openldap-technical

openldap-technical@openldap.org

11 participants
9876 discussions

question about cn=config replication and security.
by Mailing Lists 12 Feb '11

12 Feb '11

Hello. I'm running a pair of openldap 2.4 servers which replicate cn=config DB in mirror mode. Is there a way to configure a RO user (like user from BDB) for cn=config DB, so should someone get a hold of it's password, and still will not be able to change the configs ? Regards.

3 2

Mac OS X OpenLDAP allows anonymous access to all fields
by RAT 11 Feb '11

11 Feb '11

The ongoing saga... While trying to add the ACL for to hide userPassword, we get the following error: ldap_modify: Insufficient access (50) I'm beginning to think Apple has this locked down... Robert Threet http://yesistilluseperl.blogspot.com/ ____________________________________________________________ Obama Urges Homeowners to Refinance If you owe under $729k you probably qualify for Obama's Refi Program http://thirdpartyoffers.netzero.net/TGL3231/4d559f3cb35e427677est06duc

2 1

port level security for auth and anon
by Christopher Louis Jackson 11 Feb '11

11 Feb '11

I am looking for help with setup of security with my openldap config. I currently have RHEL 6 with ldap:// and ldaps:// working for both auth binds and anon binds. What I want to do is allow anon binds on ldap:// and require authentication over an encrypted stream on ldaps:// my current access is set to: access to attrs=userPassword by anonymous auth by self read by * none access to * by * read I do not have a security statement in my slapd.conf. I have tried a few things such as changing the userpassword access to: access to userPassword > by anonymous auth sasl_ssf=128 break > by anonymous auth tls=128 > by self read but the syntax is not correct and the config will not load with above. Any help would be great. Chris Jackson

2 1

slapd security based on port
by Chris Jackson 11 Feb '11

11 Feb '11

Is it possible to prevent anonymous and unauthenticated binds to ldaps:// 636 but allow them on ldap:// 389? I want to allow staff to query my ldaps:// outside of my network while requiring them to login to do so but allow anyone to bind (anonymous, unauthenticated, or authenticated) internally on ldaps//: 389. I know: Anonymous bind can be disabled by "disallow bind_anon" and Unauthenticated bind mechanism is disabled by default. But if I use "disallow bind_anon it stops in on both ports. I want to stop it just on ldaps://. Chris Jackson ____________________________________________________________________________________ We won't tell. Get more on shows you hate to love (and love to hate): Yahoo! TV's Guilty Pleasures list. http://tv.yahoo.com/collections/265

1 0

10 Feb '11

Hello! Is it possible to use email to login to LDAP ? I'm working on mail management panel where users are identified by emails. Now I'm searching tree for DN of particular email and then I'm logging with DN and password, but I'd like to avoid this search if possible... best regards JT.

2 1

stopping anonymous access to userPassword
by RAT 10 Feb '11

10 Feb '11

I'm unaccustomed to the new (non-slapd.conf) way of adding ACL/ACI's. I'm trying exclude anonymous access to the password. We've tried this to no affect: olcAccess: to dn.base="cn=users,dc=lib-mac,dc=local" by * read olcAccess: to dn.base="cn=Subschema" by * read olcAccess: to attrs=userPassword by self write by dn.exact="uid=diradmin,cn=users,dc=lib-mac,dc=local" read by * auth olcAccess: to dn.subtree="" by dn.exact="uid=diradmin,cn=users,dc=lib-mac,dc=local" write by users read by anonymous auth Robert Threet http://yesistilluseperl.blogspot.com/ ____________________________________________________________ $65/Hr Job - 25 Openings Part-Time job ($20-$65/hr). Requirements: Home Internet Access http://thirdpartyoffers.netzero.net/TGL3231/4d540f18d12d722e5best03duc

2 1

slapo-lastbind: warning in doing slapcat
by Marco Pizzoli 10 Feb '11

10 Feb '11

Hi list, I'm using overlay slapo-lastbind using openldap head. I receive a warning when invoking slapcat to do a full backup of my user database. This is the output of my job: [ldap@ldap03 tmp]$ /usr/local/openldap/sbin/slapcat -b "dc=lan,dc=mycorp.it" -l dump_db_user.ldif UNKNOWN attributeDescription "AUTHTIMESTAMP" inserted. The backup seems done correctly. This warning could be due to an error of mine? If not, being this a contrib overlay, should I file an ITS anyway? Thanks Marco -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

1 0

The correct way of updating a schema
by E.S. Rosenberg 09 Feb '11

09 Feb '11

A package I use recently updated the schema files related to the package, what is the correct way to go about replacing the schemas that were already loaded into cn=schema? My bruteforce solution was most likely not the correct way. Thanks and best regards, Eli

1 0

DB_CONFIG - Auto remove logs
by ldap＠mm.st 09 Feb '11

09 Feb '11

This may have been discussed, but i can not seem to find out why the transaction logs are not getting removed when I use DB_LOG_AUTOREMOVE in DB_CONFIG. This is on a Redhat 5 openldap 2.3 server. DB_CONFIG has the following: set_lg_dir /var/lib/ldap/bdblogs set_flags DB_LOG_AUTOREMOVE Doing slapd_db_archive shows about 134 unused files. I then did the following (is this the correct procedure to use when updating DB_CONFIG?): > serivice ldap stop > Edited DB_CONFIG > slapd_db_recover > slapd_db_archive > service ldap start The files are still there. I also manually did a checkpoint with "slapd_db_checkpoint -1" and verified the transaction log time changed. Reran "slapd_db_archive" and it outputs the same files. I read that earlier versions required a patch for this to work, but I was not sure about this one. I'm unclear on when the removal is suppose to take place, but it doesn't seem to be working.

2 2

tls_checkpeer directive
by Michael Starling 08 Feb '11

08 Feb '11

I'm running openldap-2.3.43-12.el5 on a RHEL 5.5 system: I believe I have TLS encryption working but I'd like to be able to verify my client connections. On my LDAP server I have the following in slapd.conf TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 TLSCertificateFile /etc/openldap/cacerts/slapdcert.pem TLSCertificateKeyFile /etc/openldap/cacerts/slapdkey.pem TLSCACertificateFile /etc/openldap/cacerts/slapdcert.pem On the client I have the following in /etc/ldap.conf uri ldaps://10.70.5.67/ ssl on tls_cacertfile /etc/openldap/cacerts/slapdcert.pem tls_checkpeer no On the client /etc/openldap/ldap.conf URI ldaps://10.70.5.67/ TLS_CACERT /etc/openldap/cacerts/slapdcert.pem TLS_REQCERT demand These commands work both from the client and server. openssl s_client -connect servername:636 -showcerts ldapsearch -x -H ldaps://servername -b dc=domain,dc=domain -D cn=root,dc=domain,dc=domain -W So my first question would be does this guarantee encrypted sessions? Second, if I change tls_checkpeer to yes then I can't contact the LDAP server. How can I verify my clients? -Mike

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical