Re: Antw: [EXT] Re: Entering Multi-Byte Values for DirectoryString attributes
by Ede Wolf
> Hi!
>
> I'd say: Get the proper app (eg. BabelPad on Windows, see attachment) and then BASE64-encode the string.
>
> Regards,
> Ulrich
>
Thanks, but Windows is not an option. Again, base64 encoding is fine
with echo -en "" | base64.
With a browser I can search for the symbol and copy and paste it into the
ldif. All that works fine, even if my console font does not even support
that symbol. I've done it. But it feels a bit hackish.
I just hoped there was an option to tell the server that when the ldif has
this sequence, it should interpret it as an encoding, not as a literal string.
Now I know this only works for the dn (and maybe only in OpenLDAP,
will test, see other post), and for the rest I do have a workaround.
3 months, 2 weeks
Entering Multi-Byte Values for DirectoryString attributes
by Ede Wolf
Hello,
This is probably more an ldif than an OpenLDAP question, but still, maybe
somebody knows the answer: Is there a way to put multibyte characters
into an attribute value and let the server know these are not to be
treated literally, but are UTF-8 character encodings?
I've tried to dig into RFC 3629 and 4517, but those were above my
capabilities.
It does of course work for the dn; it also works if I provide base64
code to the attributes, but is there a way to directly put them into an
ldif and let the server know these are character encodings?
Also, RFC 2849 only talks about not line-breaking multi-byte characters.
In this silly, but easy, example, both cn: and description: are entered
literally, while the dn works as intended:
dn: cn=A \F0\9F\99\82 Test,dc=example,dc=com
cn: A \F0\9F\99\82 Test
objectClass: person
sn: Test
description: %xF0%x9F%x99%x82 Test
This is about understanding, not about the intention to really put a
smiley into a dn. I am aware this is a potential recipe for disaster.
Also, I am aware that OpenLDAP kindly adds a proper cn value anyway, but
that does not help here. And it would still leave the description open.
Also, as mentioned before:
echo -en "A \xF0\x9F\x99\x82 Test" | base64
is a viable workaround, but a cumbersome one.
So maybe there is an easier way.
Thanks
Ede
3 months, 2 weeks
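The two encodings the post contrasts, as an added example that is not from the thread or from OpenLDAP: attribute values that are not an RFC 2849 SAFE-STRING have to go out base64 after `::`, while the `\XX` hex pairs in the dn are RFC 4514 escapes that the server turns back into raw UTF-8 bytes. The helper names and the sample values are constructed here.

```python
import base64

HEX = "0123456789abcdefABCDEF"

def is_safe_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/LF/CR, and not starting with
    SPACE, ':' or '<'. Anything else has to be written base64 after '::'."""
    if not value:
        return True
    if value[0] in " :<":
        return False
    return all(ord(c) < 128 and c not in "\x00\n\r" for c in value)

def ldif_attr(name: str, value: str) -> str:
    """Emit one LDIF attribute line; non-ASCII values get their UTF-8 bytes
    base64-encoded, which is what `echo -en ... | base64` produces by hand."""
    if is_safe_string(value):
        return f"{name}: {value}"
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {b64}"

def decode_dn_hexpairs(dn: str) -> str:
    """Resolve RFC 4514 backslash escapes in a DN string. '\\XX' pairs are raw
    UTF-8 bytes, so \\F0\\9F\\99\\82 collapses into one code point; a '\\,'
    style escape yields the escaped character itself."""
    out = bytearray()
    i = 0
    while i < len(dn):
        if dn[i] == "\\" and i + 2 < len(dn) and dn[i+1] in HEX and dn[i+2] in HEX:
            out.append(int(dn[i+1:i+3], 16))
            i += 3
        elif dn[i] == "\\" and i + 1 < len(dn):
            out += dn[i+1].encode("utf-8")
            i += 2
        else:
            out += dn[i].encode("utf-8")
            i += 1
    # An incomplete or stray multi-byte sequence raises UnicodeDecodeError
    # here instead of silently turning into a different character.
    return out.decode("utf-8")

if __name__ == "__main__":
    smiley = "\U0001F642"  # U+1F642, UTF-8 bytes F0 9F 99 82 (constructed sample)
    print(ldif_attr("cn", f"A {smiley} Test"))   # cn:: QSDwn5mCIFRlc3Q=
    print(ldif_attr("sn", "Test"))               # sn: Test
    print(decode_dn_hexpairs(r"cn=A \F0\9F\99\82 Test,dc=example,dc=com"))
```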
Re: Antw: [EXT] Entering Multi-Byte Values for DirectoryString attributes
by Ede Wolf
On 20.02.23 at 16:18, Ulrich Windl wrote:
> Hi!
>
> Ever noticed the "double-colons" "::"?
>
> For example:
> userPassword:: e1NTSEF9...
>
> Kind regards,
> Ulrich Windl
>
>
Yes, but I am unaware that those hint at something other than base64
encoding? I may stand more than happily corrected, though.
My question was more how to provide single unicode character encodings
within an ldif file, like it can be done with the dn, where I may provide
the hex values for a character.
3 months, 2 weeks
Re: OpenSSL1.1.1 support after its EOL
by Anil 1. Tadikamalla (EXT-NSB)
Hi Team,
Can you please help to address the queries below ASAP from the OpenLDAP point of view:
1. Please let us know if OpenLDAP can provide extended support of OpenSSL 1.1.1 beyond its EOL (end of life), i.e. after September 2023?
2. Does OpenLDAP depend on RHEL for OpenSSL support, or does it package OpenSSL on its own? If it depends on RHEL and RHEL introduces OpenSSL 3.0 support, how would this be handled by OpenLDAP?
Regards,
Anil Kumar
________________________________
From: Anil 1. Tadikamalla (EXT-NSB)
Sent: Friday, December 9, 2022 9:54:28 AM
To: openldap-technical(a)openldap.org
Cc: Seenivasan 1. Alagarsamy (EXT-NSB)
Subject: Re: OpenSSL1.1.1 support after its EOL
Hi Team,
GENTLE REMINDER....
Can you please help to address the query below from the OpenLDAP point of view ASAP.
Does OpenLDAP depend on RHEL for OpenSSL support, or does it package OpenSSL on its own? If it depends on RHEL and RHEL introduces OpenSSL 3.0 support, how would this be handled by OpenLDAP?
Regards,
Anil Kumar
________________________________
From: Anil 1. Tadikamalla (EXT-NSB)
Sent: Friday, December 9, 2022 12:53 AM
To: openldap-technical(a)openldap.org
Cc: Seenivasan 1. Alagarsamy (EXT-NSB)
Subject: OpenSSL1.1.1 support after its EOL
Hi Team,
Please let us know if OpenLDAP can provide extended support of OpenSSL 1.1.1 beyond its EOL (end of life), i.e. after September 2023?
Regards,
Anil Kumar
3 months, 2 weeks
ppolicy and olcPPolicyUseLockout
by Stefan Kania
Hello,
I have the following configuration for my overlay ppolicy (OpenLDAP 2.6)
It's a testing system!
---------
dn: olcOverlay={0}ppolicy,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=net
olcPPolicyHashCleartext: FALSE
olcPPolicyForwardUpdates: FALSE
olcPPolicyUseLockout: TRUE
---------
My default-policy:
---------
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: pwdPolicy
objectClass: person
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 1440
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdFailureCountInterval: 300
pwdMaxFailure: 5
pwdMinLength: 8
sn: OurDefaultPolicy
pwdLockoutDuration: 120
pwdMustChange: TRUE
pwdMaxAge: 2000
---------
Everything works, but I don't get a different message if the account is
locked because of too many bad login attempts.
The manpage of slapo-ppolicy tells me:
ppolicy_use_lockout = TRUE, then an AccountLocked is shown. But I still get:
Permission denied, please try again.
if I'm giving the correct password after the account is locked because
of too many bad login attempts.
Did I miss something? If "yes", what?
Thanks
Stefan
3 months, 2 weeks
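Whether a refused bind is a lockout or just a wrong password can be read off the operational attributes ppolicy maintains on the entry. As an added example that is not part of the post, this classifies an entry using the lockout values from Stefan's cn=default policy; it assumes UTC GeneralizedTime values as slapd writes them and uses a constructed sample entry.

```python
from datetime import datetime, timedelta, timezone

# Lockout settings copied from the cn=default policy entry in the post.
PWD_MAX_FAILURE = 5
PWD_FAILURE_COUNT_INTERVAL = 300   # seconds a failure keeps counting
PWD_LOCKOUT_DURATION = 120         # seconds an automatic lockout lasts

def parse_generalized_time(value: str) -> datetime:
    """Parse the UTC GeneralizedTime form slapd writes, e.g. 20230220151840Z;
    a fractional-seconds suffix such as .123456Z is ignored."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def recent_failures(failure_times, now: datetime) -> int:
    """Count pwdFailureTime values still inside pwdFailureCountInterval;
    older failures no longer count towards pwdMaxFailure."""
    cutoff = now - timedelta(seconds=PWD_FAILURE_COUNT_INTERVAL)
    return sum(1 for v in failure_times if parse_generalized_time(v) > cutoff)

def lockout_state(entry: dict, now: datetime) -> str:
    """Classify an entry (attribute name -> list of values) as 'locked',
    'lockout-expired' or 'open'. ppolicy sets pwdAccountLockedTime when the
    failure count reaches pwdMaxFailure, and the lock is honoured for
    pwdLockoutDuration seconds from that timestamp."""
    locked = entry.get("pwdAccountLockedTime", [])
    if locked:
        since = now - parse_generalized_time(locked[0])
        if since < timedelta(seconds=PWD_LOCKOUT_DURATION):
            return "locked"
        return "lockout-expired"
    return "open"

# Constructed sample: five failed binds ten seconds apart, locked on the fifth.
SAMPLE_ENTRY = {
    "pwdFailureTime": ["20230220151800Z", "20230220151810Z", "20230220151820Z",
                       "20230220151830Z", "20230220151840.123456Z"],
    "pwdAccountLockedTime": ["20230220151840Z"],
}

if __name__ == "__main__":
    for stamp in ("20230220151900Z", "20230220152100Z"):
        now = parse_generalized_time(stamp)
        print(stamp, lockout_state(SAMPLE_ENTRY, now),
              recent_failures(SAMPLE_ENTRY["pwdFailureTime"], now), "recent failures")
```

These attributes are operational, so request them explicitly (for example with `+`) when reading the entry with ldapsearch.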
Tools parsing dc=foo URLs
by Norman Gray
Greetings.
This command fails in an unexpected way:
% ldapsearch -x -H 'ldap:///dc=example,dc=net' '(cn=foo)'
Could not parse LDAP URI(s)=ldap:///dc=example,dc=net (3)
It appears that ldapsearch wants me to escape the '=' and ',' in that URI:
% ldapsearch -x -H 'ldap:///dc%3dexample%2cdc%3dnet' '(cn=foo)'
DNS SRV: Could not turn domain=example.net into a hostlist
But why? The manpage for ldapsearch says
-H ldapuri
Specify URI(s) referring to the ldap server(s); a list of URI,
separated by whitespace or commas is expected; only the
protocol/host/port fields are allowed. As an exception, if no
host/port is specified, but a DN is, the DN is used to look up
the corresponding host(s) using the DNS SRV records, according
to RFC 2782. The DN must be a non-empty sequence of AVAs whose
attribute type is "dc" (domain component), and must be escaped
according to RFC 2396.
I read that as clearly saying (via the 'exception' branch of that paragraph) that the first -H argument is correct.
RFC digression:
According to RFC 2396, the /dc... is `"/" path_segments`, segments are composed of *pchar, and
pchar = unreserved | escaped |
":" | "@" | "&" | "=" | "+" | "$" | ","
...which includes both '=' and ','. Thus those characters don't need to be escaped, by RFC 2396. Or, put another way, 'ldap:///dc=example,dc=net' _is_ escaped according to RFC2396, in the sense that nothing in it needs to be escaped.
Looking instead at RFC 4516, the 'dn' in the 'ldapurl' is a 'distinguishedName' from RFC 4514 which (Sect.3) permits '=' and ',' to be included. Sect.2.1 of 4516 requires that the URI must include <reserved>, <unreserved> or <pct-encoded> of RFC 3986, but if we look at that, then Sect.2.2 indicates that <reserved> includes both '=' and ','.
Thus the behaviour of ldapsearch, when parsing the -H option, doesn't appear to match the documentation.
Explanation:
Looking at common.c:tool_args and common.c line 1199, I see that it calls ldap_url_parselist to break the -H argument into a list of URIs, and this will separate dc=example,dc=net at the comma. And sure enough, in practice it's only the ',' that has to be escaped by %2c.
I believe this behaviour doesn't match the manpage, which (clearly in my reading of it) requires either a list of protocol/host/port URIs OR (the exception) a single URI containing no host/port but only a DN. That suggests that common.c:tool_args has to detect that exception/second case. Apart from the documentation issue, having to escape commas is both repeatedly surprising and a pain in the neck on the occasions when I want to use the dc=... syntax with ldapsearch.
Re detecting that exception, searching for "///" in the ldapuri string would seem to be sufficient, and calling ldap_url_parselist_int in that case (instead of ldap_url_parselist) with a sep argument of " " looks like it would do the job with a minimal change to the code.
Best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
3 months, 2 weeks
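The two cases the manpage distinguishes, as an added illustration that is not OpenLDAP's own common.c code: a whitespace- or comma-separated list of host URIs, versus the host-less DN form whose commas belong to the DN, from which the dc components map to the DNS domain used for the SRV lookup (the RFC 2247 mapping). Function names are constructed here; no DNS lookup is performed.

```python
import re
from urllib.parse import unquote

def is_dn_only_uri(uri: str) -> bool:
    """True for the manpage's exception form: a scheme, no host/port, and a DN
    after the third slash (ldap:///dc=example,dc=net)."""
    _scheme, sep, rest = uri.partition("://")
    return bool(sep) and rest.startswith("/") and len(rest) > 1

def split_ldapuri_list(arg: str) -> list:
    """Split an -H value as the ldapsearch manpage describes: a list of
    protocol/host/port URIs separated by whitespace or commas, except that a
    host-less DN URI keeps its commas, so such input is split on whitespace only."""
    tokens = arg.split()
    if any(is_dn_only_uri(t) for t in tokens):
        return tokens
    return [t for t in re.split(r"[\s,]+", arg) if t]

def srv_domain(uri: str) -> str:
    """Map the dc= DN of a host-less URI to the DNS name an SRV lookup would
    use: dc=example,dc=net -> example.net. The DN is percent-decoded first,
    so the %3d/%2c spelling gives the same result."""
    if not is_dn_only_uri(uri):
        raise ValueError(f"not a host-less DN URI: {uri!r}")
    dn = unquote(uri.partition("://")[2].lstrip("/"))
    labels = []
    for ava in dn.split(","):
        attr, _, value = ava.strip().partition("=")
        if attr.strip().lower() != "dc" or not value.strip():
            raise ValueError(f"DN must contain only dc= components: {dn!r}")
        labels.append(value.strip())
    return ".".join(labels)

if __name__ == "__main__":
    for arg in ("ldap://dc1:389,ldaps://dc2", "ldap:///dc=example,dc=net",
                "ldap:///dc%3dexample%2cdc%3dnet"):
        uris = split_ldapuri_list(arg)
        print(arg, "->", uris)
        for u in uris:
            if is_dn_only_uri(u):
                print("   SRV lookup domain:", srv_domain(u))
```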
OpenLDAP proxy to AD
by Sajesh Singh
RHEL 8
OpenLDAP 2.6.4
Trying to use OpenLDAP as a proxy to AD and most of my configuration seems to be working as expected, but when I try to use the rwm-suffixmassage option an LDAP search against the server returns the following error:
No such object (32)
If I remove the rwm-suffixmassage option then I am returned the expected entry.
Relevant config snippet:
suffix "dc=subdomain,dc=domain,dc=tld"
uri "ldaps://dc1.subdomain.domain.tld/ ldaps://dc2.subdomain.domain.tld/"
chase-referrals no
idassert-bind bindmethod=simple
binddn="cn=user,ou=OU,dc=subdomain,dc=domain,dc=tld"
credentials="secret"
mode=self
tls_reqcert=demand
tls_cacert=cert.file
flags=non-prescriptive
overlay rwm
rwm-suffixmassage "dc=subdomain,dc=domain,dc=tld" "dc=domain,dc=tld"
Any help would be appreciated.
Thank you,
SS
3 months, 3 weeks
about slapo totp
by Bastian Tweddell
Dear all,
I am investigating if it is possible to use the TOTP overlay in the
following concept:
Many thanks for any
- NIS-related data of users are in LDAP
- user ssh access to the system is pubkey only
- after successful authentication also request TOTP via a PAM call to
slapd (only TOTP, no password)
Does this make sense and can this be achieved?
Thanks in advance,
--
Bastian Tweddell, Juelich Supercomputing Centre, HPC in Neuroscience, HPS
phone: +49 (2461) 61-6586
4 months
Re: Trying to migrate from ldap 2.4.x to 2.6.x and having an issue.
by Matthew Goebel
Ah, I have a mix of suse stanzas and (ou=people) stanzas; I was removing
both.
Just removing the stanzas with suse references and reimporting the whole
mess seems to work! :)
I need to get someone else on my team to test some stuff since I've been
staring at this too long now.
Thanks,
Matt
On Wed, Feb 8, 2023 at 3:57 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
> --On Wednesday, February 8, 2023 3:10 PM -0500 Matthew Goebel
> <mgoebel(a)emich.edu> wrote:
>
> >
> > I used slapcat/slapadd
> >
> > The two boxes are using different backend databases so I don't think I
> > can copy the data files?
>
> Right, heh. I forgot you were still on hdb/bdb. I'll try to get some
> time
> to read over the full older config. Can you confirm your slapcat export
> contains an entry for the root of the DIT? It should be the first entry in
> the file (ou=people,...)
>
> Thanks!
>
> --Quanah
>
--
Matthew Goebel : mgoebel(a)emich.edu <goebel(a)emunix.emich.edu> : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
"Always with the negative waves, Moriarty" - Oddball
"Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
4 months
Re: Trying to migrate from ldap 2.4.x to 2.6.x and having an issue.
by Matthew Goebel
I used slapcat/slapadd
The two boxes are using different backend databases so I don't think I can
copy the data files?
Thanks,
Matt
On Wed, Feb 8, 2023 at 2:06 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
> --On Tuesday, February 7, 2023 4:56 PM -0500 Matthew Goebel
> <mgoebel(a)emich.edu> wrote:
>
> >
> > Config file attached ...
>
> Sorry I haven't had time to review the config yet, but a question popped
> into my mind -- How did you migrate the data between the two instances?
> I.e., did you copy the MDB file, or use slapcat/slapadd?
>
> Thanks!
>
> --Quanah
>
>
--
Matthew Goebel : mgoebel(a)emich.edu <goebel(a)emunix.emich.edu> : Unix Jockey @ EMU : Hail Eris
Neo-Student, Net Lurker, Donut consumer, and procrastinating medher...
"Always with the negative waves, Moriarty" - Oddball
"Comfort the troubled, and trouble the comfortable." - Dietrich Bonhoeffer
4 months