openldap-technical May 2020

openldap-technical@openldap.org

30 participants
33 discussions

replication issue. Incorrect ACL?
by Gao 20 May '20

20 May '20

Hello, We have two Openldap server in master-slave replication. I just found that a replication issue on the slave and I think it is ACL related. Few weeks ago I added ACL on the master (ldap-01) to allow user change their own password: dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub structuralObjectClass: olcHdbConfig entryUUID: 3b7e5722-d26f-1035-7735-91213c5bb357 creatorsName: cn=config createTimestamp: 20160629180122Z olcSuffix: dc=van,dc=company,dc=com olcRootDN: cn=Manager,dc=van,dc=company,dc=com olcRootPW:: e1NTSEF9cEpWbEIzOEh4UXJpcjnvSUl2enZzWTF1akt4Nnd6OTk= olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.ba se="cn=Manager,dc=van,dc=company,dc=com" write by * none olcAccess: {1}to * by self write by dn="cn=Manager,dc=van,dc=company,dc= com" write by * read entryCSN: 20200504150528.806636Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20200504150528Z Now I found on the slave(ldap-03) all userPassword attributes is disappeared. So I think the ACL may blocked the replication. I think I need add the replication user (rpuser) to the ACL on the master and allow the rpuser read(or RW?) access. Could someone check my ACL and see if my guess is correct? If so then how do I add (or append?) the ACL to allow replication of the userPassword? Thank you in advance. Gao

3 5

Antw: [EXT] Re: replication issue. Incorrect ACL?
by Ulrich Windl 20 May '20

20 May '20

>>> Andreas Hasenack <andreas(a)canonical.com> schrieb am 20.05.2020 um 15:04 in Nachricht <17575_1589979873_5EC52AE0_17575_76_1_CANYNYEHQ0+sBtbuO8zDKcaZChDxPPB6WC0tWabWWM yLgVtkYA(a)mail.gmail.com>: >> olcRootDN: cn=Manager,dc=van,dc=company,dc=com >> olcRootPW:: e1NTSEF9cEpWbEIzOEh4UXJpcjnvSUl2enZzWTF1akt4Nnd6OTk= > > You should change that password now, since you just shared its SSHA > hash to the world ;) ...what makes me wonder how long it takes these days to create a valid password from a salted SHA-1 hash... [...]

2 1

Disable overlays
by Jean-Luc Chandezon 18 May '20

18 May '20

Hello, I don't how to disable overlays (ppolicy or sync for example). Is it possible? Thanks, Jean-Luc

2 1

"GSSAPI Error: No credentials were supplied ... unknown mech-code 0 for mech unknown"
by Braiam 15 May '20

15 May '20

Hi, I'm trying to get slapd to use heimdal kerberos to provide a single authentication backend for my network. I've followed the Administrator's Guide on SASL[1] and cyrus faq entry about connecting OpenLDAP with GSSAPI[2]. I'm stuck at the what I believe is a misunderstanding from my part. I believe when I use -Y GSSAPI I should be using my braiam/admin credentials, but according to SASL facility in slapd I'm not providing any. strace confirms that it reads the /tmp/krb5cc_1000 file correctly. I'm very confused as to how to proceed since most of the relevant results point to having not kinit'd. I'm using Debian stable, slapd=2.4.47+dfsg-3+deb10u1, libsasl2-modules-gssapi-heimdal=2.1.27+dfsg-1+deb10u1. debian@ldap01:~$ sudo ktutil -k /etc/krb5.keytab list /etc/krb5.keytab: Vno Type Principal Aliases 4 aes256-cts-hmac-sha1-96 host/ldap01.example.com(a)EXAMPLE.COM 4 des3-cbc-sha1 host/ldap01.example.com(a)EXAMPLE.COM 4 arcfour-hmac-md5 host/ldap01.example.com(a)EXAMPLE.COM 9 aes256-cts-hmac-sha1-96 ldap/ldap01.example.com(a)EXAMPLE.COM 9 des3-cbc-sha1 ldap/ldap01.example.com(a)EXAMPLE.COM 9 arcfour-hmac-md5 ldap/ldap01.example.com(a)EXAMPLE.COM debian@ldap01:~$ klist Credentials cache: FILE:/tmp/krb5cc_1000 Principal: braiam/admin(a)EXAMPLE.COM Issued Expires Principal May 12 20:34:05 2020 May 13 20:34:05 2020 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM May 12 20:34:11 2020 May 13 20:34:05 2020 ldap/ldap01.example.com(a)EXAMPLE.COM debian@ldap01:~$ ldapsearch -LLL -Y GSSAPI -s "base" -b "" supportedSASLMechanisms -H $ldap_host SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown) [1]: http://www.openldap.org/doc/admin24/sasl.html [2]: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html -- Braiam

3 4

Help for setting-up an ldap-proxy
by lists＠zxt10d.de 14 May '20

14 May '20

Hello, I'm pretty new to this list, and maybe/hopefully someone could help ... I work at a chair at a german university, and we would like to use the central AD of theat university for our chair - by using a ldap-proxy system, so that there's only one connection to the central AD, and not ~70 (all of our computers, etc.). I can search the AD by using this (modified) command: ldapsearch -LLL "(cn=FIRSTNAME LASTNAME)" -H ldaps://ldap.UNIVERSITY.de -b dc=university,dc=de -D cn=special,ou=group,dc=university,dc=de -W For locally installed applications I can use this /etc/pam_ldap.conf: uri ldaps://ldap.university.de host ldap.university.de base ou=group,ou=hosts,dc=university,dc=de ldap_version 3 binddn cn=special,ou=group,dc=university,dc=de bindpw password pam_password crypt ssl start_tls ssl on To set-up the local ldap-proxy, I tried to follow this description, but it won't work (and I guess its not realy correct, as the config-file is there twice): https://doc.owncloud.com/server/admin_manual/configuration/ldap/ldap_proxy_… When running "slaptest -f /etc/ldap/slapd.conf" I get these errors: 5ebd3ec5 /etc/ldap/slapd.conf: line 102: warning, source attributeType 'dn' should be defined in schema 5ebd3ec5 PROXIED attributeDescription "DN" inserted. 5ebd3ec5 hdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2). Expect poor performance for suffix "ou=group,ou=hosts,dc=university,dc=de". 5ebd3ec5 hdb_db_open: database "ou=lsafp,ou=hosts,dc=university,dc=de": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2). 5ebd3ec5 backend_startup_one (type=hdb, suffix="ou=group,ou=hosts,dc=university,dc=de"): bi_db_open failed! (2) 5ebd3ec5 backend_startup_one (type=ldap, suffix="ou=group,ou=hosts,dc=university,dc=de"): bi_db_open failed! (2) slap_startup failed (test would succeed using the -u switch) Now my questions: - where and how to put the data to do a query versus the central AD? (binddn & bindpw part) - where to define the local ldap-database? (I guess that has to be created an will be filled automatically...?) The system I'm using is a Debian 10.4 one. slapd -V: @(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $ Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org> Sorry, english is not my native language ... Thanks a lot for reading! ;) Cheers, Torsten

1 0

Can't get LDAPS connection with OpenLDAP as a Proxy working (error:14090086)
by a.leurs＠consense-gmbh.de 13 May '20

13 May '20

Hello, I'm farely now to OpenLDAP. I have successfully build a connection to an Windows Active Directory with LDAP over Port 389. But when I switch to LDAPS and Port 636 and try a connection via the Softerra LDAP Browser I get the following error: TLS certificate verification: Error, unable to get local issuer certificate TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate). I have installed the certificate of the Server I want to connect to on my machine. But I still get this error. Does anyone have an idea why this error happens? Here is my slapd.conf-File: # MDB Backend configuration file # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. ucdata-path ./ucdata include ./schema/core.schema include ./schema/cosine.schema include ./schema/nis.schema include ./schema/inetorgperson.schema #include ./schema/openldap.schema #include ./schema/dyngroup.schema pidfile ./run/slapd.pid argsfile ./run/slapd.args loglevel 256 sizelimit unlimited timelimit unlimited ####################################################################### # mdb database definitions ####################################################################### database meta suffix "dc=example,dc=com" uri "ldaps://dc001.example.com:636/DC=example,DC=com"

2 1

Ldap attribute error
by Technology Server 11 May '20

11 May '20

Dear, After trying to reset LDAP user password , we are getting the following error. main[9834]: conn=4965799 op=1 MOD dn="uid=########################################" main[9834]: conn=4965799 op=1 MOD attr=userPassword [9834]: conn=4965799 op=1 RESULT tag=103 err=17 text=entry update failed [9834]: conn=4965799 fd=16 closed (connection lost) error 17 is receiving for other attribute also which are already defined. Can you please suggest on this issue?

3 2

ldapmodify: ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
by nisgopee＠gmail.com 07 May '20

07 May '20

Commad: ldapmodify -Y external -H ldapi:/// -f enable-ldap-log.ldif Returns: SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) # cat enable-ldap-log.ldif dn: cn=config changeType: modify add: olcLogLevel olcLogLevel: stats # ldapmodify -Y external -H ldapi:/// -f enable-ldap-log.ldif -d1 ldap_url_parse_ext(ldapi:///) ldap_create ldap_url_parse_ext(ldapi:///??base) ldap_sasl_interactive_bind_s: user selected: external ldap_int_sasl_bind: external ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_path ldap_new_socket: 4 ldap_connect_to_path: Trying /var/run/ldapi ldap_connect_timeout: fd: 4 tm: -1 async: 0 ldap_ndelay_on: 4 ldap_ndelay_off: 4 ldap_int_sasl_open: host=mgo-lab-openldap SASL/EXTERNAL authentication started ldap_sasl_bind_s ldap_sasl_bind ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 26 bytes to sd 4 ldap_result ld 0x1306570 msgid 1 wait4msg ld 0x1306570 msgid 1 (infinite timeout) wait4msg continue ld 0x1306570 msgid 1 all 1 ** ld 0x1306570 Connections: * host: (null) port: 0 (default) refcnt: 2 status: Connected last used: Thu May 7 02:59:55 2020 ** ld 0x1306570 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x1306570 request count 1 (abandoned 0) ** ld 0x1306570 Response Queue: Empty ld 0x1306570 response count 0 ldap_chkResponseList ld 0x1306570 msgid 1 all 1 ldap_chkResponseList returns ld 0x1306570 NULL ldap_int_select read1msg: ld 0x1306570 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 40 contents: read1msg: ld 0x1306570 msgid 1 message type bind ber_scanf fmt ({eAA) ber: read1msg: ld 0x1306570 0 new referrals read1msg: mark request completed, ld 0x1306570 msgid 1 request done: ld 0x1306570 msgid 1 res_errno: 80, res_error: <SASL(0): successful result: >, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_free_connection 0 1 ldap_free_connection: refcnt 1 ldap_parse_sasl_bind_result ber_scanf fmt ({eAA) ber: ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)

2 1

Re: Remove duplicate ppolicy overlay
by Côme Chilliet 07 May '20

07 May '20

Le mercredi 6 mai 2020, 08:16:35 CEST Quanah Gibson-Mount a écrit : > You need to provide the -F option so it knows where to write the data out > to. Thank you very much, that works! -- Côme Chilliet FusionDirectory - https://www.fusiondirectory.org

1 0

Antw: [EXT] Remove duplicate ppolicy overlay
by Ulrich Windl 06 May '20

06 May '20

>>> Côme Chilliet <come.chilliet(a)fusiondirectory.org> schrieb am 06.05.2020 um 17:07 in Nachricht <19295_1588777992_5EB2D407_19295_51_1_3360663.6gdB8VmVdU@mcmic-probook>: > Hello, > > I have a duplicated ppolicy overlay. > If I try to delete it using an LDAP operation on the node under cn=config, I > get a 53 error. > > After searching I found an email on this list ( > https://www.openldap.com/lists/openldap‑technical/201811/msg00077.html ) which > suggest the following procedure: > > a) slapcat ‑n 0 ‑l /tmp/config.ldif > b) Remove the duplicate entries from /tmp/config.ldif > c) mv /path/to/current/config /path/to/current/config.old;mkdir ‑p > /path/to/current/config > d) slapadd ‑n 0 ‑l /tmp/config.ldif > > But this does not work, because when calling slapadd at the end, it > complains that there is no slapd.conf. > Is there some way to tell slapadd what to do? Did you try adding " -F confdir"? > > Or do I need to create a slapd.conf file that I remove after? > > ‑‑ > Côme Chilliet > FusionDirectory ‑ https://www.fusiondirectory.org

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2020