openldap-technical December 2022

openldap-technical@openldap.org

25 participants
20 discussions

lloadd standalone daemon
by Stefan Kania 15 Dec '22

15 Dec '22

Hi to all, I want to test the "lloadd" as a standalone daemon. I'm using the symas OpenLDAP 2.6 packages on a debian 11 system. I can only find the module "lloadd.la" but not the standalone daemon. If I want to us it, do I have to compile it myself? What would be the better way using the standalone daemon or use it as a module as part of slapd. Stefan

3 5

openldap TLSv1.0 is enabled
by Andre Rodier 14 Dec '22

14 Dec '22

Hello, I have configured OpenLDAP using SSL certificate, but I have a few issues. Here the TLS configuration, especially "olcTLSProtocolMin: 3.3" > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. > # CRC32 c70363a6 > dn: cn=config > objectClass: olcGlobal > cn: config > olcArgsFile: /var/run/slapd/slapd.args > olcLogLevel: none > olcPidFile: /var/run/slapd/slapd.pid > olcToolThreads: 1 > structuralObjectClass: olcGlobal > entryUUID: 40ee991a-0efe-103d-855a-11ff3a5638b4 > creatorsName: cn=config > createTimestamp: 20221213065102Z > olcPasswordCryptSaltFormat: $6$%.16s > olcTLSCACertificateFile: /etc/ldap/certs/ldap.homebox.world.issuer.crt > olcTLSCertificateKeyFile: /etc/ldap/certs/ldap.homebox.world.key > olcTLSCertificateFile: /etc/ldap/certs/ldap.homebox.world.crt > olcTLSProtocolMin: 3.3 > entryCSN: 20221214054517.926245Z#000000#000#000000 > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > modifyTimestamp: 20221214054517Z But if I try sslscan: I see TLSv1.0, TLSv1.1 and TLSv1.2 enabled. Why ? > root@main:/etc/ldap/changes# sslscan ldap.homebox.world:636 > Version: 2.0.7 > OpenSSL 1.1.1n 15 Mar 2022 > > Connected to 2001:19f0:7402:86e:5400:4ff:fe38:b9b4 > > Testing SSL server ldap.homebox.world on port 636 using SNI name ldap.homebox.world > > SSL/TLS Protocols: > SSLv2 disabled > SSLv3 disabled > TLSv1.0 enabled > TLSv1.1 enabled > TLSv1.2 enabled > TLSv1.3 enabled > > TLS Fallback SCSV: > Server supports TLS Fallback SCSV > > TLS renegotiation: > Secure session renegotiation supported > > TLS Compression: > OpenSSL version does not support compression > Rebuild with zlib1g-dev package for zlib support > > Heartbleed: > TLSv1.3 not vulnerable to heartbleed > TLSv1.2 not vulnerable to heartbleed > TLSv1.1 not vulnerable to heartbleed > TLSv1.0 not vulnerable to heartbleed > > Supported Server Cipher(s): > Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253 > Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253 > Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253 > Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253 > Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253 > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.2 256 bits AES256-GCM-SHA384 > Accepted TLSv1.2 256 bits AES256-CCM > Accepted TLSv1.2 128 bits AES128-GCM-SHA256 > Accepted TLSv1.2 128 bits AES128-CCM > Accepted TLSv1.2 256 bits AES256-SHA > Accepted TLSv1.2 128 bits AES128-SHA > Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.1 256 bits AES256-SHA > Accepted TLSv1.1 128 bits AES128-SHA > Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253 > Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253 > Accepted TLSv1.0 256 bits AES256-SHA > Accepted TLSv1.0 128 bits AES128-SHA > > Server Key Exchange Group(s): > TLSv1.3 128 bits secp256r1 (NIST P-256) > TLSv1.3 192 bits secp384r1 (NIST P-384) > TLSv1.3 260 bits secp521r1 (NIST P-521) > TLSv1.3 128 bits x25519 > TLSv1.3 224 bits x448 > TLSv1.3 112 bits ffdhe2048 > TLSv1.3 128 bits ffdhe3072 > TLSv1.3 150 bits ffdhe4096 > TLSv1.3 175 bits ffdhe6144 > TLSv1.3 192 bits ffdhe8192 > TLSv1.2 128 bits secp256r1 (NIST P-256) > TLSv1.2 192 bits secp384r1 (NIST P-384) > TLSv1.2 260 bits secp521r1 (NIST P-521) > TLSv1.2 128 bits x25519 > TLSv1.2 224 bits x448 > > SSL Certificate: > Signature Algorithm: sha256WithRSAEncryption > RSA Key Strength: 2048 > > Subject: ldap.homebox.world > Altnames: DNS:ldap.homebox.world > Issuer: (STAGING) Artificial Apricot R3 > > Not valid before: Dec 13 05:34:29 2022 GMT > Not valid after: Mar 13 05:34:28 2023 GMT Thanks for your insights. Andre

