openldap-technical

openldap-technical@openldap.org

5 participants
9899 discussions

SSL certificate install
by Jean-Luc Chandezon 15 Dec '23

15 Dec '23

Hello dear community, I'm trying to enable LDAPS. I don't understanrd what is cause error. Is anybody have an idea please? OpenLDAP is 2.5.13, on Debian 12. Here is our certificate chain definition: dn: cn=config add: olcTLSCACertificateFile olcTLSCACertificateFile: /etc/ssl/certs/LEXP_Infra_CA1.pem - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: /etc/ssl/private/annuaire.lexp.fr.key - add: olcTLSCertificateFile olcTLSCertificateFile: /etc/ssl/certs/annuaire.lexp.fr.pem - Request is: root@bea-chicago:/etc# ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/01-SSL.ldif Result: SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" ldap_modify: Other (e.g., implementation specific) error (80) Here are slapd logs: cago slapd[63531]: daemon: activity on 1 descriptor 2023-12-13T08:30:42.094605+01:00 bea-chicago slapd[63531]: daemon: activity on: 2023-12-13T08:30:42.094773+01:00 bea-chicago slapd[63531]: 2023-12-13T08:30:42.094922+01:00 bea-chicago slapd[63531]: slap_listener_activate(10): 2023-12-13T08:30:42.095070+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero 2023-12-13T08:30:42.095216+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero 2023-12-13T08:30:42.095352+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 busy 2023-12-13T08:30:42.095489+01:00 bea-chicago slapd[63531]: >>> slap_listener(ldapi:///) 2023-12-13T08:30:42.095658+01:00 bea-chicago slapd[63531]: daemon: accept() = 12 2023-12-13T08:30:42.095790+01:00 bea-chicago slapd[63531]: daemon: listen=10, new connection on 12 2023-12-13T08:30:42.095927+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor 2023-12-13T08:30:42.096046+01:00 bea-chicago slapd[63531]: daemon: activity on: 2023-12-13T08:30:42.096165+01:00 bea-chicago slapd[63531]: 2023-12-13T08:30:42.096284+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero 2023-12-13T08:30:42.096424+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero 2023-12-13T08:30:42.096545+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero 2023-12-13T08:30:42.096701+01:00 bea-chicago slapd[63531]: daemon: added 12r (active) listener=(nil) 2023-12-13T08:30:42.096832+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor 2023-12-13T08:30:42.096981+01:00 bea-chicago slapd[63531]: daemon: activity on: 2023-12-13T08:30:42.097099+01:00 bea-chicago slapd[63531]: 12r 2023-12-13T08:30:42.097227+01:00 bea-chicago slapd[63531]: 2023-12-13T08:30:42.097335+01:00 bea-chicago slapd[63531]: daemon: read active on 12 2023-12-13T08:30:42.097503+01:00 bea-chicago slapd[63531]: conn=1001 fd=12 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi) 2023-12-13T08:30:42.097727+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero 2023-12-13T08:30:42.097845+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero 2023-12-13T08:30:42.098084+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero 2023-12-13T08:30:42.098282+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor 2023-12-13T08:30:42.098501+01:00 bea-chicago slapd[63531]: daemon: activity on: 2023-12-13T08:30:42.098688+01:00 bea-chicago slapd[63531]: 2023-12-13T08:30:42.098848+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero 2023-12-13T08:30:42.099006+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero 2023-12-13T08:30:42.099205+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero 2023-12-13T08:30:42.099396+01:00 bea-chicago slapd[63531]: connection_get(12) 2023-12-13T08:30:42.099620+01:00 bea-chicago slapd[63531]: connection_get(12): got connid=1001 2023-12-13T08:30:42.099824+01:00 bea-chicago slapd[63531]: connection_read(12): checking for input on id=1001 2023-12-13T08:30:42.100038+01:00 bea-chicago slapd[63531]: op tag 0x60, time 1702452642 2023-12-13T08:30:42.100268+01:00 bea-chicago slapd[63531]: conn=1001 op=0 do_bind 2023-12-13T08:30:42.100499+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor 2023-12-13T08:30:42.100687+01:00 bea-chicago slapd[63531]: daemon: activity on: 2023-12-13T08:30:42.100882+01:00 bea-chicago slapd[63531]: 2023-12-13T08:30:42.101076+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero 2023-12-13T08:30:42.101292+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero 2023-12-13T08:30:42.101503+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero 2023-12-13T08:30:42.101781+01:00 bea-chicago slapd[63531]: >>> dnPrettyNormal: <> 2023-12-13T08:30:42.102002+01:00 bea-chicago slapd[63531]: <<< dnPrettyNormal: <>, <> 2023-12-13T08:30:42.102205+01:00 bea-chicago slapd[63531]: conn=1001 op=0 BIND dn="" method=163 2023-12-13T08:30:42.102431+01:00 bea-chicago slapd[63531]: do_bind: dn () SASL mech EXTERNAL 2023-12-13T08:30:42.102525+01:00 bea-chicago slapd[63531]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0 2023-12-13T08:30:42.102620+01:00 bea-chicago slapd[63531]: SASL Canonicalize [conn=1001]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 2023-12-13T08:30:42.102709+01:00 bea-chicago slapd[63531]: slap_sasl_getdn: conn 1001 id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55] 2023-12-13T08:30:42.102817+01:00 bea-chicago slapd[63531]: ==>slap_sasl2dn: converting SASL name gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth to a DN 2023-12-13T08:30:42.102908+01:00 bea-chicago slapd[63531]: <==slap_sasl2dn: Converted SASL name to <nothing> 2023-12-13T08:30:42.103004+01:00 bea-chicago slapd[63531]: SASL Canonicalize [conn=1001]: slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 2023-12-13T08:30:42.103121+01:00 bea-chicago slapd[63531]: SASL proxy authorize [conn=1001]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 2023-12-13T08:30:42.103220+01:00 bea-chicago slapd[63531]: conn=1001 op=0 BIND authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 2023-12-13T08:30:42.103322+01:00 bea-chicago slapd[63531]: SASL Authorize [conn=1001]: proxy authorization allowed authzDN="" 2023-12-13T08:30:42.103421+01:00 bea-chicago slapd[63531]: send_ldap_sasl: err=0 len=-1 2023-12-13T08:30:42.103527+01:00 bea-chicago slapd[63531]: conn=1001 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71 2023-12-13T08:30:42.103619+01:00 bea-chicago slapd[63531]: do_bind: SASL/EXTERNAL bind: dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" bind_ssf=0 2023-12-13T08:30:42.103713+01:00 bea-chicago slapd[63531]: send_ldap_response: msgid=1 tag=97 err=0 2023-12-13T08:30:42.103804+01:00 bea-chicago slapd[63531]: conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000061 etime=0.000517 text= 2023-12-13T08:30:42.103913+01:00 bea-chicago slapd[63531]: <== slap_sasl_bind: rc=0 2023-12-13T08:30:42.104010+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor 2023-12-13T08:30:42.104102+01:00 bea-chicago slapd[63531]: daemon: activity on: 2023-12-13T08:30:42.104185+01:00 bea-chicago slapd[63531]: 12r 2023-12-13T08:30:42.104268+01:00 bea-chicago slapd[63531]: 2023-12-13T08:30:42.104352+01:00 bea-chicago slapd[63531]: daemon: read active on 12 2023-12-13T08:30:42.104435+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero 2023-12-13T08:30:42.104518+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero 2023-12-13T08:30:42.104600+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero 2023-12-13T08:30:42.104683+01:00 bea-chicago slapd[63531]: connection_get(12) 2023-12-13T08:30:42.104766+01:00 bea-chicago slapd[63531]: connection_get(12): got connid=1001 2023-12-13T08:30:42.104851+01:00 bea-chicago slapd[63531]: connection_read(12): checking for input on id=1001 2023-12-13T08:30:42.104941+01:00 bea-chicago slapd[63531]: op tag 0x66, time 1702452642 2023-12-13T08:30:42.105037+01:00 bea-chicago slapd[63531]: conn=1001 op=1 do_modify 2023-12-13T08:30:42.105129+01:00 bea-chicago slapd[63531]: conn=1001 op=1 do_modify: dn (cn=config) 2023-12-13T08:30:42.105223+01:00 bea-chicago slapd[63531]: >>> dnPrettyNormal: <cn=config> 2023-12-13T08:30:42.105316+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor 2023-12-13T08:30:42.105401+01:00 bea-chicago slapd[63531]: daemon: activity on: 2023-12-13T08:30:42.105486+01:00 bea-chicago slapd[63531]: 2023-12-13T08:30:42.105587+01:00 bea-chicago slapd[63531]: <<< dnPrettyNormal: <cn=config>, <cn=config> 2023-12-13T08:30:42.105675+01:00 bea-chicago slapd[63531]: conn=1001 op=1 modifications: 2023-12-13T08:30:42.105770+01:00 bea-chicago slapd[63531]: #011add: olcTLSCACertificateFile 2023-12-13T08:30:42.105862+01:00 bea-chicago slapd[63531]: #011#011one value, length 33 2023-12-13T08:30:42.105951+01:00 bea-chicago slapd[63531]: #011add: olcTLSCertificateKeyFile 2023-12-13T08:30:42.106034+01:00 bea-chicago slapd[63531]: #011#011one value, length 37 2023-12-13T08:30:42.106124+01:00 bea-chicago slapd[63531]: #011add: olcTLSCertificateFile 2023-12-13T08:30:42.106219+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=8 active_threads=0 tvp=zero 2023-12-13T08:30:42.106303+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=9 active_threads=0 tvp=zero 2023-12-13T08:30:42.106387+01:00 bea-chicago slapd[63531]: daemon: epoll: listen=10 active_threads=0 tvp=zero 2023-12-13T08:30:42.106469+01:00 bea-chicago slapd[63531]: #011#011one value, length 35 2023-12-13T08:30:42.106557+01:00 bea-chicago slapd[63531]: conn=1001 op=1 MOD dn="cn=config" 2023-12-13T08:30:42.106644+01:00 bea-chicago slapd[63531]: conn=1001 op=1 MOD attr=olcTLSCACertificateFile olcTLSCertificateKeyFile olcTLSCertificateFile 2023-12-13T08:30:42.106737+01:00 bea-chicago slapd[63531]: => access_allowed: result not in cache (olcTLSCACertificateFile) 2023-12-13T08:30:42.106823+01:00 bea-chicago slapd[63531]: => access_allowed: add access to "cn=config" "olcTLSCACertificateFile" requested 2023-12-13T08:30:42.106918+01:00 bea-chicago slapd[63531]: => acl_get: [1] attr olcTLSCACertificateFile 2023-12-13T08:30:42.107007+01:00 bea-chicago slapd[63531]: => acl_mask: access to entry "cn=config", attr "olcTLSCACertificateFile" requested 2023-12-13T08:30:42.107095+01:00 bea-chicago slapd[63531]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0) 2023-12-13T08:30:42.107182+01:00 bea-chicago slapd[63531]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth 2023-12-13T08:30:42.107283+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] applying manage(=mwrscxd) (stop) 2023-12-13T08:30:42.107374+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] mask: manage(=mwrscxd) 2023-12-13T08:30:42.107457+01:00 bea-chicago slapd[63531]: => slap_access_allowed: add access granted by manage(=mwrscxd) 2023-12-13T08:30:42.107543+01:00 bea-chicago slapd[63531]: => access_allowed: add access granted by manage(=mwrscxd) 2023-12-13T08:30:42.107636+01:00 bea-chicago slapd[63531]: => access_allowed: result not in cache (olcTLSCertificateKeyFile) 2023-12-13T08:30:42.107724+01:00 bea-chicago slapd[63531]: => access_allowed: add access to "cn=config" "olcTLSCertificateKeyFile" requested 2023-12-13T08:30:42.107812+01:00 bea-chicago slapd[63531]: => acl_get: [1] attr olcTLSCertificateKeyFile 2023-12-13T08:30:42.107898+01:00 bea-chicago slapd[63531]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateKeyFile" requested 2023-12-13T08:30:42.107992+01:00 bea-chicago slapd[63531]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0) 2023-12-13T08:30:42.108074+01:00 bea-chicago slapd[63531]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth 2023-12-13T08:30:42.108157+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] applying manage(=mwrscxd) (stop) 2023-12-13T08:30:42.108240+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] mask: manage(=mwrscxd) 2023-12-13T08:30:42.108323+01:00 bea-chicago slapd[63531]: => slap_access_allowed: add access granted by manage(=mwrscxd) 2023-12-13T08:30:42.108398+01:00 bea-chicago slapd[63531]: => access_allowed: add access granted by manage(=mwrscxd) 2023-12-13T08:30:42.108494+01:00 bea-chicago slapd[63531]: => access_allowed: result not in cache (olcTLSCertificateFile) 2023-12-13T08:30:42.108589+01:00 bea-chicago slapd[63531]: => access_allowed: add access to "cn=config" "olcTLSCertificateFile" requested 2023-12-13T08:30:42.108678+01:00 bea-chicago slapd[63531]: => acl_get: [1] attr olcTLSCertificateFile 2023-12-13T08:30:42.108762+01:00 bea-chicago slapd[63531]: => acl_mask: access to entry "cn=config", attr "olcTLSCertificateFile" requested 2023-12-13T08:30:42.108852+01:00 bea-chicago slapd[63531]: => acl_mask: to value by "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", (=0) 2023-12-13T08:30:42.108936+01:00 bea-chicago slapd[63531]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth 2023-12-13T08:30:42.109014+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] applying manage(=mwrscxd) (stop) 2023-12-13T08:30:42.109090+01:00 bea-chicago slapd[63531]: <= acl_mask: [1] mask: manage(=mwrscxd) 2023-12-13T08:30:42.109172+01:00 bea-chicago slapd[63531]: => slap_access_allowed: add access granted by manage(=mwrscxd) 2023-12-13T08:30:42.109253+01:00 bea-chicago slapd[63531]: => access_allowed: add access granted by manage(=mwrscxd) 2023-12-13T08:30:42.109337+01:00 bea-chicago slapd[63531]: slap_get_csn: conn=1001 op=1 generated new csn=20231213073042.095886Z#000000#000#000000 manage=1 2023-12-13T08:30:42.109424+01:00 bea-chicago slapd[63531]: slap_queue_csn: queueing 0x7f57dc000ce0 20231213073042.095886Z#000000#000#000000 2023-12-13T08:30:42.109535+01:00 bea-chicago slapd[63531]: oc_check_required entry (cn=config), objectClass "olcGlobal" 2023-12-13T08:30:42.109647+01:00 bea-chicago slapd[63531]: oc_check_allowed type "objectClass" 2023-12-13T08:30:42.109739+01:00 bea-chicago slapd[63531]: oc_check_allowed type "cn" 2023-12-13T08:30:42.109829+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcArgsFile" 2023-12-13T08:30:42.109917+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcLogLevel" 2023-12-13T08:30:42.110080+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcPidFile" 2023-12-13T08:30:42.110173+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcToolThreads" 2023-12-13T08:30:42.110266+01:00 bea-chicago slapd[63531]: oc_check_allowed type "structuralObjectClass" 2023-12-13T08:30:42.110367+01:00 bea-chicago slapd[63531]: oc_check_allowed type "entryUUID" 2023-12-13T08:30:42.110464+01:00 bea-chicago slapd[63531]: oc_check_allowed type "creatorsName" 2023-12-13T08:30:42.110541+01:00 bea-chicago slapd[63531]: oc_check_allowed type "createTimestamp" 2023-12-13T08:30:42.110617+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcTLSCACertificateFile" 2023-12-13T08:30:42.110707+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcTLSCertificateKeyFile" 2023-12-13T08:30:42.110793+01:00 bea-chicago slapd[63531]: oc_check_allowed type "olcTLSCertificateFile" 2023-12-13T08:30:42.110875+01:00 bea-chicago slapd[63531]: oc_check_allowed type "entryCSN" 2023-12-13T08:30:42.110972+01:00 bea-chicago slapd[63531]: oc_check_allowed type "modifiersName" 2023-12-13T08:30:42.111058+01:00 bea-chicago slapd[63531]: oc_check_allowed type "modifyTimestamp" 2023-12-13T08:30:42.111144+01:00 bea-chicago slapd[63531]: send_ldap_result: conn=1001 op=1 p=3 2023-12-13T08:30:42.111233+01:00 bea-chicago slapd[63531]: send_ldap_result: err=80 matched="" text="" 2023-12-13T08:30:42.111321+01:00 bea-chicago slapd[63531]: send_ldap_response: msgid=2 tag=103 err=80 2023-12-13T08:30:42.111407+01:00 bea-chicago slapd[63531]: conn=1001 op=1 RESULT tag=103 err=80 qtime=0.000070 etime=0.002380 text= 2023-12-13T08:30:42.111498+01:00 bea-chicago slapd[63531]: slap_graduate_commit_csn: removing 0x7f57dc000ce0 20231213073042.095886Z#000000#000#000000 2023-12-13T08:30:42.111590+01:00 bea-chicago slapd[63531]: daemon: activity on 1 descriptor Best regards, Jean-Luc

5 8

superuser and normal user in OpenLdap services
by Kaushal Shriyan 13 Dec '23

13 Dec '23

Hi, I am running the openldap server on Red Hat Enterprise Linux release 8.8 (Ootpa) # rpm -qa | grep -i ldap sssd-ldap-2.8.2-3.el8_8.x86_64 symas-openldap-servers-2.4.59-1.el8.x86_64 openldap-2.4.46-18.el8.x86_64 symas-openldap-2.4.59-1.el8.x86_64 symas-openldap-clients-2.4.59-1.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.8 (Ootpa) # Do we have root and normal user privileges in OpenLDAP service as similar to Linux OS? For example, if I have to reset cn=admin password, do we need to use root or something? I am a little confused. Are there superuser concept in OpenLDAP? Please guide me. Thanks in advance. Best Regards, Kaushal

2 1

lloadd and cn=config
by Stefan Kania 11 Dec '23

11 Dec '23

Hi to all, when I setup the loadbalancer lloadd via slapd.conf everything is working fine. Here my slapd.conf ----------------- TLSCertificateFile /opt/symas/etc/openldap/example-net-cert.pem TLSCertificateKeyFile /opt/symas/etc/openldap/example-net-key.pem TLSCACertificateFile /opt/symas/etc/openldap/cacert.pem pidfile /var/symas/run/slapd.pid argsfile /var/symas/run/slapd.args loglevel 256 modulepath /opt/symas/lib/openldap moduleload lloadd.la backend lload listen "ldap://:1389 ldaps://:1636" feature proxyauthz TLSShareSlapdCTX true bindconf bindmethod=simple network-timeout=5 binddn=uid=lloadd,ou=users,dc=example,dc=net credentials=geheim tls_cacert="/opt/symas/etc/openldap/cacert.pem" tls_cert="/opt/symas/etc/openldap/example-net-cert.pem" tls_key="/opt/symas/etc/openldap/example-net-key.pem" tier roundrobin backend-server uri=ldaps://provider01.example.net retry=5000 max-pending-ops=50 conn-max-pending=10 numconns=10 bindconns=5 backend-server uri=ldaps://provider02.example.net retry=5000 max-pending-ops=50 conn-max-pending=10 numconns=10 bindconns=5 database monitor rootdn cn=monitor rootpw geheim ----------------- As soon as I change to cn=config with the following configuration: ----------------- dn: cn=config objectClass: olcGlobal cn: config olcLogLevel: stats olcPidFile: /var/symas/run/slapd.pid olcArgsFile: /var/symas/run/slapd.args olcToolThreads: 1 olcTLSCACertificateFile: /opt/symas/etc/openldap/cacert.pem olcTLSCertificateFile: /opt/symas/etc/openldap/example-net-cert.pem olcTLSCertificateKeyFile: /opt/symas/etc/openldap/example-net-key.pem dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /opt/symas/lib/openldap olcModuleLoad: lloadd.la olcModuleLoad: argon2.la dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcSizeLimit: 500 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcAccess: {1}to dn="" by * read olcAccess: {2}to dn.base="cn=subschema" by * read olcPasswordHash: {ARGON2} dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootDN: cn=admin,cn=config #olcRootPW: geheim olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage dn: olcBackend={0}lload,cn=config objectClass: olcBackendConfig objectClass: olcBkLloadConfig olcBackend: {0}lload olcBkLloadBindconf: bindmethod=simple timeout=0 network-timeout=5 binddn="uid=lloadd,ou=users,dc=example,dc=net" credentials="geheim" keepalive=0:0:0 tcp-user-timeout=0 tls_cert="/opt/symas/etc/openldap/example-net-cert.pem" tls_key="/opt/symas/etc/openldap/example-net-key.pem" tls_cacert="/opt/symas/etc/openldap/cacert.pem" olcBkLloadIOThreads: 1 olcBkLloadListen: ldap://:1389 olcBkLloadListen: ldaps://:1636 olcBkLloadSockbufMaxClient: 16777215 olcBkLloadSockbufMaxUpstream: 16777215 olcBkLloadMaxPDUPerCycle: 10 olcBkLloadIOTimeout: 10000 olcBkLloadFeature: proxyauthz olcBkLloadTLSCRLCheck: none olcBkLloadVerifyClient: never olcBkLloadTLSProtocolMin: 0.0 olcBkLloadTLSShareSlapdCTX: TRUE olcBkLloadClientMaxPending: 0 olcBkLloadWriteCoherence: 0 dn: cn={0}tier 1,olcBackend={0}lload,cn=config objectClass: olcBkLloadTierConfig cn: {0}tier 1 olcBkLloadTierType: roundrobin dn: cn={0}server 1,cn={0}tier 1,olcBackend={0}lload,cn=config objectClass: olcBkLloadBackendConfig cn: {0}server 1 olcBkLloadBackendUri: ldaps://provider01.example.net olcBkLloadNumconns: 10 olcBkLloadBindconns: 5 olcBkLloadRetry: 5000 olcBkLloadMaxPendingOps: 50 olcBkLloadMaxPendingConns: 10 olcBkLloadStartTLS: critical olcBkLloadWeight: 1 dn: cn={1}server 2,cn={0}tier 1,olcBackend={0}lload,cn=config objectClass: olcBkLloadBackendConfig cn: {1}server 2 olcBkLloadBackendUri: ldaps://provider02.example.net olcBkLloadNumconns: 10 olcBkLloadBindconns: 5 olcBkLloadRetry: 5000 olcBkLloadMaxPendingOps: 50 olcBkLloadMaxPendingConns: 10 olcBkLloadWeight: 1 dn: olcDatabase={1}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {1}monitor olcAccess: {0}to dn.subtree="cn=monitor" by dn.exact=cn=admin,cn=config read ----------------- The slapd is stating and with "ss -tlpn" I see port 1636 and 1389 as listen (next to 636 and 389) I git the following errormessage when I try to contect the ldap-server via the loadbalancer. ------------------- ldap_bind: Server is unavailable (52) additional info: no connections available ------------------- Did I miss sommthing? I also try to translate the working slapd.conf with slaptest, but the result is the same. Stefan

3 14

slapd 2.5 forwarding request .. please help
by enrico.becchetti＠gmail.com 09 Dec '23

09 Dec '23

Hi everyone, I have a particular setup and I need your help. I have a Slapd 2.5 running in a debian virtual machine. This ldap server has its own tree, dc=example,dc=com. I need this slapd server to forward the authentication requests for two domains other than its own, for example dc=example2,dc=com towards -> 192.168.1.1 dc=example3,dc=com towards -> 192.168.2.1 I read in the documentation that it is possible to do this forward but I can't modify the configuration using ldapmodify. Can you help me ? Thanks Willy

2 2

ldapsearch and own .ldaprc
by Stefan Kania 05 Dec '23

05 Dec '23

Hi to all, I just started to use my own .ldaprc file in $HOME: ------------- URI ldaps://provider01.example.net ldaps://provider02.example.net BASE dc=example,dc=net BINDDN uid=repl-user,ou=users,dc=example,dc=net TLS_REQCERT demand TLS_CACERT /opt/symas/etc/openldap/cacert.pem ------------- All options are working except "BINDDN". If I use the same user with "-D" it works, so the user is present. I expected that ldapsearch will ask for a password when using "BINDDN" but ldapsearch is executing as anonymous. Did I miss something? If "yes" then what? Stefan

3 8

Transitioning from slapd.conf to slapd.d, best practices for maintaining configuration comments?
by Ben Poliakoff 01 Dec '23

01 Dec '23

This is more of a practical question than a technical one, but it's prompted by a technical change: I'm *very* **very** belatedly transitioning from flat file slapd.conf config to slapd.d/OLC. With flat file configuration, it was straightforward to include text comments (e.g. "# blah blah"), but as far as I know there isn't any sort of analog for comments, when using slapd.d. Looking for any tips about how best to annotate slapd configuration, in a slapd.d/olc world. Does anyone have a practice that they find works well for them? Do people just maintain separate documents/wiki pages/etc that describe their servers' configs? Ben

13 15

solaris client ldap-backend to AD and DSE
by Craig H Silva (Cenitex) 30 Nov '23

30 Nov '23

I need to configure openldap as a proxy to AD so that AD can be upgraded to version 2019. Currently using Unix services for Windows, which works to provide nis information to solaris (11) and zfsappliance but it was deprecated after windows 2012. There's still nis info info in various attributes in AD schema, but the nis service is about to go. So an alternative is needed. I have the proxy configured with ldap-backend and its very happy to provide all the attribute information, but the solaris ldap client wants the DSE through the proxy and for the life of me I can't work out what is impeding it. I can "ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base -LLL "+"" on the openldap system and the DSE is returned and I can get the DSE with an ldapsearch from the solaris client if I point directly at the AD ldap server, but if i point solaris at the openldap proxy - nada. This really upsets the ldapclient on solaris - it feels degraded. It feels like its an access issue as I can get a DSE when root on the openldap system. from config: # {1}ldap, config dn: olcDatabase={1}ldap,cn=config objectClass: olcDatabaseConfig objectClass: olcLDAPConfig olcDatabase: {1}ldap olcSuffix: dc=myorg,dc=lcl olcAccess: {0}to dn.base="" by * read olcAccess: {1}to dn.base="cn=Schema" by * read olcAccess: {2}to dn.base="cn=Subschema" by * read olcAccess: {3}to * by self read by users read by anonymous auth olcAddContentAcl: FALSE olcLastMod: FALSE olcMaxDerefDepth: 15 olcReadOnly: TRUE olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth olcSyncUseSubentry: FALSE olcMonitoring: FALSE olcDbURI: "ldaps://myorgdevad.myorgdev.lcl:636" Any guidance appreciated - logs available on request. Craig Silva | Specialist Engineer – Unix & Storage Services Level 18, 80 Collins Street, Melbourne 3000 (03) 9063 5126 cenitex.vic.gov.au Cenitex acknowledges the Traditional Owners and custodians of the land and we pay our respects to their Elders, past, present and emerging. We are an inclusive workplace that embraces diversity in all its forms. ---------------------------------------------------------------------- Notice: This email and any attachments may contain information that is personal, confidential, legally privileged and/or copyright. No part of it should be reproduced, adapted or communicated without the prior written consent of the copyright owner. It is the responsibility of the recipient to check for and remove viruses. If you have received this email in error, please notify the sender by return email, delete it from your system and destroy any copies. You are not authorised to use, communicate or rely on the information contained in this email. Please consider the environment before printing this email.

2 2

Re: Need assistant to Implement and Configure OpenLDAP for users authentication from Multi-Domain
by Quanah Gibson-Mount 28 Nov '23

28 Nov '23

--On Thursday, November 23, 2023 12:21 PM +0000 Sunil Sharma <sunil.sharma(a)mdsglobalit.com> wrote: > • What would be the Best OS for OpenLDAP currently, is it Linux, > CentOS or any other? Generally any current linux distribution with a current openldap release. > • We have users from Multi-Domain where these domains do not have any > trust relationship between each other and we need to authenticate the > users from multi-Domain for UC applications (CUCM, CUC, CER, UCCE, > Expressways and Jabber). > > > > We are looking if we can sync the user database from > these multidomain to a single OpenLDAP server and then from this OpenLDAP > to UC applications using single search base for authentication, is this > possible? Probably? --Quanah

1 0

Access to cn=monitor from read-only ldap
by Kevin Cousin 21 Nov '23

21 Nov '23

Hi List, I've got an LDAP architecture with one read-write OpenLDAP (primary) and some read-only OpenLDAP (replica). I load the cn=monitor backend on the primary? is it sufficient to have the cn=monitor backend on the slave too or should I activate it on the replicas ? Regards, Kevin C

3 2

syncrepl between 2.4.57.0.1 and 2.6.2-3
by Frank, Michael 16 Nov '23

16 Nov '23

Airbus Amber Dear all, basically I trying to establish a syncrepl/refreshAndpersist Setup between: OpenLDAP: 2.4.57.0.1 @ Solaris < - > OpenLDAP: 2.6.2-3 @ Rhel 9.latest (don`t ask) An intial syncrepl activation does works properly (replication of ou`s content in both directions), but when I afterwards restart one of the replication Partners, the sync failes and in consequence on one of replication Partner the ou`s are deleted. From logging point of view there are somekind of issues to identify the remote object via the UUID which leads then to the deletion: ##schnipp 6538d3db.38892890 0x7f9fe65fe640 nonpresent_callback: rid=044 nonpresent UUID 25a0c72c-0364-103e-83af-fb52f2a7ef64, dn ou=permissions,dc=xxx,dc=xxxx,dc=xxxxxx 6538d3db.388983a6 0x7f9fe65fe640 nonpresent_callback: rid=044 adding entry ou=permissions,dc=xxxx,dc=xxxxx,dc=xxxx to non-present list ###schnapp Unfortunately I cannot find any Information which says something useful about the basic backward compatibility of the synrepl/refreshAndPersist implementation from 2.6 to 2.4. Can someone state why this mission is hopeless in detail or should the setup work basically ? (I know the best practice : everywhere same versions...) Best regards and thanks in advance, michael This Item has been reviewed and was determined as not listed under German regulation, nor EU export controls, nor U.S. export controls. However, in the case of the item has to be resold, transferred, or otherwise disposed of to an embargoed country, to an end user of concern or in support of a prohibited end use, you may be required to obtain an export license. The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, please notify Airbus immediately and delete this e-mail. Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately. All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.

3 8

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical