=allow ldapsearch ..."
To be clear, that setting disables the client's authentication of the
server: no protection from active attacks, back to "trust the network
layer". This is only useful for confirming that everything _except_ the
CA/cert setup are fine.
Philip Guenther
rt of confidential data in on the server or non-anonymous binds are used
then you should almost certainly either
a) list the specific ciphers you want to permit, or
b) at the very least exclude unauthenticated ciphers, ala
olcTLSCipherSuite: HIGH:!aNULL
If you believe you know what you're doing is safe then sure, go wild...)
Philip Guenther
On Wed, 14 Dec 2022, Jeffrey Walton wrote:
> On Wed, Dec 14, 2022 at 4:29 AM Philip Guenther
> wrote:
> >
> > On Wed, 14 Dec 2022, Stuart Henderson wrote:
> > > On 2022/12/14 06:22, Andre Rodier wrote:
> > > > > olcTLSProtocolMin: 3.3
> > >
>
including protocol version) using a gnuTLS-style
cipher string.
Philip Guenther
ports.
ISRT that the ldap backend would simply never reply to queries if
configured with no uris. No error, just never reply, leaving connections
open.
Philip Guenther
want to use
TLSCipherSuite HIGH:MEDIUM
or probably:
TLSCipherSuite HIGH
because do you *really* want to permit RC4-MD5, which is part of MEDIUM?
If you have clients that require such crappy old ciphers then they
*absolutely* need to be updated/replaced.
Philip Guenther
0/60/90
day remediation requirements, then no, stock openldap on stock centos, for
example, will not get you there.
Philip Guenther
On Wed, 23 Oct 2019, Quanah Gibson-Mount wrote:
> --On Wednesday, October 23, 2019 5:52 PM +0200 Saša-Stjepan Bakša
> wrote:
> > Is there any good reason that I see one of my custom objectClass garbled
> > like this below. It happens when I am reading content from file. From GUI
> > tool it looks
p1; , the request is redirected to server ldap1.
The LDAP protocol does not carry the hostname or URL that the client
thinks that it is connecting to, so there's nothing for such a reverse
proxy to test so that it can decide which backend to forward the client
to.
Philip Guenther
nds on what you want to happen when there are more than two
components before the ou=Delegated component.
Philip Guenther
ch
as:
(|(ou:dn:=orgunit1)(ou:dn:=orgunit2))
Note the ":dn" syntax there.
Perhaps an ACL using an LDAP filter containing something like that would
be part of a solution.
Philip Guenther
oesn't support TLS
1.2 then you'll need to hack OpenLDAP to disable it, perhaps adding a
TLSProtocolMax option to your tree.
Philip Guenther
Lv3|SSL_OP_NO_SSLv2.
*/
And now in OpenSSL 1.1.0 the use of the SSL_OP_NO_TLSv1* options is
deprecated in favor of new SSL_CTX_set_{min,max}_proto_version() APIs,
making it impossible at the API level to specify discontiguous sets of
versions.
Philip Guenther
e the bits described in ldap.conf(5) are implemented.
Philip Guenther
ies and the other doesn't...
>
> I also stepped through smbd with gdb and verified that the parameters to
> ldap_simple_bind_s are the same as my test case.
>
> Wonder if anyone can venture a guess how this might occur?
Are smbd and your test program linked against the same libldap version and
openssl version?
Philip Guenther
On Wed, 22 Oct 2014, Peter Boguszewski wrote:
I am running into issues on RHEL 6.x servers (mix of 6.5 and now 6.6) when
attempting to disable SSLv3. I have compiled the servers with the
--with-tls=openssl option and communication appears to be working well between
servers to matter what I
On Wed, 27 Aug 2014, SOMA SEKHAR wrote:
On Sat, Aug 23, 2014 at 1:08 PM, SOMA SEKHAR somasekha...@gmail.com wrote:
link to question on stackoverflow
...
I'm having trouble verifying the correct behavior of my software. Here
are the steps I am performing to verify correct operation:
to waste my time
reading the openldap source to find a workaround for the stuff that the
openldap developers aren't going to stand behind by documenting.
Philip Guenther
of your
cn=config (passwords stripped), the logging, and your test cases
w/results.
Philip Guenther
with
TLS_REQCERT demand
in the system ldap.conf. It also worked as expected with 'allow' in the
ldap.conf and 'demand' in the env-var.
Philip Guenther
# check for other random failures
(Obviously if your OS doesn't have strace, substitute the correct local
system call trace facility, be it truss, ktrace, or whatever.)
Philip Guenther
://www.openldap.org/doc/admin24/appendix-upgrading.html
?
I also don't see any replication details in /var/log/slapd.log
Since you don't mention how you configured replication to this 2.4 box or
what output you were expecting, I can't help on this.
Philip Guenther
the certificates by name:
certutil -d /path/to/certdbdir -L
Philip Guenther
the SASL clients in your setup to use SRP?
(if it's that easy to require new mechanisms, I would expect more
use of Kerberos!)
2) does the openldap 'slapd' auxprop support lookup of those alternate
data types as other attributes? If so, what/where's the schema for
them?
Philip Guenther
On Thu, 30 Jan 2014, Quanah Gibson-Mount wrote:
--On Thursday, January 30, 2014 4:25 PM -0500 Borresen, John - 0442 - MITLL
john.borre...@ll.mit.edu wrote:
...
Question, about the manage Access Level when would that be used?
It is not talked about at all other than Table 5.4 in section
you prefer (cat -vet is my preference) to verify
that the blank lines are really blank and that there aren't other hidden
characters in the input file.
Philip Guenther
On Thu, 2 Jan 2014, Warron S French wrote:
Philip, are you saying that if you are using VI in editor mode and turn on
set list to make sure that a $ is in the first column as opposed to $
in the first two columns?
That sounds like a reasonable way to check for trailing whitespace and
) manpage.
DOS-style line-endings (CRLF instead of just LF) are also perfectly legal
(though the ldif(5) manpage doesn't mention that). You can even mix CRLF
and LF line-endings inside a single file.
(Really folks, the RFC isn't that hard to read.)
Philip Guenther
vs ldaps) in the same line. Next, in order
for the server certificate to be validated, the hostname you connect to
(in the URI) must match what's in the certificate, which should be an
FQDN. I.e., something like:
URI ldaps://spsdel192.YOUR.DOMAIN.GOES.HERE:636/
Philip Guenther
', the ldap client library doesn't care whether the cert's
signature can be validated back to a known-and-trusted root CA.
(If you copied the self-signed cert into the client's trusted CA file or
directory, then you might be able to use 'TLS_REQCERT demand' and be
secure from MitM attacks.)
Philip
On Wed, 13 Nov 2013, Ulrich Windl wrote:
Philip Guenther guenther+ldapt...@sendmail.com wrote on 12.11.2013 at
16:37 in message alpine.BSO.2.11.1311120655310.19673@morgaine.local:
On Tue, 12 Nov 2013, Jan Synacek wrote:
quoting ldap.conf(5):
TLS_REQCERT level
...
try
:
dn: uid=maxUid,ou=ndtcadministration,o=ndtc
objectClass: top
objectClass: extensibleObject
uidNumber: 55083
'top' is an abstract object class, while extensibleObject is an auxiliary
object class, so none of that entry's object classes are structural object
classes.
Philip Guenther
, as well as
whatever infrastructure is behind them, which you didn't mention so
I'll assume you don't have.
So, right now, which one of those were you planning on using?
Philip Guenther
and needs reported but wanted to review it with
the list members before I submitted the ITS entry.
No, you're telling it to the delete the CN attribute. If you don't want
it to do that, put deleteoldrdn: 0 in your LDIF instead.
Philip Guenther
that allows storing
and reading of the contextCSN on the subordinate databases as well as
the maximum contextCSN on the superior database.
Sounds like you're looking for sync_use_subentry true, to be used
in the database contexts of the consumers.
Philip Guenther
On Wed, 23 Oct 2013, Jesus Jr M Salvo wrote:
Using the meta backend, I have specified a list of LDAP URIs.
I am testing what happens if the first URI becomes unresponsive ( e.g.
The host was shutdown, etc. ).
So I deliberately put in a bogus URI as the first URI that I know will
not
days ago:
http://www.openldap.org/lists/openldap-technical/201309/msg00091.html
Philip Guenther
/dev/null
as the 'file' for the option.
Once you add that, slapd will negotiate DHE cipher suites.
Philip Guenther
, passing LDAP_SASL_SIMPLE as
the mechanism.
Philip Guenther
only.
Philip Guenther
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 24d43ee..3c077f8 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -219,6 +219,25 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt,
int is_server
[1] for explanation.
Error, dangling footnote.
Philip Guenther
-d127 -h ldap:///;'
What certificates did you configure slapd to use?
cf.
http://www.openldap.org/doc/admin24/tls.html
which is linked from the quick start guide on www.OpenLDAP.org
Philip Guenther
, this is *exactly* why you should always say what version you're
using!
Philip Guenther
there, but assertions like that work for me with OpenLDAP 2.4.35
Philip Guenther
On Mon, 10 Jun 2013, Ashwin Kumar wrote:
Thanks for the reply. I am using OpenLDAP 2.4.35.
Then my remaining guess would be that your OpenLDAP wasn't actually
compiled to support TLS.
Philip
into sshd.
Philip Guenther
violation. You almost certainly
want this:
dn: uid=aaa,ou=People,dc=sample,dc=com
changetype: modify
replace: userPassword
userPassword: test
-
add: pwdReset
pwdReset: TRUE
Philip Guenther
client certificate authentication, yes. That
doesn't directly affect the identity it binds as, of course.
4) All these statements are also valid for LDAP over SSL. Correct ?
Yes.
Philip Guenther
. It *looks* kinda like LDIF, but it really isn't.
You should contact the book author so they can fix it for a future
printing.
Philip Guenther
On Mon, 18 Feb 2013, Patrick Lists wrote:
On 02/18/2013 07:16 AM, Philip Guenther wrote:
On Mon, 18 Feb 2013, Patrick Lists wrote:
I'm trying to achieve the following with OpenLDAP RE24 from last week:
Connections on ldapi:/// are plain text and ldap connections require
TLS
still go out in
cleartext.
Philip Guenther
the percent-encoding when generating the new request to the
referred-to server, as percent-encoding is not used (of course) in DN
field of the actual LDAP request.
Philip Guenther
with a line containing
just a hyphen; check ldif(5) or RFC 2849 for examples.
Philip Guenther
On Tue, 11 Dec 2012, Victor Sudakov wrote:
Philip Guenther wrote:
...
So, it would seem that a client should be able to portably request sorting
on the cn attribute in a case-insensitive fashion by sending the control
with that optional orderingRule filled in. That should work against
: 30840012020100020127a0840006020101020100
Note that an orderingRule is not given, thus unnecessarily making the
client dependent on the server extending a standard schema.
Philip Guenther
.
The ldap.conf(5) manpage indicates that the latter is ignored for GnuTLS,
so presumably you just have to place the trusted root certificate(s) in a
single file and point TLS_CACERT at that, in whatever format GnuTLS uses.
Philip Guenther
as requiring the value to
encoded in valid UTF-8, but that value appears to be encoded in some
ISO-8851 variant. You'll need to reencode the value...and then verify
that any applications reading that value handle it correctly.
Philip Guenther
simply auth to do that, as the upgrade
wouldn't protect the password anyway, but for a site using client certs,
like the original poster, I suppose it could make security sense to do
that...)
Philip Guenther
On Fri, 21 Sep 2012, Emmanuel Dreyfus wrote:
On Fri, Sep 21, 2012 at 07:42:53AM +, Emmanuel Dreyfus wrote:
On Thu, Sep 20, 2012 at 10:21:12PM -0700, Philip Guenther wrote:
So: imagine your search filter is this:
(cn=Bob ?)
which is the *exact same filter* as this:
(cn=Bob
have to percent-encode all non-graphical characters (0x00 through
0x20 and 0x7f through 0xff), as well as:
" - %22
% - %25
< - %3c
> - %3e
? - %3f
\ - %5c
^ - %5e
` - %60
{ - %7b
| - %7c
} - %7d
Philip Guenther
On Fri, 21 Sep 2012, Emmanuel Dreyfus wrote:
Philip Guenther guenther+ldapt...@sendmail.com wrote:
You asked what characters in an LDAP search filter have to be percent
encoded when including that search filter in an LDAP URI. That's the
question I answered above.
Oh, right
On Mon, 17 Sep 2012, Xavier Garcia wrote:
I am setting up a proxy to cache queries against Active
Directory, so our Postfix servers do not hammer the AD servers.
...
pcacheTemplate (mail=smtp:) 0 900
From the slapo-pcache(5) manpage:
A template is defined by a filter string and an
an entry into or out of a matched
subtree.
Philip Guenther
, LDAP_OPT_X_TLS_REQUIRE_CERT,
LDAP_OPT_X_TLS_NEVER);
Same problem here.
My conclusion is that the problem is in the real code that you didn't
show.
Philip Guenther
= 'canonical' })
pass { mbcescape = 1 } to canonical_dn().
(Some might also consider it a bug that Net::LDAP::LDIF doesn't default to
RFC conforming output but rather requires you to explicitly request it.)
Philip Guenther
On Fri, 20 Jul 2012, kef...@o2.pl wrote:
--On Saturday, July 14, 2012 12:42 PM +0200 kef...@o2.pl wrote:
Ok, thanx, I do understand that, but my point is, where I can put
those in configuration files ? On a client side set BASE and in
slapd.conf
databasebdb
suffix
with value present in entry
So it's a problem with the dc attribute; let's look at that data again:
dn: dc=mycompany,dc=org
dc: company
So, is it mycompany or company?!?
Philip Guenther
(how confident?), then have
you compared that log output to the log output of a successful login?
Philip Guenther
at the slapd code
would seem to confirm that...but I would test it before designing a system
to depend on it...)
Philip Guenther
On Mon, 28 May 2012, Philip Guenther wrote:
If no path is specified (e.g., ldapi://) then the checking code is
passed a hostname of localhost.
...which then remaps that to the local hostname (if available) for the
actual check.
Huh. So for any URI that doesn't specify a host component
On Sat, 26 May 2012, Nick Milas wrote:
On 25/5/2012 6:59, Nick Milas wrote:
You mean that if we use a what statement without an attrs= clause,
then it affects children and entry pseudo-attributes as well? And what
if there is a filter specified too (still without an attrs= clause)?
On Fri, 25 May 2012, Nick Milas wrote:
Why when assigning access rights to entry and/or children
attributes, in most cases - as I have seen from experience - we have to
end with a by * break clause?
Because that's a popular style of ACL processing logic to use for those
attributes. As you
On Wed, 25 Apr 2012, Uncle Hildegard wrote:
I have a DIT that contains objects like this:
uid=test,ou=user,ou=sales,o=Testcompany
Now I want to find out all objects that have sales in their DN. Since DN
is not an attribute one can search for ...
Yes you can:
(ou:dn:=sales)
configured on the database will be
ignored in checks for conflicts with other databases. By
default, olcHidden is FALSE.
Philip Guenther
** and backward to where they are.
For those trying to script this, you can get the LSN of the most recent
checkpoint with
db_stat -t | awk '$2 ~ /^File\/offset/{print $1; exit}'
Philip Guenther
On Fri, 10 Feb 2012, Brian Reichert wrote:
On Fri, Feb 10, 2012 at 12:00:29PM -0800, Philip Guenther wrote:
** Note that the ordering of this is almost completely inflexible.
** In particular:
** (0) must preceed (5)
** (1) must preceed (2) and (3
searches much slower and inefficient than they can be.
Philip Guenther
to be the problem by the *absence* of
syscalls writing data. dtrace might be able to show it directly...
Philip Guenther
that the CA
at the root of the server's cert's chain really is configured for the
client?
Philip Guenther
window; too bad the code
wasn't. If anyone has a list of other places where the docs are correct
but the code isn't, I'd be interested in a copy.
Philip Guenther
On Tue, 20 Sep 2011, tu...@bayour.com wrote:
The meta seems to work, using '(uid=kpxb140)' (which is my UNIX account
name at work) gives me two results, one from the AD and one from the
external OL server. This is verified, because the objects look different
(and comparing them with the
On Fri, 16 Sep 2011, Tim Watts wrote:
Quick question if I may:
Is it possible to rename a DN,
Yes, it's possible to modify the DN of an entry.
eg this LDIF file:
dn: cn=Fred,ou=people,dc=example,dc=com
changetype: modify
replace: dn
dn:
.
Philip Guenther
?
...
dn: uid=olivier,ou=Staff,ou=People,dc=mydomain,dc=fr
Ah: which comes first in the dn: Staff or People? The good results from
ldapsearch show ou=Staff,ou=People,dc=mydomain,dc=fr while the failing
search is of ou=People,ou=staff,dc=mydomain,dc=fr.
Philip Guenther
wasn't NULL. So, make sure you're building against a current version.
Philip Guenther