openldap-technical

openldap-technical@openldap.org

18 participants
9897 discussions

overlay autoca in OpenLDAP 2.5
by Stefan Kania 23 Oct '20

23 Oct '20

Hello, I play around al little bit with the OpenLDAP 2.5alpha. I'm trying the new overlay for the certificates. I start with the configuration with slapd.conf, because it's faster to change ;-). I started with the two lines from the manpage: -------- overlay autoca caKeybits 4096 ------- The first start of the slapd failed with the error-message: --------- Oct 20 20:39:47 ldap25 systemd[1]: slapd-current.service: Control process exited, code=exited, status=1/FAILURE Oct 20 20:39:47 ldap25 systemd[1]: slapd-current.service: Failed with result 'exit-code'. --------- I checked the config, everything was ok, I tried it a second time and then the slapd startet without problem. This happens after neatly every change of the parameters for this overlay. First start failed, second start was ok without any change in the configuration. Now, when I do an ldapsearch I see: --------- dn: dc=example,dc=net objectClass: domain objectClass: dcObject objectClass: autoCA dc: example cACertificate;binary:: MIIFcDCCA1igAwIBAgIJAKh3GIChqUPoMA0GCSqGSIb3DQEBCwUAMC4 ... VYd8XlDNv6d/04FDyEqKH9KAV5RMXiI9GHbQ== --------- Then I did the following changes in my configuration: --------- overlay autoca caKeybits 4096 userClass inetOrgPerson userKeybits 4096 serverClass ipHost serverKeybits 4096 --------- Because it's a TESTSYSTEM my acl are set: --------- access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=pKCS8PrivateKey by self ssf=128 write access to * by self write by users read by anonymous auth --------- But when I create a user or a server there is no certificate. In the manpage said: --------- Certificates for users and servers are generated on demand using a Search request --------- But I never saw any certificate. As a user I search for my own Object, but I don't see any certificate. Can I (if it works ;-) ) the server-certificate for TLS? Where can I find some more information about autoca. Thanks for any help Stefan

2 4

Symas OpenLDAP for Linux 2.4.54-1 released
by Quanah Gibson-Mount 22 Oct '20

22 Oct '20

The latest version of Symas OpenLDAP for Linux, 2.4.54-1, is now available. There are a few small changes for this build vs previous builds, in that the lastbind and noopsrch overlays have been added. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Modifying 'top' objectClass
by Zahoor Alizai 16 Oct '20

16 Oct '20

Can I modify the 'top' objectClass in openLDAP to incorporate some activedirectory attributes. Existing schemas in '/etc/ldap/slapd.d/cn=config/cn=schema' can be modified using ldapmodify. But i cannot find 'top' objectClass in any of these. To my knowledge, 'top' is part of system schema but can it be modified?

4 3

ldapsearch -Y EXTERNAL not working
by Stefan Kania 15 Oct '20

15 Oct '20

Hello, I just compiled OpenLDAP 2.5alpha on a debian 10 system. I used this howto: https://tylersguides.com/guides/install-openldap-source-debian-stretch/ Slapd is running and I load the following ldif: ----------------- dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /opt/openldap-current/var/run/slapd.args olcPidFile: /opt/openldap-current/var/run/slapd.pid olcTLSCACertificateFile: /etc/ssl/certificates/demoCA/cacert.pem olcTLSCertificateFile: /etc/ssl/certificates/ldap01-cert.pem olcTLSCertificateKeyFile: /etc/ssl/certificates/ldap01-key.pem olcTLSCipherSuite: TLSv1.2:HIGH:!aNULL:!eNULL olcTLSProtocolMin: 3.3 dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /opt/openldap-current/libexec/openldap olcModuleload: back_mdb.la olcModuleload: pw-sha2.la include: file:///opt/openldap-current/etc/openldap/schema/core.ldif include: file:///opt/openldap-current/etc/openldap/schema/cosine.ldif include: file:///opt/openldap-current/etc/openldap/schema/nis.ldif include: file:///opt/openldap-current/etc/openldap/schema/inetorgperson.ldif dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend olcPasswordHash: {SSHA512} olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none dn: olcDatabase=config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcRootDN: cn=config olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none ----------------- When I try to do a ldapsearch with -Y EXTERNAL I get the following error: ----------------- root@lda25:~# ldapsearch -Y EXTERNAL -H ldaps://ldap25.example.net -b cn=config SASL/EXTERNAL authentication started ldap_sasl_interactive_bind: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: ----------------- Ldapsearch -ZZ is working: ----------------- root@lda25:~# ldapsearch -x -ZZ -H ldap://ldap25.example.net -b cn=config -LLL No such object (32) root@lda25:~# ldapsearch -x -H ldaps://ldap25.example.net -b cn=config -LLL No such object (32) ----------------- So ldaps and ldap+tls is working. Did I miss something during "configure". I would like to help testing version 2.5. Stefan

2 2

OpenLDAP 2.5.0 ALPHA released
by Quanah Gibson-Mount 15 Oct '20

15 Oct '20

Hello -technical, The first alpha release for the OpenLDAP 2.5 series released today, and the source can be obtained from the download page: <https://www.openldap.org/software/download/> The OpenLDAP 2.5 series contains numerous bug fixes and enhancements. Note that some features listed in the ANNOUNCEMENT file in the source tarball are not yet available (I.e., the load balancer). A list of issues marked complete for this alpha can be found in Bugzilla: <https://bugs.openldap.org/buglist.cgi?bug_status=VERIFIED&list_id=858&produ…> Any testing in dev/qa/test environments that people can engage in with this alpha would be extremely helpful. I will be working on making binary builds available to help with testing in the near future. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 2

Re: OpenLDAP 2.5.0 ALPHA released
by Dave Macias 14 Oct '20

14 Oct '20

Sorry for the unnecessary email but my jaw literally dropped... Look forward to the binary builds for testing Stay safe everyone! -Dave On Wed, Oct 14, 2020 at 6:15 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > Hello -technical, > > The first alpha release for the OpenLDAP 2.5 series released today, and > the > source can be obtained from the download page: > > <https://www.openldap.org/software/download/> > > The OpenLDAP 2.5 series contains numerous bug fixes and enhancements. > Note > that some features listed in the ANNOUNCEMENT file in the source tarball > are not yet available (I.e., the load balancer). > > A list of issues marked complete for this alpha can be found in Bugzilla: > > < > https://bugs.openldap.org/buglist.cgi?bug_status=VERIFIED&list_id=858&produ… > > > > Any testing in dev/qa/test environments that people can engage in with > this > alpha would be extremely helpful. I will be working on making binary > builds available to help with testing in the near future. > > Regards, > Quanah > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> >

1 0

RE24 testing call #1 (OpenLDAP 2.4.54)
by Quanah Gibson-Mount 14 Oct '20

14 Oct '20

This is the first testing call for OpenLDAP 2.4.54. Depending on the results, this may be the only testing call. Generally, get the code for RE24: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_4/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Thanks! OpenLDAP 2.4.54 Engineering Fixed slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342) Fixed slapd delta-syncrepl to be fully serialized (ITS#9330) Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352) Fixed slapd sessionlog to use a TAVL tree (ITS#8486) Fixed slapd syncrepl to be fully serialized (ITS#8102) Fixed slapd syncrepl to call check_syncprov on fresh consumer (ITS#9345) Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov (ITS#9355) Fixed slapd syncrepl to not create empty ADD ops (ITS#9359) Fixed slapd syncrepl replace usage on single valued attrs (ITS#9295) Fixed slapd-monitor fix monitor_back_register_database for empty suffix DB (ITS#9353) Fixed slapo-accesslog normalizer for reqStart (ITS#9358) Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015) Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

7 20

smbk5pwd sambaPwdLastSet
by corey＠electrickite.org 11 Oct '20

11 Oct '20

Hello, I have run into an issue with the smbk5pwd overlay in slapd 2.4.49 on FreeBSD and I'm hoping someone can point me in the right direction. The majority of the overlay is functioning correctly - when a user updates their password using an exop the sambaLMPassword and sambaNTPassword attributes are updated along with userPassword. However, the sambaPwdLastSet attribute does not update correctly. After an exop password change the value of sambaPwdLastSet is set to 0. It does not seem to matter whether this attribute is added or updated, it is always set to zero after password change. This is honestly not a huge issue in my environment, but some applications treat a sambaPwdLastSet of zero as an indication that the user must change their password. Below is my smbk5pwd config: dn: olcOverlay={5}smbk5pwd objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcSmbK5PwdConfig objectClass: top olcOverlay: {5}smbk5pwd olcSmbK5PwdEnable: samba olcSmbK5PwdMustChange: 0 -- Corey Hinshaw

1 0

Does openldap support authPassword?
by Siddharth Jain 11 Oct '20

11 Oct '20

If yes, where can I find documentation on how to use/enable it? https://tools.ietf.org/html/rfc3112 The userPassword attribute type [RFC2256<https://tools.ietf.org/html/rfc2256>] is intended to be used to support the LDAP [RFC2251<https://tools.ietf.org/html/rfc2251>] "simple" bind operation. However, values of userPassword must be clear text passwords. It is often desirable to store values derived from the user's password(s) instead of actual passwords. The authPassword attribute type is intended to be used to store information used to implement simple password based authentication. RFC 3112 - LDAP Authentication Password Schema<https://tools.ietf.org/html/rfc3112> RFC 3112 LDAP Authentication Password Schema May 2001 hash algorithm/implementation is flawed), the hashing of passwords is intended to be as an additional layer of protection. It is RECOMMENDED that hashed values be protected as if they were clear text passwords. This attribute may be used in conjunction with server side password generation mechanisms (such as the LDAP Password Modify ... tools.ietf.org

2 1

running slapd under valgrind
by Michael Ströder 10 Oct '20

10 Oct '20

HI! An Æ-DIR installation with self-compiled OpenLDAP 2.4.53 on Debian (now buster) has memory leak issues on the Æ-DIR providers. The read-only consumers do not have this issue. The provider config is more complex with more overlays. slapd is automatically restarted (by monit) when memory consumption reaches 80%. Thus monitoring clearly shows a frequent saw tooth pattern. I'm experimenting with valgrind to track down the issue: valgrind --leak-check=full --show-leak-kinds=all --track-origins=yes --verbose --log-file=valgrind-out.txt -- /opt/openldap-ms/libexec/slapd [...] Does that make sense or are some other command-line options needed? Ciao, Michael.

2 5

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical