openldap-technical

openldap-technical@openldap.org

21 participants
9802 discussions

olcPcacheAttrset/olcPcacheTemplate values for set acl
by Tio Teath 19 Nov '12

19 Nov '12

I'm trying to write ACL, using set entries, like this: to * by set="[cn=remote group,dc=host]/member & user" write, where cn=remote group,dc=host is a remote group, available via ldap-proxy. The remote group looks like this: dn: cn=remote group,dc=host cn: remote member: cn=user1,ou=users,dc=host member: cn=user2,ou=users,dc=host objectClass: group It works fine, except it raises search query to remote ldap server each time, I'm trying to search against objects, the ACL applies. Is it possible to set up pcache overlay to handle such kind of requests to speed up ACL processing? Which values olcPcacheAttrset and olcPcacheTemplate attributes should have?

1 0

Assertion failed: errno != EDEADLK, file alock.c, line 77
by cjkry156＠yahoo.co.jp 19 Nov '12

19 Nov '12

Hi World, We are using OpenLDAP 2.3.5 on Solaris 9. For security reason, System administrator start to use corporate LDAP, (disable local authorization) and disable inetd services (comment out inetd.conf). After that, when we try to start the OpenLDAP, this is not same as the corporate LDAP, we recived Dead lock error message as, Assertion failed: errno != EDEADLK, file alock.c, line 77 And the OpenLDAP was aborted. Does anybody know this error? Best Regards, Ken

2 2

OpenLDAP-Client TLS
by Martin.Heinzmann＠belden.com 19 Nov '12

19 Nov '12

Hi, i am trying to write my own client which connects to an active directory and searches for an user. So far it works, i call "ldap_initialize", set version 3, "ldap_simple_bind_s" and then search the directory. Now i want the connection to be secure by executing a "Simple TLS handshake ". I changed my hostname variable to "ldaps://ip:636" and tried "ldap_start_tls_s(ld,NULL,NULL)" before the bind but get a "cant contact ldap server" error. I think my active directory is configured the right way because with JXplorer it works over ssl and port 636. Does anyone know which functions i have to call so a successful tls connection will be set up? Regards Martin DISCLAIMER: Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company. Thank You.

3 3

Re: n-way multimaster replication with ssl and tls
by anil beniwal 16 Nov '12

16 Nov '12

Yes I am able to access using JXplorer using tls and 636. I am using diff self singed certificate for each server. I have done same configuration on 3 servers. i am having /etc/openldap/ldap.conf and /apps/openldap/etc/openldap/ldap.conf file I have compiled ldap to /apps/openldap directory. I am getting same output running on each server against the other 2 servers. [root@sjprodam01 ~]# openssl s_client -connect mmprodam01.abc.com:636 -showcerts CONNECTED(00000003) depth=0 C = IN, ST = HR, L = GGN, O = SAP, OU = ISST, CN = mmprodam01.abc.com verify error:num=18:self signed certificate verify return:1 depth=0 C = IN, ST = HR, L = GGN, O = SAP, OU = ISST, CN = mmprodam01.abc.com verify return:1 --- Certificate chain 0 s:/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com i:/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com -----BEGIN CERTIFICATE----- MIICoDCCAgmgAwIBAgIJAJ5P5x76CGAUMA0GCSqGSIb3DQEBBQUAMGkxCzAJBgNV BAYTAklOMQswCQYDVQQIDAJIUjEMMAoGA1UEBwwDR0dOMRAwDgYDVQQKDAdTQVBJ RU5UMQ0wCwYDVQQLDARJU1NUMR4wHAYDVQQDDBVtbXByb2RhbTAxLm5hc2Nhci5j b20wHhcNMTIxMTE2MDMyMDAxWhcNMTMxMTE2MDMyMDAxWjBpMQswCQYDVQQGEwJJ TjELMAkGA1UECAwCSFIxDDAKBgNVBAcMA0dHTjEQMA4GA1UECgwHU0FQSUVOVDEN MAsGA1UECwwESVNTVDEeMBwGA1UEAwwVbW1wcm9kYW0wMS5uYXNjYXIuY29tMIGf MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDETDjOiWY1hkHcZ82BRtDabD7mPN8 A9OwLAule0NC6Y76mI8fHDs+vip9P6ASyVaSkxT8g+dOLGDBBy7winj52wcnP9aW u38kE5Sm+suSFLlJ3A0uIfgmLr6dglyGsFMiYJCkeHKxBpF5zeJHTnKpqWZ+emwj XwO0Dv22AYvATQIDAQABo1AwTjAdBgNVHQ4EFgQUhhRZ1mSzr1zccS4aHSKcoy8o F5owHwYDVR0jBBgwFoAUhhRZ1mSzr1zccS4aHSKcoy8oF5owDAYDVR0TBAUwAwEB /zANBgkqhkiG9w0BAQUFAAOBgQCr2gh0U000EttpCQeSjAoUjjkHB3zWMpGZ64Pr SynPEy7uTFT4N5SRx11dZAHIOslQLhr8MiobqX+9EGvQo9ua3TQKd/jT+tgX32Nc iZZyerd6IcT4SZTvH67UZwTxtlqu397Ti8cI8fcqziHoY76MBHCVcG6pvpW4e5H+ LvitdA== -----END CERTIFICATE----- --- Server certificate subject=/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com issuer=/C=IN/ST=HR/L=GGN/O=SAP/OU=ISST/CN=mmprodam01.abc.com --- No client certificate CA names sent --- SSL handshake has read 1008 bytes and written 311 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 2D97EE613D427036C9A1B1BB5E2371283763DDA8A761D9BED3385D4793E6E061 Session-ID-ctx: Master-Key: 161A39EC4E5B5C0E0F211A014E6CE4B643F77C8C77B9175BFEF399A08319A56C9C199AF417E09EA9508579368E31F7AA Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket: 0000 - 82 43 eb e1 46 c2 bd 6f-7a 8b 44 20 cc 8a d5 c4 .C..F..oz.D .... 0010 - 9f 34 ee 02 36 1b 24 32-05 7e e4 3c a7 de 01 e6 .4..6.$2.~.<.... 0020 - c0 b9 39 8b 50 b6 b8 b2-21 3a 81 02 16 3d a1 b1 ..9.P...!:...=.. 0030 - b6 ac 98 fe 34 f5 ba e2-f1 e2 30 c8 ed ad f8 8b ....4.....0..... 0040 - 00 5f bf f8 ed 75 90 65-7e c1 e6 b5 b1 e7 a3 ba ._...u.e~....... 0050 - 75 67 6e a3 d2 ab f5 2b-20 77 31 90 cd 3f b0 38 ugn....+ w1..?.8 0060 - 1f 60 da e9 8e dc 7c e2-97 56 95 55 61 c9 51 da .`....|..V.Ua.Q. 0070 - c7 4f 65 13 48 64 8f 67-1d d1 75 b2 91 b2 7c b5 .Oe.Hd.g..u...|. 0080 - 7e 5f 6b 7b 61 e3 73 63-2b d7 91 c0 91 61 e7 27 ~_k{a.sc +....a.' 0090 - 16 4b c5 e9 e0 ea 03 7a-6c 77 51 77 5c b6 f0 93 .K.....zlwQw\... 00a0 - ab 82 f9 8c 23 06 61 88-86 43 5a 20 1a 11 c5 e7 ....#.a..CZ .... Compression: 1 (zlib compression) Start Time: 1353129151 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- ^C On Sat, Nov 17, 2012 at 11:22 AM, houston <houston.r.hopkins(a)gmail.com>wrote: > just curious, did you get ldap running over ssl on rhel 6.3? if so did > you have to compile your ownnor did you use the red hat version? i cant > seem to get ldapsearch to work over ldaps when using red hats 2.4 version > > thx, > Houston > > anil beniwal <beni.anil(a)gmail.com> wrote: > Hi List > > Can any body guide me through the steps required to setup n-way > multimaster(3 or more servers at diff countries) replication with > openldap 2.4.2 > > 1. ssl based > 2. tls based > > I am having normal replication running b/w 3 servers. Now i want to setup > secure replication. > > i am using self signed certificate on RHEL 6.3. > How can i validate whether replication is working fine for ssl or tls. > How to enable replication logs. > > Anything else i should check out. > > I have already gone through a lot of postings on google. > > > > > > > > -- > > Thanks&Regards > Anil Beniwal > > >

1 0

n-way multimaster replication with ssl and tls
by anil beniwal 16 Nov '12

16 Nov '12

Hi List Can any body guide me through the steps required to setup n-way multimaster(3 or more servers at diff countries) replication with openldap 2.4.2 1. ssl based 2. tls based I am having normal replication running b/w 3 servers. Now i want to setup secure replication. i am using self signed certificate on RHEL 6.3. How can i validate whether replication is working fine for ssl or tls. How to enable replication logs. Anything else i should check out. I have already gone through a lot of postings on google. -- Thanks&Regards Anil Beniwal

1 0

restricting access *to* entries by a group member
by Elan Ruusamäe 16 Nov '12

16 Nov '12

hi the goal is to make some users hidden from part of the ldap tree from Apache, as Apache mod_ldap requires only one entry to be returned for anonymous search it performs. there can be duplicates in the same ldap directory, like, for example there's another uid=glen present the tree looks like this: +- dc=example,dc=net +- cn=Manager +- ou=People +- uid=glen +- ou=Basement +- uid=glen +- ou=Groups +- cn=Hidden Users +- member: uid=glen,ou=People,dc=example,dc=net in what ou=Basement,ou=People,dc=example,dc=net is filled by "database ldap", and it causes duplicate uid entries in the directory (unavoidable) so far i have just static acl that is working: access to dn.regex="uid=(glen|somebody-else),ou=People,dc=delfi,dc=net" attrs=uid by anonymous =rcxd it would be better if that can be done by dynamic group lookup via acl. as i see it, there shoould be acl stating if access to uid=.+,ou=People,dc=example,dc=net is attempted, it is checked first that it is not "member" of cn=Hidden Users,ou=Groups,dc=example,dc=net and if it's member, access to entry is denied. however i'm unable to complete such acl rule i have read manual, and tried to experiment, but i can't make up such dynamic configuration. any help from the list? -- glen

1 0

Question about "sockbuf_max_incoming"
by Tianyin Xu 16 Nov '12

16 Nov '12

Hi, all, Good day! Could anyone explain the two following configuration directive: *sockbuf_max_incoming* <*integer*> Specify the maximum incoming LDAP PDU size for anonymous sessions. The default is 262143. *sockbuf_max_incoming_auth* <*integer*> Specify the maximum incoming LDAP PDU size for authenticated sessions. The default is 4194303. In which scenario, we need to configure these directive? What value should we set? Thanks a lot! Tianyin -- Tianyin XU, http://cseweb.ucsd.edu/~tixu/

1 0

DN matching rules
by Chris Card 16 Nov '12

16 Nov '12

Hi all, I see that openldap supports a number of matching rules for DNs, e.g. dnOneLevelMatch, dnSubtreeMatch, dnSubordinateMatch and dnSuperiorMatch. Please can someone point me to documentation about these matching rules? (Google doesn't seem to bring up much useful). Chris

4 9

Password policy
by jeevan kc 15 Nov '12

15 Nov '12

Hello thereI want to enable password policy on Openldap 2.4.30(to all users) running on Linux machine. I see that the ppolicy.ldif and ppolicy.schema are listed under /usr/local/etc/openldap/schema but are not present on /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the policy.ldif to the cn=config folder ? Is there like specific procedure to do that or can I add manually with ldapadd ? Also how do I enable that schema to all users ? Please help.

1 0

Re: last login time
by Clément OUDOT 15 Nov '12

15 Nov '12

2012/11/15 Quanah Gibson-Mount <quanah(a)zimbra.com> > > > d) I would note that RedHat's 2.4 build is linked to NSS, which is fairly > problematic. See <http://www.openldap.org/**lists/openldap-devel/201204/* > *msg00019.html<http://www.openldap.org/lists/openldap-devel/201204/msg00019.html>> > and <http://www.openldap.org/its/**index.cgi/?findid=7367<http://www.openldap.org/its/index.cgi/?findid=7367>>. > I do not know if the LTB project makes this same mistake or not. > > LTB packages use OpenSSL. Clément.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical