Re: test tool to load pf rules

2014-06-14 Thread Stéphane Guedon
On Saturday 14 June 2014 05:55:19, you wrote:
> > If the user doesn't answer, that means for some reason pf has blocked ssh
> > connection.
> 
> This shouldn't happen as long as you don't flush your state table.

That happened quite often. Obviously I am to blame. Now I take extra
precaution. And one of the ways is to use / create this tool I am aiming for!


> Load your new rules, then try to ssh from another terminal.  If you
> can't connect, go back to your original terminal and undo your
> changes.



test tool to load pf rules

2014-06-14 Thread Stéphane Guedon
Hello, list.

First, I wish you all a great weekend.

Second, I am wondering if someone knows of or has written some tool to prevent
yourself from being locked out of your online ssh server when writing pf
rules.

Something like: copy the new pf rules to /tmp, load them, and ask the user if
it's ok. If not, reload the previous rules two minutes later.

If the user doesn't answer, that means for some reason pf has blocked the ssh
connection. And at this point, the tool has to return automatically to the
previous state, where the connection was ok.

If that tool doesn't exist, I am going to write a small script for that
purpose.

Thanks for your answers.
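One way to build the tool described in this post, added here as an example; it is not a script from the list or from OpenBSD. It assumes an OpenBSD-style pfctl(8), a known-good ruleset at /etc/pf.conf to fall back to, and that the operator confirms from a second, new ssh session (the kind of connection the candidate rules could have broken); PFCTL, PF_GOOD, PF_TIMEOUT and PF_PIDFILE are assumed variable names used to parameterise the script.

```shell
#!/bin/sh
# pf-tryload: load a candidate pf ruleset and roll back automatically unless
# the operator confirms in time. Added example for this thread; not a tool
# from the list or from OpenBSD. Assumptions: an OpenBSD-style pfctl(8), a
# known-good ruleset to fall back to (default /etc/pf.conf), and that the
# operator confirms from a NEW ssh session, because pfctl -f keeps the state
# table, so the session that loaded the rules would survive even bad rules.

PFCTL="${PFCTL:-pfctl}"                      # overridable, e.g. for a test stub
GOOD="${PF_GOOD:-/etc/pf.conf}"              # ruleset restored on rollback
TIMEOUT="${PF_TIMEOUT:-120}"                 # seconds before automatic rollback
PIDFILE="${PF_PIDFILE:-/var/run/pf-tryload.pid}"

# Parse the candidate without loading it; a syntax error must never take the
# live ruleset down.
pf_check() {
    "$PFCTL" -nf "$1"
}

# Load the candidate and start a watchdog that restores GOOD after TIMEOUT.
# Only NEW connections exercise the candidate rules, which is why the
# confirmation has to come from a fresh session.
# Returns 1 without touching pf if the candidate fails the syntax check.
pf_try() {
    candidate="$1"
    pf_check "$candidate" || return 1
    "$PFCTL" -f "$candidate" || return 1
    (
        sleep "$TIMEOUT"
        "$PFCTL" -f "$GOOD"
        rm -f "$PIDFILE"
    ) &
    echo "$!" > "$PIDFILE"
    echo "candidate loaded; rollback to $GOOD in ${TIMEOUT}s unless confirmed" >&2
    return 0
}

# Operator confirms from a fresh session: stop the watchdog and keep the rules.
# Returns 1 if no watchdog is pending (already rolled back or never started).
pf_confirm() {
    [ -f "$PIDFILE" ] || return 1
    kill "$(cat "$PIDFILE")" 2>/dev/null || true
    rm -f "$PIDFILE"
    return 0
}

case "${1:-}" in
    try)     pf_try "$2" ;;
    confirm) pf_confirm ;;
esac
```

Run `pf-tryload try /tmp/pf.conf.new`, open a fresh ssh session and run `pf-tryload confirm` there; if that session cannot be opened, the watchdog restores /etc/pf.conf by itself once the timeout expires.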



Re: bind port broken

2014-05-20 Thread Stéphane Guedon
On Tuesday 20 May 2014, 12:41:35 Stuart Henderson wrote:
> Stéphane Guedon  22decembre.eu> writes:
> > I don't know if I am doing things ok, but the Bind9 port seems
> > broken (in a fresh 5.5 install).
> >
> > Thanks if someone fix it.
>
> Is there a particular reason you're not just using the packages
> provided? I see no advantage to building it yourself.
>
> # pkg_add isc-bind

Yeah, actually it seems to have solved the trick…
But at the same time I have fixed some others… All in all, I improved my
setup!

Thanks!




Re: bind port broken

2014-05-19 Thread Stéphane Guedon
On Monday 19 May 2014 14:59:54, you wrote:
> You provide zero details on what you are doing, how can someone know
> what to fix without the minimum bits of information.

I was aware of that, yet didn't know what to do since I have done really,
really little.

I just placed myself in /usr/ports/net/isc-bind and launched a make
clean, then make, as explained on the FAQ page.

Then make produced a lot of compilation work which ended at:

Error while executing cc -o .libs/named -pthread -I/usr/obj/ports/isc-
bind-9.9.3pl1/build-amd64 -I/usr/obj/ports/isc-
bind-9.9.3pl1/bind-9.9.3-P1/bin/named/include -I/usr/obj/ports/isc-
bind-9.9.3pl1/bind-9.9.3-P1/bin/named/unix/include -I. -
I/usr/obj/ports/isc-bind-9.9.3pl1/build-amd64/lib/lwres/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/bind-9.9.3-P1/lib/lwres/unix/include
-I/usr/obj/ports/isc-bind-9.9.3pl1/bind-9.9.3-P1/lib/lwres/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/build-amd64/lib/dns/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/bind-9.9.3-P1/lib/dns/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/build-amd64/lib/bind9/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/bind-9.9.3-P1/lib/bind9/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/build-amd64/lib/isccfg/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/bind-9.9.3-P1/lib/isccfg/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/build-amd64/lib/isccc/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/bind-9.9.3-P1/lib/isccc/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/build-amd64/lib/isc/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/bind-9.9.3-P1/lib/isc -
I/usr/obj/ports/isc-bind-9.9.3pl1/bind-9.9.3-P1/lib/isc/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/bind-9.9.3-P1/lib/isc/unix/include -
I/usr/obj/ports/isc-bind-9.9.3pl1/bind-9.9.3-
P1/lib/isc/pthreads/include -I/usr/obj/ports/isc-
bind-9.9.3pl1/bind-9.9.3-P1/lib/isc/x86_32/include -D_REENTRANT -
DOPENSSL -O2 -pipe -I/usr/local/include/libxml2 -I/usr/local/include -
W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -
Wpointer-arith -fno-strict-aliasing builtin.o client.o config.o
control.o controlconf.o interfacemgr.o listenlist.o log.o logconf.o
main.o notify.o query.o server.o sortlist.o statschannel.o tkeyconf.o
tsigconf.o update.o xfrout.o zoneconf.o lwaddr.o lwresd.o lwdclient.o
lwderror.o lwdgabn.o lwdgnba.o lwdgrbn.o lwdnoop.o lwsearch.o
unix/os.o unix/dlz_dlopen_driver.o -L.libs -llwres -lbind9 -lisccfg -
ldns -lcrypto -lisccc -lisc -lpthread -lxml2 -lz -liconv -lm -Wl,-
rpath-link,/usr/local/lib
*** Error 2 in bin/named (Makefile:559 'named')
*** Error 1 in bin (Makefile:100 'subdirs')
*** Error 1 in /usr/obj/ports/isc-bind-9.9.3pl1/build-amd64
(Makefile:107 'subdirs')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2659
'/usr/obj/ports/isc-bind-9.9.3pl1/build-amd64/.build_done')
*** Error 1 in /usr/ports/net/isc-bind
(/usr/ports/infrastructure/mk/bsd.port.mk:2388 'all')

The release is bind 9.9.3, I am on amd64 and my OpenBSD is a 5.5 just
upgraded (so I had to rebuild my bind because it contains the dnssec
signer I use).

I tried to compile bind 9.10 "manually" from the release available on
the ISC website and get this error as well:

*** Error 1 in lib/samples (Makefile:486 'resolve')
*** Error 1 in lib (Makefile:100 'subdirs')
*** Error 1 in /usr/local/src/bind-9.10.0-P1 (Makefile:105 'subdirs')

Hope you get better info now.

>
> Reading this page http://www.openbsd.org/report.html could help you.
>
> -luis
>
> On Mon, May 19, 2014 at 2:53 PM, Stéphane Guedon wrote:
> > hello.
> >
> > I don't know if I am doing things ok, but the Bind9 port seems
> > broken (in a fresh 5.5 install).
> >
> > Thanks if someone fix it.
> >



bind port broken

2014-05-19 Thread Stéphane Guedon
hello.

I don't know if I am doing things ok, but the Bind9 port seems broken 
(in a fresh 5.5 install).

Thanks if someone fix it.




sharing network and address between tables and softwares

2014-05-19 Thread Stéphane Guedon
I make some use of address tables in pf. Less than some of the great
experts we have there, but still.

I was wondering if it were possible to share the tables defined in pf
with other software.

I think particularly of using the table defined in
/etc/pf.conf in smtpd too, to allow pass directly without auth.

Do you understand me?
Thanks in advance.




how to launch slapd before ypldap ?

2014-04-26 Thread Stéphane Guedon
I have slapd running on my server, and ypldap and ypbind.

The problem is to start them in the correct order at boot.

For now, ypldap starts first and blocks the whole boot process.

How can I make sure slapd starts before the yp stuff?

Thanks for advice.




xbmc

2014-04-20 Thread Stéphane Guedon
Hello

Is there anybody who has successfully set up xbmc on OpenBSD?
I do not see any official port in the ports tree, but is there an
unofficial one?

Thanks for any answer.




Re: mysql sock

2014-04-04 Thread Stéphane Guedon
On Friday 4 April 2014, 08:40:37 Antoine Jacoutot wrote:
> On Thu, Apr 03, 2014 at 10:22:54PM +0200, Stéphane Guedon wrote:
> > Hello
> > 
> > I wonder something about my mysql socket...
> > 
> > Mainly, my mysql server is used by my webserver (nginx) which is
> > chrooted. So I link the mysql socket from
> > /var/run/mysql/mysql.sock to /var/www/var/run/mysql/mysql.sock
> > 
> > is there a way to automate this ?
> > 
> > I think of a small command line to place in the rc script, and the
> > same when it stops (it remove the link) or restart (remove the
> > link, then recreate it)...
> > 
> > Thanks for your advices.
> 
> Read /usr/local/share/doc/pkg-readmes/mysql-server-*

Thanks!



mysql sock

2014-04-03 Thread Stéphane Guedon
Hello

I wonder something about my mysql socket...

Mainly, my mysql server is used by my webserver (nginx) which is
chrooted. So I link the mysql socket from /var/run/mysql/mysql.sock to
/var/www/var/run/mysql/mysql.sock.

Is there a way to automate this?

I think of a small command line to place in the rc script, and the
same when it stops (it removes the link) or restarts (remove the link,
then recreate it)...

Thanks for your advice.



Re: pf to redirect local dns traffic to another port

2014-03-30 Thread Stéphane Guedon
On Saturday 29 March 2014, 23:55:07 Nick Holland wrote:
> On 03/29/14 17:09, Stéphane Guedon wrote:
> > Hello
> > 
> > I am currently trying to run two nameserver on the same Openbsd
> > server.
> > 
> > The first one is an autoritative (let's say bind or nsd, no one
> > cares). the second will be dnsmasq.
> > 
> > You guess the objective of the construction : give local answers
> > from dhcp leases to local requests, and give autoritatives for
> > the internet requests.
> 
> you are getting sloppy with terms here.  You aren't being
> authoritative for Internet requests -- you are doing recursive
> resolution.  You are authoritative on your internal stuff only.

As I speak of my own domain, I think the word authoritative is really
correct there.

> Also...  for -current, BIND has been replaced by NSD and Unbound, so
> you might wish to run -current for this project to minimize changes
> in the near future.

That was one of the purposes of this construction: stopping Bind, as
its view function is now replaced by this two-sided dns.

> > That's for the presentation.
> > 
> > I can run dnsmasq on a different port, but how do I give my local
> > hosts the idea of interrogating a non standard dns port ?
> > Then I though I could drive the traffic from my LAN to the port
> > where dnsmasq is running on.
> 
> The easier way is to run your DNS resolver on a different IP
> Address, not a different port, than your authoritative DNS.  BIND
> is something of an address slut, it connects with every address by
> default, so you will have to restrict it in the config to just the
> ports you want.  I don't recall what NSD/Unbound do by default, but
> they are at least configurable to not be stupid and connect up with
> just the address you want them to connect to.

That was what I did first. But Dnsmasq doesn't like it; it doesn't send
RA if I restrict the address.

> 
> So...run your resolver on the external port, run the authoritative
> on localhost, configure the resolver to query the authoritative (on
> 127.0.0.1) for local info, and the general Internet DNS for
> everything else.  Your DHCP server populates your authoritative
> server, your machines query the external address, and all Just
> Works.
> 
> And remember: if you wish to get more complicated, you can have lots
> of localhosts. (127.0.0.2, 127.0.0.3 ...) and attach different
> services to each.
> 
> Nick.

Anyway, now it's solved!
I think of writing a blog / tutorial article to document it correctly
for the world.



Re: pf to redirect local dns traffic to another port

2014-03-30 Thread Stéphane Guedon
On Saturday 29 March 2014 17:56:44, you wrote:
> On 29 Mar 2014 at 22:10, Stéphane Guedon wrote:
> > Hello
> > 
> > I am currently trying to run two nameserver on the same Openbsd
> > server.
> > 
> > The first one is an autoritative (let's say bind or nsd, no one
> > cares).
> > the second will be dnsmasq.
> > 
> > You guess the objective of the construction : give local answers
> > from dhcp leases to local requests, and give autoritatives for
> > the internet requests.
> > 
> > That's for the presentation.
> > 
> > I can run dnsmasq on a different port, but how do I give my local
> > hosts
> > the idea of interrogating a non standard dns port ?
> > Then I though I could drive the traffic from my LAN to the port
> > where dnsmasq is running on.
> > 
> > so here is pf conf (obviously expurged) :
> > 
> > ###
> > 
> > table  { local addresses }
> > 
> > # common
> > pass in log on egress proto { tcp, udp }from any to re0 port
> > domain
> > 
> > # local
> > pass in quick log on re0 inet   proto { udp,tcp }   from 
> > port domain rdr-to 127.0.0.1 port 5353
> 
> unless I'm severly mistaken (and someone will correct me), the rule
> as written will match only packets whose SOURCE port is domain ...
> you are missing a "to (self)" or "to any" in front of the port
> specification to achieve your objective.

That solved the thing!
Thanks!

> 
> > #pass in quick log on re0 proto { udp,tcp } from  port
> > domain divert-packet port 5353
> > 
> > ###
> > 
> > I first tried to use the divert-packet rule (that way I don't have
> > to care if the traffic is ipv6 or ipv4), then I tried to redirect
> > using rdr-to 127... like most tutorials I found regarding rdr.
> > 
> > I move the local rules before or after the common one, place a
> > quick on the common or removed it...
> > 
> > Nothing : the common rule is always the one that applies according
> > to the logs.
> > Can you tell me what I am doing wrong ?



pf to redirect local dns traffic to another port

2014-03-29 Thread Stéphane Guedon
Hello

I am currently trying to run two nameservers on the same OpenBSD
server.

The first one is authoritative (let's say bind or nsd, no one cares).
The second will be dnsmasq.

You guess the objective of the construction: give local answers from
dhcp leases to local requests, and give authoritative ones for the internet
requests.

That's for the presentation.

I can run dnsmasq on a different port, but how do I give my local hosts
the idea of interrogating a non-standard dns port?
Then I thought I could drive the traffic from my LAN to the port where
dnsmasq is running.

So here is the pf conf (obviously expurgated):

###

table  { local addresses }

# common
pass in log on egress proto { tcp, udp }from any to re0 port domain

# local
pass in quick log on re0 inet   proto { udp,tcp }   from  
port domain rdr-to 127.0.0.1 port 5353
#pass in quick log on re0 proto { udp,tcp } from  port 
domain divert-packet port 5353

###

I first tried to use the divert-packet rule (that way I don't have to
care if the traffic is ipv6 or ipv4), then I tried to redirect using
rdr-to 127... like most tutorials I found regarding rdr.

I moved the local rules before or after the common one, placed a quick
on the common or removed it...

Nothing: the common rule is always the one that applies according to
the logs.
Can you tell me what I am doing wrong?
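The ruleset with the correction from the reply above applied, added here as an example; it is not the poster's final configuration. The broken rule is kept commented out beside the fixed one, and an IPv6 twin is added because the poster wanted the redirect to cover both families. Assumed: re0 is the LAN interface, the table is named <lan> (the name was lost from the posted ruleset), the address in it is a constructed sample, and dnsmasq listens on 127.0.0.1 and ::1 port 5353 while the authoritative server stays on port 53.

```pf
# Example pf.conf fragment, not the poster's own ruleset.
# Assumed: re0 = LAN interface, <lan> = local networks (sample address
# constructed), dnsmasq on 127.0.0.1/::1 port 5353, authoritative on 53.
table <lan> { 192.168.1.0/24 }

# Broken (as posted): "from <lan> port domain" constrains the SOURCE port,
# so only queries sent from port 53 match and the common rule wins for
# the rest, which is exactly what the logs showed.
#pass in quick log on re0 inet proto { udp, tcp } from <lan> port domain \
#    rdr-to 127.0.0.1 port 5353

# Fixed: "to any port domain" matches the DESTINATION port. Narrow "any"
# to (re0) if only queries addressed to this host should be redirected.
# "quick" stops evaluation here, so the common rule below never applies
# to LAN queries regardless of rule order.
pass in quick log on re0 inet  proto { udp, tcp } from <lan> to any port domain \
    rdr-to 127.0.0.1 port 5353

# "inet" limits the rule above to IPv4; rdr-to must target an address of
# the same family, so IPv6 clients need their own rule pointing at ::1.
pass in quick log on re0 inet6 proto { udp, tcp } from <lan> to any port domain \
    rdr-to ::1 port 5353

# common (as posted): everything else on port 53 reaches the authoritative
# server.
pass in log on egress proto { tcp, udp } from any to re0 port domain
```

Check the result with `pfctl -nf` before loading it, and with `pfctl -sr` afterwards to confirm the redirect rules appear with the `to any port = domain` destination rather than a source port.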



dnssec on openbsd domains

2014-03-23 Thread Stéphane Guedon
As OpenBSD has a great reputation for security, I wonder if there's a
plan to set up dnssec on all domains (I have checked www.openbsd.org
and www.opensmtpd.org and no good result so far)?




dnsmasq + nsd ?

2014-03-23 Thread Stéphane Guedon
As I have seen OpenBSD is removing bind from base (a point I don't
discuss), has anyone successfully used dnsmasq + nsd?

Dnsmasq can act as dhcp + dhcpv6 + radvd + dns caching server.
So it's pretty good for replacing many different pieces of software.

And it would allow implementing "bind views", as requests from the lan
would be addressed to dnsmasq, resolving also ipv6 if well set up, and
requests coming from the rest of the internet would go to nsd (which
also serves dnssec keys...).




Re: smtpd, lmtp and unix socket problem

2014-03-09 Thread Stéphane Guedon
On Sunday 9 March 2014, 10:06:43 Adam Thompson wrote:
> I'm trying to use Dovecot as the LDA for local mail delivery out of
> SMTPD in 5.4-RELEASE, but I'm having some difficulty.  (I want Sieve
> support, which smtpd doesn't have natively.)
>
> smtpd is willing todeliver mail to mboxes, maildirs, other smtp
> servers, and the dovecot LDA, so the problem appears isolated to
> LMTP.
>
> Firstly, although the smtpd.conf manpage documents "deliver to lmtp
> [host:port | socket]", there's no documentation on the URI format
> for the socket option.  Through trial and error, it appears to be
> "socket:///absolute/path/to/socket", but this still doesn't
> actually work for me.
>
> Secondly, the only way I can see ANY information whatsoever about
> MDA failures appears to be if I run "smtpd -d -v" at the
> command-line.  Even with syslog reconfigured to log mail.* events,
> smtpd doesn't appear to log anything about MDA/LDA/LMTP failures.
>
> Thirdly, with "deliver to lmtp socket:/var/dovecot/lmtp", I get this
> error: delivery: TempFail for fa75e116051e0c9b:
> from=, to=,
> user=notroot, method=lmtp, delay=18m45s, stat=Error ("smtpd: service
> not supported for ai_socktype")
>
>
> I finally got "deliver to mda" with dovecot-lda working so I'm in
> reasonable shape for now, but I'm baffled by what I did wrong with
> LMTP configuration.
>
> Any ideas on what the correct syntax might be, or if this is just a
> bug?
>
> Thanks,
> -Adam

I have the same wish as you (sieve, dovecot, smtpd) and everything
works perfectly now concerning these different points.

Here is my smtpd conf line:

accept from any for domain "22decembre.eu"  alias 
deliver to lmtp "/var/dovecot/lmtp"

As you can see, you don't use "socket://" but just the path.




Re: openldap password fails to update

2014-03-09 Thread Stéphane Guedon
On Saturday 8 March 2014, 14:20:23 Matthew Weigel wrote:
> On 03/08/2014 12:16 PM, Stéphane Guedon wrote:
> >> I am looking through logs and config since the beginning of the
> >> day... Actually, asking help on forums or mailing lists is always
> >> my last step in solving problems...
>
> We try to help.
>
> But... giving detailed descriptions of the problem, and showing
> relevant configs and logs the first time, goes a long way to
> helping people help you.
>
> Reading manuals helps too. Among others, ypldap(8), ypldap.conf(5),
> login.conf(5), login_ldap(8) from ports, and whatever manuals for
> OpenLDAP.
> > But why can't I authenticate (using ssh or login) on the system ?
> > Do I really have to go through ypldap ? Sounds not efficient to
> > have an intermediate !
>
> There are two separate mechanisms: how user information is looked
> up, and how users are authenticated. You provide zero details on
> how ypldap or login_ldap are configured, so it's hard to guess
> whether you have some configuration wrong. I can say it works for
> me.

Because when beginning, I just tried to auth with ldap alone!
Now that I try with ldap + ypldap, it works.

Thanks guys! I solved it...

>
> The user lookup is configured (via +:: entries in /etc/passwd and
> /etc/group) to use YP routines. Thus the user is looked up in ypldap
> when they attempt to login, which is configured to identify the
> user's login class as ldap. The ldap login class is configured in
> login.conf to authenticate via login_ldap talking to the LDAP
> server, which is configured to have the appropriate users.
>
> This is what I meant by "that's a lot more moving parts than just
> passwords in LDAP."




Re: openldap password fails to update

2014-03-09 Thread Stéphane Guedon
On Saturday 8 March 2014, 16:14:53 Matthew Weigel wrote:
> On 03/08/2014 03:11 PM, Stéphane Guedon wrote:
> > when I use 127.0.0.1 in php scripts, I can use ldap.
> > if the script is running with 'localhost' then, no ldap data...
> >
> > Any idea why ?
> > I have checked host resolution...
> > telnet localhost ldap gives the good behavior
>
> Is PHP running inside a chroot?  Does that chroot have an /etc/hosts
> with an entry for localhost?

You got it! By copying the system hosts file into the nginx/php chroot,
I am now able to log in.




Re: openldap password fails to update

2014-03-08 Thread Stéphane Guedon
On Saturday 8 March 2014, 19:16:07 Stéphane Guedon wrote:
> On Saturday 8 March 2014, 17:21:26 Stéphane Guedon wrote:
> > On Saturday 8 March 2014, 09:09:08 Matthew Weigel wrote:
> > > On Mar 8, 2014, at 6:29 AM, Stéphane Guedon wrote:
> > > > Notably, the user fails to auth and do login (with openbsd login
> > > > system AND webpages) eventhough password is correct according to
> > > > ldap itself !
> > >
> > > That's a lot more moving parts than just passwords in LDAP.
> >
> > Yes, but passwords are the first things to change to secure your
> > users/install.
> >
> > I am currently working on a little webpage in python to allow easy
> > ldap management (add/remove users and groups, passwords update).
> >
> > > Have you checked your configuration of all those moving parts?
> > > Looked at logs? You don't even mention what else you're using,
> > > much less how they've been configured or what their logs report.
> >
> > I am looking through logs and config since the beginning of the
> > day... Actually, asking help on forums or mailing lists is always
> > my last step in solving problems...
> >
> > here is my config :
> >
> > 
> > include schema/core.schema
> > include schema/cosine.schema
> > include schema/inetorgperson.schema
> > include schema/misc.schema
> > include schema/nis.schema
> > include schema/openldap.schema
> >
> > loglevel 256
> >
> > pidfile run/slapd.pid
> > argsfile run/slapd.args
> > allow bind_v2
> > password-hash {SHA}
> >
> > ###
> > # BDB database definitions
> > ###
> >
> > database bdb
> > suffix  "dc=22decembre,dc=eu"
> > rootdn  "cn=admin,dc=22decembre,dc=eu"
> >
> > access to dn.base="" by * read
> > access to dn.base="cn=Subschema" by * read
> >
> > #access to attrs=userpassword
> > #  by self   write
> > #   by anonymous  auth
> > #  by *  none
> >
> > #rootpw secret
> > rootpw  {SSHA}vdszl5a7z9UlAU6iHU0xlKJCY+Tpgmv+
> >
> > # The database directory MUST exist prior to running slapd AND
> > # should only be accessible by the slapd and slap tools.
> > # Mode 700 recommended.
> > directory   data
> > # Indices to maintain
> > index   objectClass eq
> > index   uid eq
> > index   uidNumber   eq
> > index   gidNumber   eq
> > index   memberUid   eq
> > index   homeDirectory   eq
> > index   loginShell  eq
> > index   cn,gn,mail  pres,eq,sub
> >
> > ##
> >
> > I have tried to disable all acl (so default policy : everything
> > readable). But still no possible to logon.
> >
> > Here is what I get when trying to using the login_ldap with
> > debugging
> >
> >
> > # /usr/local/libexec/auth/login_-ldap -d -s login stephane ldap
> > Password:
> >
> > load_ssl_certs says:
> > cacert none
> > cacertdir none
> > usercert none
> > userkey none
> >
> > parse_server_line buf = localhost
> > parse_server_line port == NULL, will use default
> > parse_server_line mode == NULL, will use default
> > host localhost, port 389, version 3
> > setting cert info
> > clearing ssl set
> > connect success!
> > set version to 3
> >
> > defaults:
> > basedn ou=users,dc=22decembre,dc=eu
> > binddn none
> > bindpw none
> >
> > set timeout sec 60, usec 6
> > set noref 0
> > set keepcreds 0
> > bind success!
> >
> > usearch:
> > ufilter (&(objectclass=posixAccount)(uid=stephane))
> > scope: sub
> >
> > 0: search (ou=users,dc=22decembre,dc=eu,
> > (&(objectclass=posixAccount) (uid=stephane)))
> > 1: msgid 0, type 64
> > 1: SEARCH_ENTRY userdn uid=stephane,ou=users,dc=22decembre,dc=eu
> > 1: msgid 1, type 65
> > 1: returning userdn = uid=stephane,ou=users,dc=22decembre,dc=eu
> > userdn uid=stephane,ou=users,dc=22decembre,dc=eu

Re: openldap password fails to update

2014-03-08 Thread Stéphane Guedon
On Saturday 8 March 2014, 17:21:26 Stéphane Guedon wrote:
> On Saturday 8 March 2014, 09:09:08 Matthew Weigel wrote:
> > On Mar 8, 2014, at 6:29 AM, Stéphane Guedon wrote:
> > > Notably, the user fails to auth and do login (with openbsd login
> > > system AND webpages) eventhough password is correct according to
> > > ldap itself !
> > 
> > That's a lot more moving parts than just passwords in LDAP.
> 
> Yes, but passwords are the first things to change to secure your
> users/install.
> 
> I am currently working on  a little webpage in python to allow easy
> ldap management (add/remove users and groups, passwords update).
> 
> > Have you
> > checked your configuration of all those moving parts? Looked at
> > logs? You don't even mention what else you're using, much less how
> > they've been configured or what their logs report.
> 
> I am looking through logs and config since the beginning of the
> day... Actually, asking help on forums or mailing lists is always
> my last step in solving problems...
> 
> here is my config :
> 
> 
> include schema/core.schema
> include schema/cosine.schema
> include schema/inetorgperson.schema
> include schema/misc.schema
> include schema/nis.schema
> include schema/openldap.schema
> 
> loglevel 256
> 
> pidfile run/slapd.pid
> argsfile run/slapd.args
> allow bind_v2
> password-hash {SHA}
> 
> ###
> # BDB database definitions
> ###
> 
> database bdb
> suffix  "dc=22decembre,dc=eu"
> rootdn  "cn=admin,dc=22decembre,dc=eu"
> 
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
> 
> #access to attrs=userpassword
> #  by self   write
> #   by anonymous  auth
> #  by *  none
> 
> #rootpw secret
> rootpw  {SSHA}vdszl5a7z9UlAU6iHU0xlKJCY+Tpgmv+
> 
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory   data
> # Indices to maintain
> index   objectClass eq
> index   uid eq
> index   uidNumber   eq
> index   gidNumber   eq
> index   memberUid   eq
> index   homeDirectory   eq
> index   loginShell  eq
> index   cn,gn,mail  pres,eq,sub
> 
> ##
> 
> I have tried to disable all acl (so default policy : everything
> readable). But still no possible to logon.
> 
> Here is what I get when trying to using the login_ldap with
> debugging
> 
> 
> # /usr/local/libexec/auth/login_-ldap -d -s login stephane ldap
> Password:
> load_ssl_certs says:
> cacert none
> cacertdir none
> usercert none
> userkey none
> parse_server_line buf = localhost
> parse_server_line port == NULL, will use default
> parse_server_line mode == NULL, will use default
> host localhost, port 389, version 3
> setting cert info
> clearing ssl set
> connect success!
> set version to 3
> defaults:
> basedn ou=users,dc=22decembre,dc=eu
> binddn none
> bindpw none
> set timeout sec 60, usec 6
> set noref 0
> set keepcreds 0
> bind success!
> usearch:
> ufilter (&(objectclass=posixAccount)(uid=stephane))
> scope: sub
> 0: search (ou=users,dc=22decembre,dc=eu,
> (&(objectclass=posixAccount) (uid=stephane)))
> 1: msgid 0, type 64
> 1: SEARCH_ENTRY userdn uid=stephane,ou=users,dc=22decembre,dc=eu
> 1: msgid 1, type 65
> 1: returning userdn = uid=stephane,ou=users,dc=22decembre,dc=eu
> userdn uid=stephane,ou=users,dc=22decembre,dc=eu
> user bind failed, dn: uid=stephane,ou=users,dc=22decembre,dc=eu
> reject

When using the one in /usr/libexec/auth/login_... instead of
/usr/local/libexec... it works!

And I can start ypldap!

But why can't I authenticate (using ssh or login) on the system? Do I
really have to go through ypldap? Sounds not efficient to have an
intermediate!

And I am still having problems with my php scripts, which I am debugging
now.

Thanks for your help and answers. Please continue if you have any idea!
:D

> 
> > I am using ypldap from base and login_ldap from ports; your mileage
> > may vary.
> > 
> > > By the way, anybody use the light ldapd daemon included in base ?
> > > can we update password with it ?
> > 
> > I use it. It does not currently support the modify password
> > extended operation (what ldappasswd relies on). I am working on a
> > patch for it but I haven't finished it and it requires a bit more
> > refactoring than just processing one new request.
> 
> Ok, so I think I will check ldapd from time to time...
> 
> > --
> > Matthew Weigel



Re: openldap password fails to update

2014-03-08 Thread Stéphane Guedon
On Saturday 8 March 2014, 09:09:08 Matthew Weigel wrote:
> On Mar 8, 2014, at 6:29 AM, Stéphane Guedon wrote:
> > Notably, the user fails to auth and do login (with openbsd login
> > system AND webpages) eventhough password is correct according to
> > ldap itself !
>
> That's a lot more moving parts than just passwords in LDAP.

Yes, but passwords are the first things to change to secure your
users/install.

I am currently working on a little webpage in python to allow easy
ldap management (add/remove users and groups, password updates).

> Have you
> checked your configuration of all those moving parts? Looked at
> logs? You don't even mention what else you're using, much less how
> they've been configured or what their logs report.

I have been looking through logs and config since the beginning of the day...
Actually, asking for help on forums or mailing lists is always my last
step in solving problems...

Here is my config:


include schema/core.schema
include schema/cosine.schema
include schema/inetorgperson.schema
include schema/misc.schema
include schema/nis.schema
include schema/openldap.schema

loglevel 256

pidfile run/slapd.pid
argsfile run/slapd.args
allow bind_v2
password-hash {SHA}

###
# BDB database definitions
###

database bdb
suffix  "dc=22decembre,dc=eu"
rootdn  "cn=admin,dc=22decembre,dc=eu"

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

#access to attrs=userpassword
#  by self   write
#   by anonymous  auth
#  by *  none

#rootpw secret
rootpw  {SSHA}vdszl5a7z9UlAU6iHU0xlKJCY+Tpgmv+

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   data
# Indices to maintain
index   objectClass eq
index   uid eq
index   uidNumber   eq
index   gidNumber   eq
index   memberUid   eq
index   homeDirectory   eq
index   loginShell  eq
index   cn,gn,mail  pres,eq,sub

##

I have tried to disable all ACLs (so default policy: everything
readable). But still not possible to log on.

Here is what I get when trying to use login_ldap with debugging:

# /usr/local/libexec/auth/login_-ldap -d -s login stephane ldap
Password:
load_ssl_certs says:
cacert none
cacertdir none
usercert none
userkey none
parse_server_line buf = localhost
parse_server_line port == NULL, will use default
parse_server_line mode == NULL, will use default
host localhost, port 389, version 3
setting cert info
clearing ssl set
connect success!
set version to 3
defaults:
basedn ou=users,dc=22decembre,dc=eu
binddn none
bindpw none
set timeout sec 60, usec 6
set noref 0
set keepcreds 0
bind success!
usearch:
ufilter (&(objectclass=posixAccount)(uid=stephane))
scope: sub
0: search (ou=users,dc=22decembre,dc=eu, (&(objectclass=posixAccount)
(uid=stephane)))
1: msgid 0, type 64
1: SEARCH_ENTRY userdn uid=stephane,ou=users,dc=22decembre,dc=eu
1: msgid 1, type 65
1: returning userdn = uid=stephane,ou=users,dc=22decembre,dc=eu
userdn uid=stephane,ou=users,dc=22decembre,dc=eu
user bind failed, dn: uid=stephane,ou=users,dc=22decembre,dc=eu
reject



> I am using ypldap from base and login_ldap from ports; your mileage
> may vary.
> > By the way, anybody use the light ldapd daemon included in base ?
> > can we update password with it ?
>
> I use it. It does not currently support the modify password extended
> operation (what ldappasswd relies on). I am working on a patch for
> it but I haven't finished it and it requires a bit more refactoring
> than just processing one new request.

Ok, so I think I will check ldapd from time to time...

> --
> Matthew Weigel




Re: openldap password fails to update

2014-03-08 Thread Stéphane Guedon
Le samedi 8 mars 2014, 12:23:19 Stuart Henderson a écrit :
> On 2014-03-07, Stéphane Guedon  wrote:
> > But when I try to change this user password it fails :
> >
> > # ldappasswd  -x -v -D "uid=test,ou=users,dc=22decembre,dc=eu" \
> > -w somesecret -s anothersec
> > ldap_initialize(  )
> > Result: Other (e.g., implementation specific) error (80)
> > Additional info: password hash failed
>
> What is "password-hash" set to in slapd.conf on the server?
>
> I think there is a bug with "password-hash {CRYPT}", if you use this
> you can try "password-hash {SSHA}" for now, or (probably better)
> encrypt the password locally and change it using ldapmodify (or
> ldapvi, etc).
>
> > slappasswd never gives the same result !
>
> That's expected for salted hashes.
>
> > Can any of you suggest what's wrong? Do you need other
> > information?
>
> It won't necessarily help, but you should always mention versions
> (or dates if building from source) of any relevant software and
> what machine architecture you use in any problem report.

Thanks everybody from the list...
I changed the standard hash yesterday and now password update works.
But I am still having problems with other parts of LDAP...

Notably, the user fails to auth and log in (with the OpenBSD login
system AND web pages) even though the password is correct according to
LDAP itself!

By the way, does anybody use the light ldapd daemon included in base? Can
we update passwords with it?




openldap password fails to update

2014-03-07 Thread Stéphane Guedon
Hello everybody.

I am currently finishing my OpenBSD server. Most of the installation went
pretty well :-).

Now I am on to OpenLDAP. I successfully installed the server and
launched it in a chroot for security.

My problem is weird: using ldapadd, I can add people and stuff.

ldapadd -x -D "cn=admin,dc=22decembre,dc=eu" -w secret -f stef.ldif 


adding new entry "uid=test,ou=users,dc=22decembre,dc=eu"

But when I try to change this user's password it fails:

# ldappasswd  -x -v -D "uid=test,ou=users,dc=22decembre,dc=eu" \
-w somesecret -s anothersec
ldap_initialize(  )
Result: Other (e.g., implementation specific) error (80)
Additional info: password hash failed


and when looking in the logs I don't see why it fails!

Mar  7 10:29:35 blackblock slapd[26351]: => slap_access_allowed: auth 
access granted by auth(=xd) 
Mar  7 10:29:35 blackblock slapd[26351]: => access_allowed: auth 
access granted by auth(=xd) 
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=0 BIND 
dn="uid=test,ou=users,dc=22decembre,dc=eu" mech=SIMPLE ssf=0 
Mar  7 10:29:35 blackblock slapd[26351]: do_bind: v3 bind: 
"uid=test,ou=users,dc=22decembre,dc=eu" to 
"uid=test,ou=users,dc=22decembre,dc=eu" 
Mar  7 10:29:35 blackblock slapd[26351]: send_ldap_result: conn=1014 
op=0 p=3 
Mar  7 10:29:35 blackblock slapd[26351]: send_ldap_result: err=0 
matched="" text="" 
Mar  7 10:29:35 blackblock slapd[26351]: send_ldap_response: msgid=1 
tag=97 err=0 
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=0 RESULT tag=97 
err=0 text= 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on 1 
descriptor 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on:
Mar  7 10:29:35 blackblock slapd[26351]:  22r
Mar  7 10:29:35 blackblock slapd[26351]:  
Mar  7 10:29:35 blackblock slapd[26351]: daemon: read activity on 22 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=6 
active_threads=0 tvp=NULL 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=7 
active_threads=0 tvp=NULL 
Mar  7 10:29:35 blackblock slapd[26351]: connection_get(22) 
Mar  7 10:29:35 blackblock slapd[26351]: connection_get(22): got 
connid=1014 
Mar  7 10:29:35 blackblock slapd[26351]: connection_read(22): checking 
for input on id=1014 
Mar  7 10:29:35 blackblock slapd[26351]: op tag 0x77, time 1394184575 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on 1 
descriptor 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: waked 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=6 
active_threads=0 tvp=NULL 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=7 
active_threads=0 tvp=NULL 
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=1 do_extended 
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=1 EXT 
oid=1.3.6.1.4.1.4203.1.11.1 
Mar  7 10:29:35 blackblock slapd[26351]: do_extended: 
oid=1.3.6.1.4.1.4203.1.11.1 
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=1 PASSMOD new 
Mar  7 10:29:35 blackblock slapd[26351]: 
bdb_dn2entry("uid=test,ou=users,dc=22decembre,dc=eu") 
Mar  7 10:29:35 blackblock slapd[26351]: send_ldap_extended: err=80 
oid= len=0 
Mar  7 10:29:35 blackblock slapd[26351]: send_ldap_response: msgid=2 
tag=120 err=80 
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=1 RESULT oid= 
err=80 text=password hash failed 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on 1 
descriptor 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on:
Mar  7 10:29:35 blackblock slapd[26351]:  22r
Mar  7 10:29:35 blackblock slapd[26351]:  
Mar  7 10:29:35 blackblock slapd[26351]: daemon: read activity on 22 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=6 
active_threads=0 tvp=NULL 
Mar  7 10:29:35 blackblock slapd[26351]: connection_get(22) 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=7 
active_threads=0 tvp=NULL 
Mar  7 10:29:35 blackblock slapd[26351]: connection_get(22): got 
connid=1014 
Mar  7 10:29:35 blackblock slapd[26351]: connection_read(22): checking 
for input on id=1014 
Mar  7 10:29:35 blackblock slapd[26351]: op tag 0x42, time 1394184575 
Mar  7 10:29:35 blackblock slapd[26351]: ber_get_next on fd 22 failed 
errno=0 (Undefined error: 0) 
Mar  7 10:29:35 blackblock slapd[26351]: connection_read(22): input 
error=-2 id=1014, closing. 
Mar  7 10:29:35 blackblock slapd[26351]: connection_closing: readying 
conn=1014 sd=22 for close 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on 1 
descriptor 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: waked 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=6 
active_threads=0 tvp=NULL 
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=7 
active_threads=0 tvp=NULL 
Mar  7 10:29:35 blackblock slapd[26351]: connection_close: deferring 
conn=1014 sd=22 
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=2 do_unbin