openldap-technical

openldap-technical@openldap.org

13 participants
9906 discussions

Re: error while setting password policy
by Quanah Gibson-Mount 04 Oct '23

04 Oct '23

--On Tuesday, October 3, 2023 11:57 PM -0400 Jignesh Patel <jignesh(a)icare.com> wrote: > > We are using LDAP version 2.5.16 . > > > when we try to set policy > we are getting this error olcAttributeTypes: value #0 olcAttributeTypes: > Duplicate attributeType: > "1.3.6.1.4.1.42.2.27.8.1.1" slapadd: could not add entry > The .ldif file is as attached. > > > And if we don't import than we are getting pException: [LDAP result > code 17 - undefinedAttributeType] pwdAttribute: attribute type undefined I suggest carefully reading the release notes for OpenLDAP 2.5, specifically around the changes to ppolicy since the 2.4 series. --Quanah

3 2

Configuring custom port 10389 for openldap-servers
by Kaushal Shriyan 04 Oct '23

04 Oct '23

Hi, I am running the openldap server on Red Hat Enterprise Linux release 8.8 (Ootpa) # rpm -qa | grep -i ldap sssd-ldap-2.8.2-3.el8_8.x86_64 symas-openldap-servers-2.4.59-1.el8.x86_64 openldap-2.4.46-18.el8.x86_64 symas-openldap-2.4.59-1.el8.x86_64 symas-openldap-clients-2.4.59-1.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.8 (Ootpa) # Port 389 is the default port. Can it be configured for custom port 10389 for example? Please guide me. Thanks in advance. Best Regards, Kaushal

2 1

Group ACLs
by Emmanuel Seyman 04 Oct '23

04 Oct '23

Hello, all. I have an instance of OpenLDAP in which I use groups to manage access controls, similar to the way the FAQ and admin guide describe it. My DIT layout: uid=userildr1,ou=people,o=gdAA,dc=example,dc=com uid=userildr2,ou=people,o=gdAA,dc=example,dc=com ... cn=readINT,ou=groups,o=gdAA,dc=example,dc=com cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com ... ou=people,o=INT,dc=example,dc=com ... ou=groups,o=INT,dc=example,dc=com Outside of the DIT, my slapd.conf file (yes, I know) contains: access to dn.sub="o=INT,dc=example,dc=com" by self write by group/groupOfUniqueNames/uniqueMember="cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=readINT,ou=groups,o=gdAA,dc=example,dc=com" read The uid=userildr1,ou=people,o=gdAA,dc=example,dc=com entry is in the readINT group yet seems unable to run a search. I get an error 50 ("Operations are restricted to bind/unbind/abandon/StartTLS/modify password") and cannot figure out why this is happening. If anyone can tell me what's going on, I would appreciate it. I'm seeing "config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context" in the log files but this looks harmless. This is OpenLDAP 2.5.14 running on RHEL 8, with the LTB packages. Logs and the configuration file are available if necessary. Emmanuel

2 1

Re: setup two DNs on one single Openldap server running on Red Hat Enterprise Linux release 8.8 (Ootpa)
by Kaushal Shriyan 04 Oct '23

04 Oct '23

On Tue, Oct 3, 2023 at 11:45 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Monday, October 2, 2023 2:26 PM +0530 Kaushal Shriyan > <kaushalshriyan(a)gmail.com> wrote: > > > Is there a way to set up two DN's in OpenLDAP server? > > > > > > dn: cn=admin,dc=corporate,dc=mydomain,dc=com > > > > dn: cn=admin,dc=checker,dc=mydomain,dc=com > > This is trivial to create as 2 different entries in your > dc=mydomain,dc=com > database. There's no need for them to be rootdns, you can simply give > them > manage access to whatever they need to control. > > --Quanah > Thanks Quanah for the email response. Much appreciated. I am not sure if I completely understand it. Do I need to have the below format as explained by you to create as 2 different entries in your dc=mydomain,dc=com? dn: cn=admin,ou=*corporate*,dc=mydomain,dc=com dn: cn=admin,ou=*checker*,dc=mydomain,dc=com Please guide me. Thanks in advance. Best Regards, Kaushal

1 0

setup two DNs on one single Openldap server running on Red Hat Enterprise Linux release 8.8 (Ootpa)
by Kaushal Shriyan 04 Oct '23

04 Oct '23

Hi, I am running the openldap server on Red Hat Enterprise Linux release 8.8 (Ootpa) # rpm -qa | grep -i ldap sssd-ldap-2.8.2-3.el8_8.x86_64 symas-openldap-servers-2.4.59-1.el8.x86_64 openldap-2.4.46-18.el8.x86_64 symas-openldap-2.4.59-1.el8.x86_64 symas-openldap-clients-2.4.59-1.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.8 (Ootpa) # Is there a way to set up two DN's in OpenLDAP server? dn: cn=admin,dc=corporate,dc=mydomain,dc=com dn: cn=admin,dc=checker,dc=mydomain,dc=com Please guide me. Thanks in advance. Best Regards, Kaushal

6 13

reset openldap root and cn=admin password
by Kaushal Shriyan 02 Oct '23

02 Oct '23

Hi, Is there a way to reset both openldap root and cn=admin password? Please guide me. Thanks in Advance. Best Regards, Kaushal

2 2

Limit number of concurrent sessions to OpenLDAP 2.6.3 server running on windows
by awsome jang 28 Sep '23

28 Sep '23

Hello, I would like to ask if it's possible to limit the number of concurrent sessions of an openldap server running on Windows? I found in FAQ: https://www.openldap.org/faq/data/cache/1126.html https://www.openldap.org/faq/data/cache/1127.html What I understand it requires rebuilding of OpenLDAP but I would like to change it as a parameter. Is there any other way to do it dynamically without recompilation? On Linux there is possibility to configure iptables to limit number of connections: -A RH-Firewall-1-INPUT -p tcp --dport ldaps -m connlimit --connlimit-above 100 -j REJECT Thank you in advance for your response, Best regards, Piotr

1 0

Unable to ldapadd Kerberos schema in LDIF format
by Uwe Sauter 26 Sep '23

26 Sep '23

Dear all, I'm currently experimenting with (MIT) Kerberos and got to the point where I need to add the Kerberos definitions to LDAP (krb5-kdc.ldif). (This is on Rocky Linux 9 with symas-openldap-servers-2.6.6-1.el9.x86_64.) First question: is this the correct schema file or should I use the one provided by MIT Kerberos 1.20.1 (/usr/share/doc/krb5-server-ldap/kerberos.ldif) ? If I use krb5-kdc.ldif I get the following: [root@gateway ~]# cd /opt/symas/etc/openldap/schema/ [root@gateway schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f krb5-kdc.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=krb5-kdc,cn=schema,cn=config" ldap_add: Constraint violation (19) additional info: structuralObjectClass: no user modification allowed Is this a permission issue or does the provided LDIF file contain lines that prevent the addition of the schema? If I use the file provided by MIT Kerberos I get: [root@gateway ~]# cd /usr/share/doc/krb5-server-ldap [root@gateway krb5-server-ldap]# ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=schema" ldap_modify: Invalid syntax (21) additional info: attributetypes: value #0 invalid per syntax The book I'm following still uses Symas' LDAP 2.4 and thus needs to convert the .schema file to .ldif provided by MIT Kerberos. The procedure is: #### start instructions #### # echo 'include /usr/share/doc/krb5-server-ldap/kerberos.schema' > /tmp/slapd.conf # mkdir /tmp/slapd.d # slaptest -f /tmp/slapd.conf -F /tmp/slapd.d # cp '/tmp/slapd.conf/cn=config/cn=schema/cn={0}kerberos.ldif' /tmp/kerberos.conf Further instructions say: - remove '{0}' in /tmp/kerberos.conf in lines startig with 'dn:' and 'cn:' - add 'cn=schema,cn=config' to the DN - remove the lines containing 'structuralObjectClass', 'entryUUID', 'creatorsName', 'createTimestamp', 'modifiersName', 'modifyTimestamp' and 'entryCSN' at the end of the file After the modifications, there should be only lines containing 'objectClass', 'olcAttributeTypes', 'olcObjectClasses', 'cn' or 'dn'. #### end instructions #### If I follow these instructions and use the converted LDIF file the command succeeds: [root@gateway tmp]# ldapadd -Y EXTERNAL -H ldapi:/// -f kerberos.ldif.converted SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=kerberos,cn=schema,cn=config" Is there an explanation for this behavior? Do the files provided by Symas and MIT contain errors? (For convenience I attached all three files to this mail.) Thank you, Uwe

3 4

Help troubleshooting SSL certificates issue
by Jérôme BECOT 26 Sep '23

26 Sep '23

Hello, We have a couple of old ldap servers (Debian 7/openldap 2.4.31) on which we try to replace the certificates. On these servers we have a bundled configuration: # config dn: cn=config olcTLSCACertificateFile: /etc/ldap/tls/multi.deverywa.re.pem olcTLSCertificateFile: /etc/ldap/tls/multi.deverywa.re.pem olcTLSCertificateKeyFile: /etc/ldap/tls/multi.deverywa.re.pem The file is a bundle containing both the certificates (wildcard and it's issuer) and the key. Until this year we just had to upload the new bundle and restart slapd. This year Gandi changed their signing certificate but it is still issued by UserTrust. But OpenLDAP refuses to use it now. We tried to set LogLevel to any, but nothing really showed in the log. On the server side: slapd[9217]: connection_read(16): TLS accept failure error=-1 id=1041, closing On the client side (localhost): openssl s_client -connect localhost:636 -servername ldap.deverywa.re CONNECTED(00000003) 140365161965224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 315 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1695652388 Timeout : 300 (sec) Verify return code: 0 (ok) We still use 2048 RSA key to generate the certificates. We have checked permissions and it is fine. How could I debug what's wrong on the server side ? Thank you -- *Jérôme BECOT* Ingénieur DevOps Infrastructure Téléphone fixe: 01 82 28 37 06 Mobile : +33 757 173 193 Deveryware - 43 rue Taitbout - 75009 PARIS https://www.deveryware.com <https://www.deveryware.com> Deveryware_Logo <https://www.deveryware.com>

4 4

changing certificate and key for autoca
by Stefan Kania 21 Sep '23

21 Sep '23

Hi all, I like to change the certificate and the key for autoca, but I can't find any description how to do it. I tried the following LDIF: --------------- dn: dc=example,dc=net changetype: modify replace: cACertificate;binary cACertificate;binary:< file:///root/mycert/cacert.pem - replace: cAPrivateKey;binary cAPrivateKey;binary:< file:///root/mycert/cakey.pem --------------- I got: --------------- root@ldap-r01:~# ldapmodify -Y external -H ldapi:/// -f change-cert.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "dc=example,dc=net" ldap_modify: Invalid syntax (21) additional info: cACertificate;binary: value #0 invalid per syntax ---------------- So what is the right way to change the certificate and the key? Thank's Stefan

2 4

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical