openldap-technical

openldap-technical@openldap.org

13 participants
9906 discussions

Bind failures via open ldap proxy for few users -
by shekhar.shrinivasan＠gmail.com 11 Jun '22

11 Jun '22

Hi, We have setup a open ldap proxy with AD backend and we are seeing the following bind error for some users. The only difference in successful bind users versus the failed ones is the addition of square brackets "[]" in the user profile. As seen below for the failed users "X" is inside square brackets. Can you please provide some pointers on this issues. Thanks for your help as always. For example - cn=Terry\2C Troy [X],ou=X Accounts,ou=Users,ou=Users & Groups,dc=or,dc=myorg,dc=org --> BIND FAILED cn=CN=Meza\, Rosalinda X,ou=X Accounts,ou=Users,ou=Users & Groups,dc=or,dc=myorg,dc=org --> BIND SUCCESS slapd[15544]: conn=3206402 op=6 BIND dn="cn=Terry\2C Troy [X],ou=X Accounts,ou=Users,ou=Users & Groups,dc=or,dc=myorg,dc=org" method=128 slapd[15544]: conn=3206402 op=6 meta_back_search[3] match="OU=X Accounts,OU=Users,OU=Users & Groups,dc=or,dc=myorg,dc=org" err=32 (No such object) text="0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:#012#011'OU=X Accounts,OU=Users,OU=Users & Groups,DC=or,dc=myorg,DC=org'#012". slapd[15544]: conn=3206402 op=6 meta_back_bind: no target for dn "cn=Terry\2C Troy [X],ou=X Accounts,ou=Users,ou=Users & Groups,dc=or,dc=myorg,dc=org" (32). slapd[15544]: conn=3206402 op=6 RESULT tag=97 err=49 text=

1 0

Failing to modify olcSizeLimit
by RAIMBAULT Alain - Contractor 10 Jun '22

10 Jun '22

Hi, I am trying to modify my DB parameters to fix following issue, root@laselainfldap01p:~# ldaplist passwd ldaplist: libsldap.so.1 internal error LDAP configuration problem: LDAP ERROR (4): Error occurred while receiving results. Size limit exceeded. and libldap returned: (4) using ldaps://laselainfldap01p:636 root@laselainfldap01p:~# To achieve this, I attempted the following but I got priviledge issue accessing the DB .... # cat sizelimit.ldif dn: cn=config changetype: modify replace: olcSizeLimit olcSizeLimit: -1 root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# ldapmodify -v -H ldapi:/// -Y EXTERNAL -f sizelimit.ldif ldap_initialize( ldapi:///??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 replace olcSizeLimit: -1 modifying entry "cn=config" ldap_modify: Insufficient access (50) root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# ldapmodify -v -h 10.136.16.197 -D "cn=Manager,dc=tosa,dc=thales" -w tco_tosa_thales -f sizelimit.ldif ldap_initialize( ldap://10.136.16.197 ) replace olcSizeLimit: -1 modifying entry "cn=config" ldap_modify: Insufficient access (50) root@laselainfldap01p:/etc/openldap/slapd.d/cn=config#<mailto:root@laselainfldap01p:/etc/openldap/slapd.d/cn=config#> Some priviledge access seems missing but I do not understand how to setup this. Could you, please, provide some directions on this. Kind regards, Alain

4 13

dynlist +memberOf loses casing in memberOf attribute
by Felix Schäfer 07 Jun '22

07 Jun '22

Good evening, We are currently in the process of upgrading our OpenLDAP installation and we have hit a behaviour we can’t explain by perusing the documentation. When using slapo-dynlist to set memberOf attributes the dn of the group the object is a member of gets lowercased. So for example the object that is a member of a group has: === memberOf: ou=kiosk,ou=ags,ou=groups,dc=fsinfo,dc=cs,dc=tu-dortmund,dc=de === Although the group has a dn of: === dn: ou=Kiosk,ou=AGs,ou=groups,dc=fsinfo,dc=cs,dc=tu-dortmund,dc=de === Is this expected behaviour? Is there a setting we overlooked? Is this is a bug in the version shipped with Ubuntu (2.5.6+dfsg-1~exp1ubuntu1.1)? Thank you, Felix

5 21

olcTLSProtocolMin not taking effect
by juan＠quantifind.com 06 Jun '22

06 Jun '22

Hi all - As part of routine security remediation my company asked me to remove the support for older TLS versions from my LDAP server. To this effect I restarted the service after running the following: sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -a -f olcTLSProtocolMin.ldif Here is the content of olcTLSProtocolMin.ldif dn: cn=config changetype: modify add: olcTLSProtocolMin olcTLSProtocolMin: 3.3 When I look at the /etc/ldap/slapd.d/cn=config.ldif file I can see the olcTLSProtocolMin: 3.3 entry. however, when I scan the LDAP server using Nessus, the scanner reports older versions of TLS still available. Also if I scan the supported TLS version using nmap it also reports TLS1.0-TLS1.2 If it helps here is the cn=config.ldif file is here dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: stats sync olcPidFile: /var/run/slapd/slapd.pid olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem olcTLSCertificateFile: /etc/ssl/certs/my_cert.pem olcTLSCertificateKeyFile: /etc/ssl/private/my_slapd_key.pem olcToolThreads: 1 structuralObjectClass: olcGlobal entryUUID: SomeUUID creatorsName: cn=config createTimestamp: 20160311213839Z olcTLSProtocolMin: 3.3 entryCSN: 20220601202658.429433Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber Any help will be greatly appreciated. JRosario

2 4

Re: Antw: [EXT] Re: slow memberOf queries in 2.5 with dynlist overlay
by Paul B. Henson 03 Jun '22

03 Jun '22

On 5/30/2022 11:53 PM, Ulrich Windl wrote: > I wonder: Would forcing a core dump help in that situation, or would a > gprof-compile be helpful? Unfortunately I can't reproduce it; it just happens randomly on my production boxes, less frequently since I increased the amount of memory on them. I'm not sure I could run a debug or profiling build in production for an extended amount of time waiting for it to happen. And with my luck it would be a heisenbug anyway 8-/. > Maybe one could track down the page fault to some code (function) using tools > from the valgrind family (Cachegrind, callgrind, etc.) > http://www.valgrind.org/docs/manual/manual-core-adv.html#manual-core-adv.va…

1 0

OpenLDAP 2.6.2 on RHEL8: add password policy
by Real Villafan, Elizabeth (US 392K) 01 Jun '22

01 Jun '22

Hello, I'm upgrading from openldap 2.4 running on RHEL7 up to 2.6.2 and RHEL8 on new hardware, apparently the way to configure password policy now is by configuring the slapd.conf file rather than loading the ppolicy schema. How do I modify that file properly? I read https://www.openldap.org/doc/admin26/overlays.html#Password%20Policies on section 12.10.2. Password Policy Configuration, what does it mean to "Instantiate the module in the database"? do you have a sample slapd.conf file I can refer to? Thank you, Liz

2 3

2.5 LTS release with OpenSSL 3.0
by barry.greenberg＠oracle.com 01 Jun '22

01 Jun '22

Is there any information about the release of OpenLDAP 2.5.x that includes support for OpenSSL 3.0? I see that it's now supported in 2.6.2 but we'd prefer to stay on the 2.5 branch for the foreseeable future. Thanks.

