April 2021 - openldap-technical

by Hans van Zijst

Hi, After more than a day of fiddling with it, I turn to you, the gurus ;) I'm trying to create an OpenLDAP proxy that will talk to 2 OpenLDAP servers, doing MirrorMode replication and using a floating IP so that I can point all write queries to one and the same server. Those 2 MirrorMode servers are up and running and doing fine, but I can't figure out how to make that proxy. I'm running on Debian Bullseye (still "testing" at this moment), with OpenLDAP 2.4.57, both on the backend servers and the proxy I'm trying to make. I'm not using TLS yet, that's for later. After installation, there's an (empty, of course) mdb database. I think I should throw that away, but I'm not sure. The suffix in that database is different than the one I need to proxy, so it's probably not a problem to leave it there. I have loaded the extra schemas that I use on the MirrorMode machines, and loaded the backends ldap and meta, with LDIF files like this: dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: back_ldap.la And fed that to slapd with ldapmodify -Y EXTERNAL -h ldapi:/// -f <file> I checked with ldapvi and saw both modules loaded. So far, so good. Now I need to create the backend, and this is where I keep running into problems. Although the use of slapd.conf has fallen from grace a long time ago, every example I can find online only uses that. So I tried creating one and adding it to the configuration with slaptest. This is what I came up with: backend meta database meta suffix "dc=example,dc=com" rootdn "cn=admin,dc=example,dc=com" rootpw "super secret passwd" uri "ldap://172.16.7.6/dc=example,dc=com" readonly yes acl-authcDN "cn=admin,dc=example,dc=com" acl-passwd "super secret passwd" uri "ldap://172.16.7.7/dc=example,dc=com" readonly yes acl-authcDN "cn=admin,dc=example,dc=com" acl-passwd "super secret passwd" uri "ldap://172.16.7.8/dc=example,dc=com" readonly no acl-authcDN "cn=admin,dc=example,dc=com" acl-passwd "super secret passwd" But when I try to convert that, I get an error: # slaptest -f /root/proxybackend.conf -F /etc/ldap/slapd.d 6075bced /root/proxybackend.conf: line 1: <backend> failed init (meta)! slaptest: bad configuration directory! The information in the OpenLDAP Handbook is, well, lacking: https://openldap.org/doc/admin24/backends.html#Metadirectory I had hoped to find a way to create an LDIF file which I could add with ldapadd, but I never came much further than this: dn: olcDatabase=meta objectClass: olcDatabaseConfig objectClass: olcMetaConfig olcDatabase: meta olcSuffix: dc=example,dc=com olcRootDN: cn=admin,dc=example,dc=com olcRootPW: "super secret passwd" which results in: adding new entry "olcDatabase=meta" ldap_add: Server is unwilling to perform (53) additional info: no global superior knowledge I'm pretty sure I need more lines in that, to begin with the URI lines to point the proxy to the machines it needs to contact, but I couldn't find the olcSomeThing syntax for them. I'm pretty good at searching, but not so good at finding, unfortunately. Can somebody give me a few hints please? I'm pretty sure I'm missing something small here, but I'm stuck. Kind regards, Hans

2 years, 1 month

1
0
0 / 0

N-WAY replication, contextCSNs and olcSpNoPresent

by thomaswilliampritchard＠gmail.com

I am migrating from single provider to N-Way provider in OpenLDAP 2.4.56 This configuration was setup years ago and reading the docs has me questioning this piece of configuration. I notice we have no present configured on our syncprov overlay for our primary DB setup for delta sync. I noticed in the docs it explains " The nonpresent option should only be configured if the overlay is being placed on top of a log database, such as when used with delta-syncrepl. The nonpresent option is configured by the syncprov-nopresent <TRUE|FALSE> directive. This value should only be set TRUE for a syncprov instance on top of a log database (such as one managed by the accesslog overlay). The default is FALSE. " dn: olcDatabase={2}mdb,cn=config changetype: modify replace: olcDbCheckpoint olcDbCheckpoint: 1024 10 - replace: olcDbIndex ... indexes ... - replace: olcDbMaxSize olcDbMaxSize: 5000000000 - replace: olcDbNosync olcDbNosync: TRUE dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE Should this olcSpNoPresent piece be removed from our configuration? What adverse affects would this generate if it is in fact an incorrect piece of configuration? Delta-Sync between our consumers and provider seem to function. I am worried this could cause problems on my journey to N-Way provider replication. Next, I am testing new architecture for N-Way but see that the new context CSNs generated by those new providers also show up in the initial provider. If I want to "go back" to my original system state before my N-Way testing, can I simply delete the ContextCSNs from an exported LDIF and reload the database? Or is that asking for trouble?

