openldap-technical

openldap-technical@openldap.org

9 participants
9867 discussions

ldapsearch filter behaviour
by mradu＠live.com 16 Jun '20

16 Jun '20

Hi, I have 2 LDAP servers. The old one is running openldap2-2.3.32 and the new one is running openldap2-2.4.41. They both have identical configuration and data. Running the following ldapsearch command against the 2 servers only yields results on the old openldap 2.3.32: ldapsearch -H ldap://server -b 'dc=mycorp,dc=com' -D 'cn=Administrator,dc=mycorp,dc=com' -w 'passwd' '(cn=*)' cn Aparently every time I am using a filter having the "*" wildcard the new openldap fails to give back any results. Any ideea what is going on? Thanks

2 1

Re: Info needed on OpenLDAP support / compliance on FIPS 140.2
by Vijay Kumar 16 Jun '20

16 Jun '20

Thank you Quanah, As i mentioned, we are using OpenLDAP 2.4.48 version from https://www.openldap.org/ which internally uses OpenSSL I would like to know, is this version of OpenLDAP with OpennSSL does FIPS compliant.? Regards, Vijay Kumar On Mon, Jun 15, 2020 at 10:22 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote: > > > --On Monday, June 15, 2020 5:03 PM +0530 Vijay Kumar > <pasumarthivijaykumar(a)gmail.com> wrote: > > > > > Hi Team, > > > > > > We are using the version 2.4.48 OpenLDAP, we would like to know which > > versions of OpenLDAP which used OpenSSL are compliant towards FIPS 140.2 > > standards.? > > Hello, > > Do *NOT* post to multiple lists. > > The FIPS question is not really an OpenLDAP question at all. Either the > build of OpenLDAP you are using is linked to a FIPS version of OpenSSL or > it isn't. You'd need to find out from whomever provided your OpenLDAP > build (and that's assuming it's linked to OpenSSL) if that OpenSSL build > is > FIPS enabled. > > Reards, > Quaanh > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > -- Thanks & Regards, Vijay Kumar *+91-94944 44009*

5 4

Re: Re: Info needed on OpenLDAP support / compliance on FIPS 140.2
by Vijay Kumar 16 Jun '20

16 Jun '20

Thanks a lot Philip Guenther Absolute needful Info to all. Regards, Vijay Kumar On Tue, Jun 16, 2020 at 1:43 PM Marc Roos <M.Roos(a)f1-outsourcing.eu> wrote: > > Thanks for this clear insight! > > > -----Original Message----- > To: Scott Classen > Cc: Vijay Kumar; openldap-technical(a)openldap.org > Subject: *****SPAM***** Re: Info needed on OpenLDAP support / compliance > on FIPS 140.2 > > On Mon, 15 Jun 2020, Scott Classen wrote: > > Did you build the OpenLDAP binary from source or are you using a > > binary distribution from somewhere? Like Quanah already stated, you > > need to determine if the version of OpenSSL you linked against is FIPS > > > compliant. The FIPS designation has nothing to do with OpenLDAP per > se. > > > > e.g. on my CentOS distro I can type > > > > # openssl version > > OpenSSL 1.0.2k-fips 26 Jan 2017 > > > > And it lets me know that OpenSSL is FIPS compliment. Then if I build > > OpenLDAP using the openssl libraries provided with my distro then I’m > > > assuming it would then inherit some of this FIP-ness. > > Simply _using_ that library is not nearly enough to pass any sort of > compliance check. Here's a session using a similar library (CentOS > 7.7.1908) with anonymous RC4-MD5, an absolutely non-FIPS-compliant > cipher > suite: > > $ openssl version > OpenSSL 1.0.2k-fips 26 Jan 2017 > $ echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet & [1] > 31787 $ openssl s_client -connect localhost:4433 -cipher aNULL -quiet > foo read:errno=0 $ fg echo foo | openssl s_server -cipher ADH-RC4-MD5 > -nocert -quiet ^C $ > > > First, you have to actually tell the library to go into FIPS mode. The > CLI 'openssl' tool will do that when the OPENSSL_FIPS environment > variable is set and I seem to recall that the system openssl libs on > RedHat systems (don't remember if it carried over to CentOS) would do so > if a kernel parameter was set, but in general applications using libssl > and libcrypto have to use the FIPS_mode_set() API to turn on FIPS mode > themselves. > Last I checked, OpenLDAP had no calls to FIPS_mode_set(), so unless your > system libcrypto has something external to force FIPS mode *and your're > using it*, OpenLDAP will _not_ be using the library in FIPS mode. > > > Furthermore, is that build of openssl still covered by a valid FIPS > certificate? "It's a build of sources for which some build has had a > FIPS certificate issued" is cute verbiage and there are many people that > only care about that: verbiage so they can check a unclearly specified > box on their documents. Not a bad option if that's all your customers > expect and all you sell/promise, given that FIPS mode is not strictly > beneficial with the difficulty it creates for fixing bugs in crypto > implementations, including--historically--in openssl's code base. > > While some customers will find that sufficient to check a box on their > documents, it ain't going to make real FIPS compliance people (U.S. > government agencies) blink before ignoring it. If you're going to have > a compliance audit from such a group, with scheduled followups and > 30/60/90 day remediation requirements, then no, stock openldap on stock > centos, for example, will not get you there. > > > Philip Guenther > > > -- Thanks & Regards, Vijay Kumar *+91-94944 44009*

1 0

Re: syncrepl does not work as expected
by Giuseppe De Marco 15 Jun '20

15 Jun '20

Ciao kumar, A fully working example, configurable with ansible with delta syncrepl ready to go, for studies and prototyping, Is here: https://github.com/peppelinux/ansible-slapd-eduperson2016 Run as It come in a container, for a replica node see delta repl readme, Have fun and don't give up Il lun 15 giu 2020, 21:29 Quanah Gibson-Mount <quanah(a)symas.com> ha scritto: > > > --On Monday, June 15, 2020 8:05 PM +0000 Kumar Rahul > <rahul2002mit(a)gmail.com> wrote: > > > dn: olcDatabase={1}mdb,cn=config > > objectClass: olcMdbConfig > > olcDatabase: {1}mdb > > olcDbDirectory: /usr/local/var/openldap-data/data_db > > olcSuffix: dc=smartsan > > olcRootDN: cn=info,dc=data > > olcAccess: {0}to * by dn.base="cn=info,dc=data" read by * break > > Assuming the above is your actual configuration, then.. > > Your sync replication configuration uses: > > binddn="cn=admin,dc=smartsan" > > But this identity is given no access to your database, as it's not the > rootDN, and there are no ACLs providing access to it. > > As an aside, your ACL {0} makes no sense since you have cn=info,cn=data as > your rootdn, and rootdn's are not subject to access control. The only > other thing it does is break to the default ACL of to * by * none. > > Regards, > Quanah > > > -- > > Quanah Gibson-Mount > Product Architect > Symas Corporation > Packaged, certified, and supported LDAP solutions powered by OpenLDAP: > <http://www.symas.com> > -- ------------------------------------------------------------------------------------------------------------------ Il banner è generato automaticamente dal servizio di posta elettronica dell'Università della Calabria <https://www.unical.it/portale/portaltemplates/view/view.cfm?100061>

1 0

OpenLDAP with SSL connection and search only with wildcard
by a.leurs＠consense-gmbh.de 15 Jun '20

15 Jun '20

Hello, I have successfully managed to create my SSL-Connection to the OpenLDAP and from the OpenLDAP the two different Active Directorys. But now when I perform a search with only a wildcard (e.g. (sn=*)), I don't get any results. A search with the filter (sn=l*) works fine. I get all users wich lastname starts with the letter 'l'. When I switch back to LDAP instead of LDAPS it works fine. Here is my slapd.conf: #LDAP Backend configuration file # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. ucdata-path ./ucdata include ./schema/core.schema include ./schema/cosine.schema include ./schema/nis.schema include ./schema/inetorgperson.schema pidfile ./run/slapd.pid argsfile ./run/slapd.args # Full log level loglevel 32768 16384 2048 1024 512 256 128 64 32 16 8 4 2 1 sizelimit unlimited timelimit unlimited # Enable TLS if port is defined for ldaps (to openldap) TLSVerifyClient never TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3 TLSProtocolMin 3.3 TLSCertificateFile ./secure/certs/maxcrc.cert.pem TLSCertificateKeyFile ./secure/certs/maxcrc.key.pem TLSCACertificateFile ./secure/certs/maxcrc.cert.pem # Configuration for Connection to example.com database meta suffix "DC=example,DC=com" rootdn "DC=example,DC=com" rebind-as-user yes uri ldaps://example.com:636/dc=example,DC=com lastmod off chase-referrals no idassert-bind bindmethod=simple binddn="cn=CN=username,OU=Users,OU=Orga,DC=example,DC=com" credentials="XXXX" tls_reqcert=never tls_cacert=./secure/certs/example.pem tls ldaps tls_reqcert=allow tls_cacert=./secure/certs/example.pem # Configuration for Connection to Test-LDAP uri ldap://ldap.andrew.cmu.edu/dc=test,dc=exapmle,dc=com suffixmassage "dc=test,dc=example,dc=com" "dc=edu,dc=meta,dc=com" overlay rwm rwm-map attribute uid samaccountname rwm-map attribute member memberOf rwm-map objectclass inetOrgPerson user

3 3

Info needed on OpenLDAP support / compliance on FIPS 140.2
by Vijay Kumar 15 Jun '20

15 Jun '20

Hi Team, We are using the version 2.4.48 OpenLDAP, we would like to know which versions of OpenLDAP which used OpenSSL are compliant towards FIPS 140.2 standards.? Please let us know the details. Thank you. -- Thanks & Regards, Vijay Kumar *+91-94944 44009*

2 1

Best practices in storing user device data
by Nick Milas 13 Jun '20

13 Jun '20

Hello everyone, In our (non-profit, research) organization we are already using OpenLDAP for many years, storing people data and dns records (LDAP-based DNS server). We are now looking into how we could organize our LDAP DIT in order to store device data (descriptions, MAC addresses, IP Addresses). The idea is to be able to use the DIT for combined and/or independent user- and device- based authentication throughout the network (e.g. using TACACS, Radius pulling data from LDAP DIT or elsewhere). Currently we are storing data about devices (IP and MAC) Addresses using phpIPAM and NetDisco open source software, so data is stored in relational databases (postgresql on NetDisco, MySQL on phpIPAM), yet network-related data is not directly (i.e. integrated in db schemas) associated to users (except in descriptions). In phpIPAM we are organizing our IP Spaces (public and private). NetDisco uses SNMP to scan the network and automatically associate end-devices ("nodes") to switches ("devices") and MAC addresses to IP addresses. We are currently investigating whether we should: 1. Store device data in the DIT as part of user records. Thus, each user entry would also include info about the devices the user is responsible for, most importantly IP Addresses assigned to them and MAC addresses. Is this approach considered sane? If so, which Object Class(es) would serve this need? 2. Store data in a separate branch, for example: dn: cn=devicexxx,ou=Nodes,dc=example,dc=com objectClass: device objectClass: ieee802Device objectClass: radiusprofile objectClass: simpleSecurityObject objectClass: top cn: devicexxx description: Main Server at Net Lab l: Main Campus macAddress: 00:24:8c:3c:xx:xx ou: tech owner: cn=TechAdmins,ou=Groups,dc=example,dc=com radiusArapSecurity: 195.xxx.xxx.1 radiusArapZoneAccess: 255.255.255.128 radiusFramedIPAddress: 195.xxx.xxx.63 radiusHint: 50004 radiusNASIpAddress: 195.xxx.xxx.125 radiusTerminationAction: 33 radiusTunnelMediumType: IEEE-802 radiusTunnelPrivateGroupId: 1 radiusTunnelType: VLAN userPassword:: **************** We have successfully tried this approach using FreeRadius and Cisco 2960 switches but I didn't find this solution ideal/intuitive, especially because devices are totally dis-associated from users. It seems to be more natural to authenticate users based on their personal (ldap-based) credentials and devices based on their MAC addresses alone. But of course, I may be wrong... 3. Use an non-LDAP store, e.g. MySQL. I would be grateful to people here who have already dealt with this issue and would be eager to share their experience. Any reference(s) to relevant documents regarding the above will be valuable too! Thanks in advance. Cheers, Nick

1 0

Restoring from prod into qa
by John C. Pfeifer 12 Jun '20

12 Jun '20

I have a both a production cluster and a qa cluster of servers. Each cluster is setup with multi-master (mirror-mode) delta-sync replication. On a weekly basis, I need to reload the data in qa from production. My problem is that, after successfully loading the dump, there is an epic flurry of replication events which tend to exhaust my burst balances in AWS. While I could request more resources (at a greater cost), I first want to verify that I have a reasonable process. On one of the production servers, I generate a dump: /usr/sbin/slapcat -F /etc/openldap/slapd.d -b dc=umd,dc=edu -l dump.ldif On each of the qa servers (simultaneously): 1) fetch the dump 2) delete the dc=umd,dc=edu and cn=accesslog LMDB files 3) /usr/sbin/slapadd -F /etc/openldap/slapd.d -b dc=umd,dc=edu -q -w -S 0 -l dump.ldif Is this a reasonable approach? Is the use of the ‘-S’ flag correct? Should I be modifying the dump in any manner (e.g. deleting the entryCSN attributes)? Thanks for any advise. // John Pfeifer Division of Information Technology University of Maryland, College Park

3 2

Rewriting attribute.
by Jan Hugo Prins 11 Jun '20

11 Jun '20

Hello, I'm trying to do a rewrite using the rwm overlay: I'm trying to rewrite uid: user1-branch1 to uid: user1 Some context: We have the following situation: We have a central OpenLDAP with several OU's. In these OU's we have user SubOU's and a user has a UID that is a combination of his CN with a dash and an abbreviation for the OU he is living in. For example: OU=Branch1,DC=Example,DC=ORG User 1: dn=User1,OU=Branch1,DC=Example,DC=ORG cn=User1 uid=User1-Branch1 OU=Branch2,DC=Example,DC=ORG User 1: dn=User1,OU=Branch1,DC=Example,DC=ORG cn=User1 uid=User1-Branch2 The reason this is done in the past (15 or 20 years ago) was that they wanted to have multiple branches and people could authenticate with the cn within there own branch. All very complicated history, but I have to work with it now. Someone setup a new Samba server a while back and wanted to normalize this Samba config a little so he created a LDAP proxy on this server where he proxied only one OU and did a rwm map from cn to uid. Part of this config: overlay rwm rwm-map attribute uid cn This works fine to some extend. One of the problems I found just now is that I don't have a cn anymore in the DN's that I get from this LDAP proxy, besides that, if the proxy has to much access and you search for a uid=User1 it will return both User1 from Branch1 and Branch2, and this could result in some security issues. For this reason I'm currently doing a little redesign of this setup and I would like to change the rwm-map to a rewrite of the uid where I simply strip everything including the dash in the uid, besides that I'm going to limit access of this proxy by using a proxy user with limited access to only the OU that it needs access to. The access limitation works just fine. I only need a little help with the rewrite. Thanks, Jan Hugo Prins

1 1

Configuring multiple proxies for Mirror-Mode
by wayne.mcnaught＠landregistry.gov.uk 11 Jun '20

11 Jun '20

I am looking for some advice and information. I have configured multiple LDAPs in a Mirror-Mode configuration and fronted by OpenLDAP in proxy mode. I understand that the list contained in the DBURI attribute is used to define the backends, and all the proxies are configured with the same list. I understand that first URI in the DbURI attribute will be used unless this fails, in which case it will fall back to the second URI. It will then keep on the second one until that one fails. This seems fine for most failure cases, when all proxies recognise the same failure. If communication fails between one proxy and the one backend LDAP and doesn't affect all proxies, writes will now be directed to different backends from different proxies. Is there some way to keep the proxies in-line or recognise a failure on one proxy and force the others to change. Thanks in advance Wayne McNaught

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical