openldap-technical

openldap-technical@openldap.org

9 participants
9868 discussions

slapd verifyclient fails on demand
by E.therepa 21 Apr '15

21 Apr '15

Dear Tech list, I'd like to use CRL's to regulate client connections to my slapd server. So i've build working certs and keys with gnutls. The whole keysetup is tested and working properly, by invoking gnu-serv and gnu-cli i could succesfully create connections and drop clients in my revocation list. In order to use this in slapd/ldap utils i use this settings, slapd.conf, TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key TLSCRLFile /etc/ldap/ssl/crl.pem TLSCipherSuite SECURE256:-VERS-SSL3.0 TLSVerifyClient hard ldap.conf # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ldap/ssl/ca-cert.pem TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key TLS_REQCERT hard Slapd debug, 55353d59 slapd starting 55353d5b conn=1000 fd=16 ACCEPT from IP=10.50.2.12:50764 (IP=0.0.0.0:636) TLS: can't accept: No certificate was found.. 55353d5b conn=1000 fd=16 closed (TLS negotiation failure) ldapsearch debug, ldap_start_tls: Can't contact LDAP server (-1) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 4 0000: 30 05 02 01 02 42 00 0....B. ldap_write: want=7 error=Broken pipe ldap_free_connection: actually freed As far as i can see and found info my client and servers TLS settings are configured properly. What i really don't get is that the client doesnt send his certs to the server. Best regards, E.therepa

6 6

Re: R: Antw: Re: Elapsed Time logging
by Quanah Gibson-Mount 21 Apr '15

21 Apr '15

--On Tuesday, April 21, 2015 1:16 PM +0200 Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> wrote: >>>> "fabymoscarella(a)virgilio.it" <fabymoscarella(a)virgilio.it> schrieb am >>>> 21.04.2015 > um 11:23 in Nachricht <14cdb4a4678.fabymoscarella(a)virgilio.it>: >> Hi, >> thank you for your interest. I was mistakenly sure of the field's >> availability. >> >> I would have liked to use the "etime" field to monitor OpenLDAP >> dependability through my SIEM platform, by identifying long lasting >> operations. >> Could you please give me some pointers about monitoring "operations >> completed" or any other useful parameter? > ># if you configured monitoring... ># just querying "search" operations here... > e.g. ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=operations,cn=monitor' -s > sub '(cn=Search)' monitorOpCompleted As Ulrich notes, simply enable the monitoring backend. I suggest reading up on the slapd-monitor(5) man page. Btw, I've patched my openldap build with the ITS noted, and it's working just fine, although the term is "duration" not "etime". --Quanah -- Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

LDAPCon 2015
by Andrew Findlay 21 Apr '15

21 Apr '15

LDAPCon 2015 ============ **** Please note the new submissions address **** The fifth International Conference on LDAP and Directory Services will be held in the UK at the University of Edinburgh School of Informatics Forum. Tutorials: 11th November 2015 Conference: 12th and 13th November 2015 Call for papers and tutorials ============================= Topics You are using LDAP in interesting projects? You do LDAP client or server development? You have used LDAP in a new way? You do identity and access management on top of LDAP? Why not share your ideas and experiences with others? We are looking for speakers who are willing to talk about any topic related to LDAP and identity management, including: LDAP technology implementation (Servers, API, User interfaces etc.) LDAP Usage (Schema, Security, Operations, Scaling, big data, etc.) LDAP related technologies (PKI, XACML, SAML, etc.) LDAP and Beyond (IAM, Identity Federation, Authentication on the web, etc.) Best Practices for directory services. Accepted talks will be grouped into tracks such as a standards/development and deployment/administration. Deadlines & Important Dates Submission Deadline: 28th June Author Notification: 10th July Final Papers due: 10th October 2015 Tutorials: 11th November 2015 Conference: 12th-13th November 2015 Talk Submissions Main presentations should last about 45 minutes including discussion; we will also provide smaller slots of 15 minutes and 5 minutes for poster presentations or lightning talks. Please tell us which duration you prefer when proposing your talk. The talk must be in English. The one and only way to submit your abstract (approximately 200-800 words, accompanied by your biography of about 100-300 words) is via email to submissions2015(a)lists.ldapcon.org. Abstracts must reach the Program Committee by 28th June 2015. Early submission is encouraged. We already have several papers. All abstracts will be reviewed by the program committee. For accepted talks we expect you to submit slides and/or a paper of approximately 2-10 pages (A4 or US Letter format, 25mm borders, preferably LaTeX source or OpenOffice). For 5-minute talks, a brief abstract is required. A short paper, slides or a poster should be provided for accepted talks. We will provide display boards for posters throughout the conference. By submitting a paper you grant the conference organizers the non-exclusive right to publish your paper in the conference proceedings and on the website; you maintain the right to publish it elsewhere at your discretion. Tutorial Submissions We are looking for high-quality tutorials on LDAP and related subjects, at any level from introductory to advanced. Tutorial length can range from an hour to a full day. Wireless Internet access will be available if required. The purpose of the tutorials is focussed education, so they should cover established topics and best practice rather than presenting new work. Tutorials will be on Wednesday 11th November 2015. The Programme Committee has an open mind about the format of the tutorial day, but has a limited number of rooms available. Make your proposal early and we will aim to build an attractive programme for the day. Expenses Speakers get free access to the conference, including the social event. If requested in advance we will provide accommodation for speakers. Travel expenses might also be covered in special cases. If you need this, please contact us early so we can try to arrange it. Website http://ldapcon.org/2015/ Contacts General enquiries: enquiries(a)lists.ldapcon.org Paper/Tutorial submissions: submissions2015(a)lists.ldapcon.org -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

1 0

R: Antw: Re: Elapsed Time logging
by fabymoscarella＠virgilio.it 21 Apr '15

21 Apr '15

Hi, thank you for your interest. I was mistakenly sure of the field's availability. I would have liked to use the "etime" field to monitor OpenLDAP dependability through my SIEM platform, by identifying long lasting operations. Could you please give me some pointers about monitoring "operations completed" or any other useful parameter? Regards, Fabiano ----Messaggio originale---- Da: Ulrich.Windl(a)rz.uni-regensburg.de Data: 21-apr-2015 8.28 A: <openldap-technical(a)openldap.org>, <fabymoscarella(a)virgilio.it>, "Quanah Gibson-Mount"<quanah(a)zimbra.com> Ogg: Antw: Re: Elapsed Time logging If it's enough to know the average, he could monitor "operations completed" and divide those by elapsed time...

1 0

How to disable SSF (integrity) on GSSAPI mech?
by Osipov, Michael 21 Apr '15

21 Apr '15

Hi folks, I am binding against Active Directory with GSSAPI mech and would like to disable SASL integrity for debugging purposes with Wireshark. Unfortunately, this call fails: char *secprops = "minssf=0,maxssf=0"; rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops); with: Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input parameter could not be read (Unknown error) Result code: -2 I am used to this with Java's SASL client where I can set SASL QOP with auth, auth-int, auth-conf. Is that not possible with OpenLDAP along with CyrusSASL? For what it is worth, I am on FreeBSD 9.3 with latest OpenLDAP and CyrusSASL from the ports tree. Regards, Michael

3 5

Elapsed Time logging
by fabymoscarella＠virgilio.it 20 Apr '15

20 Apr '15

Hi everyone, my name is Fabiano and I'm an italian IT Security professional involved in a IAM project which comprises several OpenLDAP instances. I'm using OpenLDAP 2.4.40 on a x86_64 Red Hat Enterprise Linux Server release 6.5 and my target is logging LDAP operations elapsed time. I configured logging through RSyslog but I can't see an "etime" field in my logfiles; below is a sample log row: Apr 20 17:46:56 hostname slapd[9884]: conn=1019 op=0 RESULT tag=97 err=0 text= I'm not using OLC and tried without specifying a "loglevel" parameter in my slapd.conf (default should be 256, shoulndn't it?) and later with several "loglevel" values, but no "etime" field appeared. Could you please help and tell me what am I doing wrong? Thank you in advice, Fabiano Moscarella