1 0

slow memberOf queries in 2.5 with dynlist overlay
by Paul B. Henson 30 May '22

30 May '22

I'm still trying to figure out why my servers sometimes get into a state where queries requesting the memberOf attribute take an exceedingly long time to process, for example: Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 fd=104 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi) Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 op=0 BIND dn="cn=ldaproot,dc=cpp,dc=edu" method=128 Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 op=0 BIND dn="cn=ldaproot,dc=cpp,dc=edu" mech=SIMPLE bind_ssf=0 ssf=71 Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000050 text= Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 op=1 SRCH base="dc=cpp,dc=edu" scope=2 deref=0 filter="(uid=henson)" Feb 13 19:46:05 ldap-02 slapd[13564]: conn=297643 op=1 SRCH attr=memberOf Feb 13 19:46:42 ldap-02 slapd[13564]: conn=297643 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000012 etime=36.955710 nentries=1 text= How is the qtime calculated? It is nice and short, despite the wall clock reading over 30 seconds :(. Usually I have to reboot the server completely to clear this up, but this time I just had to restart it, and then the queries were lickity split again: Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 fd=40 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi) Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=0 BIND dn="cn=ldaproot,dc=cpp,dc=edu" method=128 Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=0 BIND dn="cn=ldaproot,dc=cpp,dc=edu" mech=SIMPLE bind_ssf=0 ssf=71 Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=0 RESULT tag=97 err=0 qtime=0.000009 etime=0.000088 text= Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=1 SRCH base="dc=cpp,dc=edu" scope=2 deref=0 filter="(uid=henson)" Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=1 SRCH attr=memberOf Feb 13 19:55:01 ldap-02 slapd[89655]: conn=1556 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000013 etime=0.213149 nentries=1 text= Over 30 seconds elapsed time to .2 seconds? I'd like to see the .2 all the time :). When the server gets like this, there's a very high read IO load, 200-300Mb/s, compared to generally less than 1Mb/s when things are working right. It almost seems like it's doing a full disk scan searching for members every time. Any suggestions on what to dig into? Thanks...

5 16

rewriting non-DN attribute values with rwm?
by Kartik Subbarao 29 May '22

29 May '22

I'd like to rewrite the following entry: dn: uid=user(a)olddomain.com,dc=olddomain,dc=com uid: user(a)olddomain.com mail: user(a)olddomain.com to appear and behave like this: dn: uid=user(a)newdomain.com,dc=newdomain,dc=com uid: user(a)newdomain.com mail: user(a)newdomain.com I can get the DN rewritten with slapd-relay and rwm-suffixmassage, and can use rwm-rewriterule with the searchFilter and searchEntryDN contexts to return the entry when querying for mail=user(a)newdomain.com. But I can't figure out how to rewrite the *values* of the uid and mail attributes in the returned entry to user(a)newdomain.com. What is the best way to achieve this? Thanks, -Kartik

2 2

result not in cache
by Stefan Kania 29 May '22

29 May '22

I'm testing the openldap cache module pcache with OpenLDAP 2.6 on Debian11 (symas-packages). The proxy has the following config: (I'm testing caching so no security is set) -------------- include /opt/symas/etc/openldap/schema/core.schema include /opt/symas/etc/openldap/schema/cosine.schema include /opt/symas/etc/openldap/schema/nis.schema include /opt/symas/etc/openldap/schema/inetorgperson.schema pidfile /var/symas/run/slapd.pid argsfile /var/symas/run/slapd.args loglevel any modulepath /opt/symas/lib/openldap moduleload back_mdb.la moduleload argon2.la moduleload back_ldap moduleload pcache sizelimit 500 tool-threads 1 database ldap suffix "dc=example,dc=net" uri "ldap://ldap-server.example.net" rootdn "cn=admin,dc=example,dc=net" protocol-version 3 rebind-as-user overlay pcache pcachePersist TRUE pcache mdb 100000 2 1000 100 pcacheAttrset 0 mail postaladdress telephonenumber givenname pcacheAttrset 1 uid employeetype pcacheTemplate (sn=) 0 3600 pcacheTemplate (&(sn=)(givenName=)) 0 3600 pcacheTemplate (&(departmentNumber=)(secretary=*)) 0 3600 directory /var/symas/cache index objectclass eq index uid,cn,sn,mail,givenname pres,eq,sub -------------- The following host are involved: ldap-server<----->ldap-proxy<----->ldap-client The ldap-client can only access the ldap-proxy. (ldap.conf ist pointing to the ldap-proxy) Now I do a: ldapsearch -x '(&(sn=Kania)(givenName=Stefan))' givenname The first time I can see that the proxy is asking the ldap-server and is giving the result to the ldap-client. Each time I repeat the command on the ldap-client, only the log from the ldap-proxy is showing the access from the ldap-client. The ldap-client is getting the result from the proxy. I can even shutdown the ldap-server and the client is still getting the result from the proxy. Up to this point I understand the log but if I set "loglevel any" I see: ------------ access_allowed: result not in cache (givenName) ------------ But I think the result IS in the cache otherwise I would not get the result with the ldap-server turned off. So why do I get this messages?

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical