Re: OpenLDAP logging and rsyslog

2016-05-11 Thread Quanah Gibson-Mount
--On Wednesday, May 11, 2016 9:20 PM + jeevan kc wrote:

Hello everyone,
We're migrating our LDAP servers to new RHEL 7. Previously we had RHEL
5.2 and Openldap logging was working just fine with the following config
using syslog.


Turn on syslog logging. By default RHEL7 now logs everything via binary 
logs to systemd.  We've hit this with recent Zimbra installs, you can see 
 for more detail.


--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
A division of Synacor, Inc



OpenLDAP logging and rsyslog

2016-05-11 Thread jeevan kc
Hello everyone,

We're migrating our LDAP servers to new RHEL 7. Previously we had RHEL 5.2 and Openldap logging was working just fine with the following config using syslog.

Set up OpenLDAP logging:

  - (as root user) mkdir /var/log/openldap
  - (as root user) chmod 755 /var/log/openldap
  - (as root user) touch /var/log/openldap/openldap.log
  - (as root user) vi /etc/syslog.conf
      - Add the line "Local6.*  /var/log/openldap/openldap.log"
  - (as root user) kill -HUP 
The new servers have rsyslog instead of syslog and I did the same procedure in the rsyslog.conf file, set olcLogLevel to "sync stats" the same as on the old server, and restarted rsyslog with "systemctl restart rsyslog.service". The openldap.log file is empty. I have tried local4 too, with the same result. My rsyslog.conf file looks like this. Can someone please help me with this? Any help is appreciated.

# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad immark   # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

daemon.*                                                /var/log/daemon.log
kern.*                                                  /var/log/kern.log
syslog.*                                                /var/log/syslog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

#OpenLDAP logging
local6.*                                                /var/log/openldap/openldap.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

## Nessus/CIS compliance items
## Send everything to Unix syslog host
## Following setting is per Chris Humphrey 6/19/2013
*.err;kern.notice;auth.notice;auth.crit;daemon.notice   @siem-unix.abc.com
## Send httpd logs to Apache syslog host - requires additional apache config
daemon.notice                                           @@SIEM-apache.abc.com
auth,user.*                                             /var/log/messages

# A template to for higher precision timestamps + severity logging
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

Jeevan
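Whether a slapd line reaches /var/log/openldap/openldap.log depends on two things: rsyslog has to receive the message at all (the journald point in the reply above), and the selector has to match the facility and priority slapd actually uses. The following is an added example, my own code and not from this thread, OpenLDAP or rsyslog. It models the legacy selector syntax used in the posted rsyslog.conf (facility.priority lists joined with ";", "none", "*", "=prio") and runs constructed slapd "stats" lines through the posted rules. It assumes what slapd(8) documents, that the syslog facility is LOCAL4 unless slapd is started with -l, and my reading of the Debug() macro, treated here as an assumption, that slapd's statements go out at LOG_DEBUG priority. The log lines are constructed, not captures.

```python
"""Route syslog lines through rsyslog-style selectors (added example).

Assumptions (not from the thread): slapd logs to LOCAL4 by default and at
LOG_DEBUG priority; the sample lines below are constructed, not real.
"""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
    "notice": 5, "info": 6, "debug": 7,
}


def decode_pri(line):
    """Split a raw '<PRI>rest' syslog line into (facility, severity, rest).
    PRI is facility * 8 + severity, so <167> is local4.debug."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("no <PRI> header: %r" % line[:20])
    end = line.index(">")
    pri = int(line[1:end])
    return pri // 8, pri % 8, line[end + 1:]


def compile_selector(selector):
    """Turn 'fac[,fac].pri;fac.pri;...' into {facility: set(severities)}.

    Sub-selectors are applied left to right: a plain priority adds that
    priority and every more severe one, '*' adds all, '=prio' adds exactly
    one, and 'none' clears the facility (the subset of rsyslog's legacy
    selector syntax that the posted file uses)."""
    masks = {code: set() for code in FACILITIES.values()}
    for part in selector.split(";"):
        facs, _, level = part.rpartition(".")
        targets = (list(FACILITIES.values()) if facs == "*"
                   else [FACILITIES[f] for f in facs.split(",")])
        if level == "none":
            add = None
        elif level == "*":
            add = set(SEVERITIES.values())
        elif level.startswith("="):
            add = {SEVERITIES[level[1:]]}
        else:
            add = {s for s in SEVERITIES.values() if s <= SEVERITIES[level]}
        for code in targets:
            if add is None:
                masks[code].clear()
            else:
                masks[code] |= add
    return masks


def selector_matches(selector, facility, severity):
    return severity in compile_selector(selector).get(facility, set())


# Selector/action pairs exactly as in the posted rsyslog.conf RULES section.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("daemon.*", "/var/log/daemon.log"),
    ("kern.*", "/var/log/kern.log"),
    ("syslog.*", "/var/log/syslog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("local6.*", "/var/log/openldap/openldap.log"),
    ("*.err;kern.notice;auth.notice;auth.crit;daemon.notice", "@siem-unix.abc.com"),
    ("daemon.notice", "@@SIEM-apache.abc.com"),
    ("auth,user.*", "/var/log/messages"),
]


def route(line, rules=RULES):
    """Return every action (file or remote host) a raw syslog line reaches."""
    fac, sev, _ = decode_pri(line)
    return [action for sel, action in rules if selector_matches(sel, fac, sev)]


def pri(facility, severity):
    return "<%d>" % (FACILITIES[facility] * 8 + SEVERITIES[severity])


# Constructed slapd stats lines at slapd's assumed default local4.debug.
SAMPLES = [
    pri("local4", "debug") + "May 11 21:20:01 ldap1 slapd[1234]: conn=1000 fd=12 "
    "ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:636)",
    pri("local4", "debug") + "May 11 21:20:01 ldap1 slapd[1234]: conn=1000 op=0 BIND "
    'dn="uid=realtest,ou=People,dc=example,dc=com" method=128',
    pri("local4", "debug") + "May 11 21:20:01 ldap1 slapd[1234]: conn=1000 op=0 RESULT "
    "tag=97 err=49 text=",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(route(line) or "(dropped: no rule matches local4.debug)", "<-", line[:70])
    fixed = RULES + [("local4.*", "/var/log/openldap/openldap.log")]
    print("with local4.* added:", route(SAMPLES[1], fixed))
```

Running it shows the posted rules drop a local4.debug line entirely: "local6.*" is the wrong facility and the "*.info" catch-all is too high a priority, so nothing lands in /var/log/messages either. Either start slapd with -l local6 (SLAPD_OPTIONS in /etc/sysconfig/slapd on RHEL 7) or change the selector to local4.*. A "logger -p local4.info" test is misleading here, because it matches "*.info" and shows up in /var/log/messages where slapd's debug-priority lines never do. Two further checks before blaming the selector: "journalctl -u slapd" shows whether slapd's output reaches the journal at all, and a config carried over from RHEL 5 should be compared against the RHEL 7 stock rsyslog.conf (which reads local messages through imjournal with $OmitLocalLogging on) rather than reused as-is. Note also that journald rate-limits chatty units (RateLimitInterval and RateLimitBurst in journald.conf) and records the loss as "Suppressed N messages", as in the next thread; at "sync stats" log levels that silently drops audit-relevant BIND and RESULT lines.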


  

Re: ldap user login attempt kills slapd service

2016-05-11 Thread Matus Honek
Hello,

as OpenLDAP distributed with RHEL uses NSS for crypto (which is
deprecated by OpenLDAP upstream community) please contact Red Hat
customer support with the issue. There, please supply full debug-level
logs from all servers and client. I have noticed the suppressed log lines
from journal in logs you have supplied below, which is not sufficient.
Thank you for your understanding.

"Real, Elizabeth (392K)"  writes:

> Openldap gurus:
>
> Here is my setup,
>
> LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40. 
> Both servers are configured with multi-master replication. Ldaps is enabled 
> and a ppolicy applied.
>
> LDAPCLIENT: My ldap client is running RHEL7.2 as well, sssd 1.13.0, and 
> openldap client 2.4.40.
>
> I have been troubleshooting this problem for a while and can't figure out why 
> every time I try to log in to an ldap client with a test user account the slapd 
> service on only one of my ldap servers gets killed.
>
> Both getent and ldapsearch return the expected information when run on the 
> ldap client:
> ldapclient ~]# getent passwd realtest
> realtest:*:1004:312:Liz RealTest:/home/real:/bin/tcsh
>
> ldapclient ~]# ldapsearch -x -s sub -b 'ou=People,dc=cluster,dc=sec312' 
> '(uid=realtest)'
> # extended LDIF
> #
> # LDAPv3
> # base  with scope subtree
> # filter: (uid=realtest)
> # requesting: ALL
> #
>
> # realtest, People, cluster.sec312
> dn: uid=realtest,ou=People,dc=cluster,dc=sec312
> gidNumber: 312
> objectClass: account
> objectClass: top
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: realtest
> loginShell: /bin/tcsh
> homeDirectory: /home/real
> cn: Liz RealTest
> uidNumber: 1004
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> LDAP SERVER /VAR/LOG/SECURE:
> serverA journal: Suppressed 19192 messages from /system.slice/slapd.service
> serverA journal: Suppressed 8449 messages from /system.slice/slapd.service
> serverA systemd: slapd.service: main process exited, code=killed, 
> status=6/ABRT
> serverA systemd: Unit slapd.service entered failed state.
> serverA systemd: slapd.service failed.
>
> LDAP CLIENT  /VAR/LOG/SECURE:
> ldapclient sshd[122938]: pam_sss(sshd:auth): authentication failure; logname= 
> uid=0 euid=0 tty=ssh ruser= rhost=node12.cluster.sec312 user=realtest
> ldapclient sshd[122938]: pam_sss(sshd:auth): received for user realtest: 7 
> (Authentication failure)
> ldapclient sshd[122938]: pam_ldap(sshd:auth): Authentication failure; 
> user=realtest
> ldapclient sshd[122936]: error: PAM: Authentication failure for realtest from 
> node12.cluster.sec312
>
> ATTEMPT TO SSH AS TEST USER TO LDAP CLIENT:
> % ssh -v realtest@ldapclient
> OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 60: Applying options for *
> debug1: Connecting to ldapclient [] port 22.
> debug1: Connection established.
> debug1: could not open key file '/etc/ssh/ssh_host_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission 
> denied
> debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission 
> denied
> debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission 
> denied
> debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
> debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission 
> denied
> debug1: identity file /home/real/.ssh/id_rsa type -1
> debug1: identity file /home/real/.ssh/id_rsa-cert type -1
> debug1: identity file /home/real/.ssh/id_dsa type -1
> debug1: identity file /home/real/.ssh/id_dsa-cert type -1
> debug1: identity file /home/real/.ssh/id_ecdsa type -1
> debug1: identity file /home/real/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/real/.ssh/id_ed25519 type -1
> debug1: identity file /home/real/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.6.1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
> debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x0400
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com none
> debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com none
> debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
> debug1: kex: curve25519-sha...@libssh.org need=16 dh_need=16
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ECDSA 14:c5:c2:60:29:ce:99:aa:67:41:a6:6a:11:2c:ca:86
> debug1: Host 'ldapclient' is known and matches the ECDSA host 

Re: ldap user login attempt kills slapd service

2016-05-11 Thread Real, Elizabeth (392K)
I reported the bug to red hat.

What is the openldap technical URL where all of the submitted requests are 
listed on?

Thank you,
Liz


From: Matus Honek <mho...@redhat.com>
Date: Wednesday, May 11, 2016 at 4:13 AM
To: Elizabeth Real Chavez <elizabeth.r...@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: ldap user login attempt kills slapd service

Hello,

as OpenLDAP distributed with RHEL uses NSS for crypto (which is
deprecated by OpenLDAP upstream community) please contact Red Hat
customer support with the issue. There, please supply full debug-level
logs from all servers and client. I have noticed the suppressed log lines
from journal in logs you have supplied below, which is not sufficient.
Thank you for your understanding.

"Real, Elizabeth (392K)" <elizabeth.r...@jpl.nasa.gov> writes:

Openldap gurus:

Here is my setup,

LDAPSERVERS: I have two ldap servers running RHEL7.2 and openldap 2.4.40. Both 
servers are configured with multi-master replication. Ldaps is enabled and a 
ppolicy applied.

LDAPCLIENT: My ldap client is running RHEL7.2 as well, sssd 1.13.0, and 
openldap client 2.4.40.

I have been troubleshooting this problem for a while and can't figure out why 
every time I try to log in to an ldap client with a test user account the slapd 
service on only one of my ldap servers gets killed.

Both getent and ldapsearch return the expected information when run on the ldap 
client:
ldapclient ~]# getent passwd realtest
realtest:*:1004:312:Liz RealTest:/home/real:/bin/tcsh

ldapclient ~]# ldapsearch -x -s sub -b 'ou=People,dc=cluster,dc=sec312' 
'(uid=realtest)'
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (uid=realtest)
# requesting: ALL
#

# realtest, People, cluster.sec312
dn: uid=realtest,ou=People,dc=cluster,dc=sec312
gidNumber: 312
objectClass: account
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: realtest
loginShell: /bin/tcsh
homeDirectory: /home/real
cn: Liz RealTest
uidNumber: 1004

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

LDAP SERVER /VAR/LOG/SECURE:
serverA journal: Suppressed 19192 messages from /system.slice/slapd.service
serverA journal: Suppressed 8449 messages from /system.slice/slapd.service
serverA systemd: slapd.service: main process exited, code=killed, status=6/ABRT
serverA systemd: Unit slapd.service entered failed state.
serverA systemd: slapd.service failed.

LDAP CLIENT  /VAR/LOG/SECURE:
ldapclient sshd[122938]: pam_sss(sshd:auth): authentication failure; logname= 
uid=0 euid=0 tty=ssh ruser= rhost=node12.cluster.sec312 user=realtest
ldapclient sshd[122938]: pam_sss(sshd:auth): received for user realtest: 7 
(Authentication failure)
ldapclient sshd[122938]: pam_ldap(sshd:auth): Authentication failure; 
user=realtest
ldapclient sshd[122936]: error: PAM: Authentication failure for realtest from 
node12.cluster.sec312

ATTEMPT TO SSH AS TEST USER TO LDAP CLIENT:
% ssh -v realtest@ldapclient
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 60: Applying options for *
debug1: Connecting to ldapclient [] port 22.
debug1: Connection established.
debug1: could not open key file '/etc/ssh/ssh_host_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission 
denied
debug1: could not open key file '/etc/ssh/ssh_host_dsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': Permission denied
debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': Permission 
denied
debug1: identity file /home/real/.ssh/id_rsa type -1
debug1: identity file /home/real/.ssh/id_rsa-cert type -1
debug1: identity file /home/real/.ssh/id_dsa type -1
debug1: identity file /home/real/.ssh/id_dsa-cert type -1
debug1: identity file /home/real/.ssh/id_ecdsa type -1
debug1: identity file /home/real/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/real/.ssh/id_ed25519 type -1
debug1: identity file /home/real/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x0400
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr 
hmac-md5-...@openssh.com none
debug1: kex: client->server aes128-ctr 
hmac-md5-...@openssh.com

Re: Cannot re-enable synchronization

2016-05-11 Thread Olivier Nicole
Hi,

On Monday I had a major issue, my root CA (for all my encryption)
expired, so my LDAP server number 1 became inaccessible.

I have a server number 2, running from another root certificate, that
did not expire and that was properly replicating from the server
number 1, using:

syncrepl rid=0
  provider=ldaps://ldap server 1/
  type=refreshAndPersist
  bindmethod=simple
  binddn=cn=Manager,dc=xxx
  credentials="XXX"
  searchbase=dc=xxx
  tls_reqcert=try
  starttls=yes
  retry="60 10 300 +"

But since I updated the root certificate on server 1, I cannot get the
replication.

I can still ldapsearch from server 2 to server 1.

In the log of server 1 I see a proper connection, but I don't know how
to further debug the replication.

Best regards,

Olivier
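One way to "further debug the replication" once the bind itself works again is to compare the contextCSN of the suffix on the provider and on the consumer, per serverID. The script below is an added example, my own code and not from this thread or OpenLDAP; the CSN values in it are constructed, and the ldapsearch commands in the comments show where real ones come from (contextCSN is an operational attribute on the suffix entry, so it must be requested by name). It does not cover the TLS handshake, which is a separate check.

```python
"""Compare syncrepl provider and consumer contextCSN values (added example).

OpenLDAP 2.4 CSN layout: YYYYmmddHHMMSS.ffffffZ#count#sid#mod, with count,
sid and mod in hex. contextCSN is multi-valued: one value per serverID that
has ever written, so compare per SID rather than as one string.

Fetch real values with (dc=xxx is the page's own placeholder suffix):
  ldapsearch -x -H ldaps://provider/ -b dc=xxx -s base contextCSN
  ldapsearch -x -H ldaps://consumer/ -b dc=xxx -s base contextCSN
The values below are constructed, not real output.
"""
import re
from datetime import datetime, timezone

CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")


def parse_csn(csn):
    """Return {'time', 'count', 'sid', 'mod'} for one contextCSN value."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError("not a contextCSN: %r" % csn)
    ts, us, count, sid, mod = m.groups()
    when = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(
        microsecond=int(us), tzinfo=timezone.utc)
    return {"time": when, "count": int(count, 16), "sid": int(sid, 16), "mod": int(mod, 16)}


def csn_key(parsed):
    """Ordering used for 'newer': timestamp, then count, then mod."""
    return (parsed["time"], parsed["count"], parsed["mod"])


def by_sid(csns):
    out = {}
    for value in csns:
        parsed = parse_csn(value)
        out[parsed["sid"]] = parsed
    return out


def lag_seconds(provider_csn, consumer_csn):
    """How much older the consumer's last applied change is than the provider's."""
    return (parse_csn(provider_csn)["time"] - parse_csn(consumer_csn)["time"]).total_seconds()


def compare(provider_csns, consumer_csns):
    """Per-SID status of the consumer relative to the provider."""
    prov, cons = by_sid(provider_csns), by_sid(consumer_csns)
    report = {}
    for sid, p in prov.items():
        c = cons.get(sid)
        if c is None:
            report[sid] = "missing on consumer"
        elif csn_key(c) < csn_key(p):
            lag = (p["time"] - c["time"]).total_seconds()
            report[sid] = "consumer behind (last applied change is %.0fs older)" % lag
        elif csn_key(c) > csn_key(p):
            report[sid] = "consumer ahead (local writes on the consumer?)"
        else:
            report[sid] = "in sync"
    for sid in cons:
        if sid not in prov:
            report[sid] = "sid unknown to provider"
    return report


# Constructed values: the consumer stopped applying changes on Monday morning.
PROVIDER = ["20160511120000.123456Z#000000#001#000000"]
CONSUMER = ["20160509083000.000000Z#000000#001#000000"]

if __name__ == "__main__":
    for sid, status in sorted(compare(PROVIDER, CONSUMER).items()):
        print("sid %03x: %s" % (sid, status))
```

A consumer that stays "behind" while the provider's log shows the consumer's bind succeeding usually means the persist phase never started, and the next place to look is the consumer's own log at the sync log level on the consumer side. "Consumer ahead" for a SID the consumer should only be receiving is worth investigating too: it means something wrote to the replica directly.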