Antw: [EXT] Re: replication issue. Incorrect ACL?
by Ulrich Windl
>>> Andreas Hasenack <andreas(a)canonical.com> wrote on 20.05.2020 at 15:04 in message
<17575_1589979873_5EC52AE0_17575_76_1_CANYNYEHQ0+sBtbuO8zDKcaZChDxPPB6WC0tWabWWMyLgVtkYA(a)mail.gmail.com>:
>> olcRootDN: cn=Manager,dc=van,dc=company,dc=com
>> olcRootPW:: e1NTSEF9cEpWbEIzOEh4UXJpcjnvSUl2enZzWTF1akt4Nnd6OTk=
>
> You should change that password now, since you just shared its SSHA
> hash to the world ;)
...what makes me wonder how long it takes these days to create a valid password from a salted SHA-1 hash...
[...]
3 years, 4 months
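The `olcRootPW::` line quoted in the thread above carries a base64-encoded LDIF value whose content is an OpenLDAP `{SSHA}` hash: base64 of SHA-1(password || salt) followed by the salt. The following Python is an added example, not code from the thread or from OpenLDAP; it decodes such an LDIF line, builds and verifies `{SSHA}` values, and uses a constructed password and salt rather than the hash posted to the list. The salt only defeats precomputed tables; SHA-1 itself is cheap, so a leaked `{SSHA}` value is protected by nothing but the strength of the password, which is why rotating it is the right response.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes; everything after it is the salt

def ldif_attr_value(line: str) -> str:
    """Return the value of one LDIF line; 'attr:: ...' means the value is base64-encoded."""
    _name, _sep, rest = line.partition(":")
    if rest.startswith(":"):                       # 'olcRootPW:: e1NT...' form
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)                       # slappasswd likewise uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value; malformed input yields False, not an exception."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:                             # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:                     # no salt bytes present: not a valid {SSHA}
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

if __name__ == "__main__":
    # Constructed example value; deliberately not the hash quoted in the thread above.
    stored = ssha_hash("correct horse battery staple", salt=b"abcd")
    print(stored, ssha_verify("correct horse battery staple", stored))
    print(ldif_attr_value("olcRootPW:: e1NTSEF9"))   # "e1NTSEF9" is base64 of the literal "{SSHA}"
```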
Disable overlays
by Jean-Luc Chandezon
Hello,
I don't know how to disable overlays (ppolicy or sync for example).
Is it possible?
Thanks,
Jean-Luc
3 years, 4 months
"GSSAPI Error: No credentials were supplied ... unknown mech-code 0 for mech unknown"
by Braiam
Hi,
I'm trying to get slapd to use heimdal kerberos to provide
a single authentication backend for my network. I've followed
the Administrator's Guide on SASL[1] and cyrus faq entry
about connecting OpenLDAP with GSSAPI[2]. I'm stuck
at what I believe is a misunderstanding on my part.
I believe when I use -Y GSSAPI I should be using my
braiam/admin credentials, but according to SASL facility
in slapd I'm not providing any. strace confirms that
it reads the /tmp/krb5cc_1000 file correctly.
I'm very confused as to how to proceed since most of
the relevant results point to having not kinit'd.
I'm using Debian stable, slapd=2.4.47+dfsg-3+deb10u1,
libsasl2-modules-gssapi-heimdal=2.1.27+dfsg-1+deb10u1.
debian@ldap01:~$ sudo ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:
Vno Type Principal Aliases
4 aes256-cts-hmac-sha1-96 host/ldap01.example.com(a)EXAMPLE.COM
4 des3-cbc-sha1 host/ldap01.example.com(a)EXAMPLE.COM
4 arcfour-hmac-md5 host/ldap01.example.com(a)EXAMPLE.COM
9 aes256-cts-hmac-sha1-96 ldap/ldap01.example.com(a)EXAMPLE.COM
9 des3-cbc-sha1 ldap/ldap01.example.com(a)EXAMPLE.COM
9 arcfour-hmac-md5 ldap/ldap01.example.com(a)EXAMPLE.COM
debian@ldap01:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: braiam/admin(a)EXAMPLE.COM
Issued Expires Principal
May 12 20:34:05 2020 May 13 20:34:05 2020 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
May 12 20:34:11 2020 May 13 20:34:05 2020 ldap/ldap01.example.com(a)EXAMPLE.COM
debian@ldap01:~$ ldapsearch -LLL -Y GSSAPI -s "base" -b "" supportedSASLMechanisms -H $ldap_host
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: No
credentials were supplied, or the credentials were unavailable or
inaccessible. (unknown mech-code 0 for mech unknown)
[1]: http://www.openldap.org/doc/admin24/sasl.html
[2]: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
--
Braiam
3 years, 4 months
Help for setting-up an ldap-proxy
by lists@zxt10d.de
Hello,
I'm pretty new to this list, and maybe/hopefully someone could help ...
I work at a chair at a German university, and we would like to use the
central AD of that university for our chair, by using an ldap-proxy
system, so that there's only one connection to the central AD, and not
~70 (all of our computers, etc.).
I can search the AD by using this (modified) command:
ldapsearch -LLL "(cn=FIRSTNAME LASTNAME)" -H ldaps://ldap.UNIVERSITY.de
-b dc=university,dc=de -D cn=special,ou=group,dc=university,dc=de -W
For locally installed applications I can use this /etc/pam_ldap.conf:
uri ldaps://ldap.university.de
host ldap.university.de
base ou=group,ou=hosts,dc=university,dc=de
ldap_version 3
binddn cn=special,ou=group,dc=university,dc=de
bindpw password
pam_password crypt
ssl start_tls
ssl on
To set up the local ldap-proxy, I tried to follow this description, but
it won't work (and I guess it's not really correct, as the config file is
there twice):
https://doc.owncloud.com/server/admin_manual/configuration/ldap/ldap_prox...
When running "slaptest -f /etc/ldap/slapd.conf" I get these errors:
5ebd3ec5 /etc/ldap/slapd.conf: line 102: warning, source attributeType
'dn' should be defined in schema
5ebd3ec5 PROXIED attributeDescription "DN" inserted.
5ebd3ec5 hdb_db_open: warning - no DB_CONFIG file found in directory
/var/lib/ldap: (2).
Expect poor performance for suffix "ou=group,ou=hosts,dc=university,dc=de".
5ebd3ec5 hdb_db_open: database "ou=lsafp,ou=hosts,dc=university,dc=de":
db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5ebd3ec5 backend_startup_one (type=hdb,
suffix="ou=group,ou=hosts,dc=university,dc=de"): bi_db_open failed! (2)
5ebd3ec5 backend_startup_one (type=ldap,
suffix="ou=group,ou=hosts,dc=university,dc=de"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)
Now my questions:
- where and how to put the data to do a query against the central AD?
(binddn & bindpw part)
- where to define the local ldap database? (I guess that has to be
created and will be filled automatically...?)
The system I'm using is a Debian 10.4 one.
slapd -V:
@(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $
Debian OpenLDAP Maintainers
<pkg-openldap-devel(a)lists.alioth.debian.org>
Sorry, English is not my native language ...
Thanks a lot for reading! ;)
Cheers,
Torsten
3 years, 4 months
Can't get LDAPS connection with OpenLDAP as a Proxy working (error:14090086)
by a.leurs@consense-gmbh.de
Hello,
I'm fairly new to OpenLDAP. I have successfully built a connection to a Windows Active Directory with LDAP over port 389.
But when I switch to LDAPS and Port 636 and try a connection via the Softerra LDAP Browser I get the following error:
TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate).
I have installed the certificate of the Server I want to connect to on my machine.
But I still get this error. Does anyone have an idea why this error happens?
Here is my slapd.conf-File:
# MDB Backend configuration file
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/nis.schema
include ./schema/inetorgperson.schema
#include ./schema/openldap.schema
#include ./schema/dyngroup.schema
pidfile ./run/slapd.pid
argsfile ./run/slapd.args
loglevel 256
sizelimit unlimited
timelimit unlimited
#######################################################################
# mdb database definitions
#######################################################################
database meta
suffix "dc=example,dc=com"
uri "ldaps://dc001.example.com:636/DC=example,DC=com"
3 years, 4 months
Ldap attribute error
by Technology Server
Dear,
After trying to reset LDAP user password , we are getting the following
error.
main[9834]: conn=4965799 op=1 MOD
dn="uid=########################################"
main[9834]: conn=4965799 op=1 MOD attr=userPassword
[9834]: conn=4965799 op=1 RESULT tag=103 err=17 text=entry update failed
[9834]: conn=4965799 fd=16 closed (connection lost)
Error 17 is also received for other attributes which are already defined.
Can you please suggest on this issue?
3 years, 4 months
ldapmodify: ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
by nisgopee@gmail.com
Command: ldapmodify -Y external -H ldapi:/// -f enable-ldap-log.ldif
Returns:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
# cat enable-ldap-log.ldif
dn: cn=config
changeType: modify
add: olcLogLevel
olcLogLevel: stats
# ldapmodify -Y external -H ldapi:/// -f enable-ldap-log.ldif -d1
ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind_s: user selected: external
ldap_int_sasl_bind: external
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_ndelay_off: 4
ldap_int_sasl_open: host=mgo-lab-openldap
SASL/EXTERNAL authentication started
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 26 bytes to sd 4
ldap_result ld 0x1306570 msgid 1
wait4msg ld 0x1306570 msgid 1 (infinite timeout)
wait4msg continue ld 0x1306570 msgid 1 all 1
** ld 0x1306570 Connections:
* host: (null) port: 0 (default)
refcnt: 2 status: Connected
last used: Thu May 7 02:59:55 2020
** ld 0x1306570 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x1306570 request count 1 (abandoned 0)
** ld 0x1306570 Response Queue:
Empty
ld 0x1306570 response count 0
ldap_chkResponseList ld 0x1306570 msgid 1 all 1
ldap_chkResponseList returns ld 0x1306570 NULL
ldap_int_select
read1msg: ld 0x1306570 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x1306570 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1306570 0 new referrals
read1msg: mark request completed, ld 0x1306570 msgid 1
request done: ld 0x1306570 msgid 1
res_errno: 80, res_error: <SASL(0): successful result: >, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
3 years, 4 months
Antw: [EXT] Remove duplicate ppolicy overlay
by Ulrich Windl
>>> Côme Chilliet <come.chilliet(a)fusiondirectory.org> wrote on 06.05.2020 at 17:07 in message
<19295_1588777992_5EB2D407_19295_51_1_3360663.6gdB8VmVdU@mcmic-probook>:
> Hello,
>
> I have a duplicated ppolicy overlay.
> If I try to delete it using an LDAP operation on the node under cn=config, I
> get a 53 error.
>
> After searching I found an email on this list (
> https://www.openldap.com/lists/openldap-technical/201811/msg00077.html ) which
> suggests the following procedure:
>
> a) slapcat -n 0 -l /tmp/config.ldif
> b) Remove the duplicate entries from /tmp/config.ldif
> c) mv /path/to/current/config /path/to/current/config.old;mkdir -p
> /path/to/current/config
> d) slapadd -n 0 -l /tmp/config.ldif
>
> But this does not work, because when calling slapadd at the end, it
> complains that there is no slapd.conf.
> Is there some way to tell slapadd what to do?
Did you try adding " -F confdir"?
>
> Or do I need to create a slapd.conf file that I remove after?
>
> --
> Côme Chilliet
> FusionDirectory - https://www.fusiondirectory.org
3 years, 4 months
Remove duplicate ppolicy overlay
by Côme Chilliet
Hello,
I have a duplicated ppolicy overlay.
If I try to delete it using an LDAP operation on the node under cn=config, I get a 53 error.
After searching I found an email on this list ( https://www.openldap.com/lists/openldap-technical/201811/msg00077.html ) which suggests the following procedure:
a) slapcat -n 0 -l /tmp/config.ldif
b) Remove the duplicate entries from /tmp/config.ldif
c) mv /path/to/current/config /path/to/current/config.old;mkdir -p /path/to/current/config
d) slapadd -n 0 -l /tmp/config.ldif
But this does not work, because when calling slapadd at the end, it complains that there is no slapd.conf.
Is there some way to tell slapadd what to do?
Or do I need to create a slapd.conf file that I remove after?
--
Côme Chilliet
FusionDirectory - https://www.fusiondirectory.org
3 years, 4 months
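Step b) of the procedure in the two "Remove duplicate ppolicy overlay" messages above (removing the duplicate entries from the slapcat dump) is the part done by hand. The following Python is an added example, not code from the thread or from OpenLDAP: it parses a `slapcat -n 0` dump and reports overlay entries that occur more than once under the same database, so the extra `olcOverlay` entries can be identified before editing. The LDIF is a constructed sample, and the script assumes overlay RDNs contain no escaped commas.

```python
import re
from collections import defaultdict
# Constructed sample of a `slapcat -n 0` dump with ppolicy loaded twice on the same database.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com

dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,
 dc=com

dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
"""

ORDER_PREFIX = re.compile(r"^\{-?\d+\}")   # the {N} ordering tag cn=config puts in front of values

def parse_ldif(text):
    """Split LDIF into (dn, attribute lines) pairs, unfolding continuation lines."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:     # trailing "" flushes the last entry
        if raw.startswith(" ") and current:  # folded line: belongs to the previous attribute
            current[-1] += raw[1:]
        elif raw == "":
            if current:
                entries.append(current)
            current = []
        elif not raw.startswith("#"):
            current.append(raw)
    return [(e[0][len("dn: "):], e[1:]) for e in entries if e[0].startswith("dn: ")]

def find_duplicate_overlays(text):
    """Map (database dn, overlay name) -> list of entry dns for overlays loaded more than once."""
    seen = defaultdict(list)
    for dn, _attrs in parse_ldif(text):
        rdn, _, parent = dn.partition(",")   # assumes no escaped commas in the RDN value
        if not rdn.lower().startswith("olcoverlay="):
            continue
        name = ORDER_PREFIX.sub("", rdn.split("=", 1)[1]).lower()
        seen[(parent, name)].append(dn)
    return {key: dns for key, dns in seen.items() if len(dns) > 1}

if __name__ == "__main__":
    for (db, name), dns in find_duplicate_overlays(SAMPLE_LDIF).items():
        print(f"overlay '{name}' loaded {len(dns)} times on {db}; extra entries: {dns[1:]}")
```

Once the surplus entries are deleted from the dump, the reload is step d) with the `-F confdir` option from the reply above, pointing at the new (empty) config directory; keep the original dump until slapd starts cleanly from the rebuilt configuration.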