openldap-technical

openldap-technical@openldap.org

11 participants
9876 discussions

Get last SSL Error?
by Eric Nichols (DirWiz) 23 May '11

23 May '11

After attempting ldap_sasl_bind on a LDAPS connection I am trying to determine the return error message from openssl. I am using the following: ldap_get_option(ld,LDAP_OPT_X_TLS_SSL_CTX,&sslptr); rc=SSL_get_error(sslptr,ret); What I cannot find is how to populate 'ret' for the SSL_get_error function. Is the last return code from OpenSSL stored in OpenLDAP somewhere so I can get a clearer picture on an SSL connection failure? Many thanks in advance, Eric

1 0

Re: Need help to create a new DN "myNewDN: cn=testUser, ou=testOU, dc=test, dc=local"
by Mahmudur Rahman Jami 23 May '11

23 May '11

Hi Bill, May thanks for your reply. I am running an openldap server with around 12,000 users. I was looking to replace "dn:" with "myNewDN:". However, i have got the solution. I have added the following to schema, ### attributetype ( 1.3.6.1.4.1.XXXX.2.3.XXX NAME 'myNewDN' DESC 'Test DN replacement' SUP distinguishedName ) ## Cheers........JAMI. On Mon, May 23, 2011 at 5:31 PM, Bill MacAllister <whm(a)stanford.edu> wrote: > > > --On Monday, May 23, 2011 11:01:33 AM +1000 Mahmudur Rahman Jami < > infojami(a)gmail.com> wrote: > > Hi, >> >> I want to create a new distinguishedName as follows (NOT as "dn: >> cn=testUser,ou=testOU,dc=test,dc=local"), >> >> "myNewDN: cn=testUser,ou=testOU,dc=test,dc=local" >> >> I have got a ldif with similar definition to import. I googled and found >> lot >> of examples related to "attributetype" and "objectClass" only, not related >> to this. >> Any help will be highly appreciated. >> >> Thanks, >> Jami >> > > Assuming that the root of your directory is dc=test,dc=local then you > need to created an entry for ou=testOU before you attempt to create > the entry for cn=testUser. > > For example you might try: > > ldapadd -h somehost -b dc=test,dc=local<<EOF > dn: ou=testOU,dc=test,dc=local > objectClass: top > objectClass: organizationalUnit > ou: testOU > > > dn: cn=testUser,ou=testOU,dc=test,dc=local > objectclass: top > objectclass: person > cn: testUser > sn: Smith > EOF > > Of course, you will need to bind to the directory some credentials > that will allow you to write to the directory. > > Bill > > -- > > Bill MacAllister > Infrastructure Delivery Group, Stanford University > >

1 0

Need help to create a new DN "myNewDN: cn=testUser, ou=testOU, dc=test, dc=local"
by Mahmudur Rahman Jami 23 May '11

23 May '11

Hi, I want to create a new distinguishedName as follows (NOT as "dn: cn=testUser,ou=testOU,dc=test,dc=local"), "myNewDN: cn=testUser,ou=testOU,dc=test,dc=local" I have got a ldif with similar definition to import. I googled and found lot of examples related to "attributetype" and "objectClass" only, not related to this. Any help will be highly appreciated. Thanks, Jami

3 3

syncrepl unbinds every 24 hours
by Curt Blank 23 May '11

23 May '11

We're using openLDAP 2.3.43 on RedHat 5 ES with delta syncrepl, one master four consumers. Every 24 hours at the same time syncrepl on the four consumers disconnect from the master then don't reconnect for 60 seconds. We have retry=60 so we know that but the question is can this disconnect behavior be stopped completely? We have type=refreshAndPersist set, that to me means refresh and persist not refresh and persist for 24 hours. Data getting to the consumers is time sensitive to the point that 5 seconds might be too long and cause confusion for our users from an authentication standpoint. Is there any way to stop this syncrepl disconnect behavior? -- Curt Blank Systems Administrator Technical Services Specialist University Information Technology Services University of Wisconsin-Milwaukee e-mail: curt(a)uwm.edu phone : (414) 229-3814

