openldap-technical December 2022

openldap-technical@openldap.org

25 participants
21 discussions

Question about Persistent Search
by pham lan 18 Dec '22

18 Dec '22

Hello, I am new to OpenLDAP. May I ask if Persistent Search is supported in any version of OpenLdap Server? I installed version 2.4.46 from Rocky repo and it does not seem to support persistent search.

5 8

lloadd Proxied Authorization Denied (123)
by Stefan Kania 15 Dec '22

15 Dec '22

I now took the example configuration and changed it to my settings: --------------------- TLSCertificateFile /opt/symas/etc/openldap/example-net-cert.pem TLSCertificateKeyFile /opt/symas/etc/openldap/example-net-key.pem TLSCACertificateFile /opt/symas/etc/openldap/cacert.pem pidfile /var/symas/run/slapd.pid argsfile /var/symas/run/slapd.args loglevel 256 modulepath /opt/symas/lib/openldap moduleload lloadd.la backend lload listen "ldap://:1389 ldaps://:1636" feature proxyauthz TLSShareSlapdCTX true bindconf bindmethod=simple network-timeout=5 tls_cacert="/opt/symas/etc/openldap/cacert.pem" tls_cert="/opt/symas/etc/openldap/example-net-cert.pem" tls_key="/opt/symas//etc/openldap/example-net-key.pem" binddn=uid=lloadd,ou=users,dc=example,dc=net credentials=geheim tier roundrobin backend-server uri=ldaps://ldap01.example.net starttls=critical retry=5000 max-pending-ops=50 conn-max-pending=10 numconns=10 bindconns=5 backend-server uri=ldaps://ldap02.example.net starttls=critical retry=5000 max-pending-ops=50 conn-max-pending=10 numconns=10 bindconns=5 database monitor --------------------- The bind-user exists in the database of the backend-server. If i start the loadbalancer I can see that the connection are established. -------ldap01----------- Dez 14 21:07:12 ldap01 slapd[550]: conn=1380 fd=46 ACCEPT from IP=192.168.56.40:38674 (IP=0.0.0.0:636) Dez 14 21:07:12 ldap01 slapd[550]: conn=1380 fd=46 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384 Dez 14 21:07:12 ldap01 slapd[550]: conn=1380 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" method=128 Dez 14 21:07:12 ldap01 slapd[550]: conn=1380 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256 ------------------------ I see the same massages on ldap02, so that's ok The I do a search from a different machine: ------------- root@ldap03:~# ldapsearch -x -D uid=repl-user,ou=users,dc=example,dc=net -w geheim -H ldaps://loadbalancer.example.net:1636 -LLL Proxied Authorization Denied (123) Additional information: not authorized to assume identity ------------ The uid=repl-user has read permission to all objects and attributes. On ldap01 I see: ---------ldap01------------- Dez 14 21:09:13 ldap01 slapd[550]: conn=1371 op=0 BIND dn="uid=repl-user,ou=users,dc=example,dc=net" method=128 Dez 14 21:09:13 ldap01 slapd[550]: conn=1371 op=0 BIND dn="uid=repl-user,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256 Dez 14 21:09:13 ldap01 slapd[550]: conn=1371 op=0 RESULT tag=97 err=0 qtime=0.000033 etime=0.015255 text= ----------------------------- on ldap02 --------ldap02---------- Dez 14 21:09:13 ldap02 slapd[300]: conn=1306 op=1 SEARCH RESULT tag=101 err=123 qtime=0.000044 etime=0.000235 nentries=0 text=not authorized to assume identity Dez 14 21:09:13 ldap02 slapd[300]: conn=1306 op=1 do_search: get_ctrls failed ------------------------ Why do I get different log-entries on the backend-server? And what did I forgot? When I do a ldapsearch with uid=lloadd I get: ------------------- root@ldap03:~# ldapsearch -x -D uid=lloadd,ou=users,dc=example,dc=net -w geheim -H ldaps://loadbalancer.example.net:1636 -LLL dn: dc=example,dc=net objectClass: domain objectClass: dcObject dc: example ------------------- That's the only object the user has permissions to read. log from ldap01 -------------------- Dez 14 21:14:04 ldap01 slapd[550]: conn=1381 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" method=128 Dez 14 21:14:04 ldap01 slapd[550]: conn=1381 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256 Dez 14 21:14:04 ldap01 slapd[550]: conn=1381 op=0 RESULT tag=97 err=0 qtime=0.000021 etime=0.008984 text= -------------------- and log from ldap02 -------------------- Dez 14 21:14:04 ldap02 slapd[300]: conn=1308 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(objectClass=*)" Dez 14 21:14:04 ldap02 slapd[300]: conn=1308 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000022 etime=0.002048 nentries=1 text= -------------------- That's also ok, I think . The final version should be that the binduser uid=lloadd will not see anything. So what's the point I'm missing to get proxyauthz work correctly?

4 9

lloadd standalone daemon
by Stefan Kania 15 Dec '22

15 Dec '22

Hi to all, I want to test the "lloadd" as a standalone daemon. I'm using the symas OpenLDAP 2.6 packages on a debian 11 system. I can only find the module "lloadd.la" but not the standalone daemon. If I want to us it, do I have to compile it myself? What would be the better way using the standalone daemon or use it as a module as part of slapd. Stefan

3 5

Service Accounts in Consumer databases
by thomaswilliampritchard＠gmail.com 13 Dec '22

13 Dec '22

Hello, I am building a health check for a consumer that replicates a subset of data from a provider's application database. I do not want to incorporate a service account into the replicated data set because it is not my organization to be adding service users to. I also do not want to use the consumer root credentials for health checking but would prefer to add a service account with limited ACL access to the consumers I can use to issue test binds and ensure SLAPD is running properly. Do you have suggestions on how I can add a service account to a consumer? Currently we are getting "ldap_add: Server is unwilling to perform (53) additional info: shadow context; no update referral" which I believe is because consumers are simply read only. Thanks for the consideration Thomas

1 0

Overlays accesslog and dynlist
by Carsten Jäckel 13 Dec '22

13 Dec '22

Hello experts, we are using OpenLDAP 2.5.13 and we are facing problems using the accesslog overlay along with the dynlist overlay. As long as we use only the accesslog overlay the logging works as expected. Successfully logged search access: ldapsearch -H ldaps://ldap.example.com:636 -D cn=manager,dc=example,dc=com -W -b dc=users,dc=example,dc=com cn=user1 mail Result of ldapsearch -H ldaps://ldap.example.com:636 -D cn=log -W -b cn=log objectclass=*: ###################################### ... # 20221212145029.000000Z, log dn: reqStart=20221212145029.000000Z,cn=log objectClass: auditBind reqStart: 20221212145029.000000Z reqEnd: 20221212145029.000001Z reqType: bind reqSession: 1022 reqAuthzID: reqDN: cn=manager,dc=example,dc=com reqResult: 0 reqVersion: 3 reqMethod: SIMPLE # 20221212145029.000002Z, log dn: reqStart=20221212145029.000002Z,cn=log objectClass: auditSearch reqStart: 20221212145029.000002Z reqEnd: 20221212145029.000003Z reqType: search reqSession: 1022 reqAuthzID: manager,dc=example,dc=com reqDN: dc=users,dc=example,dc=com reqResult: 0 reqScope: sub reqDerefAliases: never reqAttrsOnly: FALSE reqFilter: (cn=user1) reqAttr: mail reqEntries: 1 reqTimeLimit: -1 reqSizeLimit: -1 # 20221212145029.000004Z, log dn: reqStart=20221212145029.000004Z,cn=log objectClass: auditObject reqStart: 20221212145029.000004Z reqEnd: 20221212145029.000005Z reqType: unbind reqSession: 1022 reqAuthzID: manager,dc=example,dc=com ###################################### After adding overlay dynlist the information in the accesslog database after the same search operation ldapsearch -H ldaps://ldap.example.com:636 -D cn=manager,dc=example,dc=com -W -b dc=users,dc=example,dc=com cn=user1 mail is as follows: ###################################### ... # 20221212144859.000000Z, log dn: reqStart=20221212144859.000000Z,cn=log objectClass: auditBind reqStart: 20221212144859.000000Z reqEnd: 20221212144859.000001Z reqType: bind reqSession: 1019 reqAuthzID: reqDN: manager,dc=example,dc=com reqResult: 0 reqVersion: 3 reqMethod: SIMPLE # 20221212144859.000002Z, log dn: reqStart=20221212144859.000002Z,cn=log objectClass: auditSearch reqStart: 20221212144859.000002Z reqEnd: 20221212144859.000003Z reqType: search reqSession: 1019 reqAuthzID: manager,dc=example,dc=com reqDN: dc=users,dc=example,dc=com reqResult: 0 reqScope: sub reqDerefAliases: never reqAttrsOnly: FALSE reqFilter: (objectClass=groupOfURLs) reqAttr: memberURL reqEntries: 0 reqTimeLimit: -1 reqSizeLimit: -1 # 20221212144859.000005Z, log dn: reqStart=20221212144859.000005Z,cn=log objectClass: auditObject reqStart: 20221212144859.000005Z reqEnd: 20221212144859.000006Z reqType: unbind reqSession: 1019 reqAuthzID: manager,dc=example,dc=com ###################################### Is it possible that the configuration of the dynlist overlay somehow overrides the configuration of the accesslog overlay? Changing the order of the overlays has no impact. Are there some dependencies between the accesslog and the dynlist overlay that we didn't attend to in the slapo-accesslog/slapo-dynlist manuals? Is there something wrong in our configuration? Configuration: ###################################### dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb ... olcSuffix: dc=example,dc=com olcSyncUseSubentry: FALSE dn: olcOverlay={0}refint,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig objectClass: top olcOverlay: {0}refint olcRefintAttribute: member olcRefintAttribute: memberOf olcRefintNothing: cn=tgroup,dc=groups,dc=example,dc=com dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcPPolicyConfig objectClass: top olcOverlay: {1}ppolicy olcPPolicyHashCleartext: TRUE dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcDynListConfig objectClass: olcOverlayConfig objectClass: top olcOverlay: {2}dynlist olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames dn: olcOverlay={3}lastbind,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcLastBindConfig objectClass: olcOverlayConfig objectClass: top olcOverlay: {3}lastbind olcLastBindPrecision: 86400 dn: olcOverlay={4}accesslog,olcDatabase={1}mdb,cn=config objectClass: olcAccessLogConfig objectClass: olcConfig objectClass: olcOverlayConfig objectClass: top olcAccessLogDB: cn=log olcOverlay: {4}accesslog olcAccessLogOld: (objectClass=inetOrgPerson) olcAccessLogOldAttr: description olcAccessLogOps: all olcAccessLogPurge: 01:00 00:15 ###################################### Any help is apreciated, thank you very much in advance. Carsten

3 2

Detecting replication delay when replicating a subset of data
by thomaswilliampritchard＠gmail.com 12 Dec '22

12 Dec '22

Hello, Under typical circumstances we run a config database and have a single application database for ldap data. We run consumers replicating from providers where they replicate the entire application database. We detect delayed replication by querying consumer CSNs and comparing them to the provider CSNs to determine if any consumers have delayed replication through a health check script that executes every few minutes. For one particular use case we replicate a subset of the application database, but our replication check cannot work for this use case. It appears because we're not replicating the entire database we do not copy the provider CSNs over to the consumers (which live at the base level, and we're copying a DIT below that level) and therefore I cannot ask the consumers what their 'latest csn' is since they do not seem to have one. Is there any recommended way I can check that the consumer replication is functioning properly when replicating a subset of the provider database? Thanks for the consideration. Tom

5 4

question about access control
by Alex Samad - Yieldbroker 10 Dec '22

10 Dec '22

Hi From the online doco re > Level Privileges Description > none = 0 no access > disclose = d needed for information disclosure on error > auth = dx needed to authenticate (bind) > compare = cdx needed to compare > search = scdx needed to apply search filters > read = rscdx needed to read search results > write = wrscdx needed to modify/rename > manage = mwrscdx needed to manage I couldn't find out what the difference between manage and write is what does the M allow for. olcAccess: to dn.subtree="ou=Users," by dn.exact="cn=directory,ou=Roles," manage by * break so for the subtree ou=User I want to allow cn=directory to add / modify / delete any children of ou=Users. Reading the doco its seems like I only need to give it write access, what can I do extra with manage ? Also for userPassword attr to write to it do I need to have the read or can I just have =wd Thanks Alex

2 1

LDAP VLV throws error "Other sort requests already in progress"
by rathore_pushpendra21＠yahoo.co.in 08 Dec '22

08 Dec '22

The bounty expires in 7 days. Answers to this question are eligible for a +200 reputation bounty. NG. wants to draw more attention to this question. I am trying to implement pagination in LDAP using vlv, using reference from document https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/controls… it is working fine with single thread, but when try with multiple threads concurrently upto 5 threads it works fine, but as number of threads increased only 5 threads can run successfully exceed threads got failed with below error message: LDAPException(resultCode=51 (busy), numEntries=0, numReferences=0, diagnostiMessage='Other sort requests already in progress', ldapSDKVersion=5.1.1.. I am using OpenLDAP, Unboundid api for connection with Java. About data size it is around 100k. Tried with single connection and multiple connections(with multiple concurrent threads) getting same error in both cases. Tried to synchronize block for fetching data. On exception, make thread to wait and try again. All above things didn't worked, threads cannot fetch data from LDAP. After trying to close and reconnect connection as described in https://www.openldap.org/lists/openldap-technical/201107/msg00006.html failed thread can fetch data but after retry lot of times, in my case thread retried about 2k times then it started fetching data. Is there any better solution, retrying 2k times and getting result is not a good option.

2 2

Q: Length of {SSHA} encoded passwords
by Ulrich Windl 05 Dec '22

05 Dec '22

Hi! Examining changes of the database via LDIF, I noticed one thing: -userPassword: {SSHA}XY94+nfFELR3iy0AYTsS0DHqxIOwFNz79zcnniA== +userPassword: {SSHA}yt98Od1WHak3kYIyZWYoCewg4D+f9ffp I had thought that the encoded SSHA passwords all have the same length. Could it depend on the program being used to vhnage the password, thus varying the length of salt? How could I decode that? (not that the example is not a real one (some characters permutated), so don't waste your time trying to crack it) Regards, Ulrich

3 2

Syncrepl has stopped 24 hours ago
by Bradley T Gill 01 Dec '22

01 Dec '22

Our accesslog mdb is 2GB and syncrepl has been 'late' (according to Nagios) on all of our servers for 24 hours now. We are in the middle of Significant Incident and am asking for suggestions of what to look for in the logs? All of the syncprov_ activities in the log seem fine. I have done a rolling restart of our servers to see if that could spark them to sync, with no positive results. Thanks, [cid:image001.png@01D903D9.98037410]<http://www.aep.com/> BRADLEY T GILL | INFRASTRUCTURE ENGINEER STAFF BGILL(a)AEP.COM<mailto:BGILL@AEP.COM> | A:8.200.3054 1 RIVERSIDE PLAZA, COLUMBUS, OH 43215

2 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2022