Re: OpenLDAP 2.5 + GSSAPI + Kerberos

2023-07-06 Thread Dieter Klünter
On Wed, 05 Jul 2023 18:18:31 -,
dbars...@nd.edu wrote:

> Total newbie here so please be gentle. I'm trying to set up a simple
> ldap server that uses SASL and Kerberos for authentication. I built
> OpenLDAP --with-cyrus-sasl and --enable-spasswd. I have the service
> principal and testsaslauthd works. I used slapadd to build the
> initial config (from slapd.ldif) and ldapadd to define a rootdn and
> basedn (basically ou=people and ou=groups). Added a user (me) and a
> group.
> 
> I have a slapd.conf file at /usr/lib/sasl2 that defines keytab:
> krb5.keytab, mech_list: GSSAPI, pwcheck_method: saslauthd,
> saslauthd_path: /run/saslauthd/mux.

You should create a service principal, i.e. an ldap principal.

-Dieter
-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: -Y external and SUSE

2023-07-06 Thread Dieter Klünter
On Wed, 5 Jul 2023 20:37:34 +0200, Stefan Kania wrote:

Hi All,
I'm still alive,

> Hi to all,
> 
> I just installed openSUSE 15.5 and the actual symas packages. After 
> installing OpenLDAP I could start slapd but "ldapsearch -Y external
> -H ldapi:///" is giving me a "can't connect to ldapserver"

I'm on Tumbleweed and use openldap2:

 rpm -qi openldap2
Name: openldap2
Version : 2.6.4
Release : 2.1
Architecture: x86_64
Install Date: Do 29 Jun 2023 19:11:20 CEST

With regard to your questions:

ldapwhoami -Y gssapi -H ldapi:///
SASL/GSSAPI authentication started
SASL username: die...@avci.de
SASL data security layer installed.
[...]

ldapwhoami -Y external -H ldapi:///
SASL/EXTERNAL authentication started
SASL username:
[...]


-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E




Re: symas openldap-packages and kerberos

2021-12-23 Thread Dieter Klünter
On Wed, 22 Dec 2021 14:27:37 +0100, Stefan Kania wrote:

> On 22.12.21 at 13:18, Dieter Klünter wrote:
> > /* OpenLDAP SASL options */
> > [...]
> > /* OpenLDAP GSSAPI options */
> > #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT  0x6200
> > #define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL   0x6201  
> 

Did you simply test with ldapwhoami(1) and all available mechanisms?

ldapwhoami -Y gssapi -U dieter -H ldapi:///
SASL/GSSAPI authentication started
SASL username: dieter@MyREALM
SASL SSF: 256
SASL data security layer installed.
dn: 

-Dieter
-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: symas openldap-packages and kerberos

2021-12-22 Thread Dieter Klünter
On Wed, 22 Dec 2021 12:49:54 +0100, Dieter Klünter wrote:

> On Wed, 22 Dec 2021 11:38:32 +0100, Stefan Kania wrote:
> 
> > On 22.12.21 at 10:31, Stefan Kania wrote:
> > > either it's still a configuration problem, or it's missing. If
> > > it's a configuration problem, how can I fix it?
> > 
> > I now built OpenLDAP from source with this options:
> > --
> > ./configure --enable-argon2 --with-argon2=libargon2
> > --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
> > --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
> > --enable-modules --enable-dynamic --enable-syslog --enable-debug
> > --enable-local --enable-spasswd --disable-sql
> > --prefix=/opt/openldap-current --with-sasl=yes
> > --
> > Still no gssapi :-(. Did I miss something here?  
> [...]
> 
> You probably missed the header files, check /usr/include/gssapi/
> and /usr/include/krb5/
> and probably some more.

Sorry, just another hint. Check the source file
openldap/include/ldap.h

/* OpenLDAP SASL options */
[...]
/* OpenLDAP GSSAPI options */
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT  0x6200
#define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL   0x6201

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: symas openldap-packages and kerberos

2021-12-22 Thread Dieter Klünter
On Wed, 22 Dec 2021 12:49:54 +0100, Dieter Klünter wrote:

> On Wed, 22 Dec 2021 11:38:32 +0100, Stefan Kania wrote:
> 
> > On 22.12.21 at 10:31, Stefan Kania wrote:
> > > either it's still a configuration problem, or it's missing. If
> > > it's a configuration problem, how can I fix it?
> > 
> > I now built OpenLDAP from source with this options:
> > --
> > ./configure --enable-argon2 --with-argon2=libargon2
> > --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
> > --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
> > --enable-modules --enable-dynamic --enable-syslog --enable-debug
> > --enable-local --enable-spasswd --disable-sql
> > --prefix=/opt/openldap-current --with-sasl=yes
> > --
> > Still no gssapi :-(. Did I miss something here?  
> [...]
> 
You probably missed the header files, check /usr/include/gssapi/
and /usr/include/krb5/
and probably some more,
and check the libraries in /usr/lib64/sasl2/
 
-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: symas openldap-packages and kerberos

2021-12-22 Thread Dieter Klünter
On Wed, 22 Dec 2021 11:38:32 +0100, Stefan Kania wrote:

> On 22.12.21 at 10:31, Stefan Kania wrote:
> > either it's still a configuration problem, or it's missing. If it's
> > a configuration problem, how can I fix it?  
> 
> I now built OpenLDAP from source with this options:
> --
> ./configure --enable-argon2 --with-argon2=libargon2 --with-cyrus-sasl
> --with-tls=openssl --enable-overlays=mod --enable-backends=mod
> --disable-perl --disable-ndb --enable-crypt --enable-modules
> --enable-dynamic --enable-syslog --enable-debug --enable-local
> --enable-spasswd --disable-sql --prefix=/opt/openldap-current
> --with-sasl=yes
> --
> Still no gssapi :-(. Did I miss something here?
[...]

You probably missed the header files, check /usr/include/gssapi/
and /usr/include/krb5/
and probably some more.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: symas openldap-packages and kerberos

2021-12-21 Thread Dieter Klünter
On Sat, 18 Dec 2021 07:28:16 +0100, Dieter Klünter wrote:

> On Fri, 17 Dec 2021 16:34:41 +0100, Stefan Kania wrote:
> 
> > Hello to all,
> > 
> > I'm trying to get GSSAPI authentication running with the
> > symas-packages. I generated a ldap.keytab file and it's readable for
> > the ldap-user running the slapd. With the Debian-packages I ad:
>[...]
> /etc/sasl2/slapd.conf
> mech_list: gssapi digest-md5 cram-md5 external
> keytab: /etc/openldap/ldap.keytab
> 
> /etc/ldap.conf
> KRB5_KTNAME=/etc/openldap/krb5.keytab
> SASL_MECH GSSAPI
> SASL_REALM My.SASL.REALM

I remember that in the old days I did some successful debugging with
sasl-server and sasl-client.

-Dieter


-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: symas openldap-packages and kerberos

2021-12-17 Thread Dieter Klünter
On Fri, 17 Dec 2021 16:34:41 +0100, Stefan Kania wrote:

> Hello to all,
> 
> I'm trying to get GSSAPI authentication running with the
> symas-packages. I generated a ldap.keytab file and it's readable for
> the ldap-user running the slapd. With the Debian-packages I ad:
> -
> export KRB5_KTNAME="/path/to/ldap.keytab"
> -
> 
> I don't want to use the system keytab /etc/krb5.keytab. How do I tell
> slapd from the symas-packages to use my service-keytab?
> 
> I try to add to my /etc/default/symas-openldap:
> -
> KRB5_KTNAME="/path/to/ldap.keytab
> -
> but it's not working.

/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab

/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: pw-totp

2021-06-06 Thread Dieter Klünter
onfig
> objectClass: olcOverlayConfig
> olcOverlay: {0}totp
> 
> dn: olcOverlay={1}autoca,olcDatabase={2}mdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcAutoCAConfig
> olcOverlay: {1}autoca
> olcAutoCAuserKeybits: 4096
> olcAutoCAserverKeybits: 4096
> olcAutoCAKeybits: 4096
> 
> 
> After a few minutes or if I restart slapd I get the following
> error-message: -
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5
> (Jun  5 2021 14:07:21) $
> 
> root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
>  scheme not available ({TOTP1})
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
>  no valid hashes found
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: config error processing
> cn=config:  no valid hashes found
> -
> I used the documentation from symas for configuring TOTP. What's wrong
> and why is slapd starting after configuration but chrashes when I
> restart slapd?

Have a look at this blog entry, dated 2015:
https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.html

-Dieter


-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E




Re: hdb to mdb

2021-06-03 Thread Dieter Klünter
Quanah Gibson-Mount  writes:

> --On Thursday, June 3, 2021 12:49 AM -0400 Dave Macias
>wrote:
>
>>
>>
>> Hello,
>>
>> Saw this link in a recent mail to this list.
>> https://www.openldap.org/doc/admin25/appendix-upgrading.html
>>
>> Looks like hdb would no longer be supported.
>> I googled a bit to see what it would take to move over to mdb and
>> stumbled on this post.
>> https://www.mail-archive.com/openldap-technical@openldap.org/msg25484.html
>>
>> My question is:
>> Is it really that easy?
>
> yes.  Make sure that you have back_mdb moduleloaded as well if it's
> built as a module.  You do have to export your DB via slapcat and then
> reimport with slapadd as well.

In order to check for static built-in modules run ./slapd -VVV

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: OpenLDAP 2.5 Release Candidate Testing (OpenLDAP 2.5.4)

2021-04-23 Thread Dieter Klünter
On Fri, 23 Apr 2021 10:20:28 +0200, Dieter Klünter wrote:

> On Thu, 22 Apr 2021 09:56:42 -0700, Quanah Gibson-Mount wrote:
> 
> > This is a testing call for OpenLDAP 2.5 Release Candidate (OpenLDAP
> > 2.5.4) Depending on the results, this may be the only testing call.
> > 
> > Generally, get the code for RE25:
> > 
> > <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/openldap-OPENLDAP_REL_ENG_2_5.tar.gz>
> > 
> > Extract, configure, and build.
> > 
> > Execute the test suite (via make test) after it is built.
> > Optionally, cd tests && make its to run through the regression
> > suite.
> > 
> > Note that there are new features in 2.5, so please examine the
> > options available with configure carefully.  Some examples:
> > 
> > The new load balancer, which can either be built as a module for
> > slapd (--enable-balancer=mod) or as a standalone server
> > (--enable-balancer=yes)
> > 
> > The libargon2 password module (--enable-argon2).
> > 
> > Systemd notification support (--with-systemd=yes).  
> 
> 
> >>>> Starting test085-homedir for mdb...  
> running defines.sh
> Running slapadd to build slapd database...
> slapadd: bad configuration file!
> slapadd failed (1)!
> make[2]: *** [Makefile:301: mdb-yes] Fehler 1
> make[2]: Verzeichnis
> „/home/dieter/work/openldap-OPENLDAP_REL_ENG_2_5/tests“ wird verlassen
> make[1]: *** [Makefile:287: test] Fehler 2 make[1]: Verzeichnis
> „/home/dieter/work/openldap-OPENLDAP_REL_ENG_2_5/tests“ wird verlassen
> make: *** [Makefile:299: test] Fehler 2

There is a broken symlink in tests/testdata/homedir/skel/directory/
which points to itself.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: OpenLDAP 2.5 Release Candidate Testing (OpenLDAP 2.5.4)

2021-04-23 Thread Dieter Klünter
On Thu, 22 Apr 2021 09:56:42 -0700, Quanah Gibson-Mount wrote:

> This is a testing call for OpenLDAP 2.5 Release Candidate (OpenLDAP
> 2.5.4) Depending on the results, this may be the only testing call.
> 
> Generally, get the code for RE25:
> 
> <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_5/openldap-OPENLDAP_REL_ENG_2_5.tar.gz>
> 
> Extract, configure, and build.
> 
> Execute the test suite (via make test) after it is built.
> Optionally, cd tests && make its to run through the regression suite.
> 
> Note that there are new features in 2.5, so please examine the
> options available with configure carefully.  Some examples:
> 
> The new load balancer, which can either be built as a module for
> slapd (--enable-balancer=mod) or as a standalone server
> (--enable-balancer=yes)
> 
> The libargon2 password module (--enable-argon2).
> 
> Systemd notification support (--with-systemd=yes).


>>>> Starting test085-homedir for mdb...
running defines.sh
Running slapadd to build slapd database...
slapadd: bad configuration file!
slapadd failed (1)!
make[2]: *** [Makefile:301: mdb-yes] Fehler 1
make[2]: Verzeichnis
„/home/dieter/work/openldap-OPENLDAP_REL_ENG_2_5/tests“ wird verlassen
make[1]: *** [Makefile:287: test] Fehler 2 make[1]: Verzeichnis
„/home/dieter/work/openldap-OPENLDAP_REL_ENG_2_5/tests“ wird verlassen
make: *** [Makefile:299: test] Fehler 2

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: Authentication by the mail attribute

2021-04-07 Thread Dieter Klünter
On Wed, 7 Apr 2021 10:56:09 +, Клеусов Владимир Сергеевич wrote:

> Hi
> Please tell me how (if possible) to authenticate in OpenLDAP not by
> cn but by the mail attribute ?

Try this one:

authz-regexp "uid=(.*),cn=.*,cn=auth"
  "ldap:///cn=example,cn=com??sub?mail=$1"


-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
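The following is an added illustration, not slapd's code and not part of the message above: it re-implements the documented matching and substitution of an authz-regexp rule so the effect of the rule quoted in the reply can be inspected offline. The anchored match and the RFC 4515 escaping of the captured value are this example's own simplifications and choices, not statements about what slapd does internally; the sample identities are constructed.

```python
import re
from typing import Optional

# The rule exactly as quoted in the message (base kept as written there).
RULE_PATTERN = r"uid=(.*),cn=.*,cn=auth"
RULE_URL = "ldap:///cn=example,cn=com??sub?mail=$1"


def rfc4515_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Escaping is this example's own choice so that a captured string can
    only ever be a literal mail value, never additional filter syntax.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def apply_authz_regexp(authc_dn: str, pattern: str = RULE_PATTERN,
                       url: str = RULE_URL) -> Optional[str]:
    """Return the search URL for a SASL authentication DN, or None.

    Mirrors the documented behaviour of authz-regexp: the authentication
    DN (uid=<authcid>,cn=<mech>,cn=auth) is matched against the regex and
    $1..$9 in the URL are replaced by the captured groups.  Matching is
    simplified here to a case-insensitive anchored match.
    """
    m = re.fullmatch(pattern, authc_dn, re.IGNORECASE)
    if m is None:
        return None
    result = url
    for i, group in enumerate(m.groups(), start=1):
        result = result.replace(f"${i}", rfc4515_escape(group))
    return result


def parse_ldap_url(url: str) -> dict:
    """Split an ldap:/// URL into its base, attrs, scope and filter
    fields (RFC 4516) so the resulting search can be checked."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled here")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, filt = parts[:4]
    return {"base": base, "attrs": attrs, "scope": scope or "base",
            "filter": filt}


if __name__ == "__main__":
    # Constructed sample identities, as a SASL GSSAPI bind would present them.
    for dn in ("uid=alice,cn=gssapi,cn=auth",
               "uid=alice@EXAMPLE.TEST,cn=gssapi,cn=auth",
               "uid=*,cn=gssapi,cn=auth",
               "cn=alice,cn=auth"):
        print(dn, "->", apply_authz_regexp(dn))
```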


Re: acl for attrs with regex

2020-09-08 Thread Dieter Klünter
On Tue, 8 Sep 2020 11:59:01 +0200, Stefan Kania wrote:

> Hello,
> 
> I would like to set ACLs to a bunch of attributes via ACL. Is it
> possible to use regular expressions in the x field for attrs,
> something like
> 
> access to attrs.regex=[a.*]
>   by . read
>   by * break
> 
> I couldn't figure it out :-( If it is possible could someone please
> write a short example
[...]

You may consider sets:

access to dn:xxx
  by set.regex=xxx

https://www.openldap.org/faq/data/cache/1133.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: groupOfNames vs. groupOfUniqueNames

2020-09-02 Thread Dieter Klünter
On Wed, 2 Sep 2020 11:11:56 +0200, Olaf Hopp wrote:

> Hi everybody,
> 
> we are at the point of reorganising our LDAP.
> Currently we only have posixGroups, but in future we also want to
> support groupOfNames or groupOfUniqueNames
> My question what is the common sense of usage ?
> groupOfNames or groupOfUniqueNames ?
> 
> I know your answers, you will say "it depends on your applications"
> but currently I have no application using it. All my current
> applications use my posixGroups. I just want to extend my LDAP for
> future use cases.
> 
> So what to take  : groupOf Names or groupOfUniqueNames besides
> posixGroup ?

I would vote for groupOfNames. If you prefer groupOfUniqueNames you
should provide uniqueness.

https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames
https://ldapwiki.com/wiki/UniqueMember

The use of posixgroup depends on your requirements.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: memberof Overlay not showing in base search

2020-09-02 Thread Dieter Klünter
On Wed, 2 Sep 2020 18:26:52 +0500, Umar Draz wrote:

> Hi,
> 
> I am running OpenLDAP server on Ubuntu 18.
> 
> The memberOf attribute is not showing in ldap simple search, if I do
> the following then memberOf attribute is hidden.
> 
> *ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com*
> # udraz, Users, example.com <http://lablynx.com/>
> dn: uid=udraz,ou=Users,dc=example,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: udraz
> sn: Draz
> givenName: Umar
> mail: ud...@example.com
> cn: Umar Draz
> displayName: Umar Draz
> uidNumber: 5000
> gidNumber: 5000
> gecos: Umar Draz
> loginShell: /bin/bash
> homeDirectory: /home/udraz
> 
> But if I do the following then memberOf attribute appear
> 
> *ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf*
> # udraz, Users, example.com
> dn: uid=udraz,ou=Users,dc=example,dc=com
> memberOf: cn=developers,ou=Users,dc=example,dc=com
> 
> Would you please help me how to solve this

The memberOf attribute type is an operational attribute generated on
the fly.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: RE24 testing call #1 (OpenLDAP 2.4.50, LMDB 0.9.26)

2020-07-25 Thread Dieter Klünter

On 24.07.20 00:02, Quanah Gibson-Mount wrote:
> This is the first testing call for OpenLDAP 2.4.51.  Depending on the
> results, this may be the only testing call.
>
> Generally, get the code for RE24:
>
>
> Extract, configure, and build.
>
> Execute the test suite (via make test) after it is built. Optionally,
> cd tests && make its to run through the regression suite.
>
> Thanks!

[...]
Some errors on OpenIndiana Hipster 2020.04, I have to check this.

> test032-chain failed for mdb
(exit 1)
*** Error code 1
The following command caused the error:
./run -b mdb all
make: Fatal error: Command failed for target `mdb-yes'

-Dieter


GSSAPI Probs was: [GSSAPI Error: No credentials were supplied ... unknown mech-code 0 for mech unknown]

2020-05-15 Thread Dieter Klünter
On Thu, 14 May 2020 13:22:28 -0400, Braiam wrote:

Sorry for hijacking this thread.
> Hi,
> 
> I'm trying to get slapd to use heimdal kerberos to provide
> a single authentication backend for my network. I've followed
> the Administrator's Guide on SASL[1] and cyrus faq entry
> about connecting OpenLDAP with GSSAPI[2]. I'm stuck
> at the what I believe is a misunderstanding from my part.
[...]

Out of curiosity, and facing similar problems, I have just set up a
playground mostly based on Raspbian, but additionally OpenIndiana and
OpenSUSE.
The Environment:
Packages: 
opensuse: openldap2.2-2.4.50-52.1.x86_64
  cyrus-sasl-2.1.27-3.2.x86_64  

raspian:  slapd/stable,now 2.4.47
  libsasl2-modules-gssapi-heimdal/stable 2.1.27
  libsasl2-modules-gssapi-mit/stable,now 2.1.27

openindiana: slapd-2.4.48
 security/gss@5.11
 kernel GSSAPI V2

slapd on opensuse
indiana:~$ /usr/lib/openldap/bin/amd64/ldapwhoami -Ygssapi -H
ldap://pink.fritz.box SASL/GSSAPI authentication started
SASL username: die...@fritz.box
SASL SSF: 56
SASL data security layer installed.
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

raspian:~ $ ldapwhoami -Ygssapi -Hldap://pink.fritz.box
SASL/GSSAPI authentication started
SASL username: die...@fritz.box
SASL SSF: 256
SASL data security layer installed.
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

slapd on openindiana
pink➜ ᐅ  ldapwhoami -Ygssapi -H ldap://indiana.fritz.box
SASL/GSSAPI authentication started
SASL username: die...@fritz.box
SASL SSF: 256
SASL data security layer installed.
dn:uid=die...@fritz.box,cn=gssapi,cn=auth

slapd on Raspian
pink➜ ᐅ  ldapwhoami -Ygssapi -H ldap://raspi3.fritz.box
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

indiana:~$ /usr/lib/openldap/bin/amd64/ldapwhoami -Ygssapi -H
ldap://raspi3.fritz.box SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI
Failure: gss_accept_sec_context

KDC is MIT-KRB5

slapd configuration is identical on all hosts,
krb5.keytab is individually set up for all hosts, each host has
appropriate keys.

If applicable, an individual ldap.keytab path is configured in
sasl2/slapd.conf;
these ldap.keytabs are readable by slapd and owned by the slapd user and
group.

 ldap/raspi3.fritz@fritz.box
 ldap/pink.fritz@fritz.box
 ldap/indiana.fritz@fritz.box

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
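The three outcomes in the transcripts above (a bind that returns a mapped directory DN, one that leaves the identity in the unmapped uid=...,cn=gssapi,cn=auth form, and one rejected at gss_accept_sec_context) can be told apart mechanically. The following classifier is an added example, not part of the message; the transcripts are constructed after the ones shown, the realm and names are placeholders, and the SSF threshold is an assumed local policy (the SSF 56 seen on one host is flagged as weak by it).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

MIN_SSF = 128  # assumed local policy; the SSF 56 seen on one host is flagged


@dataclass
class BindResult:
    ok: bool
    sasl_user: Optional[str] = None
    ssf: Optional[int] = None
    dn: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def classify(transcript: str) -> BindResult:
    """Classify one ldapwhoami -Y gssapi transcript.

    Distinguishes a bind that yields a mapped directory DN, a bind whose
    identity stays in the unmapped uid=...,cn=gssapi,cn=auth form (no
    authz-regexp matched), and a bind the server rejected in
    gss_accept_sec_context.  Weak SSF is reported on successful binds.
    """
    user = ssf = dn = None
    problems: List[str] = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("SASL username:"):
            user = line.split(":", 1)[1].strip()
        elif line.startswith("SASL SSF:"):
            ssf = int(line.split(":", 1)[1])
        elif line.startswith("dn:"):  # ldapwhoami prints "dn:" without a space
            dn = line[3:].strip()
        elif line.startswith("ldap_sasl_interactive_bind_s:"):
            problems.append("bind failed: " + line.split(":", 1)[1].strip())
        elif "gss_accept_sec_context" in line:
            problems.append("server rejected the GSSAPI context "
                            "(gss_accept_sec_context failed)")
    ok = dn is not None and not any(p.startswith("bind failed") for p in problems)
    if ok:
        if re.search(r",cn=[^,]+,cn=auth$", dn, re.IGNORECASE):
            problems.append("identity not mapped to a directory entry "
                            "(no authz-regexp matched)")
        if ssf is not None and ssf < MIN_SSF:
            problems.append(f"weak SSF {ssf} (below assumed minimum {MIN_SSF})")
    return BindResult(ok, user, ssf, dn, problems)


# Constructed transcripts modelled on the three outcomes in the message.
SAMPLES = {
    "mapped_weak_ssf": (
        "SASL/GSSAPI authentication started\n"
        "SASL username: alice@fritz.box\n"
        "SASL SSF: 56\n"
        "SASL data security layer installed.\n"
        "dn:cn=alice,ou=partner,o=example,c=de\n"
    ),
    "unmapped": (
        "SASL/GSSAPI authentication started\n"
        "SASL username: alice@fritz.box\n"
        "SASL SSF: 256\n"
        "SASL data security layer installed.\n"
        "dn:uid=alice@fritz.box,cn=gssapi,cn=auth\n"
    ),
    "rejected": (
        "SASL/GSSAPI authentication started\n"
        "ldap_sasl_interactive_bind_s: Invalid credentials (49)\n"
        "\tadditional info: SASL(-13): authentication failure: "
        "GSSAPI Failure: gss_accept_sec_context\n"
    ),
}


def report(samples=SAMPLES) -> dict:
    """Map each sample name to its list of problems (empty list = fine)."""
    return {name: classify(text).problems for name, text in samples.items()}


if __name__ == "__main__":
    for name, problems in report().items():
        print(name, "->", problems or ["ok"])
```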


Re: "GSSAPI Error: No credentials were supplied ... unknown mech-code 0 for mech unknown"

2020-05-15 Thread Dieter Klünter
On Thu, 14 May 2020 13:22:28 -0400, Braiam wrote:

> Hi,
> 
> I'm trying to get slapd to use heimdal kerberos to provide
> a single authentication backend for my network. I've followed
> the Administrator's Guide on SASL[1] and cyrus faq entry
> about connecting OpenLDAP with GSSAPI[2]. I'm stuck
> at the what I believe is a misunderstanding from my part.

> I believe when I use -Y GSSAPI I should be using my
> braiam/admin credentials, but according to SASL facility
> in slapd I'm not providing any. strace confirms that
> it reads the /tmp/krb5cc_1000 file correctly.
> 
> I'm very confused as to how to proceed since most of
> the relevant results point to having not kinit'd.
> 
> I'm using Debian stable, slapd=2.4.47+dfsg-3+deb10u1,
> libsasl2-modules-gssapi-heimdal=2.1.27+dfsg-1+deb10u1.
> 
> debian@ldap01:~$ sudo ktutil -k /etc/krb5.keytab list
> /etc/krb5.keytab:
> 
> Vno  Type Principal
>   Aliases
>   4  aes256-cts-hmac-sha1-96  host/ldap01.example@example.com
>   4  des3-cbc-sha1host/ldap01.example@example.com
>   4  arcfour-hmac-md5 host/ldap01.example@example.com
>   9  aes256-cts-hmac-sha1-96  ldap/ldap01.example@example.com
>   9  des3-cbc-sha1ldap/ldap01.example@example.com
>   9  arcfour-hmac-md5 ldap/ldap01.example@example.com
> 
> debian@ldap01:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
> Principal: braiam/ad...@example.com
> 
>   IssuedExpires   Principal
> May 12 20:34:05 2020  May 13 20:34:05 2020
> krbtgt/example@example.com May 12 20:34:11 2020  May 13 20:34:05
> 2020  ldap/ldap01.example@example.com
> 
> debian@ldap01:~$ ldapsearch -LLL -Y GSSAPI -s "base" -b ""
> supportedSASLMechanisms -H $ldap_host
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
> error (80) additional info: SASL(-1): generic failure: GSSAPI Error:
> No credentials were supplied, or the credentials were unavailable or
> inaccessible. (unknown mech-code 0 for mech unknown)

It has been a long time since I used a Heimdal KDC. AFAIR there are some
minor differences between sasl libgssapi, MIT-KRB5 libs and tools, and
Heimdal gss-api and kerberos tools.
Please check the sasl2 configuration path for slapd.conf.
https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
While some distributions change this path to /etc/sasl2/slapd.conf, or
/etc/ldap/sasl2/slapd.conf, sasl refers to /usr/lib/sasl2/slapd.conf.
This slapd.conf must be readable by slapd.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: Can't get LDAPS connection with OpenLDAP as a Proxy working (error:14090086)

2020-05-13 Thread Dieter Klünter
a.le...@consense-gmbh.de writes:

> Hello,
>
> I'm fairly new to OpenLDAP. I have successfully built a connection to
> a Windows Active Directory with LDAP over port 389.
>
> But when I switch to LDAPS and Port 636 and try a connection via the
> Softerra LDAP Browser I get the following error:
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS: can't connect: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable
> to get local issuer certificate).
>
> I have installed the certificate of the Server I want to connect to on my 
> machine.
>
> But I still get this error. Does anyone have an idea why this error happens?
>
> Here is my slapd.conf-File:
> # MDB Backend configuration file
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> ucdata-path   ./ucdata
> include   ./schema/core.schema
> include   ./schema/cosine.schema
> include   ./schema/nis.schema
> include   ./schema/inetorgperson.schema
> #include  ./schema/openldap.schema
> #include  ./schema/dyngroup.schema
>
>
> pidfile   ./run/slapd.pid
> argsfile  ./run/slapd.args
>
> loglevel 256
>
> sizelimit unlimited
> timelimit unlimited
>
>
>
> ###
> # mdb database definitions
> ###
>
>
> database meta
> suffix "dc=example,dc=com"
>
> uri "ldaps://dc001.example.com:636/DC=example,DC=com"
 
Read the manual pages on slapd.conf(5), slapd-mdb(5), slapd-meta(5), and
read on Transport Layer Security (TLS).
In order to verify the host certificate of host dc001.example.com
you should provide and configure the certification authority (CA) that
signed the host certificate.

The configuration of a ucdata path is obsolete.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: rootdn & password policy

2020-04-14 Thread Dieter Klünter
On Tue, 14 Apr 2020 16:26:20 +0200, Dieter Klünter wrote:

> On Mon, 13 Apr 2020 10:34:36 -0700, Hannah Chenh wrote:
> 
> > Hello,
> > 
> > I have a question related to rootdn and password policy.
> > 
> > I understand that the rootdn can bypass all restrictions.
> > 
> > We have a requirement to bypass a password policy for the admin
> > user.
> > 
> > Is there a way to create the admin user so that this user can have
> > the same privilege as rootdn and I don't need to bind as rootdn in
> > my application?
> > 
> > Currently I have granted the following to the admin_user:
> [...] 
>  
> > 
> > Any help would be appreciated.
> 
> man slapo-ppolicy(5), read on pwdPolicy objectclass, and
> pwdPolicySubentry.
> Create a policy subtree and add all users' policy objects to this
> subtree.

Sorry, my bad, this is rubbish. It should have been the answer to a
different list.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: rootdn & password policy

2020-04-14 Thread Dieter Klünter
On Mon, 13 Apr 2020 10:34:36 -0700, Hannah Chenh wrote:

> Hello,
> 
> I have a question related to rootdn and password policy.
> 
> I understand that the rootdn can bypass all restrictions.
> 
> We have a requirement to bypass a password policy for the admin user.
> 
> Is there a way to create the admin user so that this user can have the
> same privilege as rootdn and I don't need to bind as rootdn in my
> application?
> 
> Currently I have granted the following to the admin_user:
[...] 
 
> 
> Any help would be appreciated.

man slapo-ppolicy(5), read on pwdPolicy objectclass, and
pwdPolicySubentry.
Create a policy subtree and add all users' policy objects to this
subtree.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: front end for openldap

2020-04-07 Thread Dieter Klünter
On Mon, 6 Apr 2020 14:58:07 -0300, paulo bruck wrote:

> Hi All
> 
> I have been using openldap for many years and I would like to thanks
> to all .
> 
> Is there a framework to use with openldap as backend? Preferably based
> on Python 80)
> 
> I look at django-ldapdb but project is almost dead and does not have
> all that I need.


openldapjs
https://github.com/6labs/openldapjs.git
perl Net::LDAP
python-ldap
https://stroeder.com/software.html

-Dieter
-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: [EXT] Re: logging through systemd-journald is bottleneck

2020-03-19 Thread Dieter Klünter
On Thu, 19 Mar 2020 08:57:11 +0100, "Ulrich Windl" wrote:

> >>> Dieter Klünter wrote on 18.03.2020 at
> >>> 19:57 in
> message
> <30206_1584557842_5e726f12_30206_1570_1_20200318195706.1d992...@pink.fritz.box>:
> 
> > On Wed, 18 Mar 2020 17:16:53 +,
> > wrote:
> >   
> >> Dear all,
> >> 
> >> we're currently testing performance of OpenLDAP on Oracle/RedHat
> >> Linux and quite unexpected actually hit systemd-journald to be a
> >> bottleneck. While OpenLDAP happily makes use of all available CPUs,
> >> that one is single threaded, braking everything. The only way
> >> around I have found is to set olcLoglevel to 0, speeding up my
> >> test run by a factor of 6(!). That now of course is not an option
> >> to use in production. I'd happily directly write to a file as I
> >> did in the old days but I cannot get olcLogfile to work. And even
> >> if I was able to get there, how do I stop OpenLDAP from logging to
> >> syslogd (which is inevitably forwarding everything to
> >> system-journald ) ? Can anyone give advice how to handle this
> >> ? Any hint appreciated (short of "get a decent OS" - that is not
> >> an option).  
> > 
> > I support Quanah's advice!
> > Beside this, consider a logging strategy based on required
> > information and neglected information, as well as min. and max.
> > server load.
> > 
> > Based on my experience I would disable logging by default, but
> > enable logging for a short given time, just a modify operation on
> > attribute olcLogLevel.
> > With regard to journald I advise to define filters, see man
> > journalctl(1).
> > If syslog is a requirement, change to rsyslog. Don't make use of
> > logstash!
> 
> Can't openLDAP simply log to a different port than the default syslog
> port? If so, just set up some alternate local syslog server.
> Or, in case an external syslog server is supported, just use one that
> isn't using systemd-journald.
> 
> Sorry, I never had the need to use a different syslog mechanism...

man slapd(8), syslog-local-user; slapd logs, by default, to local4.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: logging through systemd-journald is bottleneck

2020-03-18 Thread Dieter Klünter
On Wed, 18 Mar 2020 17:16:53 +,
wrote:

> Dear all,
> 
> we're currently testing performance of OpenLDAP on Oracle/RedHat
> Linux and quite unexpected actually hit systemd-journald to be a
> bottleneck. While OpenLDAP happily makes use of all available CPUs,
> that one is single threaded, braking everything. The only way around
> I have found is to set olcLoglevel to 0, speeding up my test run by a
> factor of 6(!). That now of course is not an option to use in
> production. I'd happily directly write to a file as I did in the old
> days but I cannot get olcLogfile to work. And even if I was able to
> get there, how do I stop OpenLDAP from logging to syslogd (which is
> inevitably forwarding everything to system-journald ) ? Can
> anyone give advice how to handle this ? Any hint appreciated (short
> of "get a decent OS" - that is not an option).

I support Quanah's advice!
Beside this, consider a logging strategy based on required information
and neglected information, as well as min. and max. server load.

Based on my experience I would disable logging by default, but enable
logging for a short given time, just a modify operation on attribute
olcLogLevel.
With regard to journald I advise to define filters, see man
journalctl(1).
If syslog is a requirement, change to rsyslog. Don't make use of
logstash!

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: pwdChangedTime not defined when creating new entry

2020-03-05 Thread Dieter Klünter
On Thu, 5 Mar 2020 18:15:41 +0100, Clément OUDOT wrote:

> On 05/03/2020 at 10:10, Dieter Klünter wrote:
> > On Wed, 04 Mar 2020 13:36:08 +, Manuela Mandache wrote:
> >  
> >> Hello all,
> >>
> >> We have a directory running on OpenLDAP 2.4.44 with the ppolicy
> >> overlay on the main database. When a new entry with a userPassword
> >> defined is created, pwdChangedTime is not defined, so this initial
> >> userPassword never expires.
> >>
> >> The directory has been migrated from its OpenLDAP 2.3.34 instance
> >> (yes, we missed some steps...), and there the pwdChangedTime is
> >> set, and naturally equal to createTimestamp.
> >>
> >> The overlay is configured as follows:
> >> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
> >> objectClass: olcOverlayConfig
> >> objectClass: olcPPolicyConfig
> >> olcOverlay: {2}ppolicy
> >> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
> >> olcPPolicyHashCleartext: TRUE
> >> olcPPolicyUseLockout: TRUE
> >>
> >> Is there a parameter I missed which would switch on setting
> >> pwdChangedTime at entry creation? Do I have to provide some other
> >> configuration elements?
> >>
> >> Or is it unreasonable to expect this initialisation of the
> >> attribute this way, and only a password change can set it? I think
> >> the setting at creation is rather handy... Using pwdMustChange
> >> would be difficult, we have a lot of client apps which would be
> >> forced to check and probably adapt their authentication
> >> procedures.  
> > [...]
> > The password attribute value must be set by a password modify
> > extended operation in order to set password policy in effect, see man
> > slapo-ppolicy(5)   
> 
> 
> Are you sure? The password modify extended operation is required for
> smbk5pwd overlay, but not for ppolicy overlay?

From ldappasswd(1)
ldappasswd
  uses the LDAPv3 Password Modify (RFC 3062) extended operation.
> 
> I just test a creation of an entry with a password when ppolicy
> overlay is configured, and the pwdChangedTime is well created.

That is, what it should do.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: [EXT] Re: pwdChangedTime not defined when creating new entry

2020-03-05 Thread Dieter Klünter
Am Thu, 05 Mar 2020 12:22:28 +0100
schrieb "Ulrich Windl" :

> >>> Dieter Klünter  schrieb am 05.03.2020 um
> >>> 10:10 in  
> Nachricht
> <25580_1583399661_5e60c2ec_25580_1796_1_20200305101027.4c15a...@pink.fritz.box>:
> 
> > Am Wed, 04 Mar 2020 13:36:08 +
> > schrieb Manuela Mandache :
> >   
> >> Hello all,
> >> 
> >> We have a directory running on OpenLDAP 2.4.44 with the ppolicy
> >> overlay on the main database. When a new entry with a userPassword
> >> defined is created, pwdChangedTime is not defined, so this initial
> >> userPassword never expires.
> >> 
> >> The directory has been migrated from its OpenLDAP 2.3.34 instance
> >> (yes, we missed some steps...), and there the pwdChangedTime is
> >> set, and naturally equal to createTimestamp.
> >> 
> >> The overlay is configured as follows:
> >> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
> >> objectClass: olcOverlayConfig
> >> objectClass: olcPPolicyConfig
> >> olcOverlay: {2}ppolicy
> >> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
> >> olcPPolicyHashCleartext: TRUE
> >> olcPPolicyUseLockout: TRUE
> >> 
> >> Is there a parameter I missed which would switch on setting
> >> pwdChangedTime at entry creation? Do I have to provide some other
> >> configuration elements?
> >> 
> >> Or is it unreasonable to expect this initialisation of the
> >> attribute this way, and only a password change can set it? I think
> >> the setting at creation is rather handy... Using pwdMustChange
> >> would be difficult, we have a lot of client apps which would be
> >> forced to check and probably adapt their authentication
> >> procedures.  
> > [...]
> > The password attribute value must be set by a password modify
> > extended operation in order to set password policy in effect, see man
> > slapo-ppolicy(5)   
> 
> Yes, but shouldn't there be some magic to add it to all existing
> passweords when enabling it? Without having each user to change the
> password...
> 
Sure, man ldappasswd(1) points to some solutions, in conjunction with
postread ext.
Note that ldappasswd doesn't require a password string, as slapd will
generate a password which can be echoed to stdout.
Some magic Perl5 or Python may do all the workload. :-)

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de 
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: pwdChangedTime not defined when creating new entry

2020-03-05 Thread Dieter Klünter
Am Wed, 04 Mar 2020 13:36:08 +
schrieb Manuela Mandache :

> Hello all,
> 
> We have a directory running on OpenLDAP 2.4.44 with the ppolicy
> overlay on the main database. When a new entry with a userPassword
> defined is created, pwdChangedTime is not defined, so this initial
> userPassword never expires.
> 
> The directory has been migrated from its OpenLDAP 2.3.34 instance
> (yes, we missed some steps...), and there the pwdChangedTime is set,
> and naturally equal to createTimestamp.
> 
> The overlay is configured as follows:
> dn: olcOverlay={2}ppolicy,olcDatabase={2}mdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcPPolicyConfig
> olcOverlay: {2}ppolicy
> olcPPolicyDefault: ou=ppolicy,dc=example,dc=com
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: TRUE
> 
> Is there a parameter I missed which would switch on setting
> pwdChangedTime at entry creation? Do I have to provide some other
> configuration elements?
> 
> Or is it unreasonable to expect this initialisation of the attribute
> this way, and only a password change can set it? I think the setting
> at creation is rather handy... Using pwdMustChange would be
> difficult, we have a lot of client apps which would be forced to
> check and probably adapt their authentication procedures.
[...]
The password attribute value must be set by a password modify extended
operation in order to set password policy in effect, see man
slapo-ppolicy(5)

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: ldapuri vs. ldaphost

2020-02-09 Thread Dieter Klünter
Am Sun, 9 Feb 2020 12:28:53 +
schrieb Howard Chu :

> Dieter Klünter wrote:
> > Hi,
> > 
> > The manual pages ldapsearch(1) et al. describe the ldapuri abbreviation
> > as -H and the ldaphost abbreviation as -h. Both the ldapuri and ldaphost
> > descriptions might be of host name or host ip. If ldapuri is an ipv6
> > address,  an error occurs:
> > Could not parse LDAP URI(s)=2001:16b8:c115:9f00:44ff:f15b:11d1:e620
> > (3
> > 
> >  ldapsearch -YGSSAPI -H 2001:16b8:c115:9f00:44ff:f15b:11d1:e620 -b
> > "" -s base +. Just for verification one may use ipv6 address ::1
> > 
> > The question is: must ldapuri contain a hostname, or would a
> > hostaddress be sufficient. While ldaphost accepts hostname and
> > hostaddress?  
> 
> ldapuri must contain a URI. That is why it is called what it is.
> 
> A bare hostname or IP address are not valid URIs.

That is rather strange, while (the escape sequences are zsh related)
 
ldapurl -H ldap://localhost/o=avci,c=de\?\+\?\?
scheme: ldap
host: localhost
port: 389
dn: o=avci,c=de
selector: +
scope: base

ldapurl -H ldap://127.0.0.1/o=avci,c=de\?\+\?\?
scheme: ldap
host: 127.0.0.1
port: 389
dn: o=avci,c=de
selector: +
scope: base

ldapurl -H ldap://::1/o=avci,c=de\?\+\?\?
unable to parse URI "ldap://::1/o=avci,c=de?+??"

It seems this is more likely ipv6 related.

-Dieter

-- 

Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



ldapuri vs. ldaphost

2020-02-09 Thread Dieter Klünter
Hi,

The manual pages ldapsearch(1) et al. describe the ldapuri abbreviation as
-H and the ldaphost abbreviation as -h. Both the ldapuri and ldaphost
descriptions might be of host name or host ip. If ldapuri is an ipv6
address,  an error occurs:
Could not parse LDAP URI(s)=2001:16b8:c115:9f00:44ff:f15b:11d1:e620 (3

 ldapsearch -YGSSAPI -H 2001:16b8:c115:9f00:44ff:f15b:11d1:e620 -b "" -s
base +. Just for verification one may use ipv6 address ::1

The question is: must ldapuri contain a hostname, or would a
hostaddress be sufficient. While ldaphost accepts hostname and
hostaddress?

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
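The two ldapuri messages above (the question and Howard's reply) come down to what counts as a URI: a bare host name or address has no scheme, and an unbracketed IPv6 address cannot be told apart from host:port, so RFC 2732 requires the [addr] form. The following is an added example, not the OpenLDAP ldapurl(1) tool and not from the thread: a small RFC 4516 parser that applies both rules, accepting ldap://[::1]/... and rejecting ldap://::1/... exactly as ldapurl does. The sample URLs are constructed; the IPv6 literal from the thread appears only as rejected input.

```python
"""Parse LDAP URLs as RFC 4516 defines them, including the bracketed IPv6 form.

Added example (not the OpenLDAP ldapurl(1) tool); the sample URLs in main()
are constructed, and the defaults for scope and filter are the RFC 4516 ones.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Default ports per scheme; ldapi carries a percent-encoded socket path instead
# of a host, so its "port" is meaningless and kept at 0.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "ldapi": 0}
SCOPES = ("base", "one", "sub", "subordinates")


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]           # None for ldap:/// (library default host)
    port: int
    dn: str = ""
    attrs: List[str] = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: List[str] = field(default_factory=list)


def _split_hostport(scheme: str, hostport: str) -> Tuple[Optional[str], int]:
    """Return (host, port). IPv6 literals are legal only inside brackets (RFC 2732)."""
    port = DEFAULT_PORTS[scheme]
    if hostport == "":
        return None, port
    if scheme == "ldapi":
        return unquote(hostport), port
    if hostport.startswith("["):
        close = hostport.find("]")
        if close < 0:
            raise ValueError(f"unterminated IPv6 literal in {hostport!r}")
        host, rest = hostport[1:close], hostport[close + 1:]
    else:
        host, sep, tail = hostport.partition(":")
        if ":" in tail:
            # "::1" or "2001:db8::1" cannot be told apart from host:port, which is
            # why ldapurl/ldapsearch refuse it; write it as [::1] instead.
            raise ValueError(f"IPv6 address must be bracketed: {hostport!r}")
        rest = sep + tail
    if rest:
        if not (rest.startswith(":") and rest[1:].isdigit()):
            raise ValueError(f"malformed port in {hostport!r}")
        port = int(rest[1:])
    return host, port


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, remainder = url.partition("://")
    if not sep or scheme.lower() not in DEFAULT_PORTS:
        # The "Could not parse LDAP URI(s)" case: a bare host name or address
        # has no scheme, so it is not a URL at all.
        raise ValueError(f"not an LDAP URL: {url!r}")
    scheme = scheme.lower()
    hostport, _, tail = remainder.partition("/")
    host, port = _split_hostport(scheme, hostport)
    # After the host: dn ? attributes ? scope ? filter ? extensions
    parts = tail.split("?", 4)
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts)
    if scope and scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    return LdapUrl(scheme, host, port, dn,
                   [a for a in attrs.split(",") if a],
                   scope or "base",
                   filt or "(objectClass=*)",
                   [e for e in exts.split(",") if e])


def is_valid_ldap_url(url: str) -> bool:
    try:
        parse_ldap_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("ldap://localhost/o=avci,c=de?+??",
                   "ldap://[::1]/o=avci,c=de?+??",
                   "ldap://::1/o=avci,c=de?+??",
                   "2001:16b8:c115:9f00:44ff:f15b:11d1:e620"):
        try:
            print(sample, "->", parse_ldap_url(sample))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```

The practical consequence for the command in the thread is that -H wants ldap://[2001:16b8:c115:9f00:44ff:f15b:11d1:e620]/ rather than the bare address; -h takes a host name or address because it is not a URI at all.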



Re: what the error "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)" means?

2020-01-13 Thread Dieter Klünter
Am Mon, 13 Jan 2020 15:44:02 -0500
schrieb Peter Sui :

> Hi Michael,
>1. If I want to use  Unix peer credentials, I just need to
> specify the url as ldapi://... , and still use ldapwhoami command
> like: ldapwhoami -H ldapi://example.com:389  -YEXTERNAL
> right ?
>2. what If I want to use TLS client certs, except we set the
> certificate file in the .ldaprc, do we still run the same ldapwhoami
> command, like:
> ldapwhoami -H ldap://example.com:389 -YEXTERNAL
> or
> ldapwhoami -H ldap://example.com:389 -YEXTERNAL -Z
> 
> Thanks!
> 
> Peter
[...]

If authz-regexp is set correctly, it should be:

ldapwhoami -YEXTERNAL -H ldapi:///


-Dieter




-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: ldapwhoami translate sasl-name to dn

2019-12-24 Thread Dieter Klünter
die...@dkluenter.de (Dieter Klünter) writes:

> Quanah Gibson-Mount  writes:
>
>> --On Monday, December 23, 2019 10:19 PM +0100 Dieter Klünter
>>  wrote:
>>
>>> /usr/bin/ldapwhoami -Y gssapi -H ldap://indiana.example.com
>>> SASL/GSSAPI authentication started
>>> SASL username: die...@example.com
>>> SASL SSF: 256
>>> SASL data security layer installed.
>>> dn:uid=die...@example.com,cn=gssapi,cn=auth
>>>
>>>
>>> LDAP-Server is OpenLDAP-2.4.48 on all hosts and OS's
>>
>> Cyrus-sasl version on each?
>
> OpenIndiana provides package security/gss-5.11-2019 which provides GSSAPI v2,
> security/libsasl and security/kerberos-5.
> OpenSuSE provides cyrus-sasl-2.1.27

OpenIndiana built slapd with:

ldd /usr/lib/amd64/slapd

libldap_r-2.4.so.2 =>   /usr/lib/64/libldap_r-2.4.so.2
liblber-2.4.so.2 =>  /usr/lib/64/liblber-2.4.so.2
libltdl.so.7 =>  /usr/lib/64/libltdl.so.7
libuuid.so.1 =>  /lib/64/libuuid.so.1
libsasl.so.1 =>  /usr/lib/64/libsasl.so.1
libnsl.so.1 =>   /lib/64/libnsl.so.1
libsocket.so.1 =>/lib/64/libsocket.so.1
libc.so.1 => /lib/64/libc.so.1
libresolv.so.2 =>/lib/64/libresolv.so.2
libssl.so.1.0.0 =>   /lib/64/libssl.so.1.0.0
libcrypto.so.1.0.0 =>/lib/64/libcrypto.so.1.0.0
libdlpi.so.1 =>  /lib/64/libdlpi.so.1
libpthread.so.1 =>   /lib/64/libpthread.so.1
libmd.so.1 =>/lib/64/libmd.so.1
libmp.so.2 =>/lib/64/libmp.so.2
libdl.so.1 =>/lib/64/libdl.so.1
libinetutil.so.1 =>  /lib/64/libinetutil.so.1
libdladm.so.1 => /lib/64/libdladm.so.1
libdevinfo.so.1 =>   /lib/64/libdevinfo.so.1
libscf.so.1 =>   /lib/64/libscf.so.1
librcm.so.1 =>   /lib/64/librcm.so.1
libnvpair.so.1 =>/lib/64/libnvpair.so.1
libexacct.so.1 =>/usr/lib/64/libexacct.so.1
libkstat.so.1 => /lib/64/libkstat.so.1
libpool.so.1 =>  /usr/lib/64/libpool.so.1
libsec.so.1 =>   /lib/64/libsec.so.1
libgen.so.1 =>   /lib/64/libgen.so.1
libuutil.so.1 => /lib/64/libuutil.so.1
libsmbios.so.1 =>/usr/lib/64/libsmbios.so.1
libxml2.so.2 =>  /usr/lib/64/libxml2.so.2
libavl.so.1 =>   /lib/64/libavl.so.1
libidmap.so.1 => /usr/lib/64/libidmap.so.1
libz.so.1 => /usr/lib/64/libz.so.1
liblzma.so.5 =>  /usr/lib/64/liblzma.so.5
libm.so.2 => /lib/64/libm.so.2
libofmt.so.1 =>  d /usr/lib/amd64/slapd

-Dieter

--
Dieter Klünter | Directory Service
http://sys4.de
53°37'09,95"N
10°08'02,42"E



Re: ldapwhoami translate sasl-name to dn

2019-12-24 Thread Dieter Klünter
Quanah Gibson-Mount  writes:

> --On Monday, December 23, 2019 10:19 PM +0100 Dieter Klünter
>  wrote:
>
>> /usr/bin/ldapwhoami -Y gssapi -H ldap://indiana.example.com
>> SASL/GSSAPI authentication started
>> SASL username: die...@example.com
>> SASL SSF: 256
>> SASL data security layer installed.
>> dn:uid=die...@example.com,cn=gssapi,cn=auth
>>
>>
>> LDAP-Server is OpenLDAP-2.4.48 on all hosts and OS's
>
> Cyrus-sasl version on each?

OpenIndiana provides package security/gss-5.11-2019 which provides GSSAPI v2,
security/libsasl and security/kerberos-5.
OpenSuSE provides cyrus-sasl-2.1.27

-Dieter

--
Dieter Klünter | Directory Service
http://sys4.de
53°37'09,95"N
10°08'02,42"E



Re: ldapwhoami translate sasl-name to dn

2019-12-23 Thread Dieter Klünter
Dieter Klünter  writes:

> Am Fri, 20 Dec 2019 20:54:13 +0100
> schrieb Stefan Kania :
>
>> Hello,
>> 
>> I try to do the authentication in LDAP via Kerberos. The
>> Kerberos-Database is in LDAP, no problem, I can login to the system
>> as a normal user but when I do a "ldapwhomami" I get the following
>> output: -
>> u1-verw@ldapserver:~$ ldapwhoami
>> SASL/GSSAPI authentication started
>> SASL username: u1-v...@example.net
>> SASL SSF: 256
>> SASL data security layer installed.
>> dn:uid=u1-verw,cn=gssapi,cn=auth
>> -
>> I would like to get the original DN from the user not the
>> dn:*,cn=gssapi,cn=auth. So I put into my configuration:> [...]
>
> I face the same problem with OpenIndiana. In my experience only
> GSSAPI, DIGEST-MD5 and CRAM-MD5 work as expected. But I must admit, it
> is only on Solaris not on Linux.

A few examples of my sides:
 
KDC: raspberrypi, OS raspian
host: pink, OS OpenSUSE Tumbleweed
host: indiana OS OpenIndiana

On Indiana:
/usr/lib/openldap/bin/amd64/ldapwhoami -Ygssapi -H
ldap://pink.example.com

SASL/GSSAPI authentication started
SASL username: die...@example.com
SASL SSF: 56
SASL data security layer installed.
dn:cn=dieter kluenter,ou=partner,o=avci,c=de


/usr/lib/openldap/bin/amd64/ldapwhoami -Y gssapi -H ldap://indiana.example.com
SASL/GSSAPI authentication started
SASL username: die...@example.com
SASL SSF: 56
SASL data security layer installed.
dn:uid=dieter@example,cn=gssapi,cn=auth


On Tumbleweed:

/usr/bin/ldapwhoami -Y gssapi -H ldap://indiana.example.com
SASL/GSSAPI authentication started
SASL username: die...@example.com
SASL SSF: 256
SASL data security layer installed.
dn:uid=die...@example.com,cn=gssapi,cn=auth


LDAP-Server is OpenLDAP-2.4.48 on all hosts and OS's


-Dieter

--
Dieter Klünter | Directory Service
http://sys4.de
53°37'09,95"N
10°08'02,42"E



Re: ldapwhoami translate sasl-name to dn

2019-12-23 Thread Dieter Klünter
Am Fri, 20 Dec 2019 20:54:13 +0100
schrieb Stefan Kania :

> Hello,
> 
> I try to do the authentication in LDAP via Kerberos. The
> Kerberos-Database is in LDAP, no problem, I can login to the system
> as a normal user but when I do a "ldapwhomami" I get the following
> output: -
> u1-verw@ldapserver:~$ ldapwhoami
> SASL/GSSAPI authentication started
> SASL username: u1-v...@example.net
> SASL SSF: 256
> SASL data security layer installed.
> dn:uid=u1-verw,cn=gssapi,cn=auth
> -
> I would like to get the original DN from the user not the
> dn:*,cn=gssapi,cn=auth. So I put into my configuration:
[...]

I face the same problem with OpenIndiana. In my experience only
GSSAPI, DIGEST-MD5 and CRAM-MD5 work as expected. But I must admit, it
is only on Solaris not on Linux.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
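Both the ldapwhoami threads above (the uid=...,cn=gssapi,cn=auth output Stefan and Dieter see) and the earlier -YEXTERNAL question ("if authz-regexp is set correctly") turn on the same mechanism: slapd builds a pseudo-DN under cn=auth from the SASL identity and only an authz-regexp (olcAuthzRegexp) rule maps it to a real entry. The following added example re-implements that rewriting for illustration; it is not slapd's code and not from either thread. It follows slapd.conf(5): rules are tried in order, the first match is used, $N in the replacement is filled from the pattern's captures, and the result is either a DN or an LDAP URL that slapd would resolve to exactly one entry. The rules, identities and the dc=example,dc=com suffix are constructed.

```python
"""Rewrite SASL authentication identities into directory DNs the way slapd's
authz-regexp / olcAuthzRegexp does, so that ldapwhoami reports the user's real
entry instead of uid=...,cn=gssapi,cn=auth.

Added example (re-implemented for illustration, not slapd's code). The rules
and identities are constructed; dc=example,dc=com is a placeholder suffix.
"""
import re
from typing import List, Optional, Tuple

AuthzRule = Tuple[str, str]  # (match regex, replacement DN or LDAP URL)

# As they would appear in slapd.conf: authz-regexp <match> <replace>
RULES: List[AuthzRule] = [
    # SASL/GSSAPI principals of realm EXAMPLE.COM: look the uid up under ou=people
    (r"^uid=([^,@]+)@example\.com,cn=gssapi,cn=auth$",
     "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"),
    # Any other mechanism (DIGEST-MD5, CRAM-MD5, ...) without a realm component
    (r"^uid=([^,]+),cn=[^,]+,cn=auth$",
     "uid=$1,ou=people,dc=example,dc=com"),
    # root over ldapi:/// with SASL/EXTERNAL (Unix peer credentials)
    (r"^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$",
     "cn=manager,dc=example,dc=com"),
]


def sasl_auth_dn(mech: str, username: str, realm: Optional[str] = None) -> str:
    """Build the pseudo-DN slapd derives from a SASL identity before any
    authz-regexp runs: uid=<user>[,cn=<realm>],cn=<mech>,cn=auth."""
    parts = [f"uid={username}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(parts)


def rewrite_authcid(auth_dn: str, rules: List[AuthzRule] = RULES) -> Optional[str]:
    """Apply the first matching rule; None means no rule matched and slapd keeps
    the cn=auth DN, which is exactly what the thread's ldapwhoami output shows."""
    for pattern, replacement in rules:
        m = re.match(pattern, auth_dn, re.IGNORECASE)   # matched case-insensitively here
        if m:
            return re.sub(r"\$(\d)", lambda x: m.group(int(x.group(1))), replacement)
    return None


def whoami(auth_dn: str) -> str:
    """What ldapwhoami would print: the rewritten identity if a rule matched."""
    return "dn:" + (rewrite_authcid(auth_dn) or auth_dn)


if __name__ == "__main__":
    for ident in (sasl_auth_dn("GSSAPI", "dieter@example.com"),
                  sasl_auth_dn("GSSAPI", "u1-verw"),
                  sasl_auth_dn("DIGEST-MD5", "alice", realm="example.com"),
                  "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth",
                  "gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth"):
        print(ident, "->", whoami(ident))
```

Two things the run makes visible: the DIGEST-MD5 identity with a realm component (uid=alice,cn=example.com,cn=digest-md5,cn=auth) matches none of the three rules and stays unmapped, so each identity shape needs its own rule; and a non-root peercred identity is likewise left as is, which is the safe default, since an over-broad rule here is what would hand an unintended entry to a SASL user.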



Re: Postgres and Attributes

2019-12-13 Thread Dieter Klünter
Am Fri, 13 Dec 2019 11:15:48 -0500
schrieb Mark Murawski :

> Apologies ahead of time for the self-reply, but I'm hoping for even a 
> tiny shred of information about getting this to work... in return I'm 
> more than willing to contribute patches to improve slapd-back-sql...
> 
> I just need a starting point where attributes actually work.  Any
> help would be greatly appreciated.
> 
> Thanks!
> 
> 
> 
> On 2019-11-22 16:55, Mark Murawski wrote:
> > Hi!
> > 
> > Attachments:
> > www.kobaz.net/misc/slapd.zip
> > www.kobaz.net/misc/ldap.sql
> > www.kobaz.net/misc/attributes.png
> > 
> > Disclaimer: Let me first start out saying that this isn't my first
> > run around the block.  I understand that this is experimental and I
> > accept the risks and issues that might come with back-sql.
> > 
> > I started with the backend examples located in: 
> > servers/slapd/back-sql/rdbms_depend/pgsql
> > ... and then started adding support for things like
> > organizationUnit that are not included in the test db
> > 
> > Attached is my ldap postgres database.
> > Attached is my ldap /etc/ldap/slapd
> > 
> > I'm aware that passwords/etc are in there, but it's not a big deal.
> > It's just testing stuff on an internal system.
> > 
> > The issue I'm having:
> > - Attributes are not coming back when requesting ldap information
> > or doing ldap search (Screenshot)
> > 
> > Also noted is that the sample inetOrgPerson entries do not show any 
> > attributes like surname, despite them being stored in the postgres 
> > database in what looks like the correct format (exactly the same as
> > the test db import)
> > 
> > 
> > -- The organizationUnit has been added like this:
> > 
> > 1-users-ou.ldif
> > -
> > dn: ou=users,dc=directory, dc=pbx, dc=local
> > ou: users
> > description: holds users of the directory
> > objectClass: organizationalUnit
> > -
> > ldapadd -x -D "cn=admin,dc=directory, dc=pbx, dc=local" -w 'asdf'
> > -v -f 1-users-ou.ldif
> > 
> > 
> > Despite having specified 'description', this has not been added to
> > the database as shown in the export.  The organizational_unit table
> > looks like this:
> >    id | ou | description
> > ++-
> >     1 |    |
> > 
> > Looking at the postgres query logs, slapd has made no attempt
> > whatsoever to set the description field, despite this field being
> > mapped in the attributes as shown in the export. Also here for
> > quick reference: Table: ldap_attr_mappings
> > -[ RECORD 16 ]+
> > id    | 20
> > oc_map_id | 5
> > name  | description
> > sel_expr  | organizational_unit.description
> > sel_expr_u    |
> > from_tbls     | organizational_unit
> > join_where    |
> > add_proc  | UPDATE organizational_unit SET description=? WHERE
> > id=? delete_proc   | SELECT 1 FROM organizational_unit WHERE ou = ?
> > AND ID=? param_order   | 3
> > expect_return | 0
> > 
> > 
> > Can someone shed some light on what's wrong here? 

I am missing the odbcinst.ini and odbc.ini files. Did you include the
unixodbc module in /etc/unixodbc?

-Dieter
 
-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Question about OpenLDAP and rwm overlay

2019-10-26 Thread Dieter Klünter
Am Sat, 26 Oct 2019 00:28:36 +
schrieb "Vandenburgh, Steve Y" :

> I'm attempting to use OpenLDAP as a proxy to an Active Directory
> domain.  Using the ldap backend, I'm able to configure the proxy and
> that configuration seems to be working well.   But account entries
> are frequently moved from ou to ou in a domain and Microsoft permits
> the bind DN to be a userPrincipalName attribute value of the entry
> instead of the full DN of the account; this feature avoids having to
> make many bind DN application configuration changes.
> 
> With just the ldap backend configured, OpenLDAP rejects the
> userPrincipalName (UPN) bind DN as an invalid DN.  To work around
> this error, I was trying to see if I could use the rwm overlay to
> detect the UPN  and convert to the actual domain entry DN using an
> attribute map.  If I use the form
> 
> mail=UPN
> 
> the map works as expected; however, if I only provide the UPN as the
> bind DN, OpenLDAP still rejects it as an invalid DN.   I suspect that
> the rwm overlay manipulations to not take effect until after the bind
> DN syntax is checked.  I wanted to confirm my suspicion and see if
> any one else has been able to get a UPN-based bind to work through
> OpenLDAP.
> 
> For reference my slapd.conf configuration is below:
[...]
slapd requires part of AD schemas in order to operate back-ldap
properly. Thus write a private schema, providing required attribute
types and object classes.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: not getting ldap proxy to AD working... please help

2019-10-02 Thread Dieter Klünter
Am Tue, 1 Oct 2019 18:35:16 +1000
schrieb Drikus Brits :

> Heya experts.
> 
> I need some guidance. I am having difficulty deploying my
> requirements. I need to deploy a couple of U18 servers/containers.
> These servers all needs to authenticate with LDAP accounts that is
> active and in a certain group on AD, but the IT team doesn't want to
> allow IPs and ports from servers across the network and so I have to
> set up a ldap proxy that will speak to AD on behalf of all the other
> machines eg jumphost. The windows AD cannot be modified to add extra
> groups eg posixAccount, uidNumber, gidNumber, loginShell,
> homeDirectory etc.
> 
> I can successfully run a ldapsearch from the proxy machine to the AD
> and query a user based on the sAMAccountName and am getting successful
> results back from AD. However, when the jumphost (proxy set as ldap
> authhost) tries to authenticate with the proxy, then I see the request
> coming in from the jumphost to ldap proxy, and see the ldap proxy
> sending the request to the windows AD, but it forwards the same
> details as it sent to the local to the remote; eg
> objectClass=posixAccount, uid=testuser. This doesn't exist on the AD
> and so returns no result. I've tried to do rewrites and according to
> the packet captures, saw that the rewrite was working somewhat. I was
> able to rewrite uid to sAMAccountName, but not sure what to rewrite
> the posixAccount to
> 
> So ideally what I'd like to see happening is that :
> 
> 1) user logs onto jumphost with username "testuser"
> 2) user lookup & authentication goes to ldap_proxy
> 3) ldap_proxy send request to AD to check if user exists and is active
> and match against the password
> 4) upon username=exists, is=active, password=ok return the result to
> ldap_proxy
> 5) ldap_proxy returns the necessary to jumphost eg;
> a) posixAccount
> b) homeDirectory
> c) loginShell
> 
> I've tried following a couple of different options to make it work,
> but right now I'm not sure which option is the correct one eg; (mdb
> config + ldap backend) or (meta + ldap backend ) or ( ldap +  pcache )
> and whether to rewrite or not to rewrite. From my understanding, I am
> looking for something that sounds like a meta setup that combines the
> local and remote data...is my understanding correct?
> 
> I've seen this working at a previous employer but not sure whether
> their AD was modified and that is why it was working there, or whether
> the solution is workable without having to force the IT guys' hand and
> add extra vars..
> 
> I've scouted the openldap mailing list as well for answers but there
> is a plethora of no replies and some replies that somewhat matches
> what I'm trying to do...
> 
> Any guidance would be super appreciated
> 
Create a private schema based on AD attribute types and load this
schema to ldap proxy.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Openldap 2.4.x log details for error 49

2019-09-11 Thread Dieter Klünter
Am Wed, 11 Sep 2019 12:08:36 +
schrieb François Pernet :

> Hi all,
> 
> We have a solution running on which openldap is the identity
> repository. OpenLDAP 2.4 is installed (on CentOS) also with policy.
> The system is able to send traps when authentication problem occurs,
> based on the slapd generated logs.
> 
> Unfortunately the log contains such error: "Jun  5 11:27:16 vms
> slapd[32101]: conn=1174 op=0 RESULT tag=97 err=49 text=" when the
> password entered generates an "invalid credentials" message. This
> is fine, but the error could mean the following:
> 
>   *   Wrong user or password
>   *   Expired account
>   *   Account locked or disabled
>   *   User must change its password
> 
> Question is : is it possible to find a way to have the details for
> error 49 ? (this error message is far too generic)

No, it is not possible to split ldap-result-code, but you may consider
a password policy, which provides some information on the result of a
slapo-ppolicy(5) operation.  

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
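The RESULT line quoted above is all the stats log level gives for a failed bind: err= is the RFC 4511 resultCode, 49 is invalidCredentials, and slapd does not say which of François' four causes applied. What a monitoring hook can still do reliably is correlate each BIND with its RESULT on the same conn/op and count failures per DN. The following is an added example of that detection logic, not from the thread; the log lines are constructed in the format of the one quoted, and the DNs and host are placeholders.

```python
"""Correlate slapd BIND and RESULT lines (loglevel stats) into a list of failed binds.

Added example, not part of the thread; the log lines are constructed in the
format of the one quoted above. err= is the RFC 4511 resultCode: 49 is
invalidCredentials, and slapd's RESULT line says nothing more about why.
"""
import re
from collections import Counter
from typing import Iterable, List, Tuple

# RFC 4511 resultCodes that a bind commonly returns.
RESULT_CODES = {
    0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
    48: "inappropriateAuthentication", 49: "invalidCredentials",
    50: "insufficientAccessRights", 53: "unwillingToPerform",
}

# "Mon DD HH:MM:SS host slapd[pid]: conn=N op=M <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: "
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=\d+$')
RESULT_RE = re.compile(r'^RESULT tag=(?P<tag>\d+) err=(?P<err>\d+) text=(?P<text>.*)$')

Failure = Tuple[str, str, int, str, str]   # (timestamp, bind dn, err, name, text)

# Constructed sample: two bad passwords for alice, one good bind for bob.
SAMPLE_LOG = """\
Jun  5 11:27:15 vms slapd[32101]: conn=1174 fd=12 ACCEPT from IP=192.0.2.10:50412 (IP=0.0.0.0:389)
Jun  5 11:27:16 vms slapd[32101]: conn=1174 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Jun  5 11:27:16 vms slapd[32101]: conn=1174 op=0 RESULT tag=97 err=49 text=
Jun  5 11:27:20 vms slapd[32101]: conn=1175 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Jun  5 11:27:20 vms slapd[32101]: conn=1175 op=0 RESULT tag=97 err=49 text=
Jun  5 11:27:25 vms slapd[32101]: conn=1176 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Jun  5 11:27:25 vms slapd[32101]: conn=1176 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Jun  5 11:27:25 vms slapd[32101]: conn=1176 op=0 RESULT tag=97 err=0 text=
Jun  5 11:27:30 vms slapd[32101]: conn=1176 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=bob)"
Jun  5 11:27:30 vms slapd[32101]: conn=1176 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""


def failed_binds(lines: Iterable[str]) -> List[Failure]:
    pending = {}   # (conn, op) -> DN of a simple BIND still waiting for its RESULT
    failures: List[Failure] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue          # ACCEPT/closed lines and anything without op=
        key, rest = (m["conn"], m["op"]), m["rest"]
        b = BIND_RE.match(rest)
        if b:
            pending[key] = b["dn"] or "<anonymous>"
            continue
        r = RESULT_RE.match(rest)
        if r and r["tag"] == "97":          # tag 97 = BindResponse, not SEARCH RESULT
            dn = pending.pop(key, "<unknown>")
            err = int(r["err"])
            if err != 0:
                failures.append((m["ts"], dn, err,
                                 RESULT_CODES.get(err, f"code {err}"), r["text"]))
    return failures


def failures_per_dn(lines: Iterable[str]) -> Counter:
    return Counter(f[1] for f in failed_binds(lines))


def dns_over_threshold(lines: Iterable[str], limit: int) -> List[str]:
    """DNs with at least `limit` failed binds in the window, for alerting."""
    return sorted(dn for dn, n in failures_per_dn(lines).items() if n >= limit)


if __name__ == "__main__":
    for ts, dn, err, name, text in failed_binds(SAMPLE_LOG.splitlines()):
        print(f"{ts} {dn} err={err} ({name}) text={text!r}")
    print("over threshold:", dns_over_threshold(SAMPLE_LOG.splitlines(), 2))
```

The SASL continuation line (mech=SIMPLE ssf=0) and the SEARCH RESULT line are deliberately in the sample so the matcher is shown ignoring them; a real hook would read the journal or syslog stream instead of SAMPLE_LOG. Distinguishing lockout or expiry from a wrong password remains a job for the ppolicy response, as Dieter says, not for the RESULT line.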



Re: any working documentation?

2019-08-21 Thread Dieter Klünter
Am Mon, 19 Aug 2019 20:26:28 +0100
schrieb Dmitri Seletski :

> Hello.
> 
> 
> I am new to the list, so if you gonna beat me with your feet - please 
> don't hit me in the face.
> 
> I did not find help/user list. So post here.
> 
> Where can I find working documentation for OpenLDAP?
> 
> Most current i found:
> 
> https://www.openldap.org/doc/admin24/quickstart.html
> 
> It says nothing of TLS encryption. I fail to start service
> 
> See output below:

It seems you use MOZNSS instead of openSSL, check slapd for the
built-in ssl library.

> TLSMC: MozNSS compatibility interception begins.
> tlsmc_intercept_initialization: INFO: entry options follow:
> tlsmc_intercept_initialization: INFO: cacertdir =
> `/etc/openldap/certs' tlsmc_intercept_initialization: INFO: certfile
> = `OpenLDAP Server' tlsmc_intercept_initialization: INFO: keyfile = 
> `/etc/openldap/certs/password'
> tlsmc_convert: INFO: trying to open NSS DB with CACertDir = 
> `/etc/openldap/certs'.
> tlsmc_open_nssdb: INFO: trying to initialize moznss using security
> dir `/etc/openldap` prefix `certs`.
> tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error
> -8015. tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM
> configuration is present.
> tlsmc_intercept_initialization: INFO: altered options follow:
> tlsmc_intercept_initialization: INFO: cacertdir = `/etc/openldap'
> tlsmc_intercept_initialization: INFO: certfile = `OpenLDAP Server'
> tlsmc_intercept_initialization: INFO: keyfile = 
> `/etc/openldap/certs/password'
> tlsmc_intercept_initialization: INFO: successfully intercepted TLS 
> initialization. Continuing with OpenSSL only.
> TLSMC: MozNSS compatibility interception ends.
> TLS: could not use certificate `OpenLDAP Server'.
> TLS: error:02001002:system library:fopen:No such file or directory 
> bss_file.c:402
> TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:404
> TLS: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system
> lib ssl_rsa.c:468
> 5d5af51b main: TLS init def ctx failed: -1
> 5d5af51b slapd destroy: freeing system resources.
> 5d5af51b slapd stopped.
> 5d5af51b connections_destroy: nothing to destroy.
> 
> 
> 
> Where can I submit errata to documentation maintainer?(as quick start 
> clearly doesn't work in my default install of OpenLDAP on CentOS 7)

That is most likely because of MOZNSS in an OpenSSL environment or vice
versa.

> And how can I start SLAPD without encryption?

Just disable TLS in slapd.conf and ldap.conf
 
[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Dynamic ACL in OpenLDAP with set:expand not working

2019-08-21 Thread Dieter Klünter
Am Wed, 21 Aug 2019 10:50:19 +0200
schrieb Ondřej Kuzník :

> On Tue, Aug 20, 2019 at 10:22:56PM +0200, Martin W. wrote:
> > Dear OpenLDAP technical list,
> > 
> > I‘ve been running into a little problem with my permission
> > structures – and was wondering if you could help me with it.
> > 
> > I want the members of a group to administer a tree structure, the
> > group is member of it. I've tried some acl settings – I'll post my
> > trials below the basic structure.
> >
> > I've tried some different things ... and none Regex was successful
> > :( Since I'll post some fragments, I put every LDIF fragment within
> > such a bash fragment:
> >  
> >> olcAccess: to *
> >>by self write
> >>by dn="cn=admin,dc=example,dc=com" write
> >>by
> >> set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user"
> >> write by users read by * none  
> > 
> > trial 1
> >   
> >> olcAccess: to
> >> dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com" by
> >> self write by dn="cn=admin,dc=example,dc=com" write
> >>by
> >> set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user"
> >> write by
> >> set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member*
> >> & user" write by set="this/member* & user" read by * none  
> > 
> > The result is, that admin and any member of ldapadmins can edit, the
> > members of specific entity admin subgroups cannot edit.
> > The specific admin subgroups cannot even see the entities subtree.  
> 
> Hi Martin,
> what is the order of the above two olcAccess statements? If they apply
> in the order above, it seems the first one will always apply and
> processing will stop there. In that case you either want to add a
> "break" in the first one or split/move it to be checked later.
> 
> I assume you also know and use the slapacl tool (and loglevel acl) to
> test with? Does it show any additional information that might be
> helpful in diagnosing the issue?

With regard to 'set' here is some basic information.
http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
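Ondřej's point about ordering is the crux of Martin's problem, and it is easy to see by stepping through the directives. The following is an added example, a simplified model of slapd.access(5) and not slapd's code or anything from the thread: directives are tried in order, the first whose <to> matches is used, inside it the first matching <by> decides, `stop` ends evaluation and `break` moves on to the next directive. Group membership stands in for the set="[...]/member* & user" clauses, the set="this/member* & user" clause is simplified to `by users read`, a matching <to> with no matching <by> denies, and the regex is searched unanchored like regexec(3). All DNs and memberships are constructed.

```python
"""Simulate slapd access-directive ordering to show why the second olcAccess
directive in the thread above is never reached, and what `break` changes.

Added example: a simplified model of slapd.access(5), not slapd's code. Group
membership stands in for the set="[...]/member* & user" clauses; only the
*, anonymous, users, self, dn= and group= who-clauses and the stop/break
controls are modelled. All DNs and memberships below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class By:
    who: str                 # "*", "anonymous", "users", "self", "dn=<dn>",
                             # "group=<dn>" or "group.expand=<dn with $N>"
    access: str              # "none", "read" or "write"
    control: str = "stop"    # "stop" (default) or "break"


@dataclass
class Access:
    to: str                  # "*" or "dn.regex=<regex>"
    by: List[By]


GROUPS: Dict[str, Set[str]] = {
    "cn=ldapadmins,ou=groups,dc=example,dc=com": {"uid=root,ou=people,dc=example,dc=com"},
    "cn=admin,o=acme,ou=entities,dc=example,dc=com": {"uid=alice,ou=people,dc=example,dc=com"},
}
ADMIN = "cn=admin,dc=example,dc=com"
LDAPADMINS = "cn=ldapadmins,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
TARGET = "cn=printer,o=acme,ou=entities,dc=example,dc=com"
ENTITY_RE = r"([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com"


def _expand(template: str, m: re.Match) -> str:
    """Replace $N with the N-th capture of the <to> regex (empty if absent)."""
    def sub(x):
        n = int(x.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""
    return re.sub(r"\$(\d)", sub, template)


def _who_matches(by: By, requester: Optional[str], target: str, m: re.Match) -> bool:
    who = by.who
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester == target
    kind, _, value = who.partition("=")
    if kind == "dn":
        return requester == value
    if kind == "group":
        return requester in GROUPS.get(value, set())
    if kind == "group.expand":
        return requester in GROUPS.get(_expand(value, m), set())
    raise ValueError(f"unsupported who clause {who!r}")


def evaluate(acl: List[Access], requester: Optional[str], target: str) -> Tuple[str, List[str]]:
    """Return (access, trace). The first directive whose <to> matches is used and
    its first matching <by> decides; 'stop' ends evaluation, 'break' keeps the
    level found so far and continues with the next directive, where a later
    match may replace it. A matching <to> with no matching <by> denies."""
    granted, trace = "none", []
    for i, directive in enumerate(acl):
        # "*" always matches; dn.regex is searched unanchored, like regexec(3)
        m = re.match("", target) if directive.to == "*" else \
            re.search(directive.to[len("dn.regex="):], target)
        if m is None:
            trace.append(f"#{i} to={directive.to!r}: no match")
            continue
        for clause in directive.by:
            if _who_matches(clause, requester, target, m):
                granted = clause.access
                trace.append(f"#{i} by {clause.who} -> {granted} ({clause.control})")
                break
        else:
            trace.append(f"#{i}: no by clause matched -> none")
            return "none", trace
        if clause.control == "stop":
            return granted, trace
    trace.append("end of directives")
    return granted, trace


def thread_acl(first_directive_breaks: bool) -> List[Access]:
    """The two directives from the thread, in the order they were posted."""
    return [
        Access("*", [
            By("self", "write"),
            By(f"dn={ADMIN}", "write"),
            By(f"group={LDAPADMINS}", "write"),
            By("users", "read", "break" if first_directive_breaks else "stop"),
            By("*", "none"),
        ]),
        Access(f"dn.regex={ENTITY_RE}", [
            By("self", "write"),
            By(f"dn={ADMIN}", "write"),
            By(f"group={LDAPADMINS}", "write"),
            By("group.expand=cn=admin,o=$2,ou=entities,dc=example,dc=com", "write"),
            By("users", "read"),
            By("*", "none"),
        ]),
    ]


if __name__ == "__main__":
    for breaks in (False, True):
        access, trace = evaluate(thread_acl(breaks), ALICE, TARGET)
        print(f"break on 'by users read' = {breaks}: alice gets {access}")
        for step in trace:
            print("   ", step)
```

With the directives as posted, alice (a member of cn=admin,o=acme,...) only ever reaches `by users read` in the first directive and gets read; the set.expand clause in the second directive is never evaluated. Adding `break` to that clause, or moving the specific directive in front of the catch-all, lets the second directive run and grant write. As Ondřej says, slapacl and loglevel acl show the same walk against the real configuration.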



Re: PID file /var/run/openldap/slapd.pid not readable (yet?) after start

2019-08-14 Thread Dieter Klünter
Am Wed, 14 Aug 2019 15:39:55 + (UTC)
schrieb Paul Pathiakis :

> Hi
> After the previous issue... I went to startup slapd and got the error
> above. I don't even know how to address that.
> Slapd won't even start.  I'm on CentOS 7. :(
> systemctl status slapd.service
> ● slapd.service - OpenLDAP Server Daemon
>    Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled;
> vendor preset: disabled) Active: failed (Result: timeout) since Wed
> 2019-08-14 11:34:15 EDT; 2min 7s ago Docs: man:slapd
>    man:slapd-config
>    man:slapd-hdb
>    man:slapd-mdb
>    file:///usr/share/doc/openldap-servers/guide.html
>   Process: 15117 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS}
> $SLAPD_OPTIONS (code=exited, status=0/SUCCESS) Process: 15102
> ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited,
> status=0/SUCCESS) Main PID: 14277 (code=exited, status=0/SUCCESS)
> 
> Aug 14 11:32:45 NewLDAP.hq.boston-engineering.com systemd[1]:
> Starting OpenLDAP Server Daemon... Aug 14 11:32:45
> NewLDAP.hq.boston-engineering.com runuser[15105]:
> pam_unix(runuser:session): session opened for user ldap by (uid=0)
> Aug 14 11:32:45 NewLDAP.hq.boston-engineering.com runuser[15105]:
> pam_unix(runuser:session): session closed for user ldap Aug 14
> 11:32:45 NewLDAP.hq.boston-engineering.com slapd[15117]: @(#)
> $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
> mockbu...@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openlda...s/slapd
> Aug 14 11:32:45 NewLDAP.hq.boston-engineering.com systemd[1]: PID
> file /var/run/openldap/slapd.pid not readable (yet?) after start. Aug
> 14 11:34:15 NewLDAP.hq.boston-engineering.com systemd[1]:
> slapd.service start operation timed out. Terminating. Aug 14 11:34:15
> NewLDAP.hq.boston-engineering.com systemd[1]: Failed to start
> OpenLDAP Server Daemon. Aug 14 11:34:15
> NewLDAP.hq.boston-engineering.com systemd[1]: Unit slapd.service
> entered failed state. Aug 14 11:34:15
> NewLDAP.hq.boston-engineering.com systemd[1]: slapd.service failed.
> Hint: Some lines were ellipsized, use -l to show in full.
> [root@NewLDAP openldap]# systemctl start slapd.service Job for
> slapd.service failed because a timeout was exceeded. See "systemctl
> status slapd.service" and "journalctl -xe" for details.

Run slapd in debug mode in order to identify the culprit.

/usr/sbin/slapd -h "ldap:///" -u ldap -g ldap -F
/etc/openldap/slapd.d -f /etc/openldap/slapd.conf -d 256

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: where is debuglevel documented ?

2019-07-22 Thread Dieter Klünter
Am Sun, 21 Jul 2019 22:50:35 +0200
schrieb Michael Ströder :

> On 7/21/19 10:10 PM, Dieter Klünter wrote:
> > Am Sun, 21 Jul 2019 17:27:53 +0200
> > schrieb danielle lampert :  
> >> the ldapsearch man page (
> >> https://www.openldap.org/software//man.cgi?query=ldapsearch=0=1=OpenLDAP+2.4-Release=html
> >> ) says :
> >>
> >> *-d* *debuglevel*
> >>   Set  the LDAP debugging level to *debuglevel*.
> >>
> >> Where can I find the debuglevel values and their meaning ?  
> > 
> > RFC4511, Section 4.1.9. Result Message  
> 
> Dieter, are you referring to ldapsearch setting a return code to the 
> LDAP result code?
> 
> The original poster asked for log levels though.

Sorry, my bad. slapd -d? will show all debug levels, plus the undocumented
pcache.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: where is debuglevel documented ?

2019-07-21 Thread Dieter Klünter
Am Sun, 21 Jul 2019 17:27:53 +0200
schrieb danielle lampert :

> hello
> 
> the ldapsearch man page (
> https://www.openldap.org/software//man.cgi?query=ldapsearch=0=1=OpenLDAP+2.4-Release=html
> ) says :
> 
> *-d* *debuglevel*
>  Set  the LDAP debugging level to *debuglevel*.
> 
> 
> Where can I find the debuglevel values and their meaning ?

RFC4511, Section 4.1.9. Result Message

-Dieter
-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Database problems with OpenIndiana

2019-07-17 Thread Dieter Klünter
Quanah Gibson-Mount  writes:

> --On Wednesday, July 17, 2019 6:46 PM +0200 Dieter Klünter
>  wrote:
>
>> Hi,
>> I am testing OpenLDAP-2.4.44 on OpenIndiana-Hipster. I have configured
> >> two back-mdb databases. For some strange reason a data.mdb and a bdb
>> logfile is created.
>>
>> openldap openldap 45441024 Juli 17 16:45 data.mdb
>> openldap openldap8192 Juli 17 16:57 lock.mdb
>>   root root 10485760 Juli 17 16:57 log.01
>
> A couple of things...
> The log file is created by root?  Sounds like some process (init
> script, etc) is running BDB's db_recover command?  It could also be
> helpful to see your configuration.  Are the backends static or
> dynamic?  Why are you using such an old release? ;)

It seems the log file is created by root. The init script contains some
db_recover lines.

cd ${VARDATADIR}
/usr/bin/db_recover >/dev/null 2>&1
 exec ${SLAPD} 2>&1

You know that I prefer actual releases but the maintainer sticks to
mature packages :-)
I still miss some devel libs and tools to build my own package.
All backends are static built-in, there are no dynamic modules and
backends.

Thank you for your hint on db_recover.

-Dieter

--
Dieter Klünter | Directory Service
http://sys4.de
53°37'09,95"N
10°08'02,42"E
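An added check for the situation in this thread (not code from the list or from OpenLDAP): it inspects a back-mdb directory for exactly the symptom reported, a root-owned BerkeleyDB log file next to data.mdb left behind by an init script that still runs db_recover. It assumes the standard back-mdb layout (data.mdb and lock.mdb owned by the slapd user) and treats BDB environment file names (log.NNNNNNNNNN, __db.NNN, DB_CONFIG) as foreign; the sample directory built by make_sample_dir() is constructed for demonstration.

```python
"""Spot a back-mdb database directory that a BerkeleyDB-era init script has
been touching: the symptom in this thread is a root-owned log.* file next to
data.mdb, created because the script runs db_recover before exec'ing slapd.

Added example, not code from the thread. Assumptions: the standard back-mdb
layout (data.mdb plus lock.mdb, both owned by the slapd user); file names
matching BDB's environment files (log.NNNNNNNNNN, __db.NNN, DB_CONFIG) do not
belong in an mdb directory. The sample directory built by make_sample_dir()
is constructed for demonstration.
"""
import os
import re
import tempfile
from pathlib import Path

MDB_FILES = ("data.mdb", "lock.mdb")
BDB_PATTERNS = tuple(re.compile(p) for p in (r"^log\.\d+$", r"^__db\.\d+$", r"^DB_CONFIG$"))


def check_mdb_dir(directory, expected_uid=None):
    """Return a list of findings (an empty list means nothing suspicious).

    expected_uid: numeric uid slapd runs as (the -u user); when given, every
    file in the directory is checked against it, because slapd cannot open
    its environment if root created files it is not allowed to write.
    """
    d = Path(directory)
    names = sorted(p.name for p in d.iterdir())
    findings = []
    for required in MDB_FILES:
        if required not in names:
            findings.append(f"missing {required}: not an initialised back-mdb directory")
    for name in names:
        if any(p.match(name) for p in BDB_PATTERNS):
            findings.append(f"stray BerkeleyDB file {name}: remove db_recover and other BDB "
                            "handling from the init script, then delete the file")
        if expected_uid is not None:
            uid = (d / name).stat().st_uid
            if uid != expected_uid:
                findings.append(f"{name} owned by uid {uid}, expected {expected_uid}")
    return findings


def make_sample_dir():
    """Constructed reproduction of the thread's listing: mdb files plus a BDB log file."""
    d = tempfile.mkdtemp(prefix="slapd-mdb-")
    for name in ("data.mdb", "lock.mdb", "log.0000000001"):
        Path(d, name).write_bytes(b"")
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    for finding in check_mdb_dir(sample, expected_uid=os.getuid()) or ["ok"]:
        print(finding)
```

Run it against the real directory with the uid from `id -u openldap` (or whatever -u user the init script passes) once the db_recover lines are gone; a clean result plus a successful `slapcat -l /dev/null` is the check that the environment is usable again.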



Database problems with OpenIndiana

2019-07-17 Thread Dieter Klünter
Hi,
I am testing OpenLDAP-2.4.44 on OpenIndiana-Hipster. I have configured
two back-mdb databases. For some strange reason a data.mdb and a bdb
logfile is created.

openldap openldap 45441024 Juli 17 16:45 data.mdb
openldap openldap8192 Juli 17 16:57 lock.mdb
  root root 10485760 Juli 17 16:57 log.01

After a restart slapd cannot read the data.mdb anymore.


-Dieter


--
Dieter Klünter | Directory Service
http://sys4.de
53°37'09,95"N
10°08'02,42"E



Re: Switch OpenLDAP backend database from HDB to MDB

2019-07-10 Thread Dieter Klünter
Am Wed, 10 Jul 2019 11:32:17 +0200 (CEST)
schrieb "sharb...@t-online.de" :

> Hello,
> I can not change my config.ldif file from the HDB backend to the MDB 
> backend. I have changed the following:
[...]

You can not convert a hdb backend into a mdb backend without changing
the underlying database. slapcat(8) the hdb database into a file and
slapadd(8) the file into a mdb backend.

-Dieter  

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Rsyslog stdout and stderr

2019-03-17 Thread Dieter Klünter
Am Fri, 15 Mar 2019 18:55:36 +0100
schrieb Abdelkader Chelouah :

> Le 10/03/2019 à 00:58, Howard Chu a écrit :
> > Abdelkader Chelouah wrote:  
> >> Hi,
> >>
> >> slapd 2.4.44
> >>
> >> OpenLDAP instance configure as a proxy (back-ldap)
> >>
> >>
> >>  From time to time, bind operations can take more than 5 sec.
> >> These latencies do not seem to come from a CPU or memory problem.
> >> I'm trying to see if the network can be the root cause of the
> >> issue. To debug the fonction ldap_sasl_bind
> >> (libraries/libldap/sasl.c), I activated trace loglevel (logs are
> >> manage by rsyslog). In the definition of ldap_sasl_bind, there is
> >>
> >> Debug( LDAP_DEBUG_TRACE, "ldap_sasl_bind\n", 0, 0, 0 );
> >>
> >> A least the message "ldap_sasl_bind" should appear in logs, which
> >> is not the case. Actually, Debug (which is first defined in
> >> include/ldap_log.h) is redefined in libraries/libldap/ldap-int.h
> >>
> >> ...
> >>
> >> #include "ldap_log.h"
> >>
> >> #undef Debug
> >>
> >> #ifdef LDAP_DEBUG
> >>
> >> #define DebugTest( level ) \
> >>      ( ldap_debug & level )
> >>
> >> #define Debug( level, fmt, arg1, arg2, arg3 ) \
> >>      do { if ( ldap_debug & level ) \
> >>      ldap_log_printf( NULL, (level), (fmt), (arg1), (arg2),
> >> (arg3) ); \ } while ( 0 )
> >>
> >> #define LDAP_Debug( subsystem, level, fmt, arg1, arg2, arg3 )\
> >>      ldap_log_printf( NULL, (level), (fmt), (arg1), (arg2),
> >> (arg3) ) configure
> >> #else
> >>
> >> #define DebugTest( level )    (0
> >> == 1) #define Debug( level, fmt, arg1, arg2,
> >> arg3 ) ((void)0) #define LDAP_Debug( subsystem,
> >> level, fmt, arg1, arg2, arg3 ) ((void)0)
> >>
> >> #endif /* LDAP_DEBUG */
> >>
> >> ...
> >>
> >> As a result, the message is sent to standard output. By using
> >> rsyslog, it is not possible to catch any message inside
> >> ldap_sasl_bind.
> >>
> >>
> >> How to get stdout and stderr messages and still use rsyslog to
> >> manage openldap logs ?  
> > syslog is not fast enough to handle the debug traffic.
> >
> > You could use ber_set_option() to override the log output
> > functions, and have them write messages both to rsyslog and stderr.
> > But using syslog on every debug message will slow things down more
> > than 10x. 
> Hello Howard,
> 
> 
> Thanks to your help, I'm now able to send slapd messages both to
> rsyslog and stderr when I use the '*-d*' option of slapd. For
> information, the latencies were due to a DNS resolution problem. In
> detached mode, ie, without the '*-d*' option, messages are redirected
> to /dev/null.
> 
> *$ grep -B 1 dup2 libraries/liblutil/detach.c*
>      /* redirect stdin, stdout, stderr
> to /dev/null */ dup2( sd, STDIN_FILENO );
>      dup2( sd, STDOUT_FILENO );
>      dup2( sd, STDERR_FILENO );
> 
> 
> For debugging purpose, I want to be able to switch back and forth
> from "stats" to "stats trace" log levels, which is not possible when
> slapd starts in background. Is there any way to do this?

ldapmodify is your friend. Modify cn=config, olcLogLevel.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
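An added helper (not code from the list or from OpenLDAP) covering both the "where is debuglevel documented?" thread above and the ldapmodify answer here: it composes and decodes slapd loglevel bitmasks from the subsystem table that slapd.conf(5) documents and `slapd -d?` prints, and emits the LDIF that replaces olcLogLevel on cn=config at runtime. The name/value table is the documented one; "pcache" is the overlay subsystem Dieter mentions, which `-d?` lists but the man page does not, so it is left out of the table and would show up as a raw hex bit.

```python
"""Compose and decode slapd loglevel values, and emit the LDIF that switches
olcLogLevel at runtime (the ldapmodify route suggested in this thread).

Added example; not code from the mailing-list threads. The table is the one
documented in slapd.conf(5) under loglevel and printed by "slapd -d?"; bits
that are not in it (for instance an overlay subsystem) are reported as hex
rather than dropped.
"""
import re

# Subsystem names and bit values as documented in slapd.conf(5).
LOGLEVELS = {
    "trace": 1, "packets": 2, "args": 4, "conns": 8, "ber": 16,
    "filter": 32, "config": 64, "acl": 128, "stats": 256, "stats2": 512,
    "shell": 1024, "parse": 2048, "sync": 16384, "none": 32768,
}
ANY = -1  # "any" / -1 enables every subsystem


def encode(spec):
    """'stats sync', 'stats,0x4000', '256' or 'any' -> integer bitmask."""
    value = 0
    for tok in re.split(r"[\s,]+", spec.strip()):
        key = tok.lower()
        if key == "any":
            return ANY
        if key in LOGLEVELS:
            value |= LOGLEVELS[key]
        elif re.fullmatch(r"0x[0-9a-f]+|-?[0-9]+", key):
            n = int(key, 0)
            if n < 0:
                return ANY
            value |= n
        else:
            raise ValueError(f"unknown loglevel token: {tok}")
    return value


def decode(value):
    """Integer bitmask -> list of subsystem names in table order.

    Unknown bits are appended as one hex token so nothing is silently lost.
    """
    if value == ANY:
        return ["any"]
    names, rest = [], value
    for name, bit in LOGLEVELS.items():
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return names or ["0"]


def olc_loglevel_ldif(spec):
    """LDIF for ldapmodify that replaces olcLogLevel on cn=config.

    Feed it to: ldapmodify -Y EXTERNAL -H ldapi:///  (needs an authz-regexp
    or ACL granting the local root identity write access to cn=config).
    """
    names = " ".join(decode(encode(spec)))
    return ("dn: cn=config\n"
            "changetype: modify\n"
            "replace: olcLogLevel\n"
            f"olcLogLevel: {names}\n")


if __name__ == "__main__":
    print(encode("stats sync"), decode(16640))
    print(olc_loglevel_ldif("stats trace"), end="")
```

The same tokens are accepted by `slapd -d` on the command line, so `encode` is also a quick way to turn a numeric `-d 16640` seen in an init script back into readable names before changing it.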



Re: setting up openldap to proxy to AD on SUSE ENT 12

2019-02-27 Thread Dieter Klünter
Am Tue, 26 Feb 2019 09:18:09 -0800
schrieb N6Ghost :

> On 2/26/2019 12:07 AM, Dieter Klünter wrote:
> > Am Mon, 25 Feb 2019 13:34:45 -0800
> > schrieb N6Ghost :
> >  
> >> hi all,
> >>
> >> I am trying to setup an openldap proxy to AD and i need to use SUSE
> >> Enterprise Linux 12.
> >>
> >> Hostname:/etc/openldap # rpm -qa|grep -i openldap
> >> openldap2-2.4.41-18.43.1.x86_64
> >> openldap2-client-2.4.41-18.43.1.x86_64
> >>
> >> what I am trying to do, is proxy an application (with 1000s of
> >> users) from talking directory to AD, to talking to openldap. and
> >> then have openldap talk to AD.
> >> look across the net is a bunch of stuff,  but most of it does not
> >> seem to apply, or work.  look at the offical doc, says use sasl but
> >> you must have an local entry with a {sasl] tag on the user thats
> >> not really ideal and work make a huge problem.  a few of the posts
> >> online just said point to AD via ldap is possible? and this
> >> application also has a group lookup as part of its auth
> >> process...  eg, only member of groupX can access
> >>
> >> any help in this would be huge.
> >>
> >>
> >> seems, i am mixing up a few different ways of doing this whats the
> >> bets way to do this?  
> > I presume you are running slapd with slapd-ldap(5) backend.
> > AD requires non standard attribute types, which openldap does not
> > provide. Include AD schema files into slapd.
> > RFC-4513 requires sasl for strong binds, if your AD is setup as KDC
> > you may include openldap services as kerberos host and service
> > principals.
> >
> > -Dieter  
> 
> where do i get the AD schema that's not in the schema directory. yea
> i was working with /etc/sldap.conf, but in openldap 2.4 it seems some 
> stuff has changed, and lots
> of very conflicting information on how to go about getting the proxy
> to AD, lost of posts say you can just have a config in sldap.conf,
> but that not only does not work
> but many of the items in those config dont work, and will not allow
> the service to even start.

Not much has changed since openldap-2.1 with regard to protocol
requirements.
> 
> then there is the matter, where the official docs say you can pass
> thru, but the accounts needs a local openldap account with {sasl}
> taged. which for a large
> domain with 1000s of users is a pain.

That's why I pointed to Kerberos.

> > and it seems openldap is more of a solutions backend that has a 
> bazillion options.  and you build out a design and options, configs
> etc based on your needs.
> and you got to hunt down the how and whats supported etc, and you
> have to deal with the distros packaging

Most of the options you refer to are built-in as default, that is,
only tweak configuration parameters that are required for your setup.

Just as a hint:
 ldapsearch -x -H ldap://path/to/AD -b "" -s base "(objectClass=*)" \
  namingContexts subschemaSubentry

search for subschemaSubentry attribute type.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
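An added example (not code from the list or from OpenLDAP) for the "include AD schema files into slapd" step above: once the subschemaSubentry search has returned AD's attributeTypes and objectClasses as LDIF, this turns them into slapd.conf-style `attributetype`/`objectclass` directives, unfolding LDIF continuation lines on the way. The LDIF inside the block is constructed; only the memberOf OID is AD's, everything else you must read from your own AD. Two caveats it handles or flags: names slapd already defines (core, cosine, inetorgperson, or slapo-memberof if loaded) must be skipped or slapd refuses to start with a duplicate, and `SUP organizationalPerson` means the standard schema files have to be included before the generated one.

```python
"""Turn attributeTypes/objectClasses values returned by a subschemaSubentry
search (as LDIF) into slapd.conf schema directives.

Added example, not from the thread. SAMPLE_LDIF is constructed; the memberOf
OID 1.2.840.113556.1.2.102 is AD's, the rest is illustrative. Assumed
retrieval command (subschemaSubentry DN taken from the rootDSE search shown
in the thread):
    ldapsearch -x -H ldap://ad.example.com -b "<subschemaSubentry>" \
        -s base '(objectClass=subschema)' attributeTypes objectClasses
"""
import re

SAMPLE_LDIF = """dn: cn=Aggregate,cn=Schema,cn=Configuration,dc=example,dc=com
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' DESC 'Group that the e
 ntry belongs to' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.1
 21.1.12 )
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' EQUALITY caseIgn
 oreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClasses: ( 1.2.840.113556.1.5.9 NAME 'user' SUP organizationalPerson STRU
 CTURAL MAY ( sAMAccountName $ memberOf ) )
"""


def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def schema_values(ldif, attr):
    """All values of one attribute (attributeTypes or objectClasses)."""
    prefix = attr.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in unfold(ldif) if line.lower().startswith(prefix)]


def schema_name(value):
    """The NAME of a schema definition, lower-cased, or None."""
    m = re.search(r"NAME\s+'([^']+)'", value)
    return m.group(1).lower() if m else None


def to_slapd_schema(ldif, skip=frozenset()):
    """Emit attributetype/objectclass directives, omitting names in `skip`.

    Put every name slapd already knows into `skip`: a duplicate attributetype
    or objectclass NAME is a fatal error at startup.
    """
    out = []
    for attr, directive in (("attributeTypes", "attributetype"),
                            ("objectClasses", "objectclass")):
        for value in schema_values(ldif, attr):
            if schema_name(value) in skip:
                continue
            out.append(f"{directive} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_slapd_schema(SAMPLE_LDIF, skip={"memberof"}), end="")
```

Expect to hand-edit the output: real AD definitions often reference syntaxes and matching rules slapd does not know, and those lines have to be mapped to the closest standard ones (or dropped) before `slaptest -f slapd.conf -u` passes.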



Re: setting up openldap to proxy to AD on SUSE ENT 12

2019-02-26 Thread Dieter Klünter
Am Mon, 25 Feb 2019 13:34:45 -0800
schrieb N6Ghost :

> hi all,
> 
> I am trying to setup an openldap proxy to AD and i need to use SUSE 
> Enterprise Linux 12.
> 
> Hostname:/etc/openldap # rpm -qa|grep -i openldap
> openldap2-2.4.41-18.43.1.x86_64
> openldap2-client-2.4.41-18.43.1.x86_64
> 
> what I am trying to do, is proxy an application (with 1000s of users) 
> from talking directory to AD, to talking to openldap. and then have 
> openldap talk to AD.
> look across the net is a bunch of stuff,  but most of it does not
> seem to apply, or work.  look at the offical doc, says use sasl but
> you must have an local entry with a {sasl] tag on the user thats not
> really ideal and work make a huge problem.  a few of the posts online
> just said point to AD via ldap is possible? and this application also
> has a group lookup as part of its auth process...  eg, only member of
> groupX can access
> 
> any help in this would be huge.
> 
> 
> seems, i am mixing up a few different ways of doing this whats the
> bets way to do this?

I presume you are running slapd with slapd-ldap(5) backend.
AD requires non standard attribute types, which openldap does not
provide. Include AD schema files into slapd.
RFC-4513 requires sasl for strong binds, if your AD is setup as KDC you
may include openldap services as kerberos host and service principals.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: help needed for further investigation

2019-02-14 Thread Dieter Klünter
Am Wed, 13 Feb 2019 14:41:07 +
schrieb :

> Hello together. I am the heir of a setup based on RHEL 6.10 and
> Openldap 2.4.45 (ltb) A master syncrepls to a slave in
> type=refreshOnly using bindmethod=sasl, saslmech=external.
> 
> The mapped techuser resides in ou=ServiceUser. All Clients also use
> user objects in the same ou to bind to the servers.
> 
> I need to set new acls and decided to include a dedicated acl- and
> limits-configfile. The ACLs checked via slapacl look fine and run
> without problems on the test environment. (Which is based on the same
> 2.4.45 rpms, but the replica runs on RHEL 7.5)
> 
> All slapd configuration make use of database mdb and an explicitly
> set maxsize. (which is sized sufficiently: 12 GB, 49 MB used)
> 
> When implementing the configuration on a running system, the replica
> deletes the ou (that one with all the service user objects). Which is
> not what I want 8-/
> 
> How can I find out more about the reason for this peculiar result?
> I set the loglevel to 'stats sync' on the replica and 'sync' on the
[..]

Run slapd in debugging mode and use acl and stats. That is something
like 

./slapd -d acl -h ldap://:9007/ and further options.

-Dieter


-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: authz-regexp failures

2019-01-29 Thread Dieter Klünter
Am Tue, 29 Jan 2019 09:12:56 +0100
schrieb Hallvard Breien Furuseth :

> On 1/28/19 10:35 PM, Dieter Klünter wrote:
> > authz-regexp
> > "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
> > "cn=config"  
> 
> Probably something swallows a backslash, maybe the slapd.conf parser.
> Try "\\+".  Or better, "[+]" so you won't need to worry about how many
> of them you need.

bingo, thanks Hallvard.

-Dieter 

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
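An added simulation (not code from the list or from OpenLDAP) of what the two messages above describe: the slapd.conf tokenizer is modelled as removing one level of backslash escapes inside a quoted value, which is Hallvard's suspicion, and the pattern is then run as a case-insensitive regex against the authcid ldapwhoami printed. It shows the original "\+" rule failing to match, the doubled backslash and the "[+]" bracket expression both working, and a generic rule that maps any peercred identity to an LDAP URL. The ou=people mapping target is a made-up example DN; Python's re is used in place of the POSIX extended regex slapd compiles, which agrees for these patterns.

```python
"""Simulate slapd's authz-regexp matching to see why "\\+" inside a quoted
slapd.conf value can stop matching while "[+]" keeps working.

Added example, not code from the thread. Assumptions: the slapd.conf
tokenizer is modelled as removing one level of backslash escapes inside a
quoted string (Hallvard's suspicion); the pattern is then evaluated with
Python's re module, which agrees with the POSIX extended, case-insensitive
regex slapd uses for these patterns; the authcid is the one ldapwhoami
printed in the thread. The ou=people target is a made-up example DN.
"""
import re

AUTHCID = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def slapd_conf_unquote(token):
    """Model of the config tokenizer: backslash-x inside quotes becomes x."""
    return re.sub(r"\\(.)", r"\1", token)


def authz_map(authcid, rules, unquote=slapd_conf_unquote):
    """Apply authz-regexp rules in order and return the mapped identity.

    Like slapd, the first matching rule wins and $1..$9 in the replacement
    are substituted with capture groups; with no match the authcid stays as
    it is, which is exactly the raw peercred DN ldapwhoami showed.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(unquote(pattern), authcid, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return authcid


# The rule as it was in the failing slapd.conf: "\+" loses its backslash.
RULE_BACKSLASH = [(r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth", "cn=config")]
# Hallvard's two fixes: double the backslash, or use a bracket expression.
RULE_DOUBLED = [(r"gidNumber=0\\+uidNumber=0,cn=peercred,cn=external,cn=auth", "cn=config")]
RULE_BRACKET = [(r"gidNumber=0[+]uidNumber=0,cn=peercred,cn=external,cn=auth", "cn=config")]
# A generic rule mapping any peercred identity to an LDAP URL search.
RULE_GENERIC = [(r"gidNumber=([0-9]+)[+]uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth",
                 "ldap:///ou=people,dc=example,dc=com??one?(uidNumber=$2)")]


def demo():
    """Return {label: mapped identity} for each rule set against AUTHCID."""
    return {
        "backslash": authz_map(AUTHCID, RULE_BACKSLASH),
        "doubled": authz_map(AUTHCID, RULE_DOUBLED),
        "bracket": authz_map(AUTHCID, RULE_BRACKET),
        "generic": authz_map(AUTHCID, RULE_GENERIC),
    }


if __name__ == "__main__":
    for label, mapped in demo().items():
        print(f"{label:10} -> {mapped}")
```

The check that matters on a real server is still `ldapwhoami -Y EXTERNAL -H ldapi:///`: if it prints the peercred DN instead of the mapped one, the rule did not match, and the bracket form is the one that stays correct no matter how many backslashes the parser strips.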



authz-regexp failures

2019-01-28 Thread Dieter Klünter
Hi,
I am facing some problems with authz-regexp configurations. These
configurations have run for ages on several systems. I only discovered
recently that some errors occurred:

 # ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

The appropriate lines in slapd.conf:

authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" 
 "cn=config"

There are still a few more authz-regexp rules that don't work anymore.
Any ideas?

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: openldap proxy with uid/gid lookup cache

2019-01-27 Thread Dieter Klünter
Am Fri, 25 Jan 2019 21:04:42 -0500
schrieb vad...@gmail.com:

> How do I include uid/gid lookup caching to my openldap proxy server?
> 
> $ cat slapd.conf
> ### Schema includes
> ###
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/misc.schema
> include /etc/openldap/schema/nis.schema
> 
> ## Module paths
> ##
> modulepath  /usr/lib64/openldap/ moduleload
> back_ldap
> 
> # Main settings
> ###
> pidfile /var/run/openldap/slapd.pid
> argsfile/var/run/openldap/slapd.args
> sizelimit   unlimited
> 
> TLSCertificateFile  /root/data/certs/ldap.crt
> TLSCertificateKeyFile   /root/data/certs/ldap.key
> 
> ### Database definition (Proxy to AD)
> # databaseldap
> readonlyyes
> protocol-version3
> rebind-as-user  yes
> uri "ldaps://ldap.example.com:1636"
> suffix  "ou=People,dc=example,dc=net"
> ### Logging
> ###
> loglevel0

Did you read slapo-pcache(5) ?
For debugging use debug level pcache.
Try something like:

database ldap
...
overlay pcache
pcache mdb 5000 2 500 3600
pcacheAttrset 0 uid gid 
pcacheTemplate (uid=) 0 10800 7200
directory /path/to/database
index uid,gid eq

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: openldap proxy to kerberos

2019-01-09 Thread Dieter Klünter
Am Tue, 8 Jan 2019 15:15:39 -0500
schrieb vad...@gmail.com:

> On Tue, Jan 8, 2019 at 3:27 AM Dieter Klünter 
> wrote:
> 
> > Am Mon, 7 Jan 2019 16:18:36 -0500
> > schrieb vad...@gmail.com:
> >  
> > > I am using openldap proxy today with ldap backend.
> > >
> > > Any suggestions on how to use kerberos as the backend?
> > >  
> > [...]
> >
> > Put it the other way round, use slapd as database backend to
> > kerberos.
> > https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
> >
> >  
> 
> OK, may be then what I am really looking for is a kerberos proxy.
> 
> All my servers today sending ldap auth request to this ldap proxy and
> we want to switch to kerberos auth instead.
[...]

You may try to configure a passthrough authentication, using saslauthd.
There are some configuration examples online. Note that this requires
slapd to be compiled with '--enable-spasswd'

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: openldap proxy to kerberos

2019-01-08 Thread Dieter Klünter
Am Mon, 7 Jan 2019 16:18:36 -0500
schrieb vad...@gmail.com:

> I am using openldap proxy today with ldap backend.
> 
> Any suggestions on how to use kerberos as the backend?
> 
[...]

Put it the other way round, use slapd as database backend to kerberos. 
https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html

-Dieter
-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Unable to start up the ldap server after reboot

2019-01-02 Thread Dieter Klünter
Am Wed, 2 Jan 2019 14:00:19 +
schrieb "Bharath, Basutkar (TR Tech, Content & Ops)"
:

> HI Team,
> 
> Am unable to start up the ldap server on solaris 10, could you please
> help us with the below error;
> 
> bash-3.2# /usr/local/openldap/libexec/slapd -d 384 -u ldap -g ldap -h
> "ldap:/// "& >/dev/null 2>&1 [1] 8686
> bash-3.2# @(#) $OpenLDAP: slapd 2.2.15 (Nov 10 2014 13:34:11) $
> @opusldap1:/usr/local/sftw/openldap-2.2.15/servers/slapd
[..]
> bdb_db_destroy: txn_checkpoint failed: Invalid argument (22)
> slapd stopped.
> connections_destroy: nothing to destroy.
[...]
The errors are BerkeleyDB based; bdb has been deprecated, don't use it.

Do not expect support on 15 years old source code versions.  
If you want to run openldap on solaris, try openIndiana, which
provides openldap-2.4.46. 

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Q: "deferring operation: too many executing" / "deferring operation: pending operations"

2018-12-11 Thread Dieter Klünter
Am Mon, 10 Dec 2018 10:16:54 +0100
schrieb "Ulrich Windl" :

> Hi!
> 
> I have a question for the following log messages:
> slapd[2215]: connection_input: conn=144871 deferring operation: too
> many executing slapd[2215]: connection_input: conn=144871 deferring
> operation: pending operations slapd[2215]: connection_input:
> conn=144871 deferring operation: pending operations
> 
> What is "too many", i.e. where is that limit configured?
> Is it possible to tell how many "pending operations" there are?

In fact bash(1) is the culprit, read bash(1) on ulimit.
The reason most likely is too many filesystem I/O's requested, bad
search filter design, too many operations on the same index database,
etc.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
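Whatever the root cause turns out to be, the first thing to establish is which connections are being deferred and who is behind them. An added script for that (not code from the list or from OpenLDAP): it counts both "deferring operation" variants per conn id over slapd's syslog output and joins them with the ACCEPT line so the peer address is known. The log lines inside the block are constructed to match the format the original poster quoted, with the syslog prefix stripped; conn ids and addresses are made up. For reference, slapd.conf(5) documents conn_max_pending and conn_max_pending_auth as the per-connection caps behind "pending operations".

```python
"""Count 'deferring operation' messages per slapd connection and correlate
them with the ACCEPT line so the offending client is identifiable.

Added example, not from the thread. SAMPLE_LOG is constructed to match the
message format quoted by the original poster (syslog prefix removed); the
conn ids and IP addresses are made up.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """conn=144871 fd=34 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
conn=144871 op=0 BIND dn="cn=app,dc=example,dc=com" method=128
conn=144872 fd=35 ACCEPT from IP=192.0.2.20:40001 (IP=0.0.0.0:389)
connection_input: conn=144871 deferring operation: too many executing
connection_input: conn=144871 deferring operation: pending operations
connection_input: conn=144871 deferring operation: pending operations
connection_input: conn=144872 deferring operation: pending operations
conn=144871 fd=34 closed (connection lost)
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)")
DEFER_RE = re.compile(r"conn=(\d+) deferring operation: (too many executing|pending operations)")
REASONS = ("too many executing", "pending operations")


def deferred_by_conn(log_text):
    """{conn_id: {"peer": addr-or-None, "too many executing": n, "pending operations": n}}."""
    peers = {}
    stats = defaultdict(lambda: {"peer": None, **{r: 0 for r in REASONS}})
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            peers[m.group(1)] = m.group(2)      # remember who owns this conn id
        elif m := DEFER_RE.search(line):
            conn, reason = m.groups()
            stats[conn][reason] += 1
            stats[conn]["peer"] = peers.get(conn)  # None if ACCEPT was before the log window
    return dict(stats)


def worst_offenders(log_text, threshold=2):
    """Connections with at least `threshold` deferrals, most deferred first."""
    def total(s):
        return sum(s[r] for r in REASONS)
    rows = [(c, s) for c, s in deferred_by_conn(log_text).items() if total(s) >= threshold]
    return sorted(rows, key=lambda cs: -total(cs[1]))


if __name__ == "__main__":
    for conn, s in worst_offenders(SAMPLE_LOG):
        print(conn, s["peer"], s["too many executing"], s["pending operations"])
```

Run it as `journalctl -u slapd | python3 thisfile.py` after replacing SAMPLE_LOG with `sys.stdin.read()`; a single conn id with a high "too many executing" count is one client pipelining many operations on one connection, which is a client design question rather than a server limit.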



Re: Check synchro : access only to contextcsn

2018-10-18 Thread Dieter Klünter
Am Thu, 18 Oct 2018 09:48:22 +0200
schrieb Lirien Maxime :

> Damn ! my ACL don't work despites your help :-/

Run slapd in debugging mode 'acl' or test with slapacl(8).
Note that contextCSN is stored in the root entry.

-Dieter

> 
> In the log it seems that "supervision" can't access dc=fr, it starts
> from dc=gouv,dc=fr.
> Without rule#3, it's ok because of rule #5.
> But with rule#3 it's supposed to match contextCSN
> 
> Thanks guys.
> 
> Here are my ACL  :
> 
> # 1) Admin's branch
> access to dn.subtree="ou=Comptes Admin,dc=fr"
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by self auth
> by users auth
> by anonymous auth
> 
> # 2) userPassword accessible by all
> access to * attrs=userPassword
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by users auth
> by anonymous auth
> by * none
> 
> 
> # 3) CONTEXTCSN
> access to dn.base="dc=fr" attrs=entry,children,contextcsn
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
> by * none
> 
> # 4) Certificate
> access to *
> attrs=userCertificateAuthentication,userCertificateConfidentiality,userCertificateSigning
>   by dn.exact="cn=clienttest,ou=Comptes Clients,dc=fr" read
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by * none
> 
> 
> # 5) Branch  dc=gouv,dc=fr
> access to dn.subtree="dc=gouv,dc=fr"
> by dn.subtree="ou=Comptes Clients,dc=fr" read
> by dn.subtree="ou=Comptes Admin,dc=fr" write
> by * none
> 
> 
> # 6) All the tree
> access to *
> by dn.exact="cn=root,dc=fr" write
> by dn.subtree="ou=Comptes Admin,dc=fr" read
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by self none
> by users none
> by anonymous none
> by * none
> 
> 
> On Tue, Oct 16, 2018 at 6:31 PM Quanah Gibson-Mount 
> wrote:
> 
> > --On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter
> >  wrote:
> >  
> > > Am Tue, 16 Oct 2018 15:51:50 +0200
> > > schrieb Lirien Maxime :
> > >  
> > >> Hi all,
> > >> thanks for reading.
> > >> I have a "supervision" account on all my ldap servers. With the
> > >> plugin nagios , it check the synchro.  I would like this account
> > >> read only contextcsn to check synchro. And only contextcsn not
> > >> the other entries. (plugin check nagios).
> > >> Can someone help me to write the right ACL ?
> > >>
> > >> Here what I tried but not really right :-/
> > >> # ContextCSN
> > >> access to dn.subtree="dc=fr" attrs=contextCSN
> > >>  by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
> > >>  by * none  
> > >
> > > access to dn.base=dc=fr
> > >attrs=entry,children,contextCSN read  
> >
> > I'd also be careful of doing "by * none" to the contextCSN, etc, as
> > that can break replication depending on the DN that binds to the
> > master(s), since the replication DN must be able to read the
> > contextCSN.
> >
> > --Quanah
> >
> >
> >
> > --
> >
> > Quanah Gibson-Mount
> > Product Architect
> > Symas Corporation
> > Packaged, certified, and supported LDAP solutions powered by
> > OpenLDAP: <http://www.symas.com>
> >
> >  



-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: OpenLDAP and Google Cloud Directory Sync

2018-10-17 Thread Dieter Klünter
Am Tue, 16 Oct 2018 15:10:16 -0700
schrieb Brian Hill :

> I would like to get OpenLDAP to trigger a GCDS sync whenever either 
> certain attributes are modified or even anything the DB, if it isn't 
> possible to limit it to certain attributes.
> 
> I am thinking along the lines of OpenLDAP calling some external
> program after a modification, but if there is another way to do this
> that I am missing,  I am all ears. I have looked at the various
> overlays but none seem relevant.
> 
> Has anyone done this or have general suggestions?

Based on perldoc Net::LDAP::Control::SyncRequest i built a script that
monitors modifications to the database.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Check synchro : access only to contextcsn

2018-10-16 Thread Dieter Klünter
Am Tue, 16 Oct 2018 15:51:50 +0200
schrieb Lirien Maxime :

> Hi all,
> thanks for reading.
> I have a "supervision" account on all my ldap servers. With the plugin
> nagios , it check the synchro.  I would like this account read only
> contextcsn to check synchro. And only contextcsn not the other
> entries. (plugin check nagios).
> Can someone help me to write the right ACL ?
> 
> Here what I tried but not really right :-/
> # ContextCSN
> access to dn.subtree="dc=fr" attrs=contextCSN
>  by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
>  by * none

access to dn.base="dc=fr" attrs=entry,children,contextCSN
   by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: A couple of questions regarding replication and user mapping

2018-09-21 Thread Dieter Klünter
Am Thu, 20 Sep 2018 22:29:11 +0200
schrieb Karsten Heymann :

> Hi,
> 
> I'm having a rough week as a long planned ldap migration this week
> went semi-bad, in that we noticed a good day after the new cluster
> went productive that both masters and both clients started to diverge
> data-wise. I'm still sorting out the details, but while
> troubleshooting some questions arose already.
> 
> (I'm running 2.4.46+dfsg-5~bpo9+1 on debian 9 with two masters
> (syncrepl, mirror mode) behind a load balancer and two slaves, also
> behind a load balancer. I was authenticating the replication with
> client certificates, but had to switch back to simple bind usind
> rootdn/rootpw als sync credentials to rule out any acl problems
> causing our problems.)
> 
> 1. I've read in an older debian bug report, that changing
> olcAuthRegexp requires a slapd restart in order to be effective. Is
> that still the case? If yes, could this *please* be added to the
> manpage and the documentation? Pretty please?
> 
> 2. Is ldapwhoami supposed to also print out the result of a
> authz-regexp mapping?

Yes
> 
> 3. The slapd.conf manpage mentions: "The replaced name can be either a
> DN, i.e. a string prefixed by "dn:", or an LDAP URI." Is prepending
> dn: really required? The examples on
> https://www.openldap.org/doc/admin24/sasl.html don't have it.

No

> 4. What happens when a lot of concurrent writes happen to two masters
> configured in mirror mode? We had a loadbalancer misconfiguration and
> the loadbalancers were using simple round robin to write to the
> masters. Can this result in diverging content on the two masters?

First write should win, depending on timestamp
 
> 5. At one time we had diverging content on both masters for the same
> entries, probably due to a broken acl config that did not allow the
> sync user to see all alltributes on the other master. Is there any way
> to cause a "re-sync" of an entry without actually changing data on the
> entry? The only way I found was to use slapd -c, but

If you have a log database with sufficient old data and matching
timestamps and csn's it might be possible. But a slapcat and slapadd
would be easier. 

[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: How to make ldap evaluate clear text password vs DES stored password

2018-09-21 Thread Dieter Klünter
Am Fri, 21 Sep 2018 09:09:40 +0700
schrieb Olivier :

> Hi,
> 
> >LDAP’s userPassword stored in the RDB has been already DES hashed by
> >original app. On the other hand, input password from ldapsearch
> >command line is CLEARTEXT.
> >  
> >I’d like to change certification process of LDAP source file to make
> >input password into DES hashed by using 2 characters of userPassword
> >as its SALT.  
> 
> That is how LDAP works if it knows that your passwrd is DES.
> 
> But the encoding for DES by LDAP may be slightly different from the
> encoding for DES by your original app.
> 
> For a DES encrypted password, LDAP expects to see:
> userpassword: {CRYPT}6FgwLHWxQzlgA
> where 6F is the salt (LDAP knows that the 6F is the salt)
> 
> So if your RDB only contains 6FgwLHWxQzlgA, you may have to modify
> that.
[...]
slappasswd(8) provides some information on password hashing and salting.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
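An added example (not code from the list or from OpenLDAP) of the mechanism the thread is about: slapd decides how to compare a cleartext bind password with a stored userPassword by the {SCHEME} prefix on the stored value, and for salted schemes it recovers the salt from the stored value itself, so the client never needs to know it. The block implements {SSHA} (slappasswd(8)'s default) in full and shows where the two-character salt sits in a {CRYPT} value; the DES computation is delegated to a caller-supplied crypt(3)-compatible function, since Python no longer ships the crypt module on every version. A value without a prefix is cleartext to slapd, which is why a bare DES hash copied from the RDB has to gain the {CRYPT} prefix first, as Olivier says.

```python
"""How slapd checks a cleartext bind password against a stored userPassword:
the value names its hash scheme in a {SCHEME} prefix, and for salted schemes
the salt is recovered from the stored value itself.

Added example, not from the thread. {SSHA} is implemented as slappasswd(8)
produces it: SHA-1 over password+salt, base64 of digest+salt. For {CRYPT}
the salt is the first two characters of the hash; the DES computation is
delegated to crypt_fn (e.g. crypt.crypt where available, or passlib).
"""
import base64
import hashlib
import hmac
import os


def parse_userpassword(value):
    """Split '{SCHEME}data' into (SCHEME, data); no prefix means cleartext."""
    if value.startswith("{") and "}" in value:
        scheme, data = value[1:].split("}", 1)
        return scheme.upper(), data
    return "CLEARTEXT", value


def ssha_hash(password, salt=None):
    """Produce a {SSHA} value the way 'slappasswd -h {SSHA}' does."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def crypt_salt(data):
    """Traditional DES crypt: the first two characters of the hash are the salt."""
    return data[:2]


def check_password(cleartext, stored, crypt_fn=None):
    """True if cleartext matches the stored userPassword value."""
    scheme, data = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(cleartext.encode(), data.encode())
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, the rest is salt
        candidate = hashlib.sha1(cleartext.encode() + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if scheme == "CRYPT":
        if crypt_fn is None:
            raise NotImplementedError("pass crypt_fn=crypt.crypt (or a passlib equivalent)")
        computed = crypt_fn(cleartext, crypt_salt(data))
        return hmac.compare_digest(computed.encode(), data.encode())
    raise ValueError(f"unsupported password scheme {scheme}")


if __name__ == "__main__":
    stored = ssha_hash("secret")
    print(stored, check_password("secret", stored), check_password("wrong", stored))
    print("{CRYPT} salt of 6FgwLHWxQzlgA:", crypt_salt("6FgwLHWxQzlgA"))
```

Comparisons go through hmac.compare_digest so a wrong guess takes the same time as a near miss; slapd's own check lives in liblutil/passwd.c and you should let it do the work on the server rather than reimplementing schemes client-side, this block only makes the salt handling visible.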



Re: help to get our openldap updated and replicated

2018-08-23 Thread Dieter Klünter
Am Tue, 21 Aug 2018 15:50:49 -0700
schrieb ad...@genome.arizona.edu:

> Hi all, I am about the 4th sysadmin for our organization, and our 
> openldap is old, 2.4.40 system version for CentOS 6.9.  Also there
> might have been incorrect modifications to the slapd.d files since it
> was really difficult to update things.  The olcRootDN was set to
> "cn=config" somehow so I had to manually update that to the Manager
> account and figure out the CRC32 and everything, but at least I could
> make some updates now.

The cn=config rootDN is correct, if this is bound to a config database.

> Anyway, I would like to get our installation updated to a current 
> version, as well as set up some sort of replication with our other 
> server, in case one goes down then our users could still login and
> use our applications, or I could still add/delete users.  Perhaps a 
> multi-master config would be best?  (Also maybe update the databases
> too since they are using bdb format?  but maybe that is just
> unnecessary extra work)  I tried to setup replication by following a
> guide, but was not successful and actually made things worse for our
> demon, so had to undo the changes for now.  I guess 2.4.40 has some
> problems with replication anyway from what I've heard.

A simple mirror mode should work anyhow.

> First, to get openldap updated, would it be as simple as compiling
> the new version and then updating the init script /etc/init.d/slapd
> to point to the new binaries?  I would stop slapd and get a backup of 
> /etc/openldap and /var/lib/ldap.  Then I could just leave our current 
> config in /etc/openldap and databases in /var/lib/ldap?  I've already 
> built the new version and "make test" was successful so am ready to 
> proceed from there with your assistance and suggestions.

1. slapcat(8) the old database to a file,
2. install libraries and binaries
3. setup a new config database, that is: create a slapd.conf file to
   your requirements, configure a slapd-mdb(5) database, load the
   database file by slapadd(8), slaptest(8) will create a config
   database.


-Dieter  

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Search memberOf

2018-08-09 Thread Dieter Klünter
As I mentioned, memberOf is an operational attribute type; its syntax is
'distinguishedName'.
Are there any modifiable operational attributetypes in your sql
database at all? Is rootDN able to write and modify attribute types?

-Dieter

Am Thu, 9 Aug 2018 12:22:55 +0200
schrieb Arianna Milazzo :

> I have a "member" table defined as:
> id (= id record) - gid (= group id) - pers_id (= person id)
> 
> the others table involved are "groups" table (gid - name - cn - dn)
> and persons (id - name - surname - .) [where id is same of keyval
> in ldap_entries]
> 
> 
> 
> 2018-08-08 19:20 GMT+02:00 Dieter Klünter :
> 
> > Am Wed, 8 Aug 2018 15:19:23 +0200
> > schrieb Arianna Milazzo :
> >  
> > > Ok, I understand that it isn't supported, but at the moment I
> > > can't try other solutions.
> > > And since that aside from that filter, the rest works, I don't
> > > want to give up like that.
> > >
> > > Infact if I look for the following values (then on the groups)
> > > Search base: cn=groupname,ou=group,dc=pigreco,dc=it
> > > Filter: (member=cn=Name Surname,ou=people,dc=pigreco,dc=it)
> > > I get if Name Surname is part of the groupname group
> > >
> > > If I search
> > > Search base: dc=pigreco,dc=it
> > > Filter: (member=cn=Name Surname,ou=people,dc=pigreco,dc=it)
> > > I get the list of which groups Name Surname belongs
> > >
> > > *But with this (then on the people)*
> > > Search base: dc=pigreco,dc=it
> > > Filter: (memberOf=cn=groupname,ou=group,dc=pigreco,dc=it)
> > >
> > >
> > > *I have no result and in the log I read:get_ava: illegal value for
> > > attributeType memberof*  
> >
> > please note that memberOf attributetype is defined as:
> >
> > ( 1.2.840.113556.1.2.102
> >   NAME 'memberOf'
> >   DESC 'Group that the entry belongs to'
> >   SYNTAX '1.3.6.1.4.1.1466.115.121.1.12'
> >   EQUALITY distinguishedNameMatch
> >   USAGE dSAOperation
> >   NO-USER-MODIFICATION )
> > do you have defined any table for this sort of operational
> > attributes.
> >
> > -Dieter
> >
> > --
> > Dieter Klünter | Systemberatung
> > http://sys4.de
> > GPG Key ID: E9ED159B
> > 53°37'09,95"N
> > 10°08'02,42"E
> >
> >  



-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Search memberOf

2018-08-08 Thread Dieter Klünter
Am Wed, 8 Aug 2018 15:19:23 +0200
schrieb Arianna Milazzo :

> Ok, I understand that it isn't supported, but at the moment I can't
> try other solutions.
> And since that aside from that filter, the rest works, I don't want
> to give up like that.
> 
> In fact, if I look for the following values (then on the groups)
> Search base: cn=groupname,ou=group,dc=pigreco,dc=it
> Filter: (member=cn=Name Surname,ou=people,dc=pigreco,dc=it)
> I get if Name Surname is part of the groupname group
> 
> If I search
> Search base: dc=pigreco,dc=it
> Filter: (member=cn=Name Surname,ou=people,dc=pigreco,dc=it)
> I get the list of which groups Name Surname belongs
> 
> *But with this (then on the people)*
> Search base: dc=pigreco,dc=it
> Filter: (memberOf=cn=groupname,ou=group,dc=pigreco,dc=it)
> 
> 
> *I have no result and in the log I read:get_ava: illegal value for
> attributeType memberof*

please note that memberOf attributetype is defined as:

( 1.2.840.113556.1.2.102 "
"NAME 'memberOf' "
"DESC 'Group that the entry belongs to' "
"SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' "
"EQUALITY distinguishedNameMatch "  
"USAGE dSAOperation "  
"NO-USER-MODIFICATION " 
)
do you have defined any table for this sort of operational attributes. 

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
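An added example (not the poster's code and not part of OpenLDAP back-sql), for this reply and for the member table (id, gid, pers_id) described in the follow-up above: memberOf is an operational attribute that the DSA computes, so with back-sql it can only come from a join over the member table. The sqlite3 tables are constructed for the demonstration; the ldap_entries layout and the oc_map_id value are assumptions.

```python
"""memberOf derived from back-sql style tables (added example).

memberOf has USAGE dSAOperation and DN syntax: no row stores it, the DSA
computes it. With the tables from the thread (member: id/gid/pers_id,
groups: gid/name/cn/dn, persons, and ldap_entries whose keyval is the
person id) it is a join over 'member'. Schema and rows below are
constructed; the ldap_entries columns and OC_PERSON are assumed."""
import sqlite3

BASE = "dc=pigreco,dc=it"
OC_PERSON = 1  # assumed oc_map_id of the person objectclass mapping

SCHEMA = """
CREATE TABLE persons (id INTEGER PRIMARY KEY, name TEXT, surname TEXT);
CREATE TABLE groups (gid INTEGER PRIMARY KEY, name TEXT, cn TEXT, dn TEXT);
CREATE TABLE member (id INTEGER PRIMARY KEY,
                     gid INTEGER REFERENCES groups(gid),
                     pers_id INTEGER REFERENCES persons(id));
CREATE TABLE ldap_entries (id INTEGER PRIMARY KEY, dn TEXT,
                           oc_map_id INTEGER, keyval INTEGER);
"""

# Constructed sample data: two people, two groups, three memberships.
PERSONS = [(1, "Name", "Surname"), (2, "Other", "Person")]
GROUPS = [(10, "groupname", "groupname", f"cn=groupname,ou=group,{BASE}"),
          (11, "admins", "admins", f"cn=admins,ou=group,{BASE}")]
MEMBER = [(100, 10, 1), (101, 11, 1), (102, 10, 2)]
ENTRIES = [(1, f"cn=Name Surname,ou=people,{BASE}", OC_PERSON, 1),
           (2, f"cn=Other Person,ou=people,{BASE}", OC_PERSON, 2)]


def norm_dn(dn):
    """distinguishedNameMatch ignores case and space around the RDN
    separators; compare DNs in that normalised form, never raw strings."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def open_db():
    """In-memory database with the constructed tables and rows."""
    db = sqlite3.connect(":memory:")
    db.create_function("norm_dn", 1, norm_dn)
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO persons VALUES (?,?,?)", PERSONS)
    db.executemany("INSERT INTO groups VALUES (?,?,?,?)", GROUPS)
    db.executemany("INSERT INTO member VALUES (?,?,?)", MEMBER)
    db.executemany("INSERT INTO ldap_entries VALUES (?,?,?,?)", ENTRIES)
    return db


# The join that would have to back a memberOf value for a person entry
# (in back-sql terms the sel_expr / from_tbls / join_where of an
# ldap_attr_mappings row; that mapping itself is not shown here).
MEMBEROF_SQL = """
SELECT groups.dn
  FROM groups
  JOIN member       ON member.gid = groups.gid
  JOIN ldap_entries ON ldap_entries.keyval = member.pers_id
                   AND ldap_entries.oc_map_id = ?
 WHERE norm_dn(ldap_entries.dn) = norm_dn(?)
 ORDER BY groups.dn
"""

# The reverse join: the entries whose computed memberOf equals the given
# group DN, i.e. what (memberOf=<group DN>) on the people asks for.
MEMBERS_SQL = """
SELECT ldap_entries.dn
  FROM ldap_entries
  JOIN member ON member.pers_id = ldap_entries.keyval
  JOIN groups ON groups.gid = member.gid
 WHERE ldap_entries.oc_map_id = ?
   AND norm_dn(groups.dn) = norm_dn(?)
 ORDER BY ldap_entries.dn
"""


def member_of(db, person_dn):
    """Groups the person belongs to: the values memberOf would carry."""
    return [row[0] for row in db.execute(MEMBEROF_SQL, (OC_PERSON, person_dn))]


def persons_in_group(db, group_dn):
    """Entries matching (memberOf=group_dn), computed from the member table."""
    return [row[0] for row in db.execute(MEMBERS_SQL, (OC_PERSON, group_dn))]


if __name__ == "__main__":
    conn = open_db()
    print(member_of(conn, f"cn=Name Surname,ou=people,{BASE}"))
    print(persons_in_group(conn, f"CN=groupname, OU=group, {BASE}"))
```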



Re: root server and subtree server replicate.

2018-08-03 Thread Dieter Klünter
Am Fri, 3 Aug 2018 09:54:22 +0800
schrieb "Tian Zhiying" :

> Dear all,
> 
>  
> 
>  
> 
> I'd like to have a subtree managed by a second LDAP server and its
> contents replicated to the "upper" root server.
> 
> server A(root server): suffix="dc=domain,dc=org"
> 
> server B(subtree server): suffix="ou=people,dc=domain,dc=org"
> 
> B's subtree should be replicated to A and should be searchable on A.
> 
>  
> 
> Are there any solutions for this case? 

You may consider on server A a slapd-ldap(5) database attached to a
slapd-relay(5) database, relaying subtree from server B.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: ldap server stops responding periodically?

2018-07-20 Thread Dieter Klünter
Am Tue, 17 Jul 2018 13:21:58 -0400
schrieb John Jasen :

> Summary: an openldap 2.4.4 (CentOS7 stock RPM) replication consumer
> slapd server stops responding to requests for a period of up to
> fifteen minutes.
[...]
If that really is 2.4.4, the package is from 2006 and was never a
stable release. The first release of the 2.4 series was OpenLDAP 2.4.6
(2007/10/31).
If you face problems you must update to the current release, 2.4.46.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N,
10°08'02,42"E



Re: permissions replication

2018-07-01 Thread Dieter Klünter
Am Sun, 1 Jul 2018 14:35:27 +0200
schrieb Miroslav Misek :

> Hi,
> 
> I am setting up master-slave replication for our off-site office, so
> it can use authentication against ldap even with internet
> connectivity issues. Replication itself is working without problems.
> But it replicates only data and not olcAccess attributes on database.
> So I have to set them manually.
> 
> Please is there any way to replicate those attributes too?
> 
> I found only one way, and it is master-master replication of
> cn=config database.
> And it is not usable in our environment. Off-site office don`t have 
> public ip. And it is better for me to have this ldap instance
> read-only.

You may consider the experimental aci model instead of the standard acl
model, as defined in slapd.access(5)
http://www.openldap.org/faq/data/cache/634.html

-Dieter


-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Logging Region out of memory

2018-06-13 Thread Dieter Klünter
Am Tue, 12 Jun 2018 11:56:23 -0500
schrieb Scott Mayo :

> I just started getting this early this morning.  I set this server up
> a number of years ago.  I am getting ready to put a new one in place,
> but need to get this back up and going in the mean time.
> 
> Openldap version is 2.4.12
> 
> /sbin/service ldap start
> 
> Checking configuration files for slapd:[FAILED]
> Logging region out of memory; you may need to increase its size
> db_open(/var/lib/ldap/id2entry.bdb) failed: Cannot allocate memory
> (12). backend_startup_one: bi_db_open failed! (12)
> slap_startup failed (test would succeed using the -u switch)
> stale lock files may be present in /var/lib/ldap   [WARNING]
> 
> Any ideas on what I need to check there?  Thanks.

The reference to the -u switch leads to the impression that filesystem
ownership of slapd.conf and the bdb database files is not appropriate.
In addition you may check the database with the BerkeleyDB tools, i.e.
db_stat.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Referrals, Chains, and Subordinate confusion

2018-06-11 Thread Dieter Klünter
Am Fri, 8 Jun 2018 19:44:31 +0200
schrieb Chris :

> Hello,
> 
> We're in the process of setting up a new DIT divided up by a handful
> of (o) organizations. We would like to split the DIT up so that each
> organization will sysadmin their own ldap provider containing their
> branch of the DIT.
> 
> There are some examples on the Net on how to use referrals and chains
> and the set up seems to be what we want, and relatively straight
> forward to implement.

You could define a handful of independent databases, something like

database o=A

database o=B

all databases controlled by 1 slapd process
man slapd.conf(5) and slapd-mdb(5) 

> 
> But before we begin, I'd like to check. The documentation here is
> confusing. http://www.openldap.org/doc/admin24/referrals.html At the
> bottom of the page, the 2nd Note says "A better approach would be to
> use explicitly defined local and proxy databases in /subordinate/
> configurations to provide a seamless view of the Distributed
> Directory."
> 
> I've scoured the Net for some clues/examples to what this means but
> haven't found anything that helps us much to understand. The same page
> http://www.openldap.org/doc/admin24/referrals.htm says "Subordinate
> knowledge information is maintained in the directory as a special
> /referral/ object" but that seems to enter into conflict with the 2nd
> Note. ??

No.
> There also seems to be a "olcSubordinate" attribute that I can't find
> any information about.
> How does the "local and proxy databases in /subordinate/
> configurations" configuration work? Is it documented anywhere?
> 
> Any pointers or suggestions would be greatly appreciated.

As a start you should get acquainted with RFC4512
https://www.rfc-editor.org/pdfrfc/rfc4512.txt.pdf
and X.500
https://www.itu.int/rec/T-REC-X.500/en


-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: LDAPS Support

2018-06-06 Thread Dieter Klünter
Am Tue, 05 Jun 2018 03:36:11 +0100
schrieb w...@tomjay.co.uk:

> Hello,
> 
> I'm under the impression that LDAPS (and not StartTLS) has been 
> depreciated in OpenLDAP, but I can't find anything on the OpenLDAP 
> website that says this. Is this the case, and is there a reference
> for it?

RFC 4511 and 4513 are quite clear about this. While StartTLS is defined
in RFC 2830, there is no formal specification for ldaps; furthermore,
read on ldaps in /etc/services.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: ldapdelete: Invalid DN on an Accesslog generated DN

2018-05-17 Thread Dieter Klünter
Am Tue, 15 May 2018 10:02:18 +0200
schrieb Giuseppe Civitella <giuseppe.civite...@gmail.com>:

> Hi all,
> 
> while doing some tests to enable accesslog in my directory, I did
> enable the overlay and then disabled it because of login problems.
> Once restored the directory, I found a few entries like this:
> 
> dn: reqStart=20180509102412.00Z,BASEDN
> objectClass: auditModify
> structuralObjectClass: auditModify
> REQSTART: 20180509102412.00Z
> REQEND: 20180509102412.01Z
> REQTYPE: modify
> REQSESSION: 1679
> REQAUTHZID: cn=admin,BASEDN
> REQDN: cn=gcivitella,ou=users,BASEDN
> REQRESULT: 0
> REQMOD: description:= description utente gcivitella (update check
> accesslog) REQMOD: entryCSN:= 20180509102412.246481Z#00#000#00
> REQMOD: modifiersName:= cn=admin,BASEDN
> REQMOD: modifyTimestamp:= 20180509102412Z
> REQENTRYUUID: 53620528-9276-1037-8c51-e5b01d96303b
> entryUUID: dc744658-e7be-1037-9c6f-71aa77ba1fb3
> creatorsName: cn=admin,BASEDN
> createTimestamp: 20180509102412Z
> entryCSN: 20180509102412.246481Z#00#000#00
> modifiersName: cn=admin,BASEDN
> modifyTimestamp: 20180509102412Z
> 
> Now I'm unable to delete them. I get an "invalid DN" error:
> 
> ldapdelete -D "cn=admin,BASEDN" -W -H ldap://127.0.0.1 -v 
> "reqStart=20180509102412.00Z,BASEDN"
> 
> ldap_initialize( ldap://127.0.0.1:389/??base )
> Enter LDAP Password: 
> deleting entry "reqStart=20180509102412.00Z,BASEDN"
> ldap_delete: Invalid DN syntax (34)
> additional info: invalid DN
> 
> Is there a way to force the deletion or temporary disable the schema
> check?

It seems that $BASEDN is not a valid DN, check 
https://ldap.com/ldap-dns-and-rdns
read man slapo-accesslog(5) on logpurge

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: OTP or 2FA for Manager Account?

2018-05-16 Thread Dieter Klünter
Am Wed, 16 May 2018 08:24:06 -0400
schrieb Dave Macias <dav...@gmail.com>:

> I too have been wondering about TOTP with openldap but always found
> it hard to find documentation on it. Any chance to have this
> documented? Dont see it in the site
[...]

I have written an article on TOTP
https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Search only few subtrees under baseDN

2018-05-13 Thread Dieter Klünter
Am Sun, 13 May 2018 09:42:22 +0200
schrieb Ervin Hegedüs <airw...@gmail.com>:

> Hi,
> 
> On Thu, May 10, 2018 at 06:02:48PM +0200, Ervin Hegedüs wrote:
> > Hi again,
> > 
> > On Wed, May 09, 2018 at 01:00:05PM +0200, Ervin Hegedüs wrote:  
> > > Hi,
> > >   
> > [...]
> >
> > > 
> > > Is there any way to set up one or more ACL's, where admin1 user
> > > can set up the dc=sub-company21,dc=company2,dc=hu as baseDN, and
> > > can start to search from there, but he will see the entries only
> > > from ou=orgunit1 and ou=orgunit2?  
> > 
> > if there isn't any solution with ACL, can I make it some other
> > way? I mean, back_meta, rewrite, or other overlay solutions...?
> >   
> 
> 
> I'm playing with aliases, thought I can make it with it.
> 
> The tree:
> 
> dn: ou=orgunit1,dc=sub-company21,dc=company2,dc=hu
> dn: ou=orgunit2,dc=sub-company21,dc=company2,dc=hu
> dn: ou=orgunit3,dc=sub-company21,dc=company2,dc=hu
> 
> and the new "collection":
> dn: ou=collection1,dc=sub-company21,dc=company2,dc=hu
> 
> I'd like to add an alias from ou=orgunit1 under ou=collection1:
> 
> dn: ou=orgunit1,dc=sub-company21,dc=company2,dc=hu
> changetype: add
> objectClass: alias
> objectClass: top
> objectClass: organizationalUnit
> aliasedObjectName:
> ou=orgunit1,ou=collection1,dc=sub-company21,dc=company2,dc=hu
> 
> but the ldapadd gives:
> 
> invalid structural object class chain (alias/organizationalUnit)
> 
> I've tried to add the alias as dn=aliased_name, and
> aliasedObjectName is the original, but same result.
> 
> 
> How can I add the OU alias, with all children?

Objectclasses aliasedObjectName and organizationalUnit are both
structural objectclasses; try to add auxiliary object classes, or
create your own classes. Some documentation includes the extensibleObject
class, but this would create additional security questions.

-Dieter
  



-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: OpenLDAP & Mysql backend

2018-05-01 Thread Dieter Klünter
Am Mon, 30 Apr 2018 10:54:52 +0200
schrieb Arianna Milazzo <aria...@ariannamicrochip.it>:

> Hello!
> I already read the docs.
> I did as described in the documentation that I found here:
> https://github.com/openldap/openldap/tree/master/servers/slapd/back-sql/docs
> and here:
> https://github.com/openldap/openldap/tree/master/servers/slapd/back-sql/rdbms_depend

[...]
> 
> 2018-04-30 10:21 GMT+02:00 Dieter Klünter <die...@dkluenter.de>:
> 
> > Am Thu, 26 Apr 2018 18:48:00 +0200
> > schrieb Arianna Milazzo <aria...@ariannamicrochip.it>:
> >  
> > > Hello!
> > > I installed openLDAP on Debian 9 with mysql backend. I followed
> > > the guide and I used example database
> > > (http://www.openldap.org/faq/data/cache/978.html )
> > >
> > > Now, I can connect to openldap with root credential (in
> > > slapd.conf) or with a "person" present in ldap_entries, but I
> > > don't see anything: no search result.
> > > With Apache Directory Studio I see only organization.
> > >
> > > It's even impossible to add something: ldap_add: Server is unwilling
> > > to perform (53)
> > > additional info: operation not permitted within
> > > namingContext
> > >
> > > Please, can someone tell me why?  
[...]

1. with regard to 'no search result'
   check with mysql if you can read the sql-database
   check your myODBC and unixODBC configuration,
   run slapd in debugging mode

2. with regard to 'error 53': AFAIK write operations
   can't be performed.

3. provide your database sql configuration of slapd.conf

4. read slapd-sql(5) carefully

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Separate trees openldap

2018-04-30 Thread Dieter Klünter
Am Thu, 26 Apr 2018 09:33:56 -0300
schrieb seguranca informacao <cerberus.segi...@gmail.com>:

>  Hi guys,
> 
> I'm trying to accomplish a configuration that I'm not aware of. I
> need to replicate several directories (AD, openldap, etc) to a unique
> repository (my openldap). The thing is I need to have completely
> separate trees for each domain (client). Any ideas on how to do that?
> Below is an example of what I'm thinking of:
> 
> 
> dc=example,dc=com
>  cn=users
>  cn=groups
> 
> -- complete separation
> dc=domain,dc=com
>  cn=users
>  cn=groups
> 
> -- complete separation
> dc=test,dc=ca
>  cn=users
>  cn=groups
> 
> -- complete separation

make use of slapd-ldap(5), slapd-relay(5) and slapo-rwm(5)
something like:

database ldap
suffix dc=test,dc=ca
...
database relay
suffix dc=test,dc=example,dc=com
relay dc=test,dc=ca
overlay rwm
rwm-suffixmassage  "dc=test,dc=example,dc=com" "dc=test,dc=ca"
subordinate

database mdb
suffix dc=example,dc=com

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Error Loading Schema

2018-04-18 Thread Dieter Klünter
Am Mon, 16 Apr 2018 14:58:48 -0300
schrieb Net Warrior <netwarrior...@gmail.com>:

> Hello there.
> I'm trying to load this schema
> http://pig.made-it.com/ldap-openssh.html
> 
> And I get this error.
> ldapmodify: invalid format (line 1) entry: ""
> 
> Googling around I found that I need to add ( : ) after the attribute
> and that's what I did; now I'm getting the error in line 3, but adding
> the (: ) in the objectclass: did not help
> 
> ldapmodify: invalid format (line 3) entry: ""

- How did you load this schema?
- do you maintain a slapd.conf file or a slapd.d database?

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Introduction of openldapjs

2018-04-13 Thread Dieter Klünter
Hi,
due to the fact that some software libraries are lacking full support
of Lightweight Directory Access Protocol according to RFC-4510 and that
there is a need to implement full ldap support in JavaScript,
openLDAP.js, a wrapper of libldap, has been developed.
The library has been published under MIT-Licence and is available at
https://github.com/6labs/openldapjs

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Missing contextCSN on ldap cluster

2018-03-16 Thread Dieter Klünter
Am Thu, 15 Mar 2018 09:00:48 +
schrieb "Abel FERNANDEZ" <abel.fernan...@consertotech.pro>:

> Hello,
> 
> I have a two active nodes LDAP cluster with replication established
> and working properly. The problem is when trying to check replication
> status I have no contextCSN returned in any of the nodes. This is the
> command executed to get replication status and that should return
> contextCSN values if executed in both nodes (but it returns
> nothing) : 
> 
> ldapsearch -x -LLL -H ldaps:// -s base -b 'dc=domain,dc=com' contextCSN
> dn: dc=domain,dc=com
> 
> This is the replication configuration in node1 (is the same in node 2
> excepting the rid and the hostname: 

you may search for all operational attributes of the base entry.
ldapsearch -x -H ldaps:// -b dc=domain,dc=com -s base +

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Acl on a replicated tree: unable to bind as user

2018-02-27 Thread Dieter Klünter
Am Tue, 27 Feb 2018 09:42:12 +0100
schrieb Giuseppe Civitella <gcivite...@enter.eu>:

> Hi all,
> 
> I've got a master / slave replica setup. I did use this tutorial to
> set up the replica:
> 
> https://wiki.debian.org/LDAP/OpenLDAPSetup
> 
> My ldap tree is something like: Root -> o=(first level local branch),
> o=(first level replicated branch).
> 
> The local branch is just a cut and paste of the replicated branch.
> 
> On the slave server I can use the replicated branch to authenticate
> against a Radius server.
> 
> On the master server I realized I cannot let web users authenticate
> against the replicated branch.
> 
> If I try to bind as a user from the replicated branch, on both the
> master and the slave, I get:
> 
> ldapwhoami -H ldap://localhost -D
> "uid=gcivitella,ou=users,o=isiline,dc=who,dc=is" -W
> 
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> 
> On the master, on the local branch, I get:
> 
> ldapwhoami -H ldap://localhost -D
> "cn=gcivitella,ou=users,o=area51,dc=who,dc=is" -W
> 
> Enter LDAP Password:
> dn:cn=gcivitella,ou=users,o=area51,dc=who,dc=is
> 
> 
> I did try to configure the acl on the server to disallow anonymous
> bind.
> 
> And, once found this problem, I did try to create a bind user
> (uid=read_only) able to read the replicated branch, userPassword attrs
> included.
> 
> Unfortunately this did not solve the problem.
> 
> My acl on the master are:
> 
> dn: olcDatabase={1}mdb
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=who,dc=is
> olcAccess: {0}to dn.subtree="o=isiline,dc=who,dc=is" by
> dn="uid=read_only,ou =binds,dc=who,dc=is" read
> olcAccess: {1}to dn.subtree="o=isiline,dc=who,dc=is" by
> dn="uid=isi_replica, ou=binds,dc=who,dc=is" read
> olcAccess: {2}to attrs=userPassword by self write by anonymous auth
> by * none
> olcAccess: {3}to attrs=shadowLastChange by self write by * read
> olcAccess: {4}to * by users read
> 
> 
> I'm quite new to this kind of setup, is this something to be expected?
> Is there a way to bind directly on the replicated branch?

Run slapd(8) in debug mode acl. Note debugging is not equal to logging!

-Dieter


-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: dynamic config replication

2018-02-13 Thread Dieter Klünter
Am Fri, 9 Feb 2018 15:26:20 +0100
schrieb Gerard Ranke <gerard.ra...@hku.nl>:

> Hello list,
> 
> Openldap 2.4.45 here, on 1 producer and 4 consumers. ( I'll attach
> relevant parts of the configuration at the end of this message. )
> Following the scripts from test059, I configured the producer to serve
> up a cn=config backend for the consumers. This seems to work nicely at
> first: When you start a consumer from a minimal config, it loads the
> producers schemafiles and the cn=config, and replication of the main
> database is fine. Also, when fi. changing the loglevel on the
> producers cn=config,cn=slave, the consumers pick up this change in
> their cn=config. However, when I modify an olcAccess line on the
> producers cn=config,cn=slave database, I get these errors on the
> consumer:
> 
> slapd[26324]: syncrepl_message_to_entry: rid=002 DN:
> olcDatabase={1}mdb,cn=config,cn=slave, UUID:
  ^

> 7cff5ef6-90b1-1037-9d95-6dfd3149c2dc
> slapd[26324]: syncrepl_entry: rid=002
> LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) slapd[26324]: syncrepl_entry:
> rid=002 inserted UUID 7cff5ef6-90b1-1037-9d95-6dfd3149c2dc
> slapd[26324]: syncrepl_entry: rid=002 be_search (0)
> slapd[26324]: syncrepl_entry: rid=002 olcDatabase={1}mdb,cn=config



> slapd[26324]: null_callback : error code 0x43
> slapd[26324]: syncrepl_entry: rid=002 be_modify
> olcDatabase={1}mdb,cn=config (67)
  

> slapd[26324]: syncrepl_entry: rid=002 be_modify failed (67)
> slapd[26324]: do_syncrepl: rid=002 rc 67 retrying
> 
> From the error code 0x43, it seems that the replication is somehow
> trying to change the rdn, olcDatabase{1}mdb, on the consumer, which
> makes no sense to me.
> 
> From the producer, cn=config,cn=slave:
> ( This is identical to the consumer's cn=config )
> 
> dn: cn=config,cn=slave
> objectClass: olcGlobal
> objectClass: olcConfig
> objectClass: top
> cn: slaveconfig
> cn: config
> olcArgsFile: /var/run/slapd/slapd.args
> olcAttributeOptions: lang-
> olcAuthzPolicy: none
> olcConcurrency: 0
> olcConfigDir: slapd.d/
> olcConnMaxPending: 100
> olcConnMaxPendingAuth: 1000
> olcGentleHUP: FALSE
> olcIdleTimeout: 0
> olcIndexIntLen: 4
> olcIndexSubstrAnyLen: 4
> olcIndexSubstrAnyStep: 2
> olcIndexSubstrIfMaxLen: 4
> olcIndexSubstrIfMinLen: 2
> olcLocalSSF: 71
> olcLogFile: none
> olcLogLevel: none
> olcPidFile: /var/run/slapd/slapd.pid
> olcReadOnly: FALSE
> olcSaslSecProps: noplain,noanonymous
> olcSizeLimit: 2
> olcSockbufMaxIncoming: 262143
> olcSockbufMaxIncomingAuth: 16777215
> olcThreads: 16
> olcTLSCACertificatePath: /etc/ssl/certs
> olcTLSCertificateFile: /etc/ssl/certs/hkuwildcardcacert.cert
> olcTLSCertificateKeyFile: /etc/ssl/private/hkuwildcardcacert.key
> olcTLSCRLCheck: none
> olcTLSVerifyClient: never
> olcToolThreads: 2
> 
> I'll leave the rest PM, except for:
> 
> dn: olcDatabase={0}config,cn=config,cn=slave
> objectClass: olcDatabaseConfig
> objectClass: olcConfig
> objectClass: top
> olcDatabase: {0}config
^^^ 
[...]
> 
> Hopefully somebody can point me in the right direction!
> Many thanks in advance,

check your configuration, distinguished names differ.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: IETF opinion change on "implicit TLS" vs. StartTLS

2018-02-13 Thread Dieter Klünter
Am Mon, 12 Feb 2018 18:10:29 -0800
schrieb Quanah Gibson-Mount <qua...@symas.com>:

> --On Tuesday, February 13, 2018 9:31 AM +1000 William Brown 
> <wibr...@redhat.com> wrote:
> 
> > On Mon, 2018-02-12 at 14:30 +0100, Michael Ströder wrote:  
> >> HI!
> >>
> >> To me this rationale for SMTP submission with implicit TLS seems
> >> also applicable to LDAPS vs. StartTLS:
> >>
> >> https://tools.ietf.org/html/rfc8314#appendix-A
> >>
> >> So LDAPS should not be considered deprecated. Rather it should be
> >> recommended and the _optional_ use of StartTLS should be strongly
> >> discouraged.  
> >
> > Yes, I strongly agree with this. I have evidence to this fact and
> > can provide it if required,  
> 
> Personally, I'm all for it.  I'd suggest using the above RFC as a
> template for one formalizing port 636, so it's finally a documented
> standard.

We discussed this topic some 10 years ago; at that time Kurt
had some concerns with regard to ldaps and port 636. Unfortunately I
can't remember details.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Error in dnx509Normalize when adding userCertificate value

2017-12-28 Thread Dieter Klünter
Am Wed, 27 Dec 2017 12:58:13 +0100
schrieb Cédric Couralet <cedric.coura...@gmail.com>:

> Hello all,
> 
> I encountered a problem when importing several client certificates into
> the usercertificate attribute.
> 
> The error was :
> 
> [15362]: >>> certificateExactNormalize: <0x7f07019a9100, 1745>
> [15362]: dnX509Normalize: <(null)> (21)
> [15362]: <<< certificateExactNormalize: <0x7f07019a9100, 1745> =>
> <(err)> [15362]: <= str2entry NULL (ssyn_normalize 21)
> [15362]: conn=1591 op=17 RESULT tag=103 err=21
> text=userCertificate;binary: value #0 normalization failed
> 
> Looking through the certificateExactNormalize in sourcecode, it seems
> the problem comes from the normalization of IssuerDn. Sure enough, in
> my case the issuer dn is :
> 
> CN = Certigna Services CA
> 2.5.4.97 = NTRFR-48146308100036
> OU = 0002 48146308100036
> O = DHIMYOTIS
> C = FR
> 
> Openldap has a problem with the "2.5.4.97 = NTRFR-48146308100036" part;
> it is declared as organizationIdentifier but doesn't appear in the openldap
> core schema (yet?).
> 
> 
> I managed to avoid the error by adding an attribute to schema but I'm
> wondering if there is not a better way to do it, and why is the
> normalize called here ?
> 
> My ldap version is the debian one :
> # slapd -V
> @(#) $OpenLDAP: slapd  (Apr 23 2013 12:16:04) $
> root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
> 
> Is an update sufficient?
> 
> Thank you for your answers,
> Cédric Couralet
> 

The attribute type organizationIdentifier (2.5.4.97) was introduced
in X.520 only in 2012. It has not yet made its way into LDAP. It
was introduced into the openssl source code only in May 2017.
You should create a private schema which includes organizationIdentifier.

-Dieter
 
-- 
Dieter Klünter | Systemberatung
https://sys4.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E



Re: Database limit(s)

2017-12-17 Thread Dieter Klünter
Am Wed, 13 Dec 2017 15:11:46 +0100
schrieb Ervin Hegedüs <airw...@gmail.com>:

> Hi there,
> 
> I'd like to ask, is there any hard or soft limit in the database? I
> mean, how many objects can be stored in the DB? Or how many child
> objects could be under a parent?
> 
> I've read the docs about the limits (
> http://www.openldap.org/doc/admin24/limits.html), but there are only
> the sizelimit and timelimit (which aren't affected me now).
> 
> In other words, which parameters do I check before I start to design a
> database (LDAP/non-LDAP (eg. OS) parameters)?

This presentation might give you some hints

https://www.slideshare.net/ldapcon/benchmarks-on-ldap-directories

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Too Much LDAP Log Activity?

2017-11-23 Thread Dieter Klünter
Am Wed, 22 Nov 2017 13:35:03 -0500
schrieb Douglas Duckworth <dod2...@med.cornell.edu>:

> Hi
> 
> Thanks to several users on this list I have our cluster up and
> running. The databases look good as does performance.
> 
> However, logs are increasing about 1MB every few minutes.
> 
> Does everyone typically send all of local4 to a file or only filter
> out for example warning and above?

What type of logs are you referring to? Is this the berkeleyDB log or
syslog?
If syslog, just modify the slapd loglevel to your liking.

-Dieter 

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Ensure uniqueness over multiple attributes?

2017-10-13 Thread Dieter Klünter
Am Fri, 13 Oct 2017 14:44:09 +0200
schrieb Karsten Heymann <karsten.heym...@gmail.com>:

> Hi,
> 
> does the unique overlay support checking multiple values for a single
> uniqueness check? Our clients can use emails in two attributes (think
> mail and mailAlias) and addresses have to be unique in regard to both
> fields, which means an address that is used in either of them cannot
> be used in any other of them. Is that possible?

slapo-unique(5) plus slapo-constraint(5)

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: country attribute

2017-09-30 Thread Dieter Klünter
Am Sat, 30 Sep 2017 20:34:51 +0200
schrieb richard lucassen <mailingli...@lucassen.org>:

> On Sat, 30 Sep 2017 15:30:07 +0200
> Michael Ströder <mich...@stroeder.com> wrote:
> 
> > > BTW: I tried to use the "c" attribute in my AUXILIARY objectclass,
> > > but slapd complains that it conflicts with the existing "c". I
> > > suppose this is because I applied different properties to it?  
> > 
> > Do not re-define attribute type "c".
> > 
> > Simply define your own object class referencing _existing_ attribute
> > type description "c".  
> 
> But I have to give it a different name (e.g. "cty") though, right or
> wrong? Something like this:
> 
> attributetype ( 1.3.6.1.4.1.10624.1.50
>   NAME 'cty'
>   DESC 'Country'
>   SUP c )
> 
> I now defined an independend "cty":
> 
> attributetype ( 1.3.6.1.4.1.10624.1.50
> NAME 'cty'
> DESC 'country'
> EQUALITY caseIgnoreIA5Match
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
> 
> It works, but I have no idea if this is dirty or not.

As Michael mentioned, define an auxiliary object class with attribute
type countryName (c) as a MUST. 

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-22 Thread Dieter Klünter
Am Thu, 21 Sep 2017 10:01:48 -0400 (EDT)
schrieb Robert Heller <hel...@deepsoft.com>:
[...]

> Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]: <= acl_mask: [1]
> mask: write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com
> slapd[17535]: => slap_access_allowed: search access granted by
> write(=wrscxd) Sep 21 09:50:01 c764guest.deepsoft.com slapd[17535]:
> => access_allowed: search access granted by write(=wrscxd) Sep 21
> 09:50:01 c764guest.deepsoft.com slapd[17535]: conn=1000 op=11 SEARCH
> RESULT tag=101 err=0 nentries=0 text=
[...]

You should find out why operation 11 results in 0 entries.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-20 Thread Dieter Klünter
Am Wed, 20 Sep 2017 14:20:54 -0400 (EDT)
schrieb Robert Heller <hel...@deepsoft.com>:

> At Wed, 20 Sep 2017 19:30:17 +0200 Dieter Klünter
> <die...@dkluenter.de> wrote:
> 
> > 
> > Am Wed, 20 Sep 2017 12:32:37 -0400 (EDT)
> > schrieb Robert Heller <hel...@deepsoft.com>:
[...]
> I added:
> 
> logLevel: 128
> 
> to the end of /etc/openldap/slapd.d/cn=config.ldif
> 
> But it does not like it:
> 
> Sep 20 13:59:47 c764guest.deepsoft.com slapd[32362]: UNKNOWN
> attributeDescription "LOGLEVEL" inserted.
> 
> The documentaion talks about loglevel in slapd.conf, but I am not
> using slapd.conf...

I am not talking about logging and loglevel, I am talking about
debugging and debug level.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-20 Thread Dieter Klünter
Am Wed, 20 Sep 2017 14:20:54 -0400 (EDT)
schrieb Robert Heller <hel...@deepsoft.com>:

> At Wed, 20 Sep 2017 19:30:17 +0200 Dieter Klünter
> <die...@dkluenter.de> wrote:
> 
> > 
> > Am Wed, 20 Sep 2017 12:32:37 -0400 (EDT)
> > schrieb Robert Heller <hel...@deepsoft.com>:
> >   
> > > OK, I fixed the ACLs (I think), but it is still not working.  I
> > > turned on verbose debugging for sssd[pam] and moderate debugging
> > > for slapd.
> > > 
> > > Here are my ACLs
> > > in /etc/openldap/slapd.d/cn\=config/olcDatabase\={2}hdb.ldif:
> > > 
> > > olcAccess: {0}to attrs=userPassword
> > >   by self write
> > >   by anonymous auth
> > >   by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
> > >   by * none
> > > olcAccess: {1}to *
> > >   by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
> > >   by * read
> > > 
> > > There are also these olcAccess entries:
> > > 
> > > in /etc/openldap/slapd.d/cn\=config/olcDatabase\={0}config.ldif:
> > > 
> > > olcAccess: {0}to * by
> > > dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> > > manage by * none
> > > 
> > > and
> > > in /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}monitor.ldif:
> > > 
> > > olcAccess: {0}to * by
> > > dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> > > read by dn.base="cn=Manager,dc=deepsoft,dc=com" read by *
> > > none  
> > [...]
> > 
> > You may run slapd in debugging mode 128.  
> 
> How do I do that using the "new" configuration method in 
> /etc/openldap/slapd.d?
> 
> I added:
> 
> logLevel: 128
> 
> to the end of /etc/openldap/slapd.d/cn=config.ldif
> 
> But it does not like it:
[...]

man slapd(8),
$(EXECDIR)/slapd -h ldap:/// -F $(CONFIGDIR)/slapd.d -u $USER -g
$GROUP -d 128

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Getting ldappasswd and PAM in the same page under CentOS 7

2017-09-20 Thread Dieter Klünter
Am Wed, 20 Sep 2017 12:32:37 -0400 (EDT)
schrieb Robert Heller <hel...@deepsoft.com>:

> OK, I fixed the ACLs (I think), but it is still not working.  I
> turned on verbose debugging for sssd[pam] and moderate debugging for
> slapd.
> 
> Here are my ACLs
> in /etc/openldap/slapd.d/cn\=config/olcDatabase\={2}hdb.ldif:
> 
> olcAccess: {0}to attrs=userPassword
>   by self write
>   by anonymous auth
>   by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
>   by * none
> olcAccess: {1}to *
>   by dn=uid=heller,ou=People,dc=deepsoft,dc=com write
>   by * read
> 
> There are also these olcAccess entries:
> 
> in /etc/openldap/slapd.d/cn\=config/olcDatabase\={0}config.ldif:
> 
> olcAccess: {0}to * by
> dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> manage by * none
> 
> and in /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}monitor.ldif:
> 
> olcAccess: {0}to * by
> dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> read by dn.base="cn=Manager,dc=deepsoft,dc=com" read by * none
[...]

You may run slapd in debugging mode 128.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Olc deployment vs slapd.conf based deployment

2017-09-19 Thread Dieter Klünter
Am Mon, 18 Sep 2017 10:12:23 -0400
schrieb Brian Reichert <reich...@numachi.com>:

> On Sat, Sep 16, 2017 at 04:24:36PM +0200, Daniel Pluta wrote:
> > On 16.09.2017 09:04, Michael Ströder wrote:  
> > >Daniel Pluta wrote:  
> > >>Call it strange, useless, insane, fine or whatever, but my
> > >>customers (also anybody who's interested in using a distinct
> > >>service) should be able to get a chance for a detailed view into
> > >>the running configuration of each service - before and while
> > >>using it. slapd's cn=config supports this, not perfectly but
> > >>better than any other service I'm aware of. For further details
> > >>see our paper from LDAPcon2011.  
> 
> I'm jumping in late here.  I'm curious about this talk.  I see a
> YouTube playlist of LDAPCon 2011 talks here; which one should I look
> at for these details?

There is no video, but you may read the papers.
https://ldapcon.org/2011/downloads/plutahommelweinert-paper.pdf

[...]

>   https://www.youtube.com/playlist?list=PLXuMrj-t1hqGdOJvswPFvNtwZFHD5SODK
> 
> > >
> > >I very well remember your interesting talk and that you give read
> > >access to olcRootDN to prove it's not set.  
> > 
> > 
> > It was olcRootPw: to prove that it's not present and thus there is
> > no slapd-BOFH (aka administrative man-in-the-middle).
> > 
> > I very well remember the shocked/laughing faces of (parts of) the 
> > audience right after I switched to the slide containing this at
> > first surely suicidal seeming ACL.
> > 
> > Forget about it. It's sufficient to keep in mind that the future
> > lies in cn=config. ;-)

-Dieter


-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: When does logpurge run ?

2017-09-05 Thread Dieter Klünter
Am Tue, 5 Sep 2017 05:33:55 +
schrieb ping-shin ching <ping...@hotmail.com>:

> Hi Folks,
> 
> 
> When does the logpurge (for accesslog) run? Can we control the time
> this process runs?

You can control purging, see man slapo-accesslog(5)

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: OpenLDAP Replication Error

2017-08-25 Thread Dieter Klünter
Am Thu, 24 Aug 2017 15:08:44 +
schrieb "Zpyro ." <jason.hersh...@outlook.com>:

> Hi All - I am trying to setup replication between a Centos 5 (2.3)
> and Centos 7 (2.4) server.
> 
> Partial replication is working - however it has not fully replicated.
> I am receiving an error of "syncrepl_message_to_entry: rid=123 mods
> check (postalAddress: value #0 invalid per syntax)" in the logs.
> 
> From the research I was doing, it looks like this is a reference to a
> missing schema - however I am pretty sure they are all in place.
> 
> Below are the results from querying the schemas on both - ldapsearch
> -H ldap://localhost -x -s base -b "cn=subschema" objectclasses as
> well as the slapd.conf files from both hosts.
> 
> 
> Any insight into what I am missing would be greatly appreciated!!
> 
> Please let me know if you need any more information.
[...]

Your attribute value of postalAddress does not seem to conform to
RFC 4517, section 3.3.28.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Search against multiple databases under

2017-08-10 Thread Dieter Klünter
Am Thu, 10 Aug 2017 12:54:38 -0400
schrieb JOSE L MARTINEZ-AVIAL <jlm...@gmail.com>:

> Hello,
>   I'm trying to combine my test openldap (MDB database) with my
> production AD installation, so I can have the production users access
> my test systems. In order to do that I've created two databases in my
> slapd.conf, as follows:
> 
> ###
> # database definitions
> ###
> include /usr/local/etc/openldap/slapd-meta-ad-prd.conf
> include /usr/local/etc/openldap/slapd-mdb.conf
> 
> The configuration file for the AD connection is as follows:
> 
> database        meta
> suffix "dc=bsi,dc=test,dc=com"
> uri "ldap://miadc01.mia.usa.sinvest/dc=bsi,dc=test,dc=com"
> suffixmassage   "dc=bsi,dc=test,dc=com" "dc=mia,dc=usa,dc=sinvest"
> idassert-bind bindmethod=simple binddn="cn=Test
> User,cn=users,dc=mia,dc=usa,dc=sinvest" credentials=x
> 
> 
> The configuration file for the MDB is:
> database        mdb
> maxsize 1073741824
> 
> suffix  "dc=test,dc=com"
> rootdn  "cn=Manager,dc=test,dc=com"
> 
> # Cleartext passwords, especially for the rootdn, should
> # be avoid.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # Added by pplu to support root authentication
> rootpw  xxx
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory   /usr/local/var/openldap-data/mdb
> # Indices to maintain
> index   objectClass eq
> overlay memberof
> memberof-group-oc groupOfUniqueNames
> memberof-member-ad uniquemember
> 
> So the first database uses the suffix "dc=bsi,dc=test,dc=com", and the
> second one uses "dc=test,dc=com". The idea is that the AD would
> appear as a branch of the development database. I've found that I can
> search the AD by using the search DN "dc=bsi,dc=test,dc=com", but if
> I try to look with DN "dc=test,dc=com", only the test database is
> searched. The search does not combine both databases. How can I do it?

You may consider gluing both databases into a single namingContext by
declaring "dc=bsi,dc=test,dc=com" as a subordinate database, see man
slapd.conf(5). But this requires a single rootDN.

-Dieter



-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
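A slapd.conf sketch of the gluing suggested above, added here as an example and not taken from the thread or from the poster's files: the suffixes, host and rootdn are the ones quoted in the question, the ordering of the two databases is kept as the poster had it, and the bind credential and rootpw are placeholders.

```conf
# Added example, not from the thread: glue the back-meta proxy for AD under
# the local mdb database so that a search with base "dc=test,dc=com" also
# descends into "dc=bsi,dc=test,dc=com". Credentials below are placeholders.

# Subordinate database: its suffix lies inside the superior's namingContext.
database        meta
suffix          "dc=bsi,dc=test,dc=com"
# All databases glued into one namingContext must share the rootdn
# (slapd.conf(5), "subordinate"); this is the "single rootDN" requirement.
rootdn          "cn=Manager,dc=test,dc=com"
subordinate
uri             "ldap://miadc01.mia.usa.sinvest/dc=bsi,dc=test,dc=com"
suffixmassage   "dc=bsi,dc=test,dc=com" "dc=mia,dc=usa,dc=sinvest"
idassert-bind   bindmethod=simple
                binddn="cn=Test User,cn=users,dc=mia,dc=usa,dc=sinvest"
                credentials="REPLACE_WITH_AD_BIND_PASSWORD"

# Superior database: owns the namingContext "dc=test,dc=com".
database        mdb
maxsize         1073741824
suffix          "dc=test,dc=com"
rootdn          "cn=Manager,dc=test,dc=com"
# Hashed value from slappasswd(8) instead of the cleartext rootpw
# that the posted configuration carried.
rootpw          "{SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT"
directory       /usr/local/var/openldap-data/mdb
index           objectClass eq
overlay         memberof
memberof-group-oc   groupOfUniqueNames
memberof-member-ad  uniquemember
```

With this layout a subtree search under "dc=test,dc=com" is fanned out to both databases, while a search based at "dc=bsi,dc=test,dc=com" still goes to the proxy alone.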



Re: LDAP Issue: Logging region out of memory; you may need to increase its size

2017-06-10 Thread Dieter Klünter
Am Fri, 9 Jun 2017 11:27:32 +
schrieb Gurjot Kaur <gurjot.k...@aricent.com>:

> Hello,
> 
> On an already running setup of OpenLDAP 2.4 on Linux (Linux GURKES015
> 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
> x86_64 GNU/Linux) platform, one day I start getting following error
> when I execute the slapcat command:
> 
> bdb_db_open: warning - no DB_CONFIG file found in
> directory 
> /opt/proxy/HostedDirectoryLDAPMultiMaster/instances/LdapServers_1/var/openldap-data:
> (2). Expect poor performance for suffix
> "dc=ORG,dc=COM".bdb(dc=ORG,dc=COM): Logging region out of memory; you
> may need to increase its size bdb_db_open: database "dc=ORG,dc=COM":
> db_open(/opt/proxy/HostedDirectoryLDAPMultiMaster/instances/LdapServers_1/var/openldap-data/id2entry.bdb)
> failed: Cannot allocate memory (12). backend_startup_one: bi_db_open
> failed! (12) slap_startup failed
> 
> 
> Following are the system RAM  and disk space usage.
RAM and disk space are irrelevant here; the configuration of a database
cache size is relevant. This should be configured in a DB_CONFIG file
within the database directory.
Your OS distribution may have provided a sample DB_CONFIG file.
> 
> I have removed some log.x files
> from 
> /opt/proxy/HostedDirectoryLDAPMultiMaster/instances/LdapServers_1/var/openldap-data
> which are not in use. But still the same error persists while
> executing the slapcat command.

The referenced log files document the database transactions and are
vital for database operations. You may read on db_config tools and how
to manage transaction logs. For more information see
http://www.openldap.org/faq/data/cache/1072.html
http://www.openldap.org/faq/data/cache/1075.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
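A DB_CONFIG of the kind referred to above, added here as an example rather than taken from the thread; the directory is the poster's, the sizes are constructed starting points that must be tuned to the real data volume, and the comments state what each Berkeley DB directive controls.

```conf
# Added example DB_CONFIG (constructed values, not from the thread). Place it in
# /opt/proxy/HostedDirectoryLDAPMultiMaster/instances/LdapServers_1/var/openldap-data
# and run db_recover there with slapd stopped, so the regions are recreated
# with the new sizes before slapcat or slapd open the environment again.

# "Logging region out of memory": the log region stores the names of the
# log files registered with the environment; BDB's default is about 60 KB.
set_lg_regionmax 1048576

# In-memory log buffer, written to the log.* files as transactions commit.
set_lg_bsize 2097152

# Size of each log.* file (BDB default 10 MB).
set_lg_max 10485760

# Let BDB remove log files no longer needed for normal recovery instead of
# deleting them by hand, which risks the state described in the question;
# keep copies elsewhere if catastrophic recovery must stay possible.
set_flags DB_LOG_AUTOREMOVE

# Database cache: gigabytes, bytes, number of segments. Size it to hold
# id2entry.bdb plus the index files; 256 MB is a placeholder.
set_cachesize 0 268435456 1

# Lock table sizing; raise if slapd logs "Lock table is out of available".
set_lk_max_locks 5000
set_lk_max_lockers 5000
set_lk_max_objects 5000
```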



Re: Can I do this with openldap ?

2017-05-26 Thread Dieter Klünter
Am Tue, 23 May 2017 17:16:22 +
schrieb Roelof Wobben <rwob...@hotmail.com>:

> Hello,
> 
> 
> My boss wants to run everything from a server.
> 
> But he wants also that I can take care of that some of the software
> is only used by some people.  So the cad software is only used by the
> drawers and not by the financial people.
> 
> 
> Can I do this with openldap or, if it cannot be done, which software
> can I then use best?

In fact that depends on the software in question. If the software,
or some controlling tool, is able to require authentication and
authorization via ldap, you may go ahead.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: ldapcompare vs ldapsearch

2017-05-17 Thread Dieter Klünter
Am Wed, 17 May 2017 18:32:29 +0800
schrieb Roger Szabo <roger.sz...@web.de>:

> Hi,
> 
> The goal is to perform frequent periodic calls to check the health of
> OpenLDAP using anonymous bind.
> 
> Someone at
> http://stackoverflow.com/questions/16077473/ldap-bind-vs-search
> suggested that a ldapcompare would perform better than a ldapsearch
> because "there is only a single response per entry (a compare result)
> rather than two (a search result entry and a search result done)".
> 
> This explanation makes sense but it would be really great to hear the
> opinion of an expert on this, thank you very much :)

Indeed, a compare operation requires less time and server load than a
search operation. In order to reduce server load you may search the
monitor backend base object.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Manual LDAP 2.4.44 Installation

2017-04-23 Thread Dieter Klünter
Am Fri, 21 Apr 2017 17:35:34 + (UTC)
schrieb Alexandre Vilarinho <vilarinhomail-...@yahoo.com.br>:

> Hello all,
> Recently I've installed LDAP - version 2.4.44 Manually in a Ubuntu
> 16.04 TLS server.
> 
> root@Linux-LDAP-SERVER:~# lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 16.04.2 LTS
> Release:        16.04
> Codename:       xenial
> root@Linux-LDAP-SERVER:~#
> 
> I followed every step in the official Quick-Start Guide
> (http://www.openldap.org/doc/admin24/quickstart.html) But from step 9
> forward it practically didn't work:
> 
> 9. Import the configuration database
> You are now ready to import your configuration database for use by
> slapd(8), by running the command:
> su root -c /usr/local/sbin/slapadd -F /usr/local/etc/cn=config -l /usr/local/etc/openldap/slapd.ldif
> 
> root@Linux-LDAP-SERVER:~# /usr/local/sbin/slapadd -F /usr/local/etc/cn=config -l /usr/local/etc/openldap/slapd.ldif
> 58fa3f94 invalid config directory /usr/local/etc/cn=config, error 2
> slapadd: bad configuration directory!
> root@Linux-LDAP-SERVER:~#
> 
> 10. Start SLAPD.
> You are now ready to start the Standalone LDAP Daemon, slapd(8), by
> running the command:
> su root -c /usr/local/libexec/slapd -F /usr/local/etc/cn=config
> To check to see if the server is running and configured correctly, you
> can run a search against it with ldapsearch(1). By default, ldapsearch
> is installed as /usr/local/bin/ldapsearch:
> ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
> Note the use of single quotes around command parameters to prevent
> special characters from being interpreted by the shell. This should
> return:
> dn:
> namingContexts: dc=example,dc=com
> 
> root@Linux-LDAP-SERVER:~# /usr/local/libexec/slapd -F /usr/local/etc/cn=config
> root@Linux-LDAP-SERVER:~# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> root@Linux-LDAP-SERVER:~#
> 
> What am I doing wrong? Why can't it contact the server, if the
> installation was ok, with no errors or warnings...
> 
> Regards

man slapd(8), run slapd in debugging mode.

--Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