3 2

TLS replication/SALS bindmethod
by Darouichi, Aziz 23 May '11

23 May '11

Hi, I configured Muti-master replication, everything worked fine till I hashed rootpw to confirm to a hardcoded password in Oracle. I configured OpenLDAP servers to us SALS. This is my configuration. provider=ldap://xxx.xxx.xxx:389 bindmethod=sasl saslmech=external starttls=yes tls_cert=/etc/pki/tls/certs/slapd.pem tls_key=/etc/pki/tls/private/ldap.pem tls_cacert=/etc/pki/tls/certs/ca-bundle.crt tls_reqcert=demand binddn="cn=ldap,dc=establishment,dc=edu" credentials={SSHA}2vNffW+5hEolqIykgH9tCpxq9jTTVSSu searchbase="dc=establishment,dc=edu" schemachecking=on type=refreshAndPersist retry="60 +" when I run ldapsearch against servers I get response from both machines. ldapsearch -H ldap://server.establishment.edu -D "cn=ldap,dc=establishment,dc=edu" -w "PASSWORD" -x -b "dc=establishment ,dc=edu" "(objectclass=*)" uid. This what I get in the logs: May 23 09:37:01 ldap1 slapd[1559]: slap_client_connect: URI=ldap://xxx.xxx.edu:389 ldap_sasl_interactive_bind_s failed (-6) May 23 09:37:01 ldap1 slapd[1559]: do_syncrepl: rid=002 rc -6 retrying May 23 09:37:58 ldap1 slapd[1559]: conn=5220 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037" May 23 09:38:01 ldap1 slapd[1559]: slap_client_connect: URI=ldap://xxx.xxx.edu:389 Warning, ldap_start_tls failed (2) May 23 09:38:01 ldap1 slapd[1559]: slap_client_connect: URI=ldap://xxx.xxx.edu:389 ldap_sasl_interactive_bind_s failed (-6) May 23 09:38:01 ldap1 slapd[1559]: do_syncrepl: rid=002 rc -6 retrying Thanks

2 2

OpenLDAP Windows Compilation Failed
by mammar 23 May '11

23 May '11

Hi All, I am trying to compile the stable openldap-2.4.23 using the instructions mentioned in INSTALL file in the package. ./configure make depend The above two commands completed successfully make gives the following error Entering subdirectory libldap make[2]: Entering directory `/cygdrive/c/Documents and Settings/ma/Desktop/openldap-2.4.23/libraries/libldap' cc -g -O2 -I../../include -I../../include -c -o apitest.o apitest.c /bin/sh ../../libtool --mode=link cc -static -g -O2 -o apitest apitest.o libldap.la ../../libraries/liblber/liblber.la../../libraries/liblutil/liblutil.a -lsasl2 -lssl -lcrypto libtool: link: cannot find the library `Settings/ma/Desktop/openldap-2.4.23/libraries/liblber/liblber.la' or unhandled argument `Settings/ma/Desktop/openldap-2.4.23/libraries/liblber/ liblber.la' make[2]: *** [apitest] Error 1 make[2]: Leaving directory `/cygdrive/c/Documents and Settings/ma/Desktop/openldap-2.4.23/libraries/libldap' make[1]: *** [all-common] Error 1 make[1]: Leaving directory `/cygdrive/c/Documents and Settings/ma/Desktop/openldap-2.4.23/libraries' make: *** [all-common] Error 1 Can anyone suggest a solution/workaround? Regards,

1 0

Issue while Centralizing SUDO with OpenLDAP
by pradyumna dash 23 May '11

23 May '11

Hi, I am trying to acheive centralizing SUDO, but facing an issue,i suspect its something to do with sudoers.schema, May be am wrong. I think somehow the slapd process is not able to read it. Please suggest how to fix the issue. My LDAP structure is like : dc=example,dc=com Under this I have OU=People and i have created a OU called SUDOers. Then i have used the sudoers2ldif to generate the LDIF file for me. I have setted the env variable SUDOERS_BASE=ou=SUDOers,dc=example,dc=com. Then when am trying to add the ldif file it shows me below error. t710x02-6:/etc/openldap/schema # ldapadd -f /opt/newsudo.ldif -h 127.0.0.1 -D cn=Manager,dc=example,dc=com -W -x Enter LDAP Password: adding new entry "cn=defaults,ou=SUDOers,dc=example,dc=com" ldap_add: Invalid syntax (21) additional info: objectClass: value #0 invalid per syntax sudoers.ldif dn: cn=defaults,ou=SUDOers,dc=example,dc=com #objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOption's go here sudoOption: always_set_home sudoOption: env_reset sudoOption: env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" sudoOption: targetpw dn: cn=ALL,ou=SUDOers,dc=example,dc=com objectClass: top objectClass: sudoRole cn: ALL sudoUser: ALL sudoHost: ALL sudoRunas: ALL sudoCommand: ALL dn: cn=root,ou=SUDOers,dc=example,dc=com objectClass: top objectClass: sudoRole cn: root sudoUser: root sudoHost: ALL sudoRunas: ALL sudoCommand: ALL dn: cn=prad,ou=SUDOers,dc=example,dc=com objectClass: top objectClass: sudoRole cn: prad sudoUser: prad sudoHost: ALL sudoRunas: ALL sudoCommand: ALL sudoers.schema # # OpenLDAP schema file for Sudo # Save as /etc/openldap/schema/sudo.schema # attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) ) Please help me to solve this issue. I am using SLES 11 and SUDO 1.6.9p17 Regards, Neo

3 3

Slapd, GNUTLS on Debian/Squeeze
by David Dumortier 23 May '11

23 May '11

Hi everybody, I try to setup a slapd with TLS. ldd /usr/sbin/slapd returns gnutls.so as waited. I generated a self-signed certificate with these options : certtool --generate-privkey --outfile /etc/ldap/ssl/mykey.key certtool --generate-request --load-privkey /etc/ldap/ssl/mykey.key --outfile /etc/ldap/ssl/mycsr.csr Basic Constraints (critical): Certificate Authority (CA): TRUE Key Purpose (not critical): TLS WWW Client. TLS WWW Server. Code signing. OCSP signing. Time stamping. Key Usage (critical): Digital signature. Key encipherment. Certificate signing. CRL signing. My slapd start but when I try a debug I have : # gnutls-cli-debug -p 636 myip Checking for TLS 1.1 support... no Checking fallback from TLS 1.1 to... failed Checking for TLS 1.0 support... no Checking for SSL 3.0 support... no Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 Here is my slapd conf : olcTLSVerifyClient: demand olcTLSCertificateFile: /etc/ldap/ssl/mycsr.csr olcTLSCertificateKeyFile: /etc/ldap/ssl/mykey.key Any help would be appreciate -- David Dumortier

5 12

smbk5pwd tries to load krb when not configured
by Mike Noordermeer 22 May '11

22 May '11

Hi, I'm running slapd v2.4.23 with a cn=config configuration format. The LDAP tree both has the Kerberos as well as the Samba scheme loaded. I'm trying to setup smbk5pwd to sync Samba passwords with the LDAP passwords. Note that I do not want to do anything with the Kerberos passwords. I use the following configuration snippet: dn: olcOverlay={2}smbk5pwd objectClass: olcOverlayConfig objectClass: olcSmbK5PwdConfig olcOverlay: {2}smbk5pwd olcSmbK5PwdEnable: samba olcSmbK5PwdMustChange: 0 This leads to an error in the logs and the module not loading: May 22 11:02:55 host slapd[3160]: smbk5pwd: unable to initialize krb5 admin context: failed to open /var/lib/heimdal-kdc/m-key: Permission denied (13). Seems like smbk5pwd still wants to load the Kerberos stuff... Any ideas? -- tia, Mike Noordermeer mike(a)normi.net

1 0

SSL Connect Error message?
by Eric Nichols (DirWiz) 21 May '11

21 May '11

I checked through the archives and couldn't find a real mention of this. When a failed connection happens over SSL (OpenSSL) the most information I can get back is what ldap_err2string returns. The problem is I don't know if it's a true connection failure or a SSL session error or even a certificate error. Is there a way to get more useful information out of a failed SSL connection. I do know about LDAP_OPT_X_TLS_SSL_CTX but can't figure out if that points to an error message somewhere. -- Many thanks Eric

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical