openldap-technical June 2020

openldap-technical@openldap.org

41 participants
48 discussions

Re: [Question]: centos8 install - looking for migrationtools package
by Dave Macias 29 Jun '20

29 Jun '20

Thank you for the reply! Decided to use the centos7 versions. They worked like a charm! Regards, Dave On Fri, Jun 26, 2020 at 2:56 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Thursday, June 25, 2020 1:01 PM -0400 Dave Macias <davama(a)gmail.com> > wrote: > > > > > Hello, > > > > > > Our production env is centos7 and we were testing to see how it would > > work on centos8. > > > > > > There were no issues using the symas pkgs. Thank you for providing them! > > > > > > I was wondering if someone knew where I could find the migrationtools for > > centos8? > > I think since rhel stopped supporting openldap-servers, it would make > > sense that the migrationtools package would disappear too. > > > > > > Perhaps this is not the right place to ask, but any input is much > > appreciated. > > What you would likely need to do is look at the Fedora git repository for > the migrationtools package and port it for CentOS8 and then build it > yourself. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

OpenLDAP results limited via SSL?
by a.leurs＠consense-gmbh.de 27 Jun '20

27 Jun '20

Hello, I have installed OpenLDAP on my Windows machine (Windows 10) and configured a connection to our company LDAP. The connection is via LDAPS. Here is my slapd.conf #LDAP Backend configuration file # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. ucdata-path ./ucdata include ./schema/core.schema include ./schema/cosine.schema include ./schema/nis.schema include ./schema/inetorgperson.schema pidfile ./run/slapd.pid argsfile ./run/slapd.args # Full log level loglevel 32768 16384 2048 1024 512 256 128 64 32 16 8 4 2 1 sizelimit 10000 timelimit 10000 # Enable TLS if port is defined for ldaps (to openldap) TLSVerifyClient never #TLSCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3 TLSProtocolMin 3.3 TLSCertificateFile ./secure/certs/maxcrc.cert.pem TLSCertificateKeyFile ./secure/certs/maxcrc.key.pem TLSCACertificateFile ./secure/certs/maxcrc.cert.pem # Configuration for Connection to company.local database meta suffix "DC=company,DC=local" rootdn "DC=company,DC=local" rebind-as-user yes uri ldaps://DC001.company.local:636/dc=company,DC=local lastmod off chase-referrals no idassert-bind bindmethod=simple binddn="cn=CN=User Name,OU=Users,OU=Orga,DC=company,DC=local" credentials=XXX tls_reqcert=never tls_cacert=./secure/certs/company-ca.pem tls ldaps tls_reqcert=allow tls_cacert=./secure/certs/company-ca.pem overlay rwm rwm-map attribute uid samaccountname rwm-map attribute member memberOf rwm-map attribute sn sn rwm-map attribute givenname givenname rwm-map attribute intials initials When I connect to the OpenLDAP server with Softerra LDAP-Browser and search the directory I don't get any results, when the results are more than 65 entries. When I use paging in the search (to restrict the results to only 65 results) then it works. On a machine of a colleague the limit is 70 results. We didn't find any information where an restriction on the LDAP server could be. Any idea why the results are limited? When I do a connection without SSL it works fine.

3 4

[Question]: centos8 install - looking for migrationtools package
by Dave Macias 26 Jun '20

26 Jun '20

Hello, Our production env is centos7 and we were testing to see how it would work on centos8. There were no issues using the symas pkgs. Thank you for providing them! I was wondering if someone knew where I could find the migrationtools for centos8? I think since rhel stopped supporting openldap-servers, it would make sense that the migrationtools package would disappear too. Perhaps this is not the right place to ask, but any input is much appreciated. Thank you, Dave

2 1

Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul 23 Jun '20

23 Jun '20

Hi Quanah Both the servers are set up as master as well as consumer so that sync works in both directions. So the sync setup is like "A -> B", and when A fails B is updated and the expectation is that "B -> A" should work because a multi master setup is already in place. Let me know based on the attached configuration files if my assumption is correct or not. Also Add data works when A fails and B is updated then sync "B -> A"works fine. After Delete data sync does not work when A fails and data is deleted from B. Once A comes back both databases have data which was deleted on B. Thanks Rahul On Tue, Jun 23, 2020 at 8:11 AM Ulrich Windl < Ulrich.Windl(a)rz.uni-regensburg.de> wrote: > >>> Quanah Gibson-Mount <quanah(a)symas.com> schrieb am 22.06.2020 um 18:09 > in > Nachricht > <13855_1592842197_5EF0D7D5_13855_226_1_A497B27F9A5328340A4CDBAC@ > [192.168.1.144]> > > > > > > ‑‑On Monday, June 22, 2020 3:08 PM +0000 Kumar Rahul > > <rahul2002mit(a)gmail.com> wrote: > > > >> Hi Quanah > >> > >> Thank you for all the help so far. I am still seeing the original > >> issue reported. Let me know if you need fresh set of configuration > >> information. > > > > I've told you repeatedly what is necessary, you haven't provided it. > > > > To re‑iterate: > > > > Full configuration of both servers, not config snippets or LDAP modify > > change code. > > Actually (if I read the description correctly the sync setup is like "A -> > B", > and when A fails B is updated and expectation is that "B -> A" will work > automagically (which is not true IMHO). Then multi-master setup is needed. > > > > > Regards, > > Quanah > > > > > > > > ‑‑ > > > > Quanah Gibson‑Mount > > Product Architect > > Symas Corporation > > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > > <http://www.symas.com> > > > >

2 1

Re: [EXT] Re: syncrepl does not work as expected
by kumar rahul 23 Jun '20

23 Jun '20

Hi Ulrich Both the servers are set up as master as well as consumer so that sync works in both directions. So the sync setup is like "A -> B", and when A fails B is updated and the expectation is that "B -> A" should work because a multi master setup is already in place. Let me know based on the attached configuration files if my assumption is correct or not. Also Add data works when A fails and B is updated then sync "B -> A"works fine. After Delete data sync does not work when A fails and data is deleted from B. Once A comes back both databases have data which was deleted on B. Thanks Rahul On Tue, Jun 23, 2020 at 8:11 AM Ulrich Windl < Ulrich.Windl(a)rz.uni-regensburg.de> wrote: > >>> Quanah Gibson-Mount <quanah(a)symas.com> schrieb am 22.06.2020 um 18:09 > in > Nachricht > <13855_1592842197_5EF0D7D5_13855_226_1_A497B27F9A5328340A4CDBAC@ > [192.168.1.144]> > > > > > > ‑‑On Monday, June 22, 2020 3:08 PM +0000 Kumar Rahul > > <rahul2002mit(a)gmail.com> wrote: > > > >> Hi Quanah > >> > >> Thank you for all the help so far. I am still seeing the original > >> issue reported. Let me know if you need fresh set of configuration > >> information. > > > > I've told you repeatedly what is necessary, you haven't provided it. > > > > To re‑iterate: > > > > Full configuration of both servers, not config snippets or LDAP modify > > change code. > > Actually (if I read the description correctly the sync setup is like "A -> > B", > and when A fails B is updated and expectation is that "B -> A" will work > automagically (which is not true IMHO). Then multi-master setup is needed. > > > > > Regards, > > Quanah > > > > > > > > ‑‑ > > > > Quanah Gibson‑Mount > > Product Architect > > Symas Corporation > > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > > <http://www.symas.com> > > > >

1 0

syncrepl does not work as expected
by rahul2002mit＠gmail.com 22 Jun '20

22 Jun '20

Hi I am using LDAP protocol as front end and Berkeley DB as back end. I am observing a strange syncrepl issue type=refreshAndPersist is being used $OpenLDAP: slapd 2.4.44 OS: RHEL7U6 I have 2 server setup say S1 and S2. S1 is in provider and S2 is in consumer mode. Added data D1 in database and that was synced with S2 database. Now I killed slapd process on server S1. At this point server S2 assumes provider role. Now I removed data D1 from database using server S2. Once deletion is complete validated that data was removed from server S2 database. Now i brought S1 slapd service back up and started the application which starts syncrepl. Here is what i see both server S1 and S2 has data D1 which was actually deleted. Expected behavior: Both server should sync properly and data D1 which was deleted using Server S2 should not be present in the database after sync. Request you guys to help. Thanks Rahul

5 45

Privileges for slapd service
by darkdragon 19 Jun '20

19 Jun '20

Dockerfile: ```Dockerfile FROM debian:buster ENV container docker # systemd RUN apt-get update && apt-get install -y \ systemd systemd-sysv && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* RUN systemctl disable systemd-resolved.service RUN systemctl disable systemd-hostnamed.service STOPSIGNAL SIGRTMIN+3 CMD [ "/sbin/init" ] RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ slapd && \ apt-get clean && rm -rf /var/lib/apt/lists/* RUN systemctl enable slapd.service # Allow restart of slapd after dpkg-reconfigure (docker forbids this by default) RUN bash -c "install -m755 <(printf '#!/bin/sh\nexit 0') /usr/sbin/policy-rc.d" ``` Build command: ```sh docker build -t tmp . ``` Run command: ```sh docker run \ --name=tmp \ -it \ --tmpfs /run \ --tmpfs /run/lock \ --tmpfs /tmp \ -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ --rm \ tmp ``` Slapd restart (run within container): ```sh service slapd restart ``` Log (journalctl -u slapd): Jun 18 07:14:25 81bb7d58af2b systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)... Jun 18 07:14:25 81bb7d58af2b slapd[39]: @(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $ Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org> Jun 18 07:14:25 81bb7d58af2b slapd[40]: slapd starting Jun 18 07:14:25 81bb7d58af2b slapd[27]: Starting OpenLDAP: slapd. Jun 18 07:14:25 81bb7d58af2b systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol). Jun 18 07:14:35 81bb7d58af2b systemd[1]: Stopping LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)... Jun 18 07:14:35 81bb7d58af2b slapd[72]: Stopping OpenLDAP: slapd. Jun 18 07:14:35 81bb7d58af2b systemd[1]: slapd.service: Succeeded. Jun 18 07:14:35 81bb7d58af2b systemd[1]: Stopped LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol). Jun 18 07:14:40 81bb7d58af2b systemd[1]: slapd.service: Found left-over process 40 (slapd) in control group while starting unit. Ignoring. Jun 18 07:14:40 81bb7d58af2b systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies. Jun 18 07:14:40 81bb7d58af2b systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)... Jun 18 07:14:40 81bb7d58af2b slapd[99]: Starting OpenLDAP: slapd failed! Jun 18 07:14:40 81bb7d58af2b systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE Jun 18 07:14:40 81bb7d58af2b systemd[1]: slapd.service: Failed with result 'exit-code'. Jun 18 07:14:40 81bb7d58af2b systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol). --- The problem seems to be an unclean stop (left-over process) which still occupies the port. Which capabilities [1] / seccomp [2] is needed by slapd? [1]: https://linux.die.net/man/7/capabilities [2]: https://docs-stage.docker.com/engine/security/seccomp/ --- My goal is to set the domain to "thisbox". Running the following code (within container): ```sh cat <<EOF >/tmp/slapd Name: slapd/domain Template: slapd/domain Value: thisbox Owners: slapd EOF DEBIAN_FRONTEND=noninteractive DEBCONF_DB_OVERRIDE=/tmp/slapd dpkg-reconfigure slapd ``` Log (journalctl -u slapd): -- Logs begin at Thu 2020-06-18 07:43:44 UTC, end at Thu 2020-06-18 07:44:57 UTC. -- Jun 18 07:43:44 fe1ddc01fdaf systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)... Jun 18 07:43:44 fe1ddc01fdaf slapd[38]: @(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $ Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org> Jun 18 07:43:44 fe1ddc01fdaf slapd[39]: slapd starting Jun 18 07:43:44 fe1ddc01fdaf slapd[28]: Starting OpenLDAP: slapd. Jun 18 07:43:44 fe1ddc01fdaf systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol). Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Stopping LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)... Jun 18 07:43:48 fe1ddc01fdaf slapd[160]: Stopping OpenLDAP: slapd. Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: slapd.service: Succeeded. Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Stopped LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol). Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)... Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: @(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $ Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org> Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: daemon: bind(8) failed errno=98 (Address already in use) Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: daemon: bind(8) failed errno=98 (Address already in use) Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: slapd stopped. Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: connections_destroy: nothing to destroy. Jun 18 07:43:48 fe1ddc01fdaf slapd[165]: Starting OpenLDAP: slapd failed! Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: slapd.service: Failed with result 'exit-code'. Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol). So the problem indicates that the address is already in use. --- Setting the configuration within Dockerfile (no need to restart in container): ```Dockerfile RUN echo "" >> /tmp/slapd && \ echo "Name: slapd/domain" >> /tmp/slapd && \ echo "Template: slapd/domain" >> /tmp/slapd && \ echo "Value: thisbox" >> /tmp/slapd && \ echo "Owners: slapd" >> /tmp/slapd && \ echo "" >> /tmp/slapd && \ DEBIAN_FRONTEND=noninteractive \ DEBCONF_DB_OVERRIDE=/tmp/slapd \ dpkg-reconfigure slapd ``` doesn't throw any error, but doesn't seem to work either. ```sh ldapadd -Q -Y EXTERNAL -H ldapi:/// ``` logs to stdout: ``` adding new entry "ou=users,dc=thisbox" ldap_add: Server is unwilling to perform (53) additional info: no global superior knowledge ``` So for some reason the setup on container creation doesn't seem to be used. --- I am new to LDAP, so I am apologizing if I am using something completely wrongly. Just trying to fix https://salsa.debian.org/freedombox-team/freedombox/-/issues/1880. Any help appreciated!

2 2

ldapsearch filter behaviour
by mradu＠live.com 16 Jun '20

16 Jun '20

Hi, I have 2 LDAP servers. The old one is running openldap2-2.3.32 and the new one is running openldap2-2.4.41. They both have identical configuration and data. Running the following ldapsearch command against the 2 servers only yields results on the old openldap 2.3.32: ldapsearch -H ldap://server -b 'dc=mycorp,dc=com' -D 'cn=Administrator,dc=mycorp,dc=com' -w 'passwd' '(cn=*)' cn Aparently every time I am using a filter having the "*" wildcard the new openldap fails to give back any results. Any ideea what is going on? Thanks

2 1

Re: Info needed on OpenLDAP support / compliance on FIPS 140.2
by Vijay Kumar 16 Jun '20

16 Jun '20

Thank you Quanah, As i mentioned, we are using OpenLDAP 2.4.48 version from https://www.openldap.org/ which internally uses OpenSSL I would like to know, is this version of OpenLDAP with OpennSSL does FIPS compliant.? Regards, Vijay Kumar On Mon, Jun 15, 2020 at 10:22 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Monday, June 15, 2020 5:03 PM +0530 Vijay Kumar > <pasumarthivijaykumar(a)gmail.com> wrote: > > > > > Hi Team, > > > > > > We are using the version 2.4.48 OpenLDAP, we would like to know which > > versions of OpenLDAP which used OpenSSL are compliant towards FIPS 140.2 > > standards.? > > Hello, > > Do *NOT* post to multiple lists. > > The FIPS question is not really an OpenLDAP question at all. Either the > build of OpenLDAP you are using is linked to a FIPS version of OpenSSL or > it isn't. You'd need to find out from whomever provided your OpenLDAP > build (and that's assuming it's linked to OpenSSL) if that OpenSSL build > is > FIPS enabled. > > Reards, > Quaanh > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > -- Thanks & Regards, Vijay Kumar *+91-94944 44009*

