openldap-technical May 2023

openldap-technical@openldap.org

25 participants
19 discussions

OpenLDAP - CLDAP and SASL
by Simon Pichugin 16 May '23

16 May '23

Hi folks, I am currently experiencing an issue with IPA Server set up on Fedora 36, using ipa-adtrust-install, and I'm unsure if this is due to a bug or misconfiguration on my part. Here's what I've done: I ran the following ldapsearch command: ldapsearch -LL -H cldap://server.example.com -b '' -s base 'dc=example,dc=com' "(&(DnsDomain='dc=example,dc=com')(NtVer=\x06\x00\x00\x00)(AAC=\x00\x00\x00\x00))" On OpenLDAP 2.4.46, it was working fine, and it gave an output. But OpenLDAP 2.6.2 and 2.6.4 fails with No such object (32) error. I used gdb to investigate and found that the error occurred here: https://git.openldap.org/openldap/openldap/-/blob/master/clients/tools/comm… It executes ldap_sasl_interactive_bind, but it exits right in the beginning: https://git.openldap.org/openldap/openldap/-/blob/master/libraries/libldap/… So back at: https://git.openldap.org/openldap/openldap/-/blob/master/clients/tools/comm… It exists the do-while loop right away and leaves with no result. I'm wondering if I missed something or if there was an oversight in the implementation of this RFC, specifically regarding the CLDAP case: https://git.openldap.org/openldap/openldap/-/commit/2ae62e86bc8ffab713fc489… Looking forward to your thoughts! Best Regards, Simon

2 2

iNetOrgPerson doesn't exist?
by Luca Stancapiano 16 May '23

16 May '23

Hi all, I'm triing to create a user with openldap 2.4 dn: uid=rrrrrr,ou=users,dc=my-domain,dc=com objectClass: iNetOrgPerson uid: iiiiii but it doesn't seem recognize the objectClass producing this error: adding new entry "uid=rrrrrr,ou=users,dc=my-domain,dc=com" ldap_add: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax Using other object classes is ok. What's the problem?

5 11

Debugging TLS negotiation failure
by terry.lemons＠dell.com 16 May '23

16 May '23

Hi I've followed the instructions in https://www.openldap.org/doc/admin26/quickstart.html to deploy openldap 2.6.4 on a SLES 15 SP4 system. Once I confirmed that this was working correctly, I moved on to configure TLS, following the instructions in https://www.openldap.org/doc/admin26/tls.html. When I try a connection to the LDAPS port (636), I see the following: ldpdd040:~ # openssl s_client -connect ldpdd042.hop.lab.emc.com:636 CONNECTED(00000003) 139702302594704:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 293 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1683823897 Timeout : 300 (sec) Verify return code: 0 (ok) --- ldpdd040:~ # I'm using this command to start slapd: /usr/local/libexec/slapd -F /usr/local/etc/slapd.d -s 3 -h "ldap:/// ldaps:///" When I execute the openssl command above, I look in /var/log/messages and see: 2023-05-11T12:51:55.213884-04:00 ldpdd042 slapd[20101]: conn=1000 fd=12 ACCEPT from IP=10.247.229.40:56844 (IP=0.0.0.0:636) 2023-05-11T12:51:55.213944-04:00 ldpdd042 slapd[20101]: connection_get(12): got connid=1000 2023-05-11T12:51:55.214004-04:00 ldpdd042 slapd[20101]: connection_read(12): checking for input on id=1000 2023-05-11T12:51:55.214065-04:00 ldpdd042 slapd[20101]: connection_read(12): TLS accept failure error=-1 id=1000, closing 2023-05-11T12:51:55.214138-04:00 ldpdd042 slapd[20101]: connection_close: conn=1000 sd=12 2023-05-11T12:51:55.214207-04:00 ldpdd042 slapd[20101]: conn=1000 fd=12 closed (TLS negotiation failure) ldpdd0 I've appended these lines to /usr/local/etc/openldap/slapd.conf: # Added TLS directives # TLSCACertificateFile /var/lib/ca-certificates/ca-bundle.pem TLSCertificateFile /etc/ssl/private/server.cert TLSCertificateKeyFile /etc/ssl/private/server.key #TLSCipherSuite ALL I can't find any log information that helps me understand what the problem is. I'm using a self-signed server certificate that has the cn using the FQDN of the server. How can I debug this? Thanks! tl

12 31

Overly variant
by Stefan Kania 14 May '23

14 May '23

Hi to all, today I tried to set up the new overlay variant with OpenLDAP 2.6 (symas-packages) on a Debian 11 system First step I loaded the module: I added the Attribute "postaladdress" to an OU (ou=firma,dc=example,dc=net) and the "mobile" attribute to (ou=firma,dc=example,dc=net) Then I added the module ------------ dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: variant.la ------------ Then I created the following configuration: ------------ dn: olcOverlay={5}variant,olcDatabase={2}mdb,cn=config objectClass: olcVariantConfig olcVariantPassReplication: TRUE dn: name=example,olcOverlay={5}variant,olcDatabase={2}mdb,cn=config objectClass: olcVariantVariant olcVariantEntry: dc=example,dc=net dn: olcVariantVariantAttribute=postaladdress,name={0}example,olcOverlay={5}variant,olcDatabase={2}mdb,cn=config objectClass: olcVariantAttribute olcVariantVariantAttribute: postaladdress olcVariantAlternativeAttribute: postaladdress olcVariantAlternativeEntry: ou=firma,dc=example,dc=net dn: name=firma telefon,name={0}example,olcOverlay={5}variant,olcDatabase={2}mdb,cn=config objectClass: olcVariantAttribute olcVariantVariantAttribute: telephonenumber olcVariantAlternativeAttribute: mobile olcVariantAlternativeEntry: cn=Verw-al,ou=users,ou=Verwaltung,ou=firma,dc=example,dc=net ------------ That works fine. dc=example,dc=net has the "postaladdress" from ou=firma and dc=example,dc=net has the "mobile" as "telephonenumber" from "cn=verw-al" But now I like to set the attribute "telephonenumber" for all users in ou=users,ou=verwaltung,ou=firma,dc=example,dc=net" to the "telephonenumber" of "ou=firma,dc=example,dc=net". So I have to deal with RegEx here. I took a look at the example in the manpage and I'm even more confused. I tried the following: -------------------------- dn: name=verw-tel,olcOverlay={5}variant,olcDatabase={2}mdb,cn=config objectClass: olcVariantRegex olcVariantEntryRegex: cn=.+,ou=users,ou=verwaltung,ou=firma,dc=example,dc=net dn: olcVariantVariantAttribute=telephonNumber,name={1}verw-tel,olcOverlay={5}variant,olcDatabase={2}mdb,cn=config objectClass: olcVariantAttributePattern olcVariantVariantAttribute: telephoneNumber olcVariantAlternativeAttribute: telephoneNumber olcVariantAlternativeEntryPattern: ou=Verwaltung,ou=firma,dc=example,dc=net -------------------------- The first entry: dn: name=verw-tel,olcOverlay={5}variant,olcDatabase={2}mdb,cn=config Is telling me who should get the value from the shared attribute. Right? That's the way it works without RegEx. The second entry should point to the object and it's attribute to share. Right? So in "ou=verwaltung,...." I have the attribute "telephoneNumber" set and this should be shared. But If I try to add the entries. The first entry works. But the second entry gives the following error message: --------------- adding new entry "olcVariantVariantAttribute=telephonNumber,name={1}verw-tel,olcOverlay={5}variant,olcDatabase={2}mdb,cn=config" ldapadd: update failed: olcVariantVariantAttribute=telephonNumber,name={1}verw-tel,olcOverlay={5}variant,olcDatabase={2}mdb,cn=config ldap_add: Can't contact LDAP server (-1) --------------- And as you can see, adding the entry crashes the slapd. Can someone tell me the right way to use variant with regex?

3 6

Mapping the groupOfNames' owner attribute to members' Manager attribute
by sysadm+ldap-technical＠rolep.work 13 May '23

13 May '23

Hello, Is there any way to map the groupOfNames' owner attribute to members' Manager attribute without external scripts?

2 2

[About lmdb's write performance] mdb_txn_commit blocking for a long time
by Wang Zhiyong 05 May '23

05 May '23

Hello all. We are using lmdb in our own storage service and recently found a write performance issue. The phenomenon is that lmdb batch write is very slow, and a write transaction operation takes several minutes. For example, if a transaction writes 100,000 kv, the average value size is 100 bytes, and it takes 5 minutes. The size of lmdb data file is 460G. The analysis using perf is as follows: 53.14% liblgraph.so [.] mdb_page_alloc.isra.21 46.81% liblgraph.so [.] mdb_midl_xmerge 0.01% [kernel] [k] __check_object_size 0.01% [kernel] [k] __do_page_fault 0.01% [kernel] [k] __fput 0.01% [kernel] [k] get_futex_value_locked 0.01% [kernel] [k] radix_tree_descend 0.01% libpthread-2.17.so [.] __errno_location The cpu are consumed on the two functions mdb_page_alloc and mdb_midl_xmerge. By adding time statistics, I found that the blocking is in the mdb_freelist_save function in mdb_txn_commit. I'm not familiar with lmdb source code, can anyone explain why mdb_freelist_save consumes so much time? is this the expected result when lmdb data gets bigger? Is there any way to restore the write performance after the write becomes worse? What is the suggestion to improve the write performance of lmdb?

3 5

RE: Issues deploying openldap 2.6.4 Proxy on RHEL 8.7
by Vikram Sharma 04 May '23

04 May '23

Hello Support, Please see the screenshot for more information. [cid:image001.png@01D97E87.92DA8720] Warm Regards, Vikram Sharma Vikram.Sharma(a)investec.co.in<mailto:Vikram.Sharma@investec.co.in> Investec Global Services (India) Pvt. Ltd. Tel: +91 22 68497512 Mob: +91 9930600995 From: Vikram Sharma Sent: 04 May 2023 11:22 To: openldap-technical(a)openldap.org Cc: Amit Kulkarni <Amit.Kulkarni(a)investec.co.in>; Wyvern Bozec-Pearce <Wyvern.Bozec-Pearce(a)investec.co.uk> Subject: Issues deploying openldap 2.6.4 Proxy on RHEL 8.7 Hello Support, We are trying to deploy Openldap proxy from the available package from the openldap site version 2.6.4 on the Red Hat Enterprise Linux version 8.7 ootpa. We are aware that Red Hat enterprise 8.7 support openldap clients however, installing openldap-server is not supported. We are referring to the support tech link https://computingforgeeks.com/install-configure-openldap-server-centos/ to deploy openldap 2.6.4 however, when the deployment installation is completed following steps we are unable to start slapd service as slapd.d file is missing can we get some guidance on this please? Download site - https://www.openldap.org/software/download/OpenLDAP/openldap-release/ Install Procedure ------------------------------------------------------------------------------------------- #login as root user sudo su - #update required as pre-requisite sudo dnf update -y #restart once update is completed. sudo reboot #install the required dependencies sudo dnf install wget vim cyrus-sasl-devel libtool-ltdl-devel openssl-devel libdb-devel make libtool autoconf tar gcc perl perl-devel -y #create a non-privileged system user for OpenLDAP. sudo useradd -r -M -d /var/lib/openldap -u 55 -s /usr/sbin/nologin svcldapusr #Download the openldap tgz file from site https://www.openldap.org/software/download/OpenLDAP/openldap-release/ Transfer the file via Winscp and extract tar xzf openldap-$VER.tgz #Install OpenLDAP on RHEL 8 sudo mv openldap-$VER /opt # Change your working directory to OpenLDAP source. cd /opt/openldap-$VER #Install Development Tools: sudo dnf groupinstall "Development Tools" -y #Compile the source files sudo ./configure --prefix=/usr --sysconfdir=/etc --enable-debug --with-tls=openssl --with-cyrus-sasl --enable-dynamic --enable-crypt --enable-spasswd --enable-slapd --enable-modules --enable-rlookups #Upon successful compilation, you should see an output that says: "Please run "make depend" to build dependencies" #Run make depend to build OpenLDAP dependencies. sudo make depend #Compile OpenLDAP. sudo make #Install OpenLDAP on RHEL 8: sudo make install #A successful installation creates configuration files at /etc/openldap. The following files are available after installation: $ ls /etc/openldap certs ldap.conf ldap.conf.default schema slapd.conf slapd.conf.defaul Warm Regards, Vikram Sharma Vikram.Sharma(a)investec.co.in<mailto:Vikram.Sharma@investec.co.in> Investec Global Services (India) Pvt. Ltd. Tel: +91 22 68497512 Mob: +91 9930600995 Investec Bank plc is authorised and regulated by the UK Financial Services Authority. Registered in England and Wales (No. 489604). Registered office at 30 Gresham St, London EC2V 7QP. Investec Asset Finance Plc is a subsidiary of Investec Bank plc. Registered in England and Wales (No. 2179313). Registered office at Reading International Business Park, Reading RG2 6AA. We may monitor e-mail traffic data and the content of email. Calls may be monitored and recorded. If we collect personal information, the personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. For further details on how your information will be used by Investec and these fraud prevention agencies, and your data protection rights, please refer to our Fraud Prevention Notice https://www.investec.com/en_gb/legal/UK/fraud-prevention-notice.html This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. This e-mail is subject to terms available at the following link: www.investec.co.uk/emaildisclaimer. By communicating electronically with us, you consent to these terms.

2 1

Unable to filter only group name
by BANDANI MAHARANA 03 May '23

03 May '23

Hi team, I am facing problem with filtering the group names in Ad server using openldap libraries. I am using ldap search api to get the list of group. My requirement is, with the provided input, i need to display all the available group similar to the entered group name. For example, if user types dev, it should display all the group names starting with dev. Like develop, development Kindly suggest how to achieve this. Thank you Bandani

2 1

olcPPolicyForwardUpdates not working
by Benjamin Renard 03 May '23

03 May '23

Hello, I have problem with the olcPPolicyForwardUpdates option that seem not working : On master and slave, I configured Ppolicy with pwdLockout. When I try to connect on master with a bad password, the pwdFailureTime attribute of the entry is successfully updated, but not if I do the same on the slave. On slave, my ppolicy configuration is exactly the same as on master but I add olcPPolicyForwardUpdates=TRUE. I also configured the chain overlay and the updateref parameter on the database. Extract of my slave configuration : olcDatabase={1}mdb,cn=config [...] olcSyncrepl: [...] olcUpdateRef: ldaps://ldap-master olcOverlay={0}chain,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcChainConfig objectClass: top olcOverlay: {0}chain olcChainReturnError: TRUE olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={1}mdb,cn=config objectClass: olcLDAPConfig objectClass: olcChainDatabase objectClass: top olcDatabase: {0}ldap olcDbURI: ldaps://ldap-master olcDbIDAssertBind: bindmethod=simple binddn="[same user used in olcSyncrepl of the database]" credentials="secret" mode=self olcDbRebindAsUser: TRUE olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig objectClass: top olcOverlay: {1}ppolicy olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE olcPPolicyForwardUpdates: TRUE Do you have any idea of what I doing wrong ? Thanks, -- Benjamin Renard - Easter-eggs 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité Phone: +33 (0) 1 43 35 00 37 - mailto:brenard@easter-eggs.com

3 17

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2023