openldap-technical

openldap-technical@openldap.org

5 participants
9899 discussions

pcache not working with dirx
by A. Schulze 13 Apr '23

13 Apr '23

Hello, I'm playing with the slapo-pcache overlay (openldap-2.6.4). Using the folloging configuration: ``` # https://www.openldap.org/doc/admin26/guide.html#The%20Proxy%20Cache%20Engine database ldap suffix dc=dirx,dc=example rootdn dc=dirx,dc=example uri ldap://dirx.example/ overlay pcache pcache mdb 1000 2 1000 20 pcacheAttrset 0 DKIMSelector pcacheTemplate (&(DKIMDomain=)(DKIMActive=)(DKIMKeyType=)) 0 10 pcacheAttrset 1 DKIMDomain DKIMSelector DKIMKey pcacheTemplate (DKIMSelector=) 1 10 directory /spool/dc=dirx,dc=example database ldap suffix dc=openldap,dc=example rootdn dc=openldap,dc=example uri ldap://openldap.example/ overlay pcache pcache mdb 1000 2 1000 20 pcacheAttrset 0 DKIMSelector pcacheTemplate (&(DKIMDomain=)(DKIMActive=)(DKIMKeyType=)) 0 10 pcacheAttrset 1 DKIMDomain DKIMSelector DKIMKey pcacheTemplate (DKIMSelector=) 1 10 directory /spool/dc=openldap,dc=example ``` One upstream server is DirX, the other openldap-2.6.4. Dirx don't work Openldap-cache is running with "slapd ... -d Config,Stats,pcache ..." this are the logs from a failing attempt: openldap-cache_1 | 643667a0.0584c8aa 0x7fa20ffff700 conn=1002 op=0 BIND dn="cn=reader,dc=dirx,dc=example" method=128 openldap-cache_1 | 643667a0.05b4d722 0x7fa20ffff700 conn=1002 op=0 BIND dn="cn=reader,dc=dirx,dc=example" mech=SIMPLE bind_ssf=0 ssf=71 openldap-cache_1 | 643667a0.05b5b312 0x7fa20ffff700 conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000018 etime=0.003246 text= openldap-cache_1 | 643667a3.1cdab2c4 0x7fa214d35700 conn=1002 op=1 SRCH base="ou=Domains,dc=dirx,dc=example" scope=2 deref=0 filter="(&(DKIMDomain=dirxdomain.de)(DKIMActive=TRUE)(DKIMKeyType=rsa))" openldap-cache_1 | 643667a3.1cdada18 0x7fa214d35700 conn=1002 op=1 SRCH attr=DKIMSelector openldap-cache_1 | 643667a3.1cdb0450 0x7fa214d35700 query template of incoming query = (&(DKIMDomain=)(DKIMActive=)(DKIMKeyType=)) openldap-cache_1 | 643667a3.1cdb36bf 0x7fa214d35700 Entering QC, querystr = (&(DKIMDomain=dirxdomain)(DKIMActive=TRUE)(DKIMKeyType=rsa)) openldap-cache_1 | 643667a3.1cdb4254 0x7fa214d35700 Lock QC index = 0x5572682fc520 openldap-cache_1 | 643667a3.1cdb4e08 0x7fa214d35700 Not answerable: Unlock QC index=0x5572682fc520 openldap-cache_1 | 643667a3.1cdb5617 0x7fa214d35700 QUERY NOT ANSWERABLE openldap-cache_1 | 643667a3.1cdb5cec 0x7fa214d35700 QUERY CACHEABLE openldap-cache_1 | 643667a3.1d40534b 0x7fa214d35700 conn=1002 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000014 etime=0.006697 nentries=0 text= and for a query to the openldap backend it works: openldap-cache_1 | 6436693c.35c382c5 0x7fa20ffff700 conn=1007 op=0 BIND dn="cn=reader,dc=openldap,dc=example" method=128 openldap-cache_1 | 6436693c.3663bbec 0x7fa20ffff700 