openldap-technical February 2022

openldap-technical@openldap.org

30 participants
36 discussions

Re: Error when running make test or slapd after building on windows
by Howard Chu 18 Feb '22

18 Feb '22

Dr. Ogg wrote: > Why not run in a Linux VM or a docker container? and avoid Cygwin? Or WSL2. I hear that works pretty well these days. > > >> On Feb 17, 2022, at 2:48 PM, Joshua Dunbar <jdunbar(a)montereytechnologies.com> wrote: >> >> Are there up to date instructions on how to build with Cygwin or Msys somewhere? I am trying to do this on a 64 bit Windows 10 computer. The way I am doing it with Cygwin with default configure options must be wrong. I am new to both Cygwin and OpenLDAP so apologies for my inexperience. >> >> -----Original Message----- >> From: Howard Chu <hyc(a)symas.com> >> Sent: Thursday, February 17, 2022 5:40 PM >> To: Quanah Gibson-Mount <quanah(a)fast-mail.org>; Joshua Dunbar <jdunbar(a)montereytechnologies.com>; openldap-technical(a)openldap.org >> Subject: Re: Error when running make test or slapd after building on windows >> >> Quanah Gibson-Mount wrote: >>> >>> >>> --On Thursday, February 17, 2022 8:00 PM +0000 Joshua Dunbar <jdunbar(a)montereytechnologies.com> wrote: >>> >>>> >>>> >>>> Hello, >>>> >>>> >>>> >>>> I am attempting to install openldap (latest version 2.6.1) on windows >>>> using Cygwin where I have installed dependencies of gcc core and make >>>> in order to get configure to run. I then run configure from a Cygwin >>>> terminal (without any arguments). Configure seems to run fine, and so >>>> does make depend, and make. Then when I attempt to run make test (or >>>> slapd with any other well formatted slapd.conf file) I get the >>>> following error message. I >>> >>> Hi Joshua, >>> >>> It's likely related to this discussion: >>> >>> <https://cygwin.com/pipermail/cygwin/2019-July/241961.html> >> >> More than just that. OpenLDAP code supports real POSIX environments and native WIN32 environments. >> It doesn't support Cygwin, which is a partially-working fake POSIX environment. >> >> You can use Cygwin or MSYS as the build platform, but the binaries will only work if built with the MinGW toolchain for native WIN32 output. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 2

DNS/ldap
by pascal.jakobi＠gmail.com 18 Feb '22

18 Feb '22

Just a question (quick). You probably saw the relatively new CAA record for DNS. This (great) record provides a means to get the address of a CA for a given DNS domain. Firstly, it is unclear to me why the old SRV records are not used as they essentially do the same. You may think of creating an SRV record for _pkica.<domain> that would provide a CA's IP address. Then my question is : why is this SRV not used on linux boxes ? This would provide a means to retrieve automatically a certificate/public key for a given user and avoid setting configs (i.e. ldap.conf) on the client side. In other tertms, don't we need a CAA equivalent for Directories ?

1 0

Error when running make test or slapd after building on windows
by Joshua Dunbar 17 Feb '22

17 Feb '22

Hello, I am attempting to install openldap (latest version 2.6.1) on windows using Cygwin where I have installed dependencies of gcc core and make in order to get configure to run. I then run configure from a Cygwin terminal (without any arguments). Configure seems to run fine, and so does make depend, and make. Then when I attempt to run make test (or slapd with any other well formatted slapd.conf file) I get the following error message. I have turned on the highest level of logging and don't get any additional useful information and have been going at this for a couple days now without any luck. I have tried manipulating permissions on the db folder as well as using different folder names and locations. I can see the lock.mdb file being generated in the /tests/testrun/db.1.a folder, but nothing else. Any insight or help would be very appreciated. 620dab00.2d2e09dc 0x800000010 config_build_entry: "olcDatabase={2}monitor" 620dab00.2d2e359c 0x800000010 slap_get_csn: conn=-1 op=0 generated new csn=20220217015512.758001Z#000000#000#000000 manage=0 620dab00.2d2ecdf4 0x800000010 backend_startup_one: starting "o=OpenLDAP Project,l=Internet" 620dab00.2d2edba0 0x800000010 mdb_db_open: "o=OpenLDAP Project,l=Internet" 620dab00.2d3072a8 0x800000010 mdb_db_open: database "o=OpenLDAP Project,l=Internet": dbenv_open(/tests/testrun/db.1.a). 620dab00.2d3a1894 0x800000010 mdb_db_open: database "o=OpenLDAP Project,l=Internet" cannot be opened: Invalid argument (22). Restore from backup! 620dab00.2d3a37d4 0x800000010 backend_startup_one (type=mdb, suffix="o=OpenLDAP Project,l=Internet"): bi_db_open failed! (22) 620dab00.2d3a42c4 0x800000010 slapd shutdown: initiated 620dab00.2d3c25f8 0x800000010 slapd destroy: freeing system resources. 620dab00.2d5278d0 0x800000010 slapd stopped. Thanks, Josh

3 4

Re: How to restrict access to pwdHistory attributes
by Chandeshwar Mishra 16 Feb '22

16 Feb '22

Hi Quanah, Thanks for your response. Our setup is a very old one and we are planning to migrate it to the latest stable version but Since this openldap is deployed in Production it is not possible for us to upgrade it suddenly. As you mentioned that ppolicy schema is missing in configuration, so is it possible that without having ppolicy schema, Openldap will remember the pwdHistory of the user ? In my case pwdHistory is visible to users, for which I want to apply ACL so that a user can only see his/her pwdHistory , not other users pwdHistory. Below are my configuration related to ppolicy configuration in config file:- include /etc/openldap/schema/ppolicy.schema --- more include directive related to schema ---- moduleload ppolicy.la moduleload memberof.la overlay memberof overlay syncprov overlay auditlog #overlay accesslog overlay ppolicy ppolicy_default "cn=passwordDefault,dc=example,dc=com" Thanks & Regards, Chandeshwar Kumar On Mon, Feb 14, 2022 at 11:24 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Saturday, February 12, 2022 5:22 AM +0000 > kumarchandeshwar99(a)gmail.com > wrote: > > > Hi, > > I am trying to restrict access to pwdHistory attributes provided by > > ppolicy overlay. I have applied the below ACL > > > > access to attrs=pwdHistory > > by * none > > but while doing slaptest, its throwing below error:- > > /etc/openldap/slapd.conf: line 212: unknown attr "pwdHistory" in to > clause > > <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> > > ] ]+ <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] > > [attrs=<attrspec>] <attrspec> ::= <attrname> > > [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::= > > <attr> [ , <attrlist> ] > > <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | > children > > <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] > > [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> > ] > > [dnattr=<attrname>] > > [realdnattr=<attrname>] > > [group[/<objectclass>[/<attrname>]][.<style>]=<group>] > > [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] > > [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] > > [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] > > > > Before posting here I searched archive and found one similar, issue , but > > it did not resolve my issue. I have running openldap-servers-2.4.23 on > > RHEL-6.5. > > You are missing the ppolicy schema in your configuration. > > However, I would note that both RHEL6 and OpenLDAP 2.4 are historic and no > longer in support. I'd strongly advise upgrading to both an OS that is > under support and a version of OpenLDAP that's under support. > > Regards, > Quanah > > > >

4 3

Re: OpenLDAP and NTLM
by Marc Boorshtein 15 Feb '22

15 Feb '22

> > > > NTLM has been obsoleted and shouldn't be used at all. SASL/GSSAPI or > SASL/GSS-SPNEGO should be fine. > I understand, but this is a legacy (really legacy) application that can't be changed. Is NTLM still working? >

2 1

OpenLDAP and NTLM
by Marc Boorshtein 15 Feb '22

15 Feb '22

I see that NTLM is supported as an authentication mechanism for supportedSASLMechanisms, but I'm not seeing any docs. Do I configure GSSAPI and NTLM is now available? Thanks Marc

3 2

slapo-memberof -> slapo-dynlist and value-based ACLs
by Michael Ströder 14 Feb '22

14 Feb '22

HI! I'm experimenting to replace slapo-memberof to slapo-dynlist in Æ-DIR's slapd.conf. Ok, basically it works but... Æ-DIR trys hard to follow need-to-know-principle. This means that memberOf values are only made visible to clients which they have defined to be visible on. Thus I have ACLs like this and which don't work for these clients (lines wrapped): access to dn.subtree="ou=ae-dir" filter="(objectClass=posixAccount)" attrs=memberOf val.regex="^.+$" [..] by set.expand="(user/-1 | user/aeSrvGroup | user/-1/aeProxyFor) & [ldap:///ou=ae-dir?entryDN?sub?(&(objectClass=aeSrvGroup)(aeStatus=0)(aeVisibleGroups=${v0}))]/entryDN" read [..] by * none I'm aware that this is quite special. But is there any chance that something like this will be ever supported? The alternative would be to implement an external update process for maintaining 'memberOf'. :-/ Ciao, Michael.

3 3

How to restrict access to pwdHistory attributes
by kumarchandeshwar99＠gmail.com 14 Feb '22

14 Feb '22

Hi, I am trying to restrict access to pwdHistory attributes provided by ppolicy overlay. I have applied the below ACL access to attrs=pwdHistory by * none but while doing slaptest, its throwing below error:- /etc/openldap/slapd.conf: line 212: unknown attr "pwdHistory" in to clause <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+ <what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>] <attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist> <attrlist> ::= <attr> [ , <attrlist> ] <attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children <who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ] [ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ] [dnattr=<attrname>] [realdnattr=<attrname>] [group[/<objectclass>[/<attrname>]][.<style>]=<group>] [peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>] [domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>] [ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>] Before posting here I searched archive and found one similar, issue , but it did not resolve my issue. I have running openldap-servers-2.4.23 on RHEL-6.5. If any further details requires , Please let me know. Thanks.

2 1

issue with importing the samba3 schema
by Ulf Volmer 08 Feb '22

08 Feb '22

Hello, I'm trying to migrate an old openldap installation to a new one. OS of the new one is SLES15SP3, we are using the symas 2.5 packages. Sadly I got an error by importing the samba3 schema: # /opt/symas/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /opt/symas/etc/openldap/schema/samba3.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=samba3,cn=schema,cn=config" ldap_add: Constraint violation (19) additional info: structuralObjectClass: no user modification allowed I'm able to import other schemas in the same way, si I don't think that I hold the tool in the wrong way. Any pointers for me? Best regards Ulf

2 2

log analysis tools
by Paul B. Henson 07 Feb '22

07 Feb '22

Does anybody know of any good tools that can rip through an openldap log file and analyze it, creating a report of what queries are being made and how long they are taking to process? All of the information I'm interested in is included in the log: Feb 4 18:23:54 ldap-01 slapd[1207]: conn=46272 fd=84 ACCEPT from IP=134.71.247.28:46592 (IP=0.0.0.0:636) Feb 4 18:23:54 ldap-01 slapd[1207]: conn=46272 fd=84 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.2 tls_cipher=ECDHE-RSA-AES256-GCM-SHA384 Feb 4 18:23:54 ldap-01 slapd[1207]: conn=46272 op=0 BIND dn="cn=it_boomi,ou=user,ou=service,dc=cpp,dc=edu" method=128 Feb 4 18:23:54 ldap-01 slapd[1207]: conn=46272 op=0 BIND dn="cn=it_boomi,ou=user,ou=service,dc=cpp,dc=edu" mech=SIMPLE bind_ssf=0 ssf=256 Feb 4 18:23:54 ldap-01 slapd[1207]: conn=46272 op=0 RESULT tag=97 err=0 qtime=0.000031 etime=0.000189 text= Feb 4 18:23:54 ldap-01 slapd[1207]: conn=46272 op=1 SRCH base="ou=user,dc=cpp,dc=edu" scope=2 deref=3 filter="(&(objectClass=person)(calstateEduPersonEmplID=014532336))" Feb 4 18:23:54 ldap-01 slapd[1207]: conn=46272 op=1 SRCH attr=memberOf Feb 4 18:23:54 ldap-01 slapd[1207]: conn=46272 op=2 UNBIND Feb 4 18:23:54 ldap-01 slapd[1207]: conn=46272 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.192994 nentries=1 text= Feb 4 18:23:54 ldap-01 slapd[1207]: conn=46272 fd=84 closed but split up into a number of different lines which need to be correlated to summarize it. Before I try it myself I was hoping somebody else had already scratched that itch :). The only things I can find searching are either really old or commercial products. Thanks much…

8 14

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2022