Re: can't use godaddy SSL cert
On Thursday, 25 November 2010 17:26:56 bluethundr wrote:
> [r...@lbsd2:/usr/home/bluethundr]#grep -i tls /usr/local/etc/openldap/slapd.conf
> ## TLS options for slapd
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCertificateFile /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
> TLSCertificateKeyFile /usr/local/etc/openldap/cacerts/slapd.pem
> TLSCACertificateFile /usr/local/etc/openldap/cacerts/sf_issuing.crt
>
> I have tried each of the following certs with no luck in getting my cert to talk to its CA:
>
> -rw-r--r-- 1 root bluethundr 2604 Nov 25 11:37 ca_bundle.crt
> -r--r- 1 root ldap 4604 Nov 24 18:57 gd_bundle.crt
> -r--r- 1 root ldap 1537 Nov 25 02:00 sf_issuing.crt
>
> and I get the same result for each when I attempt to connect to SSL on the LDAP server:
>
> [r...@lcent01:/tmp/Foswiki-1.1.2]#openssl s_client -connect ldap.example.com:389 -showcerts -CAfile sf_issuing.crt

I doubt your hostname is ldap.example.com, it looks like it is LBSD2.summitnjhome.com. Since hostname = certificate subjectCN is important, you may prefer to provide *accurate* information while asking for help ...

> 13730:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('sf_issuing.crt','r')

Please read the error message above carefully. Your working directory of /tmp/Foswiki-1.1.2 most likely doesn't contain your certificate sf_issuing.crt.

Maybe you should try:

openssl s_client -connect LBSD2.summitnjhome.com:636 -showcerts -CAfile /usr/local/etc/openldap/cacerts/sf_issuing.crt

(note, I don't think s_client can test LDAP+start_tls, only ldaps ... so this test assumes you have slapd started with a -h option that includes ldaps:///)

> 13730:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
> 13730:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:279:
> CONNECTED(0003)
> 13730:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> ldapsearch -h ldap.example.com -d -1 -ZZ dc=example,dc=com

ldapsearch doesn't read slapd.conf, did you supply the correct TLS_CACERT value in /usr/local/etc/openldap/ldap.conf ?

Of course, you should use the hostname for which the cert is issued, or the next failure will be due to hostname/certificate subject mismatch. Please see 'man ldap.conf'

> TLS certificate verification: depth: 0, err: 20, subject: /O=LBSD2.summitnjhome.com/OU=Domain Control Validated/CN=LBSD2.summitnjhome.com, issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> TLS certificate verification: Error, unable to get local issuer certificate
> tls_write: want=7, written=7
> : 15 03 01 00 02 02 30 ..0
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> It seems to indicate that it can't talk to its CA...

No, seems it doesn't know where to look for the CA certificate ...

> does anyone have any suggestions on how to make this work?

echo TLS_CACERT /usr/local/etc/openldap/cacerts/sf_issuing.crt >> /usr/local/etc/openldap/ldap.conf ?

Regards,
Buchan
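An added illustration (not the poster's files and not Buchan's) of the two configurations this reply keeps apart: slapd.conf, read by slapd, and ldap.conf, read by ldapsearch. Paths and hostname are the ones quoted above; the cipher line is changed from the quoted one, and the remark about what sf_issuing.crt contains is an assumption to verify against the file.

```conf
# slapd.conf (server side). Comments must be on their own line in slapd.conf.
# The quoted "HIGH:MEDIUM:+SSLv2" re-enables SSLv2 ciphers; exclude them instead.
TLSCipherSuite          HIGH:!SSLv2:!aNULL
TLSCertificateFile      /usr/local/etc/openldap/cacerts/LBSD2.summitnjhome.com.crt
TLSCertificateKeyFile   /usr/local/etc/openldap/cacerts/slapd.pem
# The issuing (intermediate) CA, so slapd sends the chain and not just the leaf.
TLSCACertificateFile    /usr/local/etc/openldap/cacerts/sf_issuing.crt

# ldap.conf (client side). This, not slapd.conf, is what "ldapsearch -ZZ" reads.
# The hostname must match the certificate CN (LBSD2.summitnjhome.com), not ldap.example.com.
URI         ldap://LBSD2.summitnjhome.com/
# OpenSSL must be able to build a chain up to a self-signed root it holds: if
# sf_issuing.crt is only the intermediate, point this at a bundle that also has the root.
TLS_CACERT  /usr/local/etc/openldap/cacerts/sf_issuing.crt
# "demand" is the default; spelled out so nobody silences err 20 with "allow" or "never".
TLS_REQCERT demand
```

With this in place, "TLS certificate verification: Error, unable to get local issuer certificate" is the check to watch for in "ldapsearch -d -1 -ZZ" output; it should disappear once TLS_CACERT names a file the chain actually terminates in.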
Setting up primary/secondary LDAP servers with TLS/SSL enabled
Hello,

I am using a primary/secondary LDAP servers configuration, it works quite normally. I need to make LDAP authentication secure. I.e., I need both LDAP servers to provide LDAP over SSL/TLS, so that both primary and secondary LDAP servers can be used (mentioned in ldap.conf). I have to use self-signed SSL certificates, since the servers are located in an intranet, they have no 'real' domain names.

The problem is I can't figure out how to specify ldap.conf SSL parameters so that they could
- verify LDAP server certificate
- be used with both primary and secondary LDAP servers

Also, I'd prefer to use TLS - how do I run slapd so that it provides a TLS-aware connection on the standard port? Is it possible to set up slapd so that TLS is optional (for testing/transition purposes)?

I would greatly appreciate references to the relevant docs on these.

Thank you.

Sincerely,
Konstantin
Re: Problem when trying to authenticate squid with openldap server
On Wednesday, 24 November 2010 12:59:05 Bruno Lamps wrote:
[snip irrelevant information]
> auth_param basic program /usr/lib/squid/squid_ldap_auth -D cn=admin,dc=pisolar -w mypassword -b ou=usuarios,dc=pisolar -h 192.168.1.7 -v 3

Note that without a filter (-f option), this does DN construction, which may not be what you want ...

> cn=admin,dc=pisolar = my root user.
> ou=usuarios,dc=pisolar = the OU where my users are stored.

Please provide the exact DN of the user for which you are testing.

> I opened slapd in debug mode (slapd -d 255) in my openldap debian-powered VM, and this is the text shown when I try to authenticate in my browser:

I assume you tried to log in with username 'lamps'

> = acl_mask: access to entry uid=lamps,ou=usuarios,dc=pisolar, attr userPassword requested
> = acl_mask: to value by , (=0)
> = check a_dn_pat: cn=admin,dc=pisolar
> = check a_dn_pat: anonymous
> = acl_mask: [2] applying none(=0) (stop)
> = acl_mask: [2] mask: none(=0)
> = slap_access_allowed: auth access denied by none(=0)
> = access_allowed: no more rules
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_result: err=49 matched= text=
> send_ldap_response: msgid=1 tag=97 err=49

It seems your ACLs are not sufficient for *any* simple binds to this DN. Please test the following on your LDAP server:

$ ldapwhoami -x -D uid=lamps,ou=usuarios,dc=pisolar -W

Until this command works, please don't bother with anything related to squid.

> I tried to set a lot of different config syntaxes at squid.conf, but it always comes to the same kind of problem at slapd debug: After reading the user CN and his password, slapd fails to read something else (ldap_read: want=8 error=Resource temporarily unavailable) and then it doesn't authenticate. What am I doing wrong? Is there any problem with my openldap server?

Did you ever test simple binds to your LDAP server as these users except from squid? It doesn't seem like it ...

Regards,
Buchan
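An added illustration of the ACL shape that lets the ldapwhoami test above succeed; it is not the poster's slapd.conf (which is not shown), only the suffix dc=pisolar and the IP are taken from the thread. The debug output ends in "auth access denied by none(=0)", and a simple bind is performed by a still-anonymous connection, so userPassword needs "auth" access for anonymous before any catch-all rule.

```conf
# The first "access to" whose target matches wins, so the userPassword rule
# must come before "access to *". Comments must be on their own line.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by users read
        by anonymous auth

# Verify from the server before touching squid.conf, as Buchan suggests:
#   ldapwhoami -x -H ldap://192.168.1.7/ -D uid=lamps,ou=usuarios,dc=pisolar -W
# A successful bind prints the bound DN; err=49 with "applying none" means the
# userPassword rule is still not the first one matching.
```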
Re: memberof overlay 2.4.08
Hi,

Pierangelo Masarati wrote on 25.03.2008 18:52:
> LALOT Dominique wrote:
>> I'm testing memberof overlay and I'd like to get it working properly for a database migration
>> My tests showed me that it's working when adding members in groups, but for an initial loading, it does not work.
> Correct.

This still seems to be true. I tested slapadd -q or slapadd without success.

>> Could you tell us, or write something in the documentation to explain, the right way for an initial loading.
> Currently, there is no solution besides writing a script that populates the memberOf attribute in the LDIF file.

>> When we will be in production, I imagine that sometimes, we can get out of sync between members and memberof. What can we do in such case.
> It should not happen.

I have a lot of syncrepl consumers. For disaster recovery these are repopulated with slapadd and a recent provider dump. With overlay memberof this would not work any more, because the memberOf references are lost on this consumer until the member object changes, right?

> The overlay should be reworked in order to have some means to repair its connectivity. This is known but not hardly worked at. You could open an ITS requesting this as an enhancement (or a bug fix, it's a matter of taste).

Is there any yet or do I have to do it?

Marc
Content-Based Access Control?
Hi all,

would it be possible to configure a content-based access control? I have the following configuration: my ldap contains user data. Some of the users are local ones and have a regular password entry. They shall be able to change their password. Other users are remotely authenticated with saslauthd. They shall not be able to change their 'password' which is just a redirection.

Example:

dn: uid=remoteuser,ou=People,dc=mydomain,dc=de
uid: remoteuser
cn: Adam Example
uidNumber: 9007
gidNumber: 90
sn: Example
userPassword: {SASL}remoteuser

dn: uid=localuser,ou=People,dc=mydomain,dc=de
uid: localuser
cn: Bruce Somename
uidNumber: 1001
gidNumber: 10
sn: Somename
userPassword: {SHA}03de6c570bfe24bfc328ccd7ca46b76eadaf4334

User localuser shall be able to change his password, user remoteuser not. Can this be done by a fancy ACL entry, rejecting changes to passwords starting with '{SASL}'?

Thanks in advance,
Frank
memberOF overlay - memberof-memberof-ad
Hi,

I installed the latest openldap, 2.4.23, with a basic database setup:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/personaddon.schema

loglevel config stats stats2
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

modulepath /usr/lib/openldap/modules
moduleload memberof.la
moduleload refint.la

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword,userPKCS12
    by self write
    by * auth
access to attrs=shadowLastChange
    by self write
    by * read
access to *
    by * read

database bdb
suffix dc=my-domain,dc=com
checkpoint 10245
cachesize 1
rootdn cn=Manager,dc=my-domain,dc=com
rootpw secret
directory /var/lib/ldap
index objectClass eq
index uid,cn,mail,member,sn,manager eq

Then I included a standard memberof overlay config:

overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-refint true

This works fine (database population below). After that I configured a second memberof overlay like this:

overlay memberof
memberof-group-oc inetOrgPerson
memberof-member-ad manager
memberof-memberof-ad owner
memberof-refint true
memberof-dangling error

I pointed from one inetOrgPerson object by attribute manager to another, where this should be shown as owner. For the latter I created an AUXILIARY objectclass to include the owner attribute in the inetOrgPerson object. But memberof-memberof-ad does not work - it is still memberOf and not owner.

Here is the dump (I removed some attributes like creatorsname etc.):

dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: domain
dc: my-domain

dn: ou=humans,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: humans

dn: ou=accounts,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: accounts

dn: uid=fa770001,ou=accounts,dc=my-domain,dc=com
gidNumber: 9000
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uidNumber: 9000
uid: fa770001
homeDirectory: /home/fa770001
cn: Max Mustermann
sn: Mustermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0001
sn: Mustermann
cn: Max Mustermann
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com

dn: ou=groups,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=users1,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: top
cn: users1
member: employeeNumber=0002,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0002
sn: Hermann
cn: Heinz Hermann
memberOf: cn=users1,ou=groups,dc=my-domain,dc=com

dn: uid=fa770002,ou=accounts,dc=my-domain,dc=com
gidNumber: 9001
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
uidNumber: 9001
uid: fa770002
homeDirectory: /home/fa770002
sn: Hermann
cn: Heinz Hermann
manager: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

dn: cn=users2,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
objectClass: top
cn: users2
member: employeeNumber=0001,ou=humans,dc=my-domain,dc=com

And here is an ldapsearch for employeeNumber=0001, who is a member of cn=users2,ou=groups and a manager in uid=fa770001,ou=accounts and uid=fa770002,ou=accounts - but the two memberof overlays both effectively use the default memberof-memberof-ad memberOf attribute.

# 0001, humans, my-domain.com
dn: employeeNumber=0001,ou=humans,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: personAddon
employeeNumber: 0001
sn: Mustermann
cn: Max Mustermann
structuralObjectClass: inetOrgPerson
entryUUID: ee628de6-8d8c-102f-9f77-3d86f090c509
creatorsName: cn=Manager,dc=my-domain,dc=com
createTimestamp: 20101126094021Z
memberOf: cn=users2,ou=groups,dc=my-domain,dc=com
memberOf: uid=fa770002,ou=accounts,dc=my-domain,dc=com
memberOf: uid=fa770001,ou=accounts,dc=my-domain,dc=com
modifiersName: cn=Manager,dc=my-domain,dc=com
entryCSN: 20101126112349.873160Z#00#000#00
modifyTimestamp: 20101126112349Z
entryDN:
Re: memberof overlay 2.4.08
Hi again,

Marc Patermann wrote on 26.11.2010 11:36:
> Pierangelo Masarati wrote on 25.03.2008 18:52:
>> LALOT Dominique wrote:
>>> I'm testing memberof overlay and I'd like to get it working properly for a database migration
>>> My tests showed me that it's working when adding members in groups, but for an initial loading, it does not work.
>> Correct.
> This still seems to be true. I tested slapadd -q or slapadd without success.
>>> Could you tell us, or write something in the documentation to explain, the right way for an initial loading.
>> Currently, there is no solution besides writing a script that populates the memberOf attribute in the LDIF file.
>>> When we will be in production, I imagine that sometimes, we can get out of sync between members and memberof. What can we do in such case.
>> It should not happen.
> I have a lot of syncrepl consumers. For disaster recovery these are repopulated with slapadd and a recent provider dump. With overlay memberof this would not work any more, because the memberOf references are lost on this consumer until the member object changes, right?

As I found out, the memberOf attributes are 'slapcat'ed, too. So a) I have to enable overlay memberof on the master too or b) I have to take the dump from another slave/consumer to restore. Right? This seems manageable.

Sorry for the noise.

Marc
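The "script that populates the memberOf attribute in the LDIF file" that Pierangelo describes as the only way to seed memberOf before slapadd, written here as an added example (not OpenLDAP's code, not anything posted in either thread). It takes the group object class, the member attribute and the memberOf attribute as parameters, so it goes beyond the groupOfNames/member/memberOf case: the manager-to-owner mapping of the second overlay instance in the thread above is the same pass with different names. It is idempotent, which matters for Marc's case of dumps that already carry slapcat'ed memberOf values, and it reports dangling members like memberof-dangling would. The sample LDIF is constructed.

```python
# Constructed sample (not the poster's data): group, person, account managed by the person, dangling member.
SAMPLE_LDIF = """\
dn: cn=users1,ou=groups,dc=my-domain,dc=com
objectClass: groupOfNames
member: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
member: uid=nobody,ou=humans,dc=my-domain,dc=com

dn: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
objectClass: person

dn: uid=fa770002,ou=accounts,dc=my-domain,dc=com
objectClass: inetOrgPerson
manager: employeeNumber=0002,ou=humans,dc=my-domain,dc=com
"""

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; unfolds lines, skips comments; no base64 ('::') support."""
    entries, attrs = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):                        # folded continuation of the last value
            attrs[-1] = (attrs[-1][0], attrs[-1][1] + raw[1:])
        elif not raw:                                  # blank line ends a record; first line is dn
            if attrs:
                entries.append((attrs[0][1], attrs[1:]))
            attrs = []
        elif not raw.startswith("#"):
            name, _, value = raw.partition(":")
            attrs.append((name, value.strip()))
    return entries

def norm_dn(dn):                                       # cheap lookup key: case-fold, drop spaces after commas
    return ",".join(p.strip() for p in dn.split(",")).lower()

def add_memberof(entries, group_oc="groupOfNames", member_attr="member", memberof_attr="memberOf"):
    """Add back-references in place; return dangling member DNs. Idempotent (slapcat'ed values kept once)."""
    by_dn = {norm_dn(dn): attrs for dn, attrs in entries}
    dangling = []
    for dn, attrs in entries:
        if group_oc.lower() not in {v.lower() for a, v in attrs if a.lower() == "objectclass"}:
            continue
        for member in [v for a, v in attrs if a.lower() == member_attr.lower()]:
            target = by_dn.get(norm_dn(member))
            if target is None:
                dangling.append(member)                # what memberof-dangling would report
            elif norm_dn(dn) not in {norm_dn(v) for a, v in target if a.lower() == memberof_attr.lower()}:
                target.append((memberof_attr, dn))
    return dangling

def to_ldif(entries):                                  # serialise for slapadd; values written as-is
    return "\n\n".join("dn: %s\n" % dn + "\n".join("%s: %s" % a for a in attrs) for dn, attrs in entries) + "\n"
```

Run it over the provider dump before slapadd on a consumer, once per overlay instance (e.g. add_memberof(entries) and then add_memberof(entries, "inetOrgPerson", "manager", "owner")), and review the returned dangling DNs rather than loading them silently.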
Re: Content-Based Access Control?
Frank Rust wrote:
> Hi all,
> would it be possible to configure a content-based access control?

Yes. Read the slapd.access(5) manpage.

> I have the following configuration: my ldap contains user data. Some of the users are local ones and have a regular password entry. They shall be able to change their password. Other users are remotely authenticated with saslauthd. They shall not be able to change their 'password' which is just a redirection.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
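An added illustration of the content-based selection slapd.access(5) offers for Frank's case; it is not from Howard's reply or Frank's configuration, and the objectClass name remoteAuthUser is hypothetical. slapd.access(5) selects targets by dn, filter, attrs and val. Keying directly on the password value, e.g. filter=(userPassword={SASL}*), cannot be evaluated because userPassword has no substring matching rule in the core schema, so the entries of remotely authenticated users are marked with an auxiliary objectClass and the ACL keys on that instead.

```conf
# Remote users (entries carrying objectClass remoteAuthUser, a hypothetical class
# added to those entries) may bind via their {SASL} value but never write it;
# only the rootdn, which bypasses ACLs, can change the redirection.
access to filter=(objectClass=remoteAuthUser) attrs=userPassword
        by * auth

# Local users keep the usual policy: change their own hashed password, bind otherwise.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Order matters: the filter rule must come first, otherwise "by self write"
# in the general rule would match remote users too. Test both outcomes with
# ldappasswd -x -D uid=localuser,ou=People,dc=mydomain,dc=de -W -S   (must succeed)
# ldappasswd -x -D uid=remoteuser,ou=People,dc=mydomain,dc=de -W -S  (must be refused)
```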
Re: How to set Multiple base dn
Please keep replies on the list. Then others can help when I'm not around.

Laurent gobalraja writes:
> In fact i need a complete split of the bases. The reason is that i need duplication of cn in both domain and that is not possible in a single base as the CN must be unique.

I think you mean dc instead of cn here, but I don't think that's what you're supposed to mean:-) Maybe you mean the part of the DN below the database suffix must include the fully qualified domain name, like this? Domain here.org in database foo and there.org in database bar:

database bdb
suffix o=foo
database bdb
suffix o=bar

Object names:

o=foo
dc=org,o=foo
dc=here,dc=org,o=foo
o=bar
dc=org,o=foo
dc=there,dc=org,o=bar

or

o=foo
associatedDomain=here.org,o=foo
o=bar
associatedDomain=there.org,o=bar

'o' is short for organization name. associatedDomain, unlike dc, is for full domain names. For 'o' you need the organization object class, for associatedDomain you need domainRelatedObject from cosine.schema.

Anyway, you don't need to use 'dc' if that does not suit you. Look for attributes and object classes that describe the actual structure of your intended directory tree. Though note that 'ou' (organizational unit) is often abused for container objects like ou=people.

>> Or write slapd.conf first according to the Admin Guide and then use sbin/slaptest -f <slapd.conf filename> -F <slapd.d directory> to convert to cn=config format.
> Is it safe to make successive updates of slapd.conf and then convert to the slapd.d directory directly without removing it each time ?

That's not supposed to work. Maybe you should just stay with slapd.conf instead? Or find some tool to help edit cn=config - there are supposed to be several, but I'm not up to date on that.

--
Hallvard