openldap-technical

openldap-technical@openldap.org

18 participants
9801 discussions

memberof overlay surpresses accesslog olcAccessLogOps = all
by Jan Prinsloo 21 Aug '14

21 Aug '14

Hi All, I would appreciate it if someone could give me some insight into the following issue: I have a standalone openldap 2.4.26 setup. We would like to use the accesslog overlay for auditing. I have enabled the accesslog overlay with olcAccessLogOps = all. This writes all groups of operations (writes, reads, session) to cn=accesslog without issues. We would also like to make use of the memberof overlay. The issue we're seeing is that once you enable the memberof overlay, only search, unbind, add operations are logged to accesslog. We do not see delete, modify, modrdn values logged. If I then change the logops to "olcAccessLogOps = add delete modify modrdn" we see those operations logged, but no bind, search, unbind operations (ie. no reads or session). Is this a limitation of using these two overlay's together, or am I completely missing something? Here is the configuration output: dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig olcDatabase: {-1}frontend olcAccess: {0}to dn.base="" by * read olcAccess: {1}to dn.base="cn=Subschema" by * read structuralObjectClass: olcDatabaseConfig entryUUID: 174cbd2c-bbe1-1033-97e1-99c5bb2fcfe1 creatorsName: cn=config createTimestamp: 20140819113832Z entryCSN: 20140819113832.018426Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20140819113832Z dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcRootDN: cn=config structuralObjectClass: olcDatabaseConfig entryUUID: 174cc498-bbe1-1033-97e2-99c5bb2fcfe1 creatorsName: cn=config createTimestamp: 20140819113832Z olcAccess: {0}to * by * manage entryCSN: 20140819153732.253785Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20140819153732Z dn: olcDatabase={1}bdb,cn=config objectClass: olcDatabaseConfig objectClass: olcBdbConfig olcDatabase: {1}bdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=novell,dc=com olcAccess: {0}to attrs=userPassword by self write by * auth olcAccess: {1}to attrs=shadowLastChange by self write by * read olcAccess: {2}to attrs=userPKCS12 by self read by * none olcAccess: {3}to * by * read olcRootDN: cn=admin,dc=novell,dc=com olcRootPW:: e1NTSEF9eTUrcGVLRmtBSlY4aytQUVJZOVVDTzByN1FwV1RrbENSZz09 olcDbCacheSize: 10000 olcDbCheckpoint: 1024 5 olcDbConfig: {0}set_cachesize 0 15000000 1 olcDbConfig: {1}set_lg_regionmax 262144 olcDbConfig: {2}set_lg_bsize 2097152 olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE olcDbConfig: {4}set_lk_max_locks 30000 olcDbConfig: {5}set_lk_max_objects 30000 olcDbIDLcacheSize: 30000 olcDbIndex: objectclass eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: member eq olcDbIndex: memberUid eq olcDbIndex: mail eq olcDbIndex: cn eq,sub olcDbIndex: displayName eq,sub olcDbIndex: uid eq,sub olcDbIndex: sn eq,sub olcDbIndex: givenName eq,sub olcDbIndex: entryCSN eq olcDbIndex: entryUUID eq structuralObjectClass: olcBdbConfig entryUUID: 174ccbbe-bbe1-1033-97e3-99c5bb2fcfe1 creatorsName: cn=config createTimestamp: 20140819113832Z entryCSN: 20140819114039.896372Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20140819114039Z dn: olcOverlay={0}accesslog,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcAccessLogDB: cn=accesslog olcAccessLogPurge: 07+00:00 01+00:00 olcAccessLogSuccess: TRUE structuralObjectClass: olcAccessLogConfig entryUUID: 827deb2a-bbe1-1033-8b97-93a12773fffb creatorsName: cn=config createTimestamp: 20140819114131Z olcOverlay: {0}accesslog olcAccessLogOps: writes entryCSN: 20140819154607.969610Z#000000#000#000000 modifiersName: cn=admin,dc=novell,dc=com modifyTimestamp: 20140819154607Z dn: olcOverlay={1}refint,olcDatabase={1}bdb,cn=config objectClass: olcConfig objectClass: olcOverlayConfig objectClass: olcRefintConfig objectClass: top olcOverlay: {1}refint olcRefintAttribute: memberof member manager owner structuralObjectClass: olcRefintConfig entryUUID: e5b204be-bbfb-1033-9b62-8fa7905953f2 creatorsName: cn=config createTimestamp: 20140819145025Z entryCSN: 20140819145025.207784Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20140819145025Z dn: olcDatabase={2}bdb,cn=config objectClass: olcDatabaseConfig objectClass: olcBdbConfig olcDatabase: {2}bdb olcDbDirectory: /var/lib/ldap/accesslog olcSuffix: cn=accesslog olcRootDN: cn=admin,dc=novell,dc=com olcDbIndex: default eq olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart structuralObjectClass: olcBdbConfig entryUUID: 827bc75a-bbe1-1033-8b95-93a12773fffb creatorsName: cn=config createTimestamp: 20140819114131Z entryCSN: 20140819114131.842907Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20140819114131Z Regards, Jan Prinsloo

2 1

setting up mirroring with ldaps
by Sterling Sahaydak 20 Aug '14

20 Aug '14

Setting up mirroring between 2 servers - (ldap1 and ldap2) Have a self signed cert installed on ldap1(provider) and connecting to ldap2(consumer) which is using the same cert as ldap1. What I'm not sure about is can I put the same self signed cert on both ldap1 and ldap2? Or on ldap2 create a self signed cert and copy it to ldap1 and register it using (certutil) to fix the issue below? Thanks! [root@ldap1 log]# slapd -d Sync @(#) $OpenLDAP: slapd 2.4.23 (Feb 3 2014 19:11:35) $ mockbuild@c6b10.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd /etc/openldap/slapd.conf: line 149: warning, destination attributeType 'sAMAccountName' is not defined in schema PROXIED attributeDescription "SAMACCOUNTNAME" inserted. /etc/openldap/slapd.conf: line 199: rootdn is always granted unlimited privileges. bdb_monitor_db_open: monitoring disabled; configure monitor database to enable slapd starting TLS: error: the certificate '/etc/openldap/certs/testldap1cert.pem' could not be found in the database - error -8174:security library: bad database.. TLS: certificate '/etc/openldap/certs/testldap1cert.pem' successfully loaded from PEM file. TLS: no unlocked certificate for certificate 'E=sterling.sahaydak(a)example.com,CN=ldap1.example.net,OU=IT,O=example,L=xxxx,ST=xx,C=xx'. TLS: hostname (ldap2.example.net) does not match common name in certificate (ldap1.example.net). TLS: can't connect: TLS error -8157:Certificate extension not found.. slap_client_connect: URI=ldaps://ldap2.example.net DN="cn=testsync,ou=roles,dc=example,dc=net" ldap_sasl_bind_s failed (-1) do_syncrepl: rid=001 rc -1 retrying

1 0

question about ldap log file
by Wang, Holly 20 Aug '14

20 Aug '14

Hello, I am working on configure the OpenLDAP log file. Openldap has a document on the log level. However, I can't find where to configure the log file location and how to configure the log file in our current sladp.conf file. Where do we usually define the log file location? How to configure the log files? Holly Wang CSUN IT Department Identity and Directory Service 818-677-2031 holly.wang(a)csun.edu

2 1

TLS negotiation failed on ldaps:// - sslv3 alert bad record mac
by Oriol Rosa Ramoneda 19 Aug '14

19 Aug '14

2 1

Antw: Q: querying accesslog with reqStart>=partial time spec
by Ulrich Windl 18 Aug '14

18 Aug '14

>>> Ulrich Windl schrieb am 18.08.2014 um 11:53 in Nachricht <53F1CD10.741 : 161 : 60728>: > Hi! > > Can anybody explain when openLDAP with bdb succeeds on a filter like >(reqStart>=X) on accesslog? > When I use "(reqStart>=2014080100)" I get "no match", but when I use >"(reqStart>=20140801000)" I get the expected matches. > (And I don't get any match when just using "reqStart>=20140801)") > I see no log messages on the server's syslog... Sorry, I was telling nonsense (my program just dropped the longer stings) due to a bad regex match. It seems I must specify the full legth date specification (20140811073600.000000Z) > > Regards, > Ulrich > >

2 1

using {CRYPT} for rootpw, using SHA512?
by Brian Reichert 18 Aug '14

18 Aug '14

I've been messing with trying to get SHA512 password hash formats in openldap 2.4.39 under a 64-bit CentOS 6 distribution, using the LTB RPMs. I have read the FAQ at http://www.openldap.org/faq/data/cache/1467.html - The first entry describes a third-party module; I have been using that for years on a 32-bit CentOS 5 platform, using the vendor-provided openldap-2.3.43 RPMs. My efforts to build that module for 2.4.39 seemed to build clean, but effort to bind as a user with a {SHA512} hashed password cause slapd to segfault. I didn't try very hard to track that down, as there seem to be better supported techniques. - The third entry describes a slapo-pw-sha2 overlay, but no LTB RPM provides the overlay. I tried exactly once to build this overlay, but that failed due to a configure failure. I blame me; I'll revisit this when I have the time. However, I had some luck with the second entry, using {CRYPT}. Following these instructions, I was able to create users, successfully bind, and even use ldappasswd to change the passwords: http://www.openldap.org/lists/openldap-technical/201305/msg00002.html But, when I generated a hashed password using suggestions like this: http://serverfault.com/questions/330069/how-to-create-an-sha-512-hashed-pas… # python -c 'import crypt; print crypt.crypt("test", "$6$random_salt")' $6$random_salt$BnOQxEG8Gk2rzFYwoWXjr59zLVYzwshvca5oV0PtU8fAfT4a571evgca.E0hLnYNCdfq//zw9YyQN33QtztI10 and tried to embed this rootpw in my config file; rootpw {CRYPT}$6$random_salt$BnOQxEG8Gk2rzFYwoWXjr59zLVYzwshvca5oV0PtU8fAfT4a571evgca.E0hLnYNCdfq//zw9YyQN33QtztI10 I would get bind errors. Have I misunderstood how to use {CRYPT} for storing root's password? -- Brian Reichert <reichert(a)numachi.com> BSD admin/developer at large

8 13

what happened to the openldap toolbox project?
by Miroslaw Baran 18 Aug '14

18 Aug '14

Dear all, I don't want to sound too alarmistic, but it seems that the LTB project has disappeared from the 'net sometime this week. Would you happen to know what happened, what's going on (and perhaps if some help with the infrastructure is needed)? I've been relying on project-ltb packages for a while and would be quite unhappy to see it go; and I find the lack of information and the abrupt disappearance a bit troubling. While I know it's not strictly on-topic here, I know also that OpenLdap Toolbox folks are subscribed to this list, and ltb-project.org packages are quite widely used here – so I hope someone would be able to provide a bit of information… Kind regards – Miroslaw Baran -- » miroslaw baran » chaos monkey • pope • general nuisance » 0101010 Down with categorical imperative!

4 3

Q: querying accesslog with reqStart>=partial time spec
by Ulrich Windl 18 Aug '14

18 Aug '14

Hi! Can anybody explain when openLDAP with bdb succeeds on a filter like (reqStart>=X) on accesslog? When I use "(reqStart>=2014080100)" I get "no match", but when I use "(reqStart>=20140801000)" I get the expected matches. (And I don't get any match when just using "reqStart>=20140801)") I see no log messages on the server's syslog... Regards, Ulrich

1 0

Password Policy Questions
by Bram Cymet 18 Aug '14

18 Aug '14

Hi, It looks like the password policy overlay will do exactly what I need it to I just can't get it to work. I have applied the overlay my directory. I have a default policy set that has: pwdAttribute set to userPassword and pwdMustChange set to TRUE. However when I change a user's password either with an ldapmodify or the ldappassword command that user is still able to bind to the directory just fine. I was assuming that a bind attempt would return an error saying that the user had to change their password or is this not the expected behavior? Also I have tried adding pwdReset = TRUE to my user's object but it complains the pwdReset is not allowed in the schema. Is there a specific objectclass that I have to add to my user entries? I have also tried creating a schema with pwdReset and pwdPolicySubentry but when I add that schema it complains that these are operational attributes. I have upped the logging and when I user tries to bind I see: Aug 3 08:57:08 devauth slapd[30441]: conn=1017 fd=17 ACCEPT from IP=10.20.48.66:55519 (IP=0.0.0.0:389) Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="uid=email(a)test.com,ou=test_websales_users,dc=ls,dc=cbn" method=128 Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "uid=email(a)test.com,ou=test_websales_users,dc=ls,dc=cbn" Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn" Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: result not in cache (userPassword) Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access to "uid=email(a)test.com,ou=test_websales_users,dc=ls,dc=cbn" "userPassword" requested Aug 3 08:57:08 devauth slapd[30441]: => acl_get: [2] attr userPassword Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: access to entry "uid=email(a)test.com,ou=test_websales_users,dc=ls,dc=cbn", attr "userPassword" requested Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: to value by "", (=0) Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: self Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: * Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] applying auth(=xd) (stop) Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] mask: auth(=xd) Aug 3 08:57:08 devauth slapd[30441]: => slap_access_allowed: auth access granted by auth(=xd) Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access granted by auth(=xd) Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="uid=email(a)test.com,ou=test_websales_users,dc=ls,dc=cbn" mech=SIMPLE ssf=0 So it looks to me like the default policy has been applied but nothing happens when a password is reset by an administrator. So I think I am missing something fundamental here. I have a few questions that I think will help me to narrow down my problem though. 1) What is the best way to debug an overlay? 2) Is there a proper way for an administrator to change a password so that the pwdReset flag is set on the user (or whatever is supposed to happen so that the user needs to reset their password on their next bind) 3) Is it enough to have a password policy with just pwdAttribute and pwdMustChange set or are there other values that need to be set to make this work. 4) Are there any extra object classes that have to added to my user entries for the password policies to work? 5) I would like users to have to reset their password on first bind do I need to set something on object creation? 6) Anything else I might be missing? Any help would be awesome. Thanks, -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. 613-608-9752

2 2

pwdChangedTime/authTimestamp, MMR etc.
by Michael Ströder 15 Aug '14

15 Aug '14

HI! I have a replication topology with providers running with MMR and a layer of r/o consumers.. - spread across three data centers - in two different countries (DE and foreign country) Network traffic between the countries has higher latency so consumers are only accessing providers within the same country. Write operations go nearly 100% to a single provider in Germany. All systems are using these overlays: - slapo-ppolicy (mostly for password expiry) - slapo-lastbind overlays - slapo-accesslog (yes, also on consumers) Now occasionally contextCSN values differ most times for a couple of minutes on the consumers in the foreign country from their local providers. I cannot tell exactly which conditions are causing this. But I observed that most times there was a login failure on the provider in Germany which results in 'pwdChangedTime' being set and replicated to the consumers. Most times followed by 'authTimestamp' being correctly set. So I wonder whether the differences of the contextCSN values could be caused by 'pwdChangedTime' and 'authTimestamp' being replicated to providers but not to consumers. Any clue? Thanks in advance. Ciao, Michael.

2 3

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical