openldap-technical September 2020

openldap-technical@openldap.org

34 participants
34 discussions

openssl output
by Shaheena Kazi 24 Sep '20

24 Sep '20

Hello, I am using openssl - 1.1.1d Slapd Version - 2.4.47 I have complied slapd against the openssl to use the support ofTLSv1.3 The path is /opt/openssl/bin/openssl Now, I have a doubt, when I run the below command I get the expected output. /opt/openssl/bin/openssl s_client -connect localhost:636 But when I run /opt/openssl/bin/openssl s_client -connect localhost:389, I get the output as below: root@xxxxxxxxx# /opt/openssl/bin/openssl s_client -connect localhost:389 CONNECTED(00000003) write:errno=0 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 293 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- +++++++++++++++++++++++++++++++++++++++++++++++++++++ Is this correct? I mean I dont face any issues but the output does not show the Protocol used. ++++++ As for the present openssl I get the below output where it shows the protocol used. root@cxxxxxxxxxxxx# openssl s_client -connect localhost:389 CONNECTED(00000003) write:errno=0 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 176 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1600959876 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no --- So I am wondering, If I am missing on anything or is it fine ?

2 2

Problems with syncrepl state
by Berthold Cogel 24 Sep '20

24 Sep '20

Hello, we have a cluster of LDAP servers consisting of one provider and 4 consumer. We're upgrading the os of the systems by proving an replacement system for each of the five systems. Then we stop the slapd on the system that should be replaced, dump the database with slapcat, copy it to new system, switch hostname and ip of both systems. We shut down the old and reboot the new system. Then we slapadd the database on the new system. So far so good... We started with the provider. After importing the database and starting the slapd on the new provider, we get errors for the syncrepl state on all consumer systems: "Can't get Context CSN with SID <x> from ldap+tls://localhost. Please set SID with -I option." We're using check_ldap_syncrepl_status from ltb-project with icinga2 to monitor the replication. I don't know how to fix this. When I modify an entry in the provider, it is synced to the consumer. But the status error stays. On all four consumers. I've then 'upgraded' a consumer by starting the slapd on the replacment system without any database. The system started the sync and after completion the error was gone. But syncing takes more time than importing a dump from a local file. And in a case where we have to rebuild the provider from scratch after a crash, it might be not an option to resync one consumer after the other to rebuild the complete cluster. Is there a method to fix the problem? Syncrepl configuration on the provider overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 Syncrepl configuration on the consumer syncrepl rid=<x> provider=ldap://yxz:389 binddn="cn=xxxxxxx" credentials="xxxxxxx" tls_cacertdir=/etc/pki/tls/certs tls_reqcert=demand bindmethod=simple starttls=critical searchbase="xxxxxx" type=refreshAndPersist retry="10 10 300 +" filter="(objectClass=*)" scope=sub attrs="*,+" sizelimit=unlimited timelimit=unlimited schemachecking=off Regards Berthold Cogel

3 8

How to delete root DIT
by mi.aleksio＠gmail.com 23 Sep '20

23 Sep '20

Hello all! I have test database: dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcSuffix: dc=aleksio,dc=com olcRootDN: cn=Manager,dc=aleksio,dc=com # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd-config(5) for details. # Use of strong authentication encouraged. olcRootPW: 1 # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. olcDbDirectory: /usr/local/var/openldap-data # Indices to maintain olcDbIndex: objectClass eq I created top record: dn: dc=aleksio,dc=com objectClass: dcObject objectClass: organization dc: aleksio o: myorg Record successfully created, I can search this record: ~# ldapsearch -x -w 1 o # extended LDIF # # LDAPv3 # base <dc=aleksio,dc=com> (default) with scope subtree # filter: (objectclass=*) # requesting: o # # aleksio.com dn: dc=aleksio,dc=com o: myorg # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Then I try to delete this record: ~# ldapdelete -x -w 1 'dc=aleksio,dc=com' ldap_delete: No such object (32) If I create child record in DN dc=aleksio,dc=com I can successfully delete this child record. How can I delete root record?

2 1

Why does OpenLDAP think my code didn't bind to the server?
by suryakalpo.sarker＠gmail.com 22 Sep '20

