openldap-technical August 2022

openldap-technical@openldap.org

21 participants
22 discussions

using memberof to authenticate Linux with PAM
by Alceu Rodrigues de Freitas Junior 22 Aug '22

22 Aug '22

Greetings, For a matter of studying OpenLDAP, I decided to create a CLI in Golang that is based on the migrationtools (https://gitlab.com/future-ad-laboratory/migrationtools), which is written in Bash and (very old) Perl code. All the Golang module is available here: https://github.com/glasswalk3r/aprendendo-openldap/tree/main/migration. After learning about the memberof overlay, I've being wondering if it is possible to use it to maintain the UNIX groups at /etc/group instead of just replicating the same information over an over. I've tried to find references in the documentation of using PAM and NSCD in the Linux clients for authenticating from a OpenLDAP server, but found nothing regarding those requirements, neither a detailed explanation (without resorting looking into the source code) of how those requests from a Linux client would be sent to OpenLDAP in order to check that. If any has any pointers on the subject, I would be glad to receive them. Thanks in advance, Alceu

3 7

Proxying an insecure LDAP and authenticate using another
by Kevin Olbrich 22 Aug '22

22 Aug '22

Hi! I have a case where I got access to a read-only LDAP that has no authentication (everything is public). It is located in a secure and trusted environment. Now I want to expose the directory to another network and like to add authentication but can not add it to the source (proprietary software). I need to proxy this server and authenticate the users using active directory. I know how to proxy AD including passthrough authentication but can I proxy another directory and authenticate using another? If yes, how? Thank you very much. Kind regards Kevin Olbrich

1 0

Re: Pass-through
by Stéphane Veyret 20 Aug '22

20 Aug '22

Could it be that the SASL global configuration (also given in first message) is wrong? I only set those 2 options: olcSaslHost: localhost olcSaslSecProps: none

2 4

Re: Error: Could not locate TLS/SSL package
by Jeffrey Walton 17 Aug '22

17 Aug '22

On Wed, Aug 17, 2022 at 12:16 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > --On Wednesday, August 17, 2022 2:11 PM +0530 Vijay Maidarkar > <vmaidarkar(a)gmail.com> wrote: > > Hi, please keep replies on the list. > > Find below answers. > > > > Where is it installed? > > $ which openssl > > > > /usr/local/bin/openssl > > > > $ ldd /usr/local/bin/openssl > > linux-vdso.so.1 => (0x00007fff931e6000) > > libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f7f7a570000) > > libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f7f7a087000) > > libdl.so.2 => /lib64/libdl.so.2 (0x00007f7f79e83000) > > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f7f79c67000) > > libc.so.6 => /lib64/libc.so.6 (0x00007f7f79899000) > > /lib64/ld-linux-x86-64.so.2 (0x00007f7f7a802000) > > > > How was it installed? > > I've downloaded the archive & done compilation from below cmds. > > > > $ ./config > > $ make > > $ make install There are other options you should be using for OpenSSL. At minimum, you probably want enable-ec_nistp_64_gcc_128 on x86_64. Also see https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_O… . > So, you built it yourself so there will be no development package. I'm not > sure why you built such an ancient version of OpenSSL (you listed OpenSSL > 1.1.1g when 1.1.1q is the most recent), since it's vulnerable to multiple > critical CVEs. > > I'd strongly advise using the packages from EPEL if you insist on staying > on CentOS7 (which is near end of life). > > If you are going to use your own OpenSSL build, I can't emphasize enough > the importance of using a current release. Since you're doing this in an > unpackaged way, maintenance is going to be a nightmare. > > Since you've built it yourself into its own location, you have to tell the > configure script where to find the development headers, like: > > CPPFLAGS="/usr/local/include" LDFLAGS="-L/usr/local/lib > -Wl,-rpath,/usr/local/lib" ./configure ... +1 for the RPATH. Linux (and other OSes) have a (mis)feature of building against one version of a library, and runtime linking against another version of the library. Be sure to specify the RPATH to avoid the bug. (If you want to see the effects of linking against the wrong library at runtime, see https://www.openwall.com/lists/oss-security/2020/07/20/1). Nowadays on Linux you should specify a RUNPATH, not a RPATH. The RUNPATH allows LD_LIBRARY overrides to search paths. It is recommended by the folks who write the runtime loaders. The options you need are: * -Wl,-rpath,<lib path> (enables RPATH) * -Wl,--enable-new-dtags (enables RUNPATH) Jeff

2 1

Re: Error: Could not locate TLS/SSL package
by Quanah Gibson-Mount 17 Aug '22

17 Aug '22

--On Wednesday, August 17, 2022 2:11 PM +0530 Vijay Maidarkar <vmaidarkar(a)gmail.com> wrote: > > > > > Hi Quanah, Hi, please keep replies on the list. > Find below answers. > > Where is it installed? > $ which openssl > > /usr/local/bin/openssl > > $ ldd /usr/local/bin/openssl > linux-vdso.so.1 => (0x00007fff931e6000) > libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f7f7a570000) > libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f7f7a087000) > libdl.so.2 => /lib64/libdl.so.2 (0x00007f7f79e83000) > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f7f79c67000) > libc.so.6 => /lib64/libc.so.6 (0x00007f7f79899000) > /lib64/ld-linux-x86-64.so.2 (0x00007f7f7a802000) > > How was it installed? > I've downloaded the archive & done compilation from below cmds. > > $ ./config > $ make > $ make install So, you built it yourself so there will be no development package. I'm not sure why you built such an ancient version of OpenSSL (you listed OpenSSL 1.1.1g when 1.1.1q is the most recent), since it's vulnerable to multiple critical CVEs. I'd strongly advise using the packages from EPEL if you insist on staying on CentOS7 (which is near end of life). If you are going to use your own OpenSSL build, I can't emphasize enough the importance of using a current release. Since you're doing this in an unpackaged way, maintenance is going to be a nightmare. Since you've built it yourself into its own location, you have to tell the configure script where to find the development headers, like: CPPFLAGS="/usr/local/include" LDFLAGS="-L/usr/local/lib -Wl,-rpath,/usr/local/lib" ./configure ... However, I would again strongly advise you not go the route of building the software yourself unless you're going to do it in a packaged way (I.e. make RPMs) so that you can upgrade whenever there's a new vulnerability. Even more, I'd strongly advise just using the pre-built packages provided by either Symas (Which offers current builds of both OpenLDAP 2.5 and OpenLDAP 2.6 + supporting libraries) or the LTB project. <https://repo.symas.com/> <https://ltb-project.org/> Regards, Quanah

1 0

Error: Could not locate TLS/SSL package
by vmaidarkar＠gmail.com 16 Aug '22

16 Aug '22

Hi Team, I'm compiling OpenLDAP 2.5.13 on CentOS 7 & OpenSSL 1.1.1g is already installed & below is the command. ./configure --prefix=/opt/deployment/openldap_v13 --sysconfdir=/opt/deployment/openldap_v13/etc --localstatedir=/opt/deployment/openldap_v13/var --libexecdir=/opt/deployment/openldap_v13/libexec --enable-overlays=mod --enable-modules --enable-accesslog --enable-auditlog --enable-collect --enable-memberof --enable-syncprov --with-tls=openssl --enable-dynamic --enable-crypt --enable-slapd --enable-rlookups --disable-perl --enable-ppolicy --enable-backends=mod --disable-ndb --disable-sql --disable-shell --disable-bdb --disable-hdb I'm getting the below error of OpenSSL. checking for openssl/ssl.h... yes checking for SSL_export_keying_material_early in -lssl... no configure: error: Could not locate TLS/SSL package Could you please suggest how to fix this issue. Thanks, Vijay

4 6

Unable to connect to 636 secure port using LDAP library
by BANDANI MAHARANA 15 Aug '22

15 Aug '22

Hi Team, I am trying to connect to an Active directory server using 636 port for secure connection. I am using the openldap library to establish the connection. Implementation is completed for insecure connection using 389 port. Below is the code snippet I am using to establish the connection with ldap server in 636 port. LDAP * ldap_handler; int return_value = ldap_initialize(ldap_handler, "ldaps:// TestServer.mylab.com:636"); //server url if (return_value == LDAP_SUCCESS) { cout<<"LDAP initialized successfully"; // this is successful for me } else { cout<<"LDAP initialization failed"; } int return_value = ldap_set_option(*ldap_handler, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3); if(return_value == LDAP_SUCCESS) { cout<<"success"; // this is successful for me } else { cout<<"failed"; } const char * CACERT_FILE_PATH = "certificate/mylab-TESTSERVER-CA.cer"; //certificate path int return_value1 = ldap_set_option(*ldap_handler, LDAP_OPT_X_TLS_CACERTFILE, CACERT_FILE_PATH); if (return_value1 == LDAP_SUCCESS) { } else { // its failing here with error -1, and error string "Can't contact to LDAP server" } int return_value = ldap_simple_bind_s(*ldap_handler, "mylab\administrator", ""pwd@1234"); if (return_value == LDAP_SUCCESS) { //success } else { // its failing here with error -1, and error string "Can't contact to LDAP server" } I have verified the same thing is working when connecting to 389 port. Could you please suggest how to make this work for secure ldap connection over ssl? Please provide some examples or references. It will be helpful for me. Thanks & Regards, Bandani

3 4

LDAP Failure: {'desc': "Can't contact LDAP server}
by Shaheena Kazi 08 Aug '22

08 Aug '22

Hello, I am using Debian 11. Openldap : 2.4.57+dfsg-3+deb11u1 python3-ldap : 3.2.0-4+b3 python3-ldap3: 2.8.1-1 TLS - 1.3 Openssl - 1.1.1n-0+deb11u3 I am try to set a new connect and then import files using below commands: ldapcon = ldap.initialize('ldap://localhost') ldapcon.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3) ldapcon.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) ldapcon.set_option(ldap.OPT_X_TLS_NEWCTX, 0) dn_to_add = 'cn=test.user,ou=people,dc=framework,dc=protegrity,dc=com' modlist_to_add = [('uid', [b'test.user']), ('objectclass', [b'inetOrgPerson', b'posixAccount', b'top']), ('uidnumber', [b'1003']), ('gidnumber', [b'100']), ('homedirectory', [b'/home/test.user']), ('userpassword', [b'qwer1234']), ('givenname', [b'test']), ('sn', [b'user']), ('displayname', [b'test user']), ('loginshell', [b'/usr/local/sbin/manager']), ('cn', [b'test.user']), ('description', [b'testing']), ('pwdreset', [b'TRUE'])] ********* But when I run this - ldapcon.add_s(dn_to_add, modlist_to_add) The slapd service crashes and I get below error LDAP Failure: {'desc': "Can't contact LDAP server} ldap.CONFIDENTIALITY_REQUIRED: {'desc': 'Confidentiality required', 'info': 'TLS confidentiality required'} Can u guys help me here as in what am I missing on and why the add_s is causing my slapd to crash Regards, Shaheena K

2 1

symas pacakages on Debian
by Ulf Volmer 05 Aug '22

05 Aug '22

Hello, I'm running symas OpenLDA on Debian 11. Today we got an upgrade, which make the server unable to start: apt show symas-openldap-server Package: symas-openldap-server Version: 2.6.3-1bullseye1 sudo systemctl status slapd ● symas-openldap-server.service - Symas OpenLDAP Server Daemon Loaded: loaded (/etc/systemd/system/symas-openldap-server.service; enabled; vendor preset: enabled) Drop-In: /etc/systemd/system/symas-openldap-server.service.d └─override.conf /run/systemd/system/service.d └─zzz-lxc-service.conf Active: failed (Result: exit-code) since Fri 2022-08-05 13:20:57 CEST; 8min ago Docs: man:slapd man:slapd-config man:slapd-mdb Process: 536 ExecStart=/opt/symas/lib/slapd -d 0 -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=254) Main PID: 536 (code=exited, status=254) CPU: 13ms Aug 05 13:20:57 ldap3.lan.u-v.de systemd[1]: Starting Symas OpenLDAP Server Daemon... Aug 05 13:20:57 ldap3.lan.u-v.de slapd[536]: ldap_int_sasl_init: SASL library version mismatch: expected 2.1.28, got 2.1.27 Aug 05 13:20:57 ldap3.lan.u-v.de systemd[1]: symas-openldap-server.service: Main process exited, code=exited, status=254/n/a Aug 05 13:20:57 ldap3.lan.u-v.de systemd[1]: symas-openldap-server.service: Failed with result 'exit-code'. Aug 05 13:20:57 ldap3.lan.u-v.de systemd[1]: Failed to start Symas OpenLDAP Server Daemon. dpkg -l|grep sasl ii gsasl-common 1.10.0-4+deb11u1 all GNU SASL platform independent files ii libgsasl7:amd64 1.10.0-4+deb11u1 amd64 GNU SASL library ii libsasl2-2:amd64 2.1.27+dfsg-2.1+deb11u1 amd64 Cyrus SASL - authentication abstraction library ii libsasl2-modules:amd64 2.1.27+dfsg-2.1+deb11u1 amd64 Cyrus SASL - pluggable authentication modules ii libsasl2-modules-db:amd64 2.1.27+dfsg-2.1+deb11u1 amd64 Cyrus SASL - pluggable authentication modules (DB) ii libsasl2-modules-gssapi-mit:amd64 2.1.27+dfsg-2.1+deb11u1 amd64 Cyrus SASL - pluggable authentication modules (GSSAPI) rc sasl2-bin 2.1.27+dfsg-2.1+deb11u1 amd64 Cyrus SASL - administration programs for SASL users database ii symas-cyrus-sasl-lib 2.1.27-4bullseye1 amd64 Cyrus-SASL Libraries Any help is appreciated. Best regards Ulf

3 3

OpenLDAP on Debian 11: missing TLS ciphers?
by Jochen Keutel 03 Aug '22

03 Aug '22

Hello, we installed the standard OpenLDAP package on Debian 11. Checking the TLS ciphers offered by the server we could see that all six Camellia ciphers are gone (128 and 256, for TLS 1.0, 1.1, 1.2) compared with the standard OpenLDAP package on Debian 9. Is this special to the Debian package? Or: Has Gnutls changed something? We did run into this issue because some special devices (e.G. Cisco Prime Collaboration Assurance) cannot connect to the new OpenLDAP server. The server logfile states: TLS handshake: negotiation failure. It's not yet clear whether they really can "speak" only Camellia ... Regards Jochen.

5 7

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2022