2 1

how to check user lock status
by rockwang 20 Apr '15

20 Apr '15

Hi, all I set policy for user as following # default, policies, abc.com dn: cn=default,ou=policies,dc=abc,dc=com objectClass: top objectClass: device objectClass: pwdPolicy cn: default pwdAttribute: userPassword pwdMaxAge: 7776002 pwdExpireWarning: 432000 pwdInHistory: 3 pwdCheckQuality: 1 pwdMinLength: 8 pwdMaxFailure: 5 pwdLockout: TRUE pwdLockoutDuration: 900 pwdGraceAuthNLimit: 0 pwdFailureCountInterval: 0 pwdMustChange: TRUE pwdAllowUserChange: TRUE pwdSafeModify: FALSE my question is how to check user lock status. Another question is pwdMustChange doesn't work in linux client when user first login. Rock.wang

4 4

Structural object class rules
by dE 20 Apr '15

20 Apr '15

"An object or alias entry is characterized by precisely one structural object class superclass chain which has a single structural object class as the most subordinate object class. This structural object class is referred to as the structural object class of the entry." There's a bit of ambiguity with this "which has a single structural object class as the most subordinate object class" What do you mean by 'most subordinate'? Is it that there must be no parallel entries at the same level in the hierarchy?

3 9

Auxiliary object class practically of no use?
by dE 20 Apr '15

20 Apr '15

According to RFC 4512 An entry can belong to any subset of the set of auxiliary object classes allowed by the DIT content rule associated with the structural object class of the entry. From what I understand, this means auxiliary classes do not 'augment'; the no. of attributes which are possible in an entry must be a subset of the structural object class the entry belongs to.

4 8

Help: LDAP using alias to reference value of another attribute
by Poul Etto 17 Apr '15

17 Apr '15

Hi, As we store a lot of information in our LDAP server, we are looking to simplify and optimize our LDAP strucutre. Actually we have plenty OUs (like people and vpn shown hereunder) and lot of fields are duplicate (same fields with same content in different OUs). As this is not optimum and makes us push any change for a user into all concerned OUs, we woul like to use aliasing to avoid duplicating entries: This is an example of what a user would look like: dn: uid=1,ou=people,dc=red,dc=com objectClass: organizationalPerson objectClass: person objectClass: top objectClass: extensibleObject cn: Frank sn: Moses givenName: Frank Moses mail: frank.moses(a)red.com userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX uid: 1 This is an example of what is to be found in the vpn account of the same user (we have home made schemas, so there are some special attributes): dn: uid=1,ou=vpn,dc=red,dc=com objectClass: top objectClass: openvpn objectClass: extensibleObject uid: 1 cn: Frank sn: Moses userUid: 1 vpnEnabled: TRUE mail: frank.moses(a)red.com userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX As you can see fields cn, sn, mail are the same in both... We would like to change this to make our LDAP more dynamic. Therefore, we changed the vpn account to: dn: uid=1,ou=vpn,dc=red,dc=com objectClass: top objectClass: openvpn objectClass: extensibleObject objectClass: alias uid: 1 aliasedObjectName: uid=1,ou=people,dc=red,dc=com userUid: 1 vpnEnabled: TRUE But when requesting the server with ldapsearch it seems not to work, or maybe we just are missing someting...! For example when requesting the cn of the vpn user we would like to have the cn field in the "uid=1,ou=people,dc=red,dc=com" account. Our search: ldapsearch -W -D "cn=admin,dc=red,dc=com" -x -b 'uid=1,ou=vpn,dc=red,dc=com' cn Gives: # extended LDIF # # LDAPv3 # base <uid=1,ou=vpn,dc=red,dc=com> with scope subtree # filter: (objectclass=*) # requesting: cn # # 1, vpn, red.com dn: uid=1,ou=vpn,dc=red,dc=com # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 But no "cn" value returned... What are we doing wrong ? Thank you, Best regards, ZP

4 16

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical