Re: kerberos-cache location

2024-04-01 Thread Ulf Volmer

On 01.04.24 at 17:02, Stefan Kania wrote:

As soon as I change to KCM: it's not working anymore :-. That's why I 
was thinking that there is maybe some settings for the openldap-client 
commands


I'm not aware of such a configuration setting.

The only idea is a wrong setting of $KRB5CCNAME, but I guess you should know 
if you have set this.


Best regards
Ulf




Re: kerberos-cache location

2024-04-01 Thread Ulf Volmer



On 01.04.24 at 15:09, Stefan Kania wrote:
I normally use Debian for OpenLDAP and Kerberos, but now I have to 
use AlmaLinux 9. When I create a ticket with kinit I'm getting:

-
u1-prod@ldapserver1 ~]$ kinit
Password for u1-p...@example.net:
[u1-prod@ldapserver1 ~]$ klist
Ticket cache: KCM:10001
Default principal: u1-p...@example.net
-

So the ticket cache is the KCM daemon and not FILE: like in Debian. 
When I do an ldapsearch or an ldapwhoami I'm getting

---
[u1-prod@ldapserver1 ~]$ ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: 
Miscellaneous failure (see text) (get-principal lstat(/tmp/krb5cc_10001))

---

All the ldap-commands are looking for the credential cache in FILE: 
and not in KCM:


I'm using OpenLDAP 2.6 from the repositories.

Is there a way that the ldap-commands are using KCM:?



Weird. For me, the ldap tools work without any issue on Alma 9 with KCM.

Per default, without any manual configuration. So I don't know how I can 
reproduce your issue.



But anyway: If you want back the old behavior with a file based ticket 
cache:



/etc/krb5.conf.d/kcm_default_ccache is your friend.


Best regards

Ulf
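To make the cache selection in this thread concrete, here is a small added example (not code from the list, from MIT Kerberos or from AlmaLinux) that resolves the default credential cache the way libkrb5 does, following includedir snippets such as /etc/krb5.conf.d/kcm_default_ccache. Assumptions: $KRB5CCNAME wins, then the first default_ccache_name found in [libdefaults] in parse order, then the compiled-in FILE:/tmp/krb5cc_%{uid} (which is exactly the /tmp/krb5cc_10001 the lstat() in the error above refers to); includedir only picks up file names made of alphanumerics, '-' and '_' (optionally ending in .conf), so an *.rpmsave backup is ignored. The krb5.conf layout in demo() is constructed in a temp directory.

```python
"""Resolve the default Kerberos credential cache the way libkrb5 does.

Added example for this thread; not code from the list or from MIT Kerberos.
Assumptions (stated in the lead-in): $KRB5CCNAME, then the first
default_ccache_name in [libdefaults] in parse order, then the built-in default.
"""
import os
import re
import tempfile
from pathlib import Path

# includedir rule: only names made of alphanumerics, '-' and '_' (optionally
# ending in ".conf") are read; backups such as *.rpmsave are skipped.
_INCLUDEDIR_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.conf)?$")

# Compiled-in default when neither the environment nor the profile sets one;
# this is where the lstat(/tmp/krb5cc_10001) in the error above comes from.
BUILTIN_DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"


def read_profile(path, relations=None, depth=0):
    """Collect (section, key, value) triples from a krb5.conf in parse order.

    include/includedir directives are followed where they appear, so values
    from /etc/krb5.conf.d/* land at the position of the directive.
    """
    relations = [] if relations is None else relations
    if depth > 8:  # guard against include loops
        return relations
    section = None
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("includedir "):
            directory = Path(line.split(None, 1)[1].strip())
            if directory.is_dir():
                for child in sorted(directory.iterdir()):
                    if child.is_file() and _INCLUDEDIR_NAME.match(child.name):
                        read_profile(child, relations, depth + 1)
            continue
        if line.startswith("include "):
            included = Path(line.split(None, 1)[1].strip())
            if included.is_file():
                read_profile(included, relations, depth + 1)
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if value and not value.startswith("{"):  # skip subsection openers
                relations.append((section, key.strip(), value))
    return relations


def default_ccache(conf_path, uid, environ=None):
    """Return the ccache name libkrb5 would use for `uid` (e.g. 'KCM:')."""
    environ = os.environ if environ is None else environ
    name = environ.get("KRB5CCNAME")
    if not name and Path(conf_path).is_file():
        for section, key, value in read_profile(conf_path):
            if section == "libdefaults" and key == "default_ccache_name":
                name = value
                break
    if not name:
        name = BUILTIN_DEFAULT_CCACHE
    return name.replace("%{uid}", str(uid))


def demo():
    """Constructed RHEL/Alma-style layout in a temp dir; returns three results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        confd = root / "krb5.conf.d"
        confd.mkdir()
        (root / "krb5.conf").write_text(
            f"includedir {confd}\n\n[libdefaults]\n    dns_lookup_realm = false\n")
        # Constructed stand-in for the kcm_default_ccache snippet named above.
        (confd / "kcm_default_ccache").write_text(
            "[libdefaults]\n    default_ccache_name = KCM:\n")
        # A backup copy must be ignored by the includedir naming rule.
        (confd / "kcm_default_ccache.rpmsave").write_text(
            "[libdefaults]\n    default_ccache_name = FILE:/nowhere\n")
        with_kcm = default_ccache(root / "krb5.conf", 10001, environ={})
        # Removing (or renaming) the snippet falls back to the FILE: default.
        (confd / "kcm_default_ccache").unlink()
        without = default_ccache(root / "krb5.conf", 10001, environ={})
        # $KRB5CCNAME overrides whatever the profile says.
        forced = default_ccache(root / "krb5.conf", 10001,
                                environ={"KRB5CCNAME": "FILE:/tmp/krb5cc_10001"})
    return with_kcm, without, forced


if __name__ == "__main__":
    print(demo())
```

Running it prints ('KCM:', 'FILE:/tmp/krb5cc_10001', 'FILE:/tmp/krb5cc_10001'): the snippet selects KCM, removing it restores the file cache, and an explicit $KRB5CCNAME beats both, which is the one setting Ulf suggests checking.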








Re: memberOf with groupOfNames

2024-03-01 Thread Ulf Volmer

On 01.03.24 at 10:47, Stefan Kania wrote:

Hi Ulf,


On 29.02.24 at 18:20, Ulf Volmer wrote:

olcDynListAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames
olcDynListAttrSet: groupOfURLs memberURL 
uniqueMember+memberOf@groupOfUniqueNames


But these two entries are still for groupOfURLs and not groupOfNames or 
groupOfUniqueNames. Or am I wrong?



Honestly, I don't get your point.

What I can say is that with the config from above I got memberOf attributes 
containing groupOfNames and groupOfUniqueNames.



I assume that is what you want to achieve, but I may be wrong.


Best regards

Ulf




Re: memberOf with groupOfNames

2024-02-29 Thread Ulf Volmer

On 29.02.24 at 12:00, Stefan Kania wrote:

up to now I only used:

olcDlAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames

to dynamically add the Attribute memberOf to all members of a 
groupOfURLs. Is it possible to do the same with members for 
groupOfNames and groupOfUniqueNames?

If yes, can someone please post the syntax?



You can set it twice:


dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcDynListConfig
objectClass: olcOverlayConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames
olcDynListAttrSet: groupOfURLs memberURL 
uniqueMember+memberOf@groupOfUniqueNames


Best regards

Ulf
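Since the follow-up in this thread is about which of the two olcDynListAttrSet lines covers which group class, here is an added Python example (not OpenLDAP code, not from the list) that parses attrset values with the grammar from slapo-dynlist(5) and applies only the "+memberOf@static-oc" part to a constructed set of entries: memberURL evaluation for the dynamic groups themselves is deliberately left out. The entries, DNs and the helper names are constructed for the example.

```python
"""Simulate the memberOf back-links slapo-dynlist derives from static groups.

Added example for this thread, not code from OpenLDAP. Only the
'+memberOf@static-oc' part of an attrset is simulated; memberURL evaluation
for the dynamic groups is left out.
"""
import re
from collections import defaultdict

# One member spec inside an attrset value (slapo-dynlist(5)):
#   [<mapped-ad>:]<member-ad>[+<memberOf-ad>[@<static-oc>[*]]]
_MEMBER_SPEC = re.compile(
    r"^(?:(?P<mapped>[\w-]+):)?(?P<member>[\w-]+)"
    r"(?:\+(?P<memberof>[\w-]+)(?:@(?P<static_oc>[\w-]+)(?P<nested>\*?))?)?$")


def parse_attrset(value):
    """Parse '<group-oc> [<URI>] <URL-ad> [<member-spec> ...]' into a dict."""
    tokens = value.split()
    if len(tokens) < 2:
        raise ValueError(f"attrset needs at least group-oc and URL-ad: {value!r}")
    group_oc, rest = tokens[0], tokens[1:]
    uri = None
    if rest[0].lower().startswith("ldap"):  # optional URI limiting the overlay
        uri, rest = rest[0], rest[1:]
    if not rest:
        raise ValueError(f"missing URL-ad in {value!r}")
    url_ad, specs = rest[0], rest[1:]
    members = []
    for spec in specs:
        m = _MEMBER_SPEC.match(spec)
        if not m:
            raise ValueError(f"bad member spec {spec!r}")
        d = m.groupdict()
        d["nested"] = bool(d["nested"])
        members.append(d)
    return {"group_oc": group_oc, "uri": uri, "url_ad": url_ad, "members": members}


def _get(attrs, name):
    """Case-insensitive attribute lookup on a constructed entry."""
    for key, values in attrs.items():
        if key.lower() == name.lower():
            return values
    return []


def static_memberof(entries, attrsets):
    """Return {member dn: {memberOf-ad: [group dns]}} as dynlist would present it."""
    result = defaultdict(lambda: defaultdict(set))
    canonical = {dn.lower(): dn for dn in entries}
    for cfg in (parse_attrset(a) for a in attrsets):
        for spec in cfg["members"]:
            if not (spec["memberof"] and spec["static_oc"]):
                continue  # no back-link requested for static groups
            for group_dn, attrs in entries.items():
                ocs = {v.lower() for v in _get(attrs, "objectClass")}
                if spec["static_oc"].lower() not in ocs:
                    continue
                for member_dn in _get(attrs, spec["member"]):
                    target = canonical.get(member_dn.lower())
                    if target is not None:
                        result[target][spec["memberof"]].add(group_dn)
    return {dn: {ad: sorted(g) for ad, g in ads.items()} for dn, ads in result.items()}


# Constructed directory: one groupOfNames, one groupOfUniqueNames, two users.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com"]},
}

ONE_LINE = ["groupOfURLs memberURL member+memberOf@groupOfNames"]
BOTH_LINES = ONE_LINE + ["groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames"]


if __name__ == "__main__":
    print(static_memberof(ENTRIES, ONE_LINE))   # only alice gets memberOf
    print(static_memberof(ENTRIES, BOTH_LINES))  # alice and bob
```

With only the first line, bob (a uniqueMember of a groupOfUniqueNames) gets no memberOf at all; the second line, with uniqueMember as the member attribute and groupOfUniqueNames as the static class, is what adds it. The first two tokens stay "groupOfURLs memberURL" in both lines because they describe the dynamic-group class the overlay serves, not the static groups the back-link is computed from.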




Re: ldapi issue

2024-02-12 Thread Ulf Volmer

On 12.02.24 at 18:09, Chili Mili wrote:

find / -type s
find: '/proc/9/map_files': Permission denied
/usr/var/run/ldapi

The Unix socket file located inside the container is at /usr/var/run/ldapi. I 
have tried to mount it to the host system but encountered the same result.



Again, use it from inside of the container. You can put the socket after 
the -H ldapi://.


If I remember correctly, you have to replace the slashes with %2F.

So you will need something like -H ldapi://%2Fusr%2Fvar%2Frun%2Fldapi


Best regards

Ulf
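The %2F detail is easy to get wrong, so here is an added example (not OpenLDAP code and not from the thread) that builds an ldapi URI from a socket path and parses one back, including the failure mode where an unencoded path is silently read as the default socket plus a bogus DN part. The compiled-in path behind a bare ldapi:/// depends on the build, so the parser returns None for it rather than guessing.

```python
"""Build and parse ldapi:// URIs with a non-default socket path.

Added example for this thread, not OpenLDAP code. The default socket path
behind a bare 'ldapi:///' is build-dependent and is reported as None.
"""
from urllib.parse import quote, unquote


def ldapi_uri(socket_path=None):
    """Return 'ldapi:///' for the default socket, else the %2F-encoded form."""
    if socket_path is None:
        return "ldapi:///"
    if not socket_path.startswith("/"):
        raise ValueError("socket path must be absolute")
    # safe="" makes quote() encode '/' as %2F, which is what libldap expects
    # in the host position of an ldapi URI.
    return "ldapi://" + quote(socket_path, safe="")


def ldapi_socket(uri):
    """Return (socket_path or None, remainder) for an ldapi URI.

    The host position ends at the first raw '/', so an unencoded path such as
    ldapi:///usr/var/run/ldapi is read as the default socket followed by a
    bogus DN part. That is why the slashes must be encoded.
    """
    if not uri.lower().startswith("ldapi://"):
        raise ValueError("not an ldapi URI")
    body = uri[len("ldapi://"):]
    host, _, remainder = body.partition("/")
    return (unquote(host) if host else None), remainder


if __name__ == "__main__":
    print(ldapi_uri("/usr/var/run/ldapi"))              # ldapi://%2Fusr%2Fvar%2Frun%2Fldapi
    print(ldapi_socket("ldapi://%2Fusr%2Fvar%2Frun%2Fldapi"))
    print(ldapi_socket("ldapi:///usr/var/run/ldapi"))   # (None, 'usr/var/run/ldapi')
```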




Re: ldapi issue

2024-02-12 Thread Ulf Volmer

On 12.02.24 at 17:01, Chili Mili wrote:

it seems that Unix sockets aren't being used. I've compared the results with the old 
server, and they are consistent. Additionally, I've checked using lsof -U -a -p 
 with the same outcome.

Please keep in mind that the ldap is running in the docker container



Yes, I am aware of that. So you should look for the socket inside of the 
container.



Best regards

Ulf




Re: ldapi issue

2024-02-12 Thread Ulf Volmer

On 12.02.24 at 16:19, Chili Mili wrote:


inside the container:
lsof -U |grep slapd
bash: lsof: command not found


That's quite sad. I assume you have no experience using Linux?

Best regards
Ulf



Re: ldapi issue

2024-02-12 Thread Ulf Volmer

On 12.02.24 at 13:18, Chili Mili wrote:

for example :

outside of the container :
docker exec -it 

lsof -U |grep slapd

would be interesting.

Best regards
Ulf


Re: ldapi issue

2024-02-11 Thread Ulf Volmer

On 09.02.24 at 16:45, chilimi...@outlook.de wrote:

> Could you please provide guidance on how to conduct searches within 
the container given this constraint?


docker exec  ldapsearch ...


Additional to this, I would like to activate pagination, but I have not been 
able to find any configuration for it. Is this something that needs to be done 
on the server or client side?


client side. For ldapsearch for example you may pass -E 'pr=50/prompt' /
-E 'pr=50/noprompt'

Best regards
Ulf



Re: Symas repos for Debian 12

2024-01-03 Thread Ulf Volmer

On 03.01.24 at 10:58, Uwe Sauter wrote:


Whenever there are issues with distribution provided packages you are promoting 
your own repositories at https://repo.symas.com .

I was wondering if there are any plans to provide an OpenLDAP 2.6 repo for 
Debian 12 Bookworm?

I understand that you save the effort for OpenLDAP 2.5 as it being the version 
Debian 12 supplies.


I can't answer for the symas team, but the symas bullseye packages are 
working fine with bookworm also:


ulf@ldap3:~$ cat /etc/debian_version
12.4
ulf@ldap3:~$ cat /etc/apt/sources.list.d/soldap-release26.list
deb https://repo.symas.com/repo/deb/main/release26 bullseye main
# deb-src https://repo.symas.com/repo/deb/main/release26 bullseye main
ulf@ldap3:~$

Best regards
Ulf



Re: SSL certificate install

2023-12-14 Thread Ulf Volmer

On 14.12.23 at 18:00, Jean-Luc Chandezon wrote:

Thank you Stefan for suggestion
Thank you Howard. It was exactly what I understood. When I start the daemon 
with command line:

slapd -h 'ldap://127.0.0.1:389 ldaps://192.168.190.58:636' -g openldap -u 
openldap -F /etc/ldap/slapd.d/ -d -1

I can see:
657ad073.144a7a3e 0x7f71df270200 TLS: opening 
`/etc/ssl/private/annuaire.lexp.fr.key' failed: Permission denied
657ad073.144b02fb 0x7f71df270200 TLS: could not use private key file 
`/etc/ssl/private/annuaire.lexp.fr.key`.

It is more detailed than rsyslog.
As Quanah suggests, this is due to a permission issue.

I can see these rights:
-rw--- 1 openldap openldap 1704 Nov 29 17:37 
/etc/ssl/private/annuaire.atol.fr.key



On debian, /etc/ssl/private is only readable by root and members of 
ssl-cert.


You can either add your openldap user to this group or move your 
certificate to /etc/ldap.



Best regards

Ulf


Re: We cannot connect to TLS/SSL ldaps using openldap's built-in tools

2023-10-13 Thread Ulf Volmer

On 13.10.23 06:40, 228844...@qq.com wrote:


Configure the ldap.conf certificate on the client as follows:

TLS_CACERT  /usr/local/openldap-2.6.6/cert/demoCA/newcerts/


That's wrong from my knowledge.

With TLS_CACERT you have to specify a filename.
If you just want to pass a directory, please use TLS_CACERTDIR.
Please consult the ldap.conf man page before.

Best regards
Ulf
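As an added example for this reply (not OpenLDAP code and not from the list), here is a small checker that classifies the TLS_CACERT and TLS_CACERTDIR values in an ldap.conf: a directory given to TLS_CACERT is reported as the mistake above, a missing file or a file without a PEM CERTIFICATE block is reported, and a TLS_CACERTDIR without hash-named files (the `openssl rehash` layout OpenSSL looks up by subject hash) is flagged; the remark that TLS_CACERTDIR is ignored with GnuTLS restates ldap.conf(5). The demo builds a constructed layout in a temp directory, with a placeholder instead of a real certificate.

```python
"""Sanity-check TLS_CACERT / TLS_CACERTDIR in an ldap.conf.

Added example for this thread; not OpenLDAP code. The file-system checks
need real paths, so demo() constructs them in a temp directory.
"""
import os
import re
import tempfile

# OpenSSL finds CA files in a TLS_CACERTDIR by subject hash, i.e. names like
# 7b0d3b1a.0 as created by `openssl rehash` (or the older c_rehash).
_HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def _has_pem_certificate(path):
    try:
        with open(path, "rb") as fh:
            return b"-----BEGIN CERTIFICATE-----" in fh.read()
    except OSError:
        return False


def check_tls_ca_settings(ldap_conf_text):
    """Return a list of (directive, value, problem) tuples; empty means OK."""
    problems = []
    for raw in ldap_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].upper(), parts[1].strip()
        if key == "TLS_CACERT":
            if os.path.isdir(value):
                problems.append((key, value, "is a directory; TLS_CACERT takes a file "
                                             "(use TLS_CACERTDIR for a directory)"))
            elif not os.path.isfile(value):
                problems.append((key, value, "file does not exist"))
            elif not _has_pem_certificate(value):
                problems.append((key, value, "no PEM CERTIFICATE block found"))
        elif key == "TLS_CACERTDIR":
            if not os.path.isdir(value):
                problems.append((key, value, "not a directory"))
            elif not any(_HASHED_NAME.match(n) for n in os.listdir(value)):
                problems.append((key, value, "no hash-named files; run `openssl rehash` "
                                             "(note: TLS_CACERTDIR is ignored with GnuTLS)"))
    return problems


def demo():
    """Constructed ldap.conf variants against a temp CA layout."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_dir = os.path.join(tmp, "newcerts")
        os.mkdir(ca_dir)
        ca_file = os.path.join(tmp, "ca.pem")
        with open(ca_file, "w") as fh:  # constructed placeholder, not a real certificate
            fh.write("-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n"
                     "-----END CERTIFICATE-----\n")
        wrong = check_tls_ca_settings(f"TLS_CACERT {ca_dir}\n")      # the mistake above
        right = check_tls_ca_settings(f"TLS_CACERT {ca_file}\n")
        unhashed = check_tls_ca_settings(f"TLS_CACERTDIR {ca_dir}\n")
        with open(os.path.join(ca_dir, "7b0d3b1a.0"), "w") as fh:  # constructed hash name
            fh.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        hashed = check_tls_ca_settings(f"TLS_CACERTDIR {ca_dir}\n")
    return wrong, right, unhashed, hashed


if __name__ == "__main__":
    for name, result in zip(("wrong", "right", "unhashed", "hashed"), demo()):
        print(name, result)
```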



Re: export certificate and key

2023-10-05 Thread Ulf Volmer

On 05.10.23 18:39, Stefan Kania wrote:

On 05.10.23 at 07:02, Howard Chu wrote:



Read tests/scripts/test066-autoca for examples of how to do that.

Does anyone have an answer for a non-developer WITHOUT compiling the 
software? I'm not a developer and I use the packages to install OpenLDAP, 
and the tests only run on self-compiled versions. The answer to 
a question should NEVER be "read the source code" or "compile it 
yourself". The answer should be part of the documentation.


You can access this part online without compiling anything.

It is just a shellscript.

https://git.openldap.org/openldap/openldap/-/blob/master/tests/scripts/test066-autoca?ref_type=heads

Best regards
Ulf


Re: setup two DNs on one single Openldap server running on Red Hat Enterprise Linux release 8.8 (Ootpa)

2023-10-04 Thread Ulf Volmer

On 04.10.23 01:12, Quanah Gibson-Mount wrote:



--On Tuesday, October 3, 2023 10:24 PM +0200 Jérôme BECOT 
 wrote:




I guess it is a problem of terminology, I should have used baseDN I guess.


Sure... but the question was about two admin users both under the same 
base :)


That was, how I understand his first question, yes.
Second one sounds different, so I came to the same result as Jérôme did.

Best regards
Ulf


Re: setup two DNs on one single Openldap server running on Red Hat Enterprise Linux release 8.8 (Ootpa)

2023-10-02 Thread Ulf Volmer
On Mon, Oct 02, 2023 at 04:11:19PM +0530, Kaushal Shriyan wrote:
> Thanks Ulf for the quick response and detailed explanation. So do I need to
> have two openldap servers running on Red Hat Enterprise Linux release 8.8
> (Ootpa)
> 
> For example
> 
> 
> corporate.mydomain.com
> dn: cn=admin,dc=corporate,dc=mydomain,dc=com on openldap on port 389
> 
> checker.mydomain.com
> dn: cn=admin,dc=checker,dc=mydomain,dc=com on openldap on port 390

You can run multiple databases in different backends on the same
server and same slapd instance.

Best regards
Ulf


Re: setup two DNs on one single Openldap server running on Red Hat Enterprise Linux release 8.8 (Ootpa)

2023-10-02 Thread Ulf Volmer

On 02.10.23 09:56, Kaushal Shriyan wrote:


Is there a way to set up two DN's in OpenLDAP server?

dn: cn=admin,dc=corporate,dc=mydomain,dc=com
dn: cn=admin,dc=checker,dc=mydomain,dc=com


If you are still talking about rootdn: No that is not possible.
You can have only one rootdn per database.

But you can give any LDAP user the same privileges by setting the ACLs 
properly.


Please consult man slapd.access or the admin guide.

Best regards
Ulf


Re: Unable to ldapadd Kerberos schema in LDIF format

2023-09-26 Thread Ulf Volmer

On 26.09.23 16:23, Uwe Sauter wrote:

This worked but your sendmail.ldif doesn't contain 
'structuralObjectClass' like krb5-kdc.ldif does. krb5-kdc.ldif also 
contains lines with 'structuralObjectClass', 'entryUUID', 
'creatorsName', 'createTimestamp', 'modifiersName', 'modifyTimestamp' 
and 'entryCSN'.


If I compare the krb5-kdc.ldif from the symas debian package, there is 
no line with structuralObjectClass.


So it looks like the el9 package is different.

I would say, edit the file, go to the end and remove all lines from 
structuralObjectClass to the end of the file.


Best regards
Ulf



Re: reset openldap root and cn=admin password

2023-09-21 Thread Ulf Volmer

On 21.09.23 21:27, Kaushal Shriyan wrote:

Is there a way to reset both openldap root and cn=admin password?



It depends on whether you are using classic slapd.conf or the cn=config backend.


In the first case, just edit slapd.conf and look for rootdn and rootpw 
in the database section.


Please use slappasswd to generate the password hash (if you're not using 
argon2).



If you are using cn=config, you have to search for olcRootDN and 
olcRootPW in your database config, maybe


olcDatabase={1}mdb,cn=config. You have to create an ldif file and apply 
it using



ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif.


cat file.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: 


Best regards

Ulf
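To show what the slappasswd step produces and why the hash, not the cleartext, goes into the LDIF, here is an added Python example (not OpenLDAP code and not from the list). It generates the {SSHA} form slappasswd emits by default (base64 of SHA-1(password || salt) || salt), verifies a password against it in constant time, and renders the olcRootPW modify LDIF from the reply; the database DN parameter defaults to the olcDatabase={1}mdb,cn=config from above and the sample password is constructed. As the reply notes, argon2 is preferable where your build provides the module; {SSHA} is shown because that is what slappasswd produces without further options.

```python
"""Generate a slappasswd-compatible {SSHA} hash and the LDIF that installs it.

Added example for this thread, not OpenLDAP code. {SSHA} is the default
slappasswd scheme: base64( SHA-1(password || salt) || salt ).
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return '{SSHA}<base64(sha1(pw+salt)+salt)>', like `slappasswd -h '{SSHA}'`."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Constant-time check of `password` against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_ldif(hashed, database_dn="olcDatabase={1}mdb,cn=config"):
    """LDIF for `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif`.

    Pass the hash, not the cleartext: olcRootPW is stored exactly as given,
    and a cleartext value would then be matched as cleartext.
    """
    return (f"dn: {database_dn}\n"
            "changetype: modify\n"
            "replace: olcRootPW\n"
            f"olcRootPW: {hashed}\n")


if __name__ == "__main__":
    hashed = ssha_hash("correct horse battery")  # constructed sample password
    print(hashed)
    print(rootpw_ldif(hashed), end="")
```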



Re: openldap + bind-dyndb-ldap + bind

2023-09-21 Thread Ulf Volmer
On Thu, Sep 21, 2023 at 11:58:50AM +, Marc wrote:

> What a fuckups there at redhat/fedora. This plugin served me always well. Now 
> these morons require ldap write access which I manage to bypass with[1]. Then 
> I guess it downloads everything from ldap and I have more memory/swap usage 
> and named is being slow because of the disk access.

Is there a moderator on this list?

Or should I filter this polite guy on my own?

Best regards
Ulf


Re: newer TLS clients (> 3.0?) can't connect to OpenLDAP's TLS with SSSD

2023-01-09 Thread Ulf Volmer

On 09.01.23 22:10, Jarett DeAngelis wrote:


hi - using OpenLDAP 2.6.3 and finding that newer LDAP client libraries (like 
the one that comes with Ubuntu 22.04.1 LTS) can't complete a connection to the 
LDAP server's TLS port. A machine I have running Rocky 8.6, however, with 
OpenSSL 1.1.1k, connects just fine. This is using self-generated certificates, 
but the correct CA cert and server cert have been provided to SSSD to use for 
login. The two machines are using identical certificates and SSSD configuration 
files.


Ubuntu's libldap is linked against gnutls, not openssl.

Maybe you will find the solution in

https://github.com/SSSD/sssd/issues/5444

Best regards
Ulf


Re: symas packages on Debian

2022-08-05 Thread Ulf Volmer

On 05.08.22 14:48, Michael Ströder wrote:

On 8/5/22 13:29, Ulf Volmer wrote:
I'm running symas OpenLDAP on Debian 11. Today we got an upgrade, which 
makes the server unable to start:


apt show symas-openldap-server
Package: symas-openldap-server
Version: 2.6.3-1bullseye1
[..]
ii  symas-cyrus-sasl-lib  2.1.27-4bullseye1 amd64 
Cyrus-SASL Libraries


You should have also received an update of this package (see file 
symas-cyrus-sasl-lib_2.1.28-2bullseye1_amd64.deb):


https://repo.symas.com/repo/deb/main/release26/pool/main/s/symas-cyrus-sasl/ 


Yes, thanks, it is available now.

I'm very sure that was not the case when I wrote my first mail.

Best regards
Ulf


symas packages on Debian

2022-08-05 Thread Ulf Volmer



Hello,

I'm running symas OpenLDAP on Debian 11. Today we got an upgrade, which 
makes the server unable to start:


apt show symas-openldap-server
Package: symas-openldap-server
Version: 2.6.3-1bullseye1



sudo systemctl status slapd
● symas-openldap-server.service - Symas OpenLDAP Server Daemon
 Loaded: loaded (/etc/systemd/system/symas-openldap-server.service; 
enabled; vendor preset: enabled)

Drop-In: /etc/systemd/system/symas-openldap-server.service.d
 └─override.conf
 /run/systemd/system/service.d
 └─zzz-lxc-service.conf
 Active: failed (Result: exit-code) since Fri 2022-08-05 13:20:57 
CEST; 8min ago

   Docs: man:slapd
 man:slapd-config
 man:slapd-mdb
Process: 536 ExecStart=/opt/symas/lib/slapd -d 0 -h ${SLAPD_URLS} 
$SLAPD_OPTIONS (code=exited, status=254)

   Main PID: 536 (code=exited, status=254)
CPU: 13ms

Aug 05 13:20:57 ldap3.lan.u-v.de systemd[1]: Starting Symas OpenLDAP 
Server Daemon...
Aug 05 13:20:57 ldap3.lan.u-v.de slapd[536]: ldap_int_sasl_init: SASL 
library version mismatch: expected 2.1.28, got 2.1.27
Aug 05 13:20:57 ldap3.lan.u-v.de systemd[1]: 
symas-openldap-server.service: Main process exited, code=exited, 
status=254/n/a
Aug 05 13:20:57 ldap3.lan.u-v.de systemd[1]: 
symas-openldap-server.service: Failed with result 'exit-code'.
Aug 05 13:20:57 ldap3.lan.u-v.de systemd[1]: Failed to start Symas 
OpenLDAP Server Daemon.


dpkg -l|grep sasl
ii  gsasl-common  1.10.0-4+deb11u1   all 
 GNU SASL platform independent files
ii  libgsasl7:amd64   1.10.0-4+deb11u1 
amd64GNU SASL library
ii  libsasl2-2:amd64  2.1.27+dfsg-2.1+deb11u1 
amd64Cyrus SASL - authentication abstraction library
ii  libsasl2-modules:amd642.1.27+dfsg-2.1+deb11u1 
amd64Cyrus SASL - pluggable authentication modules
ii  libsasl2-modules-db:amd64 2.1.27+dfsg-2.1+deb11u1 
amd64Cyrus SASL - pluggable authentication modules (DB)
ii  libsasl2-modules-gssapi-mit:amd64 2.1.27+dfsg-2.1+deb11u1 
amd64Cyrus SASL - pluggable authentication modules (GSSAPI)
rc  sasl2-bin 2.1.27+dfsg-2.1+deb11u1 
amd64Cyrus SASL - administration programs for SASL users database
ii  symas-cyrus-sasl-lib  2.1.27-4bullseye1 
amd64Cyrus-SASL Libraries


Any help is appreciated.

Best regards
Ulf


Re: cannot use RootDN to modify cn=config: Insufficient access

2022-05-01 Thread Ulf Volmer

On 01.05.22 13:21, butterfly-...@qq.com wrote:


[root@rayc01 ~]# ldapmodify -Y external -H ldapi:/// -f 1.ldif
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)


Does your /etc/sysconfig/slapd include the ldapi URL?

Should look like

SLAPD_URLS="ldapi:/// ldap:///"

Best regards
Ulf


Re: Attempting to build docker image with symas RPMs

2022-04-24 Thread Ulf Volmer

On 24.04.22 04:08, thomaswilliampritch...@gmail.com wrote:


#9 0.514   - package symas-openldap-clients-2.5.11-1.el8.x86_64 does not have a 
compatible architecture


Which architecture are you running on your host (uname -m)?

As far as I know, symas provides packages only for x86_64.

Best regards
Ulf


Re: Attempting to build docker image with symas RPMs

2022-04-23 Thread Ulf Volmer

On 23.04.22 20:48, thomaswilliampritch...@gmail.com wrote:


FROM debian:buster

RUN apt update
RUN apt install --yes --quiet wget
RUN apt install --yes --quiet gnupg
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys DA26A148887DCBEB
RUN wget -q https://repo.symas.com/configs/SOLDAP/d10/release25.list -O 
/etc/apt/sources.list.d/soldap-release25.list
RUN apt update
RUN apt install symas-openldap-clients symas-openldap-server
RUN rm --force --recursive /var/lib/apt/lists/*


Works for me without any issues. You should add --yes to the apt install 
command.


Best regards
Ulf


Re: Setup password policies: problem when adding OU

2022-02-14 Thread Ulf Volmer

On 12.02.22 20:00, Felix Natter wrote:


policyou.ldif:

dn: ou=policies,dc=company,dc=com
objectClass: organizationalUnit
ou: policies

ldapadd -Y EXTERNAL -Q -H ldapi:/// -f policyou.ldif (1)

which results in https://ldapwiki.com/wiki/LDAP_INSUFFICIENT_ACCESS
(with "additional info: no write access to parent")

Now I tried _several_ commands to fix this, then I did:

ldapadd -H ldapi:/// -D cn=admin,cn=config -W -f policyou.ldif (2)

which works. But I have to fix this on the production server now, and
I don't know whether (2) fixed this or some other command.

What could be the problem with (1)?


Looks like an issue with your ACLs. Here we have something like

to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
     by * none


to enable ldapi auth for local root account.

Best regards
Ulf


Re: issue with importing the samba3 schema

2022-02-08 Thread Ulf Volmer



On 08.02.22 16:41, Quanah Gibson-Mount wrote:
> --On Tuesday, February 8, 2022 10:50 AM +0100 Ulf Volmer
>> adding new entry "cn=samba3,cn=schema,cn=config"
>> ldap_add: Constraint violation (19)
>>  additional info: structuralObjectClass: no user modification
>> allowed
>>
>> I'm able to import other schemas in the same way, so I don't think that I
>> hold the tool in the wrong way.
>>
>> Any pointers for me?
>
> Delete these lines from the samba3.ldif file before importing it:
>
> structuralObjectClass: olcSchemaConfig
> entryUUID: 0f2e03be-de6e-1036-8834-375967239361
> creatorsName: cn=config
> createTimestamp: 20170605190809Z
> entryCSN: 20170605190809.978905Z#00#000#00
> modifiersName: cn=config
> modifyTimestamp: 20170605190809Z

Many thanks. Solved for me.

Best regards
Ulf
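The fix in Quanah's reply, and the same advice in the krb5-kdc.ldif thread above, is to delete the operational attributes from the LDIF before feeding it to ldapadd. As an added example (not OpenLDAP code and not from either thread), here is a small LDIF filter that removes exactly that attribute list, folded continuation lines included, so the rest of the entry is left untouched. The sample LDIF is constructed to resemble the failing samba3.ldif; its OID and the entryUUID/entryCSN values are placeholders.

```python
"""Strip the operational attributes that ldapadd rejects from an LDIF.

Added example for this thread and for the krb5-kdc.ldif thread above;
not OpenLDAP code. The attribute list is the one from Quanah's reply.
"""
OPERATIONAL = {
    "structuralobjectclass", "entryuuid", "creatorsname", "createtimestamp",
    "entrycsn", "modifiersname", "modifytimestamp",
}


def strip_operational(ldif_text, names=OPERATIONAL):
    """Drop the listed attributes, together with their folded continuation lines."""
    kept, skipping = [], False
    for line in ldif_text.split("\n"):
        if line.startswith(" "):          # LDIF continuation of the previous line
            if not skipping:
                kept.append(line)
            continue
        skipping = False
        if line and not line.startswith("#"):
            # attribute name before ':' and before any ';option'
            attr = line.split(":", 1)[0].split(";", 1)[0].strip().lower()
            if attr in names:
                skipping = True
                continue
        kept.append(line)
    return "\n".join(kept)


# Constructed LDIF modelled on the failing samba3.ldif; values are placeholders.
SAMPLE = """\
dn: cn=samba3,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba3
olcAttributeTypes: ( 1.1.1.1 NAME 'exampleAttr' DESC 'constructed placeholder'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20170605190809Z
entryCSN: 20170605190809.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170605190809Z
"""


if __name__ == "__main__":
    print(strip_operational(SAMPLE), end="")
```

The "no user modification" constraint is what ldapadd runs into: slapd generates these attributes itself and refuses them from a client, whereas a slapcat-style dump carries them because slapadd, not ldapadd, is meant to read it.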


issue with importing the samba3 schema

2022-02-08 Thread Ulf Volmer

Hello,

I'm trying to migrate an old openldap installation to a new one.
OS of the new one is SLES15SP3, we are using the symas 2.5 packages.

Sadly I got an error by importing the samba3 schema:

# /opt/symas/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f 
/opt/symas/etc/openldap/schema/samba3.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=samba3,cn=schema,cn=config"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification 
allowed


I'm able to import other schemas in the same way, so I don't think that 
I hold the tool in the wrong way.


Any pointers for me?

Best regards
Ulf


Re: Failing "id uid" test

2020-12-06 Thread Ulf Volmer
On 06.12.20 19:45, armin.v...@mmlab.de wrote:

> I'd appreciate hints how to track the issue down. First: What is the
> default LDAP log on Debian 10 or how can I determine an alternative log,
> if this is recommended?

Depends on your syslog configuration. Usually /var/log/syslog and
/var/log/debug.

But it may to easier to run 'journalctl -fu slapd'

Best regards
Ulf


Re: Unable to start up the ldap server after reboot

2019-01-03 Thread Ulf Volmer
On 02.01.19 17:36, Dieter Klünter wrote:

> If you want to run openldap on solaris, try openIndiana, which
> provides openldap-2.4.46. 

Solaris 11.4 (from oracle) provides the same version.
Just in case OP will be stuck with commercial versions.

best regards
Ulf



Re: Error Loading Schema

2018-04-18 Thread Ulf Volmer
On 16.04.2018 19:58, Net Warrior wrote:
> Hello there.
> Im trying to load this schema
> http://pig.made-it.com/ldap-openssh.html
> 
> And I get this error.
> ldapmodify: invalid format (line 1) entry: ""

You have to convert your schema file to the ldif format.
I used

https://gist.github.com/jaseg/8577024

in the past for this task.

best regards
Ulf
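The "invalid format (line 1)" error comes from handing ldapmodify a slapd.conf-style .schema file rather than LDIF. As an added example (not OpenLDAP code and not the gist linked above), here is a converter that does the same job: it joins the indented continuation lines of each attributetype/objectclass/objectidentifier directive, maps them to olcAttributeTypes/olcObjectClasses/olcObjectIdentifier as slapd-config(5) names them, and folds long values the LDIF way. The sample schema and its 1.1.1 OID arc are constructed placeholders.

```python
"""Convert a slapd.conf-style .schema file into a cn=config LDIF entry.

Added example for this thread; not OpenLDAP code and not the linked gist.
Directive mapping follows slapd-config(5); the sample schema is constructed.
"""
import re

_DIRECTIVE = re.compile(r"^(attributetype|objectclass|objectidentifier)\s+(.*)$",
                        re.IGNORECASE)
_TO_OLC = {
    "attributetype": "olcAttributeTypes",
    "objectclass": "olcObjectClasses",
    "objectidentifier": "olcObjectIdentifier",
}


def parse_schema(schema_text):
    """Return [(olc attribute, definition)] with continuation lines joined."""
    defs, current = [], None
    for raw in schema_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or full-line comment; a '#' inside DESC is kept
        m = _DIRECTIVE.match(raw)
        if m:
            if current:
                defs.append(tuple(current))
            current = [_TO_OLC[m.group(1).lower()], m.group(2).strip()]
        elif current is not None and raw[0] in " \t":
            current[1] += " " + raw.strip()  # indented continuation of the directive
        else:
            raise ValueError(f"not a schema directive: {raw!r}")
    if current:
        defs.append(tuple(current))
    return [(attr, " ".join(body.split())) for attr, body in defs]


def fold_ldif(line, width=76):
    """Fold a long LDIF line; continuation lines start with a single space."""
    pieces, rest = [line[:width]], line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def schema_to_ldif(schema_text, name):
    """Build the LDIF entry ldapadd expects for cn=<name>,cn=schema,cn=config."""
    lines = [f"dn: cn={name},cn=schema,cn=config",
             "objectClass: olcSchemaConfig",
             f"cn: {name}"]
    for attr, definition in parse_schema(schema_text):
        lines.append(fold_ldif(f"{attr}: {definition}"))
    return "\n".join(lines) + "\n"


# Constructed schema; the OID arc 1.1.1 is a placeholder, not a registered one.
SAMPLE_SCHEMA = """\
# constructed example schema
attributetype ( 1.1.1.1 NAME 'examplePublicKey'
    DESC 'constructed placeholder attribute'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

objectclass ( 1.1.1.2 NAME 'exampleKeyHolder' SUP top AUXILIARY
    DESC 'constructed placeholder class'
    MAY ( examplePublicKey ) )
"""


if __name__ == "__main__":
    print(schema_to_ldif(SAMPLE_SCHEMA, "example"), end="")
```

The resulting file is loaded with ldapadd -Y EXTERNAL -H ldapi:/// -f example.ldif, and because it carries no operational attributes there is nothing to strip first.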



Re: Question about automounting nfs directories within ldap

2017-10-11 Thread Ulf Volmer
On 09.10.2017 10:07, Bänsch, Christian (TF) wrote:

> Now I have the next question about automounting nfs directories.

I can't see that your NFS problem is related to openldap. I think you
should post your issue in an OS-specific mailing list.

Besides that:

> Oct  9 09:59:13 fautm89 automount[13131]: >> mount.nfs: access denied 
  ^^^
> by server while mounting fautm89.ltm.uni-erlangen.de:/export
   ^^^


It looks to me like client and server point to the same node.

best regards
Ulf



Re: OpenLDAP not starting using "systemctl start" but runs fine invoking slapd directly

2017-09-01 Thread Ulf Volmer
On 01.09.2017 11:30, michael.haer...@t-systems.com wrote:

> Where does the script take "${SLAPD_URLS}" and "$SLAPD_OPTIONS"
> from?

From /etc/sysconfig/slapd

Your problem was caused by wrong permissions of the database directory.
I have fixed that, slapd is running now.

best regards
Ulf Volmer