Just found the problem and the solution. It turned out that there was also a (probably mistakenly) second config module activated.
The module I had configured with ppolicy was not used. The extra module that was active did not have the ppolicy overlay loaded.
After correcting this, all seems to work as expected.
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of openldap-technical-request@openldap.org Sent: Thursday, 28 July 2016 14:00 To: openldap-technical@openldap.org Subject: openldap-technical Digest, Vol 104, Issue 21
Send openldap-technical mailing list submissions to openldap-technical@openldap.org
To subscribe or unsubscribe via the World Wide Web, visit http://www.openldap.org/lists/mm/listinfo/openldap-technical or, via email, send a message with subject or body 'help' to openldap-technical-request@openldap.org
You can reach the person managing the list at openldap-technical-owner@openldap.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of openldap-technical digest..."
Today's Topics:
1. Re: need to recover slapd password and upgrade openldap (Dan Hyatt)
2. Re: Antw: Intermediate certificates not being sent (Nat Sincheler)
3. Re: sizelimit (Maily Peng)
4. Missing user entries after restoring a backup ldif (Matt Spaulding)
5. password policies not functioning properly (Kruger, P (Justid))
6. Re: sizelimit (Dieter Klünter)
7. Re: Antw: Intermediate certificates not being sent (Ulrich Windl)
----------------------------------------------------------------------
Message: 1 Date: Tue, 26 Jul 2016 12:15:00 -0500 From: Dan Hyatt dhyatt@dsgmail.wustl.edu To: Aaron Richton richton@nbcs.rutgers.edu, dhyatt@wustl.edu Cc: openldap-technical@openldap.org Subject: Re: need to recover slapd password and upgrade openldap Message-ID: b5a9dc49-8420-ef20-0779-d65ddfcdcad7@dsgmail.wustl.edu Content-Type: text/plain; charset=windows-1252; format=flowed
So, a more simple question...
Can I install a current version of OpenLDAP on a current RedHat/Centos server (specially built for this purpose), then use slapcat to export the information from the old server and import it to the new server, where the admin password is not corrupt?
Can I import the schemas or are there likely substantial changes to the schemas across versions?
My goals are to create a new LDAP server running Centos/Redhat, transfer 20 users and allow them to keep their existing passwords, allow them to access my servers, allow them authentication to samba, and create an LDAP slave (or cluster); not sure if syncrepl is the current way to go.
I have root to the server, but I do not have the admin password to the Openldap 2.2 as it became corrupted somehow.
On 07/24/2016 09:15 PM, Aaron Richton wrote:
On Fri, 22 Jul 2016, Dan Hyatt wrote:
My admin openLDAP 2.2 password became corrupt in the last week and I cannot
[...]
I found some instructions which seem simple, risky and with no backout strategy. Simply running http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/
That link (apparently from 2011) doesn't apply to your software from 2003. There's no back-config in OpenLDAP 2.2. So don't try that...
@(#) $OpenLDAP: slapd 2.2.13 (Nov 26 2010 07:45:22) $ mockbuild@x86-003.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd
[...]
Having the LDAP on two separate hypervisors (with local disks) to avoid the storage/authentication chicken/egg problem. Is there a better upgrade plan?
Are you saying that your one and only LDAP server uses itself for its own A&A?
Authentication and Authorization? The server provides authentication and authorization for my group. The server only does LDAP and home dirs. I want to upgrade it to Centos 6.8 or Centos 7 (that is equal to redhat 6.8 or redhat 7) on a hypervisor with a slave running the current favored release.
[...]
I have the log files, is there a way to backout to last week without the admin password (which became corrupt last week).
I'm not sure what you're referring to by "log files." The general-case OpenLDAP backup tool is slapcat(8). Hopefully you have been running it routinely. The resulting LDIF can be easily inspected; if you have enough backups, you might even be able to find one without corruption.
We took over responsibility for the LDAP in December; there was not a happy handoff... no documentation, just the password, and we had to move it to the new VLAN.
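The migration above hinges on users keeping their existing passwords, which only works if the new slapd supports every hash scheme in the exported LDIF. This added example (not from the thread) tallies the `{SCHEME}` prefixes of `userPassword` values in a slapcat export; the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example: audit password hash schemes in a slapcat(8) export before
# importing it on a new server. slapcat writes userPassword as base64 (the
# "userPassword::" form), so each value is decoded before its {SCHEME}
# prefix is read. Values without a prefix are counted as {CLEARTEXT}.

# password_schemes reads LDIF on stdin and prints "<count> <scheme>" lines.
password_schemes() {
    awk '
        /^userPassword:: / { print "b64 " $2; next }
        /^userPassword: /  { print "raw " $2 }
    ' | while read -r kind value; do
        if [ "$kind" = b64 ]; then
            value=$(printf '%s' "$value" | base64 -d 2>/dev/null) || continue
        fi
        case $value in
            \{*\}*) printf '%s\n' "$value" | sed 's/}.*/}/' ;;  # keep {SCHEME} only
            *)      echo '{CLEARTEXT}' ;;
        esac
    done | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample export: two {SSHA} hashes, one {CRYPT}, one plaintext.
# The base64 values decode to "{SSHA}abc" and "{CRYPT}xy".
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9YWJj

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: e0NSWVBUfXh5

dn: uid=carol,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9YWJj

dn: uid=dave,ou=people,dc=example,dc=com
userPassword: secret'

# Real use: slapcat -l export.ldif on the old server, then
#   password_schemes < export.ldif
printf '%s\n' "$SAMPLE_LDIF" | password_schemes
```

Schemes such as {CRYPT} depend on the new host's libcrypt and slapd build options, so anything besides {SSHA}/{SHA} deserves a test login on the new server before cutover.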
------------------------------
Message: 2 Date: Tue, 26 Jul 2016 08:20:14 -0700 From: Nat Sincheler fai1107@macrotex.net To: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de, openldap-technical@openldap.org Subject: Re: Antw: Intermediate certificates not being sent Message-ID: 991f77f9-fd05-eb9b-7f07-f350c4a7bc68@macrotex.net Content-Type: text/plain; charset=windows-1252; format=flowed
On 7/25/2016 11:24 PM, Ulrich Windl wrote:
Nat Sincheler fai1107@macrotex.net wrote on 25.07.2016 at 19:06 in message c19c2a3a-3c90-5baa-43c7-800b050ea5b7@macrotex.net:
We have an OpenLDAP server that is listening on port 636 over ldaps. When I run
openssl s_client -showcerts -connect ldap-server:636
I only see the host certificate. The intermediate and root certificates do *not* come through.
If I do that on one of our servers, I get:
Root CA
Intermediate CA
Server Certificate
...
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
For this server I have in the file slapd.d/cn=config.ldif the setting
olcTLSCACertificatePath: /etc/ssl/certs
Hi!
Here it works with these settings:
olcTLSCACertificatePath: /etc/ssl/certs
olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
Could it be a permissions problem? Did you try to check the certificate chain with openssl (preferably as the LDAP user)?
When I run the openssl s_client command I get no errors, but I also get no intermediate or root certificates sent. I see this in the output: "No client certificate CA names sent".
It appears that OpenLDAP is not sending the intermediate or root certificates.
However, if I put all the intermediate and root certificates into a single file and point olcTLSCACertificateFile at this file, those intermediate certificates _are_ sent.
So, it appears that olcTLSCACertificateFile sends the certificates but olcTLSCACertificatePath does not.
Am I misunderstanding the purpose olcTLSCACertificatePath?
Thanks.
Regards, Ulrich
I checked and all the intermediate and root certificates are in /etc/ssl/certs soft-linked via the usual OpenSSL rehash hash, e.g.,
lrwxrwxrwx 1 root root 42 Jul 14 19:03 b4261fc2.0 -> /etc/ssl/certs/incommon-usertrust-2024.pem
Any idea why the intermediate and root certificates do not get sent to the LDAPS client? Is there something in the LDAP log that might give me a clue as to what is going on?
------------------------------
Message: 3 Date: Tue, 26 Jul 2016 19:47:27 +0200 From: Maily Peng mpeng@keyyo.com To: Frank Swasey Frank.Swasey@uvm.edu Cc: openldap-technical@openldap.org Subject: Re: sizelimit Message-ID: 6fedd3fe-f1c4-9897-0eae-3c77159add6d@keyyo.com Content-Type: text/plain; charset="windows-1252"; Format="flowed"
Hello Frank,
Nope, the limits directive is unlimited on the provider.
First of all, I need to have access to all of the entries on the consumers, in order to check EntryCSN between provider and consumers. I use the python script check_syncrepl_extended, which needs to bind to provider and consumer via the same dn. That's why I could not use rootdn (not the same between slapd servers).
thank you
On 26/07/2016 at 19:09, Frank Swasey wrote:
You have shown us what the syncrepl, sizelimit and limits look like on your consumer. Have you got that limits directive also set up on your provider? It is the provider that needs to allow your replication DN to obtain unlimited entries.
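Frank's point is that the limits exception has to exist on the provider for the DN the consumer (and here the checking script) binds with. This added example (not from the thread) builds the cn=config change that grants such a DN unlimited size and time limits, applies it locally, and probes whether a bind DN still runs into a size limit; the database DN and replication DN are assumptions.

```shell
#!/bin/sh
# Added example: grant a replication/check DN unlimited limits on the
# PROVIDER via cn=config, then verify from the client side.
# Assumed names: adjust DB_DN to the provider's database entry and REPL_DN
# to the DN the consumer and check_syncrepl_extended bind with.
DB_DN='olcDatabase={1}mdb,cn=config'
REPL_DN='cn=replicator,dc=example,dc=com'

# limits_ldif prints an LDIF modify adding an olcLimits value for DN $2 on
# database $1. The selector/limit syntax is that of the limits directive in
# slapd.conf(5): dn.exact="<dn>" followed by size.* and time.* limits.
limits_ldif() {
    db=$1; who=$2
    printf 'dn: %s\nchangetype: modify\nadd: olcLimits\n' "$db"
    printf 'olcLimits: dn.exact="%s" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited\n' "$who"
}

# apply_limits feeds the change to the local slapd over ldapi:// with
# SASL EXTERNAL (run as root on the provider host, not on a consumer).
apply_limits() {
    limits_ldif "$1" "$2" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# probe_limits binds as $2 (password $3) to URI $1, asks for every entry
# under base $4 with no client-side size limit (-z 0), prints how many
# entries came back, and returns 1 if slapd stopped early with
# "Size limit exceeded" (ldapsearch exit code 4). Run it against the
# provider URI: if it fails there, no consumer can replicate everything.
probe_limits() {
    out=$(ldapsearch -LLL -x -H "$1" -D "$2" -w "$3" -b "$4" -z 0 '(objectClass=*)' dn 2>&1)
    rc=$?
    echo "$(printf '%s\n' "$out" | grep -c '^dn:') entries"
    [ "$rc" -ne 4 ]
}

# Show the change that would be applied (apply_limits/probe_limits need a
# live provider, so they are only defined here):
limits_ldif "$DB_DN" "$REPL_DN"
```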