5 4

Re: Re: Info needed on OpenLDAP support / compliance on FIPS 140.2
by Vijay Kumar 16 Jun '20

16 Jun '20

Thanks a lot Philip Guenther Absolute needful Info to all. Regards, Vijay Kumar On Tue, Jun 16, 2020 at 1:43 PM Marc Roos <M.Roos(a)f1-outsourcing.eu> wrote: > > Thanks for this clear insight! > > > -----Original Message----- > To: Scott Classen > Cc: Vijay Kumar; openldap-technical(a)openldap.org > Subject: *****SPAM***** Re: Info needed on OpenLDAP support / compliance > on FIPS 140.2 > > On Mon, 15 Jun 2020, Scott Classen wrote: > > Did you build the OpenLDAP binary from source or are you using a > > binary distribution from somewhere? Like Quanah already stated, you > > need to determine if the version of OpenSSL you linked against is FIPS > > > compliant. The FIPS designation has nothing to do with OpenLDAP per > se. > > > > e.g. on my CentOS distro I can type > > > > # openssl version > > OpenSSL 1.0.2k-fips 26 Jan 2017 > > > > And it lets me know that OpenSSL is FIPS compliment. Then if I build > > OpenLDAP using the openssl libraries provided with my distro then I’m > > > assuming it would then inherit some of this FIP-ness. > > Simply _using_ that library is not nearly enough to pass any sort of > compliance check. Here's a session using a similar library (CentOS > 7.7.1908) with anonymous RC4-MD5, an absolutely non-FIPS-compliant > cipher > suite: > > $ openssl version > OpenSSL 1.0.2k-fips 26 Jan 2017 > $ echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet & [1] > 31787 $ openssl s_client -connect localhost:4433 -cipher aNULL -quiet > foo read:errno=0 $ fg echo foo | openssl s_server -cipher ADH-RC4-MD5 > -nocert -quiet ^C $ > > > First, you have to actually tell the library to go into FIPS mode. The > CLI 'openssl' tool will do that when the OPENSSL_FIPS environment > variable is set and I seem to recall that the system openssl libs on > RedHat systems (don't remember if it carried over to CentOS) would do so > if a kernel parameter was set, but in general applications using libssl > and libcrypto have to use the FIPS_mode_set() API to turn on FIPS mode > themselves. > Last I checked, OpenLDAP had no calls to FIPS_mode_set(), so unless your > system libcrypto has something external to force FIPS mode *and your're > using it*, OpenLDAP will _not_ be using the library in FIPS mode. > > > Furthermore, is that build of openssl still covered by a valid FIPS > certificate? "It's a build of sources for which some build has had a > FIPS certificate issued" is cute verbiage and there are many people that > only care about that: verbiage so they can check a unclearly specified > box on their documents. Not a bad option if that's all your customers > expect and all you sell/promise, given that FIPS mode is not strictly > beneficial with the difficulty it creates for fixing bugs in crypto > implementations, including--historically--in openssl's code base. > > While some customers will find that sufficient to check a box on their > documents, it ain't going to make real FIPS compliance people (U.S. > government agencies) blink before ignoring it. If you're going to have > a compliance audit from such a group, with scheduled followups and > 30/60/90 day remediation requirements, then no, stock openldap on stock > centos, for example, will not get you there. > > > Philip Guenther > > > -- Thanks & Regards, Vijay Kumar *+91-94944 44009*

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2020