Hi,
I am trying to modify my DB parameters to fix following issue,
root@laselainfldap01p:~# ldaplist passwd
ldaplist: libsldap.so.1 internal error LDAP configuration problem: LDAP ERROR (4): Error occurred while receiving results. Size limit exceeded. and libldap returned: (4) using ldaps://laselainfldap01p:636
root@laselainfldap01p:~#
To achieve this, I attempted the following but I got a privilege issue accessing the DB ....
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: -1

root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# ldapmodify -v -H ldapi:/// -Y EXTERNAL -f sizelimit.ldif
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
replace olcSizeLimit:
	-1
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
root@laselainfldap01p:/etc/openldap/slapd.d/cn=config#

root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# ldapmodify -v -h 10.136.16.197 -D "cn=Manager,dc=tosa,dc=thales" -w tco_tosa_thales -f sizelimit.ldif
ldap_initialize( ldap://10.136.16.197 )
replace olcSizeLimit:
	-1
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
root@laselainfldap01p:/etc/openldap/slapd.d/cn=config#
Some privilege access seems to be missing but I do not understand how to set this up. Could you, please, provide some directions on this.
Kind regards, Alain
--On Friday, June 3, 2022 1:51 PM +0000 RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com wrote:
To achieve this, I attempted the following but I got a privilege issue accessing the DB ….
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: -1
root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# ldapmodify -v -H ldapi:/// -Y EXTERNAL -f sizelimit.ldif
Hello,
We have no way of knowing how the system was configured to allow access to the cn=config database. You'll have to consult with the LDAP administrators of the deployment you're working on.
Regards, Quanah
Hi,
First, thanks for replying, and sorry for not providing enough material to help with answering.
Maybe if I provide the cn=config ldif files you could help by providing directions ....
The ldif files below are attached:
-rw-r--r-- 1 root other 193024 Jun 7 17:47 ldif.tar

root@ccase03 # tar -tvf ldif.tar
-rw------- 0/1 1503 Jun 7 17:38 2022 cn=config.ldif
-rw------- 0/1 84729 Jun 7 14:09 2022 cn=schema.ldif
-rw------- 0/1 15546 Jun 7 17:40 2022 cn={0}core.ldif
-rw------- 0/1 11363 Jun 7 17:40 2022 cn={1}cosine.ldif
-rw------- 0/1 2857 Jun 7 17:40 2022 cn={2}inetorgperson.ldif
-rw------- 0/1 3835 Jun 7 17:40 2022 cn={3}ppolicy.ldif
-rw------- 0/1 40712 Jun 7 17:40 2022 cn={4}solaris.ldif
-rw------- 0/1 13538 Jun 7 17:40 2022 cn={5}kerberos.ldif
-rw------- 0/1 621 Jun 7 14:09 2022 olcDatabase={-1}frontend.ldif
-rw------- 0/1 649 Jun 7 14:09 2022 olcDatabase={0}config.ldif
-rw------- 0/1 2576 Jun 7 14:09 2022 olcDatabase={1}mdb.ldif
-rw------- 0/1 536 Jun 7 14:09 2022 olcDatabase={2}monitor.ldif
-rw------- 0/1 432 Jun 7 17:42 2022 olcOverlay={0}syncprov.ldif
-rw------- 0/1 605 Jun 7 17:42 2022 olcOverlay={1}ppolicy.ldif
-rw-r--r-- 0/1 72 Jun 7 14:09 2022 sizelimit.ldif
root@ccase03 #
Kind regards, Alain
-----Original Message-----
From: Quanah Gibson-Mount quanah@fast-mail.org
Sent: Friday, June 3, 2022 22:27
To: RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com; openldap-technical@openldap.org
Subject: Re: Failing to modify olcSizeLimit
--On Friday, June 3, 2022 1:51 PM +0000 RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com wrote:
To achieve this, I attempted the following but I got a privilege issue accessing the DB ….
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: -1
root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# ldapmodify -v -H ldapi:/// -Y EXTERNAL -f sizelimit.ldif
Hello,
We have no way of knowing how the system was configured to allow access to the cn=config database. You'll have to consult with the LDAP administrators of the deployment you're working on.
Regards, Quanah
--On Tuesday, June 7, 2022 4:53 PM +0000 RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com wrote:
Hi,
First, thanks for replying, and sorry for not providing enough material to help with answering.
Maybe if I provide the cn=config ldif files you could help by providing directions ....
You should be using the LDAP tools to export the config files, and never touching anything directly in the configuration database.
For example, slapcat -n 0 -l config.ldif will export the configuration DB into LDIF format for easy consumption. You would want to ensure any password values are removed before sharing it with anyone.
In the LDIF tar file you shared, it shows that to modify cn=config, one must do a simple bind as the cn=config user, using whatever password was configured. You will need to talk to whomever manages the installation to discover that password. I'd also advise them to change it, since you publicly shared the SHA-1 hash with the world. I'd also advise them to use a more secure hashing function (At least SSHA512, or even better upgrade to a currently supported release of OpenLDAP and use ARGON2).
I.e:
ldapmodify -x -D cn=config -H ... -W
Regards, Quanah
Quanah Gibson-Mount quanah@fast-mail.org wrote on 08.06.2022 at 18:03
in message <1AA0097E3E4235DC5675E461@[192.168.1.17]>:
discover that password. I'd also advise them to change it, since you publicly shared the SHA‑1 hash with the world. I'd also advise them to use
Ignoring weak passwords, what are realistic brute-force attack times on SSHA today? I also wonder whether trying brute-force is worth it, as the poster could have swapped one or two characters in the BASE64 encoding before sending ;-)
a more secure hashing function (At least SSHA512, or even better upgrade to
a currently supported release of OpenLDAP and use ARGON2).
Personally I think weak passwords (or the handling of such) are much more of a security problem than SSH is. However, from the standpoint of an admin, you are better off using a strong hashing function as it allows you to argue: It must be the user's fault if the password became available...
Regards, Ulrich
Thanks all for all your advice. I am working on it ...
Alain
-----Original Message-----
From: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de
Sent: Thursday, June 9, 2022 09:04
To: RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com; quanah@fast-mail.org; openldap-technical@openldap.org
Subject: Antw: [EXT] RE: Failing to modify olcSizeLimit
Quanah Gibson-Mount quanah@fast-mail.org wrote on 08.06.2022 at 18:03
in message <1AA0097E3E4235DC5675E461@[192.168.1.17]>:
discover that password. I'd also advise them to change it, since you publicly shared the SHA‑1 hash with the world. I'd also advise them to use
Ignoring weak passwords, what are realistic brute-force attack times on SSHA today? I also wonder whether trying brute-force is worth it, as the poster could have swapped one or two characters in the BASE64 encoding before sending ;-)
a more secure hashing function (At least SSHA512, or even better upgrade to
a currently supported release of OpenLDAP and use ARGON2).
Personally I think weak passwords (or the handling of such) are much more of a security problem than SSH is. However, from the standpoint of an admin, you are better off using a strong hashing function as it allows you to argue: It must be the user's fault if the password became available...
Regards, Ulrich
--On Thursday, June 9, 2022 10:04 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
Ignoring weak passwords, what are realistic brute-force attack times on SSHA today?
Well, there's also massive databases of known passwords. With a single GPU, it would take a while. But there are massive GPU farms out there that can be used for password cracking as well. It'd likely depend on whether or not one was considered a high value target.
--Quanah
RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com
wrote on 03.06.2022 at 14:51 in message bf0f0f6351b94d74b437c24db1da4817@external.thalesgroup.com: ...
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: -1
Despite the rest, we use a large positive number here, and the docs here mention "unlimited", but not -1.
...
Regards, Ulrich
--On Tuesday, June 7, 2022 8:47 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com
wrote on 03.06.2022 at 14:51 in message bf0f0f6351b94d74b437c24db1da4817@external.thalesgroup.com: ...
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: -1
Despite the rest, we use a large positive number here, and the docs here mention "unlimited", but not -1.
Definitely a valid observation that this value would likely end up being rejected or not do what is expected, but they hadn't gotten this far yet, since their issue was lacking access.
--Quanah
Thanks for pointing at this element. I modified my ldif accordingly:
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: unlimited

root@ccase03 # grep olcRoot olcDatabase={1}mdb.ldif
olcRootDN: cn=Manager,dc=tosa,dc=thales
olcRootPW:: e1NTSEF9QTVnK3BPV2dWM2p6V29DZkRrSjVZZ1YwUDROS2RDTWg=
         ^ strange ! two semicolons in a row

root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# ldapmodify -v -h 10.136.16.197 -D "cn=Manager,dc=tosa,dc=thales" -w tco_tosa_thales -f sizelimit.ldif
ldap_initialize( ldap://10.136.16.197 )
replace olcSizeLimit:
	unlimited
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
root@laselainfldap01p:/etc/openldap/slapd.d/cn=config#
Kind regards, Alain
-----Original Message-----
From: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de
Sent: Tuesday, June 7, 2022 07:48
To: RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com; openldap-technical@openldap.org
Subject: Antw: [EXT] Failing to modify olcSizeLimit
RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com
wrote on 03.06.2022 at 14:51 in message bf0f0f6351b94d74b437c24db1da4817@external.thalesgroup.com: ...
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: -1
Despite the rest, we use a large positive number here, and the docs here mention "unlimited", but not -1.
...
Regards, Ulrich
RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com
wrote on 08.06.2022 at 12:47 in message a8c0c01e1db244ec8d75d61bb5b16694@external.thalesgroup.com:
Thanks for pointing at this element. I modified my ldif accordingly:
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: unlimited

root@ccase03 # grep olcRoot olcDatabase={1}mdb.ldif
olcRootDN: cn=Manager,dc=tosa,dc=thales
olcRootPW:: e1NTSEF9QTVnK3BPV2dWM2p6V29DZkRrSjVZZ1YwUDROS2RDTWg=
         ^ strange ! two semicolons in a row
First, they are two _colons_, and second, the LDIF specification says the data is encoded as BASE64, usually because of "unusual" characters: "{SSHA}A5g+pOWgV3jzWoCfDkJ5YgV0P4NKdCMh"
root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# ldapmodify -v -h 10.136.16.197 -D "cn=Manager,dc=tosa,dc=thales" -w tco_tosa_thales -f sizelimit.ldif
ldap_initialize( ldap://10.136.16.197 )
replace olcSizeLimit:
	unlimited
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
That was expected; does your manager have access?
root@laselainfldap01p:/etc/openldap/slapd.d/cn=config#
Kind regards, Alain
-----Original Message-----
From: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de
Sent: Tuesday, June 7, 2022 07:48
To: RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com;
openldap-technical@openldap.org
Subject: Antw: [EXT] Failing to modify olcSizeLimit
RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com
wrote on 03.06.2022 at 14:51 in message bf0f0f6351b94d74b437c24db1da4817@external.thalesgroup.com: ...
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: -1
Despite the rest, we use a large positive number here, and the docs here mention "unlimited", but not -1.
...
Regards, Ulrich
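Two points in the thread are worth seeing in code: Quanah's advice to export cn=config with the LDAP tools and strip password values before sharing, and Ulrich's note that a double colon in LDIF marks a base64 value. The Python below is an added illustration, not code from the thread or from OpenLDAP; the sample entry and the olcRootPW placeholder value are constructed, and the attribute and scheme lists are assumptions to adapt to your schema.

```python
import base64

# Attributes holding secrets and hash schemes to flag (constructed lists; extend as needed).
SECRET_ATTRS = {"olcrootpw", "userpassword"}
WEAK_SCHEMES = {"{CLEARTEXT}", "{CRYPT}", "{MD5}", "{SMD5}", "{SHA}", "{SSHA}"}

# Constructed sample entry, not the poster's file; the olcRootPW value is a placeholder.
SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,
 dc=com
olcRootPW:: e1NTSEF9bm90LXJlYWw=
olcSizeLimit: unlimited
"""

def parse_ldif(text):
    """Return [(attr, decoded_value, unfolded_line)] for one LDIF entry (RFC 2849)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # leading space folds onto the previous line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    parsed = []
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # 'attr:: value' means the value is base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        parsed.append((name, value, line))
    return parsed

def scheme_of(value):
    # '{SSHA}' for '{SSHA}...', '' for values without a scheme prefix
    return value[: value.find("}") + 1] if value.startswith("{") else ""

def redact_ldif(text):
    """Replace secret values with a placeholder but keep the scheme prefix visible."""
    out = []
    for name, value, line in parse_ldif(text):
        if name.lower() in SECRET_ATTRS:
            out.append(f"{name}: {scheme_of(value)}<REDACTED>")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def weak_hash_attrs(text):
    """Secret attributes whose stored scheme is in WEAK_SCHEMES."""
    return [name for name, value, _ in parse_ldif(text)
            if name.lower() in SECRET_ATTRS and scheme_of(value).upper() in WEAK_SCHEMES]
```

Run `redact_ldif` over the output of `slapcat -n 0` before attaching it to a list post; `weak_hash_attrs` lists the entries that still use a scheme weaker than SSHA512 or ARGON2.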
RAIMBAULT Alain - Contractor wrote:
Thanks for pointing at this element. I modified my ldif accordingly:
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: unlimited

root@ccase03 # grep olcRoot olcDatabase={1}mdb.ldif
olcRootDN: cn=Manager,dc=tosa,dc=thales
olcRootPW:: e1NTSEF9QTVnK3BPV2dWM2p6V29DZkRrSjVZZ1YwUDROS2RDTWg=
         ^ strange ! two semicolons in a row

root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# ldapmodify -v -h 10.136.16.197 -D "cn=Manager,dc=tosa,dc=thales" -w tco_tosa_thales -f sizelimit.ldif
ldap_initialize( ldap://10.136.16.197 )
replace olcSizeLimit:
	unlimited
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
AFAIK you have to use "cn=config" as the username (-D parameter) to modify the configuration. Additionally, you will have to use the -x parameter for simple auth. IMHO you will need an olcAuthzRegexp like gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth dn:cn=config to use the SASL mech EXTERNAL to modify your configuration.
root@laselainfldap01p:/etc/openldap/slapd.d/cn=config#
Kind regards, Alain
-----Original Message-----
From: Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de>
Sent: Tuesday, June 7, 2022 07:48
To: RAIMBAULT Alain - Contractor <alain.raimbault(a)external.thalesgroup.com>; openldap-technical(a)openldap.org
Subject: Antw: [EXT] Failing to modify olcSizeLimit
RAIMBAULT Alain - Contractor <alain.raimbault(a)external.thalesgroup.com>
wrote on 03.06.2022 at 14:51 in message <bf0f0f6351b94d74b437c24db1da4817(a)external.thalesgroup.com>: ...
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: -1
Despite the rest, we use a large positive number here, and the docs here mention "unlimited", but not -1.
...
Regards, Ulrich
--On Wednesday, June 8, 2022 4:21 PM +0000 carsten.jaeckel@tu-dortmund.de wrote:
AFAIK you have to use "cn=config" as the username (-D parameter) to modify the configuration. Additionally, you will have to use the -x parameter for simple auth. IMHO you will need an olcAuthzRegexp like gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth dn:cn=config to use the SASL mech EXTERNAL to modify your configuration.
Without looking at the configuration that is already deployed, it's hazardous to suggest solutions like this as it may conflict with what is already there.
--Quanah
--On Wednesday, June 8, 2022 11:47 AM +0000 RAIMBAULT Alain - Contractor alain.raimbault@external.thalesgroup.com wrote:
Thanks for pointing at this element. I modified my ldif accordingly:
# cat sizelimit.ldif
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: unlimited

root@ccase03 # grep olcRoot olcDatabase={1}mdb.ldif
olcRootDN: cn=Manager,dc=tosa,dc=thales
olcRootPW:: e1NTSEF9QTVnK3BPV2dWM2p6V29DZkRrSjVZZ1YwUDROS2RDTWg=
         ^ strange ! two semicolons in a row

root@laselainfldap01p:/etc/openldap/slapd.d/cn=config# ldapmodify -v -h 10.136.16.197 -D "cn=Manager,dc=tosa,dc=thales" -w tco_tosa_thales -f sizelimit.ldif
ldap_initialize( ldap://10.136.16.197 )
replace olcSizeLimit:
	unlimited
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
As long as you continue to bind with an identity that does not have access to the configuration database, this will be the end result - Insufficient access.
--Quanah