ldapdelete: Invalid DN on an Accesslog generated DN

2018-05-16 Thread Giuseppe Civitella
Hi all,

While doing some tests to enable accesslog in my directory, I did enable the 
overlay and then disabled it because of login problems.
Once I had restored the directory, I found a few entries like this:

dn: reqStart=20180509102412.00Z,BASEDN
objectClass: auditModify
structuralObjectClass: auditModify
REQSTART: 20180509102412.00Z
REQEND: 20180509102412.01Z
REQTYPE: modify
REQSESSION: 1679
REQAUTHZID: cn=admin,BASEDN
REQDN: cn=gcivitella,ou=users,BASEDN
REQRESULT: 0
REQMOD: description:= description utente gcivitella (update check accesslog)
REQMOD: entryCSN:= 20180509102412.246481Z#00#000#00
REQMOD: modifiersName:= cn=admin,BASEDN
REQMOD: modifyTimestamp:= 20180509102412Z
REQENTRYUUID: 53620528-9276-1037-8c51-e5b01d96303b
entryUUID: dc744658-e7be-1037-9c6f-71aa77ba1fb3
creatorsName: cn=admin,BASEDN
createTimestamp: 20180509102412Z
entryCSN: 20180509102412.246481Z#00#000#00
modifiersName: cn=admin,BASEDN
modifyTimestamp: 20180509102412Z

Now I'm unable to delete them. I get an "invalid DN" error:

ldapdelete -D "cn=admin,BASEDN" -W -H ldap://127.0.0.1 -v 
"reqStart=20180509102412.00Z,BASEDN"

ldap_initialize( ldap://127.0.0.1:389/??base )
Enter LDAP Password: 
deleting entry "reqStart=20180509102412.00Z,BASEDN"
ldap_delete: Invalid DN syntax (34)
additional info: invalid DN

Is there a way to force the deletion or temporarily disable the schema check?

Best regards,
Giuseppe


How to present the memberOf attribute in a syncrepl setup?

2018-05-16 Thread Robert Minsk
/-----------------------------------\
| master1 <- mirror repl -> master2 |
\-----------------------------------/
     ^         ^               ^
     |         |               |
 syncrepl  syncrepl        syncrepl
     |         |               |
 /-------\ /-------\       /-------\
 |cache01| |cache02|  ...  |cache n|
 \-------/ \-------/       \-------/
The master servers are using mirror replication and are behind a load balancer 
setup for active/passive failover.  All writes go to the active master where 
the "member" attribute is maintained for the groups.  The cache servers get 
their data from the master servers using syncrepl replication.  All the end 
clients connect to the cache servers.

I need to be able to present the memberOf attribute on users on the cache 
servers.  The man page for slapo-memberof states that it is not compatible with 
syncrepl.  Because of this the cache servers are using slapo-dynlist to create 
the memberOf attribute.  The problem is since I am using a dynamic list I can 
not search using the memberOf attribute only query its value.  I need to be 
able to search by the memberOf attribute.

What is the recommended way to generate the memberOf attribute?  Should I modify 
the schema for a user and somehow maintain the memberOf attribute on the 
masters?  I am a bit worried about this since, looking at the slapo-memberOf 
source, the memberOf attribute is flagged as a DSAOperation.



About Openldap's functional testing

2018-05-16 Thread 郦旺
To whom it may concern,

I am a student who is interested in software reliability. After reading the 
Administrator's Guide, I only found the tests like “make test” to test the 
build before installation.

For the reason that I need to do some experiments, I wonder if there are some 
official functional tests against an existing installation of OpenLDAP.

Thanks,

Wang

OpenLDAP, MySQL and MemberOf

2018-05-16 Thread Arianna Milazzo
Hello!
I installed OpenLDAP with MySQL.
Now I don't know how to use "memberOf".

In my slapd.conf I added:

overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf

But in the database?
I tried to add member and memberon in ldap_attr_mappings...

How can I do this?

Thank you,
Aria


SASL pass-through and changing passwords

2018-05-16 Thread linux nuse

Hi,

There was a similar topic 5 years ago, but the problem wasn't completely solved.
I've set `olcPasswordHash` to `{SASL}`, so ldappasswd is no longer smashing the 
`userPassword` attribute.

I get the same error which Tim Watts encountered 5 years ago.
https://www.openldap.org/lists/openldap-technical/201302/msg00190.html
namely, ldappasswd says:

Result: Other (e.g., implementation specific) error (80)
Additional info: scheme provided no hash function


Tim wrote:
> However, the kerberos principal does get updated - and userPassword is left alone.


In my case I just get the error and the kerberos password is NOT updated.


Also, 9 years ago it was asked 
(https://www.openldap.org/lists/openldap-software/200909/msg00010.html):

> saslpasswd2 calls sasl_setpass(), and a look at OpenLDAP sources
> shows that passwd_extop()/slap_sasl_setpass() does the same. That
> suggests it is possible to have slapd doing the thing, but how does
> it work? In passwd_extop(), slap_sasl_setpass() will only be
> called if op->o_bd is NULL. In what situation does it happen?


But the question is not answered.

Does anyone remember how passwd_extop() works and how to get into
the if-statement block with call to slap_sasl_setpass()?



Re: OTP or 2FA for Manager Account?

2018-05-16 Thread Dieter Klünter
On Wed, 16 May 2018 08:24:06 -0400, Dave Macias wrote:

> I too have been wondering about TOTP with openldap but always found
> it hard to find documentation on it. Any chance to have this
> documented? Don't see it on the site
[...]

I have written an article on TOTP
https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.html

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: OTP or 2FA for Manager Account?

2018-05-16 Thread Michael Ströder
Dave Macias wrote:
> I too have been wondering about TOTP with openldap but always found it
> hard to find documentation on it. Any chance to have this documented?
> Don't see it on the site

Which of the three solutions / sites do you mean?

Ciao, Michael.

> On Wed, May 16, 2018 at 7:23 AM Peter wrote:
> 
> Hi Michael,
> 
> Thanks for this summary, to which I can only add the english page of
> the
> Russian activity:
> 
> http://cargosoft.ru/en/rm/118/119
> 
> Cheers,
> 
> Peter
> 
> 
> 
> On 15.05.2018 at 19:06, Michael Ströder wrote:
> > Douglas Duckworth wrote:
> >> Does OpenLDAP support use of one time passwords or 2FA for the
> Manager
> >> account?
> >
> > There are several solutions:
> >
> > 1. contrib/slapd-modules/passwd/totp/
> > A proof of concept overlay which AFAICS replaces checking a normal
> > password by checking a generated TOTP value. So not really 2FA.
> >
> > 2. OATH HOTP LDAP Plugin by cargosoft.ru 
> > Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
> > I never checked this myself anyway and therefore can't comment.
> >
> > 3. OATH-LDAP
> > Most flexible solution but hard to setup, especially since not fully
> > documented yet. It's currently directly integrated into Æ-DIR but
> > could be used stand-alone. Being the author I'm biased of course.
> >
> > Ciao, Michael.



Re: OTP or 2FA for Manager Account?

2018-05-16 Thread Dave Macias
I too have been wondering about TOTP with openldap but always found it hard
to find documentation on it. Any chance to have this documented? Don't see
it on the site

Regards,
dave

On Wed, May 16, 2018 at 7:23 AM Peter wrote:

> Hi Michael,
>
> Thanks for this summary, to which I can only add the english page of the
> Russian activity:
>
> http://cargosoft.ru/en/rm/118/119
>
> Cheers,
>
> Peter
>
>
>
> On 15.05.2018 at 19:06, Michael Ströder wrote:
> > Douglas Duckworth wrote:
> >> Does OpenLDAP support use of one time passwords or 2FA for the Manager
> >> account?
> >
> > There are several solutions:
> >
> > 1. contrib/slapd-modules/passwd/totp/
> > A proof of concept overlay which AFAICS replaces checking a normal
> > password by checking a generated TOTP value. So not really 2FA.
> >
> > 2. OATH HOTP LDAP Plugin by cargosoft.ru
> > Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
> > I never checked this myself anyway and therefore can't comment.
> >
> > 3. OATH-LDAP
> > Most flexible solution but hard to setup, especially since not fully
> > documented yet. It's currently directly integrated into Æ-DIR but
> > could be used stand-alone. Being the author I'm biased of course.
> >
> > Ciao, Michael.
> >
>
> --
> ___
>
> Peter Gietz (CEO)
> DAASI International GmbH   phone: +49 7071 407109-0
> Europaplatz 3  Fax:   +49 7071 407109-9
> D-72072 Tübingen   mail:  peter.gi...@daasi.de
> GermanyWeb:   www.daasi.de
>
> DAASI International GmbH, Tübingen
> Managing Director Peter Gietz, Stuttgart District Court HRB 382175
>
> Directory Applications for Advanced Security and Information Management
> ___
>
>
>


Re: OTP or 2FA for Manager Account?

2018-05-16 Thread Peter

Hi Michael,

Thanks for this summary, to which I can only add the english page of the 
Russian activity:


http://cargosoft.ru/en/rm/118/119

Cheers,

Peter



On 15.05.2018 at 19:06, Michael Ströder wrote:
> Douglas Duckworth wrote:
>> Does OpenLDAP support use of one time passwords or 2FA for the Manager
>> account?
>
> There are several solutions:
>
> 1. contrib/slapd-modules/passwd/totp/
> A proof of concept overlay which AFAICS replaces checking a normal 
> password by checking a generated TOTP value. So not really 2FA.
>
> 2. OATH HOTP LDAP Plugin by cargosoft.ru
> Sorry, I only found a Russian site: http://cargosoft.ru/ru/rm/113/115
> I never checked this myself anyway and therefore can't comment.
>
> 3. OATH-LDAP
> Most flexible solution but hard to setup, especially since not fully 
> documented yet. It's currently directly integrated into Æ-DIR but 
> could be used stand-alone. Being the author I'm biased of course.
>
> Ciao, Michael.



--
___

Peter Gietz (CEO)
DAASI International GmbH   phone: +49 7071 407109-0
Europaplatz 3  Fax:   +49 7071 407109-9
D-72072 Tübingen   mail:  peter.gi...@daasi.de
GermanyWeb:   www.daasi.de

DAASI International GmbH, Tübingen
Managing Director Peter Gietz, Stuttgart District Court HRB 382175

Directory Applications for Advanced Security and Information Management
___