conn=1007 op=0 BIND dn="cn=reader,dc=openldap,dc=example" mech=SIMPLE bind_ssf=0 ssf=71 openldap-cache_1 | 6436693c.36643fe0 0x7fa20ffff700 conn=1007 op=0 RESULT tag=97 err=0 qtime=0.000031 etime=0.010584 text= openldap-cache_1 | 64366940.08541952 0x7fa214d35700 conn=1007 op=1 SRCH base="ou=Domains,dc=openldap,dc=example" scope=2 deref=0 filter="(&(DKIMDomain=openldapdomain.de)(DKIMActive=TRUE)(DKIMKeyType=ed25519))" openldap-cache_1 | 64366940.08543f48 0x7fa214d35700 conn=1007 op=1 SRCH attr=DKIMSelector openldap-cache_1 | 64366940.0854686a 0x7fa214d35700 query template of incoming query = (&(DKIMDomain=)(DKIMActive=)(DKIMKeyType=)) openldap-cache_1 | 64366940.08547707 0x7fa214d35700 Entering QC, querystr = (&(DKIMDomain=openldapdomain.de)(DKIMActive=TRUE)(DKIMKeyType=ed25519)) openldap-cache_1 | 64366940.08547fde 0x7fa214d35700 Lock QC index = 0x5572682fda70 openldap-cache_1 | 64366940.08548a4b 0x7fa214d35700 Not answerable: Unlock QC index=0x5572682fda70 openldap-cache_1 | 64366940.0854925c 0x7fa214d35700 QUERY NOT ANSWERABLE openldap-cache_1 | 64366940.085499d1 0x7fa214d35700 QUERY CACHEABLE openldap-cache_1 | 64366940.0868a233 0x7fa214d35700 Added query expires at 1681287498 (POSITIVE) openldap-cache_1 | 64366940.0868bf3d 0x7fa214d35700 Lock AQ index = 0x5572682fda70 openldap-cache_1 | 64366940.0868cc0d 0x7fa214d35700 TEMPLATE 0x5572682fda70 QUERIES++ 1 openldap-cache_1 | 64366940.0868d3eb 0x7fa214d35700 Base of added query = ou=Domains,dc=openldap,dc=example openldap-cache_1 | 64366940.0868daa0 0x7fa214d35700 Unlock AQ index = 0x5572682fda70 openldap-cache_1 | 64366940.0868f2f2 0x7fa214d35700 UUID for query being added = 4d0928a8-6d56-103d-8d96-0b2b6342ea75 openldap-cache_1 | 64366940.092158fe 0x7fa214d35700 ENTRY ADDED/MERGED, CACHED ENTRIES=1 openldap-cache_1 | 64366940.09219238 0x7fa214d35700 STORED QUERIES = 1 openldap-cache_1 | 64366940.0921a8d6 0x7fa214d35700 conn=1007 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000014 etime=0.013522 nentries=1 text= If I run slapd with all Debug Logging enabled ( slapd ... -d -1 ...) I see, the DirX backend **do answer** with the expexted date but the log is so verbose, so I could not see a problem. using ldapsearch directly against both backend servers I verified, the requested data are accessible. One glitch I found in the Documentation at https://www.openldap.org/doc/admin26/guide.html#The%20Proxy%20Cache%20Engine Under "12.9.2.4. Example for slapd.conf" the is an Entry "cachesize 20" mentioned. If I enable this option, slapd fail to start: openldap-cache_1 | 64366b51.0ec4f7d9 0x7f4f046423c0 /usr/local/etc/openldap/slapd.conf: line 45 (cachesize 20) openldap-cache_1 | 64366b51.0ec5f70a 0x7f4f046423c0 /usr/local/etc/openldap/slapd.conf: line 45: unknown directive <cachesize> inside backend database definition. Is the documentation really correct? Andreas

2 2

Argon2-Support or secure hashing
by Lukas Adrian Kron 13 Apr '23

13 Apr '23

Hello, I am trying to use Argon2 or PBKDF2_SHA256 as a secure password hashing function. Since two weeks I am trying to get this to work with reading a lot of information on the internet and I just cannot get it to work. I am using Ubuntu 20.04 LTS, installed with slapd, ldap-utils, argon2 and trying to set it in the cn=config Frontend setting. @(#) $OpenLDAP: slapd (Ubuntu) (May 12 2022 13:11:05) $ Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org> This is the version that is installed from Slapd and when I try to set pw-argon2, {ARGON2}, pw-argon2.so... I tried a lot and it tells me no hash found. If I try {MD5} it works without problems. As there is no other secure usable password hashing installed the LDAP Server is right now insecure and I cannot move it to production Please does someone has any idea? Many kind regards, Lukas

2 1

meaning of bind_ssf
by Stefan Kania 13 Apr '23

13 Apr '23

Hi to all, when I connect to openldap, with simple-bind I see: ----------- mech=SIMPLE bind_ssf=0 ssf=256 ----------- When I connect to openldap with GSSAPI I see: ----------- mech=GSSAPI bind_ssf=56 ssf=256 ----------- So I uses strong-bind via GSSAPI there is no place where I can find anything about "bind_ssf". So what ist bind_ssf stands for? I only found: transport_ssf=<n> tls_ssf=<n> sasl_ssf=<n> Another strange thing (to me ;-) ) The openldap admin guide is telling me: ---------------- The server uses Security Strength Factors (SSF) to indicate the relative strength of protection. A SSF of zero (0) indicates no protections are in place. A SSF of one (1) indicates integrity protection are in place. A SSF greater than one (>1) roughly correlates to the effective encryption key length. For example, DES is 56, 3DES is 112, and AES 128, 192, or 256. ---------------- in my kdc.conf I have: --------------- supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal --------------- So no DES with a key-length of 56 is defined. Same when I look at the key from my user I'm using to connect. The infos about the user is telling me in kadmin ---------------- Key: vno 1, aes256-cts-hmac-sha1-96 Key: vno 1, aes128-cts-hmac-sha1-96 ---------------- So why is the log telling me ssf=56? Stefan

2 3

Slow Search?
by Bradley T Gill 12 Apr '23

12 Apr '23

I have an ou with 3.2M users. Doing a simple search of 1 attribute with a scope of 1 and a base of that flat ou is taking 6.2 Seconds. In a replica database, I have attempted to remove all other indexes but the attribute I am searching for and it still is taking over 6 seconds. Is that to be expected? Apr 11 10:37:49 slapd[25081]: conn=1000 op=20 SRCH base="ou=FlatOU" scope=1 deref=3 filter="(attr=login102)" Apr 11 10:37:49 slapd[25081]: conn=1000 op=20 SRCH attr=objectClass Apr 11 10:37:55 slapd[25081]: conn=1000 op=20 SEARCH RESULT tag=101 err=0 qtime=0.000025 etime=6.267130 nentries=1 text= Only Idex: olcDbIndex: attr pres,eq After settting the index, I stopped ldap and ran slapindex CPU: Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian CPU(s): 8 On-line CPU(s) list: 0-7 Thread(s) per core: 1 Core(s) per socket: 1 Socket(s): 8 NUMA node(s): 1 Vendor ID: GenuineIntel CPU family: 6 Model: 85 Model name: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz Stepping: 0 CPU MHz: 2992.968 BogoMIPS: 5985.93 Hypervisor vendor: VMware Virtualization type: full L1d cache: 32K L1i cache: 32K L2 cache: 1024K L3 cache: 25344K NUMA node0 CPU(s): 0-7 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ssbd rsb_ctxsw ibrs ibpb stibp fsgsbase tsc_adjust bmi1 avx2 smep bmi2 invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec arat pku ospke md_clear spec_ctrl intel_stibp flush_l1d arch_capabilities 24 GB of RAM with 10 GB Free Thanks for any suggestions: Bradley Gill

3 5

slapadd: bad configuration directory!
by cxb2000abc＠gmail.com 06 Apr '23

06 Apr '23

Hi all, I am new to OpenLDAP, recently I am following the official quick-start guide and finished the installation part. However when configuring the database which is step 9 in the guide su root -c /usr/local/sbin/slapadd -n 0 -F /usr/local/etc/slapd.d -l /usr/local/etc/openldap/slapd.ldif I got the error: slapadd: bad configuration directory! I look into the folder /usr/local/etc/, I don't see any slapd.d. Even I saw some discussion say that it located at /etc/openldap/. I can't see any either. Please help me out. Thank you very much.

3 2

How to build argon2.so ?
by Scott Classen 06 Apr '23

06 Apr '23

Hello, According to: servers/slapd/pwmods/README.argon2 Building -------- 1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP source root. For initial testing you might also want to edit DEFS to define SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on in production, as it prints passwords in cleartext). 2) Run 'make' to produce argon2.so 3) Copy argon2.so somewhere permanent. 4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add: moduleload ...path/to/argon2.so 5) Restart slapd. When I run make from within servers/slapd/pwmods/ I get the following error: [user@machine openldap-2.6.4]# cd servers/slapd/pwmods/ [user@machine pwmods]# make make: *** No rule to make target 'dummyvalue', needed by 'all-common'. Stop. I’m not sure what “dummyvalue” is supposed to be so I commented out line 288 in servers/slapd/pwmods/Makefile # LIBRARY = dummyvalue And get this error: [user@ machine pwmods]# make /bin/sh ../../../libtool --tag=disable-static --mode=compile cc -g -O2 -I../../../include -I../../../include -I.. -I./.. -DSLAPD_IMPORT -c version.c libtool: compile: cc -g -O2 -I../../../include -I../../../include -I.. -I./.. -DSLAPD_IMPORT -c version.c -fPIC -DPIC -o .libs/version.o version.c:1:6: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘:’ token usage: mkversion [-c] [-s] [-p package] [-v version] application ^ make: *** [Makefile:310: version.lo] Error 1 Any help in generating argon2.so would be greatly appreciated. If I’m somehow getting deeper in the weeds than I need to with the new OpenLDAP version 2.6.4 in order to support {ARGON2} hashes please let me know. Import of my slapd.ldif file is bonking on: olcPasswordHash: {ARGON2} So as with previous versions of OpenLDAP I assumed I would need to build and load the argon2 module manually. Sincerely, Scott Classen

2 2

slapd broken w/ppolicy
by Paulo Ricardo Bruck 05 Apr '23

05 Apr '23

Hi All Using : Ubuntu 22.04 slapd 2.5.14+dfsg-0ubuntu0.22.04.1 amd64 policy: # module{0}, config dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_mdb olcModuleLoad: {1}memberof olcModuleLoad: {2}refint olcModuleLoad: {3}ppolicy # {2}ppolicy, {1}mdb, config dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {2}ppolicy olcPPolicyDefault: cn=default_policies,ou=policies,dc=contatogs,dc=com,dc=br olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: FALSE olcPPolicyForwardUpdates: FALSE # contatogs-ppolicy, Policies, contatogs.com.br dn: cn=contatogs-ppolicy,ou=Policies,dc=contatogs,dc=com,dc=br objectClass: top objectClass: person objectClass: pwdPolicy cn: contatogs-ppolicy sn: policies pwdAttribute: userPassword pwdMinAge: 0 pwdInHistory: 6 pwdCheckQuality: 2 pwdMinLength: 8 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxFailure: 3 pwdFailureCountInterval: 1800 pwdAllowUserChange: TRUE pwdMaxRecordedFailure: 3 Using a simple ldapsearch with correct user and password works fine. xxx is the correct password root@zeus:/usr/lib/python3/dist-packages# ldapsearch -xLLLZZD uid=pauloric,ou=users,dc=contatogs,dc=com,dc=br -w xxx |wc -l 10725 Using wrong password : (yyy) root@zeus:/usr/lib/python3/dist-packages# ldapsearch -xLLLZZD uid=pauloric,ou=users,dc=contatogs,dc=com,dc=br -w yyy |wc -l ldap_bind: Invalid credentials (49) 0 So far so good but if I insert : pwdMaxDelay: 40 pwdMinDelay: 4 test with correct password is ok ( xxx) root@zeus:/usr/lib/python3/dist-packages# ldapsearch -xLLLZZD uid=pauloric,ou=users,dc=contatogs,dc=com,dc=br -w xxx |wc -l 10725 But if I test with a wrong password ( yyy) I got: root@zeus:/usr/lib/python3/dist-packages# ldapsearch -xLLLZZD uid=pauloric,ou=users,dc=contatogs,dc=com,dc=br -w yyy |wc -l ldap_result: Can't contact LDAP server (-1) 0 my openldap stop working.........Active: inactive (dead) root@zeus:/usr/lib/python3/dist-packages# systemctl status -l slapd ○ slapd.service - LSB: OpenLDAP standalone server (Lightweight Director> Loaded: loaded (/etc/init.d/slapd; generated) Drop-In: /usr/lib/systemd/system/slapd.service.d └─slapd-remain-after-exit.conf Active: inactive (dead) since Tue 2023-04-04 14:44:49 -03; 20s ago Docs: man:systemd-sysv-generator(8) Process: 986673 ExecStart=/etc/init.d/slapd start (code=exited, sta> Process: 986688 ExecStop=/etc/init.d/slapd stop (code=exited, statu> CPU: 47ms Apr 04 14:44:46 zeus slapd[986679]: auxpropfunc error invalid parameter> Apr 04 14:44:46 zeus slapd[986679]: _sasl_plugin_load failed on sasl_au> Apr 04 14:44:46 zeus slapd[986679]: ldapdb_canonuser_plug_init() failed> Apr 04 14:44:46 zeus slapd[986679]: _sasl_plugin_load failed on sasl_ca> Apr 04 14:44:46 zeus slapd[986680]: slapd starting Apr 04 14:44:46 zeus slapd[986673]: ...done. Apr 04 14:44:46 zeus systemd[1]: Started LSB: OpenLDAP standalone serve> Apr 04 14:44:49 zeus slapd[986688]: * Stopping OpenLDAP slapd Apr 04 14:44:49 zeus slapd[986688]: ...done. Apr 04 14:44:49 zeus systemd[1]: slapd.service: Deactivated successfull What am I doing wrong???? Cheers -- Paulo Ricardo Bruck consultor

3 2

.so dynamic library versioning
by Sam Dave 04 Apr '23

04 Apr '23

Hello, Thanks in advance for some clues on the below: 1. Has there ever been a release of LMDB that adds/removes/changes API? 2. On both Debian 10 (with lmdb 0.9.22) and Debian 11 (with lmdb 0.9.24) , under lib/ I see liblmdb.so -> liblmdb.so.0 (symlink) liblmdb.so.0 -> liblmdb.so.0.0.0 (symlink) liblmdb.so.0.0.0 (the original file) Has this always been at 0.0.0 since the beginning of LMDB? From the point of view of what the LMDB developers would expect, I mean. (I have no idea which distros were distributing LMDB in the early days) 3. What are your intentions regarding this .so versioning in relation to adding/removing/changes to the API? Something like this, perhaps? https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info… 4. Another Linux distribution (NixOS 22.11, with lmdb 0.9.29) has *only* this under lib/: liblmdb.so (the original file) Does this sound right to you? What I mean is, when people compile LMDB down to an .so, would you expect them to normally add a version after the ".so"? (As they apparently did in Debian) Regards, Sam

2 2

Re: Uninstall
by Eric Fetzer 03 Apr '23

03 Apr '23

OK, so how do I uninstall what I have installed now? On Fri, Mar 31, 2023 at 9:15 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Friday, March 31, 2023 4:03 PM -0600 Eric Fetzer > <eric.fetzer(a)gmail.com> wrote: > > > > > From what I read, there are no repositories for RHEL 8.7. They were > > there for RHEL 7 but not 8. I read this in several places including > > here: > > > > > > > https://medium.com/@fengliplatform/setup-openldap-2-6-server-on-rhel-8-4- > > d8640b7fa22 > > > > > > > > Am I wrong? > > Yes. > > <https://repo.symas.com/> > > or > > <https://ltb-project.org/download.html> > > --Quanah > > > > >

2 2

Configuring LDAP in a pure-UNIX environment...
by Marco Gaiarin 02 Apr '23

02 Apr '23

I use OpenLDAP by years, but binded to Samba and using for the user management mostly Samba-aware tools (LAM and smbldap-tools) and using Samba account policy. Now i need to setup a 'pure' UNIX environment, in a debian box; i've enabled shadow data in account, but found that some very simple things (like locking an account, AKA 'passwd -l') simply does not work. Also there's no info if an account is locked (eg, password start with '!'), because the info is 'embedded' on the same password data, and so (and obviously) protected. Most of these things are not OpenLDAP fault, but really i dont't know how to ask for elsewhere... But there's some way to get around some limitation? EG, there's some way (via an overlay?) to ''compute'' the field 'shadowLocked = yes' if userPassword start with an '!', end expose that via an ACL? I've tried to search for some examples, but found nothing. Thanks. -- ...e andate chissa` dove per non pagar le tasse col ghigno e l'ignoranza dei primi della classe. (F. Guccini)

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical