {
MDB_val nullkey;
indx_t ix = cdst->mc_ki[cdst->mc_top];
nullkey.mv_size = 0;
cdst->mc_ki[cdst->mc_top] = 0;
rc = mdb_update_key(cdst, &nullkey);
cdst->mc_ki[cdst->mc_top] = ix;
mdb_cassert(cdst, rc == MDB_SUCCESS);
}
}
The second error is triggered by the loop freeing loose pages at line 3451 in mdb.c: NEXT_LOOSE_PAGE(mp) would access memory that is freed before, if mp points to an overflow page with more than one page allocated. If this is never the case, then maybe mdb_page_free() should be called on mp directly?
for (; mp; mp = NEXT_LOOSE_PAGE(mp)) {
/*
Use After Free [help] <http://codesonar.rd.skov.com:7340/install/codesonar/doc/html/CodeSonar.ht...>
The memory pointed to by mp was freed at mdb.c:2047 and is read from here.
*/
mdb_midl_xappend(txn->mt_free_pgs, mp->mp_pgno);
/* must also remove from dirty list */
if (txn->mt_flags & MDB_TXN_WRITEMAP) {
for (x=1; x<=dl[0].mid; x++)
if (dl[x].mid == mp->mp_pgno)
break;
mdb_tassert(txn, x <= dl[0].mid);
} else {
x = mdb_mid2l_search(dl, mp->mp_pgno);
mdb_tassert(txn, dl[x].mid == mp->mp_pgno);
}
dl[x].mptr = NULL;
mdb_dpage_free(env, mp);
mdb_dpage_free(MDB_env *env, MDB_page *dp)
{
if (!IS_OVERFLOW(dp) || dp->mp_pages == 1) {
mdb_page_free(env, dp);
} else {
/* large pages just get freed directly */
VGMEMP_FREE(env, dp);
free(dp);
}
}
I hope you can follow these descriptions, I can provide more detail if needed. I would like to get some help figuring out how to resolve these warnings.
Best regards,
Christian Wendt
Software developer
Ext: +45 7217 5943
______________________________________
SKOV A/S
Hedelund 4, Glyngoere, 7870 Roslev, Denmark
Tel.: +45 7217 5555 - Fax: +45 7217 5959
www.skov.com<http://www.skov.com/>
3 years, 3 months
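The second warning in the post points at a loop shape that is worth recognising on its own: the body releases the current node and the loop's increment expression then reads the link out of that node. Whether LMDB's loose-page path really reaches freed memory depends on what mdb_dpage_free() does with a loose page, which is exactly what the post asks; the C example below is an added illustration of the generic pattern and is not LMDB code. It uses a static pool and a poisoning release (standing in for what ASan or a debug allocator does to freed memory) so that the defect is observable without the program itself executing undefined behaviour: the buggy walk releases one node and stops, the fixed walk captures the link before releasing. The `struct node`, `poison_free` and the two `release_list_*` functions are names invented for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for LMDB's loose-page list: every node stores the link
 * to the next node inside itself, which is what makes "release the node in
 * the loop body, read its link in the loop increment" a hazard. */
struct node {
    struct node *next;
    unsigned long id;
};

#define POOL_SIZE 8
static struct node pool[POOL_SIZE];     /* static storage: no malloc, no real UB below */
static size_t freed_count;

/* Build a list of `count` linked nodes with ids 1..count (assumed sample input). */
struct node *build_list(size_t count)
{
    size_t i;
    if (count == 0 || count > POOL_SIZE)
        return NULL;
    for (i = 0; i < count; i++) {
        pool[i].id = i + 1;
        pool[i].next = (i + 1 < count) ? &pool[i + 1] : NULL;
    }
    freed_count = 0;
    return &pool[0];
}

/* Poisoning release, standing in for what ASan or a debug allocator does:
 * the node stays addressable (so this demo has no undefined behaviour) but
 * its contents are clobbered, so a read of n->next after release is
 * observably wrong.  With a plain free() that read is undefined behaviour
 * and usually *appears* to work, which is why the pattern survives review. */
static void poison_free(struct node *n)
{
    n->next = NULL;
    n->id = 0xDEADBEEFUL;
    freed_count++;
}

/* BUGGY: same shape as `for (; mp; mp = NEXT_LOOSE_PAGE(mp)) { ... free(mp); }`.
 * The increment expression reads n->next from a node the body just released.
 * Returns the number of nodes it managed to release. */
size_t release_list_buggy(struct node *head)
{
    struct node *n;
    size_t released = 0;
    for (n = head; n != NULL; n = n->next) {   /* n->next read after poison_free(n) */
        poison_free(n);
        released++;
    }
    return released;
}

/* FIXED: capture the link before the node is released. */
size_t release_list_fixed(struct node *head)
{
    struct node *n, *next;
    size_t released = 0;
    for (n = head; n != NULL; n = next) {
        next = n->next;                         /* read while n is still live */
        poison_free(n);
        released++;
    }
    return released;
}

size_t nodes_freed(void)
{
    return freed_count;
}

int main(void)
{
    printf("buggy walk released %zu of 4 nodes\n", release_list_buggy(build_list(4)));
    printf("fixed walk released %zu of 4 nodes\n", release_list_fixed(build_list(4)));
    return 0;
}
```

The same discipline answers the poster's last suggestion: if the callee may return the node to the system allocator on some path, nothing that runs after the call (including the loop increment) may touch the node, so the link has to be read first regardless of which free routine is called.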
How to simulate slow queries?
by Andrey Brindeyev
Hello!
I'm trying to debug a specific issue that is related to slow queries, so I need a way to simulate slow LDAP server responses.
It will be optimal if I can set a specific number of seconds per query shape, but a general (configured) delay is fine too.
I've already tried the retcode overlay, and I think it only simulates the slow bind scenarios and not the slow query responses.
Here's an excerpt from my slapd.conf:
overlay retcode
retcode-parent "ou=Users,dc=acme,dc=qa"
#retcode-item "uid=mdb" 0x00
retcode-item "uid=mdb" 0x00 sleeptime=4
retcode-item "cn=user1" 0x00
retcode-item "cn=user2" 0x00
retcode-item "cn=user3" 0x00
retcode-item "cn=user4" 0x00
retcode-item "cn=user5" 0x00
If there's no way this can be configured using existing options in OpenLDAP, I would appreciate advice on where in the source code I need to insert the sleep construct. Ideally, it should work with the retcode overlay, so that I can test the slow bind scenarios and slow query responses at the same time.
Thanks,
Andrey.
3 years, 3 months