Re: can't use godaddy SSL cert

2010-11-26 Thread Buchan Milne
On Thursday, 25 November 2010 17:26:56 bluethundr wrote:

 
> [r...@lbsd2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile  /usr/local/etc/openldap/cacerts/sf_issuing.crt
> 
> I have tried each of the following certs with no luck in getting my
> cert to talk to its CA:
> 
> -rw-r--r--  1 root  bluethundr  2604 Nov 25 11:37 ca_bundle.crt
> -r--r-----  1 root  ldap        4604 Nov 24 18:57 gd_bundle.crt
> -r--r-----  1 root  ldap        1537 Nov 25 02:00 sf_issuing.crt
> 
> 
> and I get the same result for each when I attempt to connect to SSL on
> the LDAP server:
> 
> [r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect
> ldap.example.com:389 -showcerts -CAfile sf_issuing.crt

I doubt your hostname is ldap.example.com, it looks like it is 
LBSD2.summitnjhome.com. Since hostname = certificate subjectCN is important, 
you may prefer to provide *accurate* information while asking for help ...

> 13730:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:122:fopen('sf_issuing.crt','r')

Please read the error message above carefully.

Your working directory of /tmp/Foswiki-1.1.2 most likely doesn't contain your 
certificate sf_issuing.crt. Maybe you should try:

openssl s_client -connect LBSD2.summitnjhome.com:636 -showcerts -CAfile 
/usr/local/etc/openldap/cacerts/sf_issuing.crt

(note, I don't think s_client can test LDAP+start_tls, only ldaps ... so this 
test assumes you have slapd started with a -h option that includes ldaps:///)

> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(0003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:188:


> ldapsearch -h ldap.example.com -d -1 -ZZ dc=example,dc=com


ldapsearch doesn't read slapd.conf, did you supply the correct TLS_CACERT 
value in /usr/local/etc/openldap/ldap.conf ? Of course, you should use the 
hostname for which the cert is issued, or the next failure will be due to 
hostname/certificate subject mismatch.

Please see 'man ldap.conf'

> TLS certificate verification: depth: 0, err: 20, subject:
> /O=LBSD2.summitnjhome.com/OU=Domain Control
> Validated/CN=LBSD2.summitnjhome.com, issuer:
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
>   :  15 03 01 00 02 02 30   ..0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
>   additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 
> It seems to indicate that it can't talk to its CA...

No, seems it doesn't know where to look for the CA certificate ...

> does anyone have any suggestions on how to make this work?

echo TLS_CACERT /usr/local/etc/openldap/cacerts/sf_issuing.crt >> /usr/local/etc/openldap/ldap.conf
?

Regards,
Buchan


Setting up primary/secondary LDAP servers with TLS/SSL enabled

2010-11-26 Thread Konstantin Boyandin

Hello,

I am using a primary/secondary LDAP servers configuration, it works quite 
normally.


I need to make LDAP authentication secure. I.e., I need both LDAP 
servers to provide LDAP over SSL/TLS, so that both the primary and the secondary 
LDAP server can be used (mentioned in ldap.conf).


I have to use self-signed SSL certificates, since the servers are 
located in intranet, they have no 'real' domain names.


The problem is I can't figure out how to specify ldap.conf SSL 
parameters so that they could

- verify LDAP server certificate
- be used with both primary and secondary LDAP servers

Also, I'd prefer to use TLS - how do I run slapd so that it provides a 
TLS-aware connection on the standard port? Is it possible to set up 
slapd so that TLS is optional (for testing/transition purposes)?


I would greatly appreciate references to the relevant docs on these.

Thank you.
Sincerely,
Konstantin
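The checks Buchan walks through above (CA file not found because of the working directory, a bundle that does not contain the server's issuer, and the client reading TLS_CACERT from ldap.conf rather than TLSCACertificateFile from slapd.conf), together with Konstantin's two-server, self-signed setup, as an added shell example. It is not code from either message or from OpenLDAP: it generates throwaway certificates locally with openssl(1), and every host name, file name and the ldap.conf content is an illustrative assumption.

```shell
#!/bin/sh
# Added example for this thread; not code from any of the posters.
# Builds a throwaway issuing CA and server certificate and shows what chain
# verification reports when the CA file is missing (the fopen error in the
# thread), when it is an unrelated bundle (err 20, "unable to get local
# issuer certificate") and when it is the real issuer. The second half is
# Konstantin's case: two self-signed intranet servers and one ldap.conf that
# trusts both. Assumes openssl, awk and mktemp on PATH; host names are
# illustrative; nothing touches the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkca NAME SUBJECT: self-signed certificate plus key. Used both for the
# stand-in issuing CA and for self-signed server certificates, which are
# their own trust anchor.
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# mkleaf NAME CA HOSTNAME: server certificate signed by CA. The CN has to be
# the name clients connect to, or the next failure is a name mismatch.
mkleaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_against CAFILE CERT: prints "ok", "missing" (CA file not readable,
# as with the wrong working directory in the thread) or "err=N" with
# OpenSSL's X509 verify error number (20 = unable to get local issuer cert).
verify_against() {
  [ -r "$1" ] || { echo missing; return 0; }
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *": OK"*) echo ok ;;
    *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/err=\1/p' | head -n 1 ;;
  esac
}

# conf_value FILE KEYWORD: first value of a keyword in slapd.conf/ldap.conf
# syntax (keywords are case-insensitive, comments start with #).
conf_value() {
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_client LDAP_CONF SERVER_CERT: the check ldapsearch effectively does.
# It reads TLS_CACERT from ldap.conf; TLSCACertificateFile in slapd.conf is
# irrelevant to the client.
check_client() {
  ca=$(conf_value "$1" TLS_CACERT)
  [ -n "$ca" ] || { echo "no TLS_CACERT"; return 0; }
  verify_against "$ca" "$2"
}

# Case 1: a commercial-style chain. "issuing" stands in for sf_issuing.crt,
# "other" for a bundle that does not contain the server's issuer.
mkca issuing "/CN=Example Issuing CA"
mkca other   "/CN=Unrelated CA"
mkleaf slapd issuing LBSD2.summitnjhome.com

# Case 2: two self-signed intranet servers. Each server certificate is its
# own CA, so the client's TLS_CACERT is simply both PEM files concatenated.
mkca ldap1 "/CN=ldap1.intranet"
mkca ldap2 "/CN=ldap2.intranet"
cat "$WORK/ldap1.crt" "$WORK/ldap2.crt" > "$WORK/intranet-bundle.crt"
cat > "$WORK/ldap.conf" <<EOF
# client side: libldap tries the URIs in order, so the secondary is used
# when the primary is down; TLS_REQCERT demand is the default and keeps
# server certificate verification on.
URI         ldap://ldap1.intranet ldap://ldap2.intranet
TLS_CACERT  $WORK/intranet-bundle.crt
TLS_REQCERT demand
EOF

echo "CA file in wrong directory:  $(verify_against "$WORK/Foswiki-1.1.2/sf_issuing.crt" "$WORK/slapd.crt")"
echo "unrelated bundle:            $(verify_against "$WORK/other.crt" "$WORK/slapd.crt")"
echo "issuing CA:                  $(verify_against "$WORK/issuing.crt" "$WORK/slapd.crt")"
echo "ldap.conf bundle vs ldap1:   $(check_client "$WORK/ldap.conf" "$WORK/ldap1.crt")"
echo "ldap.conf bundle vs ldap2:   $(check_client "$WORK/ldap.conf" "$WORK/ldap2.crt")"
echo "ldap.conf bundle vs slapd:   $(check_client "$WORK/ldap.conf" "$WORK/slapd.crt")"
```

Against live servers the equivalent checks are `openssl s_client -connect host:636 -CAfile <ca>` for ldaps and `ldapsearch -H ldap://host -ZZ -x -b '' -s base` for StartTLS on 389 once TLS_CACERT is set (LDAPTLS_CACERT in the environment overrides ldap.conf for a single run). Current OpenSSL (1.1.1 and later) also accepts `-starttls ldap` on s_client, which did not exist when this thread was written. slapd offers StartTLS on its plain ldap:// listener as soon as TLSCertificateFile and TLSCertificateKeyFile are set; it stays optional unless `security tls=1` (or a minimum `ssf`) is configured, and a ldaps:// listener needs `-h "ldap:/// ldaps:///"`.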


Re: Problem when trying to authenticate squid with openldap server

2010-11-26 Thread Buchan Milne
On Wednesday, 24 November 2010 12:59:05 Bruno Lamps wrote:

[snip irrelevant information]

 
> auth_param basic program /usr/lib/squid/squid_ldap_auth -D
> cn=admin,dc=pisolar -w mypassword -b ou=usuarios,dc=pisolar -h
> 192.168.1.7 -v 3

Note that without a filter (-f option), this does DN construction, which may 
not be what you want ...

> cn=admin,dc=pisolar = my root user.


> ou=usuarios,dc=pisolar = the OU where my users are stored.

Please provide the exact DN of the user for which you are testing.

> I opened slapd in debug mode (slapd -d 255) in my openldap debian-powered
> VM, and this is the text shown when I try to authenticate in my browser:

I assume you tried to log in with username 'lamps'

> => acl_mask: access to entry "uid=lamps,ou=usuarios,dc=pisolar", attr
> "userPassword" requested
> => acl_mask: to value by "", (=0)
> <= check a_dn_pat: cn=admin,dc=pisolar
> <= check a_dn_pat: anonymous
> <= acl_mask: [2] applying none(=0) (stop)
> <= acl_mask: [2] mask: none(=0)
> <= slap_access_allowed: auth access denied by none(=0)
> <= access_allowed: no more rules
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_result: err=49 matched="" text=""
> send_ldap_response: msgid=1 tag=97 err=49

It seems your ACLs are not sufficient for *any* simple binds to this DN.

Please test the following on your LDAP server:
$ ldapwhoami -x -D uid=lamps,ou=usuarios,dc=pisolar -W

Until this command works, please don't bother with anything related to squid.

> I tried to set a lot of different config syntaxes at squid.conf, but it
> always comes to the same kind of problem at slapd debug: After reading the
> user CN and his password, slapd fails to read something else (ldap_read:
> want=8 error=Resource temporarily unavailable) and then it doesn't
> authenticate.
> 
> What am I doing wrong? Is there any problem with my openldap server?

Did you ever test simple binds to your LDAP server as these users except from 
squid? It doesn't seem like it ...

Regards,
Buchan
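What the acl_mask trace above is saying, as an added shell example that is not code from the thread or from OpenLDAP: a static check of the userPassword ACL in a slapd.conf, written to my reading of slapd.access(5) (first applicable "access to" stanza wins, first matching "by" clause inside it decides, and a simple bind is evaluated as the anonymous identity). The three configurations are constructed here; the shape of Bruno's real ACLs is not on the page, so the "broken" one only reproduces the outcome in the trace.

```shell
#!/bin/sh
# Added example; not code from the thread or from OpenLDAP. It is a static
# check of the userPassword ACL in a slapd.conf, following slapd.access(5)
# as I read it: "access to" stanzas are tried in order, the first whose
# target covers the attribute decides, and inside it the first matching "by"
# clause gives the access level. A simple bind runs while the connection is
# still anonymous, so the anonymous identity needs at least "auth" on
# userPassword; otherwise slapd logs "auth access denied" and answers err=49
# (invalidCredentials), as in the trace above, for every user.
# Assumes POSIX sh and awk. Not modelled: "=n"/"+x"/"-x" access forms,
# "val" restrictions (skipped) and "stop"/"break" controls. Confirm on a
# real server with slapacl(8) before relying on it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# anon_userpassword_access SLAPD_CONF: the access level the anonymous
# identity gets on userPassword from the first applicable stanza; "none" if
# no stanza applies or no "by" clause matches (slapd's implicit "by * none").
anon_userpassword_access() {
  awk '
    /^access[ \t]+to[ \t]/    { flush(); stanza = $0; next }   # new stanza
    /^[ \t]+/ && stanza != "" { stanza = stanza " " $0; next }  # continuation
    /^[^ \t#]/                { flush() }                        # other keyword
    END                       { flush(); if (!done) print "none" }
    function flush(   n, i, w, target, covers, who, level) {
      if (stanza == "" || done) { stanza = ""; return }
      n = split(stanza, w, /[ \t]+/)
      target = tolower(w[3])                    # the <what> after "access to"
      if (n >= 4 && tolower(w[4]) ~ /^val/) { stanza = ""; return }  # value-restricted
      covers = (target == "*")
      if (index(target, "attrs=") == 1) covers = (("," substr(target, 7) ",") ~ /,userpassword,/)
      if (!covers) { stanza = ""; return }
      for (i = 4; i + 2 <= n; i++)
        if (w[i] == "by") {
          who = tolower(w[i + 1]); level = tolower(w[i + 2])
          # self, users, dn=..., group=... never match an anonymous binder
          if (who == "*" || who == "anonymous") { print level; done = 1; stanza = ""; return }
        }
      print "none"; done = 1; stanza = ""
    }' "$1"
}

# bind_would_work SLAPD_CONF: "yes (<level>)" when anonymous has auth or
# better on userPassword (auth < compare < search < read < write < manage).
bind_would_work() {
  lvl=$(anon_userpassword_access "$1")
  case "$lvl" in
    auth|compare|search|read|write|manage) echo "yes ($lvl)" ;;
    *) echo "no ($lvl)" ;;
  esac
}

# 1. A shape that produces the trace above: self may write, everyone else,
#    including the not-yet-authenticated binder, gets none.
cat > "$WORK/broken.conf" <<'EOF'
access to attrs=userPassword
        by self write
        by * none
access to *
        by * read
EOF

# 2. Fixed: the anonymous binder may use the value for authentication only
#    and still cannot compare, search or read it.
cat > "$WORK/fixed.conf" <<'EOF'
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
EOF

# 3. The pattern Marc's slapd.conf later in this digest uses: an attribute
#    list and "by * auth".
cat > "$WORK/listed.conf" <<'EOF'
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to *
        by * read
EOF

for c in broken fixed listed; do
  printf '%-8s %s\n' "$c" "$(bind_would_work "$WORK/$c.conf")"
done

# On the real server, ask slapd itself (anonymous when -D is not given) and
# then test a bind, as Buchan suggests, before touching squid again:
#   slapacl -f /etc/ldap/slapd.conf -b uid=lamps,ou=usuarios,dc=pisolar userPassword/auth
#   ldapwhoami -x -D uid=lamps,ou=usuarios,dc=pisolar -W
```

Until ldapwhoami succeeds the squid helper cannot, and note Buchan's other point: without -f, squid_ldap_auth builds the bind DN from the username and the -b base instead of searching for the entry, so the DN it constructs has to match the entries exactly.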


Re: memberof overlay 2.4.08

2010-11-26 Thread Marc Patermann

Hi,

Pierangelo Masarati schrieb am 25.03.2008 18:52 Uhr:

> LALOT Dominique wrote:
>> I'm testing memberof overlay and I'd like to get it working 
>> properly for a database migration


>> My tests showed me that it's working when adding members in 
>> groups, but for an initial loading, it does not work.
> 
> Correct.

This still seems to be true.


>> I tested slapadd -q or slapadd without success. Could you tell us,
>> or write something in the documentation to explain, the right way
>> for an initial loading.
> Currently, there is no solution besides writing a script that 
> populates the memberOf attribute in the LDIF file.


>> When we will be in production, I imagine that sometimes, we can 
>> get out of sync between members and memberof. What can we do in 
>> such case.
> 
> It should not happen.

I have a lot of syncrepl consumers. For disaster recovery these are
repopulated with slapadd and a recent provider dump.
With overlay memberof this would not work any more, because the memberOf 
references are lost on this consumer until the member object changes, 
right?


> The overlay should be reworked in order to have some means to repair 
> its connectivity.  This is known but hardly worked on.  You could
> open an ITS requesting this as an enhancement (or a bug fix, it's a 
> matter of taste).

Is there any yet or do I have to do it?

Marc
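The script Pierangelo describes as the only way to get memberOf into an initial load, as an added example that is not from the thread or from OpenLDAP: it reads an LDIF dump, collects the groups, and re-emits the entries with the memberOf values they lack. The group class and attribute names are parameters mirroring memberof-group-oc, memberof-member-ad and memberof-memberof-ad; the input LDIF is constructed here from entries in Marc's post.

```shell
#!/bin/sh
# Added example; not code from the thread or from the OpenLDAP project. It
# computes memberOf from the groups in an LDIF dump before slapadd, since the
# memberof overlay only maintains memberOf on live writes. Values already
# present are kept without duplicates, so a slapcat dump from a consumer that
# already had the overlay can be fed in as well. Assumes POSIX sh and awk.
# Limits: base64 (::) DNs are not decoded, and DN comparison is lower-case
# plus trimmed spaces after commas, not full RFC 4514 normalisation.
set -eu

# ldif_add_memberof GROUP_OC MEMBER_AD MEMBEROF_AD < in.ldif > out.ldif
ldif_add_memberof() {
  awk -v goc="$1" -v mad="$2" -v moad="$3" '
    # Join LDIF continuation lines (a line starting with one space continues
    # the previous one) so every attribute is on a single line.
    function unfold(text,   n, i, lines, out, k) {
      n = split(text, lines, "\n"); k = 0
      for (i = 1; i <= n; i++) {
        if (k > 0 && substr(lines[i], 1, 1) == " ") out[k] = out[k] substr(lines[i], 2)
        else out[++k] = lines[i]
      }
      text = out[1]
      for (i = 2; i <= k; i++) text = text "\n" out[i]
      return text
    }
    function ndn(dn) {
      dn = tolower(dn); gsub(/,[ \t]+/, ",", dn)
      sub(/^[ \t]+/, "", dn); sub(/[ \t]+$/, "", dn); return dn
    }
    BEGIN { RS = ""; FS = "\n"; lg = tolower(goc); lm = tolower(mad) ": "; lo = tolower(moad) ": " }
    {
      e = unfold($0); entries[NR] = e
      n = split(e, l, "\n"); dn = ""; isgroup = 0; m = 0
      for (i = 1; i <= n; i++) {
        low = tolower(l[i])
        if (index(low, "dn:: ") == 1) print "warning: base64 DN skipped: " l[i] > "/dev/stderr"
        else if (index(low, "dn: ") == 1) dn = substr(l[i], 5)
        else if (low == "objectclass: " lg) isgroup = 1
        else if (index(low, lm) == 1) mem[++m] = substr(l[i], length(lm) + 1)
        else if (index(low, lo) == 1) have[NR, ndn(substr(l[i], length(lo) + 1))] = 1
      }
      dns[NR] = ndn(dn)
      # Pass 1: for every member of a group entry, remember the group DN.
      if (isgroup && dn != "")
        for (i = 1; i <= m; i++) grp[ndn(mem[i])] = grp[ndn(mem[i])] SUBSEP dn
    }
    END {
      # Pass 2: re-emit every entry, appending the memberOf values it lacks.
      for (r = 1; r <= NR; r++) {
        e = entries[r]
        if (dns[r] in grp) {
          k = split(substr(grp[dns[r]], 2), g, SUBSEP)
          for (i = 1; i <= k; i++)
            if (!((r, ndn(g[i])) in have)) e = e "\n" moad ": " g[i]
        }
        print e; print ""
      }
    }'
}

# memberof_of LDIF DN: the memberOf values of one entry (to inspect results).
memberof_of() {
  awk -v dn="$2" 'BEGIN { RS = ""; FS = "\n" }
    $1 == ("dn: " dn) { for (i = 2; i <= NF; i++) if (index($i, "memberOf: ") == 1) print substr($i, 11) }' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input from the post: two people, two groups. 0002 already
# carries one memberOf, as in a dump from a consumer with the overlay; the
# last member value is folded over two lines to exercise unfold().
cat > "$WORK/in.ldif" <<'EOF'
dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
employeeNumber: 0001

dn: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
employeeNumber: 0002
memberOf: cn=users1,ou=groups,dc=my-domain,dc=com

dn: cn=users1,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
cn: users1
member: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
member: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: cn=users2,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
cn: users2
member: employeeNumber=0001,ou=humans,
 dc=my-domain,dc=com
EOF

ldif_add_memberof groupOfNames member memberOf < "$WORK/in.ldif" > "$WORK/out.ldif"
echo "memberOf for 0001:"; memberof_of "$WORK/out.ldif" employeeNumber=0001,ou=humans,dc=my-domain,dc=com
echo "memberOf for 0002:"; memberof_of "$WORK/out.ldif" employeeNumber=0002,ou=humans,dc=my-domain,dc=com
```

Run it over the dump before slapadd on the consumer; the overlay then keeps memberOf current for live changes. Because slapcat writes memberOf values out (Marc's follow-up below), a dump taken from a server that already has the overlay passes through unchanged, and running the script a second time adds nothing.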


Content-Based Access Control?

2010-11-26 Thread Frank Rust
Hi all,

would it be possible to configure a content-based access control?
I have following configuration: my ldap contains user data.
Some of the users are local ones and have a regular password entry.
They shall be able to change their password.
Other users are remotely authenticated with saslauthd. 
They shall not be able to change their 'password' which is just a
redirection.

Example:

dn: uid=remoteuser,ou=People,dc=mydomain,dc=de
uid: remoteuser
cn: Adam Example
uidNumber: 9007
gidNumber: 90
sn: Example
userPassword: {SASL}remoteuser

dn: uid=localuser,ou=People,dc=mydomain,dc=de
uid: localuser
cn: Bruce Somename
uidNumber: 1001
gidNumber: 10
sn: Somename
userPassword: {SHA}03de6c570bfe24bfc328ccd7ca46b76eadaf4334

User localuser shall be able to change his password, user remoteuser
not. Can this be done by a fancy ACL entry, rejecting changes to
passwords starting with '{SASL}'?

Thanks in advance,
Frank





memberOF overlay - memberof-memberof-ad

2010-11-26 Thread Marc Patermann

Hi,

I installed the latest OpenLDAP, 2.4.23, with a basic database setup:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/personaddon.schema

loglevel config stats stats2

pidfile /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

modulepath  /usr/lib/openldap/modules
moduleload  memberof.la
moduleload  refint.la

access to dn.base=""
by * read

access to dn.base=cn=Subschema
by * read

access to attrs=userPassword,userPKCS12
by self write
by * auth

access to attrs=shadowLastChange
by self write
by * read

access to *
by * read

database    bdb
suffix  dc=my-domain,dc=com
checkpoint  10245
cachesize   1
rootdn  cn=Manager,dc=my-domain,dc=com
rootpw  secret
directory   /var/lib/ldap
index   objectClass eq
index uid,cn,mail,member,sn,manager eq

Then I included a standard memberof overlay config:

overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-refint true

This works fine (database population below).
After that I configured a second memberof overlay like this:

overlay memberof
memberof-group-oc inetOrgPerson
memberof-member-ad manager
memberof-memberof-ad owner
memberof-refint true
memberof-dangling error

I pointed from one inetOrgPerson object by attribute manager to another, 
where this should be shown as owner. For the latter I created an 
AUXILIARY objectclass to include the owner attribute in the 
inetOrgPerson object. But memberof-memberof-ad does not work - it is 
still memberOf and not owner.


Here is the dump (I removed some attributes like creatersname etc.):

dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: domain
dc: my-domain

dn: ou=humans,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: humans

dn: ou=accounts,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: accounts

dn: uid=fa770001,ou=accounts,dc=my-domain,dc=com
gidNumber: 9000
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uidNumber: 9000
uid: fa770001
homeDirectory: /home/fa770001
cn: Max Mustermann
sn: Mustermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0001
sn: Mustermann
cn: Max Mustermann
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com

dn: ou=groups,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=users1,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: top
cn: users1
member: employeeNumber=0002,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0002
sn: Hermann
cn: Heinz Hermann
memberOf: cn=users1,ou=groups,dc=my-domain,dc=com

dn: uid=fa770002,ou=accounts,dc=my-domain,dc=com
gidNumber: 9001
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uidNumber: 9001
uid: fa770002
homeDirectory: /home/fa770002
sn: Hermann
cn: Heinz Hermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: cn=users2,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: top
cn: users2
member: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

And here is an ldapsearch for employeeNumber=0001, who is a member of 
cn=users2,ou=groups and a manager in uid=fa770001,ou=accounts
and uid=fa770002,ou=accounts - but the two memberof overlays both 
effectively use the default memberof-memberof-ad memberOf attribute.


# 0001, humans, my-domain.com
dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0001
sn: Mustermann
cn: Max Mustermann
structuralObjectClass: inetOrgPerson
entryUUID: ee628de6-8d8c-102f-9f77-3d86f090c509
creatorsName: cn=Manager,dc=my-domain,dc=com
createTimestamp: 20101126094021Z
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com
modifiersName: cn=Manager,dc=my-domain,dc=com
entryCSN: 20101126112349.873160Z#00#000#00
modifyTimestamp: 20101126112349Z
entryDN: 

Re: memberof overlay 2.4.08

2010-11-26 Thread Marc Patermann

Hi again,

Marc Patermann schrieb am 26.11.2010 11:36 Uhr:

> Pierangelo Masarati schrieb am 25.03.2008 18:52 Uhr:
> 
>> LALOT Dominique wrote:
>>> I'm testing memberof overlay and I'd like to get it working properly 
>>> for a database migration
>>> 
>>> My tests showed me that it's working when adding members in groups, 
>>> but for an initial loading, it does not work.
>> 
>> Correct.
> 
> This still seems to be true.
> 
>>> I tested slapadd -q or slapadd without success. Could you tell us,
>>> or write something in the documentation to explain, the right way
>>> for an initial loading.
>> Currently, there is no solution besides writing a script that 
>> populates the memberOf attribute in the LDIF file.
>> 
>>> When we will be in production, I imagine that sometimes, we can get 
>>> out of sync between members and memberof. What can we do in such case.
>> 
>> It should not happen.
> 
> I have a lot of syncrepl consumers. For disaster recovery these are
> repopulated with slapadd and a recent provider dump.
> With overlay memberof this would not work any more, because the memberOf 
> references are lost on this consumer until the member object changes, 
> right?

As I found out, the memberOf attributes are 'slapcat'ed, too. So
a) I have to enable overlay memberof on the master too or
b) I have to take the dump from another slave/consumer to restore.
Right?

This seems manageable.

Sorry for the noise.

Marc


Re: Content-Based Access Control?

2010-11-26 Thread Howard Chu

Frank Rust wrote:

> Hi all,
> 
> would it be possible to configure a content-based access control?


Yes. Read the slapd.access(5) manpage.


> I have following configuration: my ldap contains user data.
> Some of the users are local ones and have a regular password entry.
> They shall be able to change their password.
> Other users are remotely authenticated with saslauthd.
> They shall not be able to change their 'password' which is just a
> redirection.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: How to set Multiple base dn

2010-11-26 Thread Hallvard B Furuseth
Please keep replies on the list.  Then others can help when I'm not
around.

Laurent gobalraja writes:
> In fact I need a complete split of the bases.  The reason is that I need
> duplication of cn in both domains and that is not possible in a single base
> as the CN must be unique.

I think you mean dc instead of cn here, but I don't think that's
what you're supposed to mean:-)  Maybe you mean the part of the DN
below the database suffix must include the fully qualified domain name,
like this?

Domain here.org in database foo and there.org in database bar:
   database bdb
   suffix   o=foo

   database bdb
   suffix   o=bar
Object names:
   o=foo
     dc=org,o=foo
       dc=here,dc=org,o=foo
   o=bar
     dc=org,o=bar
       dc=there,dc=org,o=bar
or
   o=foo
     associatedDomain=here.org,o=foo
   o=bar
     associatedDomain=there.org,o=bar

'o' is short for organization name.  associatedDomain, unlike dc, is
for full domain names.  For 'o' you need the organization object class,
for associatedDomain you need domainRelatedObject from cosine.schema.

Anyway, you don't need to use 'dc' if that does not suit you.  Look for
attributes and object classes that describe the actual structure of your
intended directory tree.  Though note that 'ou' (organizational unit)
is often abused for container objects like ou=people.

>> Or write slapd.conf first according to the Admin Guide and then use
>>   sbin/slaptest -f <slapd.conf filename> -F <slapd.d directory>
>> to convert to cn=config format.
> 
> Is it safe to make successive updates of slapd.conf and then convert to the
> slapd.d directory directly without removing it each time ?

That's not supposed to work.  Maybe you should just stay with slapd.conf
instead?  Or find some tool to help edit cn=config - there are supposed
to be several, but I'm not up to date on that.

-- 
Hallvard