Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Željko Puškarić
Hi everyone,

@Martijn
Thanks a lot, ypbind was not mentioned on the page I used, when I
enabled and started ypbind I was able to authenticate against LDAP.

# rcctl enable ypbind
# rcctl start ypbind

@Janne
I made a symbolic link at /bin/bash that points to /usr/local/bin/bash so
the user shell points to the right place.


-Original Message-
From: Martijn van Duren 
To: Željko Puškarić , misc@openbsd.org
Subject: Re: Problems with LDAP authorization against OpenLDAP server
Date: Fri, 14 Oct 2022 14:36:18 +0200

On Fri, 2022-10-14 at 14:14 +0200, Željko Puškarić wrote:
> Hi Stuart,
> 
> adding all of my users to /etc/master.passwd would be an administrative
> burden, I would have to do that on every OpenBSD box and removing
> users would mean I'll have to remove users from all OpenBSD boxes so
> I am trying to avoid that.

The suggestion was to test it out to see if the problem is just in
ypldap(8), or also in login_ldap.

One of the things I see is that you haven't set up ypbind(8), which
might be a big part why things fail for you.

> Since shell is retrieved from LDAP and is used to log in to Linux
> boxes
> too I just set it as is set on Linux (installed bash on OpenBSD prior
> to setting LDAP authentication).
> Why is bash a bad idea on OpenBSD?
> 
> 
> -Original Message-
> From: Stuart Henderson <stu.li...@spacehopper.org>
> To: misc@openbsd.org
> Subject: Re: Problems with LDAP authorization against OpenLDAP server
> Date: Fri, 14 Oct 2022 11:29:34 - (UTC)
> 
> On 2022-10-14, Željko Puškarić <zpuska...@hzhm.hr> wrote:
> > I am a seasoned Linux admin and my first foray into the world of
> > OpenBSD confronted me with a problem.
> > What I am trying to achieve is enabling authorization to OpenBSD
> > machine against existing OpenLDAP server (hosted on Linux).
> > In order to achieve that I followed these instructions: 
> > https://blog.obtusenet.com/openbsd-and-ldap/
> > 
> > 
> 
> I would start by adding as master.passwd entry for your user (you
> can just put * as the hashed password) and try to login while using
> login_ldap to handle the password.
> 
> That way you can at least confirm that login_ldap is working while
> investigating ypldap.
> 
> I can't help much with ypldap (I had it working once but decided to
> just build static master.passwd files based on the contents of ldap
> and
> push them out as it was much simpler and login_ldap did most of what
> I wanted), but a couple of quick comments, other than that
> /var/log/authlog might give some clues...
> 
> > attribute passwd maps to "userPassword"
> > #   fixed attribute passwd "*"
> > ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
> 
> Since you're using login_ldap you don't need the userPassword->passwd
> map, I think it's simpler to use "fixed attribute *" so it's clear that
> the password auth is not being done via yp. (login_ldap does a live check
> at login time, whereas if you were authing via the yp map then 1) you
> would need to avoid the {BCRYPT} prefix and 2) caching will get in the
> way of password changes etc).
> 
> Probably /bin/bash is not what you want as a shell for OpenBSD boxes.
> 
> > fixed attribute class ""
> 
> I used a separate class for ldap users set ('fixed attribute class
> "ldap"'), and created that class in login.conf with "auth=ldap" (so
> that only the users I expected to come from ldap tried to use ldap for
> authentication).


Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Jonathan Matthew
On Fri, Oct 14, 2022 at 12:48:05PM +0200, Željko Puškarić wrote:
> Hi everyone,
> 
> I am a seasoned Linux admin and my first foray into the world of
> OpenBSD confronted me with a problem.
> What I am trying to achieve is enabling authorization to OpenBSD
> machine against existing OpenLDAP server (hosted on Linux).
> In order to achieve that I followed these instructions: 
> https://blog.obtusenet.com/openbsd-and-ldap/
> According to the instructions I changed the line in /etc/login.conf to
> look like: 
> 
> auth-defaults:auth=ldap,passwd,skey:
> 
> then created /etc/login_ldap.conf:
> 
> host=ldap+tls://ldap.example.com
> cacert=/etc/ssl/example.com.crt
> scope=sub
> timeout=15
> basedn=ou=accounts,dc=example,dc=com
> binddn=cn=reader,dc=example,dc=com
> bindpw=secret
> filter=(&(objectClass=posixAccount)(description=active)(uid=%u))
> gbasedn=ou=groups,dc=example,dc=com
> gfilter=(&(objectClass=posixGroup)(memberUid=%u))
> 
> put example.com into /etc/defaultdomain

The domain name written to the file is only applied at boot time.
You can set it without rebooting by running 'domainname example.com'.

> 
> enabled and started portmap service:
> 
> # rcctl enable portmap
> # rcctl start portmap
> 
> After that I configured /var/yp/example.com/ypservers.db file by
> executing.
> 
> # ypinit -m
> 
> defining servers as:
> 
> localhost
> 
> It all got done without any errors.

You don't need to run ypinit to use ypldap.

> 
> After that created /etc/ypldap.conf:
> 
> # $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
> 
> domain "example.com"
> interval 60
> provide map "passwd.byname"
> provide map "passwd.byuid"
> provide map "group.byname"
> provide map "group.bygid"
> provide map "netid.byname"
> 
> directory "ldap.example.com" {
>   # directory options
>   binddn "cn=reader,dc=example,dc=com"
>   bindcred "secret"
>   basedn "ou=accounts,dc=example,dc=com"
>   # starting point for groups directory search, default to basedn
>   groupdn "ou=groups,dc=example,dc=com"
> 
>   # passwd maps configuration (RFC 2307 posixAccount object class)
>   passwd filter "(&(objectClass=posixAccount)(description=active))"
> 
>   attribute name maps to "uid"
>   attribute passwd maps to "userPassword"
> # fixed attribute passwd "*"
>   attribute uid maps to "uidNumber"
>   attribute gid maps to "gidNumber"
>   attribute gecos maps to "cn"
>   attribute home maps to "homeDirectory"
>   attribute shell maps to "loginShell"
>   fixed attribute change "0"
>   fixed attribute expire "0"
>   fixed attribute class ""
> 
>   # group maps configuration (RFC 2307 posixGroup object class)
>   group filter "(&(objectClass=posixGroup)(memberUid=%u))"
> 
>   attribute groupname maps to "cn"
>   fixed attribute grouppasswd "*"
>   attribute groupgid maps to "gidNumber"
>   # memberUid returns multiple group members
>   list groupmembers maps to "memberUid"
> }
> 
> and enabled and started the ypldap service:
> 
> # rcctl enable ypldap
> # rcctl start ypldap
> 
> I also added "+:*" to /etc/master.passwd and updated database:
> 
> # echo '+:*' >> /etc/master.passwd
> # pwd_mkdb -p /etc/master.passwd
> 
> After that I checked if LDAP users would be visible by using:
> 
> # getent passwd
> 
> but LDAP users are not visible.

Is ypbind running?

> 
> In order to check ypldap I stopped the service and ran it as:
> 
> # rcctl stop ypldap
> # ypldap -dv
> 
> and got:
> 
> startup [debug mode]
> configuration starting
> applying configuration
> connecting to directories
> starting directory update
> searching password entries
> searching group entries
> updates are over, cleaning up trees now
> flattening trees
> 
> pushing line:
> ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZr
> SgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
> done pushing users
> done pushing groups
> 
> so I deduced that the connection to the LDAP server is working, but when I try
> to log in as user ttestic it does not work.
> 
> Could the problem be that by default OpenBSD now uses 11 as the default
> password hashing cost, unlike in LDAP where the cost is 8?
> 
> If that is not the problem what could I do to troubleshoot my problem?

If the user shows up in the ypldap debug output, but isn't visible with
getent, libc isn't talking to ypldap.  If the domain name isn't set or
ypbind isn't running, libc won't talk to ypldap.



Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Martijn van Duren
On Fri, 2022-10-14 at 14:14 +0200, Željko Puškarić wrote:
> Hi Stuart,
> 
> adding all of my users to /etc/master.passwd would be an administrative
> burden, I would have to do that on every OpenBSD box and removing users would 
> mean I'll have to remove users from all OpenBSD boxes so I am trying to avoid 
> that.

The suggestion was to test it out to see if the problem is just in
ypldap(8), or also in login_ldap.

One of the things I see is that you haven't set up ypbind(8), which
might be a big part why things fail for you.

> Since shell is retrieved from LDAP and is used to log in to Linux boxes
> too I just set it as is set on Linux (installed bash on OpenBSD prior
> to setting LDAP authentication).
> Why is bash a bad idea on OpenBSD?
> 
> 
> -Original Message-
> From: Stuart Henderson 
> To: misc@openbsd.org
> Subject: Re: Problems with LDAP authorization against OpenLDAP server
> Date: Fri, 14 Oct 2022 11:29:34 - (UTC)
> 
> On 2022-10-14, Željko Puškarić <zpuska...@hzhm.hr> wrote:
> > I am a seasoned Linux admin and my first foray into the world of
> > OpenBSD confronted me with a problem.
> > What I am trying to achieve is enabling authorization to OpenBSD
> > machine against existing OpenLDAP server (hosted on Linux).
> > In order to achieve that I followed these instructions: 
> > https://blog.obtusenet.com/openbsd-and-ldap/
> > 
> 
> I would start by adding as master.passwd entry for your user (you
> can just put * as the hashed password) and try to login while using
> login_ldap to handle the password.
> 
> That way you can at least confirm that login_ldap is working while
> investigating ypldap.
> 
> I can't help much with ypldap (I had it working once but decided to
> just build static master.passwd files based on the contents of ldap and
> push them out as it was much simpler and login_ldap did most of what
> I wanted), but a couple of quick comments, other than that
> /var/log/authlog might give some clues...
> 
> > attribute passwd maps to "userPassword"
> > #   fixed attribute passwd "*"
> > ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
> 
> Since you're using login_ldap you don't need the userPassword->passwd
> map, I think it's simpler to use "fixed attribute *" so it's clear that
> the password auth is not being done via yp. (login_ldap does a live check
> at login time, whereas if you were authing via the yp map then 1) you
> would need to avoid the {BCRYPT} prefix and 2) caching will get in the
> way of password changes etc).
> 
> Probably /bin/bash is not what you want as a shell for OpenBSD boxes.
> 
> > fixed attribute class ""
> 
> I used a separate class for ldap users set ('fixed attribute class
> "ldap"'), and created that class in login.conf with "auth=ldap" (so
> that only the users I expected to come from ldap tried to use ldap for
> authentication).



Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Janne Johansson
> Why is bash a bad idea on OpenBSD?

Not bash in itself, but having it in /bin. If you installed it from
packages/ports it would end up under /usr/local/bin instead, so the
users shell would point to the wrong place.

-- 
May the most significant bit of your life be positive.



Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Željko Puškarić
Hi Stuart,

adding all of my users to /etc/master.passwd would be an administrative
burden, I would have to do that on every OpenBSD box and removing users would 
mean I'll have to remove users from all OpenBSD boxes so I am trying to avoid 
that.
Since shell is retrieved from LDAP and is used to log in to Linux boxes
too I just set it as is set on Linux (installed bash on OpenBSD prior
to setting LDAP authentication).
Why is bash a bad idea on OpenBSD?


-Original Message-
From: Stuart Henderson 
To: misc@openbsd.org
Subject: Re: Problems with LDAP authorization against OpenLDAP server
Date: Fri, 14 Oct 2022 11:29:34 - (UTC)

On 2022-10-14, Željko Puškarić <zpuska...@hzhm.hr> wrote:
> I am a seasoned Linux admin and my first foray into the world of
> OpenBSD confronted me with a problem.
> What I am trying to achieve is enabling authorization to OpenBSD
> machine against existing OpenLDAP server (hosted on Linux).
> In order to achieve that I followed these instructions: 
> https://blog.obtusenet.com/openbsd-and-ldap/
> 

I would start by adding as master.passwd entry for your user (you
can just put * as the hashed password) and try to login while using
login_ldap to handle the password.

That way you can at least confirm that login_ldap is working while
investigating ypldap.

I can't help much with ypldap (I had it working once but decided to
just build static master.passwd files based on the contents of ldap and
push them out as it was much simpler and login_ldap did most of what
I wanted), but a couple of quick comments, other than that
/var/log/authlog might give some clues...

>   attribute passwd maps to "userPassword"
> # fixed attribute passwd "*"
> ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash

Since you're using login_ldap you don't need the userPassword->passwd
map, I think it's simpler to use "fixed attribute *" so it's clear that
the password auth is not being done via yp. (login_ldap does a live check
at login time, whereas if you were authing via the yp map then 1) you
would need to avoid the {BCRYPT} prefix and 2) caching will get in the
way of password changes etc).

Probably /bin/bash is not what you want as a shell for OpenBSD boxes.

>   fixed attribute class ""

I used a separate class for ldap users set ('fixed attribute class
"ldap"'), and created that class in login.conf with "auth=ldap" (so
that only the users I expected to come from ldap tried to use ldap for
authentication).







Re: Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Stuart Henderson
On 2022-10-14, Željko Puškarić  wrote:
> I am a seasoned Linux admin and my first foray into the world of
> OpenBSD confronted me with a problem.
> What I am trying to achieve is enabling authorization to OpenBSD
> machine against existing OpenLDAP server (hosted on Linux).
> In order to achieve that I followed these instructions: 
> https://blog.obtusenet.com/openbsd-and-ldap/

I would start by adding as master.passwd entry for your user (you
can just put * as the hashed password) and try to login while using
login_ldap to handle the password.

That way you can at least confirm that login_ldap is working while
investigating ypldap.

I can't help much with ypldap (I had it working once but decided to
just build static master.passwd files based on the contents of ldap and
push them out as it was much simpler and login_ldap did most of what
I wanted), but a couple of quick comments, other than that
/var/log/authlog might give some clues...

>   attribute passwd maps to "userPassword"
> # fixed attribute passwd "*"
> ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash

Since you're using login_ldap you don't need the userPassword->passwd
map, I think it's simpler to use "fixed attribute *" so it's clear that
the password auth is not being done via yp. (login_ldap does a live check
at login time, whereas if you were authing via the yp map then 1) you
would need to avoid the {BCRYPT} prefix and 2) caching will get in the
way of password changes etc).

Probably /bin/bash is not what you want as a shell for OpenBSD boxes.

>   fixed attribute class ""

I used a separate class for ldap users set ('fixed attribute class
"ldap"'), and created that class in login.conf with "auth=ldap" (so
that only the users I expected to come from ldap tried to use ldap for
authentication).


-- 
Please keep replies on the mailing list.
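
Stuart's alternative above, generating static master.passwd entries from the directory contents and leaving the live password check to login_ldap(8), can be scripted. What follows is an added example written for this page, not code from the thread or from OpenBSD. It turns RFC 2307 posixAccount entries into master.passwd(5) lines and applies the points made in the thread: the password field is "*" unless the directory hash is explicitly requested, in which case the RFC 2307 {BCRYPT} prefix is stripped and the value must be a bcrypt hash crypt(3) can use; the login class is a dedicated "ldap" class that login.conf maps to auth=ldap; and a package shell such as /bin/bash is rewritten to /usr/local/bin. The LDIF below is constructed sample input shaped after the thread's ttestic user plus an invented disabled account; the class name, the shell mapping table and the description=active filter are assumptions taken from the thread's configuration.

```python
"""Generate static master.passwd(5) lines from RFC 2307 posixAccount entries.

Added example for this page; not code from the thread or from OpenBSD.
"""
import re

# Constructed sample LDIF: the thread's ttestic entry plus an invented
# disabled account that must not get a line.
SAMPLE_LDIF = """\
dn: uid=ttestic,ou=accounts,dc=example,dc=com
objectClass: posixAccount
uid: ttestic
uidNumber: 10042
gidNumber: 10006
cn: test testic
homeDirectory: /home/ttestic
loginShell: /bin/bash
description: active
userPassword: {BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZrSgBlq

dn: uid=old,ou=accounts,dc=example,dc=com
objectClass: posixAccount
uid: old
uidNumber: 10043
gidNumber: 10006
cn: Old Account
homeDirectory: /home/old
loginShell: /bin/sh
description: disabled
"""

# Assumed: shells installed from packages live under /usr/local/bin on
# OpenBSD, so a Linux-style loginShell is remapped instead of symlinked.
SHELL_MAP = {"/bin/bash": "/usr/local/bin/bash", "/bin/zsh": "/usr/local/bin/zsh"}

# Shape of a bcrypt hash as OpenBSD's crypt(3) produces it: $2b$<cost>$ + 53 chars.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of values."""
    entries, entry, last = [], {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:   # LDIF line folding
            entry[last][-1] += line[1:]
            continue
        if not line.strip():                              # blank line ends an entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
        last = attr
    if entry:
        entries.append(entry)
    return entries


def passwd_field(entry, use_ldap_hash):
    """'*' when login_ldap(8) checks the password live (what the thread
    recommends); otherwise the directory hash with the RFC 2307 {BCRYPT}
    prefix removed, rejected unless crypt(3) could actually verify it."""
    if not use_ldap_hash:
        return "*"
    raw = entry.get("userPassword", [""])[0]
    if raw.startswith("{BCRYPT}"):
        raw = raw[len("{BCRYPT}"):]
    if not BCRYPT_RE.match(raw):
        # Never emit an empty or foreign hash: an empty field is a
        # passwordless account, and e.g. a {SSHA} value can never match.
        raise ValueError("userPassword for %s is not a usable bcrypt hash" % entry["uid"][0])
    return raw


def master_passwd_line(entry, login_class="ldap", use_ldap_hash=False):
    """name:password:uid:gid:class:change:expire:gecos:home:shell"""
    shell = entry["loginShell"][0]
    fields = [
        entry["uid"][0],
        passwd_field(entry, use_ldap_hash),
        entry["uidNumber"][0],
        entry["gidNumber"][0],
        login_class,                 # login.conf class carrying auth=ldap
        "0", "0",                    # change, expire: 0 means never
        entry.get("cn", [""])[0],
        entry["homeDirectory"][0],
        SHELL_MAP.get(shell, shell),
    ]
    if not (fields[2].isdigit() and fields[3].isdigit()):
        raise ValueError("non-numeric uidNumber/gidNumber for %s" % fields[0])
    if not re.match(r"^[a-z_][a-z0-9_-]*$", fields[0]):
        raise ValueError("unsafe user name %r" % fields[0])
    for f in fields:
        if ":" in f or "\n" in f:    # a colon in gecos would shift every later field
            raise ValueError("separator inside field %r for %s" % (f, fields[0]))
    return ":".join(fields)


def build_master_passwd(ldif_text, **kw):
    """Lines for entries matching the thread's filter
    (&(objectClass=posixAccount)(description=active)), in directory order."""
    lines = []
    for e in parse_ldif(ldif_text):
        if "posixAccount" not in e.get("objectClass", []):
            continue
        if "active" not in e.get("description", []):
            continue
        lines.append(master_passwd_line(e, **kw))
    return lines


if __name__ == "__main__":
    print("\n".join(build_master_passwd(SAMPLE_LDIF)))
```

The generated lines are appended to /etc/master.passwd and activated with pwd_mkdb -p, with an "ldap" class in login.conf that sets auth=ldap; the default "*" password field keeps yp-style hash caching out of the picture entirely. Any entry that would produce an empty password field, a non-bcrypt hash, or a colon inside a field is rejected rather than written, because each of those silently changes who can log in.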



Problems with LDAP authorization against OpenLDAP server

2022-10-14 Thread Željko Puškarić
Hi everyone,

I am a seasoned Linux admin and my first foray into the world of
OpenBSD confronted me with a problem.
What I am trying to achieve is enabling authorization to OpenBSD
machine against existing OpenLDAP server (hosted on Linux).
In order to achieve that I followed these instructions: 
https://blog.obtusenet.com/openbsd-and-ldap/
According to the instructions I changed the line in /etc/login.conf to
look like: 

auth-defaults:auth=ldap,passwd,skey:

then created /etc/login_ldap.conf:

host=ldap+tls://ldap.example.com
cacert=/etc/ssl/example.com.crt
scope=sub
timeout=15
basedn=ou=accounts,dc=example,dc=com
binddn=cn=reader,dc=example,dc=com
bindpw=secret
filter=(&(objectClass=posixAccount)(description=active)(uid=%u))
gbasedn=ou=groups,dc=example,dc=com
gfilter=(&(objectClass=posixGroup)(memberUid=%u))

put example.com into /etc/defaultdomain

enabled and started portmap service:

# rcctl enable portmap
# rcctl start portmap

After that I configured /var/yp/example.com/ypservers.db file by
executing.

# ypinit -m

defining servers as:

localhost

It all got done without any errors.

After that created /etc/ypldap.conf:

# $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $

domain "example.com"
interval 60
provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"
provide map "netid.byname"

directory "ldap.example.com" {
# directory options
binddn "cn=reader,dc=example,dc=com"
bindcred "secret"
basedn "ou=accounts,dc=example,dc=com"
# starting point for groups directory search, default to basedn
groupdn "ou=groups,dc=example,dc=com"

# passwd maps configuration (RFC 2307 posixAccount object class)
passwd filter "(&(objectClass=posixAccount)(description=active))"

attribute name maps to "uid"
attribute passwd maps to "userPassword"
#   fixed attribute passwd "*"
attribute uid maps to "uidNumber"
attribute gid maps to "gidNumber"
attribute gecos maps to "cn"
attribute home maps to "homeDirectory"
attribute shell maps to "loginShell"
fixed attribute change "0"
fixed attribute expire "0"
fixed attribute class ""

# group maps configuration (RFC 2307 posixGroup object class)
group filter "(&(objectClass=posixGroup)(memberUid=%u))"

attribute groupname maps to "cn"
fixed attribute grouppasswd "*"
attribute groupgid maps to "gidNumber"
# memberUid returns multiple group members
list groupmembers maps to "memberUid"
}

and enabled and started the ypldap service:

# rcctl enable ypldap
# rcctl start ypldap

I also added "+:*" to /etc/master.passwd and updated database:

# echo '+:*' >> /etc/master.passwd
# pwd_mkdb -p /etc/master.passwd

After that I checked if LDAP users would be visible by using:

# getent passwd

but LDAP users are not visible.

In order to check ypldap I stopped the service and ran it as:

# rcctl stop ypldap
# ypldap -dv

and got:

startup [debug mode]
configuration starting
applying configuration
connecting to directories
starting directory update
searching password entries
searching group entries
updates are over, cleaning up trees now
flattening trees

pushing line:
ttestic:{BCRYPT}$2b$08$eL8cupOC/ZqkRSKNjHW1D.0h541GVCf4F3GXTSoMX2DUBpZr
SgBlq:10042:10006::0:0:test testic:/home/ttestic:/bin/bash
done pushing users
done pushing groups

so I deduced that the connection to the LDAP server is working, but when I try
to log in as user ttestic it does not work.

Could the problem be that by default OpenBSD now uses 11 as the default
password hashing cost, unlike in LDAP where the cost is 8?

If that is not the problem what could I do to troubleshoot my problem?





Re: 6.8 openldap and SSL/TLS problem after upgrade

2020-12-23 Thread Kapetanakis Giannis

On 23/12/2020 03:53, Stuart Henderson wrote:

On 2020-12-22, Kapetanakis Giannis  wrote:

Hi,

After upgrading to 6.8-release I can no longer connect to my ldap server with 
openldap and SSL/TLS.
I'm using a self signed root CA to sign LDAP server's certificate.

/etc/openldap/ldap.conf has:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand

# /usr/local/bin/ldapsearch -d9 -x (openldap client)
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: 
/CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: 
/CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate 
verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Even setting TLS_CACERT does not fix it, only making
TLS_REQCERT never

TLS_CACERTDIR has pem certificates and links with them with hashes

ktrace does not show any reads on TLS_CACERTDIR

bbbf0019.0@ -> My_ROOT_CA.asc
My_ROOT_CA.asc@ -> My_ROOT_CA.pem

Apparently this also breaks freeradius which seems logical.

Thanks,

G



There were big changes in certificate validation in libressl a little
before 6.8 and various problems have been found with them. I added a
workaround for one issue in a -stable packages update to openldap,
some are fixed in libressl in -current, and workarounds for some
ports have been made by changing them to use openssl instead of
libressl.

Your best option is probably to run -current and report back if
there are still problems and then hopefully 6.9 will be better.




Yes, after upgrading to -current both problems were fixed (before 
pkg_add -u)


thanks,

G



Re: 6.8 openldap and SSL/TLS problem after upgrade

2020-12-22 Thread Stuart Henderson
On 2020-12-22, Kapetanakis Giannis  wrote:
> Hi,
>
> After upgrading to 6.8-release I can no longer connect to my ldap server with 
> openldap and SSL/TLS.
> I'm using a self signed root CA to sign LDAP server's certificate.
>
> /etc/openldap/ldap.conf has:
> TLS_CACERTDIR /etc/openldap/cacerts
> TLS_REQCERT demand
>
> # /usr/local/bin/ldapsearch -d9 -x (openldap client)
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: 
> /CN=xxx
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: 
> /CN=xxx
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate 
> verify failed (unable to get local issuer certificate).
> ldap_err2string
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Even setting TLS_CACERT does not fix it, only making 
> TLS_REQCERT never
>
> TLS_CACERTDIR has pem certificates and links with them with hashes
>
> ktrace does not show any reads on TLS_CACERTDIR
>
> bbbf0019.0@ -> My_ROOT_CA.asc
> My_ROOT_CA.asc@ -> My_ROOT_CA.pem
>
> Apparently this also breaks freeradius which seems logical.
>
> Thanks,
>
> G
>
>

There were big changes in certificate validation in libressl a little
before 6.8 and various problems have been found with them. I added a
workaround for one issue in a -stable packages update to openldap,
some are fixed in libressl in -current, and workarounds for some
ports have been made by changing them to use openssl instead of
libressl.

Your best option is probably to run -current and report back if
there are still problems and then hopefully 6.9 will be better.




Re: 6.8 openldap and SSL/TLS problem after upgrade

2020-12-22 Thread Kapetanakis Giannis

I'm replying in misc@ since it affects other people as well.

For freeradius (freeradius-2.2.10p1) and ldap communication I had to 
also set

require_cert = "allow"

It didn't respect the setting of /etc/openldap/ldap.conf
Maybe it's now linked against local ldap library and not openldap's ?

G

On 22/12/2020 16:59, Kostya Berger wrote:
Wow, I seem to have the same problem with Freeradius. Fails to connect 
with the same error: unable to get local issuer certificate. And that 
with certificates that work FINE with exactly the same version of 
Freeradius in FreeBSD.

And yes, no additional setting seem to help this.

With kindest regards,
Kostya Berger



On Tuesday, 22 December 2020, 17:52:48 GMT+3, Kapetanakis Giannis 
 wrote:



Hi,

After upgrading to 6.8-release I can no longer connect to my ldap 
server with openldap and SSL/TLS.

I'm using a self signed root CA to sign LDAP server's certificate.

/etc/openldap/ldap.conf has:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand

# /usr/local/bin/ldapsearch -d9 -x (openldap client)
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, 
issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer 
certificate
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, 
issuer: /CN=xxx
TLS certificate verification: Error, unable to get local issuer 
certificate

TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14007086:SSL 
routines:CONNECT_CR_CERT:certificate verify failed (unable to get 
local issuer certificate).

ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Even setting TLS_CACERT does not fix it, only making
TLS_REQCERT never

TLS_CACERTDIR has pem certificates and links with them with hashes

ktrace does not show any reads on TLS_CACERTDIR

bbbf0019.0@ -> My_ROOT_CA.asc
My_ROOT_CA.asc@ -> My_ROOT_CA.pem

Apparently this also breaks freeradius which seems logical.

Thanks,

G





6.8 openldap and SSL/TLS problem after upgrade

2020-12-22 Thread Kapetanakis Giannis
Hi,

After upgrading to 6.8-release I can no longer connect to my ldap server with 
openldap and SSL/TLS.
I'm using a self signed root CA to sign LDAP server's certificate.

/etc/openldap/ldap.conf has:
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand

# /usr/local/bin/ldapsearch -d9 -x (openldap client)
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: 
/CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS certificate verification: depth: 1, err: 20, subject: /CN=xxx, issuer: 
/CN=xxx
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14007086:SSL routines:CONNECT_CR_CERT:certificate 
verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Even setting TLS_CACERT does not fix it, only making 
TLS_REQCERT never

TLS_CACERTDIR has pem certificates and links with them with hashes

ktrace does not show any reads on TLS_CACERTDIR

bbbf0019.0@ -> My_ROOT_CA.asc
My_ROOT_CA.asc@ -> My_ROOT_CA.pem

Apparently this also breaks freeradius which seems logical.

Thanks,

G



Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Paul B. Henson

On 11/16/2020 6:52 AM, Stuart Henderson wrote:


...actually I have now added a workaround to the databases/openldap port
in 6.8-stable to disable TLS 1.3, so either rebuild or wait for -stable
packages and it should fix things.


Cool, I was actually already building from source in order to enable 
modules. I updated my ports tree and rebuilt, looks good now, thanks 
much for the quick fix.


It still does behave a little bit differently; under 6.7 it was 
including the root CA in the chain sent by the server, under 6.8 it is 
only including the intermediate, not the root. Which I actually prefer, 
as sending the root is a waste of time, the client needs to have that 
itself anyway in order to validate the chain in the first place.




Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Paul B. Henson

On 11/16/2020 2:30 AM, Stuart Henderson wrote:


Yes OpenLDAP is broken with TLS 1.3 server-side unless you have that
commit (or build LibreSSL with TLS 1.3 server support disabled). As far
as I can tell there's no method to disable TLS 1.3 via config.


Hmm, yah, you can disable old versions, but I don't think there is any 
way to disable newer ones.




Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Paul B. Henson

On 11/15/2020 10:18 PM, Brad Smith wrote:

I remember seeing this commit recently. Not sure if this is your problem 
or not.


https://marc.info/?l=openbsd-cvs&m=160511882917510&w=2


That definitely looks like it, thanks for the pointer.



Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Stuart Henderson
On 2020-11-16, Stuart Henderson  wrote:
> Yes OpenLDAP is broken with TLS 1.3 server-side unless you have that
> commit (or build LibreSSL with TLS 1.3 server support disabled). As far
> as I can tell there's no method to disable TLS 1.3 via config.

...actually I have now added a workaround to the databases/openldap port
in 6.8-stable to disable TLS 1.3, so either rebuild or wait for -stable
packages and it should fix things. 




Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Stuart Henderson
On 2020-11-16, Brad Smith  wrote:
> On 11/16/2020 12:08 AM, Paul B. Henson wrote:
>> I just updated one of my servers running 6.7 to 6.8, and am having a
>> problem with openldap. I have the intermediate cert and root CA in a
>> file referenced by the openldap config:
>>
>> TLSCACertificateFile /etc/openldap/cabundle.crt
>>
>> Under 6.7 with the openldap port from that version, this results in the
>> chain being served:
>>
>> Certificate chain
>>  0 s:CN = ldap-netsvc.pbhware.com
>>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>>  2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
>>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>>
>> However, under 6.8 with the newer openldap 2.4.53 port, only the server
>> cert itself is being served, not the intermediate or root:
>>
>> Certificate chain
>>  0 s:CN = ldap-netsvc.pbhware.com
>>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>>
>> This of course causes clients to fail to validate the server cert :(.
>>
>> I'm running openldap 2.4.53 on other operating systems and as far as I
>> know there's no change in behavior with it. So I'm guessing there's an
>> interoperability issue between openbsd libressl and openldap that's
>> causing this problem?
>>
>> Do I need to configure something differently? Any other suggestions?
>>
>> Thanks much...
>
>
> I remember seeing this commit recently. Not sure if this is your problem 
> or not.
>
> https://marc.info/?l=openbsd-cvs&m=160511882917510&w=2
>
>

Yes OpenLDAP is broken with TLS 1.3 server-side unless you have that
commit (or build LibreSSL with TLS 1.3 server support disabled). As far
as I can tell there's no method to disable TLS 1.3 via config.




Re: OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-16 Thread Brad Smith

On 11/16/2020 12:08 AM, Paul B. Henson wrote:

I just updated one of my servers running 6.7 to 6.8, and am having a
problem with openldap. I have the intermediate cert and root CA in a
file referenced by the openldap config:

TLSCACertificateFile /etc/openldap/cabundle.crt

Under 6.7 with the openldap port from that version, this results in the
chain being served:

Certificate chain
  0 s:CN = ldap-netsvc.pbhware.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
  2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3

However, under 6.8 with the newer openldap 2.4.53 port, only the server
cert itself is being served, not the intermediate or root:

Certificate chain
  0 s:CN = ldap-netsvc.pbhware.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

This of course causes clients to fail to validate the server cert :(.

I'm running openldap 2.4.53 on other operating systems and as far as I
know there's no change in behavior with it. So I'm guessing there's an
interoperability issue between openbsd libressl and openldap that's
causing this problem?

Do I need to configure something differently? Any other suggestions?

Thanks much...



I remember seeing this commit recently. Not sure if this is your problem 
or not.


https://marc.info/?l=openbsd-cvs&m=160511882917510&w=2



OpenLDAP under 6.8 - no intermediate certs in chain

2020-11-15 Thread Paul B. Henson
I just updated one of my servers running 6.7 to 6.8, and am having a
problem with openldap. I have the intermediate cert and root CA in a
file referenced by the openldap config:

TLSCACertificateFile /etc/openldap/cabundle.crt

Under 6.7 with the openldap port from that version, this results in the
chain being served:

Certificate chain
 0 s:CN = ldap-netsvc.pbhware.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

However, under 6.8 with the newer openldap 2.4.53 port, only the server
cert itself is being served, not the intermediate or root:

Certificate chain
 0 s:CN = ldap-netsvc.pbhware.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

This of course causes clients to fail to validate the server cert :(.

I'm running openldap 2.4.53 on other operating systems and as far as I
know there's no change in behavior with it. So I'm guessing there's an
interoperability issue between openbsd libressl and openldap that's
causing this problem?

Do I need to configure something differently? Any other suggestions?

Thanks much...



Re: cyrus-sasl/openldap question

2018-10-25 Thread Stuart Henderson
On 2018-10-24, Markus Rosjat  wrote:
> Hi there,
>
> it seems to get sasl working with ldap is a lifetime task. Sad thing I
> had it working but only after adding/deleting packages of the specific
> versions of cyrus-sasl and I don't know which you really need to get it
> working in a "clean" setup. So to all the people out there who are
> running services like sendmail, courier with openldap and sasl could you
> point to the proper package to use or do I need to really install one
> package then replace it with another so that just the proper libs are
> present somewhere on the system (this seems kind of bad)? And docs on
> cyrus-sasl are a big fk^ in my opinion but that's another story.

I'm not using sendmail+courier here but as a "1-line" install command
it looks like you'd probably want something like

pkg_add courier-authlib-ldap courier-imap cyrus-sasl--ldap sendmail--ldap-sasl

(The package names above including "--" select one of various flavours;
if you leave it out you would usually get to choose from a list presented
instead. The names like "courier-authlib-ldap" are modular packages or
"multipackages" where the extra support is added by pluggable modules.)

For dovecot and postfix you'd want "pkg_add dovecot-ldap postfix--ldap";
dovecot has its own sasl implementation which is also supported by postfix,
config is easier than with cyrus-sasl.




Re: cyrus-sasl/openldap question

2018-10-24 Thread Allan Streib
Have you looked at OpenBSD's ldapd(8) instead of openldap?

It supports SASL PLAIN auth, according to the 6.3 man page.

I don't currently use SASL but otherwise have found the config of ldapd
to be much simpler than slapd.

Yes, last time I had set up OpenLDAP with SASL it was fragile and
required a lot of fiddling to get it working. That was on Linux, about
10 years ago.

Allan



cyrus-sasl/openldap question

2018-10-24 Thread Markus Rosjat

Hi there,

it seems to get sasl working with ldap is a lifetime task. Sad thing I
had it working but only after adding/deleting packages of the specific
versions of cyrus-sasl and I don't know which you really need to get it
working in a "clean" setup. So to all the people out there who are
running services like sendmail, courier with openldap and sasl could you
point to the proper package to use or do I need to really install one
package then replace it with another so that just the proper libs are
present somewhere on the system (this seems kind of bad)? And docs on
cyrus-sasl are a big fk^ in my opinion but that's another story.


regards

--
Markus Rosjat    fon: +49 351 8107224    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you
print it, think about your responsibility and commitment to the ENVIRONMENT



Re: OpenBSDI 6.1 some Warnings when using OpenLDAP Tools

2017-08-10 Thread Paul B. Henson
On Wed, Aug 09, 2017 at 09:06:19AM +0200, Markus Rosjat wrote:

> this is more an info than a problem though since it seems to work.
> When I use a slap tool like slapcat I get a size mismatch warning like
> this

Heh, we were just talking about that:

https://marc.info/?l=openbsd-misc&m=150199443929908&w=2



OpenBSDI 6.1 some Warnings when using OpenLDAP Tools

2017-08-09 Thread Markus Rosjat

Hi there,

this is more an info than a problem though since it seems to work.
When I use a slap tool like slapcat I get a size mismatch warning like
this:


slapcat:/usr/local/lib/libicuuc.so.12.0: /usr/local/lib/libicudata.so.12.0 : WARNING: symbol(icudt58_dat) size mismatch, relink your program



It's a fresh install from the ports so some of the maintainers might 
like to know that.


regards





Re: openldap port mdb support

2017-08-06 Thread Stuart Henderson
On 2017/08/05 21:39, Paul B. Henson wrote:
> I took a look at the patch in head; you should assign the failure code to rc
> before calling Debug, as it refers to rc...

Thanks, fixed.

On 2017/08/05 21:40, Paul B. Henson wrote:
> On Sat, Aug 05, 2017 at 12:35:24AM +, Stuart Henderson wrote:
> 
> > The ports@ list is a better venue for ports-related queries,
> > please see this: https://marc.info/?l=openbsd-ports&m=150157643516239&w=2
> 
> Ah, ok, thanks for the pointer.
> 
> > This is not preventing programs from running.
> 
> Hmm, I could've sworn I got that message and then slapd failed to start.
> Dunno, maybe I got confused. Once I'm done working with openldap mdb I'll
> start over from scratch and try again and see what happens.
> 
> Thanks for the info...

There have been other problems which occurred at the same time as
the icu warnings resumed (triggered by the switch to clang for base
and all but a very small number of ports) - if you run into it again,
if there's any debug information or backtrace available, that would
be interesting.




Re: openldap port mdb support

2017-08-03 Thread Paul B. Henson
On Mon, Jul 10, 2017 at 07:34:11AM +, Stuart Henderson wrote:

> Feel free to try it, I believe the required patch to force MDB_WRITEMAP
> is still in there, but I don't think there were any major changes upstream
> since the last attempt so I wouldn't hold out too much hope for it working
> straight off.

Hmm, as you said, trying to use mdb resulted in crashes. My initial debugging
led to the cause of this as a NULL mdb environment, and ironically the
root cause of that turned out to be the OpenBSD specific MDB_WRITEMAP
patch 8-/.

if ( !(flags & MDB_WRITEMAP) ) {
        Debug( LDAP_DEBUG_ANY,
                LDAP_XSTRING(mdb_db_open) ": database \"%s\" does not have writemap. "
                "This is required on systems without unified buffer cache.\n",
                be->be_suffix[0].bv_val, rc, 0 );
        goto fail;
}

There are two problems with it; first, it accesses the local flags variable
before it is initialized to mdb->mi_dbenv_flags shortly thereafter, so the
value checked is random and the if block nondeterministically triggers, and
second, it doesn't assign a failure value to rc before it jumps to fail, so
the function returns successfully but with a closed be, and the code keeps
going but later segfaults because of the NULL mdb environment.

I updated the patch and moved the check to be after the flags initialization:

flags = mdb->mi_dbenv_flags;

and added an assignment to rc on failure:

rc = MDB_INCOMPATIBLE;

I then tweaked the mdb test suite to always enable MDB_WRITEMAP, and so far
it's been running for 20 minutes with no errors, crashes, or failures.

Right now it's compiled "-O0 -ggdb", if everything keeps looking good, I'll
recompile it normally and do more testing.



Re: OpenSMTP and OpenLDAP

2017-07-25 Thread Markus Rosjat


Hey Henrik,
This was a hint I was looking for, though! I will check that out :)
Regards
Markus

-------- Original message --------
From: Henrik Friedrichsen
Date: 25.07.17 19:15 (GMT+01:00)
To: misc@openbsd.org
Cc: ros...@ghweb.de
Subject: Re: OpenSMTP and OpenLDAP

Hey,

On Tue, Jul 25, 2017 at 10:50:32AM +0200, Markus Rosjat wrote:
> I was just wondering if those two work together at all? I saw examples with
> ldapd that ships with the OS but not with OpenLDAP. Since I try to get my
> user table defined, and the man only has options for db and file, what's the
> way to go here if there is a way at all?

The OpenSMTPD-extras package should have an LDAP filter. I have no
experience with it and whether it works with OpenLDAP, but it might be a
starting point:

https://github.com/OpenSMTPD/OpenSMTPD-extras/tree/master/extras/tables/table-ldap



Re: OpenSMTP and OpenLDAP

2017-07-25 Thread Henrik Friedrichsen
Hey,

On Tue, Jul 25, 2017 at 10:50:32AM +0200, Markus Rosjat wrote:
> I was just wondering if those two work together at all? I saw examples with
> ldapd that ships with the OS but not with OpenLDAP. Since I try to get my
> user table defined, and the man only has options for db and file, what's the
> way to go here if there is a way at all?

The OpenSMTPD-extras package should have an LDAP filter. I have no
experience with it and whether it works with OpenLDAP, but it might be a
starting point:

https://github.com/OpenSMTPD/OpenSMTPD-extras/tree/master/extras/tables/table-ldap



Re: OpenSMTP and OpenLDAP

2017-07-25 Thread Markus Rosjat
well it seems no one has an answer to that so while you always see
examples for ldapd I'm still confused since man smtpd.conf states you
should use file:/ or db:/ to define a table and no other option like
ldap:/ is mentioned at all.


So let's refine the question ...

Is LDAP supported in OpenSMTP at all?


And if so, where to find a piece of information how to configure it?

regards

Markus

On 25.07.2017 at 10:50, Markus Rosjat wrote:

> Hi there,
>
> I was just wondering if those two work together at all? I saw examples
> with ldapd that ships with the OS but not with OpenLDAP. Since I try to
> get my user table defined, and the man only has options for db and file,
> what's the way to go here if there is a way at all?
>
>
> Regards







OpenSMTP and OpenLDAP

2017-07-25 Thread Markus Rosjat

Hi there,

I was just wondering if those two work together at all? I saw examples
with ldapd that ships with the OS but not with OpenLDAP. Since I try to
get my user table defined, and the man only has options for db and file,
what's the way to go here if there is a way at all?


Regards





Re: openldap port mdb support

2017-07-10 Thread Stuart Henderson
On 2017-07-10, Paul B. Henson  wrote:
> mdb has been disabled in the openldap port since it looks like
> 2015/02/16, I was wondering if anyone has tried it since then to see if
> maybe the issues with it have been resolved? The other backends are
> deprecated upstream, it would be nice to get mdb working under openbsd.
>
> I'm going to try enabling it and running through the tests and see how
> things turn out but I was just curious if anyone else had worked with it
> in the past couple of years.
>
> Thanks...
>
>

Feel free to try it, I believe the required patch to force MDB_WRITEMAP
is still in there, but I don't think there were any major changes upstream
since the last attempt so I wouldn't hold out too much hope for it working
straight off.

(Without MDB_WRITEMAP, mdb assumes mmap and file access can be intermixed
without syncs, which isn't the case on OpenBSD).




openldap port mdb support

2017-07-09 Thread Paul B. Henson
mdb has been disabled in the openldap port since it looks like
2015/02/16, I was wondering if anyone has tried it since then to see if
maybe the issues with it have been resolved? The other backends are
deprecated upstream, it would be nice to get mdb working under openbsd.

I'm going to try enabling it and running through the tests and see how
things turn out but I was just curious if anyone else had worked with it
in the past couple of years.

Thanks...



guidelines for migration openldap directory to ldapd ?

2017-06-18 Thread Markus Rosjat

Hi there,

I was wondering if there is something like that for migrating an
existing OpenLDAP directory to ldapd?


I took a look at the config files and some stuff was basically the same
information with different syntax.


The aim is to make working with ldap authentication and opensmtp as
simple as possible. So since ldapd and smtpd both ship with the system
I thought this would be the way to go.


Since I don't have much experience with both tools I was looking for some
advice from all the gurus out there :)


regards





Re: OpenLDAP and filesystem permission

2017-04-28 Thread Marcus MERIGHI
hello, 

ros...@ghweb.de (Markus Rosjat), 2017.04.27 (Thu) 12:59 (CEST):
> I basically want to know if it's okay to set permission on a file or
> directory for a LDAP user even if there is no local user on this machine.
> 
> Hope someone understands what I mean, background is setting up a mailserver
> with user management over LDAP. The naive way for me would be creating a
> local user with the same name like the one in the LDAP db. So I can set the
> permissions on the Maildirs for the local user.
> This leaves me with maintaining LDAP and local user but if I could just use
> only the LDAP user this would be nice (it works at least in my test env)
> but is this considered secure or should I stick with the LDAP+local user
> approach?

Have you seen ypldap(8)? It might help with your ldap<->local problem by
going via yp(8).

Marcus

> regards
> 



OpenLDAP and filesystem permission

2017-04-27 Thread Markus Rosjat

Hi there,

I basically want to know if it's okay to set permission on a file or
directory for a LDAP user even if there is no local user on this machine.


Hope someone understands what I mean, background is setting up a
mailserver with user management over LDAP. The naive way for me would be
creating a local user with the same name like the one in the LDAP db. So
I can set the permissions on the Maildirs for the local user.
This leaves me with maintaining LDAP and local user but if I could just
use only the LDAP user this would be nice (it works at least in my test
env) but is this considered secure or should I stick with the LDAP+local
user approach?


regards





Re: Dovecot with OpenLDAP

2015-05-04 Thread Stuart Henderson
On 2015-05-03, Markus Rosjat  wrote:
> On 03.05.2015 at 10:32, Stuart Henderson wrote:
>> On 2015-05-02, Markus Rosjat  wrote:
>>> okay it seems dovecot runs root and not as the _dovecot user so applying
>>> a login class for the dovecot group only helps if you add root to it
>>> and now it seems to start properly.
>> How are you starting Dovecot? The login class mechanism is only used
>> when started with rcctl or /etc.rc.d/dovecot.
> I enabled it with rcctl but like I said when I use ps -aux I get the
> info that the process is owned by root. So to fix the problem with the
> open files I had to add root to the _dovecot group to add the login class
> behaviour.

This doesn't make sense. The rc.d script (via rc.subr) uses su -c (class)
when starting a daemon, it doesn't matter which uid is running it...
The only time where I think root's login class should make a difference
is if you start it by hand without using -c ("sudo dovecot" or similar).



Re: Dovecot with OpenLDAP

2015-05-03 Thread Markus Rosjat

okay openLDAP seems to be more tricky than expected ...

I got slapd running and with slapcat I can get information for a
user but when I try to modify stuff with ldapmodify slapd instantly dies
with a "can't connect to server" even though the log shows I was connected
before I tried to submit the changes.

Like I said I just copied the openldap files from one machine to another
and changed the config to fit the old config. I tried some stuff from the
net with recover and rebuild but this doesn't seem to work at all.


Does someone out there have another clue?


On 03.05.2015 at 11:42, Markus Rosjat wrote:

> On 03.05.2015 at 10:32, Stuart Henderson wrote:
>
>> On 2015-05-02, Markus Rosjat  wrote:
>>> okay it seems dovecot runs root and not as the _dovecot user so
>>> applying a login class for the dovecot group only helps if you add
>>> root to it and now it seems to start properly.
>>
>> How are you starting Dovecot? The login class mechanism is only used
>> when started with rcctl or /etc.rc.d/dovecot.
>
> I enabled it with rcctl but like I said when I use ps -aux I get the
> info that the process is owned by root. So to fix the problem with the
> open files I had to add root to the _dovecot group to add the login
> class behaviour.
>
>>> So let's see how far we get to configure ldap with it.
>>
>> This is the same as on other OS.
>
> well I want to use the existing database and a simple approach to copy
> the old db to the new installation seems to work beside some warnings I
> get for now but I think that's something I have to figure out
>
>>>> 2. is it worth the effort trying to get sendmail (the ldap flavour)
>>>> installed or should I just skip it for a different program?
>>
>> Use whichever MTA works best for you, there are several with LDAP
>> support.
>
> well I'm a bit scared when I see the sendmail setup from an old system I
> use as reference so I was just wondering if it's worth going the
> painful way in trying to get it to work on a testsystem :-P







Re: Dovecot with OpenLDAP

2015-05-03 Thread Markus Rosjat

On 03.05.2015 at 10:32, Stuart Henderson wrote:

> On 2015-05-02, Markus Rosjat  wrote:
>> okay it seems dovecot runs root and not as the _dovecot user so applying
>> a login class for the dovecot group only helps if you add root to it
>> and now it seems to start properly.
>
> How are you starting Dovecot? The login class mechanism is only used
> when started with rcctl or /etc.rc.d/dovecot.

I enabled it with rcctl but like I said when I use ps -aux I get the
info that the process is owned by root. So to fix the problem with the
open files I had to add root to the _dovecot group to add the login class
behaviour.

>> So let's see how far we get to configure ldap with it.
>
> This is the same as on other OS.

well I want to use the existing database and a simple approach to copy the
old db to the new installation seems to work beside some warnings I get
for now but I think that's something I have to figure out

>>> 2. is it worth the effort trying to get sendmail (the ldap flavour)
>>> installed or should I just skip it for a different program?
>
> Use whichever MTA works best for you, there are several with LDAP support.

well I'm a bit scared when I see the sendmail setup from an old system I
use as reference so I was just wondering if it's worth going the painful
way in trying to get it to work on a testsystem :-P





Re: Dovecot with OpenLDAP

2015-05-03 Thread Stuart Henderson
On 2015-05-02, Markus Rosjat  wrote:
> okay it seems dovecot runs root and not as the _dovecot user so applying
> a login class for the dovecot group only helps if you add root to it
> and now it seems to start properly.

How are you starting Dovecot? The login class mechanism is only used
when started with rcctl or /etc.rc.d/dovecot.

> So let's see how far we get to configure ldap with it.

This is the same as on other OS.

>> 2. is it worth the effort trying to get sendmail (the ldap flavour) 
>> installed or should I just skip it for
>> a different program?

Use whichever MTA works best for you, there are several with LDAP support.



Re: Dovecot with OpenLDAP

2015-05-02 Thread Markus Rosjat

just a little update, don't know if it's the right approach

On 02.05.2015 at 19:37, Markus Rosjat wrote:

> Hi there,
>
> once again some stupid questions :)
>
> 1. is there a sane example out there to configure dovecot with
> openldap on openbsd?
> - I try to get things running for hours now; all I get is a nice
>   log that tells me that too many files are open. And reading around
>   points to some code snippet which I can't even find in the config
>   files.

okay it seems dovecot runs root and not as the _dovecot user so applying
a login class for the dovecot group only helps if you add root to it
and now it seems to start properly. So let's see how far we get to
configure ldap with it.

> 2. is it worth the effort trying to get sendmail (the ldap flavour)
> installed or should I just skip it for a different program?

regards






Dovecot with OpenLDAP

2015-05-02 Thread Markus Rosjat

Hi there,

once again some stupid questions :)

1. is there a sane example out there to configure dovecot with openldap
on openbsd?
- I try to get things running for hours now; all I get is a nice log
  that tells me that too many files are open. And reading around points
  to some code snippet which I can't even find in the config files.
2. is it worth the effort trying to get sendmail (the ldap flavour)
installed or should I just skip it for a different program?

regards




openldap server problem

2015-05-02 Thread Markus Rosjat

hi there

I'm running a 5.7 and installed openldap-server but I didn't notice
that I need a special package for cyrus-sasl for ldap. So I deleted the
package and installed the right one. So now I got the problem that I
always get complaints regarding /usr/local/lib/libldap-2.4.so.13.0


for example a slapcat:

# /usr/local/sbin/slapcat -a uid=2236
/usr/local/sbin/slapcat:/usr/local/lib/libldap-2.4.so.13.0: /usr/local/sbin/slapcat : WARNING: symbol(ldap_int_global_options) size mismatch, relink your program
5544d44d bdb_monitor_db_open: monitoring disabled; configure monitor database to enable



okay the monitoring thing I need to figure out too but for now I would
like to just get rid of the mismatch msg.


Is there any sane solution or is this the point where I just throw away
this vm and install a fresh system?


btw I used the packages and didn't compile it from source. So is it
better to just get the source and make it from scratch (regarding the
monitoring stuff too)?


regards




Re: upgrade 5.4 -> 5.5 -- openldap bdb database

2014-05-08 Thread LEVAI Daniel
On Wed, May 07, 2014 at 13:06:07 -0700, Philip Guenther wrote:
> On Fri, May 2, 2014 at 1:27 AM, LEVAI Daniel  wrote:
> 
> > I've recently upgraded one of my systems to 55 from 54 (btw, for me, the
> > most painful upgrade since ~3.9; I don't know what happened but
> > everything was against me), and one of the obstacles was the openldap
> > upgrade. I was using openldap-2.4 with bdb on 5.4 also, so I thought it
> > would be a clean cut. After trying to start slapd, it barked about the
> > bdb's consistency:
> >
> > __db.001: unable to find environment
> > txn_checkpoint interface requires an environment configured for the
> > transaction subsystem
> > ... etc ... (the precise error message would require the restore of the
> > old db files, but what's important is there)
> >
> 
> Ah yes.  The __db.0* 'environment' files are just the backing-store for the
> shared memory images.  As a result, their internal layouts are dependent on
> the sizes of many system types, as well as on bdb's compile time debugging
> flags.  As a result, they can be removed without loss of data whenever the
> database isn't open in any process.

Ah, wow, thanks Philip. I didn't know much about bdb... I would have
never dared to delete those files, given that one of them is more than
320MiB (I mean, look at that size; there has to be *something* important
there :D ). But you are of course absolutely right, and simply deleting
the __db files and starting slapd would have sufficed during the upgrade
process.

> If closed cleanly, then it can be opened again without having to
> perform recovery, though many application just always perform recovery
> on the first open, to make sure.  (So performing transaction
> checkpoints regularly and just before closing is good.)
> 
> So: when upgrading, you should be removing the __db.* files for openldap.

Right, simple as that. If only I had even a little knowledge about BDB
beforehand... :)

> (That's *not* the case with the actual database file formats (btree, hash,
> queue, recno): those use fixed-size types internally.  On the gripping
> hand, the actual data that the application is storing in the databases'
> keys and values *may* be dependent on the system types!)

So, is this a good start (I've tried to reproduce Philip's technical
insight by copying his relevant sentences):

--- upgrade55.html  2014-05-08 15:13:33.541722106 +0200
+++ upgrade55.html.new  2014-05-08 15:21:12.922729991 +0200
@@ -843,6 +843,19 @@ This is in addition to the database sche
 usual for Icinga-web/NDOUtils users (see the pkg-readme for more
 information).
 
+
+openldap-bdb:
+The __db.* 'environment' files are the backing-store for the shared memory
+images. As a result, their internal layouts are dependent on the size of many
+system types, and  the __db.* file format on 32-bit architectures will not be
+compatible.
+
+After upgradeing bdb (along with OpenLDAP), the __db.* files must
+be removed from the openldap-data directory, to be able to start slapd. This is
+a safe procedure, and can be done without loss of data, but only if the
+database is not open in any process.
+
+This is not necessary on 64-bit architectures (amd64, sparc64, etc).
 
 
 
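Review bot: the added openldap-bdb paragraph narrows the advice to 32-bit architectures ("the __db.* file format on 32-bit architectures will not be compatible", "This is not necessary on 64-bit architectures"), but the explanation it paraphrases ties the layout to the sizes of system types and to bdb's compile-time debugging flags, and the instruction quoted above is unconditional ("when upgrading, you should be removing the __db.* files"); either drop the 32-bit/64-bit qualification or state what it is based on. Also fix the typo "upgradeing" and the doubled space in "and  the" in the added lines.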




-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: upgrade 5.4 -> 5.5 -- openldap bdb database

2014-05-07 Thread Philip Guenther
On Fri, May 2, 2014 at 1:27 AM, LEVAI Daniel  wrote:

> I've recently upgraded one of my systems to 55 from 54 (btw, for me, the
> most painful upgrade since ~3.9; I don't know what happened but
> everything was against me), and one of the obstacles was the openldap
> upgrade. I was using openldap-2.4 with bdb on 5.4 also, so I thought it
> would be a clean cut. After trying to start slapd, it barked about the
> bdb's consistency:
>
> __db.001: unable to find environment
> txn_checkpoint interface requires an environment configured for the
> transaction subsystem
> ... etc ... (the precise error message would require the restore of the
> old db files, but what's important is there)
>

Ah yes.  The __db.0* 'environment' files are just the backing-store for the
shared memory images.  As a result, their internal layouts are dependent on
the sizes of many system types, as well as on bdb's compile time debugging
flags.  As a result, they can be removed without loss of data whenever the
database isn't open in any process.  If closed cleanly, then it can be
opened again without having to perform recovery, though many application
just always perform recovery on the first open, to make sure.  (So
performing transaction checkpoints regularly and just before closing is
good.)

So: when upgrading, you should be removing the __db.* files for openldap.

(That's *not* the case with the actual database file formats (btree, hash,
queue, recno): those use fixed-size types internally.  On the gripping
hand, the actual data that the application is storing in the databases'
keys and values *may* be dependent on the system types!)


Philip Guenther
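Philip's rule applied as an added example (not a script from the thread or from OpenBSD): remove only the __db.* environment files, and only after checking that slapd's pidfile no longer names a running process; the directory layout, file names and pid are constructed samples.

```python
"""Clear stale Berkeley DB environment files before starting slapd.

Added example, not a script from this thread or from OpenBSD.  It applies
the rule above: the __db.* shared-memory backing files can be removed
without losing data, but only while no process has the database open.
Transaction logs (log.*) and the *.bdb files are left alone.  The sample
directory layout built below is constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Callable, List, Optional, Tuple

# Environment files are named __db.001, __db.002, ... by Berkeley DB.
ENV_FILE = re.compile(r"^__db\.\d{3}$")


def pid_is_running(pid: int) -> bool:
    """True if a process with this PID exists (signal 0 only probes)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by another user
    return True


def read_pid(pidfile: str) -> Optional[int]:
    """PID stored in slapd's pidfile, or None if absent or unreadable."""
    try:
        return int(Path(pidfile).read_text().strip())
    except (FileNotFoundError, ValueError):
        return None


def safe_to_purge(pidfile: Optional[str],
                  running: Callable[[int], bool] = pid_is_running) -> bool:
    """False while the pidfile names a live slapd; True otherwise."""
    if pidfile is None:
        return True
    pid = read_pid(pidfile)
    return pid is None or not running(pid)


def purge_bdb_env(datadir: str, pidfile: Optional[str] = None,
                  running: Callable[[int], bool] = pid_is_running) -> List[str]:
    """Remove __db.* from datadir and return their names, sorted.

    Raises RuntimeError without touching anything if slapd may still
    have the environment open.
    """
    if not safe_to_purge(pidfile, running):
        raise RuntimeError("slapd still running; stop it before removing __db.*")
    removed = []
    for entry in sorted(Path(datadir).iterdir()):
        if entry.is_file() and ENV_FILE.match(entry.name):
            entry.unlink()
            removed.append(entry.name)
    return removed


def list_files(datadir: str) -> List[str]:
    """Sorted file names in datadir (to check what survived the purge)."""
    return sorted(p.name for p in Path(datadir).iterdir())


def make_sample_datadir() -> Tuple[str, str]:
    """Constructed openldap-data directory plus a pidfile naming pid 4242."""
    root = tempfile.mkdtemp(prefix="bdb-demo-")
    datadir = Path(root, "openldap-data")
    datadir.mkdir()
    for name in ("__db.001", "__db.002", "__db.003", "log.0000000001",
                 "id2entry.bdb", "dn2id.bdb", "DB_CONFIG"):
        (datadir / name).write_bytes(b"\0" * 16)
    pidfile = Path(root, "slapd.pid")
    pidfile.write_text("4242\n")
    return str(datadir), str(pidfile)


if __name__ == "__main__":
    d, p = make_sample_datadir()
    # Pretend slapd is still up: the purge must refuse.
    print("safe while running?", safe_to_purge(p, running=lambda _: True))
    # With slapd stopped only the environment files go.
    print("removed:", purge_bdb_env(d, p, running=lambda _: False))
    print("left:", list_files(d))
```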



Re: upgrade 5.4 -> 5.5 -- openldap bdb database

2014-05-07 Thread Dorian Büttner

maybe related?
http://marc.info/?l=openbsd-cvs&m=138183876907016&w=2

I also stumbled over an old nawk shortly after, no clue if that could have
been invoked.


On 07.05.2014 04:21, Stuart Henderson wrote:
> What arch is this Daniel? I've done multiple 5.4->5.5 upgrades
> with OpenLDAP/bdb without need for additional steps, but they were
> all on amd64.
>
> On 2014-05-02, LEVAI Daniel  wrote:
>> Hi!
>>
>> I've recently upgraded one of my systems to 55 from 54 (btw, for me, the
>> most painful upgrade since ~3.9; I don't know what happened but
>> everything was against me), and one of the obstacles was the openldap
>> upgrade. I was using openldap-2.4 with bdb on 5.4 also, so I thought it
>> would be a clean cut. After trying to start slapd, it barked about the
>> bdb's consistency:
>>
>> __db.001: unable to find environment
>> txn_checkpoint interface requires an environment configured for the transaction
>> subsystem
>> ... etc ... (the precise error message would require the restore of the
>> old db files, but what's important is there)
>>
>> db4_verify of course told me the same, and db4_recover, or slapcat and
>> the likes were futile. So I just shrugged and went about to restore my
>> backups, but even the one week old backup did seem to be corrupt :-/
>>
>> Long story short, I had to install a 5.4 OpenBSD, pkg_add
>> openldap-server, copy over the openldap-data directory, slapcat to an
>> ldif file then slapadd on the server to a clean and fresh openldap data
>> directory.
>> The logic is the same as for the rrdtool upgrade, but that is at least
>> mentioned in the upgrade faq ;-P
>>
>> So if it seems this is a real upgrade issue for someone else also, and
>> not a PEBKAC, then I think it would be fair to mention this on
>> upgrade55.html. I could cook up a diff, if it turns out I was not
>> hallucinating.
>>
>>
>> Daniel




Re: upgrade 5.4 -> 5.5 -- openldap bdb database

2014-05-07 Thread LEVAI Daniel
On Wed, May 07, 2014 at 02:21:38 +, Stuart Henderson wrote:
> What arch is this Daniel? I've done multiple 5.4->5.5 upgrades
> with OpenLDAP/bdb without need for additional steps, but they were
> all on amd64.
[...]

Oh, this was i386.


Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: upgrade 5.4 -> 5.5 -- openldap bdb database

2014-05-06 Thread Stuart Henderson
What arch is this Daniel? I've done multiple 5.4->5.5 upgrades
with OpenLDAP/bdb without need for additional steps, but they were
all on amd64.


On 2014-05-02, LEVAI Daniel  wrote:
> Hi!
>
> I've recently upgraded one of my systems to 55 from 54 (btw, for me, the
> most painful upgrade since ~3.9; I don't know what happened but
> everything was against me), and one of the obstacles was the openldap
> upgrade. I was using openldap-2.4 with bdb on 5.4 also, so I thought it
> would be a clean cut. After trying to start slapd, it barked about the
> bdb's consistency:
>
> __db.001: unable to find environment
> txn_checkpoint interface requires an environment configured for the 
> transaction subsystem
> ... etc ... (the precise error message would require the restore of the
> old db files, but what's important is there)
>
> db4_verify of course told me the same, and db4_recover, or slapcat and
> the likes were futile. So I just shrugged and went about to restore my
> backups, but even the one week old backup did seem to be corrupt :-/
>
> Long story short, I had to install a 5.4 OpenBSD, pkg_add
> openldap-server, copy over the openldap-data directory, slapcat to an
> ldif file then slapadd on the server to a clean and fresh openldap data
> directory.
> The logic is the same as for the rrdtool upgrade, but that is at least
> mentioned in the upgrade faq ;-P
>
> So if it seems this is a real upgrade issue for someone else also, and
> not a PEBKAC, then I think it would be fair to mention this on
> upgrade55.html. I could cook up a diff, if it turns out I was not
> hallucinating.
>
>
> Daniel



upgrade 5.4 -> 5.5 -- openldap bdb database

2014-05-02 Thread LEVAI Daniel
Hi!

I've recently upgraded one of my systems to 55 from 54 (btw, for me, the
most painful upgrade since ~3.9; I don't know what happened but
everything was against me), and one of the obstacles was the openldap
upgrade. I was using openldap-2.4 with bdb on 5.4 also, so I thought it
would be a clean cut. After trying to start slapd, it barked about the
bdb's consistency:

__db.001: unable to find environment
txn_checkpoint interface requires an environment configured for the transaction 
subsystem
... etc ... (the precise error message would require the restore of the
old db files, but what's important is there)

db4_verify of course told me the same, and db4_recover, or slapcat and
the likes were futile. So I just shrugged and went about to restore my
backups, but even the one week old backup did seem to be corrupt :-/

Long story short, I had to install a 5.4 OpenBSD, pkg_add
openldap-server, copy over the openldap-data directory, slapcat to an
ldif file then slapadd on the server to a clean and fresh openldap data
directory.
The logic is the same as for the rrdtool upgrade, but that is at least
mentioned in the upgrade faq ;-P

So if it seems this is a real upgrade issue for someone else also, and
not a PEBKAC, then I think it would be fair to mention this on
upgrade55.html. I could cook up a diff, if it turns out I was not
hallucinating.


Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: openldap password fails to update

2014-03-09 Thread Stéphane Guedon
On Saturday 8 March 2014, 14:20:23 Matthew Weigel wrote:
> On 03/08/2014 12:16 PM, Stéphane Guedon wrote:
> >> I am looking through logs and config since the beginning of the
> >> day... Actually, asking help on forums or mailing lists is always
> >> my last step in solving problems...
>
> We try to help.
>
> But... giving detailed descriptions of the problem, and showing
> relevant configs and logs the first time, goes a long way to
> helping people help you.
>
> Reading manuals helps too. Among others, ypldap(8), ypldap.conf(5),
> login.conf(5), login_ldap(8) from ports, and whatever manuals for
> OpenLDAP.
> > But why can't I authenticate (using ssh or login) on the system ?
> > Do I really have to go through ypldap ? Sounds not efficient to
> > have an intermediate !
>
> There are two separate mechanisms: how user information is looked
> up, and how users are authenticated. You provide zero details on
> how ypldap or login_ldap are configured, so it's hard to guess
> whether you have some configuration wrong. I can say it works for
> me.

Because when beginning, I just tried to auth with ldap alone !
Now that I try with ldap + ypldap, it works.

Thanks Guys ! I solved it...

>
> The user lookup is configured (via +:: entries in /etc/passwd and
> /etc/group) to use YP routines. Thus the user is looked up in ypldap
> when they attempt to login, which is configured to identify the
> user's login class as ldap. The ldap login class is configured in
> login.conf to authenticate via login_ldap talking to the LDAP
> server, which is configured to have the appropriate users.
>
> This is what I meant by "that's a lot more moving parts than just
> passwords in LDAP."




Re: openldap password fails to update

2014-03-09 Thread Stéphane Guedon
On Saturday 8 March 2014, 16:14:53 Matthew Weigel wrote:
> On 03/08/2014 03:11 PM, Stéphane Guedon wrote:
> > when I use 127.0.0.1 in php scripts, I can use ldap.
> > if the script is running with 'localhost' then, no ldap data...
> >
> > Any idea why ?
> > I have checked host resolution...
> > telnet localhost ldap gives the good behavior
>
> Is PHP running inside a chroot?  Does that chroot have an /etc/hosts
> with an entry for localhost?

you get it ! By copying the hosts system file in the nginx/php chroot,
I am now able to log in.




Re: openldap password fails to update

2014-03-08 Thread Matthew Weigel
On 03/08/2014 03:11 PM, Stéphane Guedon wrote:

> when I use 127.0.0.1 in php scripts, I can use ldap.
> if the script is running with 'localhost' then, no ldap data...
> 
> Any idea why ?
> I have checked host resolution...
> telnet localhost ldap gives the good behavior

Is PHP running inside a chroot?  Does that chroot have an /etc/hosts
with an entry for localhost?

-- 
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: openldap password fails to update

2014-03-08 Thread Stéphane Guedon
> > user bind failed, dn: uid=stephane,ou=users,dc=22decembre,dc=eu
> > reject
>
> when using the one in /usr/libexec/auth/login_... instead of
> /usr/local/libexec... it works !
>
> and I can start ypldap !
>
> But why can't I authenticate (using ssh or login) on the system ? Do
> I really have to go through ypldap ? Sounds not efficient to have
> an intermediate !
>
> And still having problem with my php scripts, which I am debugging
> now.

found the thing...

when I use 127.0.0.1 in php scripts, I can use ldap.
if the script is running with 'localhost' then, no ldap data...

Any idea why ?
I have checked host resolution...
telnet localhost ldap gives the good behavior

# netstat -at|grep ldap
tcp   0  0  localhost.29434  localhost.ldap  TIME_WAIT
tcp   0  0  *.ldap           *.*             LISTEN
tcp   0  0  localhost.ldap   *.*             LISTEN
tcp6  0  0  *.ldap           *.*             LISTEN
tcp6  0  0  localhost.ldap   *.*             LISTEN
0xfe812e35d938 dgram   0  0 0xfe812de95288  0x0  0x0  0x0  /var/openldap-data/dev/log


>
> Thanks for your help and answers. Please continue if you have any
> idea ! :D
>
> > > I am using ypldap from base and login_ldap from ports; your
> > > mileage
> > > may vary.
> > >
> > > > By the way, anybody use the light ldapd daemon included in
> > > > base
> > > > ?
> > > > can we update password with it ?
> > >
> > > I use it. It does not currently support the modify password
> > > extended operation (what ldappasswd relies on). I am working on
> > > a
> > > patch for it but I haven't finished it and it requires a bit
> > > more
> > > refactoring than just processing one new request.
> >
> > Ok, so I think I will check ldapd from time to time...
> >
> > > --
> > > Matthew Weigel




Re: openldap password fails to update

2014-03-08 Thread Stuart Henderson
On 2014-03-08, Stéphane Guedon  wrote:
> Notably, the user fails to auth and do login (with openbsd login
> system AND webpages) even though password is correct according to ldap
> itself !

How are you doing ldap authentication? (i.e. what software are you
using, and how does it authenticate? attempt binding as the user trying
to login, or looking up the password via a high-privileged account?

I'm using login-ldap from packages for ldap password auth, this works
fine for me against passwords stored in openldap.

I have this in login.conf:

ldap:\
	:auth=-ldap:\
	:x-ldap-server=127.0.0.1:\
	:x-ldap-timeout=5:\
	:x-ldap-basedn=ou=user,dc=example,dc=com:\
	:x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
	:tc=default:

and set the login class to "ldap" on accounts which should use this as their
password source (e.g. class is the 5th field in master.passwd if using
statically configured accounts with ldap passwords, or 'fixed attribute
class "ldap"' in ypldap.conf if doing it that way).



Re: openldap password fails to update

2014-03-08 Thread Matthew Weigel
On 03/08/2014 12:16 PM, Stéphane Guedon wrote:

>> I am looking through logs and config since the beginning of the
>> day... Actually, asking help on forums or mailing lists is always
>> my last step in solving problems...

We try to help.

But... giving detailed descriptions of the problem, and showing relevant
configs and logs the first time, goes a long way to helping people help you.

Reading manuals helps too. Among others, ypldap(8), ypldap.conf(5),
login.conf(5), login_ldap(8) from ports, and whatever manuals for OpenLDAP.

> But why can't I authenticate (using ssh or login) on the system ? Do I 
> really have to go through ypldap ? Sounds not efficient to have an 
> intermediate !

There are two separate mechanisms: how user information is looked up,
and how users are authenticated. You provide zero details on how ypldap
or login_ldap are configured, so it's hard to guess whether you have
some configuration wrong. I can say it works for me.

The user lookup is configured (via +:: entries in /etc/passwd and
/etc/group) to use YP routines. Thus the user is looked up in ypldap
when they attempt to login, which is configured to identify the user's
login class as ldap. The ldap login class is configured in login.conf to
authenticate via login_ldap talking to the LDAP server, which is
configured to have the appropriate users.

This is what I meant by "that's a lot more moving parts than just
passwords in LDAP."
-- 
 Matthew Weigel
 hacker
 unique & idempot . ent



Re: openldap password fails to update

2014-03-08 Thread Stéphane Guedon
On Saturday 8 March 2014, 17:21:26 Stéphane Guedon wrote:
> On Saturday 8 March 2014, 09:09:08 Matthew Weigel wrote:
> > On Mar 8, 2014, at 6:29 AM, Stéphane Guedon wrote:
> > > Notably, the user fails to auth and do login (with openbsd login
> > > system AND webpages) even though password is correct according to
> > > ldap itself !
> > 
> > That's a lot more moving parts than just passwords in LDAP.
> 
> Yes, but passwords are the first things to change to secure your
> users/install.
> 
> I am currently working on  a little webpage in python to allow easy
> ldap management (add/remove users and groups, passwords update).
> 
> > Have you
> > checked your configuration of all those moving parts? Looked at
> > logs? You don't even mention what else you're using, much less how
> > they've been configured or what their logs report.
> 
> I am looking through logs and config since the beginning of the
> day... Actually, asking help on forums or mailing lists is always
> my last step in solving problems...
> 
> here is my config :
> 
> 
> include schema/core.schema
> include schema/cosine.schema
> include schema/inetorgperson.schema
> include schema/misc.schema
> include schema/nis.schema
> include schema/openldap.schema
> 
> loglevel        256
> 
> pidfile         run/slapd.pid
> argsfile        run/slapd.args
> allow           bind_v2
> password-hash   {SHA}
> 
> ###
> # BDB database definitions
> ###
> 
> database        bdb
> suffix  "dc=22decembre,dc=eu"
> rootdn  "cn=admin,dc=22decembre,dc=eu"
> 
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
> 
> #access to attrs=userpassword
> #  by self   write
> #   by anonymous  auth
> #  by *  none
> 
> #rootpw secret
> rootpw  {SSHA}vdszl5a7z9UlAU6iHU0xlKJCY+Tpgmv+
> 
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory   data
> # Indices to maintain
> index   objectClass eq
> index   uid eq
> index   uidNumber   eq
> index   gidNumber   eq
> index   memberUid   eq
> index   homeDirectory   eq
> index   loginShell  eq
> index   cn,gn,mail  pres,eq,sub
> 
> ##
> 
> I have tried to disable all ACLs (so default policy: everything
> readable). But still not possible to log on.
> 
> Here is what I get when trying to use login_ldap with
> debugging
> 
> 
> # /usr/local/libexec/auth/login_-ldap -d -s login stephane ldap
> Password:
> load_ssl_certs says:
> cacert none
> cacertdir none
> usercert none
> userkey none
> parse_server_line buf = localhost
> parse_server_line port == NULL, will use default
> parse_server_line mode == NULL, will use default
> host localhost, port 389, version 3
> setting cert info
> clearing ssl set
> connect success!
> set version to 3
> defaults:
> basedn ou=users,dc=22decembre,dc=eu
> binddn none
> bindpw none
> set timeout sec 60, usec 6
> set noref 0
> set keepcreds 0
> bind success!
> usearch:
> ufilter (&(objectclass=posixAccount)(uid=stephane))
> scope: sub
> 0: search (ou=users,dc=22decembre,dc=eu,
> (&(objectclass=posixAccount) (uid=stephane)))
> 1: msgid 0, type 64
> 1: SEARCH_ENTRY userdn uid=stephane,ou=users,dc=22decembre,dc=eu
> 1: msgid 1, type 65
> 1: returning userdn = uid=stephane,ou=users,dc=22decembre,dc=eu
> userdn uid=stephane,ou=users,dc=22decembre,dc=eu
> user bind failed, dn: uid=stephane,ou=users,dc=22decembre,dc=eu
> reject

when using the one in /usr/libexec/auth/login_... instead of 
/usr/local/libexec... it works !

and I can start ypldap !

But why can't I authenticate (using ssh or login) on the system ? Do I 
really have to go through ypldap ? Sounds not efficient to have an 
intermediate !

And still having problem with my php scripts, which I am debugging 
now.

Thanks for your help and answers. Please continue if you have any idea 
! :D

> 
> > I am using ypldap from base and login_ldap from ports; your
> > mileage
> > may vary.
> > 
> > > By the way, anybody use the light ldapd daemon included in base
> > > ?
> > > can we update password with it ?
> > 
> > I use it. It does not currently support the modify password
> > extended operation (what ldappasswd relies on). I am working on a
> > patch for it but I haven't finished it and it requires a bit more
> > refactoring than just processing one new request.
> 
> Ok, so I think I will check ldapd from time to time...
> 
> > --
> > Matthew Weigel



Re: openldap password fails to update

2014-03-08 Thread Stéphane Guedon
On Saturday 8 March 2014, 09:09:08 Matthew Weigel wrote:
> On Mar 8, 2014, at 6:29 AM, Stéphane Guedon wrote:
> > Notably, the user fails to auth and do login (with openbsd login
> > system AND webpages) even though password is correct according to
> > ldap itself !
>
> That's a lot more moving parts than just passwords in LDAP.

Yes, but passwords are the first things to change to secure your
users/install.

I am currently working on  a little webpage in python to allow easy
ldap management (add/remove users and groups, passwords update).

> Have you
> checked your configuration of all those moving parts? Looked at
> logs? You don't even mention what else you're using, much less how
> they've been configured or what their logs report.

I am looking through logs and config since the beginning of the day...
Actually, asking help on forums or mailing lists is always my last
step in solving problems...

here is my config :


include schema/core.schema
include schema/cosine.schema
include schema/inetorgperson.schema
include schema/misc.schema
include schema/nis.schema
include schema/openldap.schema

loglevel        256

pidfile         run/slapd.pid
argsfile        run/slapd.args
allow           bind_v2
password-hash   {SHA}

###
# BDB database definitions
###

database        bdb
suffix  "dc=22decembre,dc=eu"
rootdn  "cn=admin,dc=22decembre,dc=eu"

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

#access to attrs=userpassword
#  by self   write
#   by anonymous  auth
#  by *  none

#rootpw secret
rootpw  {SSHA}vdszl5a7z9UlAU6iHU0xlKJCY+Tpgmv+

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   data
# Indices to maintain
index   objectClass eq
index   uid eq
index   uidNumber   eq
index   gidNumber   eq
index   memberUid   eq
index   homeDirectory   eq
index   loginShell  eq
index   cn,gn,mail  pres,eq,sub

##

I have tried to disable all ACLs (so default policy: everything
readable). But still not possible to log on.

Here is what I get when trying to use login_ldap with debugging:

# /usr/local/libexec/auth/login_-ldap -d -s login stephane ldap
Password:
load_ssl_certs says:
cacert none
cacertdir none
usercert none
userkey none
parse_server_line buf = localhost
parse_server_line port == NULL, will use default
parse_server_line mode == NULL, will use default
host localhost, port 389, version 3
setting cert info
clearing ssl set
connect success!
set version to 3
defaults:
basedn ou=users,dc=22decembre,dc=eu
binddn none
bindpw none
set timeout sec 60, usec 6
set noref 0
set keepcreds 0
bind success!
usearch:
ufilter (&(objectclass=posixAccount)(uid=stephane))
scope: sub
0: search (ou=users,dc=22decembre,dc=eu, (&(objectclass=posixAccount)
(uid=stephane)))
1: msgid 0, type 64
1: SEARCH_ENTRY userdn uid=stephane,ou=users,dc=22decembre,dc=eu
1: msgid 1, type 65
1: returning userdn = uid=stephane,ou=users,dc=22decembre,dc=eu
userdn uid=stephane,ou=users,dc=22decembre,dc=eu
user bind failed, dn: uid=stephane,ou=users,dc=22decembre,dc=eu
reject



> I am using ypldap from base and login_ldap from ports; your mileage
> may vary.
> > By the way, anybody use the light ldapd daemon included in base ?
> > can we update password with it ?
>
> I use it. It does not currently support the modify password extended
> operation (what ldappasswd relies on). I am working on a patch for
> it but I haven't finished it and it requires a bit more refactoring
> than just processing one new request.

Ok, so I think I will check ldapd from time to time...

> --
> Matthew Weigel




Re: openldap password fails to update

2014-03-08 Thread Matthew Weigel
On Mar 8, 2014, at 6:29 AM, Stéphane Guedon  wrote:
>
> Notably, the user fails to auth and do login (with openbsd login
> system AND webpages) even though password is correct according to ldap
> itself !

That's a lot more moving parts than just passwords in LDAP. Have you checked
your configuration of all those moving parts? Looked at logs? You don't even
mention what else you're using, much less how they've been configured or what
their logs report.

I am using ypldap from base and login_ldap from ports; your mileage may vary.

> By the way, anybody use the light ldapd daemon included in base ? can
> we update password with it ?

I use it. It does not currently support the modify password extended operation
(what ldappasswd relies on). I am working on a patch for it but I haven't
finished it and it requires a bit more refactoring than just processing one
new request.

Until that's done I rely on a short Perl script I wrote. It's a pretty simple
kind of thing to do; it is more a codification of a particular policy than a
technically challenging problem.
--
Matthew Weigel



Re: openldap password fails to update

2014-03-08 Thread Stéphane Guedon
On Saturday 8 March 2014, 12:23:19 Stuart Henderson wrote:
> On 2014-03-07, Stéphane Guedon  wrote:
> > But when I try to change this user password it fails :
> >
> > # ldappasswd  -x -v -D "uid=test,ou=users,dc=22decembre,dc=eu" \
> > -w somesecret -s anothersec
> > ldap_initialize(  )
> > Result: Other (e.g., implementation specific) error (80)
> > Additional info: password hash failed
>
> What is "password-hash" set to in slapd.conf on the server?
>
> I think there is a bug with "password-hash {CRYPT}", if you use this
> you can try "password-hash {SSHA}" for now, or (probably better)
> encrypt the password locally and change it using ldapmodify (or
> ldapvi, etc).
>
> > slappasswd never gives the same result !
>
> That's expected for salted hashes.
>
> > Does any of you can suggest what's wrong ? Do you need other
> > information ?
>
> It won't necessarily help, but you should always mention versions
> (or dates if building from source) of any relevant software and
> what machine architecture you use in any problem report.

Thanks everybody from the list...
I changed the standard hash yesterday and now, password update works.
But I am still having problems with other parts of the ldap...

Notably, the user fails to auth and do login (with openbsd login
system AND webpages) even though password is correct according to ldap
itself !

By the way, anybody use the light ldapd daemon included in base ? can
we update password with it ?




Re: OBSD 5.4 and OpenLDAP

2014-03-08 Thread Stuart Henderson
On 2014-03-07, Friedrich Locke  wrote:
> Hi folks!
>
> I would like to set up an OpenLDAP server using OpenBSD and the ports
> collection.
> I wonder if the current OpenLDAP in the ports is still broken?
> Does it support mdb/hdb/bdb?
>
> Thanks a lot.
>
> gustavo.
>
>

OpenLDAP 2.3 and 2.4 servers are in ports. 2.3 uses ldbm, 2.4 uses bdb.

mdb is not enabled as the default settings for mdb require that the
buffer cache and mmap are coherent which is not the case on OpenBSD.

According to Howard Chu this requirement is relaxed if MDB_WRITEMAP
is used so I am tempted to change the port to A) enable it and B)
add a check to refuse use of mdb unless writemap is set.



Re: openldap password fails to update

2014-03-08 Thread Stuart Henderson
On 2014-03-07, Stéphane Guedon  wrote:
> But when I try to change this user password it fails :
>
> # ldappasswd  -x -v -D "uid=test,ou=users,dc=22decembre,dc=eu" \
> -w somesecret -s anothersec
> ldap_initialize(  )
> Result: Other (e.g., implementation specific) error (80)
> Additional info: password hash failed

What is "password-hash" set to in slapd.conf on the server?

I think there is a bug with "password-hash {CRYPT}", if you use this
you can try "password-hash {SSHA}" for now, or (probably better)
encrypt the password locally and change it using ldapmodify (or
ldapvi, etc).

> slappasswd never gives the same result !

That's expected for salted hashes.

> Does any of you can suggest what's wrong ? Do you need other 
> information ?

It won't necessarily help, but you should always mention versions (or
dates if building from source) of any relevant software and what machine
architecture you use in any problem report.



Re: openldap password fails to update

2014-03-07 Thread Matthew Weigel

On 03/07/2014 04:22 AM, Stéphane Guedon wrote:

> # ldappasswd  -x -v -D "uid=test,ou=users,dc=22decembre,dc=eu" \
> -w somesecret -s anothersec
> ldap_initialize(  )
> Result: Other (e.g., implementation specific) error (80)
> Additional info: password hash failed

I'm sorry, it's not clear that this is an OpenBSD problem.  See, for 
example, 
http://www.openldap.org/lists/openldap-technical/200902/msg00186.html

> There's another thing strange, maybe related to the problem :
> slappasswd never gives the same result !
>
> # slappasswd
> New password:
> Re-enter new password:
> {SSHA}8ip4+k3gVAN6Gggf2szhJxo052sI3Fyc
> # slappasswd
> New password:
> Re-enter new password:
> {SSHA}JvduTI/JAX1G9AhtlCYEjNHl/6DbE6hs

The whole point of salting is to make the hash different each time.  A 
random salt is used to alter the hash and then that salt is added to the 
end of the hashed string before being base64-encoded to give you the 
hash you see.

--
 Matthew Weigel
 hacker
 unique & idempot . ent



openldap password fails to update

2014-03-07 Thread Stéphane Guedon
Hello everybody.

I am currently finishing my openbsd server. Most of the installation went 
pretty well :-).

I run now in openldap. I successfully installed the server and 
launched it in chroot for security.

My problem is weird: using ldapadd, I can add people and stuff.

ldapadd -x -D "cn=admin,dc=22decembre,dc=eu" -w secret -f stef.ldif 


adding new entry "uid=test,ou=users,dc=22decembre,dc=eu"

But when I try to change this user password it fails :

# ldappasswd  -x -v -D "uid=test,ou=users,dc=22decembre,dc=eu" \
-w somesecret -s anothersec
ldap_initialize(  )
Result: Other (e.g., implementation specific) error (80)
Additional info: password hash failed


and when looking in logs I don't see why it fails !

Mar  7 10:29:35 blackblock slapd[26351]: => slap_access_allowed: auth access granted by auth(=xd)
Mar  7 10:29:35 blackblock slapd[26351]: => access_allowed: auth access granted by auth(=xd)
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=0 BIND dn="uid=test,ou=users,dc=22decembre,dc=eu" mech=SIMPLE ssf=0
Mar  7 10:29:35 blackblock slapd[26351]: do_bind: v3 bind: "uid=test,ou=users,dc=22decembre,dc=eu" to "uid=test,ou=users,dc=22decembre,dc=eu"
Mar  7 10:29:35 blackblock slapd[26351]: send_ldap_result: conn=1014 op=0 p=3
Mar  7 10:29:35 blackblock slapd[26351]: send_ldap_result: err=0 matched="" text=""
Mar  7 10:29:35 blackblock slapd[26351]: send_ldap_response: msgid=1 tag=97 err=0
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=0 RESULT tag=97 err=0 text=
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on 1 descriptor
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on:
Mar  7 10:29:35 blackblock slapd[26351]:  22r
Mar  7 10:29:35 blackblock slapd[26351]:
Mar  7 10:29:35 blackblock slapd[26351]: daemon: read activity on 22
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=6 active_threads=0 tvp=NULL
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=7 active_threads=0 tvp=NULL
Mar  7 10:29:35 blackblock slapd[26351]: connection_get(22)
Mar  7 10:29:35 blackblock slapd[26351]: connection_get(22): got connid=1014
Mar  7 10:29:35 blackblock slapd[26351]: connection_read(22): checking for input on id=1014
Mar  7 10:29:35 blackblock slapd[26351]: op tag 0x77, time 1394184575
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on 1 descriptor
Mar  7 10:29:35 blackblock slapd[26351]: daemon: waked
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=6 active_threads=0 tvp=NULL
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=7 active_threads=0 tvp=NULL
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=1 do_extended
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Mar  7 10:29:35 blackblock slapd[26351]: do_extended: oid=1.3.6.1.4.1.4203.1.11.1
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=1 PASSMOD new
Mar  7 10:29:35 blackblock slapd[26351]: bdb_dn2entry("uid=test,ou=users,dc=22decembre,dc=eu")
Mar  7 10:29:35 blackblock slapd[26351]: send_ldap_extended: err=80 oid= len=0
Mar  7 10:29:35 blackblock slapd[26351]: send_ldap_response: msgid=2 tag=120 err=80
Mar  7 10:29:35 blackblock slapd[26351]: conn=1014 op=1 RESULT oid= err=80 text=password hash failed
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on 1 descriptor
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on:
Mar  7 10:29:35 blackblock slapd[26351]:  22r
Mar  7 10:29:35 blackblock slapd[26351]:
Mar  7 10:29:35 blackblock slapd[26351]: daemon: read activity on 22
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=6 active_threads=0 tvp=NULL
Mar  7 10:29:35 blackblock slapd[26351]: connection_get(22)
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=7 active_threads=0 tvp=NULL
Mar  7 10:29:35 blackblock slapd[26351]: connection_get(22): got connid=1014
Mar  7 10:29:35 blackblock slapd[26351]: connection_read(22): checking for input on id=1014
Mar  7 10:29:35 blackblock slapd[26351]: op tag 0x42, time 1394184575
Mar  7 10:29:35 blackblock slapd[26351]: ber_get_next on fd 22 failed errno=0 (Undefined error: 0)
Mar  7 10:29:35 blackblock slapd[26351]: connection_read(22): input error=-2 id=1014, closing.
Mar  7 10:29:35 blackblock slapd[26351]: connection_closing: readying conn=1014 sd=22 for close
Mar  7 10:29:35 blackblock slapd[26351]: daemon: activity on 1 descriptor
Mar  7 10:29:35 blackblock slapd[26351]: daemon: waked
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=6 active_threads=0 tvp=NULL
Mar  7 10:29:35 blackblock slapd[26351]: daemon: select: listen=7 active_threads=0 tvp=NULL
Mar  7 10:29:35 blackblock slapd[26351]: 

Re: OBSD 5.4 and OpenLDAP

2014-03-06 Thread Vijay Sankar

Why do you say it is still broken?

I am running

openldap-client-2.4.35p1 open-source LDAP software (client)
openldap-server-2.4.35p2 open-source LDAP software (server)

on OpenBSD 5.4 without any problems. The package works beautifully,  
works with samba, horde, etc., far better than anything else out  
there. I am using the following:


# Load dynamic backend modules:
modulepath  /usr/local/libexec/openldap
moduleload  back_bdb.la

Quoting Friedrich Locke :


Hi folks!

I would like to set up an OpenLDAP server using OpenBSD and the ports
collection.
I wonder if the current OpenLDAP in the ports is still broken?
Does it support mdb/hdb/bdb?

Thanks a lot.

gustavo.






Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca

-
This message was sent using ForeTell-POST 4.9



OBSD 5.4 and OpenLDAP

2014-03-06 Thread Friedrich Locke
Hi folks!

I would like to set up an OpenLDAP server using OpenBSD and the ports
collection.
I wonder if the current OpenLDAP in the ports is still broken?
Does it support mdb/hdb/bdb?

Thanks a lot.

gustavo.



Re: openldap-2.4.36 server

2013-11-11 Thread Stuart Henderson
On 2013-11-10, Predrag Punosevac  wrote:
> Hi Misc,
>
> I am playing with OpenLDAP and I have a question about OpenLDAP server.
> I see in ports OpenLDAP server version 2.3.43 and the client version
> 2.4.36 even though the current release is 2.4.37. Is there a particular
> reason besides lack of manpower and interest why the server is not
> updated to 2.4.36 or newer? I have a hard time believing that 2.4.36 in
> the base due to licensing. Am I missing something obvious as usual?
>
> Predrag
>
>

Both the 2.3.x and 2.4.x servers are available, the old one is because
some people had big problems with the bdb database backend.

As far as the client is concerned, only 2.4.x is available; there
haven't been any complaints about this client version, and many ports
depend on it, so carrying 2 versions would cause a lot of problems
in ports.

2.4.x is at 2.4.36 because 2.4.37 has only been out for 2 weeks and it 
takes time for people to notice the release, prepare the update, and test
it.



Re: openldap-2.4.36 server

2013-11-10 Thread Predrag Punosevac
j...@wxcvbn.org (Jérémie Courrèges-Anglas) wrote:

> Predrag Punosevac  writes:
>
> > Hi Misc,
>
> Hi,
>
> this is a question for ports@.
>

I was not sure but I didn't want to cross post.

> > I am playing with OpenLDAP and I have a question about OpenLDAP server.
> > I see in ports OpenLDAP server version 2.3.43 and the client version
> > 2.4.36 even though the current release is 2.4.37. Is there a particular
> > reason besides lack of manpower and interest why the server is not
> > updated to 2.4.36 or newer?
>
> On -current i386:
> $ pkg_info -Q openldap
> openldap-client-2.4.36 (installed)
> openldap-server-2.3.43p13
> openldap-server-2.4.36
> openldap-server-2.4.36-aci
>
> > I have a hard time believing that 2.4.36 in
> > the base due to licensing.
>
> There's ldapd in base if you want to give it a try.
>

I just came across Stuart's answer to somebody and wanted to apologize
for the noise. I should have investigated the license better instead of
making assumptions. I do appreciate your quick pointers though.

Most Kind Regards,
Predrag

> > Am I missing something obvious as usual?
>
> Well... ;)
>
> -- 
> jca | PGP : 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



Re: openldap-2.4.36 server

2013-11-10 Thread Jérémie Courrèges-Anglas
Predrag Punosevac  writes:

> Hi Misc,

Hi,

this is a question for ports@.

> I am playing with OpenLDAP and I have a question about OpenLDAP server.
> I see in ports OpenLDAP server version 2.3.43 and the client version
> 2.4.36 even though the current release is 2.4.37. Is there a particular
> reason besides lack of manpower and interest why the server is not
> updated to 2.4.36 or newer?

On -current i386:
$ pkg_info -Q openldap
openldap-client-2.4.36 (installed)
openldap-server-2.3.43p13
openldap-server-2.4.36
openldap-server-2.4.36-aci

> I have a hard time believing that 2.4.36 in
> the base due to licensing.

There's ldapd in base if you want to give it a try.

> Am I missing something obvious as usual?

Well... ;)

-- 
jca | PGP : 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



openldap-2.4.36 server

2013-11-10 Thread Predrag Punosevac
Hi Misc,

I am playing with OpenLDAP and I have a question about OpenLDAP server.
I see in ports OpenLDAP server version 2.3.43 and the client version
2.4.36 even though the current release is 2.4.37. Is there a particular
reason besides lack of manpower and interest why the server is not
updated to 2.4.36 or newer? I have a hard time believing that 2.4.36 in
the base due to licensing. Am I missing something obvious as usual?

Predrag



Re: obsd 5.3 and openldap

2013-06-13 Thread Stuart Henderson
On 2013-06-12, Friedrich Locke  wrote:
> Hi folks,
>
> may someone on the list tell me whether openldap on obsd5.3 supports hdb or
> even bdb.
> As far as I know, openldap in openbsd ports is broken.
>
> Thank you all.
>
> gustavo.
>
>

OpenBSD 5.3 ships with OpenLDAP 2.3.43 (with ldbm only) and 2.4.33 (hdb
and bdb). I use 2.4.33 (including replication) in production, works fine here.

You asked about mdb before, I sent a diff out when you asked about that,
but you didn't test/reply.



Re: obsd 5.3 and openldap

2013-06-12 Thread Vijay Sankar

Quoting Friedrich Locke :


Hi folks,

may someone on the list tell me whether openldap on obsd5.3 supports hdb or
even bdb.
As far as I know, openldap in openbsd ports is broken.

Thank you all.

gustavo.




Hi,

I am running 2.4.35 on a -current system and it is not broken  
(replication etc. all work great)


Anyways I had sent you a bunch of messages early this year on the same  
topic -- most of them were copied to misc@ as well. Not sure whether  
any of that was of any help. Just in case it is, this was one of the  
threads from me:


http://marc.info/?l=openbsd-misc&m=135820160219059

The following is more useful than what I wrote

http://marc.info/?l=openbsd-misc&m=135821142622739&w=2

Hope this helps,


Vijay


Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca




Re: obsd 5.3 and openldap

2013-06-12 Thread Jérémie Courrèges-Anglas
Friedrich Locke  writes:

> Hi folks,

Hi,

> may someone on the list tell me whether openldap on obsd5.3 supports hdb or
> even bdb.

Weren't you the one that requested adding support for mdb on ports,
a while ago?  I thought you knew. :)

  Since I do need to get a directory service and have no knowledge of
  openldap internals, I come to you
  in order to suggest how I could help in order to get mdb supported by
  OpenBSD Ports OpenLDAP.

As far as I understand it, I can see three possible solutions:
- switch to ldapd(8)
- fix the bdb/hdb code in OpenLDAP so that it works on OpenBSD
- nag the OpenBSD developers so that they implement "Unified Buffer
  Cache", or even better, just do it.  I don't understand that stuff but
  I'm sure that isn't easy...

> As far as I know, openldap in openbsd ports is broken.

Can't really answer this.  Do you mean anything openldap, or just slapd
/ the slap* tools?

> Thank you all.
>
> gustavo.

-- 
Jérémie Courrèges-Anglas
PGP Key fingerprint: 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



obsd 5.3 and openldap

2013-06-12 Thread Friedrich Locke
Hi folks,

may someone on the list tell me whether openldap on obsd5.3 supports hdb or
even bdb.
As far as I know, openldap in openbsd ports is broken.

Thank you all.

gustavo.



Re: openldap on OBSD amd64 5.2

2013-01-14 Thread Stuart Henderson
On 2013-01-14, Claudio Jeker  wrote:
> On Mon, Jan 14, 2013 at 05:41:36PM -0200, Friedrich Locke wrote:
>> Hi,
>> 
>> I am trying to get openldap running, but my experience has not been that
>> good.
>> I have built and installed from ports. I can get it up and running but as
>> soon as qmail tries to bind to it, it begins to consume memory up to all
>> my available memory.
>>
>> I asked for help on the openldap mailing list and they got baffled, pretty
>> baffled.
>> I was told that on linux some special flags need to be supplied to BDB in
>> order to get it working well.
>> What about OpenBSD? Have you tried qmail-ldap + openldap on OBSD? Faced
>> anything similar?
>> I am aware that this problem has persisted since about two years ago, when I
>> tried to get them working and the same problem arose.
>> I waited believing it would be fixed in the near future ...
>>
>> I am really interested in getting it solved, although I have no knowledge of
>> BDB internals ..
>> 
>> I am willing to hear 
>> 
>
> Install openldap-server-2.3.43 and use LDBM. BDB on 64bit archs is borked.
> We have the old version exactly for that around.
>

I'm running 2.4.33 with BDB on amd64 and haven't seen this problem but
my current use of it is not exactly heavyweight though, just mail routing,
password, antispam config for a few hundred user accounts (using
dovecot/postfix/amavis).

I haven't run qmail-ldap for at least 10 years but your description
"as soon as qmail tries to bind into it, it begins to consume memory"
suggests that maybe it works with other clients - is that correct?
any idea what qmail-ldap is doing differently?

If you haven't already got reasonable logs you can add
'local4.* /var/log/ldap' to /etc/syslog.conf, touch /var/log/ldap,
/etc/rc.d/syslogd reload - iirc this is enough to get binds/queries
logged and might help shed some light.



Re: openldap on OBSD amd64 5.2

2013-01-14 Thread Vijay Sankar

I am using db-4.6.21p4

Quoting Friedrich Locke :


Hi,

sounds strange. Claudio said it was borked for amd64.
Are you using BDB ? Which version ?

On Mon, Jan 14, 2013 at 8:10 PM, Vijay Sankar  wrote:


Quoting Friedrich Locke :

 Hi,


I am trying to get openldap running, but my experience has not been that
good.
I have built and installed from ports. I can get it up and running but as
soon as qmail tries to bind to it, it begins to consume memory up to all
my available memory.

I asked for help on the openldap mailing list and they got baffled, pretty
baffled.
I was told that on linux some special flags need to be supplied to BDB in
order to get it working well.
What about OpenBSD? Have you tried qmail-ldap + openldap on OBSD? Faced
anything similar?
I am aware that this problem has persisted since about two years ago, when I
tried to get them working and the same problem arose.
I waited believing it would be fixed in the near future ...

I am really interested in getting it solved, although I have no knowledge of
BDB internals ..

I am willing to hear 

Thanks in advance.




I have been using OpenLDAP on OpenBSD (OpenLDAP 2.4.12 on OpenBSD 4.7 i386
as well as OpenLDAP 2.4.26 on OpenBSD 4.9 amd64) without any problems for a
few years now.

I use sendmail as MTA and use the LDAP database for vacation, address
books, distribution lists, etc. OpenLDAP also is used to authorize Windows
users, dovecot users, iphone and blackberry users, etc. I use BDB so that
syncrepl etc. works well.

Since knowledgeable people have mentioned that there are problems with
newer versions of LDAP, I wonder if it is advisable for you to use the
older versions on OpenBSD to run OpenLDAP. Not sure, just a thought. Since
the ports.tar.gz file is on the CD, you may be able to build the older
packages even though they are obsolete and not available at the OpenBSD FTP
site.

Vijay


Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca








Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca




Re: openldap on OBSD amd64 5.2

2013-01-14 Thread Friedrich Locke
Hi,

sounds strange. Claudio said it was borked for amd64.
Are you using BDB ? Which version ?

On Mon, Jan 14, 2013 at 8:10 PM, Vijay Sankar  wrote:

> Quoting Friedrich Locke :
>
>  Hi,
>>
>> I am trying to get openldap running, but my experience has not been that
>> good.
>> I have built and installed from ports. I can get it up and running but as
>> soon as qmail tries to bind to it, it begins to consume memory up to all
>> my available memory.
>>
>> I asked for help on the openldap mailing list and they got baffled, pretty
>> baffled.
>> I was told that on linux some special flags need to be supplied to BDB in
>> order to get it working well.
>> What about OpenBSD? Have you tried qmail-ldap + openldap on OBSD? Faced
>> anything similar?
>> I am aware that this problem has persisted since about two years ago, when I
>> tried to get them working and the same problem arose.
>> I waited believing it would be fixed in the near future ...
>>
>> I am really interested in getting it solved, although I have no knowledge of
>> BDB internals ..
>>
>> I am willing to hear 
>>
>> Thanks in advance.
>>
>>
>>
> I have been using OpenLDAP on OpenBSD (OpenLDAP 2.4.12 on OpenBSD 4.7 i386
> as well as OpenLDAP 2.4.26 on OpenBSD 4.9 amd64) without any problems for a
> few years now.
>
> I use sendmail as MTA and use the LDAP database for vacation, address
> books, distribution lists, etc. OpenLDAP also is used to authorize Windows
> users, dovecot users, iphone and blackberry users, etc. I use BDB so that
> syncrepl etc. works well.
>
> Since knowledgeable people have mentioned that there are problems with
> newer versions of LDAP, I wonder if it is advisable for you to use the
> older versions on OpenBSD to run OpenLDAP. Not sure, just a thought. Since
> the ports.tar.gz file is on the CD, you may be able to build the older
> packages even though they are obsolete and not available at the OpenBSD FTP
> site.
>
> Vijay
>
>
> Vijay Sankar, M.Eng., P.Eng.
> ForeTell Technologies Limited
> vsan...@foretell.ca
>
> --**---
> This message was sent using ForeTell-POST 4.9



Re: openldap on OBSD amd64 5.2

2013-01-14 Thread Vijay Sankar

Quoting Friedrich Locke :


Hi,

I am trying to get openldap running, but my experience has not been that
good.
I have built and installed from ports. I can get it up and running but as
soon as qmail tries to bind to it, it begins to consume memory up to all
my available memory.

I asked for help on the openldap mailing list and they got baffled, pretty
baffled.
I was told that on linux some special flags need to be supplied to BDB in
order to get it working well.
What about OpenBSD? Have you tried qmail-ldap + openldap on OBSD? Faced
anything similar?
I am aware that this problem has persisted since about two years ago, when I
tried to get them working and the same problem arose.
I waited believing it would be fixed in the near future ...

I am really interested in getting it solved, although I have no knowledge of
BDB internals ..

I am willing to hear 

Thanks in advance.




I have been using OpenLDAP on OpenBSD (OpenLDAP 2.4.12 on OpenBSD 4.7  
i386 as well as OpenLDAP 2.4.26 on OpenBSD 4.9 amd64) without any  
problems for a few years now.


I use sendmail as MTA and use the LDAP database for vacation, address  
books, distribution lists, etc. OpenLDAP also is used to authorize
Windows users, dovecot users, iphone and blackberry users, etc. I use
BDB so that syncrepl etc. works well.


Since knowledgeable people have mentioned that there are problems with  
newer versions of LDAP, I wonder if it is advisable for you to use the  
older versions on OpenBSD to run OpenLDAP. Not sure, just a thought.  
Since the ports.tar.gz file is on the CD, you may be able to build the  
older packages even though they are obsolete and not available at the  
OpenBSD FTP site.


Vijay


Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
vsan...@foretell.ca




Re: openldap on OBSD amd64 5.2

2013-01-14 Thread Claudio Jeker
On Mon, Jan 14, 2013 at 05:41:36PM -0200, Friedrich Locke wrote:
> Hi,
> 
> I am trying to get openldap running, but my experience has not been that
> good.
> I have built and installed from ports. I can get it up and running but as
> soon as qmail tries to bind to it, it begins to consume memory up to all
> my available memory.
>
> I asked for help on the openldap mailing list and they got baffled, pretty
> baffled.
> I was told that on linux some special flags need to be supplied to BDB in
> order to get it working well.
> What about OpenBSD? Have you tried qmail-ldap + openldap on OBSD? Faced
> anything similar?
> I am aware that this problem has persisted since about two years ago, when I
> tried to get them working and the same problem arose.
> I waited believing it would be fixed in the near future ...
>
> I am really interested in getting it solved, although I have no knowledge of
> BDB internals ..
> 
> I am willing to hear 
> 

Install openldap-server-2.3.43 and use LDBM. BDB on 64bit archs is borked.
We have the old version exactly for that around.

-- 
:wq Claudio



openldap on OBSD amd64 5.2

2013-01-14 Thread Friedrich Locke
Hi,

I am trying to get openldap running, but my experience has not been that
good.
I have built and installed from ports. I can get it up and running but as
soon as qmail tries to bind to it, it begins to consume memory up to all
my available memory.

I asked for help on the openldap mailing list and they got baffled, pretty
baffled.
I was told that on linux some special flags need to be supplied to BDB in
order to get it working well.
What about OpenBSD? Have you tried qmail-ldap + openldap on OBSD? Faced
anything similar?
I am aware that this problem has persisted since about two years ago, when I
tried to get them working and the same problem arose.
I waited believing it would be fixed in the near future ...

I am really interested in getting it solved, although I have no knowledge of
BDB internals ..

I am willing to hear 

Thanks in advance.



openldap

2012-11-13 Thread Friedrich Locke
Hi,

I remember that when installing openldap (after building it from
/usr/ports/database/opendap) the scripts in the patch directory created
user _openldap and the group too.
Now I cannot see any reference to the user/group the openldap server process
will run as?

Isn't it necessary anymore ? I mean, doesn't the installing procedure
create user/group entries anymore ?

Thanks a lot.



OBSD 4.9 and OpenLDAP 2.4.23

2011-08-02 Thread Friedrich Locke
Hi,

does anybody here use openldap 2.4.23 with OBSD 4.9?
are you having any problems related to memory usage by slapd?

Thanks for your time and cooperation,

best regards.

fried



Re: openldap and openbsd

2011-06-30 Thread Stuart Henderson
On 2011-06-29, Stuart Henderson  wrote:
> On 2011-06-29, Remco  wrote:
>>
>> Apart from the other advice you got I think you need to set the KRB5_KTNAME
>> environment variable to tell slapd where to find your LDAP keytab, e.g.:
>> (yeah, I edited the default slapd rc script, I don't know if there's a
>> better way)
>
> this will cause you hassle when you update the packages.
>
> see rc.d(8) for the correct way to handle this.

ah, sorry I thought you were changing flags not environment.
even so, editing the rc script provided by the package will
cause problems, you could copy it under another name though...



openbsd/ypserv/openldap

2011-06-29 Thread Friedrich Locke
Hi folks,

how should i add an entry to openldap that ypserv will use it for binding ?
This entry will need to have a password and should not be confused
with a valid posix user entry.

How have you done on your ypldap/openldap implementation ?

Thanks in advance.



Re: openldap and openbsd

2011-06-29 Thread Remco
Stuart Henderson wrote:

> On 2011-06-29, Remco  wrote:
>>
>> Apart from the other advice you got I think you need to set the
>> KRB5_KTNAME environment variable to tell slapd where to find your LDAP
>> keytab, e.g.: (yeah, I edited the default slapd rc script, I don't know
>> if there's a better way)
> 
> this will cause you hassle when you update the packages.
> 
> see rc.d(8) for the correct way to handle this.

Thanks for the pointer though I'm not sure what you were hinting at. On my
4.9 system I couldn't really find a way to override the daemon line in a rc
script. However, I found out that it's possible to define a class in
login.conf named after the script, and the script will pick that up, e.g.:
#
# OpenLDAP
#
slapd:\
:setenv=KRB5_KTNAME=/some_path/ldap.keytab:\
:tc=daemon:

Hopefully this is useful to the OP (and others as well).



Re: openldap and openbsd

2011-06-29 Thread Stuart Henderson
On 2011-06-29, Remco  wrote:
>
> Apart from the other advice you got I think you need to set the KRB5_KTNAME
> environment variable to tell slapd where to find your LDAP keytab, e.g.:
> (yeah, I edited the default slapd rc script, I don't know if there's a
> better way)

this will cause you hassle when you update the packages.

see rc.d(8) for the correct way to handle this.



Re: openldap and openbsd

2011-06-29 Thread Remco
Friedrich Locke wrote:

> Dear list members,
> 
> I have just installed openldap from ports (OpenBSD 4.9/amd64) and I am
> testing it. My doubt is:
> 
> It seems to me that openldap should be run as user "x" and group "y"
> according to the ports collection. The problem is that I want to use
> kerberos authentication. The system (OS context) is just doing
> kerberos, but the keytab file is accessible only to root.
> 
> How could I run openldap as a user other than root and provide it with
> a ldap/x.y.z ticket?
> 
> How have you done so?
> 
> Thanks for sharing your experience.
> 
> Best regards.

Apart from the other advice you got I think you need to set the KRB5_KTNAME
environment variable to tell slapd where to find your LDAP keytab, e.g.:
(yeah, I edited the default slapd rc script, I don't know if there's a
better way)

gw:~# cat /etc/rc.d/slapd
#!/bin/sh
#
# $OpenBSD: slapd.rc,v 1.3 2011/01/13 15:41:40 pea Exp $

# Point slapd (through the GSSAPI library) at a keytab the _openldap user can read.
daemon="env KRB5_KTNAME=/some_path/ldap.keytab /usr/local/libexec/slapd"
daemon_flags="-u _openldap"

. /etc/rc.d/rc.subr

rc_reload=NO

# The pid/socket directory under /var/run does not survive a reboot, so create it.
rc_pre() {
	/usr/bin/install -d -o _openldap /var/run/openldap
}

rc_cmd $1



Re: openldap and openbsd

2011-06-29 Thread Janne Johansson
2011/6/28 Friedrich Locke 

> Dear list members,
>
> I have just installed openldap from ports (OpenBSD 4.9/amd64) and I am
> testing it. My doubt is:
>
> It seems to me that openldap should be run as user "x" and group "y"
> according to the ports collection. The problem is that I want to use
> kerberos authentication. The system (OS context) is just doing
> kerberos, but the keytab file is accessible only to root.
>
> How could I run openldap as a user other than root and provide it with
> a ldap/x.y.z ticket?
>
> How have you done so?
>
>
You make a specific keytab for openldap, of course readable by the ldap
daemon user.
There is no need to stick all keytabs in the host keytab file.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: openldap and openbsd

2011-06-28 Thread Jeremie Courreges-Anglas
Friedrich Locke  writes:

> How could I run openldap as a user other than root and provide it with
> a ldap/x.y.z ticket?

Use kadmin and ktadd -k.
Remember that openldap (and only openldap) should only
have read access to the new keytab.



openldap and openbsd

2011-06-28 Thread Friedrich Locke
Dear list members,

I have just installed openldap from ports (OpenBSD 4.9/amd64) and I am
testing it. My doubt is:

It seems to me that openldap should be run as user "x" and group "y"
according to the ports collection. The problem is that I want to use
kerberos authentication. The system (OS context) is just doing
kerberos, but the keytab file is accessible only to root.

How could I run openldap as a user other than root and provide it with
a ldap/x.y.z ticket?

How have you done so?

Thanks for sharing your experience.

Best regards.



Re: OpenBSD + OpenLDAP

2011-06-01 Thread Devin Reade
--On Sunday, May 29, 2011 04:22:07 PM -0300 Friedrich Locke
 wrote:

> I am planning on migrating from traditional unix password files to LDAP.
> But I have one question: what about uid definition? 

Although I've not tried it under OpenBSD, I've used CPU
 to manage LDAP provisioning from the
command line under CentOS, and it claims to work under FreeBSD.

Devin



Re: OpenBSD + OpenLDAP

2011-05-29 Thread Martin Pelikan
On Sun, May 29, 2011 at 04:22:07PM -0300, Friedrich Locke wrote:
> Dear list users,
> 
> I am planning on migrating from traditional unix password files to LDAP.
> But I have one question: what about uid definition? Will ldap
> (for instance) auto-increment it?
> If not, how will ldap manage uid allocation?
> 
> Thanks in advance.
> 

Hi!

You have to manage that for yourself; this might help your tools written
in C. And note that in most schemas it's not 'uid', but 'uidNumber'.

--
Martin Pelikan


#include <sys/types.h>
#include <err.h>
#include <stdlib.h>
#include <string.h>
#include <ldap.h>

/*
 * Range of uidNumbers handed out automatically. The caller is expected to
 * define these; the values below are only a fallback so the file compiles.
 */
#ifndef UIDNUMBER_MIN
#define UIDNUMBER_MIN	1000
#endif
#ifndef UIDNUMBER_MAX
#define UIDNUMBER_MAX	60000
#endif

/*
 * Return the lowest uidNumber in [UIDNUMBER_MIN, UIDNUMBER_MAX) not used by
 * any entry directly below the base DN `bdn`, or (unsigned)-1 if the range
 * is exhausted. This is a read-then-pick, not an atomic allocation: two
 * admins running it at the same time can be handed the same number.
 */
unsigned
find_lowest_uidnum(LDAP *l, const char *bdn)
{
	static char uidNumber[] = "uidNumber";
	static char *attrs[] = { uidNumber, NULL };
	int error, cur, i;
	u_int8_t used[UIDNUMBER_MAX - UIDNUMBER_MIN];	/* one byte per uid, on the stack */
	LDAPMessage *e;
	LDAPMessage *res;
	struct berval **vals;

	/* Fetch only the uidNumber attribute of every entry one level below bdn. */
	if ((error = ldap_search_ext_s(l, bdn, LDAP_SCOPE_ONELEVEL, NULL,
	    attrs, 0, NULL, NULL, NULL, 0, &res)) != LDAP_SUCCESS)
		errx(1, "find_lowest_uidnum: synchronous search: %s",
		    ldap_err2string(error));

	memset(used, 0, sizeof used);

	for (e = ldap_first_entry(l, res); e; e = ldap_next_entry(l, e)) {
		vals = ldap_get_values_len(l, e, uidNumber);
		/* ldap_count_values_len(NULL) is 0, so entries without the attribute land here too. */
		if (ldap_count_values_len(vals) != 1) {
			warnx("Weird amount of UID numbers!");
			ldap_value_free_len(vals);
			continue;
		}

		/* Mark the slot; values outside the managed range are ignored. */
		cur = atoi(vals[0]->bv_val) - UIDNUMBER_MIN;
		if (cur >= 0 && cur < (UIDNUMBER_MAX - UIDNUMBER_MIN)) {
			used[cur] = 1;
		}

		ldap_value_free_len(vals);
	}

	ldap_msgfree(res);

	for (i = 0; i < (UIDNUMBER_MAX - UIDNUMBER_MIN); ++i) {
		if (used[i] == 0) {
			return (i + UIDNUMBER_MIN);
		}
	}
	return ((unsigned)-1);	/* range exhausted; callers must check for this */
}



Re: OpenBSD + OpenLDAP

2011-05-29 Thread Matt S
OpenLDAP itself does not automatically increment the uid.  You might look into
using ypldap but if you don't want to do that, you would have to script your
own tool.



To: misc@openbsd.org
Sent: Sunday, May 29, 2011 12:22 PM
Subject: OpenBSD + OpenLDAP

Dear list users,

I am planning on migrating from traditional unix password files to LDAP.
But I have one question: what about uid definition? Will ldap
(for instance) auto-increment it?
If not, how will ldap manage uid allocation?

Thanks in advance.



OpenBSD + OpenLDAP

2011-05-29 Thread Friedrich Locke
Dear list users,

I am planning on migrating from traditional unix password files to LDAP.
But I have one question: what about uid definition? Will ldap
(for instance) auto-increment it?
If not, how will ldap manage uid allocation?

Thanks in advance.



Re: Testing OpenLDAP 2.4.23p1 on OpenBSD 4.9

2011-05-13 Thread Stuart Henderson
On 2011-05-13, Martin Pelikan  wrote:
> I remember testing it a couple of months ago on 4.8-stable - for example
> if you fed it a mod_replace query to delete one value from a field
> with more of them (typically groups->memberUid), it wouldn't touch the
> one you wanted out and just delete the rest :-)
> Or there were some crashes on searches for non-existent
> users/groups/dunno. But that may be already fixed.
> If martinh@ is reading this, maybe he'll find it useful.

Mails on misc@ hoping that somebody will read them are not
good bug reports, please use sendbug so they can be tracked.



Re: Testing OpenLDAP 2.4.23p1 on OpenBSD 4.9

2011-05-13 Thread Martin Pelikan
2011/5/13 Stuart Henderson :
> you're confused between OpenLDAP and ldapd -
>
> ldapd is the OpenBSD LDAP daemon, part of the base OS.
>
> the OpenLDAP daemon is called slapd, installed with the openldap-server 
> package.

Unfortunately, the OpenBSD ldapd isn't fully finished yet (even the
man page says that). So, if you plan to use it, make sure everything
you need works nicely for you.
I remember testing it a couple of months ago on 4.8-stable - for example
if you fed it a mod_replace query to delete one value from a field
with more of them (typically groups->memberUid), it wouldn't touch the
one you wanted out and just delete the rest :-)
Or there were some crashes on searches for non-existent
users/groups/dunno. But that may be already fixed.
If martinh@ is reading this, maybe he'll find it useful. Because
otherwise the daemon rocks, easy-to-use-configuration and memory-wise.
If anyone's interested, I was using the simplest possible setup for
users and groups database to log in against:

# the very top
dn: o=storkhole
objectClass: top
objectClass: domain
o: storkhole

# ou=Users
dn: ou=Users,o=storkhole
objectClass: organizationalUnit
description: all the fancy users
ou: Users

# ou=Users, uid=myusr1 (an example of a user)
dn: uid=myusr1,ou=Users,o=storkhole
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: myusr1
cn: canonical name
sn: surname
homeDirectory: /home/myusr1
loginShell: /bin/ksh
mail: m...@mail.com
uidNumber: 1001
gidNumber: 100
userPassword: {CRYPT}$1$qc3rdebg$H5DsvSd4.1gjTfGPQZex67

# ou=Groups
dn: ou=Groups,o=storkhole
objectClass: organizationalUnit
description: all the fancy groups
ou: Groups

# ou=Groups, cn=mygroup1 (an example of a group)
dn: cn=mygroup1,ou=Groups,o=storkhole
objectClass: top
objectClass: posixGroup
cn: mygroup1
gidNumber: 1001
memberUid: myusr1

-- 
Martin Pelikan
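An added example, not Martin's code and not from the thread, that ties this LDIF to the uidNumber question in the 2011-05-29 "OpenBSD + OpenLDAP" thread: it parses the records above with the standard library, picks the lowest free uidNumber the way the C routine in that thread does, and goes one step further with the referential checks a ypldap-style login trips over (primary gid without a posixGroup, memberUid without an account, duplicate uidNumber, legacy password hash). The uidNumber range and the in-memory sample are assumptions; against a live server the entries would come from an ldapsearch instead.

```python
# Range handed out to new accounts: an assumption for this example.
UIDNUMBER_MIN, UIDNUMBER_MAX = 1000, 2000

# Constructed sample: the users/groups LDIF posted above, shortened.
SAMPLE_LDIF = """\
# ou=Users
dn: ou=Users,o=storkhole
objectClass: organizationalUnit
ou: Users

# ou=Users, uid=myusr1 (an example of a user)
dn: uid=myusr1,ou=Users,o=storkhole
objectClass: posixAccount
objectClass: shadowAccount
uid: myusr1
homeDirectory: /home/myusr1
loginShell: /bin/ksh
uidNumber: 1001
gidNumber: 100
userPassword: {CRYPT}$1$qc3rdebg$H5DsvSd4.1gjTfGPQZex67

# ou=Groups, cn=mygroup1 (an example of a group)
dn: cn=mygroup1,ou=Groups,o=storkhole
objectClass: posixGroup
cn: mygroup1
gidNumber: 1001
memberUid: myusr1
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per record.
    Unfolds continuation lines and skips comments; base64 ("::") values
    are kept verbatim, which is enough for the attributes checked here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line (RFC 2849)
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                  # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries


def lowest_free_uidnumber(entries, lo=UIDNUMBER_MIN, hi=UIDNUMBER_MAX):
    """Lowest uidNumber in [lo, hi) not held by a posixAccount, else None.
    Same idea as Martin's C routine, without the per-uid stack array."""
    used = {int(v) for e in entries if "posixAccount" in e.get("objectClass", [])
            for v in e.get("uidNumber", []) if v.isdigit()}
    return next((n for n in range(lo, hi) if n not in used), None)


def check_consistency(entries):
    """Findings that would break NIS/ypldap-style logins or weaken password
    storage; an empty list means the directory is clean."""
    findings = []
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    gids = {g["gidNumber"][0] for g in groups if "gidNumber" in g}
    owner_of = {}                              # uidNumber -> uid that holds it
    for u in users:
        name = u.get("uid", ["?"])[0]
        num = u.get("uidNumber", ["?"])[0]
        if num in owner_of:
            findings.append(f"uidNumber {num} shared by {owner_of[num]} and {name}")
        owner_of[num] = name
        gid = u.get("gidNumber", ["?"])[0]
        if gid not in gids:                    # getpwnam works, getgrgid does not
            findings.append(f"{name}: primary gidNumber {gid} has no posixGroup")
        for pw in u.get("userPassword", []):
            if pw.startswith("{CRYPT}$1$"):
                findings.append(f"{name}: userPassword is md5crypt ($1$), a legacy scheme")
            elif not pw.startswith("{"):
                findings.append(f"{name}: userPassword has no hash scheme prefix")
    names = {u.get("uid", ["?"])[0] for u in users}
    for g in groups:
        for m in g.get("memberUid", []):
            if m not in names:
                findings.append(f"group {g.get('cn', ['?'])[0]}: memberUid {m} has no posixAccount")
    return findings


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print("next free uidNumber:", lowest_free_uidnumber(recs))
    for finding in check_consistency(recs):
        print("FINDING:", finding)
```

On the sample above it reports that myusr1's primary gidNumber 100 has no matching posixGroup (the only group carries gidNumber 1001) and that the password is md5crypt.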



Re: Testing OpenLDAP 2.4.23p1 on OpenBSD 4.9

2011-05-13 Thread Stuart Henderson
you're confused between OpenLDAP and ldapd -

ldapd is the OpenBSD LDAP daemon, part of the base OS.

the OpenLDAP daemon is called slapd, installed with the openldap-server package.


On 2011-05-13, Tito Mari Francis Escaño  wrote:
> Good day!
> I was able to install OpenLDAP 2.4.23p1 on OpenBSD 4.9, sure enough it will
> run as daemon when I edited /etc/rc.conf as below:
> ldapd_flags=""
>
> I run slaptest -u and get the complaint:
> unable to open file "/var/run/openldap/slapd.pid"
>
> I find that /var/run/openldap is not created, when I execute:
> mkdir /var/run/openldap
>
> if we execute slaptest -u again, it will say test OK, but if I reboot the
> box, the path /var/run/openldap will be erased again. Can you please advise
> me how this can be resolved? Thank you very much.



Re: Testing OpenLDAP 2.4.23p1 on OpenBSD 4.9

2011-05-13 Thread Zak Elep
On Fri, May 13, 2011 at 4:02 PM, Tito Mari Francis Escaño wrote:
> Good day!
> I was able to install OpenLDAP 2.4.23p1 on OpenBSD 4.9, sure enough it will
> run as daemon when I edited /etc/rc.conf as below:
> ldapd_flags=""
>
> I run slaptest -u and get the complaint:
> unable to open file "/var/run/openldap/slapd.pid"
>
> I find that /var/run/openldap is not created, when I execute:
> mkdir /var/run/openldap
>
> if we execute slaptest -u again, it will say test OK, but if I reboot the
> box, the path /var/run/openldap will be erased again. Can you please advise
> me how this can be resolved? Thank you very much.

Doesn't this package use new rc.subr(8) framework?  I reckon there
should be an /etc/rc.d/slapd.rc ...

--
Zak B. Elep || orangeandbronze.com
1486 7957 454D E529 E4F1  F75E 5787 B1FD FA53 851D



Testing OpenLDAP 2.4.23p1 on OpenBSD 4.9

2011-05-13 Thread Tito Mari Francis Escaño
Good day!
I was able to install OpenLDAP 2.4.23p1 on OpenBSD 4.9, sure enough it will
run as daemon when I edited /etc/rc.conf as below:
ldapd_flags=""

I run slaptest -u and get the complaint:
unable to open file "/var/run/openldap/slapd.pid"

I find that /var/run/openldap is not created, when I execute:
mkdir /var/run/openldap

if we execute slaptest -u again, it will say test OK, but if I reboot the
box, the path /var/run/openldap will be erased again. Can you please advise
me how this can be resolved? Thank you very much.
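The directory vanishes because OpenBSD's /etc/rc empties /var/run at every boot, so anything slapd needs under it has to be recreated by the start script each time; that is what the rc_pre hook of rc.subr(8), which Zak's reply points at, is for. The script below is an added example written for this thread, not the OpenLDAP port's own /etc/rc.d/slapd and not taken from any message here. The /var/run/openldap path and the _openldap user and group are assumptions; the helper is parametrised so it can be run against any directory, and it deliberately refuses to start if the directory already exists with the wrong owner or is group- or world-writable, since a pid file that other accounts can replace can be used to point anything that trusts it (a `kill $(cat pidfile)` in an admin script, say) at an arbitrary process.

```shell
#!/bin/sh
# Added example (not the OpenLDAP port's own rc.d script): recreate the
# slapd runtime directory on every start.  OpenBSD's /etc/rc wipes /var/run
# at boot, so a hand-made /var/run/openldap never survives a reboot.
# The path and the _openldap user/group below are assumptions.

RUNDIR=${RUNDIR:-/var/run/openldap}
RUNUSER=${RUNUSER:-_openldap}
RUNGROUP=${RUNGROUP:-_openldap}

# prepare_rundir DIR USER GROUP
# Creates DIR as USER:GROUP with mode 0755 when it is missing, then checks
# that whatever is there now is owned by USER:GROUP and is neither group-
# nor world-writable.  Returns 0 if the directory is usable, 1 on a failed
# create, 2 on wrong ownership, 3 on unsafe permissions.
prepare_rundir() {
    dir=$1 user=$2 group=$3

    if [ ! -d "$dir" ]; then
        # install(1) creates the directory with owner and mode in one step,
        # so there is never a moment where a root-owned, wide-open directory
        # sits there waiting for a chmod/chown that may not follow.
        install -d -o "$user" -g "$group" -m 0755 "$dir" || return 1
    fi

    # Take the mode, owner and group columns from ls -ld; this reads the
    # same on OpenBSD and GNU ls, unlike stat(1), whose flags differ.
    set -- $(ls -ld "$dir")
    perm=$1 owner=$3 grp=$4

    # slapd writes its pid file in here.  Another account that owned the
    # directory or could write into it could plant a pid file of its own
    # choosing, so refuse to start rather than silently "fixing" it up.
    [ "$owner" = "$user" ] && [ "$grp" = "$group" ] || return 2
    case $perm in
        d????-??-?*) ;;      # group write (pos. 6) and other write (pos. 9) both clear
        *) return 3 ;;
    esac
    return 0
}

# The hook rc.subr(8) runs before starting the daemon.  A real /etc/rc.d/slapd
# would also set daemon="/usr/local/libexec/slapd", source /etc/rc.d/rc.subr
# and end with "rc_cmd $1"; those lines are left out so the helper above can
# be exercised on its own, outside an OpenBSD boot.
rc_pre() {
    prepare_rundir "$RUNDIR" "$RUNUSER" "$RUNGROUP"
}
```

With the three omitted lines restored and the file installed as /etc/rc.d/slapd, `/etc/rc.d/slapd start` (or `rcctl start slapd` on releases that have rcctl) recreates the directory before slapd is launched, and `slaptest -u` will find the pid file path usable after a reboot without any manual mkdir. Run as a non-root user the create step still works as long as USER and GROUP are your own, which is what makes the helper testable.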



Re: OpenLDAP

2011-01-10 Thread Remi Locherer

Hi Friedrich

It's in current: http://marc.info/?l=openbsd-ports&m=129440451210138&w=2

Regards,
Remi

On 01/11/2011 12:56 AM, Friedrich Locke wrote:


Hi folks,

Is there a plan for OpenBSD to support OpenLDAP with recent version(s) of BDB?

Thanks in advance,

Gustavo.




OpenLDAP

2011-01-10 Thread Friedrich Locke
Hi folks,

Is there a plan for OpenBSD to support OpenLDAP with recent version(s) of BDB?

Thanks in advance,

Gustavo.



openldap mysql openbsd

2010-12-13 Thread Friedrich Locke
Hi folks,

Has anyone using OpenBSD already deployed OpenLDAP with MySQL? What
is your experience running them on OpenBSD? What about performance
and stability?

Is it a better approach to deploy OpenLDAP with MySQL or with BDBv3?

Thanks a lot for your feedback.


Best regards,
Gustavo.



OpenBSD + (OpenLDAP, SASL, Samba)

2009-10-01 Thread Mentesan

Hi,

I've configured SASL to authenticate against Active Directory (it's 
working, OK).
I've configured OpenLDAP to authenticate against SASL, using 
'pass-through authentication' (it's working too).

I've managed to configure ypldap too; if I set the user password with
smbldap-passwd, the user can log in on the Samba system, it works, no problem.

But my objective is to authenticate the user against AD, just the 
password; there's no problem if I need to create each user on the LDAP 
system and use just the password on the AD side.


I thought it would be possible to configure Samba + LDAP to authenticate 
against AD, since LDAP in the 'pass-through' configuration is working, 
that is, LDAP is authenticating against Active Directory via SASL.


So when I set the "userPassword" attribute on LDAP to:
userPassword: {sasl}fa...@my.domain

I can authenticate via LDAP (ldapsearch) but not via Samba.

Is it possible to get it working like that? Is there another way to get 
this setup working?

Am I totally crazy and trying to do an impossible configuration?

My best regards,
Fabio Almeida