5 11

Service Accounts in Consumer databases
by thomaswilliampritchard＠gmail.com 13 Dec '22

13 Dec '22

Hello, I am building a health check for a consumer that replicates a subset of data from a provider's application database. I do not want to incorporate a service account into the replicated data set because it is not my organization to be adding service users to. I also do not want to use the consumer root credentials for health checking but would prefer to add a service account with limited ACL access to the consumers I can use to issue test binds and ensure SLAPD is running properly. Do you have suggestions on how I can add a service account to a consumer? Currently we are getting "ldap_add: Server is unwilling to perform (53) additional info: shadow context; no update referral" which I believe is because consumers are simply read only. Thanks for the consideration Thomas

1 0

Overlays accesslog and dynlist
by Carsten Jäckel 13 Dec '22

13 Dec '22

Hello experts, we are using OpenLDAP 2.5.13 and we are facing problems using the accesslog overlay along with the dynlist overlay. As long as we use only the accesslog overlay the logging works as expected. Successfully logged search access: ldapsearch -H ldaps://ldap.example.com:636 -D cn=manager,dc=example,dc=com -W -b dc=users,dc=example,dc=com cn=user1 mail Result of ldapsearch -H ldaps://ldap.example.com:636 -D cn=log -W -b cn=log objectclass=*: ###################################### ... # 20221212145029.000000Z, log dn: reqStart=20221212145029.000000Z,cn=log objectClass: auditBind reqStart: 20221212145029.000000Z reqEnd: 20221212145029.000001Z reqType: bind reqSession: 1022 reqAuthzID: reqDN: cn=manager,dc=example,dc=com reqResult: 0 reqVersion: 3 reqMethod: SIMPLE # 20221212145029.000002Z, log dn: reqStart=20221212145029.000002Z,cn=log objectClass: auditSearch reqStart: 20221212145029.000002Z reqEnd: 20221212145029.000003Z reqType: search reqSession: 1022 reqAuthzID: manager,dc=example,dc=com reqDN: dc=users,dc=example,dc=com reqResult: 0 reqScope: sub reqDerefAliases: never reqAttrsOnly: FALSE reqFilter: (cn=user1) reqAttr: mail reqEntries: 1 reqTimeLimit: -1 reqSizeLimit: -1 # 20221212145029.000004Z, log dn: reqStart=20221212145029.000004Z,cn=log objectClass: auditObject reqStart: 20221212145029.000004Z reqEnd: 20221212145029.000005Z reqType: unbind reqSession: 1022 reqAuthzID: manager,dc=example,dc=com ###################################### After adding overlay dynlist the information in the accesslog database after the same search operation ldapsearch -H ldaps://ldap.example.com:636 -D cn=manager,dc=example,dc=com -W -b dc=users,dc=example,dc=com cn=user1 mail is as follows: ###################################### ... # 20221212144859.000000Z, log dn: reqStart=20221212144859.000000Z,cn=log objectClass: auditBind reqStart: 20221212144859.000000Z reqEnd: 20221212144859.000001Z reqType: bind reqSession: 1019 reqAuthzID: reqDN: manager,dc=example,dc=com reqResult: 0 reqVersion: 3 reqMethod: SIMPLE # 20221212144859.000002Z, log dn: reqStart=20221212144859.000002Z,cn=log objectClass: auditSearch reqStart: 20221212144859.000002Z reqEnd: 20221212144859.000003Z reqType: search reqSession: 1019 reqAuthzID: manager,dc=example,dc=com reqDN: dc=users,dc=example,dc=com reqResult: 0 reqScope: sub reqDerefAliases: never reqAttrsOnly: FALSE reqFilter: (objectClass=groupOfURLs) reqAttr: memberURL reqEntries: 0 reqTimeLimit: -1 reqSizeLimit: -1 # 20221212144859.000005Z, log dn: reqStart=20221212144859.000005Z,cn=log objectClass: auditObject reqStart: 20221212144859.000005Z reqEnd: 20221212144859.000006Z reqType: unbind reqSession: 1019 reqAuthzID: manager,dc=example,dc=com ###################################### Is it possible that the configuration of the dynlist overlay somehow overrides the configuration of the accesslog overlay? Changing the order of the overlays has no impact. Are there some dependencies between the accesslog and the dynlist overlay that we didn't attend to in the slapo-accesslog/slapo-dynlist manuals? Is there something wrong in our configuration? Configuration: ###################################### dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb ... olcSuffix: dc=example,dc=com olcSyncUseSubentry: FALSE dn: olcOverlay={0}refint,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig objectClass: top olcOverlay: {0}refint olcRefintAttribute: member olcRefintAttribute: memberOf olcRefintNothing: cn=tgroup,dc=groups,dc=example,dc=com dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcPPolicyConfig objectClass: top olcOverlay: {1}ppolicy olcPPolicyHashCleartext: TRUE dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcDynListConfig objectClass: olcOverlayConfig objectClass: top olcOverlay: {2}dynlist olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames dn: olcOverlay={3}lastbind,olcDatabase={1}mdb,cn=config objectClass: olcConfig objectClass: olcLastBindConfig objectClass: olcOverlayConfig objectClass: top olcOverlay: {3}lastbind olcLastBindPrecision: 86400 dn: olcOverlay={4}accesslog,olcDatabase={1}mdb,cn=config objectClass: olcAccessLogConfig objectClass: olcConfig objectClass: olcOverlayConfig objectClass: top olcAccessLogDB: cn=log olcOverlay: {4}accesslog olcAccessLogOld: (objectClass=inetOrgPerson) olcAccessLogOldAttr: description olcAccessLogOps: all olcAccessLogPurge: 01:00 00:15 ###################################### Any help is apreciated, thank you very much in advance. Carsten

3 2

Detecting replication delay when replicating a subset of data
by thomaswilliampritchard＠gmail.com 12 Dec '22

12 Dec '22

Hello, Under typical circumstances we run a config database and have a single application database for ldap data. We run consumers replicating from providers where they replicate the entire application database. We detect delayed replication by querying consumer CSNs and comparing them to the provider CSNs to determine if any consumers have delayed replication through a health check script that executes every few minutes. For one particular use case we replicate a subset of the application database, but our replication check cannot work for this use case. It appears because we're not replicating the entire database we do not copy the provider CSNs over to the consumers (which live at the base level, and we're copying a DIT below that level) and therefore I cannot ask the consumers what their 'latest csn' is since they do not seem to have one. Is there any recommended way I can check that the consumer replication is functioning properly when replicating a subset of the provider database? Thanks for the consideration. Tom

5 4

question about access control
by Alex Samad - Yieldbroker 10 Dec '22

10 Dec '22

Hi From the online doco re > Level Privileges Description > none = 0 no access > disclose = d needed for information disclosure on error > auth = dx needed to authenticate (bind) > compare = cdx needed to compare > search = scdx needed to apply search filters > read = rscdx needed to read search results > write = wrscdx needed to modify/rename > manage = mwrscdx needed to manage I couldn't find out what the difference between manage and write is what does the M allow for. olcAccess: to dn.subtree="ou=Users," by dn.exact="cn=directory,ou=Roles," manage by * break so for the subtree ou=User I want to allow cn=directory to add / modify / delete any children of ou=Users. Reading the doco its seems like I only need to give it write access, what can I do extra with manage ? Also for userPassword attr to write to it do I need to have the read or can I just have =wd Thanks Alex

2 1

LDAP VLV throws error "Other sort requests already in progress"
by rathore_pushpendra21＠yahoo.co.in 08 Dec '22

08 Dec '22

The bounty expires in 7 days. Answers to this question are eligible for a +200 reputation bounty. NG. wants to draw more attention to this question. I am trying to implement pagination in LDAP using vlv, using reference from document https://docs.ldap.com/ldap-sdk/docs/javadoc/com/unboundid/ldap/sdk/controls… it is working fine with single thread, but when try with multiple threads concurrently upto 5 threads it works fine, but as number of threads increased only 5 threads can run successfully exceed threads got failed with below error message: LDAPException(resultCode=51 (busy), numEntries=0, numReferences=0, diagnostiMessage='Other sort requests already in progress', ldapSDKVersion=5.1.1.. I am using OpenLDAP, Unboundid api for connection with Java. About data size it is around 100k. Tried with single connection and multiple connections(with multiple concurrent threads) getting same error in both cases. Tried to synchronize block for fetching data. On exception, make thread to wait and try again. All above things didn't worked, threads cannot fetch data from LDAP. After trying to close and reconnect connection as described in https://www.openldap.org/lists/openldap-technical/201107/msg00006.html failed thread can fetch data but after retry lot of times, in my case thread retried about 2k times then it started fetching data. Is there any better solution, retrying 2k times and getting result is not a good option.

2 2

Q: Length of {SSHA} encoded passwords
by Ulrich Windl 05 Dec '22

05 Dec '22

Hi! Examining changes of the database via LDIF, I noticed one thing: -userPassword: {SSHA}XY94+nfFELR3iy0AYTsS0DHqxIOwFNz79zcnniA== +userPassword: {SSHA}yt98Od1WHak3kYIyZWYoCewg4D+f9ffp I had thought that the encoded SSHA passwords all have the same length. Could it depend on the program being used to vhnage the password, thus varying the length of salt? How could I decode that? (not that the example is not a real one (some characters permutated), so don't waste your time trying to crack it) Regards, Ulrich

3 2

Syncrepl has stopped 24 hours ago
by Bradley T Gill 01 Dec '22

01 Dec '22

Our accesslog mdb is 2GB and syncrepl has been 'late' (according to Nagios) on all of our servers for 24 hours now. We are in the middle of Significant Incident and am asking for suggestions of what to look for in the logs? All of the syncprov_ activities in the log seem fine. I have done a rolling restart of our servers to see if that could spark them to sync, with no positive results. Thanks, [cid:image001.png@01D903D9.98037410]<http://www.aep.com/> BRADLEY T GILL | INFRASTRUCTURE ENGINEER STAFF BGILL(a)AEP.COM<mailto:BGILL@AEP.COM> | A:8.200.3054 1 RIVERSIDE PLAZA, COLUMBUS, OH 43215

2 5

dynlist dynamic attributes (memberof) work and doesnt work in filter querys from some apps
by andreas.ladanyi＠kit.edu 01 Dec '22

01 Dec '22

Using slapd 2.5 with dynlist to generate memberof. We use sssd ldap provider with ldap_user_search_filter parameter and memberof filter and only the user which are memberof=XY are in the sssd cache. So it works as expected, since slapd 2.5 We use ldapsearch with memberof filter and it works as expected, since slapd 2.5 Iam trying out some webapps, configure the ldap filter and iam wondering because the filter with the memberof attribute will be transmitted to slapd but there is no search result in the slapd.log. If i copy the webapp ldap filter from the slapd log and try it out with ldapsearch on the webapp server i get search results. Could somebody clearify me ?

3 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2022