2 years, 2 months

2
1
0 / 0

n-way multi provider set up and mdb_copy

by paul.jc＠yahoo.com

Hello, I am setting up n-way multi-provider replication. Should we expect a full sync when we setup sync for the first time on a new provider? Can we load a backup data.mdb file first and have deltasync run from there to prevent a full sync (i.e. to save time)? What is the expected behavior/best practice? Also, I have some questions around mdb_copy. Is there any concern using the -c flag for compacting the data.mdb file to be used for restore (or new n-way provider if that works)? I notice the compacted file is smaller on disk than the original data.mdb (due to the removed freed pages). I assume the data sets are still the same? Are there tools to compare the two? And last question, I am using mdb_copy to create a backup but standard linux cp to put the new file into /var/lib/ldap/data.mdb. Will this cause any issues or is it recommended to use mdb_copy to also move the data.mdb file into place? Thanks! Paul

2 years, 2 months

3
3
0 / 0

Migration from OpenLDAP to Oracle Directory Servers (OUD or ODSEE)

by borabaysal＠borabaysal.com

Hi, I was wondering if anyone has successfully made schema and data migration from OpenLDAP (current version: openldap-2.4.49) to OUD (Oracle Unified Directory 11g) or ODSEE (Oracle Directory Server Enterprise Edition 11g). We are trying to make Zimbra servers (currently using OpenLDAP directory on each server Zimbra installed) use a centralized MMR-enabled OUD environment. But we couldn't find any migration documentation on that. Thanks, -Bora

2 years, 2 months

4
8
1 / 0

hide attribute with specific value only

by Chris Leung

Dear all, Is it possible to hide a attribute for a specific value only? e.g., dn: ...... objectClass: ... attr1: A attr1: B E.g., I would like to hide the 'attr1: A' for some DNs binding, but, 'attr1: B' should be visible for the client. Chris

2 years, 2 months

2
1
0 / 0

Trust your own (Domain Controller's) CA cert with ldapsearch/openldap

by Wiebe Cazemier

Hi, I'm having difficulty making tools like ldapsearch accept SSL certificates signed by a Windows domain controller, even when the trust chain seems good. The problem extends to PHP, which uses openldap (PHP debug logging shows the exact same errors). We manually trusted the CA certifcate of the domain controller: cp -v /tmp/PDC02CA.crt /usr/local/share/ca-certificates update-ca-certificates OpenSSL approves it (it doesn't aprove without the previous step): # openssl verify -verify_hostname PDC01.city.cmpny.local /tmp/PDC01.city.cmpny.local.crt /tmp/PDC01.city.cmpny.local.crt: OK And: openssl s_client -verify_hostname PDC01.city.cmpny.local -connect PDC01.city.cmpny.local:3269 CONNECTED(00000005) depth=1 DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA verify return:1 depth=0 verify return:1 --- Certificate chain 0 s: i:DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA But ldapsearch just will not approve it: $ ldapsearch -d1 -H ldaps://PDC01.city.cmpny.local:3269 ldap_url_parse_ext(ldaps://PDC01.city.cmpny.local:3269) ldap_create ldap_url_parse_ext(ldaps://PDC01.city.cmpny.local:3269/??base) [..snip...] ldap_connect_to_host: TCP PDC01.city.cmpny.local:3269 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.105.10.10:3269 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS: peer cert untrusted or revoked (0x102) TLS: can't connect: (unknown error code). ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: (unknown error code) Running 'strace' shows '/etc/ssl/certs/ca-certificates.crt' is properly read. Doing all the standard tricks with 'LDAPTLS_CACERT, TLS_CACERT', pointing directly to '/tmp/PDC02CA.crt', editing '/etc/ldap/ldap.conf' with all possible permutations. Nothing works, except 'TLS_REQCERT never'. Other certificates are accepted when testing public servers. They are just https, but for SSL tests that doesn't matter. Like: ldapsearch -d1 -H ldaps://www.google.com:443 Or ldapsearch -d1 -H ldaps://www.amazon.co.uk:443 The latter only has the correct domain name in the 'subject alternate name', not the common name. I theorized that maybe the SAN was a cause, but this test result, and [1], show that should work fine. If I deliberately try to create a hostname mismatch, it says: 'TLS: hostname (blabla.com) does not match common name in certificate (www.amazon.co.uk)'. Very different from my 'peer cert untrusted or revoked'. Could this be a bug (in GnuTLS)? Versions: ldapsearch: @(#) $OpenLDAP: ldapsearch (Ubuntu) (Feb 18 2021 14:22:42) Ubuntu: 18.04.5 LTS libgnutls30: 3.5.18-1ubuntu1.4 Regards, Wiebe [1] https://www.openldap.org/lists/openldap-technical/201310/msg00167.html

2 years, 2 months

1
0
0 / 0

Authentication by the mail attribute

by Клеусов Владимир Сергеевич

Hi Please tell me how (if possible) to authenticate in OpenLDAP not by cn but by the mail attribute ?

2 years, 2 months

3
3
0 / 0

Replacing the server during replication

by Клеусов Владимир Сергеевич

Hi, I have multi-master replication configured. https://pastebin.com/vYKsa9VY I want to replace ldap3. Please tell me how to do this ? I mean, how does the new server synchronize the current ldap database?

2 years, 2 months

4
11
0 / 0

RE: [EXT]:Re: Openldap client is not populating GID name instead of it just getting GID with empty Group name

by Quanah Gibson-Mount

--On Monday, April 5, 2021 2:37 PM +0000 "Ballem, Narayanan" <Narayanan.Ballem(a)Staples.com> wrote: > Quanah, > > Good Morning !!! > > On Last weekend , finally migration went fine . > > I have modified loglevel to stats and increased slapd file descriptor to > 8192 which resolve the issue. Looks like in RHEL7 somehow with value 2k > it's not working where as it's used to work in RHEL6. > > It's bit interesting , No errors reported with ulimit issues in the logs. Glad to hear it! :) Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 years, 2 months

2
1
0 / 0

is there a standard way to store social media handle?

by Zhang

Hi. I was certain that I could find this in the archives but failed. What's the recommended way to extend inetOrgPerson to include twitter handle, facebook ID and other social media contact points? There doesn't seem to be OID defined for these attributes. Thanks

2 years, 2 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2021