--On Wednesday, June 27, 2012 3:31 PM +0200 Guillaume Rousse
<guillomovitch(a)gmail.com> wrote:
> Sorry, I'm not a Zimbra admin, and I may have been confusing in my
> explanations. The problem occurs with Zimbra acting as an LDAP client
> against an external LDAP server, performing a bind operation for
> authenticating users, with the following behaviour:
>
> Zimbra against an openldap 2.3.x server, with TLS on port 389: OK
> Zimbra against an openldap 2.4.x server, on port 636: OK
> Zimbra against an openldap 2.4.x server, with TLS on port 389: 30s delay
Ok, so what you are saying is:
You upgraded your OS to CentOS6
You use external auth
The external auth from CentOS6 to your own LDAP server shows a 30 second
delay on closing.
That sounds like a bug in Java/JNDI. I did see some 30 second issues with
RHEL6, but it was with initiating a connection, not closing it. You can
see more about that at
<https://stomp.colorado.edu/blog/blog/2011/06/29/on-rhel-6-ssh-dns-firewalls…>
I would note that JNDI behavior varies based on startTLS vs SSL on port 636
as well.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Hi,
I have a provider server and five consumer servers, all of which have the
memberOf overlay configured:
overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-refint true
memberof-dangling ignore
syncrepl rid=005
provider=ldap://<server>:389
type=refreshAndPersist
interval=00:00:05:00
retry="60 10 600 +"
searchbase="dc=<removed>,dc=<removed>"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
starttls=no
bindmethod=simple
binddn="cn=replica,dc=<removed>,dc=<removed>"
credentials=<removed>
When I bring a new replica online, it appears that entries are replicated
in the order that they were created on the provider server which produces
many "memberof_value_modify failed err=32" messages in the log, and
incomplete memberOf data. To get around this, I wrote a script which
empties all groups prior to replication, and then recreates the memberships
after the initial replication. This seems to work, but is hardly ideal. Is
there a "more correct" way of replicating memberOf values without
manipulating my provider each time I bring up a new consumer?
Thank you very much,
Todd
Hello Team,
I have an issue with OpenLDAP TLS based replication
I am getting the error below:
slap_client_connect: URI=ldap://gb0135embldap01.emb.slb.com Error, ldap_start_tls failed (-11)
Sep 13 16:13:34 ae0043app05 slapd[2582]: do_syncrepl: rid=365 rc -11 retrying
I have OpenLDAP 2.4.19 on Ubuntu 9.04. I decided to upgrade it, and first upgraded my consumer OpenLDAP server, which I migrated to Ubuntu 12.04 and version 2.4.28.
I have created the certificate for my consumer from the existing server, but when I go for TLS-based replication the database is not syncing; it is syncing when I remove starttls=no.
Any idea why this is happening?
Thanks & Regards,
Arun Sasi Venmalassery
-------------------------------------------------------------------------------------------------------------------------------------
Sr. Engineer - Server Management (UNIX),
Wipro Ltd (Dubai) |Mob: +971 566489491 | E: arun.sasi1(a)wipro.com<mailto:koresh.dash@wipro.com>
Hello, I've been reading around on OpenLDAP + Kerberos (FreeBSD 7.2) for
authentication/authorization. I'm a bit confused on how to get it all
working but I've gotten far enough that I can run getent passwd test.user
and it pulls down the information from ldap (ran as root and non-root user).
I can also successfully get a ticket with kinit from various users. Where I
run into problems, is actually getting services to use GSSAPI. I am
currently using nss_ldap and pam_ldap to authenticate during ssh login, if
there's a better alternative please let me know.
Here's the setup I've got:
Services -> FQDN -> IP
ldap/kdc -> frisbee.crazy.lan -> 192.168.1.5
ssh -> cake.crazy.lan -> 192.168.1.6
Running kinit:
==============================================================
cake# kinit ldapadm
ldapadm(a)CRAZY.LAN's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
cake# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ldapadm(a)CRAZY.LAN
Issued Expires Principal
Aug 9 17:45:41 Aug 10 03:45:41 krbtgt/CRAZY.LAN(a)CRAZY.LAN
==============================================================
Here's what I run to authenticate with SSH:
==============================================================
cr4z3d@Allan-PC:~$ ssh -v -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes test.user(a)cake.crazy.lan
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to cake.crazy.lan [192.168.1.6] port 22.
debug1: Connection established.
debug1: identity file /home/cr4z3d/.ssh/identity type -1
debug1: identity file /home/cr4z3d/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/cr4z3d/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 FreeBSD-20080901
debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'cake.crazy.lan' is known and matches the DSA host key.
debug1: Found key in /home/cr4z3d/.ssh/known_hosts:47
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
==============================================================
I've tried different options in /usr/local/etc/ldap.conf for
pam_ldap/nss_ldap (the conf files are symlinked). The first one is with SASL
turned on and the second without.
==============================================================
#define the ldap server's fqdn
host frisbee.crazy.lan
# define the base search pattern
base dc=crazy,dc=lan
# define the uri
uri ldap://frisbee.crazy.lan
# use starttls
ssl start_tls
# use sasl for all authentications
use_sasl on
# SASL authorization ID
sasl_auth_id host/cake.crazy.lan
#check the server's cert
tls_checkpeer yes
# full path to CA's cert
tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem
# enable debug
#debug 9
==============================================================
Here are the logs from the ldap server:
==============================================================
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 ACCEPT from IP=192.168.1.6:56955 (IP=0.0.0.0:389)
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 STARTTLS
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 RESULT oid= err=0 text=
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 TLS established tls_ssf=256 ssf=256
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163
Aug 9 17:47:21 frisbee slapd[86935]: SASL [conn=15] Failure: Couldn't find mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=2 UNBIND
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 closed
==============================================================
This is where I get a bit confused: it tells me that there's no mechanism
for GSSAPI. So I try changing to no SASL options in the configuration file:
==============================================================
#define the ldap server's fqdn
host frisbee.crazy.lan
# define the base search pattern
base dc=crazy,dc=lan
# define the uri
uri ldap://frisbee.crazy.lan
# use starttls
ssl start_tls
#check the server's cert
tls_checkpeer yes
# full path to CA's cert
tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem
# enable debug
#debug 9
==============================================================
This leads to the following in the ldap logs when trying to SSH in:
==============================================================
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 fd=11 ACCEPT from IP=192.168.1.6:63817 (IP=0.0.0.0:389)
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 STARTTLS
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 RESULT oid= err=0 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 fd=11 TLS established tls_ssf=256 ssf=256
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 BIND dn="" method=128
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 RESULT tag=97 err=0 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test.user))"
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Aug 9 18:16:57 frisbee slapd[86935]: <= bdb_equality_candidates: (uid) not indexed
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test.user))"
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Aug 9 18:16:57 frisbee slapd[86935]: <= bdb_equality_candidates: (uid) not indexed
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
==============================================================
It just keeps asking for my password and outputs the following in auth.log
on the ssh server:
==============================================================
Aug 9 18:36:42 cake sshd[63643]: pam_ldap: error trying to bind as user "uid=test.user,ou=people,dc=crazy,dc=lan" (Server is unwilling to perform)
Aug 9 18:36:42 cake sshd[63640]: error: PAM: authentication error for test.user from 192.168.1.119
Aug 9 18:36:42 cake sshd[63644]: nss_ldap: reconnected to LDAP server ldap://frisbee.crazy.lan after 1 attempt
==============================================================
So while root I tried su test.user and was surprised to see that it had worked.
I was able to run commands as test.user such as touch file, but if I tried
whoami it just sat there until I broke the command with ctrl+c. On the ldap
server I had the following in the logs:
==============================================================
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 ACCEPT from IP=192.168.1.6:60126 (IP=0.0.0.0:389)
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 STARTTLS
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 RESULT oid= err=0 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 closed (TLS negotiation failure)
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 fd=15 ACCEPT from IP=192.168.1.6:60601 (IP=0.0.0.0:389)
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 STARTTLS
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 RESULT oid= err=0 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 fd=15 closed (TLS negotiation failure)
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 fd=15 ACCEPT from IP=192.168.1.6:50915 (IP=0.0.0.0:389)
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 STARTTLS
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 RESULT oid= err=0 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 fd=15 closed (TLS negotiation failure)
==============================================================
There seems to be something wrong with the TLS negotiation, but I've ensured
that the CN for my key is frisbee.crazy.lan. I set the CA's cert CN to
allanfeid.com (I own the domain).
At this point I'm unsure where to go to continue troubleshooting and getting
this to work. I'm just trying to get a solid Single Sign-on solution using
kerberos, ldap, and sasl for a learning experience. If there is a more
appropriate way of achieving this, I'm open to suggestions. Here's my ldap
and slapd configuration files:
(server) frisbee# cat /usr/local/etc/openldap/ldap.conf
==============================================================
TLS_CACERT /usr/local/etc/openldap/certs/CA/cacert.pem
==============================================================
(client) cake# cat /usr/local/etc/openldap/ldap.conf
==============================================================
# path to CA's cert
TLS_CACERT /usr/local/etc/openldap/certs/cacert.pem
# define base to our search
BASE dc=crazy,dc=lan
# define uri to openldap
URI ldap://frisbee.crazy.lan
==============================================================
(server) frisbee# cat /usr/local/etc/openldap/slapd.conf
note: I removed a lot of comments to save space
==============================================================
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/duaconf.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/krb5-kdc.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# SSL/TLS cipher order preference
TLSCipherSuite HIGH
# Full path to CA cert file
TLSCACertificateFile /usr/local/etc/openldap/certs/CA/cacert.pem
# Full path to server's TLS cert
TLSCertificateFile /usr/local/etc/openldap/certs/private/slapdcert.pem
# Full path to server's TLS key
TLSCertificateKeyFile /usr/local/etc/openldap/certs/private/slapdkey.pem
# Password hashing mechanism
password-hash {SSHA}
# log level
loglevel 256
# refuse simple binds
disallow bind_simple
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=crazy,dc=lan"
directory /var/db/openldap-data
# Indices to maintain
index default eq,pres
index objectClass eq
index cn,sn,givenname,mail eq,pres,sub
# ACL Definitions
authz-policy from
authz-regexp
uid=(.*),cn=crazy.lan,cn=GSSAPI,cn=auth
uid=$1,ou=people,dc=crazy,dc=lan
# SASL hostname
sasl-host frisbee.crazy.lan
access to *
by dn="uid=ldapadm,cn=gssapi,cn=auth" write
by * read
access to *
by * read
==============================================================
That's my actual config, and the message in the logs is: Unauthenticated
================================================
uri "ldaps://ldap.google.com/dc=proxy"
suffixmassage "dc=proxy" "dc=example,dc=com"
lastmod off
readonly on
idassert-bind bindmethod=sasl
saslmech=EXTERNAL
tls_reqcert=demand
tls_reqsan=demand
tls_cert=/root/ldapcerts/google_cert.crt
tls_key=/root/ldapcerts/google_cert.key
tls_cacert=/root/ldapcerts/ca/gtsr1.pem
================================================
I've actually been trying all kinds of configurations for the last 2 weeks. Is
there a chance that this doesn't work with Google's LDAP? I can't find a
single example on the entire internet of someone who has managed to do this
with the LDAP of Google.
On Tue, 5 Nov 2024 at 12:51, Quanah Gibson-Mount (<quanah(a)fast-mail.org>)
wrote:
>
>
> --On Monday, November 4, 2024 8:29 PM -0300 tmp 2810 <t2810mp(a)gmail.com>
> wrote:
>
> > Once again, I apologize; I ran so many tests that I accidentally copied
> > one where the binddn was incorrect.
> >
> > The target looks more like this:
> >
> > ## example.com
> > uri "ldaps://ldap.google.com/dc=proxy"
> > suffixmassage "dc=proxy" "dc=example,dc=com"
> > lastmod off
> > readonly on
> > idassert-bind bindmethod=simple
> > binddn="cn=ChiwewDaw"
>
> cn is, by definition, case insensitive. If Google LDAP is forcing case
> sensitivity in this attribute, it is a gross violation of the LDAP RFCs.
> However, having had to interface with it in the past, I don't believe that
> is the case. I would generally suspect that this is not the full DN of
> the user.
>
> > idassert-bind bindmethod=sasl
> > saslmech=EXTERNAL
> > tls_reqcert=demand
> > tls_reqsan=demand
> > starttls=critical
>
>
> This is not sufficient, please read the man page:
>
>
> idassert-bind bindmethod=none|simple|sasl [binddn=<simple DN>]
>     [credentials=<simple password>] [saslmech=<SASL mech>]
>     [secprops=<properties>] [realm=<realm>]
>     [authcId=<authentication ID>] [authzId=<authorization ID>]
>     [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>]
>     [starttls=no|yes|critical]
>     [tls_cert=<file>] [tls_key=<file>] [tls_cacert=<file>]
>     [tls_cacertdir=<path>]
>     [tls_reqcert=never|allow|try|demand]
>     [tls_reqsan=never|allow|try|demand]
>     [tls_cipher_suite=<ciphers>] [tls_ecname=<names>]
>     [tls_protocol_min=<version>] [tls_crlcheck=none|peer|all]
>
>
> You *must* specify tls_cert, tls_key, and tls_cacert as a part of
> idassert-bind as it provides the TLS identity to bind as. In your
> configuration for simple bind, tls_cert and tls_key are unnecessary as
> you're not doing SASL/EXTERNAL binds.
>
> --Quanah
>
>
>
>
Dieter Kluenter wrote:
> Götz Reinicke - IT-Koordinator <goetz.reinicke(a)filmakademie.de> writes:
>
>> Hi folks,
> [...]
>> My consumer server should bind to the provider using sasl with the
>> saslmech external. (Red Hat 5.x, cyrus-sasl-2.1.22, openldap-2.3.43-3 )
>>
>> I've changed the slapd.conf files on both servers:
>>
>> consumer:
>>
>> syncrepl ...
>> bindmethod=sasl
>> saslmech=EXTERNAL
>> starttls=yes
>>
>> provider:
>>
>> authz-regexp
>> "dn=email=webmaster(a)filmakademie.de,cn=ldap2.filmakademie.de,ou=it
>> officenet,o=filmakademie baden-wuerttemberg
>> gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de"
>> "cn=replicator,dc=filmakademie,dc=de"
>>
>> after restarting both servers I do get the error:
>>
>> <==slap_sasl2dn: Converted SASL name to <nothing>
>> SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such
>> file or directory
>
> [...]
>
> I don't see a configuration for client certs, as an example I provide
> my slapd.conf
>
> syncrepl rid=042
> provider=ldap://rubin.avci.de
> sizelimit=unlimited
> bindmethod=sasl
> saslmech=external
> starttls=yes
> tls_cert=/etc/openldap/certs/replicator.pem
> tls_key=/etc/openldap/certs/replicator-key.pem
> tls_cacert=/etc/openldap/certs/avciCA.pem
> tls_reqcert=demand
> searchbase="o=avci,c=de"
> scope=sub
> [...]
Hi Dieter,
it looks like I still have some misunderstanding of where to set some
options after following my manual.... Maybe your book is better ;-)
I added the tls_* options to my consumer slapd.conf and started both
servers again. Now I still get messages on the provider which confuse
me, in particular the line "Converted SASL name to <nothing>"
do_sasl_bind: dn (cn=replicator,dc=filmakademie,dc=de) mech EXTERNAL
==>slap_sasl2dn: converting SASL name email=webmaster(a)filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de to a DN
slap_authz_regexp: converting SASL name email=webmaster(a)filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Authorize [conn=0]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/EXTERNAL bind: dn="email=webmaster(a)filmakademie.de,cn=ldap2.filmakademie.de,ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,l=ludwigbsburg,st=baden-wuerttemberg,c=de" sasl_ssf=0
Any suggestions? Thanks for your response,
/Götz
--
Götz Reinicke
IT-Koordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke(a)filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Stuttgart District Court, HRB 205016
Chair of the Supervisory Board:
Prof. Dr. Claudia Hübner
Managing Director:
Prof. Thomas Schadt
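The two threads above both hinge on authz-regexp: the FreeBSD/Kerberos post maps a GSSAPI identity to an entry under ou=people, and this thread shows a certificate subject being converted to <nothing>. The following is an added illustrative model of that mapping step (not slapd's code and not either poster's); it runs the GSSAPI rule from the FreeBSD post and the posted provider rule against the subject string exactly as slapd logged it, and a constructed variant of that rule without the leading "dn=" is included purely as a string-matching comparison.

```python
"""Illustrative model of slapd's authz-regexp matching (added example,
not slapd's code): rules are tried in configuration order, the first
regexp that matches the SASL authentication name wins, and $N in its
replacement is filled from capture group N. Names and rules are taken
from the posts above; the archive's "(a)" is written as "@" here."""
import re

# Mapping from the FreeBSD/Kerberos post: GSSAPI identity -> people entry.
GSSAPI_RULES = [
    (r"uid=(.*),cn=crazy.lan,cn=GSSAPI,cn=auth",
     r"uid=$1,ou=people,dc=crazy,dc=lan"),
]

# Certificate subject as slapd logged it in this thread (mail wrapping removed).
CERT_SUBJECT = ("email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,"
                "ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,"
                "l=ludwigbsburg,st=baden-wuerttemberg,c=de")

# The provider's authz-regexp as posted, including its leading "dn=" ...
POSTED_RULES = [
    (r"dn=email=webmaster@filmakademie.de,cn=ldap2.filmakademie.de,"
     r"ou=it officenet,o=filmakademie baden-wuerttemberg gmbh,"
     r"l=ludwigbsburg,st=baden-wuerttemberg,c=de",
     r"cn=replicator,dc=filmakademie,dc=de"),
]
# ... and a constructed comparison rule that is the bare subject string.
SUBJECT_RULES = [(CERT_SUBJECT, r"cn=replicator,dc=filmakademie,dc=de")]


def authz_regexp(sasl_name, rules):
    """Return the DN produced by the first matching rule, or "" when none
    matches (slapd logs that as 'Converted SASL name to <nothing>').
    slapd compiles the patterns as extended, case-insensitive regexps and
    applies them unanchored, which is mirrored here with re.search."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_name, re.IGNORECASE)
        if m is None:
            continue

        def expand(ref):
            # $0 is the whole match, $1..$9 the capture groups.
            n = int(ref.group(1))
            return m.group(n) if n <= m.re.groups else ""

        return re.sub(r"\$(\d)", expand, replacement)
    return ""


def demo():
    """Run the cases discussed in the posts and return name -> mapped DN."""
    return {
        "gssapi": authz_regexp("uid=ldapadm,cn=crazy.lan,cn=GSSAPI,cn=auth",
                               GSSAPI_RULES),
        "posted": authz_regexp(CERT_SUBJECT, POSTED_RULES),
        "subject": authz_regexp(CERT_SUBJECT, SUBJECT_RULES),
    }


if __name__ == "__main__":
    for case, dn in demo().items():
        print("%-8s -> %s" % (case, dn or "<nothing>"))
```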
On 4/8/21 5:24 PM, Michael Ströder wrote:
> On 4/8/21 4:07 PM, work(a)seyboldt.org wrote:
>> i need to open my LDAP-Directory to a public available Server.
>>
>> What is the best secure way to connect my LDAP-Server to my Public
>> server?
>
> This is a pretty broad question.
>
> Good answers usually need more info:
> - which kind of data is stored inside the LDAP server?
> - how do LDAP clients access the server?
> - which OS is the LDAP server running on?
> - against which attacks do you want to protect your deployment?
Some more:
- how is the data maintained?
- do you only need data integrity or also data confidentiality?
> Some general security measures include:
> - use TLS-protected connections everywhere (StartTLS or LDAPS)
> - use decently secure authentication mechs
> - implement secure OpenLDAP ACLs to protect the database content
> - build stripped-down, specific OpenLDAP packages for your needs
> - use systemd's sand-boxing options (if using systemd on Linux at all)
> - use kernel-level MAC like SELinux or AppArmor (if OS is Linux)
Some more:
- have decent monitoring
- implement decent metrics and log analysis (SIEM)
- maybe implement push-replication (depending on network architecture)
Ciao, Michael.
Quanah and all, hello.
On 30 Mar 2022, at 18:54, Quanah Gibson-Mount wrote:
> --On Wednesday, March 30, 2022 8:28 PM +0200 Stefan Kania <stefan(a)kania-online.de> wrote:
>
>> That's what can be found in the FAQ on openldap.org:
>>
>> https://www.openldap.org/faq/data/cache/605.html
>>
>> I would trust this more than any rumors on any stackxxxx page ;)
>
> Unfortunately, the FAQ is dead weight we want to kill and not maintained in any way, shape, or form. It's currently provided for historical purposes.
Since the copyright dates at the bottom of that page are '1998-2013', meaning the content of the site is now nearly a decade out of date, I feel the FAQ-o-matic now has negative utility, and that you should give in to the urge to kill it.
I respect and applaud the desire to preserve the content for historical reasons, but surely that goal can be served by making a tarball of the content available at whatever page https://www.openldap.org/faq/.../* were to redirect to (i.e., the pages shouldn't be 404-ed, but neither should they be 200; 301 is good).
I have previously (indeed recently) looked at that page and, without thinking much about the question, taken its deprecation of LDAPS as current doctrine.
And... ah, FAQ-o-matic. I have fond memories of FAQ-o-matics, back when wikis were new...
Best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
Ok. Maybe you are right. Sometimes "less is more".
I am moving forward to high availability and I am planning to set up two ldap
servers in Mirror mode.
I have already setup a haproxy in front but i have two problems.
1. Not able to enable StartTLS (currently only SSL is functional)
2. It seems quite slower. Is this normal?
On Thu, 22 Sep 2016 at 12:20 PM, Dirk Kastens <
dirk.kastens(a)uni-osnabrueck.de> wrote:
> Hi,
>
> > Do you know a good policy for incremental backup? I mean I only have
> > 10000 users now, but in the future it will really get bigger and I hate
> > to dump the whole database
> > every night.
>
> Why not? I'm dumping our directory with 70.000 entries using slapcat
> every night in less than a minute.
>
> Dirk
>
> --
Dr. Nikolas Stylianides
Electrical and Computer Engineer
Nikolas Stylianides, Dr.
Dr. Eng. in Electrical & Computer Engineering
Contacts
-------------
Mobile Tel.: +35796741315
Email: nstylianides(a)leafnet.com.cy, nstylianides(a)gmail.com
Skype: nicostyl
Affiliation
---------------
LEAF NET LTD: Research & Development
Open University of Cyprus: Research Associate, APPLIED HEALTH INFORMATICS
Master Programme Academic Board Member
To be laconic is to philosophize / Nothing in excess - Chilon of Sparta:
Brevity is the soul of wit - William Shakespeare (Hamlet)
I have slapd listening on port 636 only because I want to enforce use of
SSL/TLS
It all works successfully (I now have my UNIX users, mail, and about a
dozen apps authenticating against it), however...
I wanted fault tolerance, and I thought that the way to achieve this
would be using DNS SRV and replication (which was also easy to get working)
What I've observed:
- if I create _ldaps._tcp.example.org SRV records, they are ignored
- if I create _ldap._tcp.example.org SRV records, and I ldapsearch with
a URI of the form "ldaps:///dc%3Dexample%2Cdc%3Dorg" it works
So, it seems to be the combination of the ldaps URI prefix with the
_ldap._tcp SRV record that is working; this doesn't seem right.
I've also found that other LDAP apps have slightly different
expectations too:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661955
I went searching for a definite answer:
+site:ietf.org ldaps srv
http://tools.ietf.org/html/rfc2782 refers to the name of the service
from `Assigned Numbers',
http://tools.ietf.org/html/rfc1700
which omits ldaps, but it is defined elsewhere as a distinct service name:
http://www.ietf.org/assignments/service-names-port-numbers/service-names-po…
Therefore, my feeling is that
- if an ldaps: URI is used, the SRV query should be seeking
_ldaps._tcp, and
- if an ldap: URI is used (and StartTLS may or may not be requested by
the user), the SRV query should be looking for _ldap._tcp
Also, can anyone comment on why the URI needs to be escaped manually
when using DNS SRV?
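To make the two questions in the post concrete, here is an added example (not libldap's code and not the poster's) that takes a host-less LDAP URL such as the "ldaps:///dc%3Dexample%2Cdc%3Dorg" above, percent-decodes the DN as RFC 4516 requires (the reason the DN has to be escaped on the command line), builds the domain from the dc= components, and picks the SRV owner name according to the rule the poster proposes: _ldaps._tcp for ldaps: URLs and _ldap._tcp for ldap: URLs. It only computes the query name; it does not perform DNS lookups, so it runs offline.

```python
"""Added example: which SRV record a host-less LDAP URL should lead to,
following the scheme-to-service rule proposed in the post above
(ldaps: -> _ldaps._tcp, ldap: -> _ldap._tcp). Not OpenLDAP code; the
observed libldap behaviour described in the post differs from this."""
from urllib.parse import urlsplit, unquote


def split_dn(dn):
    """Split an RFC 4514 string DN into its RDNs on unescaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def dn_to_domain(dn):
    """Join the dc= values left to right (dc=example,dc=org -> example.org),
    the RFC 2247 convention libldap uses when a URL names no host.
    Returns None when the DN carries no dc components."""
    labels = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "dc":
            labels.append(value.strip())
    return ".".join(labels) if labels else None


def srv_name_for_url(url):
    """Return the SRV owner name to query for a host-less ldap:/ldaps: URL.
    Raises ValueError when the URL names a host (SRV does not apply) or
    the DN yields no domain."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    if u.netloc:
        raise ValueError("URL names a host explicitly; no SRV lookup needed")
    # RFC 4516: the DN is the first path component and must be
    # percent-encoded, hence dc%3Dexample%2Cdc%3Dorg on the ldapsearch line.
    dn = unquote(u.path.lstrip("/"))
    domain = dn_to_domain(dn)
    if domain is None:
        raise ValueError("DN has no dc= components: %r" % dn)
    service = "_ldaps" if u.scheme == "ldaps" else "_ldap"
    return "%s._tcp.%s" % (service, domain)


if __name__ == "__main__":
    for url in ("ldaps:///dc%3Dexample%2Cdc%3Dorg",
                "ldap:///dc=example,dc=org??sub?(uid=test.user)"):
        print("%-48s -> %s" % (url, srv_name_for_url(url)))
```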