openldap-technical

openldap-technical@openldap.org

5 participants
9899 discussions

Unable to ldapadd Kerberos schema in LDIF format
by Uwe Sauter 26 Sep '23

26 Sep '23

Dear all, I'm currently experimenting with (MIT) Kerberos and got to the point where I need to add the Kerberos definitions to LDAP (krb5-kdc.ldif). (This is on Rocky Linux 9 with symas-openldap-servers-2.6.6-1.el9.x86_64.) First question: is this the correct schema file or should I use the one provided by MIT Kerberos 1.20.1 (/usr/share/doc/krb5-server-ldap/kerberos.ldif) ? If I use krb5-kdc.ldif I get the following: [root@gateway ~]# cd /opt/symas/etc/openldap/schema/ [root@gateway schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f krb5-kdc.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=krb5-kdc,cn=schema,cn=config" ldap_add: Constraint violation (19) additional info: structuralObjectClass: no user modification allowed Is this a permission issue or does the provided LDIF file contain lines that prevent the addition of the schema? If I use the file provided by MIT Kerberos I get: [root@gateway ~]# cd /usr/share/doc/krb5-server-ldap [root@gateway krb5-server-ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=schema" ldap_modify: Invalid syntax (21) additional info: attributetypes: value #0 invalid per syntax The book I'm following still uses Symas' LDAP 2.4 and thus needs to convert the .schema file to .ldif provided by MIT Kerberos. The procedure is: #### start instructions #### # echo 'include /usr/share/doc/krb5-server-ldap/kerberos.schema' > /tmp/slapd.conf # mkdir /tmp/slapd.d # slaptest -f /tmp/slapd.conf -F /tmp/slapd.d # cp '/tmp/slapd.conf/cn=config/cn=schema/cn={0}kerberos.ldif' /tmp/kerberos.conf Further instructions say: - remove '{0}' in /tmp/kerberos.conf in lines startig with 'dn:' and 'cn:' - add 'cn=schema,cn=config' to the DN - remove the lines containing 'structuralObjectClass', 'entryUUID', 'creatorsName', 'createTimestamp', 'modifiersName', 'modifyTimestamp' and 'entryCSN' at the end of the file After the modifications, there should be only lines containing 'objectClass', 'olcAttributeTypes', 'olcObjectClasses', 'cn' or 'dn'. #### end instructions #### If I follow these instructions and use the converted LDIF file the command succeeds: [root@gateway tmp]# ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif.converted SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=kerberos,cn=schema,cn=config" Is there an explanation for this behavior? Do the files provided by Symas and MIT contain errors? (For convenience I attached all three files to this mail.) Thank you, Uwe

3 4

Help troubleshooting SSL certificates issue
by Jérôme BECOT 26 Sep '23

26 Sep '23

Hello, We have a couple of old ldap servers (Debian 7/openldap 2.4.31) on which we try to replace the certificates. On these servers we have a bundled configuration: # config dn: cn=config olcTLSCACertificateFile: /etc/ldap/tls/multi.deverywa.re.pem olcTLSCertificateFile: /etc/ldap/tls/multi.deverywa.re.pem olcTLSCertificateKeyFile: /etc/ldap/tls/multi.deverywa.re.pem The file is a bundle containing both the certificates (wildcard and it's issuer) and the key. Until this year we just had to upload the new bundle and restart slapd. This year Gandi changed their signing certificate but it is still issued by UserTrust. But OpenLDAP refuses to use it now. We tried to set LogLevel to any, but nothing really showed in the log. On the server side: slapd[9217]: connection_read(16): TLS accept failure error=-1 id=1041, closing On the client side (localhost): openssl s_client -connect localhost:636 -servername ldap.deverywa.re CONNECTED(00000003) 140365161965224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 315 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1695652388 Timeout : 300 (sec) Verify return code: 0 (ok) We still use 2048 RSA key to generate the certificates. We have checked permissions and it is fine. How could I debug what's wrong on the server side ? Thank you -- *Jérôme BECOT* Ingénieur DevOps Infrastructure Téléphone fixe: 01 82 28 37 06 Mobile : +33 757 173 193 Deveryware - 43 rue Taitbout - 75009 PARIS https://www.deveryware.com <https://www.deveryware.com> Deveryware_Logo <https://www.deveryware.com>

4 4

changing certificate and key for autoca
by Stefan Kania 21 Sep '23

21 Sep '23

Hi all, I like to change the certificate and the key for autoca, but I can't find any description how to do it. I tried the following LDIF: --------------- dn: dc=example,dc=net changetype: modify replace: cACertificate;binary cACertificate;binary:< file:///root/mycert/cacert.pem - replace: cAPrivateKey;binary cAPrivateKey;binary:< file:///root/mycert/cakey.pem --------------- I got: --------------- root@ldap-r01:~# ldapmodify -Y external -H ldapi:/// -f change-cert.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "dc=example,dc=net" ldap_modify: Invalid syntax (21) additional info: cACertificate;binary: value #0 invalid per syntax ---------------- So what is the right way to change the certificate and the key? Thank's Stefan

2 4

openldap + bind-dyndb-ldap + bind
by Marc 21 Sep '23

21 Sep '23

Anyone experience with openldap and dyndb from bind? I am getting this: critical extension is not recognized: unable to start SyncRepl session: is RFC 4533 supported by LDAP

5 8

Re: regular yum symas-openldap-servers update breaks permissions on /var/symas/openldap-data
by cYuSeDfZfb cYuSeDfZfb 21 Sep '23

21 Sep '23

Hi, We're seeing this quite consistently. Before updating: [root@ldaps01 log]# ls -l /var/symas/ drwx------. 3 ldap ldap 50 Aug 28 16:28 openldap-data After updating: [root@ldaps01 log]# ls -l /var/symas/ drwx------. 3 root root 50 Aug 28 16:28 openldap-data And afterwards symas-openldap-server (running as ldap:ldap) no longer starts, since permission denied on /var/symas/openldap-data. Reverting the permissions back to ldap:ldap solves it. But...WHY is this happening. Are we somehow encouraged to run openldap as root..? Why would a post-install script reset permissions on /var/symas/openldap-data? Thanks!

2 2

assert error + core dump slapd v 2.6.6
by Frédéric Goudal 14 Sep '23

14 Sep '23

Hello, Openldap version 2.6.6 compiled on ubuntu 22.4 LTS For test purpose I’m trying to add an object with objectClass top+person at the root of my openldap (which is not empty), The dn is cn=toto,dc=my,dc=domain When I do something on this object, the slapd server crash, but when restarted the operation has been done. It seems that it is the accelog database that is causing a problem The error is : 501d0f3.15b397b4 0x7f929fc44700 <= index_entry_add( 5, "reqStart=20230913151043.000000Z,cn=accesslog" ) success 6501d0f3.15b410ee 0x7f929fc44700 => mdb_entry_encode(0x00000005): reqStart=20230913151043.000000Z,cn=accesslog 6501d0f3.15b4564d 0x7f929fc44700 <= mdb_entry_encode(0x00000005): reqStart=20230913151043.000000Z,cn=accesslog 6501d0f3.15e04a0b 0x7f929fc44700 mdb_add: added id=00000005 dn="reqStart=20230913151043.000000Z,cn=accesslog" 6501d0f3.15e0bab7 0x7f929fc44700 send_ldap_result: conn=1000 op=12 p=3 6501d0f3.15e0f6a9 0x7f929fc44700 send_ldap_result: err=0 matched="" text="" 6501d0f3.15e1603a 0x7f929fc44700 slap_graduate_commit_csn: removing 0x7f92901234d0 20230913151043.360508Z#000000#057#000000 6501d0f3.15e1c5a6 0x7f929fc44700 accesslog_response: adding minCSN 20230913151043.360508Z#000000#057#000000 6501d0f3.15e20736 0x7f929fc44700 accesslog_response: adding a new csn=20230913151043.360508Z#000000#057#000000 into minCSN 6501d0f3.15e3a20c 0x7f929fc44700 mdb_modify: cn=accesslog 6501d0f3.15e40781 0x7f929fc44700 mdb_dn2entry("cn=accesslog") 6501d0f3.15e45a2d 0x7f929fc44700 => mdb_dn2id("cn=accesslog") 6501d0f3.15e50b53 0x7f929fc44700 <= mdb_dn2id: got id=0x1 6501d0f3.15e57cc9 0x7f929fc44700 => mdb_entry_decode: 6501d0f3.15e5bb28 0x7f929fc44700 <= mdb_entry_decode 6501d0f3.15e5f9b4 0x7f929fc44700 mdb_modify_internal: 0x00000001: cn=accesslog 6501d0f3.15e63487 0x7f929fc44700 <= acl_access_allowed: granted to database root 6501d0f3.15e6881d 0x7f929fc44700 mdb_modify_internal: add minCSN slapd: attr.c:481: attr_merge: Assertion `( nvals == NULL && (*a)->a_nvals == (*a)->a_vals ) || ( nvals != NULL && ( ( (*a)->a_vals == NULL && (*a)->a_nvals == NULL ) || ( (*a)->a_nvals != (*a)->a_vals ) ) )' failed. Aborted (core dumped) Is it a bug ? f.g. — Frédéric Goudal Ingénieur Système, DSI Bordeaux-INP +33 556 84 23 11

2 2

slapd-watcher -i X refreshing unexpectedly...?
by cYuSeDfZfb cYuSeDfZfb 13 Sep '23

13 Sep '23

Hi, We noticed that, when using "slapd-watcher -i X" option to refresh display every X seconds, lagging replication statuses are often not cleared, when in fact replication as already recovered. In our MMR environment, we often see this for longer periods of time in slapd-watcher output : contextCSN: 20230913104435.605937Z#000000#0dd#000000 actv@2023-09-13 10:44:35, idle@2023-09-13 10:44:37 But when running like this: do timeout --foreground 1 $SLAPDWATCHER -b $BASE -D $LDAPBINDDN -w $ADMINPW "${SERVERURIS[@]}" -s ${SERVERIDS[*]} done the lagging replication lines change back to "idle, sync'd" immediately after replication has recovered. It feels like perhaps there is something wrong in the way the -i X option is implemented. For the rest: great tool to have!

3 3

Trying to understand mdb_env_set_mapsize
by Siddharth Jain 12 Sep '23

12 Sep '23

Hello, can someone help me understand this parameter: http://www.lmdb.tech/doc/group__mdb.html#gaa2506ec8dab3d969b0e609cd82e619e5 1. why does a user need to specify this apriori? Other databases don't require user to declare the size of the db beforehand. its not something a user knows in advance. 2. quoting: "The size of the memory map is also the maximum size of the database.". what happens when the size of the db overflows this parameter? 3. what is the trade-off if a user sets this parameter too large than is necessary? S.

2 2

Enable debug logging on OpenLDAP 2.4.59 server running on Red Hat Enterprise Linux 8.7 (Ootpa)
by Kaushal Shriyan 31 Aug '23

31 Aug '23

Hi, I have the below settings as per https://www.openldap.org/doc/admin25/slapdconfig.html. I did check both /var/log and /etc/default/ on RHEL 8.7 but was unable to locate the log files. # grep olcLogLevel /etc/openldap/slapd.d/cn=config.ldif olcLogLevel: 256 # ldapwhoami: @(#) $OpenLDAP: ldapwhoami 2.4.59 (Jun 4 2021 16:57:15) $ build@c8rpm :/home/build/git/rheldap8/RHEL8_x86_64/BUILD/symas-openldap-2.4.59/openldap-2.4.59/clients/tools (LDAP library: OpenLDAP 20459) Is there a way to enable debug logging on openldap server and openldap client on "Red Hat Enterprise Linux 8.7 (Ootpa)" for debugging the ldap user logging issue? Please comment. Thanks in advance. Best Regards, Kaushal

2 1

removed syncrepl getting Server is unwilling to perform (53)
by Marc 31 Aug '23

31 Aug '23

I removed the synrepl from a ldap server. Now I am getting errors when deleting entries ldap_modify: Server is unwilling to perform (53) additional info: shadow context; no update referral I also tried adding this, but does not change anything. dn: olcDatabase={0}config,cn=config changetype:modify add: olcMirrorMode olcMirrorMode: FALSE I don't think it is the acl's as I was able to change logging level before, when it was a slave. However now I am also not able to update the logging level. What config settings should I look at?

3 8

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical