openldap-technical

openldap-technical@openldap.org

9 participants
9868 discussions

ldap dump filter
by val john 24 Sep '13

24 Sep '13

Hi guys i have openldap server with base url dc=ldap,dc=company,dc=com and our all the users are under ou=users,dc=ldap,dc=company,dc=com within that user base we have users with mail different mail address domains (gmail, yahoo.com , company.com ) by using command "slapcat -l user.ldiff" we can get entire dump of the openldap Is there any way to filter the slapcat dump so the i can get the dump file , only with users with "company.com" mail domain Please advice Thanks John

2 1

OpenLdap 2.4.28 accesslogs
by Steve Herrera 23 Sep '13

23 Sep '13

Hello, I have 2 openldap servers running on Ubuntu 12.04. One is the primary and the other is a slave. My problem is that ldap keeps dumping files into that directory log.00000000001 then log.000000002 and so on thus filling up the drive. Is it safe to remove these logs? How do i know which one it is still using. Ideally it would be great for the server to automatically remove the log once it was done using it. I could set up a cronjob to prune it but I don't know how far back it needs to the logs to be. Any ideas? Thanks

4 4

Wrong certificate being presented
by espeake＠oreillyauto.com 23 Sep '13

23 Sep '13

The authentication works on the single server we have which is running an older version of openLDAP (2.4.21). In my packet captures it appears that the older version of openLDAP is presenting the certificate we want it to present. The new version (2.4.31), although it has the same cert installed in the same place it is presenting an older self signed cert that has been removed. The new servers have been rebooted since this change so where could this possibly be cached at? This is from my slapcat of the new servers. dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcAuthzPolicy: any olcPidFile: /var/run/slapd/slapd.pid olcServerID: 1 ldap://tntest-ldap-3.example.com olcServerID: 2 ldap://tntest-ldap-1.example.com olcServerID: 3 ldap://tntest-ldap-2.example.com olcThreads: 8 olcTLSCACertificateFile: /etc/ldap/gd_bundle.crt olcTLSCertificateFile: /etc/ldap/wildcard.example.com.crt olcTLSCertificateKeyFile: /etc/ldap/wildcard.example.com.key olcToolThreads: 1 structuralObjectClass: olcGlobal creatorsName: cn=config entryUUID: 91cc0ae0-9e13-1032-84b5-0151b658a842 createTimestamp: 20130820183919Z olcLogLevel: config acl stats conns olcTLSCipherSuite: NORMAL olcTLSCRLCheck: none olcTLSVerifyClient: never entryCSN: 20130923150907.574575Z#000000#001#000000 modifiersName: uid=admin,dc=oreillyauto,dc=com modifyTimestamp: 20130923150907Z contextCSN: 20130923150907.574575Z#000000#001#000000 contextCSN: 20130923150843.855673Z#000000#002#000000 contextCSN: 20130919185322.242639Z#000000#003#000000 I tried doing an ldapmodify and delete the olcTLSCipherSuite and olcTLSCRLCheck that I added and they will not disappear. Thanks Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

1 1

Re: Invalid DN
by Justin Brown 19 Sep '13

19 Sep '13

Quanah, Thanks for the reply. That ended up being the problem. I figured the olcAccess line would allow anonymous searches, but I changed it to "to * by users read by users write" and actually created the cn=admin,dc=appName,dc=app simpleSecurityObject. Cheers, J On Thu, Sep 19, 2013 at 3:07 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, September 19, 2013 2:35 PM -0500 Justin Brown > <justin.brown(a)fandingo.org> wrote: > >> The problem is that I can't locate these objects using the ldap tools >> (ldapsearch and python-ldap). > > > You are doing anonymous searches. Likely you haven't granted anonymous > access to read these entries. > > Try ldapsearch -x -b "..." -D "..." -W > > with the values that are correct for your installation. > > --Quanah > > > -- > > Quanah Gibson-Mount > Lead Engineer > Zimbra Software, LLC > -------------------- > Zimbra :: the leader in open source messaging and collaboration

1 0

Invalid DN
by Justin Brown 19 Sep '13

19 Sep '13

Hello, I'm struggling to setup my Hdb database in OpenLDAP. I'm trying to create the entire directory from ldif files with cn=config. I have two initialization ldifs. The first one creates all the cn=config stuff, and also creates my Hdb database. The first file is too long to completely list here (I included core, cosine, nis, and inetorgperson schema ldifs.), but I'll put some excerpts here. dn: cn=config objectClass: olcGlobal cn: config ... dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema ... dn: cn={0}core,cn=schema,cn=config objectClass: olcSchemaConfig cn: {0}core ... (There are lots more for the other included schemas. I also have three custom objectClasses in cn=schema,cn=config, and one custom attributeType there, too.) The file finishes with the database configurations. dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend ... dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by * none olcRootDN: cn=config olcRootPW: secret ... dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcSuffix: dc=appName,dc=app olcDbDirectory: /var/lib/ldap olcRootDN: cn=admin,dc=appName,dc=app olcRootPW: secret olcAccess: to * by * write by * read ... This file runs successfully with slapadd: sudo -u ldap slapadd -l init.ldif -F /etc/openldap/slapd.d -n0 The second file is very simple and just sets up the root objects in my database. dn: dc=appName,dc=app objectClass: top objectClass: dcObject objectclass: domain dc: addressbook dn: dc=directory,dc=appName,dc=app objectClass: top objectClass: domain dc: directory This also runs successfully with sudo -u ldap slapadd -l init2.ldif -F /etc/openldap/slapd.d -n1 Now if I use slapcat to view the directory, I see those objects: sudo slapcat 523b5022 hdb_monitor_db_open: monitoring disabled; configure monitor database to enable dn: dc=appName,dc=app objectClass: top objectClass: dcObject objectClass: domain dc: addressbook structuralObjectClass: domain entryUUID: 37f1bd06-b5ad-1032-824f-6ffc71c73dcf creatorsName: cn=admin,dc=appName,dc=app createTimestamp: 20130919192708Z entryCSN: 20130919192708.309183Z#000000#000#000000 modifiersName: cn=admin,dc=appName,dc=app modifyTimestamp: 20130919192708Z dn: dc=directory,dc=appName,dc=app objectClass: top objectClass: domain dc: directory structuralObjectClass: domain entryUUID: 37f4023c-b5ad-1032-8250-6ffc71c73dcf creatorsName: cn=admin,dc=appName,dc=app createTimestamp: 20130919192708Z entryCSN: 20130919192708.324059Z#000000#000#000000 modifiersName: cn=admin,dc=appName,dc=app modifyTimestamp: 20130919192708Z The problem is that I can't locate these objects using the ldap tools (ldapsearch and python-ldap). ldapsearch -xb 'dc=addressbook,dc=app' gives result: 34 Invalid DN syntax text: invalid DN If I don't specify a base DN, then I get 32: No such object: ldapsearch -x '(objectClass=*)' # extended LDIF # # LDAPv3 # base <> (default) with scope subtree # filter: (objectClass=*) # requesting: ALL # # search result search: 2 result: 32 No such object Does anyone know why I cannot see my objects through the LDAP "interface?" My configuration seems entirely consistent with http://www.openldap.org/doc/admin24/slapdconf2.html. Thanks, J

2 1

PFS Ciphers
by manu＠netbsd.org 19 Sep '13

19 Sep '13

Hi I tried to use ciphers that bring PFS for OpenLDAP, but it did not work. I used this cipher specification: TLSCipherSuite ECDH:DH:!SHA:!MD5:!aNULL:!eNULL I test it this way: for i in `openssl ciphers ALL|tr ':' '\n'` ; do echo ''|openssl s_client -cipher $i -connect server:636 \ 2>/dev/null |awk '/ Cipher/{print }' ; done I get nothing. I understand ECDH needs some support code, but why aren't DH ciphers available? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

4 4

TLS negation failure
by espeake＠oreillyauto.com 19 Sep '13

19 Sep '13

We have a client server that is failing on the ssl handshake using TLS. The following is from the server log when the client is trying to connect. Sep 19 09:12:49 tntest-ldap-3 slapd[18796]: conn=3534 fd=28 ACCEPT from IP=172.17.1.10:55469 (IP=0.0.0.0:389) Sep 19 09:12:49 tntest-ldap-3 slapd[18796]: conn=3534 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Sep 19 09:12:49 tntest-ldap-3 slapd[18796]: conn=3534 op=0 STARTTLS Sep 19 09:12:49 tntest-ldap-3 slapd[18796]: conn=3534 op=0 RESULT oid= err=0 text= Sep 19 09:12:50 tntest-ldap-3 slapd[18796]: conn=3534 fd=28 closed (TLS negotiation failure) On the client when I run the following: openssl s_client -showcerts -connect tntest-ldap.oreillyauto.com:389 I get this on the client CONNECTED(00000003) 139669033973408:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 226 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE If I do the same command on port 636 I can see the certificate. All of our applications that use ldap are all set for TLS. Even if I force them to port 636 they fail. Any ideas to look at are appreciated. Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

2 2

auditing failed login attempts
by Paul B. Henson 18 Sep '13

18 Sep '13

Our security group is hassling us because we don't currently provide them an audit log of failed login attempts on our LDAP servers. For most of our other systems, we simply provide them a syslog feed with this information. However, openldap doesn't appear to have a logging level that provides detail about login attempts on a single line, but rather across many lines that would need to be correlated. It seems more like connection debugging logging as opposed to authentication logging. It looks like we might need to set up an accesslog overlay to log all of the attempted binds and then have a separate process that runs through that and generates the syslog feed to our ISO group's central logging server? That's a bit more overhead than I would like. Are there any other simpler ways of generating failed login logs? Thanks much.

5 8

Re: Multi-master setup in debian
by Listas de Correo 18 Sep '13

18 Sep '13

On Tue, Sep 17, 2013 at 9:49 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Tuesday, September 17, 2013 9:06 PM -0300 Listas de Correo < > toshiro.listas(a)gmail.com> wrote: > > Would you mind to provide me more details about the bugs and potential >> problems of using Debian packages? I'm not putting your statements in >> doubt, I just need to have solid and documented arguments to convince my >> boss that this extra work is really needed. >> > > Read the release notes for OpenLDAP: > > <http://www.openldap.org/**software/release/changes.html<http://www.openldap.org/software/release/changes.html> > > > > The FAQ from the Debian OpenLDAP package maintainers: > > <http://www.openldap.org/faq/**data/cache/1456.html<http://www.openldap.org/faq/data/cache/1456.html> > > > > The use of GnuTLS (What Debian links to instead of OpenSSL) is harmful: > > <http://www.openldap.org/lists/openldap-devel/200802/msg00072.html> > Ok, thanks for the info, I will look into it right away. I have an additional question about compiling from source: how do you handle upgrades? In Debian, I've just use apt-get upgrade, in the case of compiliing yourself, you just compile and then 'make install'? Is that enough or do you need to do any previous housekeeping? (I'm asking because I haven't found any mention of upgrade in the Administrator's Guide)

2 1

Re: Multi-master setup in debian
by Listas de Correo 18 Sep '13

18 Sep '13

Hi Quanah, On Tue, Sep 17, 2013 at 12:21 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > It is always interesting to me when someone emails the technical list, > asking for guidance from people who know the most about the software, and > then ignore it. I know what you mean, I've suffered that myself :) but there's a valid reason for trying to ignore your suggestion (that I explained in a previous message). > The Debian build of OpenLDAP is old, links to a potentially insecure SSL > implementation, and has a variety of known bugs present in it that are > known to affect replication, particularly multi-master. Understand that by > continuing to use the Debian package, you are essentially setting yourself > up for failure when looking at using Multi-Master Replication. > Would you mind to provide me more details about the bugs and potential problems of using Debian packages? I'm not putting your statements in doubt, I just need to have solid and documented arguments to convince my boss that this extra work is really needed. Thanks in advance for your help!

3 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical