openldap-technical June 2022

openldap-technical@openldap.org

34 participants
29 discussions

olcTLSProtocolMin not taking effect
by juan＠quantifind.com 06 Jun '22

06 Jun '22

Hi all - As part of routine security remediation my company asked me to remove the support for older TLS versions from my LDAP server. To this effect I restarted the service after running the following: sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -a -f olcTLSProtocolMin.ldif Here is the content of olcTLSProtocolMin.ldif dn: cn=config changetype: modify add: olcTLSProtocolMin olcTLSProtocolMin: 3.3 When I look at the /etc/ldap/slapd.d/cn=config.ldif file I can see the olcTLSProtocolMin: 3.3 entry. however, when I scan the LDAP server using Nessus, the scanner reports older versions of TLS still available. Also if I scan the supported TLS version using nmap it also reports TLS1.0-TLS1.2 If it helps here is the cn=config.ldif file is here dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: stats sync olcPidFile: /var/run/slapd/slapd.pid olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem olcTLSCertificateFile: /etc/ssl/certs/my_cert.pem olcTLSCertificateKeyFile: /etc/ssl/private/my_slapd_key.pem olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: SomeUUID creatorsName: cn=config createTimestamp: 20160311213839Z olcTLSProtocolMin: 3.3 entryCSN: 20220601202658.429433Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber Any help will be greatly appreciated. JRosario

2 4

Re: Antw: [EXT] Re: slow memberOf queries in 2.5 with dynlist overlay
by Paul B. Henson 03 Jun '22

03 Jun '22

On 5/30/2022 11:53 PM, Ulrich Windl wrote: > I wonder: Would forcing a core dump help in that situation, or would a > gprof-compile be helpful? Unfortunately I can't reproduce it; it just happens randomly on my production boxes, less frequently since I increased the amount of memory on them. I'm not sure I could run a debug or profiling build in production for an extended amount of time waiting for it to happen. And with my luck it would be a heisenbug anyway 8-/. > Maybe one could track down the page fault to some code (function) using tools > from the valgrind family (Cachegrind, callgrind, etc.) > http://www.valgrind.org/docs/manual/manual-core-adv.html#manual-core-adv.va…

1 0

OpenLDAP 2.6.2 on RHEL8: add password policy
by Real Villafan, Elizabeth (US 392K) 01 Jun '22

01 Jun '22

Hello, I'm upgrading from openldap 2.4 running on RHEL7 up to 2.6.2 and RHEL8 on new hardware, apparently the way to configure password policy now is by configuring the slapd.conf file rather than loading the ppolicy schema. How do I modify that file properly? I read https://www.openldap.org/doc/admin26/overlays.html#Password%20Policies on section 12.10.2. Password Policy Configuration, what does it mean to "Instantiate the module in the database"? do you have a sample slapd.conf file I can refer to? Thank you, Liz

2 3

2.5 LTS release with OpenSSL 3.0
by barry.greenberg＠oracle.com 01 Jun '22

01 Jun '22

Is there any information about the release of OpenLDAP 2.5.x that includes support for OpenSSL 3.0? I see that it's now supported in 2.6.2 but we'd prefer to stay on the 2.5 branch for the foreseeable future. Thanks.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2022