Can a Bind result in a Referral?
by Mike Stevens
Good day.
I’m an LDAP novice and am attempting to modify an LDAP client to
accommodate an LDAP server environment that makes use of referrals.
I have installed openLDAP 2.4.44 on 2 RHEL 7.9 servers.
The initial entries in the tree on serverA contains :
# xxx.com
dn: dc=xxx,dc=com
description: xxx.com
dc: xxx
o: xxx.com
objectClass: top
objectClass: dcObject
objectClass: organization
# Users, xxx.com
dn: ou=Users,dc=xxx,dc=com
ou: Users
description: xxx Users
objectClass: organizationalUnit
# search reference
ref: ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com??sub
# mike, Users, xxx.com
dn: uid=mike,ou=Users,dc=xxx,dc=com
cn: mike
ou: Users
uid: mike
givenName: Mike
mail: mike(a)uk.xxx.com
objectClass: Person
objectClass: organizationalPerson
objectClass: inetOrgPerson
I believe the "ref" entry is known as a subordinate referral;
it was created by populating the tree from an LDIF file that contained the
following:
dn: dc=uk,dc=xxx,dc=com
objectClass: referral
objectClass: extensibleObject
dc: uk
ref: ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com
The intent is to redirect any requests received by serverA that refer to
the subtree uk.xxx.com to serverB.
The tree on serverB contains:
# xxx.com
dn: dc=xxx,dc=com
description: xxx.com
dc: xxx
o: xxx.com
objectClass: top
objectClass: dcObject
objectClass: organization
# uk.xxx.com
dn: dc=uk,dc=xxx,dc=com
dc: uk
o: uk.xxx.com
description: xxx Users in the UK
objectClass: dcObject
objectClass: organization
# mike, uk.xxx.com
dn: uid=mike,dc=uk,dc=xxx,dc=com
cn: mike
uid: mike
givenName: Mike
mail: mike(a)uk.xxx.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
Now, if I perform a search on serverA specifying a base of uk.xxx.com, I
get an RC=10 Referral result as expected:
[root@serverA ~]# ldapsearch -x '(uid=mike)' -b dc=uk,dc=xxx,dc=com -LL
version: 1
Referral (10)
Matched DN: dc=uk,dc=xxx,dc=com
Referral: ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com??sub
... and I can chase that referral using the -C option to retrieve the entry
from serverB:
[root@Mike21 ~]# ldapsearch -x '(uid=mike)' -b dc=uk,dc=ibm,dc=com -LL -C
version: 1
dn: uid=mike,dc=uk,dc=xxx,dc=com
cn: mike
uid: mike
givenName: Mike
mail: mike(a)uk.xxx.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
But, if I attempt a bind to serverA using the user that exists in serverB,
I get an authentication failure:
[root@serverA ~]# ldapsearch -x -b 'dc=uk,dc=xxx,dc=com' -D uid=mike,dc=uk,dc=xxx,dc=com -w passw0rD
ldap_bind: Invalid credentials (49)
Now, I realise that the failure would be expected as the bind DN doesn't
exist at serverA.
But I read that every request apart from unbind and abandon can result in a
referral.
So why doesn't the bind follow the "ref" to serverB?
Is that possible and have I not configured my server correctly?
Ultimately, what I'd like to do in my client is something like:
ld_user = ldap_init( "ldap://serverA:389/dc=uk,dc=xxx,dc=com" , 0 );
... followed by :
err = ldap_simple_bind_s( ld_user, "uid=mike,dc=uk,dc=xxx,dc=com", password );
... and have LDAP authenticate the given user against serverB based on the
referral in serverA.
Is this sort of set up possible?
Many thanks for your advice,
Mike
1 month, 2 weeks
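A client that chases a referral on a bind hands the user's password to whichever host the `ref` URL names, so the referral should be parsed and checked before any rebind. The following is an added example, not code from the post or from OpenLDAP: it parses the RFC 4516 URL syntax used by the post's `ref` attribute (`SAMPLE_REF` is that value) and applies a constructed trust policy (`bind_referral_allowed`, `normalize_dn` and the `trusted_hosts` set are this example's own names).

```python
# Parse an LDAP referral URL (RFC 4516) and decide whether a client may chase
# it with a bind.  Added example, not code from the post; the trusted-host set
# passed in by the caller is constructed for illustration.
from dataclasses import dataclass, field
from typing import FrozenSet, List
from urllib.parse import unquote, urlsplit

# The "ref" value from the post's subordinate referral entry.
SAMPLE_REF = "ldap://serverB.xxx.com:389/dc=uk,dc=xxx,dc=com??sub"

@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    dn: str
    attrs: List[str] = field(default_factory=list)
    scope: str = "base"

def parse_ldap_url(url: str) -> LdapUrl:
    """Split scheme://host:port/dn?attrs?scope (filter/extensions ignored)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    # urlsplit ends the path at the first '?'; the remaining RFC 4516 fields
    # sit in .query, separated by literal '?' characters.
    fields = (parts.query.split("?") if parts.query else []) + [""] * 2
    attrs, scope = fields[:2]
    if scope not in ("", "base", "one", "sub"):
        raise ValueError(f"bad scope: {scope!r}")
    return LdapUrl(scheme=parts.scheme, host=(parts.hostname or "").lower(),
                   port=parts.port or (636 if parts.scheme == "ldaps" else 389),
                   dn=unquote(parts.path.lstrip("/")),
                   attrs=[a for a in attrs.split(",") if a],
                   scope=scope or "base")

def normalize_dn(dn: str) -> str:
    """Lower-case and trim around RDN separators; enough for a suffix test,
    not a full RFC 4514 normalization."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def bind_referral_allowed(ref: LdapUrl, expected_suffix: str,
                          trusted_hosts: FrozenSet[str], require_tls: bool = True) -> bool:
    """Follow a bind referral only to a trusted host, for the naming context
    we were referred to, and (by default) only over ldaps://."""
    if require_tls and ref.scheme != "ldaps":
        return False
    return (ref.host in trusted_hosts
            and normalize_dn(ref.dn).endswith(normalize_dn(expected_suffix)))
```

With the default `require_tls=True` the post's plain `ldap://` referral is refused even for a trusted host, because a simple bind chased to it would send the password in cleartext.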
issues with kqueue on OpenBSD
by Stuart Henderson
I'm working on updating the OpenBSD port of OpenLDAP to 2.6.2 (it's
currently stuck at 2.4.59).
In 2.5 kqueue support was added to slapd for BSDs, but it's not working
correctly on OpenBSD. If slapd runs as a daemon, errors like these are
seen:
slap_client_connect: URI=ldaps://XXX Warning, ldap_start_tls failed (1)
mdb_opinfo_get: err Invalid argument(22)
However if slapd is run in the foreground with -d, things are ok.
They are also OK if kqueue is disabled (by neutering the autoconf check),
so this isn't blocking me from updating the port, but I thought I'd write up what
I have in case someone has any ideas what might be up or anything they'd
like me to try and report back on.
Here are some log excerpts:
17:23:44.692: slapd starting
17:23:44.692: daemon: added 3r listener=0x0
17:23:44.692: daemon: added 6r listener=0x100263797200
17:23:44.692: daemon: added 7r listener=0x100263785400
17:23:44.692: daemon: kqueue: listen=6 active_threads=0 tvp=zero
17:23:44.692: daemon: kqueue: listen=7 active_threads=0 tvp=zero
17:23:44.692: daemon: activity on 1 descriptor
17:23:44.692: daemon: activity on:
17:23:44.692:
17:23:44.692: daemon: kqueue: listen=6 active_threads=0 tvp=zero
17:23:44.692: daemon: kqueue: listen=7 active_threads=0 tvp=zero
17:23:44.692: >>> dnNormalize: <cn=Consumer 101>
17:23:44.692: <<< dnNormalize: <cn=consumer 101>
17:23:44.692: =>do_syncrepl rid=101
17:23:44.763: slap_client_connect: URI=ldaps://XXXXXXXXXXXXXXX Warning, ldap_start_tls failed (1)
17:23:44.781: => mdb_entry_get: ndn: "dc=XXXXXXX,dc=XXX"
17:23:44.782: => mdb_entry_get: oc: "(null)", at: "contextCSN"
17:23:44.782: mdb_opinfo_get: err Invalid argument(22)
17:23:44.782: =>do_syncrep2 rid=101
17:23:44.782: daemon: added 9r listener=0x0
17:23:44.783: daemon: activity on 1 descriptor
17:23:44.783: daemon: activity on:
17:23:44.783:
17:23:44.783: daemon: kqueue: listen=6 active_threads=0 tvp=NULL
17:23:44.783: daemon: kqueue: listen=7 active_threads=0 tvp=NULL
17:23:44.800: daemon: activity on 1 descriptor
17:23:44.800: daemon: activity on:
17:23:44.800: 9r
17:23:44.800:
17:23:44.800: daemon: read active on 9
17:23:44.800: daemon: kqueue: listen=6 active_threads=0 tvp=NULL
17:23:44.800: daemon: kqueue: listen=7 active_threads=0 tvp=NULL
17:23:44.800: connection_get(9)
17:23:44.800: connection_get(9): got connid=0
17:23:44.801: =>do_syncrepl rid=101
17:23:44.801: =>do_syncrep2 rid=101
Not sure if it's any help but looking at kdump(1) output after a run
under ktrace(1) I didn't spot the immediate problem resulting in
"ldap_start_tls failed (1)" however the "mdb_opinfo_get: err Invalid
argument(22)" occurs after attempting to call fcntl with F_SETLK on the
fd 5 which is the kqueue fd:
65304 slapd RET write 97/0x61
65304 slapd CALL poll(0x89d39cb9004,1,INFTIM)
65304 slapd STRU struct kevent [2] { ident=9, filter=EVFILT_READ, flags=0x1005<EV_ADD|EV_ENABLE>, fflags=0<>, data=0, udata=0x231a1bea } { ident=9, filter=EVFILT_EXCEPT, flags=0x1005<EV_ADD|EV_ENABLE>, fflags=0x4<>, data=0, udata=0x231a1bea }
65304 slapd STRU struct kevent { ident=9, filter=EVFILT_READ, flags=0x1005<EV_ADD|EV_ENABLE>, fflags=0<>, data=36, udata=0x231a1bea }
65304 slapd STRU struct pollfd { fd=9, events=0x3<POLLIN|POLLPRI>, revents=0x1<POLLIN> }
65304 slapd RET poll 1
65304 slapd CALL read(9,0x89ccfb103e0,0x5)
65304 slapd GIO fd 9 read 5 bytes
"\^W\^C\^C\0\^_"
65304 slapd RET read 5
65304 slapd CALL read(9,0x89ccfb349c5,0x1f)
65304 slapd GIO fd 9 read 31 bytes
"\M^W\M-r\M-f\M^C\M-2\M^V\M-E\^O\M-hdgq\M-"\M-o\M-&\M^[*\M-9\M^E\M-Sd\M^A2\M-QE\M-cb
|\M^VI"
65304 slapd RET read 31/0x1f
65304 slapd CALL mmap(0,0x2000,0x3<PROT_READ|PROT_WRITE>,0x1002<MAP_PRIVATE|MAP_ANON>,-1,0)
65304 slapd RET mmap 9468564512768/0x89c926ca000
65304 slapd CALL fcntl(5,F_SETLK,0x8ef465d0)
65304 slapd RET fcntl -1 errno 22 Invalid argument
65304 slapd CALL getpid()
65304 slapd RET getpid 65304/0xff18
65304 slapd CALL sendsyslog(0x89c8ef44040,59,0<>)
65304 slapd GIO fd -1 wrote 59 bytes
"<167>slapd[65304]: mdb_opinfo_get: err Invalid argument(22)"
Any suggestions would be welcome.
Thanks!
1 month, 2 weeks
set LDAPI_SOCK
by Michael Ströder
Hi!
I'm trying to get rid of this old patch by Ralf Haferkamp:
https://build.opensuse.org/package/view_file/network:ldap/openldap2/0003-...
Background: Today Linux distros prefer that you place temporary run-time
files in a directory like
/run/<service-name>
with appropriate ownership and permissions. Also, systemd can create
a temporary run-time directory on the fly and remove it after the service
has stopped.
But if I e.g. use
configure --runstatedir=/run/slapd
the default pathname of the LDAPI socket is
/run/slapd/run/ldapi
Any way to set LDAPI_SOCK directly during build?
Ciao, Michael.
1 month, 2 weeks
(Updated) License issue about sleepycat license.
by s1k2c3@naver.com
[박주현 / Ju Hyun Park] 2022-05-13 18:27
I am sorry, I have changed my question as below...
I just wonder about a license issue regarding the Sleepycat license.
In the Sleepycat License:
"Redistributions in any form must be accompanied by information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software."
I do not understand "any accompanying software that uses the DB software".
When commercial SW uses OpenLDAP and OpenLDAP uses BDB, must the commercial SW be disclosed?
What are the user's obligations? I want to know exactly about the Sleepycat License.
This SW does not link with OpenLDAP directly..
For example, SW that uses GPL-licensed software does not need to disclose the source code of the SW, because it executes in a separate process.
How about OpenLDAP? When SW connects to OpenLDAP from a separate process, must the source code of the SW be disclosed?
Please do not worry about the deprecated version..
I just want to know about the Sleepycat License..
Thank you.
1 month, 2 weeks
question on replica IDs
by A. Schulze
Hello,
I'm running a Cluster of 4 Servers of openldap-2.6.1
ServerID 1 ldaps://member1.example/
ServerID 2 ldaps://member2.example/
ServerID 3 ldaps://member3.example/
ServerID 4 ldaps://member4.example/
syncrepl
rid=1
provider=ldaps://member1.example/
syncrepl
rid=2
provider=ldaps://member2.example/
syncrepl
rid=3
provider=ldaps://member3.example/
syncrepl
rid=4
provider=ldaps://member4.example/
multiprovider on
Servers 1 and 2 have been offline for a week or so.
Now I would like to finally remove servers 1 and 2 to fall back to a cluster
of two members.
The new config will look like this:
ServerID 1 ldaps://member3.example/
ServerID 1 ldaps://member4.example/
syncrepl
rid=1
provider=ldaps://member3.example/
syncrepl
rid=2
provider=ldaps://member4.example/
multiprovider on
Is this change of ID numbers a potential source of trouble?
Andreas
1 month, 2 weeks
BDB and License
by s1k2c3@naver.com
Hi
I want to use OpenLDAP (GitHub - openldap/openldap: Mirror of OpenLDAP repository, The OpenLDAP Public License Version 2.8).
OpenLDAP uses Berkeley DB 5.3.21.
In addition, the OpenLDAP version is 2.4.49.
1. Berkeley DB (BDB) 5.3.21 is under the Sleepycat license, right?
2. When I use OpenLDAP, should I disclose the source code of commercial SW? Or can I use OpenLDAP without disclosing the source code of commercial SW?
3. When I do not link with OpenLDAP directly, but connect without linking to another open source component (via http, jmx etc.) which in turn connects to OpenLDAP, should I disclose the source code of commercial SW?
4. When I distribute commercial SW using OpenLDAP, should I use the Sleepycat license for Berkeley DB or should I purchase BDB?
Thank you.
1 month, 2 weeks
upgrade from Debian 2.4.x
by Udo Rader
Hi,
we've long been using OpenLDAP as a backbone for almost everything
(users, groups, DNS, DHCP, ...) and we've finally reached the point
where we want, or rather NEED, to migrate away from the vanilla Debian
packages.
This is mostly due to the fact that our sync-repl based replication
loses data every now and then, which is a real pain to detect and then
to fix.
So, as far as I understand, our best bet is to migrate to the latest
packages from Symas :)
However, I think I remember a discussion about the memberOf overlay
not working reliably with sync-repl even with the Symas packages. Is
this correct and if so, what would be the best way to have memberOf
functionality?
And, what would be the best way to upgrade? Are the Symas packages just
a drop-in replacement for the Debian packages, or is it better to start
from scratch and import the LDAP tree?
Thanks
Udo
--
Udo Rader, MBA, CTO
BestSolution.at EDV Systemhaus GmbH
Salurner Straße 15, A-6020 Innsbruck
http://www.bestsolution.at/
Reg. Nr. FN 222302s am Firmenbuchgericht Innsbruck
1 month, 3 weeks
LDAP Proxy
by guillaume.briere@bell.ca
Hello,
Sorry if it has already been asked in the past.
We have a use case and I'm having difficulty finding out whether OpenLDAP could be a good fit for us.
Let's say that we have 2 VLANs. LDAP and Active Directory are inside the first VLAN. The servers are inside the other VLAN.
We want to have an "LDAP proxy" server inside the server VLAN, where only this server could communicate with the LDAP and Active Directory servers.
This LDAP proxy server needs to listen on 3 ports (or could be 3 different instances), for example 636, 637 and 638:
If we hit port 636: the user's password needs to be validated against Active Directory and the user's group membership needs to be validated against the LDAP server.
If we hit port 637: the user's password and group membership need to be validated against LDAP.
If we hit port 638: the user's password and group membership need to be validated against Active Directory.
The LDAP server and ldap proxy would be openldap.
Thanks in advance
1 month, 3 weeks
Win32 file size
by Søren Holm
Hi
Mapsize on Windows apparently creates a database file of the exact size
of the mapsize. This is inconvenient.
But I can see that Howard has been nice and done the commit below back
in 2015; it is not in any tag, however.
What are your recommendations: is mdb.master safe for production?
commit fb5a768a77ca5330e15a3a34ceb694bc11cb216a
Author: Howard Chu <hyc(a)openldap.org>
Date: Mon Nov 30 18:46:19 2015 +0000
ITS#8324 incremental DB file growth for Windows
1 month, 3 weeks