openldap-technical

openldap-technical@openldap.org

7 participants
9864 discussions

Delta-sync replication: is it possible to force resync delta?
by skeletor 03 Mar '22

03 Mar '22

Hi. I use delta-sync replication on version 2.4. Sometimes, some records don't send to slave. Insofar as this is delta-sync after a new update slave receive only last update. Therefore slave and master are not consistent. Is it possible run force resync from accesslog to consistent check if all records are present on slave? May be this is a bug on version 2.4 and it already has been fixed in newer version? master 2.4.57 slave 2.4.55

6 10

disable SSL/TLS renegotiation
by Stefan Bauer 03 Mar '22

03 Mar '22

Hi, our security scanner reports SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094) for port TCP/636. I could not find a way to disable SSL/TLS renogitation for openldap. How can this be disabled? Any help is greatly appreciated. Thank you. Stefan

2 1

Problem with ppolicy overlay and userPassword attribute
by Frederic Dussurget 01 Mar '22

01 Mar '22

Hi, We're facing the following issue : * From one side, we have to store two values (same password with two different encodings) within the userPassword attribute (eg. https://datatracker.ietf.org/doc/html/rfc4519#section-2.41) * On the other side, we do have to use the ppolicy overlay in order to hash to Argon2 automatically passwords that are sent in cleartext, in order to to use the pwdLastSuccess attribute (storing last authentication date) and pwdAccountLockedTime (account deactivation), but this overlay does not seem to support multiple values in the userPassword attribute as it looks to be described in the following abstract : https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10#… and https://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apr… We're not able to add a user account with two values in the userPassword attribute : [root@openldap25 ~]# cat testuser_add.ldif dn: uid=testuser,ou=people,dc=my-domain,dc=fr objectClass: person objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: top uid: testuser cn: testuserCN sn: testuserSN userPassword: password userPassword: drowssap [root@openldap25 ~]# ldapadd -H ldaps://localhost:636 -x -D "cn=Manager,dc=my-domain,dc=fr" -W -f testuser_add.ldif Enter LDAP Password: adding new entry "uid=testuser,ou=people,dc=my-domain,dc=fr" ldap_add: Constraint violation (19) additional info: Password policy only allows one password value However, we're able to add a user with a single value in the userPassword attribute, then, adding a second value thru the next LDAP request : [root@openldap25 ~]# cat testuser_add.ldif dn: uid=testuser,ou=people,dc=my-domain,dc=fr objectClass: person objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: top uid: testuser cn: testuserCN sn: testuserSN userPassword : password [root@openldap25 ~]# ldapadd -H ldaps://localhost:636 -x -D "cn=Manager,dc=my-domain,dc=fr" -W -f testuser_add.ldif Enter LDAP Password: adding new entry "uid=testuser,ou=people,dc=my-domain,dc=fr" [root@openldap25 ~]# cat testuser_mod.ldif dn: uid=testuser,ou=people,dc=my-domain,dc=fr changetype: modify add: userPassword userPassword: drowssap [root@openldap25 ~]# ldapmodify -H ldaps://localhost:636 -x -D "cn=Manager,dc=my-domain,dc=fr" -W -f testuser_mod.ldif Enter LDAP Password: modifying entry "uid=testuser,ou=people,dc=my-domain,dc=fr" [root@openldap25 ~]# ldapsearch -x -H ldaps://localhost:636 -D "cn=Manager,dc=my-domain,dc=fr" -W -LLL -b "ou=people,dc=my-domain,dc=fr" "(uid=testuser)" userPassword Enter LDAP Password: dn: uid=testuser,ou=people,dc=my-domain,dc=fr userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MixwPTEkZjlPc3NtRFZ DWmlzQk1IVEhWczRMZyRsMVAvbWdEdTA1bEpBc2pxcVF6aERYaENMV1BudnQyeDlRTDdweXFnVDFV userPassword:: e0FSR09OMn0kYXJnb24yaWQkdj0xOSRtPTY1NTM2LHQ9MixwPTEkVk5ST1FMZFp 2Q0ptajNIcHQxYWtZdyRRcjJDYUpKSjZSWlhvZjFicDJmNGNOaGlRa3E5czlCU0FTbEtVNFoxYjBj Considering configuration, we're running an OpenLDAP 2.5.7 server (LTB project) on a RHEL8 OS. * ppolicy overlay dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {0}ppolicy olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: FALSE olcPPolicyForwardUpdates: FALSE olcPPolicyDisableWrite: FALSE olcPPolicySendNetscapeControls: FALSE olcPPolicyDefault: cn=default,ou=ppolicies,dc=my-domain,dc=fr * default password policy dn: ou=ppolicies,dc=my-domain,dc=fr objectClass: organizationalUnit objectClass: top ou: ppolicies dn: cn=default,ou=ppolicies,dc=my-domain,dc=fr objectClass: pwdPolicy objectClass: organizationalRole cn: default pwdAttribute: userPassword pwdLockout: TRUE * password storage dn: olcDatabase={-1}frontend,cn=config olcPasswordHash: {ARGON2} Question : * Is that behaviour normal ? * May we keep on leaning on this behaviour without fearing that this ability of adding a second value to the userPassword attribute will be revoked in the future versions/fix/patches of the service ? Thank you in advance for your assistance. Best regards, Frédéric Dussurget / Maxime Schmutz Université Lumière Lyon 2

3 15

LMDB storage layout and page structure
by Ivan Unknown 28 Feb '22

28 Feb '22

Hello! I have been looking at the LMDB project code trying to learn and understand how a database could be implemented; however, I have been struggling to answer the questions below for quite some time, partially due to my limited knowledge of C: - How does LMDB store keys and values in the page? I have learned that a page consists of the header, slots, and key-value pairs but how does the database handle keys and values that are too large to fit within a page? - I found that LMDB does not keep a fixed number of keys per page, so that would depend on the key-value pairs' sizes already inserted into the page. Is this correct? Does it mean that B+tree pages (branch or leaf) could have a different number of keys depending on the key size? How does it affect performance or implementation of the B+tree? - Are there any limitations on the size of a key? Can it be of an arbitrary length? - What is the difference between IS_LEAF and IS_LEAF2 flags in the page header? What is the difference between these pages? - How do overflow pages work in LMDB? From what I could understand, if a key or a value does not fit in the page, it will be stored in the overflow page (the entire page is allocated for that specific key or value). Is this correct? What happens when the key size is several times larger than the page size, e.g. 1MB value with 4KB pages? - What is a sub-page in LMDB (F_SUBDATA)? How does it work? I would greatly appreciate it if someone could share links to the documentation that covers internals of the database, online videos, research papers, mailing lists, or any notes you could share to help me understand the above. Thank you very much! Cheers, Ivan

2 1

Password policies and hashed passwords
by Felix Natter 26 Feb '22

26 Feb '22

Dear openldap-technical users, my password policies (openldap 2.5.11) are not enforced and Roland Gruber (author of LAM (Pro)) kindly advised me that passwords must be stored in plaintext (Hash=PLAIN) in order to be able to enforce password minimal length, password quality etc (i.e. when using passwd(1) on Linux or an LDAP client on Windows). Currently we are storing passwords as base64 encoded (::*) Salted SHA1 hashes ("{SSHA}*") (according to slapcat -n 1). tl;dr: For enforcing password policies, what is the role of "password-hash:PLAIN"(?) and olcPPolicyHashCleartext: TRUE (applied to dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config) and what is the security implication of these changes (we are using starttls on linux / ssl on windows with a self-signed certificate in intranet)? - Is it (necessary and) enough to switch to "password-hash:PLAIN" to be able to enforce password policies? Does olcPPolicyHashCleartext: TRUE [alone] help as written in this post [1]? [1] https://www.openldap.org/lists/openldap-technical/201708/msg00024.html EDIT: I think that olcPPolicyHashCleartext==ppolicy_hash_cleartext (one is OLC, one is trad. config)? -> can we update the documentation [2]? [2] https://www.openldap.org/doc/admin25/guide.html#Password%20Policies - I am worried about security when storing/transferring pwds in plain text (we are using starttls on linux / ssl on windows with a self-signed certificate in intranet) [3]. Will "ppolicy_hash_cleartext" [2] help with this? [3] The manual states "Unfortunately, as dictionary and brute force attacks are generally quite easy for attackers to successfully mount, this advantage is marginal at best (this is why all modern Unix systems use shadow password files)." Many Thanks and Best Regards, Felix -- Felix Natter

3 11

ldap_start_tls_s fails
by James Gordon 25 Feb '22

25 Feb '22

Hi, I have just installed symas openldap v2.6. Everything seems to be running ok, except that I cannot get C interface ldap_start_tls_s() to work. If I do something like this the program works fine: ldap_initialize(&ld, HOST)); rc = ldap_simple_bind_s(ld, BASEDN, BASEPWD); ldap_unbind(ld); However, if I do something like this the program fails with ldap error string "local error": ldap_initialize(&ld, HOST)); ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE); ldap_start_tls_s(ld, NULL, NULL); rc = ldap_simple_bind_s(ld, BASEDN, BASEPWD); ldap_unbind(ld); From the command line, TLS seems to work fine: The following works ok: ldapsearch -H ldap://ldap.domain.com:389 -D "cn=admin,dc=domain,dc=com" -w secret -b “ou=users,dc=domain,dc=com” -ZZ This also works ok from a different server openssl s_client -verify 10 -starttls ldap -showcerts -connect ldap.domain.com:389 -CApath /etc/ssl/certs (verification = ok): However, if I omit the CApath it fails, not sure if that is a clue to the problem: openssl s_client -verify 10 -starttls ldap -showcerts -connect ldap.domain.com:389 (Verification error: unable to get local issuer certificate). Any help would be appreciated. If this is the wrong list, let me know. ldapsearch -H ldap://ldap.red0rb.com:389 -D "cn=admin,dc=red0rb,dc=com" -w MdKlUIGYm0o63HxQ0RWYuKWkRkgr3Ohy -b “ou=users,dc=red0rb,dc=com” -ZZ

1 0

Re: 2.5 Quick-Start guide roadblock: ldap_bind: Confidentiality required (13)
by Ben Poliakoff 24 Feb '22

24 Feb '22

> > Steps 1-7 involve building the software, which I would not expect you to > be > doing if you're using Symas' packages? > You are, of course, correct about my having not compiled slapd, I misspoke. > In any case, I have no idea what changes you made to the original LDIF. I > have no such issue doing only the changes advised in the quickstart guide: > I sorted out what was happening. I was using the ldapadd command syntax from the Quick-Start guide, which doesn't use the '-H ldap:///' parameter, so ldapadd was picking up defaults from /etc/ldap/ldap.conf and happily talking to our existing production slapd, running on a different server (which of course does require secure binds). However, when I added '-H ldap:///' to the ldapadd command, ensuring that the ldap traffic was now going to the correct server (headpalm), the command fails with "ldap_bind: Invalid credentials (49)". At this point the olcRootPW in my slapd.ldif is the default ("secret"), and I can see that the base64 encoded olcRootPW in "slapd.d/cn=config/olcDatabase={1}mdb.ldif" is "olcRootPW:: c2VjcmV0" (which is, in fact the base64 encoding for "secret"). Does anyone have debugging approaches that might help me sort out why slapd isn't happy with the password? Also with regard to this mailing list's protocol, would it be better to ask this question in a separate thread? (It's humbling to be asking such phenomenally basic questions, having built and managed our existing openldap servers for many many years.) Ben

2 1

Is there a way to expose SLDAP Server Metrics to Prometheus?
by vtejaswini1＠gmail.com 24 Feb '22

24 Feb '22

It would be interesting if there were any official Prometheus exporter to monitor LDAP metrics. If we have one such exporter, does it authenticate LDAP Server to aggregate/formulate/capture metrics? Thanks, Teja

3 4

Unable to change ssl version on openldap 2.6.0
by Frédéric Goudal 24 Feb '22

24 Feb '22

Hello, For a legacy application we need to drop the ssl version available on our openldap server. Currently it supports TLSv1.2, checked with nmap --script ssl-enum-ciphers -p 636 host What ever value I put on olcTLSProtocolmin the ssl version does not change… I have tried 3.0 3.1 3.2… What do I miss ? Or is it a feature ? Thanks in advance f.g. — Frédéric Goudal Ingénieur Système, DSI Bordeaux-INP +33 556 84 23 11

2 6

Is there a way to silence or redirect BIND Operation Logs in SLDAP?
by vtejaswini1＠gmail.com 23 Feb '22

23 Feb '22

Hi, For each LDAP BIND Operation, SLDAP Server logs a significant amount of logs (> 10 Log Lines). Is there a way to silence or redirect or configure these logs or BIND Operation itself? Thanks, Teja

2 5

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical