DirSync support in OpenLDAP
by shekhar.shrinivasan@gmail.com
Hi Team,
We have an OpenLDAP proxy in front of Active Directory servers, and all client applications perform LDAP operations via the proxy. One of the applications seems not to be working as expected, and when we checked the logs we see this error:
SEARCH RESULT tag=101 err=12 nentries=0 text=critical extension is not recognized
After discussing with the app owner, we understand that we need to enable support for DirSync. Can you please let us know whether OpenLDAP supports DirSync and what exactly needs to be done on the OpenLDAP proxy? Thank you for your help!
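Reading the log line in the post: tag=101 is the BER tag of an LDAP SearchResultDone PDU and err=12 is resultCode unavailableCriticalExtension, meaning the client attached a control marked critical that the server would not honour. The script below is an added example (mine, not from the thread or the OpenLDAP project) that parses slapd "loglevel stats" result lines and pulls out exactly those refusals. The sample log is constructed: the post's line is embedded with a made-up conn/op prefix, and the other lines are invented for contrast.

```python
import re
from typing import Dict, Iterable, List, Optional

# "tag=NNN" in a slapd result line is the BER tag of the response PDU (RFC 4511):
# 0x61 (97) bindResponse, 0x65 (101) searchResDone, 0x67 (103) modifyResponse, ...
RESPONSE_TAGS = {
    97: "bindResponse",
    101: "searchResDone",
    103: "modifyResponse",
    105: "addResponse",
    107: "delResponse",
    109: "modDNResponse",
    111: "compareResponse",
    120: "extendedResp",
}

# LDAP resultCode values (RFC 4511, Appendix A) that matter for this kind of triage.
RESULT_CODES = {
    0: "success",
    12: "unavailableCriticalExtension",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# 2.4 prints "... err=N [nentries=N] text=..."; 2.5+ inserts qtime=/etime= before
# text=, so everything after err= is parsed separately.
RESULT_RE = re.compile(
    r"(?:conn=(?P<conn>\d+) op=(?P<op>\d+) )?"
    r"(?P<kind>SEARCH RESULT|RESULT) tag=(?P<tag>\d+) err=(?P<err>\d+)(?P<rest>.*)$"
)


def parse_result_line(line: str) -> Optional[Dict[str, object]]:
    """Decode one slapd result line into named fields; None if it is not one."""
    m = RESULT_RE.search(line.rstrip("\n"))
    if not m:
        return None
    tag, err, rest = int(m["tag"]), int(m["err"]), m["rest"]
    nentries = re.search(r"\bnentries=(\d+)", rest)
    text = re.search(r"\btext=(.*)$", rest)
    return {
        "conn": int(m["conn"]) if m["conn"] else None,
        "op": int(m["op"]) if m["op"] else None,
        "op_name": RESPONSE_TAGS.get(tag, f"tag {tag}"),
        "err": err,
        "err_name": RESULT_CODES.get(err, f"resultCode {err}"),
        "nentries": int(nentries.group(1)) if nentries else None,
        "text": text.group(1) if text else "",
    }


def unsupported_critical_controls(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return the operations the server refused because the client attached a
    control it marked critical but the server does not implement (resultCode 12).
    For DirSync the control in question is Microsoft's 1.2.840.113556.1.4.841; a
    base-scope search of the rootDSE for supportedControl shows whether the proxy
    advertises it."""
    return [r for r in map(parse_result_line, lines) if r and r["err"] == 12]


# Constructed sample at "loglevel stats".  Line 4 is the one quoted in the post
# (with a made-up conn/op prefix); the others are invented for contrast.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="cn=svc,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
conn=1001 op=1 SEARCH RESULT tag=101 err=12 nentries=0 text=critical extension is not recognized
conn=1002 op=0 BIND dn="cn=nobody,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=49 text=
""".splitlines()

if __name__ == "__main__":
    for r in unsupported_critical_controls(SAMPLE_LOG):
        print(f"conn={r['conn']} op={r['op']} {r['op_name']} -> {r['err_name']}: {r['text']}")
```

Run it against a real slapd log (syslog prefixes are skipped by the regex) to list every connection that tripped over an unsupported critical control, then compare the clients involved against what the proxy's rootDSE actually advertises.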
RE: [EXT]:Re: OpenLDAP SSLV3 disable
by Quanah Gibson-Mount
--On Tuesday, November 9, 2021 5:41 AM +0000 "Ballem, Narayanan"
<Narayanan.Ballem(a)Staples.com> wrote:
> Is it possible to give a slapd.conf reference file?
> I did update the config section and restart slapd, but that did not
> help.
This would be an extremely basic slapd.conf file:
# Global options: schema, pid/args files, logging
include /usr/local/etc/openldap/schema/core.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
loglevel stats
# TLS directives are global and must precede every "database" section
TLSCACertificateFile /path/to/ca/cert
TLSCertificateFile /path/to/server/cert
TLSCertificateKeyFile /path/to/server/private/key
# 3.3 = TLS 1.2 minimum: SSLv3 (3.0), TLS 1.0 (3.1) and TLS 1.1 (3.2) are refused
TLSProtocolMin 3.3
modulepath /usr/local/lib/openldap
moduleload back_mdb.la
database config
# "secret" is a placeholder; use a hash generated with slappasswd
rootpw secret
database mdb
maxsize 1073741824
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
database monitor
If you are still unable to set the minimum protocol, I would advise
confirming what TLS library your slapd build is linked to. For example,
the TLSProtocolMin parameter has no effect when slapd is linked to GnuTLS.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
TLS handshake callback
by Jérémie HUNEL
Hi,
I would like to use a custom TLS handshake callback to verify the server's certificate; however, it seems that this option does not exist yet in OpenLDAP. I saw the LDAP_OPT_CONNECT_CB option, but this is not exactly what I'm looking for. Is there a way to specify a custom callback? If not, is it a feature that you plan to develop?
Regards,
Jeremie
RE: [EXT]:Re: OpenLDAP SSLV3 disable
by Quanah Gibson-Mount
--On Wednesday, November 3, 2021 11:13 PM +0000 "Ballem, Narayanan"
<Narayanan.Ballem(a)Staples.com> wrote:
> Yes, it is just adding a few CN entries to the DB for Active Directory sync-up.
> Not sure where the issue is then in disabling SSLv3. Do you think 2.4.54
> might not support TLSProtocolMin? I think it does.
>
> I ran slapd in debug mode while starting and am not seeing any issue with
> the TLS version.
>
> @(#) $OpenLDAP: slapd 2.4.54 (Oct 27 2020 18:47:58)
I tested with 2.4.59 on RHEL7 linked to the RHEL7 OpenSSL libraries and
could not reproduce the issue.
There are no fixes between 2.4.54 and 2.4.59 related to OpenSSL or TLS.
I would note that your TLS configuration directives are inside the database
backend definition which is invalid. They are global options and should
appear before any database xxxx configuration section.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
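Two things this thread turns on can be checked mechanically: whether any TLS* directive sits after a "database" line (Quanah's point above), and what floor TLSProtocolMin actually sets (3.2 is TLS 1.1, so SSLv3 and TLS 1.0 go but TLS 1.1 stays; 3.3 is TLS 1.2). The linter below is an added example, mine rather than anything from the thread or the OpenLDAP project. The two configs it checks are constructed: the /opt/dirsvcs prefix comes from the posts, while the certs/ file names and the ldaps://ad.example.com proxy URI are made up.

```python
import re
from typing import List, Optional, Tuple

# TLSProtocolMin takes the record-layer version as <major>.<minor> (slapd.conf(5)):
# 3.0 = SSLv3, 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3.
PROTOCOL_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}


def parse_version(arg: str) -> Tuple[int, int]:
    """'3.3' -> (3, 3); a bare '3' means 3.0.  Raises ValueError on anything else."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?", arg.strip())
    if not m:
        raise ValueError(f"not a <major>[.<minor>] version: {arg!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """(line_no, directive) pairs.  slapd.conf treats a line that starts with
    whitespace as a continuation of the previous one; blanks and '#' comments drop."""
    out: List[Tuple[int, str]] = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            prev_no, prev = out[-1]
            out[-1] = (prev_no, prev + " " + raw.strip())
        else:
            out.append((no, raw.strip()))
    return out


def lint_tls(text: str, floor: str = "3.3") -> List[str]:
    """Flag TLS* directives placed after a 'database' line (they are global options
    and belong before the first database section) and a TLSProtocolMin below
    `floor`, naming the legacy versions it still lets through."""
    findings: List[str] = []
    current_db: Optional[str] = None
    saw_min = False
    floor_v = parse_version(floor)
    for no, line in logical_lines(text):
        parts = line.split(None, 1)
        key, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "database":
            current_db = arg
            continue
        if not key.startswith("tls"):
            continue
        if current_db is not None:
            findings.append(
                f"line {no}: {parts[0]} follows 'database {current_db}'; TLS directives "
                "are global and must appear before the first database section"
            )
        if key == "tlsprotocolmin":
            saw_min = True
            try:
                v = parse_version(arg)
            except ValueError as e:
                findings.append(f"line {no}: {e}")
                continue
            if v < floor_v:
                still = [n for ver, n in sorted(PROTOCOL_NAMES.items()) if v <= ver < floor_v]
                findings.append(
                    f"line {no}: TLSProtocolMin {arg} still accepts "
                    + (", ".join(still) or f"versions below {floor}")
                    + f"; want {floor} ({PROTOCOL_NAMES.get(floor_v, floor)}) or higher"
                )
    if not saw_min:
        findings.append("TLSProtocolMin is not set; the TLS library's defaults decide which legacy versions are accepted")
    return findings


# Constructed configs, not from the thread.  BROKEN mirrors the reported layout: a
# back-ldap proxy whose TLS directives sit inside the database section, with a 3.2
# (TLS 1.1) floor.  FIXED puts them first with a TLS 1.2 floor, as Quanah's example does.
BROKEN = """\
include         /opt/dirsvcs/etc/openldap/schema/core.schema
pidfile         /opt/dirsvcs/var/run/slapd.pid
database        ldap
suffix          "dc=example,dc=com"
uri             "ldaps://ad.example.com"
TLSCACertificateFile   /opt/dirsvcs/etc/openldap/certs/ca.pem
TLSCertificateFile     /opt/dirsvcs/etc/openldap/certs/server.pem
TLSCertificateKeyFile  /opt/dirsvcs/etc/openldap/certs/server.key
TLSProtocolMin  3.2
"""

FIXED = """\
include         /opt/dirsvcs/etc/openldap/schema/core.schema
pidfile         /opt/dirsvcs/var/run/slapd.pid
TLSCACertificateFile   /opt/dirsvcs/etc/openldap/certs/ca.pem
TLSCertificateFile     /opt/dirsvcs/etc/openldap/certs/server.pem
TLSCertificateKeyFile  /opt/dirsvcs/etc/openldap/certs/server.key
TLSProtocolMin  3.3
database        ldap
suffix          "dc=example,dc=com"
uri             "ldaps://ad.example.com"
"""

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_tls(cfg) or ["ok"])
```

A clean run of the linter is only half the check: it tells you what the file asks for, not what the running slapd honours, so still confirm which TLS library the binary is linked against (Quanah's point about GnuTLS) and probe the listener with openssl s_client for each legacy version.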
RE: [EXT]:Re: OpenLDAP SSLV3 disable
by Quanah Gibson-Mount
--On Wednesday, November 3, 2021 10:51 PM +0000 "Ballem, Narayanan"
<Narayanan.Ballem(a)Staples.com> wrote:
> We do have a slapd.conf, and as part of the config we add a few entries to the DB
> using an LDIF file which has OU/CN/objectClass information.
>
> Do we need to update any config over there, or do I need to update
> anything w.r.t. cn=config in slapd.conf?
>
> /opt/dirsvcs/sbin/slapadd -f /opt/dirsvcs/etc/openldap/slapd.conf -l
> /opt/dirsvcs/etc/openldap/base.ldif
That means you're telling slapadd to use that slapd.conf file, it says
nothing about what slapd itself is using at startup.
> Do we have a tarball option for the 2.6 version? I can look to upgrade it.
The OpenLDAP website has a tarball of the source available for download.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
OpenLDAP SSLV3 disable
by Ballem, Narayanan
Hi Team,
Hope you can help with this issue.
I am trying to disable SSLv3 on our OpenLDAP servers. We are using OpenLDAP as a proxy with upstream Active Directory servers, using CA certs with this OpenSSL, and we would like to disable SSLv3. Based on an earlier update from the OpenLDAP technical support team, I added "TLSProtocolMin 3.2" and was able to restart the slapd service without any issue.
However, when we tried to test SSLv3 connectivity, it still shows SSLv3 enabled.
This OpenLDAP server is built on a RHEL server with OpenLDAP locally compiled; the openssl rpm/binaries are part of the base RHEL OS image.
cat /opt/dirsvcs/etc/openldap/slapd.conf|grep -i TLSProtocolMin
TLSProtocolMin 3.2
openssl s_client -connect localhost:1636 -ssl3 -quiet
depth=3 CN = XXX Root Certificate Authority
verify return:1
SSLv3 is insecure, as you know, and we are looking to disable this ASAP. Any help in addressing this is much appreciated.
Thanks
Narayanan
Linux Platform Engineering
500 Staples Drive, Framingham MA
Office: 508-253-6909 | Mobile: 508-333-4395
memberof vs groupMembership
by Keith LeValley
Good afternoon,
I am working to migrate my LDAP setup to OpenLDAP; however, I have run into
a problem around group membership.
Specifically, my old instance of LDAP used the attribute "groupMembership",
and I need to support this moving forward, so if you were to query the
attribute "groupMembership" it needs to return the groups the user is part
of.
Currently in my test environment I have the memberof overlay working, and I
found the option
*memberof-memberof-ad*
which should allow me to create a custom attribute named "groupMembership"
and point the overlay at that attribute. I am really hoping to avoid this,
though, and would much rather have a cleaner solution. Maybe some type of
interface that just acts as a pointer to the memberof attribute when they
query groupMembership? But I am not familiar enough with OpenLDAP to know
whether this is even possible.
So I guess my question is: is the custom attribute going to be the
solution here, or is there another tool that I am unaware of?
--
Keith LeValley
Identity Services Architect, Davenport University
phone: (616) 732-1102
klevalley2(a)davenport.edu