22 Sep '20

I'm trying to use the OpenLDAP C APIs to execute a search query against an AD. #include <ldap.h> #include <iostream> int main(void) { LDAP *ldp; auto ldap_version = LDAP_VERSION3; auto tls_cert_strat = LDAP_OPT_X_TLS_NEVER; //Never require identity cert from peer int err = ldap_initialize(&ldp,"ldap://1.1.1.1"); if (err != LDAP_SUCCESS) { std::cerr << "unable to connect" << std::endl; return -1; } std::cout << "connected, err == " << ldap_err2string(err) << "\n"; ldap_set_option(ldp, LDAP_OPT_PROTOCOL_VERSION, &ldap_version); //Set version to LDAPv3 ldap_set_option(ldp, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_cert_strat); err = ldap_start_tls_s(ldp, nullptr, nullptr); if (err != LDAP_SUCCESS) { char* msg; ldap_get_option(ldp, LDAP_OPT_DIAGNOSTIC_MESSAGE, &msg); std::cerr << "unable to upgrade to TLS! err: " << ldap_err2string(err) << std::endl; std::cerr << "diagnostic msg: " << msg << "\n"; ldap_memfree(msg); return -1; } std::cout << "start_tls request sent successfully, err == " << ldap_err2string(err) << "\n"; err = ldap_tls_inplace(ldp); if (err != 1) { char* msg; ldap_get_option(ldp, LDAP_OPT_DIAGNOSTIC_MESSAGE, &msg); std::cerr << "TLS handlers not installed! err: " << ldap_err2string(err) << std::endl; std::cerr << "diagnostic msg: " << msg << "\n"; ldap_memfree(msg); return -1; } std::cout << "TLS handlers have been installed sucessfully" << "\n"; //err = ldap_bind_s(ldp, "user(a)domain.com", "foo", LDAP_AUTH_SIMPLE); err = ldap_simple_bind_s(ldp, "user(a)domain.com", "foo"); if (err != LDAP_SUCCESS) { char* msg; ldap_get_option(ldp, LDAP_OPT_DIAGNOSTIC_MESSAGE, &msg); std::cerr << "Unable to bind to domain! err: " << ldap_err2string(err) << std::endl; std::cerr << "diagnostic msg: " << msg << "\n"; ldap_memfree(msg); return -1; } std::cout << "Successfully bound to DC\n"; char* base_dn = const_cast<char*>("dc=domain,dc=com"); char* filters = const_cast<char*>("userPrincipalName=user"); char* attr[4]; attr[0] = const_cast<char*>("samaccountname"); attr[1] = const_cast<char*>("cn"); attr[2] = const_cast<char*>("mail"); attr[3] = nullptr; LDAPMessage* ldp_msg; std::cout << "Executing LDAP search query\n"; err = ldap_search_ext_s(ldp, base_dn, LDAP_SCOPE_SUBTREE, filters, attr, 0, nullptr, nullptr, nullptr, 0, &ldp_msg); if (err != LDAP_SUCCESS) { char* msg; ldap_get_option(ldp, LDAP_OPT_DIAGNOSTIC_MESSAGE, &msg); std::cerr << "Unable to search domain! err: " << ldap_err2string(err) << std::endl; std::cerr << "diagnostic msg: " << msg << "\n"; ldap_memfree(msg); return -1; } std::cout << "Search executed successfully\n"; return 0; } I build the code as follows: g++8 -D LDAP_DEPRECATED -g -std=c++17 my_ldap.cpp -o my_ldap -l ldap But when I execute it, I get the following error: connected, err == Success start_tls request sent successfully, err == Success TLS handlers have been installed sucessfully Successfully bound to DC Executing LDAP search query Unable to search domain! err: Operations error diagnostic msg: 000004DC: LdapErr: DSID-0C0907E1, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 This is where I'm confused: The diagnostic message says that I didn't bind, but given that ldap_simple_search_s returned LDAP_SUCCESS, that would mean that I did have a successful bind. I would understand if the search fails with a message citing lack of authorization, filter not matching, etc. The only other thing that I could think of is that I may have bound to one DN and executed a search against a different DN, but I checked for any typos several times, and nothing popped up. Just FYI, ldap_bind_s(ldp, "user(a)domain.com", "foo", LDAP_AUTH_SIMPLE) has the same behavior. Now, if the DC didn't like my bind/authentication method, I would imagine that would've caused an error during the bind call, but nothing of the sort happened. I thought about using the built-in debugging of the library as documented in the man pages for ldap_set_option, i.e. the LDAP_OPT_DEBUG_LEVEL option, but the code doesn't compile when I try to use one of the options as shown in the man page (incidentally none of those options are defined in ldap.h) I've tried a few other random (I'm saying random coz I doubt this is the cause) things too: a) Tried binding to the secure port directly instead of upgrading to TLS. b) Tried disabling LDAP_OPT_REFERRALS One strange thing that I observed though was that if the changed the syntax of the bind dn to "uid=user,dc=domain,dc=com" that would result in an "Invalid credentials" error from ldap_bind_s, but the "user(a)domain.com" format is accepted without any errors. I'm unable to check the contents of LDAP* in gdb because I cannot build the openldap port in freeBSD with non-stripped symbols (even though I built the port with debug support). What other angle should I be looking at to understand/resolve this problem?

2 1

error 53 text=consumer state is newer than provider!
by Stefan Kania 22 Sep '20

22 Sep '20

hi, replication is now running, but when I setup all three servers (one provider and two consumers) I get the following errormessage on the provider -------------------- SEARCH RESULT tag=101 err=53 nentries=0 text=consumer state is newer than provider! -------------------- And on the consumers: -------------------- syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) tid 1dc6e700 Sep 21 19:42:03 ldapslave-01 slapd[2360]: syncrepl_entry: rid=001 inserted UUID 61db79ba-907d-103a-80a6-2965db2a1bbb Sep 21 19:42:03 ldapslave-01 slapd[2360]: syncrepl_entry: rid=001 be_search (0) Sep 21 19:42:03 ldapslave-01 slapd[2360]: syncrepl_entry: rid=001 cn=ldap-admin,ou=users,dc=example,dc=net Sep 21 19:42:03 ldapslave-01 slapd[2360]: syncrepl_entry: rid=001 be_add cn=ldap-admin,ou=users,dc=example,dc=net (0) Sep 21 19:42:03 ldapslave-01 slapd[2360]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT Sep 21 19:42:03 ldapslave-01 slapd[2360]: do_syncrep2: rid=001 cookie=rid=001,csn=20200921174113.067710Z#000000#000#000000 Sep 21 19:42:03 ldapslave-01 slapd[2360]: slap_queue_csn: queueing 0x7f6714106290 20200921174113.067710Z#000000#000#000000 Sep 21 19:42:03 ldapslave-01 slapd[2360]: slap_graduate_commit_csn: removing 0x7f6714106290 20200921174113.067710Z#000000#000#000000 Sep 21 19:42:03 ldapslave-01 slapd[2360]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT Sep 21 19:42:03 ldapslave-01 slapd[2360]: do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform Sep 21 19:42:03 ldapslave-01 slapd[2360]: do_syncrep2: rid=001 (53) Server is unwilling to perform -------------------- As soon as I do a modification with "ldapmodify" on the provider and then restart slad on the consumer everything is working fine. Is this normal? Or do I still have configured something wrong? Stefan

2 2

adding sortvals later
by Michael Ströder 17 Sep '20

17 Sep '20

HI! I vaguely remember having asked this before but I forgot the answer: Do I have to re-import or re-index the database when adding directive sortvals to a database containing affected entries? Ciao, Michael.

2 1

"rootDN must be defined before syncrepl may be used" and rootDN, rootpw in general
by Christopher Paul 17 Sep '20

17 Sep '20

Salutations OpenLDAP-Technical, I am thinking of rootDN and how I'm not a big fan of it. You don't need rootDN to configure OpenLDAP (assuming you first load OLC with slapadd). You don't need it to configure OLC if you've set up access to it for admin accounts. It ends up being one shared password that rules everything. Would it not be best to always give elevated access to specific accounts? Yes I understand without privileged admin access in the first place it's a chicken or egg situation to give access to admins but that can be solved with slapadd or slaptest to generate the initial configuration from a text file. And in some extreme cases, it's best to not evaluate access at all. This is the only reason I can think of for rootDN. It seems that syncrepl depends on it though, because when I try to configure a server without rootdn, rootpw and set up syncrepl, I get Other (e.g., implementation specific) error (80) additional info: rootDN must be defined before syncrepl may be used. What do people think about the need, utility, implications of having a password based root account? And why would rootDN need to be defined for syncrepl to work? Many thanks, -- Chris Paul Rex Consulting, Inc https://www.rexconsulting.net

2 3

@Quanah About your blog
by Stefan Kania 15 Sep '20

15 Sep '20

Hi Quanah, I got a question about your blog about MMR. You wrote: Add the syncprov and accesslog overlays to the existing primary database. Note that it will be renumber from dn: olcDatabase={2}mdb,cn=config to dn: olcDatabase={3}mdb,cn=config But you did not explain why you renumber the entry. Could you do tell me the reason ehy you did this? Thank you Stefan

3 4

deltasyncrepl in mirror node configuration
by Andreas Juretzka 11 Sep '20

11 Sep '20

Hi there, since I'm suspicious about some delays in between our master-master replication I'd like to ask you if it's possible to use deltasyncrepl with mirror node configuration? Our setup is two master in active passive mode behind an loadbalancer and several slaves. The deltasyncrepl works fine there. We only have sometimes problems with the active master to passive master replication. Especially when we have a lot of changes. The version is 2.4.50 running on debian 10. Thanks! Andreas -- Heinlein Support GmbH Schwedter Str. 8/9b, 10119 Berlin http://www.heinlein-support.de Tel: 030 / 405051-0 Fax: 030 / 405051-19 HRB 93818 B / Amtsgericht Berlin-Charlottenburg, Geschäftsführer: Peer Heinlein -- Sitz: Berlin

3 4

mdb and memory size...
by Frédéric Goudal 10 Sep '20

10 Sep '20

Hello, As I understand mdb database should be in memory. Is there a way to calculate the correct amount of memory that should be allocated to a server so the database fit with no swap ? I guess the maxsize attribute should be set to a correct value too.. Thanks in advance f.g.

3 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2020