Quanah Gibson-Mount wrote:
>
>
> --On August 4, 2009 3:51:18 PM -0700 Ivan Ordonez
> <iordonez(a)nature.berkeley.edu> wrote:
>
>> Hello,
>>
>> We've been using an ldap based PDC from quite a while. Now we're
>> suddenly having trouble getting our main fileserver to talk with the
>> PDC.
>>
>> samba-3.2.13 on solaris 10.
>>
>> Here is our smb.conf global defs:
>>
>> Server role: ROLE_DOMAIN_MEMBER
>> [global]
>> workgroup = CNRDOM
>> server string = nature (Samba %v)
>> security = DOMAIN
>> passdb backend = ldapsam:ldaps://169.229.xxx.yyy
>> log level = 5
>> log file = /var/log/samba/log.%m
>> name resolve order = wins host lmhosts
>> os level = 65
>> local master = No
>> domain master = No
>> dns proxy = No
>> wins support = Yes
>> ldap ssl = start tls
>
> ldaps:// and startTLS are mutually exclusive. Pick one and only one.
We tried removing the "s" on ldaps:// and still no go.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
Hi
I am still struggling with the my openldap to AD proxy connection.
I have successfully connected such that I can do search when I bind to openldap with an AD dn, but I want to be able to do anon search and I want anon to map through to a dn I have created in AD which has read only rights.
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * read
olcReadOnly: TRUE
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
olcSizeLimit: 500
olcSuffix: dc=xyz,dc=com
olcDburi: "ldap://ldap. xyz.com "
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcdbaclbind: bindmethod=simple binddn="CN=ad readonly,OU=YB Services,OU= xyz,DC= xyz,DC=com" credentials=":)" starttls=no
olcDbIDAssertBind: bindmethod=none binddn="CN=ad readonly,OU=YB Services,OU= xyz,DC= xyz,DC=com" credentials=":)" starttls=no
I have a subordinate db at ou=external, DC= xyz,DC=com
I can do a
ldapsearch -x -D " CN=ad readonly,OU=YB Services,OU= xyz,DC= xyz,DC=com" -b " DC= xyz,DC=com" -w :)
what I can't do is
ldapsearch -x -b " DC= xyz,DC=com"
I am thinking I want to map anon request through to the readonly DN. But still leave it such that when people bind to openldap as themselves they bind to AD as themselves
How would I do that ?
Thanks
Alex
On 11/05/12 08:29 +0100, Admus wrote:
>On 11/04/2012 11:59 PM, Dan White wrote:
>>On 11/04/12 23:13 +0100, admus wrote:
>>>Hello,
>>>I'm following https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls…
>>>how to:
>>>LDAP serwer starts correctly but when I tries to test StartTLS:
>>>ldapsearch -x -H ldap:/// -ZZ -d -1
>>>I gets the following error:
>>>TLS: peer cert untrusted or revoked (0x42)
>>>TLS: can't connect: (unknown error code).
>>>ldap_err2string
>>>ldap_start_tls: Connect error (-11)
>>> additional info: (unknown error code)
>>>Any idea?
>>
>>Your hostname will need to match the certificate you have installed. '-H
>>ldap:///' will, instead, need to include the hostname matching your
>>certificate.
>>
>>For project documentation, see chapter 16 of the OpenLDAP Administrator's
>>Guide, slapd-config(5), ldap.conf(5), and ldapsearch(1).
>>
>
>ldapsearch -x -H ldap://ldap1.example.com -ZZ -d -1
>
>Does not help, same error. CN in my certificate is ldap1.example.com.
Assuming that your OpenLDAP was compiled against GnuTLS, use the GnuTLS
tools to trouble shoot your certificate.
A google search for "peer cert untrusted or revoked (0x42)" finds users who
also received that error.
--
Dan White
Hello
On Wed, Jul 30, 2008 at 9:59 AM, J Davis <mrsalty0(a)gmail.com> wrote:
> Greetings,
>
> I'm testing an installation of openldap 2.4.9. I want to enforce TLS for
> all access to the directory.
> My problem is that I cannot get the client to meet the ssf restictions I
> have in place. The documentation I've seen on ssf and tls_ssf is very sparse
> so I don't really understand what it does.
>
> I'm using self signed cert created using the openssl CA.sh script.
>
> Relevant portions of the slapd.conf...
>
> TLSCACertificateFile /etc/ldap/ssl/cacert.pem
> TLSCertificateFile /etc/ldap/ssl/servercrt.pem
> TLSCertificateKeyFile /etc/ldap/ssl/serverkey.pem
> ...
> access to *
> by tls_ssf=128 ssf=128 anonymous auth
> by tls_ssf=128 ssf=128 self write
>
> Relevant portions of the lapd.conf...
>
> TLS_CACERT /etc/ldap/ssl/cacert.pem
>
> With those ACLs in place I get the following error:
>
> $ ldapsearch -x -ZZ -D "uid=jake,ou=people,dc=example,dc=com" -W -b
> "uid=jake,ou=people,dc=example,dc=com"
> ldap_bind: Invalid credentials (49)
>
You may want to try adding -q as one of the options to your ldapsearch. It
appears that the tls_ssf turns on STARTTLS, instead of LDAP over SSL and in
order to use that, you need to tell the client to use starttls as well,
which is what (if I read the man page correctly), -q does.
Have fun.
--
Personal Mail from Patrick Patterson
No company affiliation
I am having trouble accessing my openldap server over SSL using an iPhone/iPad/iPod Touch using ios 4.2.1. If I check the SSL box in the client setup on the iPhone/iPad/iPod Touch I get an error in the slapd log -- TLS negotiation Failure. With logging level 9 I get TLS accept failure error=-1 id=1.
Other clients work fine over SSL/StartTLS. Outlook, addressbook in osX 10.6, jxplorer.
I am using openldap 2.4.19-15 on RHEL6 with a comodo wildcard SSL cert.
Chris Jackson
Hi!
We've got a proxy OpenLDAP setup using the "ldap" proxy database (the newer
"meta" backend had some issues, so I couldn't use that one). Most of the time,
the proxy bind goes OK, but sometimes, the connection goes like this (proxy
log, using ldaps):
--clip--
Jan 7 16:01:12 ldap-r-1 slapd[16851]: conn=7716 fd=96 ACCEPT from IP=128.214.54.152:36460 (IP=0.0.0.0:636)
Jan 7 16:01:12 ldap-r-1 slapd[16851]: conn=7716 fd=96 TLS established tls_ssf=256 ssf=256
Jan 7 16:01:12 ldap-r-1 slapd[16851]: conn=7716 op=0 BIND dn="<removed>" method=128
Jan 7 16:01:12 ldap-r-1 slapd[16851]: conn=7716 op=0 RESULT tag=97 err=52 text=Start TLS failed
Jan 7 16:01:12 ldap-r-1 slapd[16851]: conn=7716 fd=96 closed (connection lost)
--clip--
On the backend, this appears to be the case that a new connection kind of
overruns the old one; see what happens with connection 6983:
--clip--
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6983 fd=23 ACCEPT from IP=128.214.222.155:46144 (IP=0.0.0.0:389)
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6984 fd=41 ACCEPT from IP=128.214.222.155:46146 (IP=0.0.0.0:389)
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6983 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6983 op=0 STARTTLS
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6983 op=1 UNBIND
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6983 fd=23 closed
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6984 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6984 op=0 STARTTLS
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6984 op=0 RESULT oid= err=0 text=
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6984 fd=41 TLS established tls_ssf=256 ssf=256
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6984 op=1 BIND dn="<removed>" method=128
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6984 op=1 BIND dn="<removed>" mech=SIMPLE ssf=0
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6984 op=1 RESULT tag=97 err=0 text=
[SRCH and result lines]
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6984 op=3 UNBIND
Jan 7 16:01:12 ldap-v-2 slapd[61739]: conn=6984 fd=41 closed
--clip--
This doesn't seem to have any correlation to the amount of binds of server
load, at least that I'm aware - and anyway, the servers are nowhere near at
capacity - we only get ~2 binds per second.
Normal connection would look like this:
--clip--
Jan 7 16:00:55 ldap-r-1 slapd[16851]: conn=7650 fd=159 ACCEPT from IP=128.214.54.152:36362 (IP=0.0.0.0:636)
Jan 7 16:00:55 ldap-r-1 slapd[16851]: conn=7650 fd=159 TLS established tls_ssf=256 ssf=256
Jan 7 16:00:55 ldap-r-1 slapd[16851]: conn=7650 op=0 BIND dn="<removed>" method=128
Jan 7 16:00:55 ldap-r-1 slapd[16851]: conn=7650 op=0 BIND dn="<removed>" mech=SIMPLE ssf=0
Jan 7 16:00:55 ldap-r-1 slapd[16851]: conn=7650 op=0 RESULT tag=97 err=0 text=
[SRCH and SEARCH RESULT lines]
Jan 7 16:01:12 ldap-r-1 slapd[16851]: conn=7650 op=219 UNBIND
Jan 7 16:01:12 ldap-r-1 slapd[16851]: conn=7650 fd=159 closed
--clip--
So this far, it looks as if the problem was that if we accept a second
connection for the same client before the proxy has had time to do a bind (or
indeed, a STARTTLS for the bind) on the backend for the second connection.
But we seem to be getting spurious Start TLS failed messages also without any
competing connections. Here's one using ldap+STARTTLS but no other ACCEPTs
anywhere near:
--clip--
Jan 17 17:46:20 ldap-r-1 slapd[28738]: conn=529684 fd=62 ACCEPT from IP=128.214.173.135:43148 (IP=0.0.0.0:389)
Jan 17 17:46:20 ldap-r-1 slapd[28738]: conn=529684 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 17 17:46:20 ldap-r-1 slapd[28738]: conn=529684 op=0 STARTTLS
Jan 17 17:46:20 ldap-r-1 slapd[28738]: conn=529684 op=0 RESULT oid= err=0 text=
Jan 17 17:46:20 ldap-r-1 slapd[28738]: conn=529684 fd=62 TLS established tls_ssf=256 ssf=256
Jan 17 17:46:20 ldap-r-1 slapd[28738]: conn=529684 op=1 BIND dn="ou=shibboleth,ou=login,dc=helsinki,dc=fi" method=128
Jan 17 17:46:20 ldap-r-1 slapd[28738]: conn=529684 op=1 RESULT tag=97 err=52 text=Start TLS failed
Jan 17 17:46:22 ldap-r-1 slapd[28738]: conn=529684 fd=62 closed (connection lost)
--clip--
on the proxy, and backend:
--clip--
Jan 17 17:46:20 ldap-v-2 slapd[40089]: conn=406149 fd=92 ACCEPT from IP=128.214.222.155:48996 (IP=0.0.0.0:389)
Jan 17 17:46:20 ldap-v-2 slapd[40089]: conn=406149 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 17 17:46:20 ldap-v-2 slapd[40089]: conn=406149 op=0 STARTTLS
Jan 17 17:46:20 ldap-v-2 slapd[40089]: conn=406149 op=0 RESULT oid= err=0 text=
Jan 17 17:46:20 ldap-v-2 slapd[40089]: conn=406149 fd=92 closed (TLS negotiation failure)
--clip--
Succesful ldap+starttls connection on proxy:
--clip--
Jan 17 18:11:01 ldap-r-1 slapd[28738]: conn=531181 fd=54 ACCEPT from IP=128.214.173.137:48700 (IP=0.0.0.0:389)
Jan 17 18:11:01 ldap-r-1 slapd[28738]: conn=531181 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 17 18:11:01 ldap-r-1 slapd[28738]: conn=531181 op=0 STARTTLS
Jan 17 18:11:01 ldap-r-1 slapd[28738]: conn=531181 op=0 RESULT oid= err=0 text=
Jan 17 18:11:01 ldap-r-1 slapd[28738]: conn=531181 fd=54 TLS established tls_ssf=256 ssf=256
Jan 17 18:11:01 ldap-r-1 slapd[28738]: conn=531181 op=1 BIND dn="<removed>" method=128
Jan 17 18:11:01 ldap-r-1 slapd[28738]: conn=531181 op=1 BIND dn="<removed>" mech=SIMPLE ssf=0
Jan 17 18:11:01 ldap-r-1 slapd[28738]: conn=531181 op=1 RESULT tag=97 err=0 text=
[SRCH and SEARCH RESULT lines]
Jan 17 18:11:01 ldap-r-1 slapd[28738]: conn=531181 op=3 UNBIND
Jan 17 18:11:01 ldap-r-1 slapd[28738]: conn=531181 fd=54 closed
--clip--
Any ideas what could be causing these? It's a bit hard to pinpoint the problem,
since it happens so rarely - we seem to get a couple dozen of these every hour
to around 16 000 succesful binds, not really depending on system load. This is
RHEL 7 and OpenLDAP 2.4.40.
It may be the case that the same DN binding very often increases the
probability of a Start TLS failed error, which I guess would be the first case
(a new ACCEPT + BIND for a DN too soon after the previous one). But as I said,
these seem to also sometimes appear even without any other connections being
opened at the same time. (Although there might be some old connections open for
the same DN.)
--Janne Peltonen
University of Helsinki
Hello,
I'm facing some issues with syncrepl...
The simplest situation in which I was able to reproduce the problem
consists of 1 provider and 1 consumer.
I have configured syncrepl to do a partial replication :
olcSyncrepl:
{0}rid=105
provider=ldaps://****:636
bindmethod=simple
timeout=0
network-timeout=0
starttls=no
filter="(mail=*)"
searchbase="ou=groups,o=mydir"
scope=sub
schemachecking=off
attrs="cn description mail member +"
type=refreshAndPersist
retry="60 +"
tls_cert=**** tls_cacert=**** tls_key=****
olcSyncrepl:
{1}rid=107
provider=ldaps://****:636
bindmethod=simple
timeout=0
network-timeout=0
starttls=no
filter="(objectclass=*)"
searchbase="ou=operators,o=mydir"
scope=sub
schemachecking=off
type=refreshAndPersist
retry="60 +"
tls_cert=**** tls_cacert=**** tls_key=****
olcSyncrepl:
{2}rid=104
provider=ldaps://****:636
bindmethod=simple
timeout=0
network-timeout=0
starttls=no
filter="(uid=mytestuser)"
searchbase="ou=people,o=mydir"
scope=sub
schemachecking=off
type=refreshAndPersist
retry="60 +"
tls_cert=**** tls_cacert=**** tls_key=****
The initial sync (i.e. from an empty base) is fine, but then when I
modify an entry (uid=mytestuser), it is not updated on the consumer, and
I get the
following messages:
Feb 16 15:42:32 do_syncrep2: rid=107 NEW_COOKIE:
rid=107,csn=20110216144232.222152Z#000000#000#000000
Feb 16 15:42:32 do_syncrep2: rid=104
cookie=rid=104,csn=20110216144232.222152Z#000000#000#000000
Feb 16 15:42:32 slap_graduate_commit_csn: removing 0x7fb58c0227d0
20110216144232.222152Z#000000#000#000000
Feb 16 15:42:32 do_syncrep2: rid=104 CSN too old, ignoring
20110216144232.222152Z#000000#000#000000
Feb 16 15:43:05 do_syncrep2: rid=105 LDAP_RES_INTERMEDIATE - NEW_COOKIE
Feb 16 15:43:05 do_syncrep2: rid=105 NEW_COOKIE:
rid=105,csn=20110216144305.545784Z#000000#000#000000
Feb 16 15:43:05 slap_queue_csn: queing 0x7fb58c020b50
20110216144305.545784Z#000000#000#000000
Feb 16 15:43:05 do_syncrep2: rid=107 LDAP_RES_INTERMEDIATE - NEW_COOKIE
Feb 16 15:43:05 do_syncrep2: rid=107 NEW_COOKIE:
rid=107,csn=20110216144305.545784Z#000000#000#000000
Feb 16 15:43:05 do_syncrep2: rid=104
cookie=rid=104,csn=20110216144305.545784Z#000000#000#000000
Feb 16 15:43:05 slap_graduate_commit_csn: removing 0x7fb58c0227d0
20110216144305.545784Z#000000#000#000000
Feb 16 15:43:05 do_syncrep2: rid=104 CSN too old, ignoring
20110216144305.545784Z#000000#000#000000
(both servers are perfectly in sync with an NTP daemon)
It looks like ITS #6619 is quite similar, and unresolved.
What do these messages mean ? Is there a way to force the update ?
Regards,
Jeremy W.
On 4/15/19 10:09 AM, Dieter Kluenter wrote:
> Michael Ströder <michael(a)stroeder.com> writes:
>> On 4/14/19 5:32 PM, Dieter Kluenter wrote:
>>> § ldapfuse ldap://localhost ~/adbook
>>> Unhandled LDAP error code -1
>>> LDAP Can't contact LDAP server
>>
>> Is the server running?
>
> Yes, slapd is running. In fact I tested it with 3 hosts.
Do you have required StartTLS configured in your ldap.conf or .ldaprc?
Ciao, Michael.
On Oct 3, 2013, at 17.46, Axel Grosse <agrosse(a)axway.com> wrote:
> Hi all, Ben, Dieter,
> thank you for your help ...
> got it working on ldaps without TLS :-))
>
> we can close that thread
glad you had success. a note of pedantry - just because ldaps was used doesn't mean tls was not. those two concepts are orthogonal. [e.g. starttls and tls are two different things]. in fact, tls should be [and probably is] used with your ldaps connection. ssl should not be, having been replaced by tls.
-ben
Am Mon, 31 Aug 2015 19:43:39 -0400
schrieb Frank Crow <fjcrow2008(a)gmail.com>:
> Hi,
>
> I'm trying to configure OpenLDAP 2.4.23 (running on RHEL6.5) to use
> client-side certificates via the SASL/EXTERNAL mechanism. I have
> successfully configured server-side certs with TLS and was wanting to
> expand my configuration on the client-side.
>
> If set the TLSClientVerify to "allow" or "try" and attempt to use "-Y
> EXTERNAL", I get the following message:
>
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL (-4): no mechaism available:
>
>
> If I do a search on the DSE, I get the following available methods:
>
> dn:
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: PLAIN
>
>
> I know that other people are using this but nobody (here at work)
> knows why my particular configuration is getting this error. Can
> anyone help me figure this out?
It seems you have not initialised a TLS session, that is, either
startTLS
on port 389 or without starttls on secure port 636
ldapsearch -LLL -Y EXTERNAL -ZZ -H ldap://localhost -b "" -s base
supportedSASLMechanisms
SASL/EXTERNAL authentication started
SASL username: xxxxx
SASL SSF: 0
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E