openldap-technical

openldap-technical@openldap.org

14 participants
9796 discussions

Slapd-meta and multiple uri
by Nicolas RENAULT 31 Jul '15

31 Jul '15

Hello , I have a problem with meta and multiple uri : Two AD server opensuse 13.1 openldap 2.4.39 (install from repo) make a meta backend that work but I when I configure it I use this directive , try to make a failover conf : uri ldap://172.17.150.47:3268/ou=AD,ou=TOUT,dc=example,dc=fr ldap://172.17.150.48:3268/ Work like a charm until 172.17.150.47 go down --> slapd never try to contact 172.17.150.48 ... slapd.conf ( relevant part ) ---------------------------------------------------------- network-timeout 1 timeout 3 idletimeout 10 writetimeout 10 database meta suffix "ou=AD,ou=TOUT,dc=example,dc=fr" uri ldap://172.17.150.47:3268/ou=AD,ou=TOUT,dc=example,dc=fr ldap://172.17.150.48:3268/ suffixmassage "ou=AD,ou=TOUT,dc=example,dc=fr" "dc=example,dc=fr" idassert-bind bindmethod=simple binddn="cn=xxxxxx,cn=Users,dc=example,dc=fr" credentials=<secret> mode=none idassert-authzFrom "dn.regex:.*" -------------------------------------------------------------- I search on the list and found this : http://www.openldap.org/lists/openldap-technical/201208/msg00231.html (one post on the thread, I read all of them) The problem is exactly the same : if I start slapd and 172.17.150.47 not present (iptable output drop or reject) never ask 172.17.150.48 (tcpdump on the interface of slapd server) in http://www.openldap.org/lists/openldap-technical/201208/msg00247.html (same thread) Howard Chu : Sounds like you should file an ITS. Pierangelo: looking at libldap/request.c and libldap/.open.c, it appears that request.c:ldap_new_connection() expects open.c:ldap_int_open_connection() to return -2 on an asynch open, but ldap_int_open_connection() unconditionally returns 0. This is probably interfering with back-meta's urllist_proc. -- -- Howard Chu CTO, Symas Corp.http://www.symas.com Director, Highland Sunhttp://highlandsun.com/hyc/ Chief Architect, OpenLDAPhttp://www.openldap.org/project/ so I look to the ITS 7372 http://www.openldap.org/its/index.cgi/Incoming?id=7372;selectid=7372 But no answers, and no trace on changelog it's something wrong in my conf (if so tell me what) and if no can some of the dev take a look at the problem ? Thank's and have a good day. Nicolas

2 2

Re: Integrate LDAP in Hadoop
by Dieter Klünter 31 Jul '15

31 Jul '15

Am Fri, 31 Jul 2015 14:23:27 +0500 schrieb Aneela Saleem <aneela(a)platalytics.com>: > But my directory is already running. > > What do you mean by object class=person is not part of published LDAP? That's been a mental error, I was thinking of objectclass=user. If your directory is running, what is your problem? I have integrated Hadoop and Jenkins into my directory without any problems. You should probably run slapd in debugging mode while trying hadoop to connect to the directory. -Dieter > > Regards, > Aneela Saleem > On Jul 31, 2015 11:48 AM, "Dieter Klünter" <dieter(a)dkluenter.de> > wrote: > > > Am Thu, 30 Jul 2015 20:06:44 +0500 > > schrieb Aneela Saleem <aneela(a)platalytics.com>: > > > > > Hi all, > > > > > > I want to integrate LDAP in my HDFS, i have changed core-site.xml > > > Attached is my core-site.xml file. > > > > > > Can anyone please send me complete steps, how to integrate LDAP > > > with HDFS ? > > > > > > i have followed this link: > > > > > > http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/ > > > > > > but the *services.ldif *file is missing in the link. > > > > Get your directory running first, and then you may attach hadoop > > to this directory. > > Please note that objectclass=person is not part of a published LDAP > > schema. > > > > -Dieter > > > > -- > > Dieter Klünter | Systemberatung > > http://sys4.de > > GPG Key ID: E9ED159B > > 53°37'09,95"N > > 10°08'02,42"E > > > > -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E

1 0

ldap proxy to AD - UnicodePwd: attribute type undefined
by Meike Stone 31 Jul '15

31 Jul '15

Hello I've installed a openldap as proxy in a DMZ for authentication forwarding to an Active Directoy. The Proxy is used by a VPN gateway. That all works very well, but password change from client fails with following error: slapd[30661]: conn=1001 op=5 do_modify slapd[30661]: conn=1001 op=5 do_modify: dn (cn=XPTEST5,ou=Users,dc=myorg,dc=net) slapd[30661]: >>> dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net> slapd[30661]: <<< dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net>, <cn=xptest5,ou=users,dc=myorg,dc=net> slapd[30661]: conn=1001 op=5 modifications: slapd[30661]: delete: UnicodePwd slapd[30661]: one value, length 26 slapd[30661]: add: UnicodePwd slapd[30661]: one value, length 26 slapd[30661]: conn=1001 op=5 MOD dn="cn=TEST5,ou=Users,dc=myorg,dc=net" slapd[30661]: conn=1001 op=5 MOD attr=UnicodePwd UnicodePwd slapd[30661]: send_ldap_result: conn=1001 op=5 p=3 slapd[30661]: send_ldap_result: err=17 matched="" text="UnicodePwd: attribute type undefined" slapd[30661]: send_ldap_response: msgid=6 tag=103 err=17 slapd[30661]: conn=1001 op=5 RESULT tag=103 err=17 text=UnicodePwd: attribute type undefined slapd[30661]: daemon: activity on 1 descriptor slapd[30661]: daemon: activity on: slapd[30661]: slapd[30661]: daemon: epoll: listen=7 active_threads=0 tvp=zero slapd[30661]: daemon: activity on 1 descriptor slapd[30661]: daemon: activity on: As I understand, UnicodePwd is a proprietary "standard" MS attribute in AD to store the password but the RFC attribute is the userPassword. Is it possible, to get the proxy working to process this MOD request, may be that openldap proxy pass through the MOD operation with the attribute UnicodePwd from the VPN-gateway? I use openldap 2.4.40, here is my configuration: ============================================================== include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/rfc2307bis.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args modulepath /usr/lib/openldap/modules moduleload back_ldap disallow bind_anon require authc TLSCACertificateFile /etc/openldap/certs/myorg.net.root.pem TLSCertificateFile /etc/openldap/certs/proxy1.myorg.net.pem TLSCertificateKeyFile /etc/openldap/certs/proxy1.myorg.net.pem.key TLSVerifyClient never TLSCipherSuite ALL:!DH:!EDH database ldap security tls=256 rebind-as-user yes suffix "dc=myorg,dc=net" uri "ldap://dc1.myorg.net ldap://dc2.myorg.net" tls start tls_cacert=/etc/openldap/certs/adroot.pem chase-referrals no protocol-version 3 loglevel -1 ============================================================== Thanks for help!! Meike

2 2

Integrate LDAP in Hadoop
by Aneela Saleem 31 Jul '15

31 Jul '15

Hi all, I want to integrate LDAP in my HDFS, i have changed core-site.xml Attached is my core-site.xml file. Can anyone please send me complete steps, how to integrate LDAP with HDFS ? i have followed this link: http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/ but the *services.ldif *file is missing in the link.

2 1

docker and openldap
by Aleks 24 Jul '15

24 Jul '15

Dear openldapers. What is your opinion about the different docker information out there. https://github.com/osixia/docker-openldap https://github.com/Enalean/docker-ldap ... My Question goes primary for the data persistency issue and replication setup. I think that a good sync setup (olcSyncrepl)and the dynamic slapd-config http://www.openldap.org/software/man.cgi?query=slapd-config&sektion=5&aprop… could be enough for a docker setup? Due to the fact that I'm not aware that openldap have a storage back-end for the hadoop universe https://hadoop.apache.org/ or any other cloud methods except the olcSyncrepl. Thank you for your time. Best Reagards Aleks

1 0

LMDB Replication
by Kristoffer Sjögren 23 Jul '15

23 Jul '15

Hi Are there any battle-tested good practices for incrementally replicating LMDB? Cheers, -Kristoffer

2 3

Issue renewing my TLSCertificateFile(s)
by Olivier 22 Jul '15

22 Jul '15

Hi everyone Question : are there some limitations (key size, encryption algorithm, etc.) for certificates used by openldap to manage TLS connexions ? See below why I ask : I have used the following configuration in my slapd servers for quite a while without any problem : olcTLSCACertificateFile: /etc/openldap/cacerts/CA.crt olcTLSCertificateFile: /etc/openldap/cacerts/server.crt olcTLSCertificateKeyFile: /etc/openldap/cacerts/server.key olcTLSCipherSuite: HIGH olcTLSVerifyClient: allow See for example my configuration for syncrepl (see: tls_reqcert=demand) : olcSyncrepl: {0}rid=411 provider=ldap://ldap1.example.fr bindmethod=sasl sizelimit=unlimited timeout=0 network-timeout=0 saslmech=external type =refreshAndPersist retry="5 +" starttls=yes tls_cacert=/etc/openldap/cacer ts/CA.crt tls_cert=/etc/openldap/cacerts/replicator.crt tls_key=/etc/openldap /cacerts/replicator.key scope=sub schemachecking=on keepalive=0:0:0 fil ter="(objectclass=*)" searchbase="dc=example,dc=fr" tls_reqcert=demand -> I have used this for couple of years on my multimastered ldap servers, and until yesterday that worked perfectly : replication was working properly and clients talked with the servers using TLS without any problem. But I since my certicates were too weak (see this : sha1, 512 bit) : $ openssl x509 -text -in server.crt Certificate: Data: Version: 1 (0x0) Serial Number: 13998752034197585248 (0xc2458ece791fbd60) Signature Algorithm: sha1WithRSAEncryption Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap(a)example.fr Validity Not Before: Dec 29 15:41:56 2011 GMT Not After : Jul 29 15:41:56 2021 GMT Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT,CN= ldap1.example.fr/emailAddress=ldap(a)example.fr Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (512 bit) I have renewed them using the same self signed authority to validate them, and of course using exactly the same subject. My new certificate look like this : $ openssl x509 -text -in server.crt (see this : sha2, 4096 bit) : Certificate: Data: Version: 1 (0x0) Serial Number: 10208063777793278590 (0x8daa53ebd7e6827e) Signature Algorithm: sha256WithRSAEncryption Issuer: C=fr, ST=IDF, L=Town, O=example, OU=IT, CN=ldap/emailAddress=ldap(a)example.fr Validity Not Before: Jul 22 15:24:50 2015 GMT Not After : Feb 19 15:24:50 2025 GMT Subject: C=fr, ST=IDF, L=Town, O=example, OU=IT,CN= ldap1.example.fr/emailAddress=ldap(a)example.fr Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: I installed my new certificate on ldap1 without changing the configuration, and restarting the server here is what I get on ldap4 logs (loglevel = sync ) : $ tail -f /var/log/ldap.log ... Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap:// ldap1.example.fr Warning, ldap_start_tls failed (-11) Jul 22 17:31:10 ldap4 slapd[53489]: slap_client_connect: URI=ldap:// ldap1.example.fr ldap_sasl_interactive_bind_s failed (-2) Jul 22 17:31:10 ldap4 slapd[53489]: do_syncrepl: rid=432 rc -2 retrying Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap://ldap1.example.fr Warning, ldap_start_tls failed (-11) Jul 22 17:31:15 ldap4 slapd[53489]: slap_client_connect: URI=ldap:// ldap1.example.fr ldap_sasl_interactive_bind_s failed (-6) Jul 22 17:31:15 ldap4-mrs slapd[53489]: do_syncrepl: rid=432 rc -6 retrying When reinstalling the previous certificates and restarting ldap1 the server I see this appearing in ldap4 logs : ... Jul 22 17:31:20 ldap4-mrs slapd[53489]: do_syncrep2: rid=432 LDAP_RES_INTERMEDIATE - REFRESH_DELETE Question : are there some limitations (key size, encryption algorithm, etc.) for certificates used by openldap to manage TLS connexions ? Does openldap tls connections work with certificates sha 256 With RSA Encryption using a 4096 public key length ? May be I missed something ? (note : I use openssl to manage my certificates) Thanks for any help. --- Olivier

2 1

Multi Master Openldap replication
by Kaushal Shriyan 21 Jul '15

21 Jul '15

Hi, I have a Multi Master Openldap replication setup and when i create user on the Primary Master Node and while i query it on the secondary master node i do not see the user. Any thing specific i need to look at and please do let me know if anyone wants the config files? Any help will be highly appreciable. Regards, Kaushal

2 1

OpenLDAP and DH parameter size / LogJam vulnerability
by Jens Vagelpohl 19 Jul '15

19 Jul '15

Hi all, In my setup (CentOS7, OpenLDAP 2.4.41 from the LDAP Tool Box project) I am using the following slapd.conf parameters for SSL-related configuration: TLSProtocolMin 3.1 TLSCertificateFile /etc/pki/tls/certs/NNN.crt TLSCertificateKeyFile /etc/pki/tls/private/NNN.key TLSCACertificateFile /etc/pki/tls/certs/NNN.ca.pem TLSDHParamFile /usr/local/openldap/etc/openldap/dh_2048.pem TLSCipherSuite AESGCM:!RSA:!DSS:!ADH:!aECDH The file /usr/local/openldap/etc/openldap/dh_2048.pem is a valid DH parameter file with size 2048: <snip> # openssl dh -in /usr/local/openldap/etc/openldap/dh_2048.pem -text -noout PKCS#3 DH Parameters: (2048 bit) prime: </snip> I am now testing the actual DH parameter size used during a TLS connection with instructions from https://bettercrypto.org/blog/2015/05/20/tls-logjam/ and it only shows DH parameter size 1024: <snip> $ echo | openssl s_client -connect alias01.alias.ooo:636 -cipher "EDH" 2>/dev/null … much output … No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: DH, 1024 bits </snip> I was expecting "Server Temp Key: DH, 2048 bits”. Am I just testing this the wrong way or is there an issue with DH parameter configurations in OpenLDAP? Thanks for any help! jens

5 13

Strategy for using ldapsearch and security
by Rhodes, Neal A 17 Jul '15

17 Jul '15

So, I'm trying to implement a login running inside Webspeed inside Apache inside linux. There are good reasons to do this inside this application program and not just let Apache do it. (inactivity timeouts, daily quotas, IP reasonability, etc) So, what I get from user is network-user-id (let's call him "bob") and password. What I need to know is: Does this userid exist (samaccountname=%s), is the password provided correct? if above is good, is this user memberof a specific group? What I've got working as proof-of-concept is: A. Do a simple bind to LDAP with an admin/service account as a DN, and search for this user-id (samaccountname=bob), and get back the DN for user "bob". Using $OpenLDAP: ldapsearch 2.4.39 ldapsearch -v -d 0 -P 3 -D "CN=rslXXXXXXXreq,OU=Service Accou....................................DC=com" -w "XXXXXXXX" -oldif-wrap=no -s sub '(&(objectclass=*)(samaccountname=rhodesne))' cn userAccountControl objectclass userPrincipalName B. Then do ANOTHER simple bind to LDAP using "bob"s as DN, and "bob"s password, and return the memberof attribute. That fails if I don't give it the correct password. ldapsearch -P 3 -D "CN=Rhodes\, Neal A,OU=............C=COM" -w "BobsPasswd" -oldif-wrap=no -s sub '(&(objectclass=*)(samaccountname=rhodesne))' cn userAccountControl objectclass memberOf userPrincipalName manager OK, it works. I can walk through the results and confirm that Bob is in a desired group. I don't claim to know LDAP; but isn't this convoluted? Is there a way to do this in one shot with the ldapsearch command? I can do it this way, but it seems clunky. I don't know how to search in one shot given just samaccountname and passwd. The other topic is security: I was intending to invoke the ldapsearch from inside the Apache/Webspeed/Progress/ABL application as a "input-output through", meaning we run this and read/write its STDIn/StdOut. Since Progress ABL is an interpreted DB language this makes some sense. It also provides portability between Linux and Solaris that we don't have if we try to call the shared C libraries. And the C libraries calls are locking up. Best practices would indicate we'd want to hide the passwords. We don't want some administrator doing a 'top' command seeing passwords. Unfortunately, this does not seem readily possible without jumping through hoops. The openldap ldapsearch has a -W option to prompt for passwd, but that appears to not read StdIn, but rather /dev/tty. So I cannot feed it passwords that way. There is a "-f" option, which offers a - flavor to read StdIn, but I don't see any examples of what the input to -f looks like, eg: can I specify password there. There is a -y option to specify a file which contains the password. ok, I could write the file, put it somewhere not readable by anybody but Apache, run ldapsearch, and then delete the file. Still, that doesn't smell like best practices to me. Today I tried making the file a named pipe; that also works if I get the timing just right. I guess I could do that if there isn't a better way. So, it seems like either I'm missing something or the use of ldapsearch for password validation opens up holes and less than best practices. Yes, I could dork around with calling shared libraries, and then fight that portability battle between linux and Solaris. Why is it so hard? For a contents, this is a low volume, probably 200-400 people, one time in the morning, each day. Neal Rhodes | Software Engineer - REALServicing(r) Development Altisource(tm) P: (770)933-6625 extension 256625 F: (770)644-7420 Neal.Rhodes(a)altisource.com<mailto:Laura.Carrozza@altisource.com>| www.altisource.com<http://www.altisource.com/> Progress and Enterprise RDBMS OpenEdge are trademarks or registered trademarks of Progress Software Corporation in the U.S. and other countries. Citrix, GoToAssist, GoToMeeting, GoToMyPC, GoToTraining, GoToWebinar, Podio and Sharefile are trademarks of Citrix Systems, Inc. or a subsidiary thereof, and are or may be registered in the U.S. Patent and Trademark Office and other countries. Windows is a registered trademark of Microsoft Corporation in the United States and other countries. Any other trademarks contained herein are the property of their respective owners. *********************************************************************************************************************** This email message and any attachments are intended solely for the use of the addressee. If you are not the intended recipient, you are prohibited from reading, disclosing, reproducing, distributing, disseminating or otherwise using this transmission. If you have received this message in error, please promptly notify the sender by reply email and immediately delete this message from your system. This message and any attachments may contain information that is confidential, privileged or exempt from disclosure. Delivery of this message to any person other than the intended recipient is not intended to waive any right or privilege. Message transmission is not guaranteed to be secure or free of software viruses. ***********************************************************************************************************************

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical