openldap-technical March 2022

openldap-technical@openldap.org

35 participants
38 discussions

olclimit dn.base <> group/groupOfNames/member
by bourguijl＠gmail.com 29 Mar '22

29 Mar '22

Dears, Openldap version : 2.5.7 env 2 MMR 2 Replicas (test env) I've set and olclimit for one user (dn.base) on my DB and it works fine but in order to move it on my production env, I decided to modify my olclimit by using (group/groupOfNames/member) and place this user as member of the group. This is also works fine on my test env. I did the same config on my production env which is 4 MMR 4 Replicas and it didn't work :-( I did a lot of checks to see if there was any difference but it was exactly the same configuration. I did some other test on replicas first by adding a new olclimit for the concerned user ( dn.base) which solved the issue. I decided to remove this newly user olclimit, the olclimit (group/groupOfNames/member) was still there, and was not my surprise, the limitation for my user was still set to unlimited as expected. I did the same on all replicas, adding concerned user, remove it and limits were OK .... very strange. As it was working on replicas, I did try the same on master but no luck, my user stay still limited to 500 entries. Questions : Is there an order to respect in olclimit type ? why the config is working on test env and not on production one ? Thx to advice, Jean-Luc

3 6

slapo-translucent overlay crashes during wildcard search with subordinate
by jeremy.diaz＠rexconsulting.net 29 Mar '22

29 Mar '22

Hello openldap-technical, I found that slapd 2.5.11 w/slapo-translucent will crash when queried with a wildcard search. It looks like any wildcard search on any attribute specified in "translucent_local" will cause the SIGSEGV on the latest version of Symas OpenLDAP slapd, 2.5.11, MDB databases, running on CentOS7. It seems that the SIGSEGV problem does not occur w the 2.4.44 from the RHEL7 distribution, and so the problem may have be a regression. I have not tested any other versions but have verified that, with the exact same config, the problem does not happen on the RHEL7 2.4.44 version, but does happen w/Symas OpenLDAP 2.5.11. It's an interesting config here. There are two database+suffixes defined in the instance. The first one is subordinate (ou=someorg,dc=corp,dc=com) to the second one (dc=corp,dc=com). The "subordinate" option is set to "True". The second database section loads the translucent overlay which is pointed to the upstream Active Directory instance and has the same suffix of AD. The problem is administrative. The group want their admins who manage LDAP data to be able to search using wildcard "cn=xyx*" filters. Besides crashing, we have noticed that these work, but only when setting the basedn of the subordinate database. I tried a few things in a test lab and was able to reproduce the issue. with "cn" in "translucent_local" and sublevel search of translucent superior basedn dc=corp,dc=com "(cn=jed)" filter returns subordinate database entry "(cn=je*)" filter crashes slapd with "cn" not in "translucent_local" and sublevel search of translucent superior basedn dc=corp,dc=com "(cn=jed)" filter return referrals from upstream Active Directory "(cn=je*)" filter return referrals from upstream Active Directory with "cn" in "translucent_local" and sublevel search of subordinate basedn ou=someorg,dc=corp,dc=com "(cn=jed)" filter returns subordinate database entry from ou=someorg "(cn=je*)" filter returns subordinate database entry(ies) from ou=someorg with "cn" not in "translucent_local" and sublevel search of subordinate dbasedn ou=someorg,dc=corp,dc=com "(cn=jed)" filter returns subordinate database entry from ou=someorg "(cn=je*)" filter returns subordinate database entry(ies) from ou=someorg Here's what the crash looks like: 622eb2f7.0393c4d6 0x7fcf15e89880 slapd starting 622eb2fd.32371976 0x7fce8d9f3700 slap_listener_activate(8): 622eb2fd.323bb364 0x7fce8d1f2700 >>> slap_listener(ldap:///) 622eb2fd.3247761c 0x7fce8d1f2700 connection_get(15): got connid=1000 622eb2fd.3247962c 0x7fce8d1f2700 connection_read(15): checking for input on id=1000 622eb2fd.3247b177 0x7fce8d1f2700 ber_get_next 622eb2fd.3247e0b8 0x7fce8d1f2700 ber_get_next: tag 0x30 len 12 contents: 622eb2fd.3247f6f1 0x7fce8d1f2700 op tag 0x60, time 1647227645 622eb2fd.32480615 0x7fce8d1f2700 ber_get_next 622eb2fd.32484eca 0x7fce8d1f2700 conn=1000 op=0 do_bind 622eb2fd.324861e8 0x7fce8d1f2700 ber_scanf fmt ({imt) ber: 622eb2fd.324871c1 0x7fce8d1f2700 ber_scanf fmt (m}) ber: 622eb2fd.32488890 0x7fce8d1f2700 >>> dnPrettyNormal: <> 622eb2fd.32489324 0x7fce8d1f2700 <<< dnPrettyNormal: <>, <> 622eb2fd.3248ce51 0x7fce8d1f2700 do_bind: version=3 dn="" method=128 622eb2fd.3248efc7 0x7fce8d1f2700 send_ldap_result: conn=1000 op=0 p=3 622eb2fd.324906be 0x7fce8d1f2700 send_ldap_response: msgid=1 tag=97 err=0 622eb2fd.32492605 0x7fce8d1f2700 ber_flush2: 14 bytes to sd 15 622eb2fd.324ab763 0x7fce8d1f2700 do_bind: v3 anonymous bind 622eb2fd.325dc3b4 0x7fce8d1f2700 connection_get(15): got connid=1000 622eb2fd.325de12a 0x7fce8d1f2700 connection_read(15): checking for input on id=1000 622eb2fd.325dec44 0x7fce8d1f2700 ber_get_next 622eb2fd.325e0856 0x7fce8d1f2700 ber_get_next: tag 0x30 len 63 contents: 622eb2fd.325e1663 0x7fce8d1f2700 op tag 0x63, time 1647227645 622eb2fd.325e22e8 0x7fce8d1f2700 ber_get_next 622eb2fd.325e500c 0x7fce8d1f2700 conn=1000 op=1 do_search 622eb2fd.325e5ae0 0x7fce8d1f2700 ber_scanf fmt ({miiiib) ber: 622eb2fd.325e69ea 0x7fce8d1f2700 >>> dnPrettyNormal: <dc=corp,dc=com> 622eb2fd.325e98bd 0x7fce8d1f2700 <<< dnPrettyNormal: <dc=corp,dc=com>, <dc=corp,dc=com> 622eb2fd.325eaad7 0x7fce8d1f2700 ber_scanf fmt ({m) ber: 622eb2fd.325ebce5 0x7fce8d1f2700 ber_scanf fmt (m) ber: 622eb2fd.325eddcb 0x7fce8d1f2700 ber_scanf fmt ({M}}) ber: 622eb2fd.325f334c 0x7fce8d1f2700 ==> limits_get: conn=1000 op=1 self="[anonymous]" this="dc=corp,dc=com" 622eb2fd.325f4dcc 0x7fce8d1f2700 ==> translucent_search: <dc=corp,dc=com> (cn=jed*) Segmentation fault Thanks! Jeremy Diaz | Rex Consulting | https://www.rexconsulting.net

2 1

Official symas docker image? Or what others do?
by Dave Macias 29 Mar '22

29 Mar '22

Hello, Wondering if there is a plan to do an official image. Also what others in the community doing? Finally, there is this project that seems to be updated/supported but obviously not official https://github.com/bitnami/bitnami-docker-openldap anyone here used/seen this? Why am i asking? We simply looking to dockerize our infra and want to see what people here have experienced. Our ldap env: 3-way MMR (syncrepl) on v2.6.1 Thank you, Dave

6 9

openldap-ltb segmentation fault
by Aaron Bennett 29 Mar '22

29 Mar '22

Hi, I've got a new openldlap-ltb 2.5 system (running on rocky 8), and when I try to start it with "slapt-cli start", it dumps core: [root@kt-ldap-01 slapd.d]$ journalctl -xe Mar 28 16:13:06 kt-ldap-01 systemd-coredump[54716]: Resource limits disable core dumping for process 54714 (slapd). Mar 28 16:13:06 kt-ldap-01 systemd-coredump[54716]: Process 54714 (slapd) of user 0 dumped core. -- Subject: Process 54714 (slapd) dumped core -- Defined-By: systemd -- Support: https://access.redhat.com/support -- Documentation: man:core(5) -- -- Process 54714 (slapd) crashed and dumped core. -- -- This usually indicates a programming error in the crashing program and -- should be reported to its vendor as a bug. Mar 28 16:13:06 kt-ldap-01 slapd-cli[54688]: /usr/local/openldap/sbin/slapd-cli: line 350: 54714 Segmentation fault (core dumped) $SLA> Mar 28 16:13:06 kt-ldap-01 systemd[1]: systemd-coredump(a)13-54715-0.service: Succeeded. -- Subject: Unit succeeded -- Defined-By: systemd -- Support: https://access.redhat.com/support From debugging the shell script it looks like it's running slapd with these arguments: SLAPD_PARAMS='-h ldaps://kt-ldap-01-665.test.clarku.edu -F /usr/local/openldap/etc/openldap/slapd.d -u ldap -g ldap -l local4' So if I run: /usr/local/openldap/libexec/slapd -h ldaps://kt-ldap-01-665.test.clarku.edu -F /usr/local/openldap/etc/openldap/slapd.d -u ldap -g ldap -l local4 It works -- no segfault, no nothing. I can pretty easily write a systemd script that runs that command instead of wasting time with the slapd-cli stuff if that's a better approach. -Aaron --- Aaron Bennett Manager of Systems Administration Clark University ITS

3 4

Re: OpenLDAP and Oracle backend
by Julián Sosa 28 Mar '22

28 Mar '22

** I wrote erroneously about working versions. Up to OpenLDAP 2.4.23 it works great with Oracle DB as backend. From version 2.4.25 onwards integration does not work. El lun, 28 mar 2022 a las 15:33, Julián Sosa (<docldap(a)gmail.com>) escribió: > Hi all. As a demand from some client, we have to implement the Oracle > backend, with idea of using an existing schema for authenticating users > using some mfa tool that only supports ldap. > > I began for last version at this date (2.6.1), but have this error: > > 6241cb6b backsql_oc_get_attr_mapping(): error executing at_query > "SELECT > name,sel_expr,from_tbls,join_where,add_proc,delete_proc,param_order,expect_return,sel_expr_u > FROM ldap_attr_mappings WHERE oc_map_id=?" > for objectClass "organization" > with param oc_id=3 > 6241cb6b Return code: -1 > 6241cb6b <==backsql_load_schema_map() > > In order for doing some debugging, I changed slapd and unixodbc to point > to an mysql, and works fine. So I found some entry on internet from a > person who had it working on some version, but when changing it does not > work. Also, I monitored with sys user last queries on v$sql. and last query > that reached DB was , so it appears that error occurs at preparing the > attribute mapping query, and code breaks before sending the query. > > I found another entry about this, where someone told that he have it > working on version 2.3.24 and he could not make it work on other version. > So I begin installing several OpenLDAP versions since mentioned one, and > from there to version 2.3.24 I found that Oracle backend is working fine. > Beginning 2.4.24, and onwards versions, it starts to show mentioned error. > I tried both on my Mint 20.3 personal machine, and with client's server > which is a CentOS 7.8. > > For tests, I used same Oracle DB instance. Only copy the slapd.conf from > working OpenLDAP/Oracle to the version I tested. > >

1 0

Response Ordering
by thomaswilliampritchard＠gmail.com 28 Mar '22

28 Mar '22

I'm looking to better understand the relationship in packet ordering when it comes to bind requests. As far as I've learned so far I can send a few ldap requests and potentially get responses in an order that doesn't match what i've sent. When it comes to, for example, sending a bind, a search, a bind (different user), and a search, when I send those serially without waiting for a response, are there any guarantees around getting successful bind responses before search results? Is it guaranteed that I would get a bind result from the second bind before search results from the second search? Is it guaranteed the second bind result would come after the end of the first search results, or might I receive the second bind result before the end of the first set of search results (or even in the middle of the second set of search results)? Then when it comes to server side processing, is it guaranteed that the first search is executed with the authorization of the first bind, and second search executed with the authorization of the second bind? Or is there a way the second search is processed before the second bind? How does openldap manage changing authorization in the middle of an executing search? If the first search is in flight and the second bind request comes in, does the first search continue to execute and finish with the authorization of the first bind? Are you aware of clients or tools that leverage that multi request (without waiting for a response) capacity of ldap? In what types of applications might a client send many requests without waiting for any responses? Thanks for the consideration Tom

4 4

ACL deny list anonymous
by beren beren 25 Mar '22

25 Mar '22

Hi, Sorry for the trivial question. How can I prevent a user who has not authenticated from viewing ? That is, the query ldapsearch -x -H ldap://infra-ldap.wildberries.ru -b "dc=test,dc=com" shows everything.

2 1

ldap bind response
by Gustavo Rios 23 Mar '22

23 Mar '22

Hi folks ? I am writing an ldap library for accessing openldap server. I have written a function that implements an ldap bind request and decode the openldap response. The program output is given below. sioux@etosha:~/msc/it/cnf/ldap/programs/ldp$ ./ldp 127.0.0.1.389 30 c 2 1 3 61 7 a 1 0 4 0 4 0 Tag: 48, Length: 12 Left: 12 bytes ================================ Tag: 2, Length: 1 Left: 10 bytes Value: 3 ================================ Tag: 97, Length: 7 Left: 7 bytes My question is: how to "read" de last seven bytes ? I have read the ldap rfc but it is still confusing. May you help me ? Thanks a lot! -- The lion and the tiger may be more powerful, but the wolves do not perform in the circus

1 0

slapi plug-in does not work after update of OpenLDAP from 2.4 to 2.6.1
by Matthias Apitz 22 Mar '22

22 Mar '22

Hello, We're running since ages with an OpenLDAP server 2.4 a plugin which publishes changes (add, modify, delete) in LDAP to an Identity Management Server (IDM). The plugin is written in C and configured in slpad.conf as a shared lib: plugin postoperation /opt/openldap-2.6.1/lib64/idm.so idm_init "IDM Plugin" 10.23.33.52 3001 The function idm_init() registers static C functions the supposed way: int idm_init(Slapi_PBlock * pb) { int rc = LDAP_SUCCESS; log("idm-plugin:","now in idm_init()\n"); // first call, create new list and register the functions ... rc |= slapi_pblock_set( /* Plug-in API version */ pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_CURRENT_VERSION); rc |= slapi_pblock_set( /* Plug-in description */ pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &desc); rc |= slapi_pblock_set( /* Modify function */ pb, SLAPI_PLUGIN_POST_MODIFY_FN, (void *) modify_user); ... // read arguments and add list entry rc |= read_arguments(pb); log("idm-plugin", "idm_init() return rc:%d\n", rc); return rc; } The function for modify_user() will later publish the change via network and without going into the details the start of the function looks like this: static int modify_user(Slapi_PBlock * pb) { Slapi_Entry *entry; log("idm-plugin:", "now in modify_user\n"); if (slapi_pblock_get(pb, SLAPI_SEARCH_TARGET, &entry) != LDAP_SUCCESS) { log("IDM-Connector Plugin", "entry modified, but couldn't get entry"); return -1; } ... The problem is, that after an update in LDAP this function is not called. The log shows only the attach and initialisation of the plugin but no further actions: 03/16/22 10:52:26 idm-plugin:: now in idm_init() 03/16/22 10:52:26 IDM-Connector Plugin: idm_init: Initializing plugin 03/16/22 10:52:26 idm-plugin:: now in read_arguments() 03/16/22 10:52:26 IDM Plugin: added idm connector: ip=10.23.33.52, port=3001 03/16/22 10:52:26 idm-plugin: idm_init() returns rc:0 03/16/22 10:52:26 plugin_pblock_new: Registered plugin OCLC-IDM-Connector-Notifier 1.0 [OCLC.org] (Notify the OCLC IDM-Connector of changes) As I said, with OpenLDAP 2.4 this works fine. It does not work anymore with 2.6.1. Is there some change in the slapi interface of which we are not aware off? What could be done as debugging/logging to nail this down? Thanks in advance and Regards matthias -- Matthias Apitz, ✉ guru(a)unixarea.de, http://www.unixarea.de/ +49-176-38902045 Public GnuPG key: http://www.unixarea.de/key.pub

5 5

Re: RE26 testing call #1 (OpenLDAP 2.6.2)
by Nick Folino 22 Mar '22

22 Mar '22

Looking good on Fedora 35 On Tue, Mar 22, 2022 at 1:21 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > This is the first testing call for OpenLDAP 2.6.2. Depending on the > results, this may be the only testing call. > > Generally, get the code for RE26: > > < > https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6/o… > > > > Extract, configure, and build. > > Execute the test suite (via make test) after it is built. Optionally, cd > tests && make its to run through the regression suite. > > Thanks! > > OpenLDAP 2.6.2 Engineering > Added libldap support for OpenSSL 3.0 (ITS#9436) > Added slapd support for OpenSSL 3.0 (ITS#9436) > Fixed ldapdelete to prune LDAP subentries (ITS#9737) > Fixed libldap to drop connection when non-LDAP data is received > (ITS#9803) > Fixed libldap to allow newlines at end of included file (ITS#9811) > Fixed slapd slaptest conversion of olcLastBind (ITS#9808) > Fixed slapd to correctly init global_host earlier (ITS#9787) > Fixed slapd bconfig locking for cn=config replication (ITS#9584) > Fixed slapd usage of thread local counters (ITS#9789) > Fixed slapd to clear runqueue task correctly (ITS#9785) > Fixed slapd syncrepl handling of new sessions (ITS#9584) > Fixed slapd to clear connections on bind (ITS#9799) > Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801) > Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802) > Fixed slapd-ldap memory leak in keepalive setting (ITS#9802) > Fixed slapd-meta SEGV on config rewrite (ITS#9802) > Fixed slapd-meta ordering on config rewrite (ITS#9802) > Fixed slapd-meta memory leak in keepalive setting (ITS#9802) > Fixed slapd-monitor SEGV on shutdown (ITS#9809) > Added slapo-autoca support for OpenSSL 3.0 (ITS#9436) > Added slapo-otp support for OpenSSL 3.0 (ITS#9436) > Fixed slapo-pcache SEGV on shutdown (ITS#9809) > Fixed slapo-ppolicy operation handling to be consistent (ITS#9794) > Build Enviornment > Add ability to override default compile time paths (ITS#9675) > Fix compiliation with certain versions of gcc (ITS#9790) > Fix compilation with openssl exclusions (ITS#9791) > Fix warnings from make jobserver (ITS#9788) > Documentation > admin26 Document new lloadd features (ITS#9780) > Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit > documentation (ITS#9804) > Fixed slapd-sock(5) to clarify "sockresps result" behavior > (ITS#8255) > > > > Regards, > Quanah >

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2022