Re: unable to add DB DIT , getting value #0 invalid per syntax error in alpine Linux.

2021-06-06 Thread Quanah Gibson-Mount




--On Sunday, June 6, 2021 12:19 PM + govid   
wrote:

> and then if I execute "ldapadd -x -D 'cn=config' -w secret -f
> create_sns_db.ldif" it works fine without any errors.  Not sure why, if the
> same lines are present in the slapd.conf, the backend db modules are not
> initialized.


One either uses slapd.conf OR cn=config.

You clearly need to add an additional moduleload for the syncprov module to 
your cn=config configuration.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



Re: pw-totp

2021-06-06 Thread Stefan Kania
Hi Quanah,

On 05.06.21 at 22:11 Quanah Gibson-Mount wrote:
> 
> 
> --On Saturday, June 5, 2021 4:27 PM +0200 Stefan Kania
>  wrote:
> 
>> Hello,
>>
>> I try to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
>> with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
>> everything via Ansible. My configure-options are:
>>
>>
>> root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
>> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
>>  scheme not available ({TOTP1})
>> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
>>  no valid hashes found
>> Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing
>> cn=config:  no valid hashes found
> 
> Hm, I've only ever used the OTP module that ships as a core part of
> OpenLDAP 2.5:
> 
> 
> 
> 
> Personally I'd combine that with ARGON2 password hashes for secure
> password hash storage + 2 Factor auth.
> 
I have not tried this one yet, I will give it a try next week.

Stefan
> Regards,
> Quanah
> 
> 
> 
> -- 
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your privacy. You can
obtain a free certificate at
https://www.dgn.de/dgncert/index.html


Re: pw-totp

2021-06-06 Thread Stefan Kania
Hello Dieter,
I think I read everything I could find, also your posting :-). The only
thing I did not set is "security ssf=1", but I think that has nothing
to do with my error message.
What I don't understand is why I can set the option olcPasswordHash
without an error, but as soon as I try to do anything or restart slapd,
slapd crashes.


On 06.06.21 at 11:01 Dieter Klünter wrote:
> On Sat, 5 Jun 2021 15:27:40 +0200
> Stefan Kania wrote:
> 
>> Hello,
>>
>> I try to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
>> with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
>> everything via Ansible. My configure-options are:
>> -
>> ./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
>> --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
>> --enable-modules --enable-dynamic --enable-syslog --enable-debug
>> --enable-local --enable-spasswd --disable-sql
>> --prefix=/opt/openldap-current
>> -
>>
>> In addition I build:
>> 
>> /opt/openldap-current/contrib/slapd-modules/passwd/sha2
>> /opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
>> /opt/openldap-current/contrib/slapd-modules/passwd/totp/
>> 
>>
>> "make test" is running without any error.
>>
>> The setup is running without any error, here my cn=config:
>> 
>> dn: cn=config
>> objectClass: olcGlobal
>> cn: config
>> olcArgsFile: /opt/openldap-current/var/run/slapd.args
>> olcLogLevel: sync
>> olcLogLevel: stats
>> olcLogLevel: stats
>> olcPidFile: /opt/openldap-current/var/run/slapd.pid
>> olcToolThreads: 1
>> olcTLSCertificateFile:
>> /opt/openldap-current/etc/my_certificates/ldap25-p01-ce
>>  rt.pem
>> olcTLSCertificateKeyFile:
>> /opt/openldap-current/etc/my_certificates/ldap25-p01
>>  -key.pem
>> olcTLSCACertificateFile:
>> /opt/openldap-current/etc/my_certificates/cacert.pem
>> olcPasswordHash: {TOTP1}
>>
>> dn: cn=module{0},cn=config
>> objectClass: olcModuleList
>> cn: module{0}
>> olcModulePath:
>> /opt/openldap-current/libexec/openldap:/usr/local/libexec/openl
>>  dap
>> olcModuleLoad: {0}back_mdb
>> olcModuleLoad: {1}back_monitor
>> olcModuleLoad: {2}pw-totp.la
>> olcModuleLoad: {3}autoca.la
>>
>> ... schema
>>
>> dn: olcBackend={0}mdb,cn=config
>> objectClass: olcBackendConfig
>> olcBackend: {0}mdb
>>
>> dn: olcDatabase={-1}frontend,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcFrontendConfig
>> olcDatabase: {-1}frontend
>> olcAccess: {0}to *  by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
>>  l,cn=auth manage  by
>> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=ex
>>  ternal,cn=auth manage  by * break
>> olcAccess: {1}to dn=""  by * read
>> olcAccess: {2}to dn.base="cn=subschema"  by * read
>> olcSizeLimit: 500
>>
>>
>> dn: olcDatabase={0}config,cn=config
>> objectClass: olcDatabaseConfig
>> olcDatabase: {0}config
>> olcAccess: {0}to *  by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
>>  l,cn=auth manage  by
>> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=ex
>>  ternal,cn=auth manage  by
>> dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net
>>  write  by * break
>> olcRootDN: cn=admin,cn=config
>> olcRootPW:
>>
>>
>> dn: olcDatabase={1}monitor,cn=config
>> objectClass: olcDatabaseConfig
>> olcDatabase: {1}monitor
>> olcAccess: {0}to dn.subtree="cn=monitor" by
>> dn.exact=cn=admin,cn=config read
>>   by dn.exact=cn=admin,dc=example,dc=net read
>>
>> dn: olcDatabase={2}mdb,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcmdbConfig
>> olcDatabase: {2}mdb
>> olcDbDirectory: /opt/openldap-current/var/lib/ldap
>> olcSuffix: dc=example,dc=net
>> olcAccess: {0} to *  by
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
>>  al,cn=auth manage  by
>> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=e
>>  xternal,cn=auth manage  by
>> dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net
>>   write  by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read
>> by * break
>> olcAccess: {1}to dn.exact=""  by * read
>> olcAccess: {2}to dn.base="cn=subschema"  by * read
>> olcAccess: {3} to attrs=userPassword  by anonymous auth by self write
>> by
>> * non
>>  e
>> olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net"
>> time=unl
>>  imited size=unlimited
>> olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net"
>> time=unlim
>>  ited size=unlimited
>> olcRootDN: cn=admin,dc=example,dc=net
>> olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
>> olcSizeLimit: unlimited
>> olcTimeLimit: unlimited
>> olcDbCheckpoint: 512 30
>> olcDbIndex: default eq
>> olcDbIndex: objectClass
>> olcDbIndex: entryUUID
>> olcDbIndex: entryCSN
>> olcDbIndex: cn pres,eq,sub
>> olcDbIndex: uid pres,eq,sub
>> olcDbIndex: mail pres,eq,sub
>> olcDbIndex: sn pres,eq,sub
>> olcDbIndex: description pres,eq,sub
>> olcDbIndex: title pres,eq,sub
>> olcDbIndex: givenName pres,eq,sub
>> olcDbMaxSize: 85899345920
>>
>> dn: 

Re: unable to add DB DIT , getting value #0 invalid per syntax error in alpine Linux.

2021-06-06 Thread govid
Hi,
I was able to overcome the issue by adding the lines below, which load the
backend db modules, to the ldif file "create_sns_db.ldif":

#
# Load dynamic backend modules:
#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/openldap
olcModuleload: back_bdb
olcModuleload: back_mdb
olcModuleload: back_ldap

and then if I execute "ldapadd -x -D 'cn=config' -w secret -f
create_sns_db.ldif" it works fine without any errors.
Not sure why, if the same lines are present in the slapd.conf, the backend db
modules are not initialized.

Now we are facing another issue while executing "ldapmodify -x -D 'cn=config'  
-w secret -f update_config.ldif" 

adding new entry "olcDatabase={2}mdb,cn=config"

adding new entry "olcOverlay=syncprov,olcDatabase={2}mdb,cn=config"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #1 invalid per syntax

We have installed the "openldap-overlay-all" package and tried to execute the
ldapmodify command in Alpine. Are any configurations to be done before executing
ldapmodify in Alpine?

Below are the contents of update_config.ldif:

dn: olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
olcDbDirectory: /usr/local/var/openldap-data/sns_accesslog_db
olcSuffix: cn=accesslog
olcAccess: {0}to * by dn.base="cn=admin,dc=smartsan" read by * break
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=config
olcLimits: dn.exact="cn=admin,dc=smartsan" time=unlimited size=unlimited
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcMonitoring: TRUE
olcDbCheckpoint: 0 0
olcDbIndex: entryCSN eq
olcDbIndex: objectClass eq
olcDbIndex: entryUUID eq
olcDbMode: 0600
olcDbSearchStack: 16
olcDbMaxsize: 85899345920

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=replicator,cn=appaccts,dc=example,dc=com" 
time=unlimited size=unlimited
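Quanah's diagnosis at the top of the thread (olcSyncProvConfig is rejected as "value #1 invalid per syntax" because nothing loads the syncprov module) can be checked before the LDIF is ever fed to ldapmodify. The script below is an added example, not part of this thread or of OpenLDAP's own tooling; it assumes a hand-written objectClass-to-module mapping (CLASS_TO_MODULE) and runs on a constructed LDIF sample modelled on the entries above.

```python
import re

# objectClass -> module that provides it (assumed; covers only this thread's classes).
CLASS_TO_MODULE = {
    "olcsyncprovconfig": "syncprov",
    "olcautocaconfig": "autoca",
    "olcmdbconfig": "back_mdb",
}

def parse_ldif(text):
    """Parse LDIF into [{attr_lowercase: [values]}], joining folded lines."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if line.startswith(" ") and last:        # continuation of the previous value
            cur[last][-1] += line[1:]
        elif not line.strip():                   # blank line ends an entry
            if cur:
                entries.append({k: [v.rstrip() for v in vs] for k, vs in cur.items()})
            cur, last = {}, None
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            cur.setdefault(last, []).append(value.lstrip())
    return entries

def loaded_modules(entries):
    """olcModuleLoad values minus the {n} order prefix and .la/.so suffix."""
    return {re.sub(r"\.(la|so)$", "", re.sub(r"^\{\d+\}", "", v))
            for e in entries for v in e.get("olcmoduleload", [])}

def missing_modules(text):
    """(dn, objectClass, module) triples whose module is never loaded by olcModuleLoad."""
    entries = parse_ldif(text)
    mods = loaded_modules(entries)
    return sorted((e.get("dn", ["?"])[0], oc, CLASS_TO_MODULE[oc.lower()])
                  for e in entries for oc in e.get("objectclass", [])
                  if oc.lower() in CLASS_TO_MODULE
                  and CLASS_TO_MODULE[oc.lower()] not in mods)

# Constructed sample: the module list plus the syncprov overlay entry from the thread.
SAMPLE = """\
dn: cn=module,cn=config
objectClass: olcModuleList
olcModuleload: back_mdb

dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
"""
```

Run `missing_modules(SAMPLE)` to get the offending entry; adding `olcModuleload: syncprov.la` to the module entry makes the result empty.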


Re: pw-totp

2021-06-06 Thread Dieter Klünter
On Sat, 5 Jun 2021 15:27:40 +0200
Stefan Kania wrote:

> Hello,
> 
> I try to set up TOTP1 and TOTP1ANDPW as password hash. I use Debian 10
> with Kernel 5.9 from the backports. As OpenLDAP I use 2.5.5. I set up
> everything via Ansible. My configure-options are:
> -
> ./configure --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
> --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
> --enable-modules --enable-dynamic --enable-syslog --enable-debug
> --enable-local --enable-spasswd --disable-sql
> --prefix=/opt/openldap-current
> -
> 
> In addition I build:
> 
> /opt/openldap-current/contrib/slapd-modules/passwd/sha2
> /opt/openldap-current/contrib/slapd-modules/passwd/pbkdf2
> /opt/openldap-current/contrib/slapd-modules/passwd/totp/
> 
> 
> "make test" is running without any error.
> 
> The setup is running without any error, here my cn=config:
> 
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /opt/openldap-current/var/run/slapd.args
> olcLogLevel: sync
> olcLogLevel: stats
> olcLogLevel: stats
> olcPidFile: /opt/openldap-current/var/run/slapd.pid
> olcToolThreads: 1
> olcTLSCertificateFile:
> /opt/openldap-current/etc/my_certificates/ldap25-p01-ce
>  rt.pem
> olcTLSCertificateKeyFile:
> /opt/openldap-current/etc/my_certificates/ldap25-p01
>  -key.pem
> olcTLSCACertificateFile:
> /opt/openldap-current/etc/my_certificates/cacert.pem
> olcPasswordHash: {TOTP1}
> 
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath:
> /opt/openldap-current/libexec/openldap:/usr/local/libexec/openl
>  dap
> olcModuleLoad: {0}back_mdb
> olcModuleLoad: {1}back_monitor
> olcModuleLoad: {2}pw-totp.la
> olcModuleLoad: {3}autoca.la
> 
> ... schema
> 
> dn: olcBackend={0}mdb,cn=config
> objectClass: olcBackendConfig
> olcBackend: {0}mdb
> 
> dn: olcDatabase={-1}frontend,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcFrontendConfig
> olcDatabase: {-1}frontend
> olcAccess: {0}to *  by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
>  l,cn=auth manage  by
> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=ex
>  ternal,cn=auth manage  by * break
> olcAccess: {1}to dn=""  by * read
> olcAccess: {2}to dn.base="cn=subschema"  by * read
> olcSizeLimit: 500
> 
> 
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcAccess: {0}to *  by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
>  l,cn=auth manage  by
> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=ex
>  ternal,cn=auth manage  by
> dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net
>  write  by * break
> olcRootDN: cn=admin,cn=config
> olcRootPW:
> 
> 
> dn: olcDatabase={1}monitor,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {1}monitor
> olcAccess: {0}to dn.subtree="cn=monitor" by
> dn.exact=cn=admin,cn=config read
>   by dn.exact=cn=admin,dc=example,dc=net read
> 
> dn: olcDatabase={2}mdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcmdbConfig
> olcDatabase: {2}mdb
> olcDbDirectory: /opt/openldap-current/var/lib/ldap
> olcSuffix: dc=example,dc=net
> olcAccess: {0} to *  by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
>  al,cn=auth manage  by
> dn.exact=gidNumber=+uidNumber=,cn=peercred,cn=e
>  xternal,cn=auth manage  by
> dn.exact=uid=ldap-admin,ou=users,dc=example,dc=net
>   write  by dn.exact=uid=repl-user,ou=users,dc=example,dc=net read
> by * break
> olcAccess: {1}to dn.exact=""  by * read
> olcAccess: {2}to dn.base="cn=subschema"  by * read
> olcAccess: {3} to attrs=userPassword  by anonymous auth by self write
> by
> * non
>  e
> olcLimits: {0} dn.exact="uid=repl-user,ou=users,dc=example,dc=net"
> time=unl
>  imited size=unlimited
> olcLimits: {1} dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net"
> time=unlim
>  ited size=unlimited
> olcRootDN: cn=admin,dc=example,dc=net
> olcRootPW: {SSHA}D6GKFhWChzpTnTmsxLVqJqTnFm+8fr3K
> olcSizeLimit: unlimited
> olcTimeLimit: unlimited
> olcDbCheckpoint: 512 30
> olcDbIndex: default eq
> olcDbIndex: objectClass
> olcDbIndex: entryUUID
> olcDbIndex: entryCSN
> olcDbIndex: cn pres,eq,sub
> olcDbIndex: uid pres,eq,sub
> olcDbIndex: mail pres,eq,sub
> olcDbIndex: sn pres,eq,sub
> olcDbIndex: description pres,eq,sub
> olcDbIndex: title pres,eq,sub
> olcDbIndex: givenName pres,eq,sub
> olcDbMaxSize: 85899345920
> 
> dn: olcOverlay={0}totp,olcDatabase={2}mdb,cn=config
> objectClass: olcOverlayConfig
> olcOverlay: {0}totp
> 
> dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcAutoCAConfig
> olcOverlay: {1}autoca
> olcAutoCAuserKeybits: 4096
> olcAutoCAserverKeybits: 4096
> olcAutoCAKeybits: 4096
> 
> 
> After a few minutes or if I restart slapd I get the following
> error-message: -
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5
> (Jun  5 2021