Re: OpenLDAP UTF8 values support

[Andrew Findlay]

On Wed, Mar 21, 2018 at 07:35:34PM +, André Rodier wrote:

> On 21/03/18 17:19, Michael Ströder wrote:

> > That's why I proposed 'intlMailAddr' herein:
> > https://tools.ietf.org/html/draft-stroeder-mailboxrelatedobject-07#section-2
> > 
> > Note that this attribute only makes sense in case of non-ASCII local part
> > and for use with SMTPUTF8 extensions. I currently only know of one SMTPUTF8
> > implementation (postfix 3.x).

> I am using postfix 3 as well, with dovecot.

So you can probably use that extension. However, most people cannot.
Therefore if you create mail accounts with non-ASCII characters in the
local part those accounts will not be able to exchange mail with 95%
of the world's population. (unless you install a translating gateway,
but then the address seen outside your system will not be the same as
the one inside and your users will get confused).

This is why the LDAP mail attribute is limited to IA5 (7-bit ASCII) syntax.

None of this prevents having UTF8 characters in the 'comment part', as you
do youself ("André" contains one character that cannot be represented in
IA5). This part is not stored in the LDAP mail attribute, which should
be just LHS@RHS.domain

Andrew
-- 
-----------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: LDAP Account expiry

[Andrew Findlay]

On Thu, Mar 08, 2018 at 05:18:55AM +, Brad Marshall wrote:

> As I understand there's no native way to do this, I've written a python script
> that loops over and checks the authTimestamp from the lastbind overlay, which
> is all good.  To lock the account I set the pwdAccountLockTime to the
> timestamp, which all works well with the ppolicy overlay in place.
> 
> The problem becomes when we want to unlock the accounts, and give the end 
> users
> a chance to auth so it will clear out the lock.  My understanding from reading
> the code was that I could set the timestamp for pwdAccountLockTime into the
> future, and it should expire the account when it gets to that time.  This 
> gives
> the users a grace period in which to authenticate.

As you have found, that is not going to work. pwdAccountLockedTime
is an operational attribute used by the server to *record* when the
password was actually locked.  It does not mean 'lock the account at
this time'. In OpenLDAP the mere presence of this attribute in an entry
locks the password.

This is a bit of a fudge in the "standard" (actually a long series of
Internet Drafts) or perhaps in OpenLDAP's interpretation of it. Operational
attributes are not supposed to be modified directly, yet the standard
way to lock an account is to set pwdAccountLockedTime to 0101Z.

> Should any of this be working?  Am I missing any piece of this puzzle here? 
> Has anyone got any suggestions on how to solve this problem, either via the
> approach I'm trying or any alternative solution?  Please let me know if I've
> left any useful information out about this.

You might get somewhere by artificially expiring the password and giving
the account a couple of grace authentications, but this also requires
modifying operation attributes and it does not set a time limit.

I think you are going to have to create a new attribute to hold the time
you want the password to re-lock. You can then either write an overlay to
enforce it or (simpler perhaps) extend your python script to check and
re-lock accounts that have not logged in before the deadline.

This is one of the problems with the existing password policy framework.
It mixes password policy with account policy for historical reasons (most
of the concepts came from Unix password policy files). As you say above,
you want to unlock the *accounts* which is not the same as unlocking the
*passwords* because there may be non-password ways of authenticating and
you want to block those too.

Note also that some features of password policy have "interesting"
behaviour when replication is involved.

Andrew
-- 
-----------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Using virtual IP and N-way mutlimaster mode

[Andrew Findlay]

On Wed, Jan 24, 2018 at 09:43:58AM -0800, Quanah Gibson-Mount wrote:

> > How about adding a flag to slapd to specify the server ID so that it can
> > go the other way through the config, convert ID to FQDN, and drop that
> > FQDN from the set of replication sources?
> 
> I'll discuss with Howard, and see.  I hate seeing more options added to
> slapd, but it may be the only option (no pun intended!) for this scenario.
> ;)  The cloud was fairly nascent when this was all designed, so this case
> wasn't really a consideration at that point in time.  If you were to pass in
> the server ID, I think you could get rid of the multi-valued serverID bit
> entirely, since every server would know who it was already.

I think you would still need that. Maybe I have missed something else
here, but how does slapd avoid making a syncrepl connection to itself
in the replicated-config scenario? I was assuming that it just ignores
syncrepl clauses where the provider URL matches its own hostname.
If it is done by IP then more thought will be required.

The multi-valued attribute is neat in the case of servers with simple
IP<->hostname mappings so we would probably want to keep it for that.

Andrew
-- 
-----------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Using virtual IP and N-way mutlimaster mode

[Andrew Findlay]

On Wed, Jan 24, 2018 at 09:27:20AM -0800, Quanah Gibson-Mount wrote:

> Please ellaborate on what is risky (or load inducing) about changing the
> maxsize.

It is entirely my assumption - wrong it would appear, which is good news!
I was thinking of this as something like grow/shrink ops on filesystems.

>  I've had a script for years that has automatically adjusted the
> maxsize as necessary based on the size of the DB vs maxsize, etc, via
> cn=config.  This script has been deployed on servers throughout the world
> via my former job @ Zimbra. Changing the maxsize has never been a problem.
> 
> You have 3 basic scenarios:
> 
> #1: You decrease the maxsize to < size of the DB
> #2: You set the maxsize = to the size of the DB
> #3: You increase the maxsize > size of the DB
> 
> In scenario #1, lmdb refuses to set the maxsize to something less than the
> size of the DB.  It will make it equal to the size of the DB (Leading to
> scenario #2)

Is 'size of the DB' the current length of the DB file, or the amount of disk
space actually used by it?

> In scenario #2, the server will not accept any new growth (write ops will be
> rejected).  Monitoring should alert you to that, but the system will recover
> once you adjust the maxsize to something useful.
> 
> In scenario #3, the maxsize is increased.
> 
> I've not seen any load related issues for such an operation, so it's not
> clear to me what you mean by that, either.

Just to be clear on this, is it OK to change maxsize in the config file while
slapd is down or does this only work with LDAP-based config changes?

> The other problem is definitely interesting, and I'm not clear on a good
> solution for it.

How about adding a flag to slapd to specify the server ID so that it can go the
other way through the config, convert ID to FQDN, and drop that FQDN from the
set of replication sources?

Andrew
-- 
-----------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Using virtual IP and N-way mutlimaster mode

[Andrew Findlay]

On Wed, Jan 24, 2018 at 06:37:43AM -0800, Quanah Gibson-Mount wrote:

> You can change the MDB maxsize at any time, including while slapd is
> running.  So that scenario at least doesn't compute. ;)

I would still rather do such risky / load-inducing changes on one replica at a
time. Anyway, running with fully-replicated config makes it even more important
to have a good solution to the problem I described.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Using virtual IP and N-way mutlimaster mode

[Andrew Findlay]

On Tue, Jan 16, 2018 at 10:24:42AM +0400, Jephte Clain wrote:

> all nodes run with -h ldap:// and I have as many olcServerID as defined nodes
> my cn=config is also replicated  between all nodes
> 
> for example, I have:

> olcServerID: 1 ldap://ldapm3.univ.run/
> olcServerID: 2 ldap://ldapm4.univ.run/

> olcSyncrepl: {0}... rid=0 provider="ldap://ldapm3.univ.run/; ...
> olcSyncrepl: {1}... rid=3 provider="ldap://ldapm4.univ.run/; ...

There is an important variation of this problem when running cloud
machines in services like AWS. The actual machines have IPv4 addresses
in private address space - usually 10.x.x.x - but if you need to access
them from outside their own availability zone (datacentre) you must use
a different (public) IP address. The machines usually have hostnames of
the form ip-10-x-x-x and there is no way to resolve those globally.

So, we might have one server in each of three zones and need to set up
MMR between them:

Zone A:
Server IP: 10.21.0.1
Public IP: 134.82.17.63
Default hostname: ip-10-21-0-1

Zone B:
Server IP: 10.22.0.71
Public IP: 193.17.65.123
Default hostname: ip-10-22-0-71

Zone C:
Server IP: 10.35.0.5
Public IP: 7.45.81.52
Default hostname: ip-10-35-0-5

Not too much of a problem if each server has a separate config, but if
we want replicated configs it gets harder.

The first problem is that the private IP ranges used by the three zones
may overlap. Indeed, there are cases where the three servers could have
identical local IPs (and thus identical default hostnames).

Even without that, we have to cope with the fact that the servers are on
private addresses but have to contact each other using public addresses.

One option would be to set new hostnames on the servers and use those
to key into the appropriate config values. The hostnames would need to be
resolvable to public IP addresses so that the MMR config would work properly.
Does anything check that the hostname actually resolves to an IP address
bound to the server I wonder? Even if OpenLDAP is OK with that, it might
break something else running on the machine.

Another option would be to use the new hostnames in the -h URL list, but as has
already been mentioned this will fail because the server cannot bind to the
public IP.

What is best practice here? I am leaning towards *not* replicating config
because it makes some updates really hard (think changing the max size of
an MDB database without stopping all the servers at the same time). I still
like the idea that the config should be identical on all servers during
normal operation though.

[ Note that I am not considering the OP's virtual IP problem here, as
load-balancing/failover in this environment would be done separately ]

Andrew
-- 
-------
|     From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Antw: Re: [Q] amendments to schemes existent

[Andrew Findlay]

On Fri, Oct 20, 2017 at 01:08:01PM +0300, Zeus Panchenko wrote:

> 1. search works with filter: (authorizedService=mail@hh001.umidb)
>(and without index it returns empty result)

That is odd. Th eindex should only be a performance thing - it should
not change the results at all. You need to be very careful about using
slapindex whenever you change the list of indexes.

> 4. search (unexpectedly) does not work at all with filter: 
> (authorizedService:caseIgnoreSubstringsMatch:=m...@hh001.umi*)
> 
># base 

Re: Antw: Re: [Q] amendments to schemes existent

[Andrew Findlay]

On Thu, Oct 19, 2017 at 02:02:55PM +0300, Zeus Panchenko wrote:

> is there other way to get originally SUBSTR-less attributes to be
> matchable by substring, except hacking the scheme?

You could try using the extended search filter syntax:

(dhcpOption:caseIgnoreSubstringsMatch:=boot*)

See RFC4515 for more details. In practice you will probably want to create a
suitable index on the attribute unless the search will also include another
attribute that is already indexed and which will cut down the number of results
sufficiently. e.g.

(&(hostCategory=finance)(dhcpOption:caseIgnoreSubstringsMatch:=boot*))

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: [Q] amendments to schemes existent

[Andrew Findlay]

On Tue, Oct 03, 2017 at 11:35:56PM +0300, Zeus Panchenko wrote:

> I'm wondering of search possibility lack for some attributes
> 
> my question is: is it correct/good/sane/e.t.c. to patch them this
> way? is there other way to get those attributes searchable?

You should not change the definitions of standard attributes or
objectclasses. That does not stop you from setting up an index for the
attribute though, and most LDAP servers will then allow you to search
for it even if the published schema does not allow for the possibility.

Andrew
-- 
---
|     From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

LDAPCon 2017 programme now online

[Andrew Findlay]

The programme for the 2017 LDAP Conference has just been published:

https://ldapcon.org/2017/conference-program/

It's looking good, so get your booking in quickly to get early-bird
tickets and start thinking about where you want to stay in Brussels!

The conference runs 19th and 20th October 2017.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: ppolicy issues

[Andrew Findlay]

On Tue, Aug 08, 2017 at 07:46:02PM +0200, Michael Ströder wrote:

> Yes, slapo-ppolicy config can be different per database.
> Also consider setting password-hash / password-crypt-salt-format per database.

Be aware that you must put ppolicy entries (including default entries)
in the same database as the entries that they will govern. Thus you need
at least one policy entry in each backend DB.

See ITS#7262 for details:

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7262;selectid=7262

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Openldap Configuration issues

[Andrew Findlay]

Please keep the discussion on-list so that others can find it
if they have similar problems.

On Tue, Aug 08, 2017 at 12:44:25PM +0200, R H wrote:
> Subject: Re: Openldap Configuration issues

> > No point in changing stuff without knowing what is going on.
> > Add this to your config and restart slapd:
> >    loglevel stats,stats2

> after setting loglevel to stats, stats2
> 
> Aug  8 05:40:18 docker slapd[2990]: daemon: read active on 14
> Aug  8 05:40:18 docker slapd[2990]: daemon: epoll: listen=9 active_threads=0
> tvp=zero
> Aug  8 05:40:18 docker slapd[2990]: daemon: epoll: listen=10 active_threads=0
> tvp=zero

No - something has set a different log level. You are seeing a lot of
connection-management and debug stuff rather than the query and
response summaries that you need.

You might do better to stop the server and run it manually. Something
like this:

/usr/sbin/slapd -d stats,stats2 -h ldap:/// -g openldap -u openldap

What I am expecting to see looks more like this (from a Cyrus mailbox
server using LDAP via saslauthd):

Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=103 BIND anonymous 
mech=implicit ssf=0
Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=103 BIND 
dn="cn=saslauthd,dc=ldap,dc=example,dc=com" method=128
Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=103 BIND 
dn="cn=saslauthd,dc=ldap,dc=example,dc=com" mech=SIMPLE ssf=0
Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=103 RESULT tag=97 err=0 text=

That shows saslauthd connecting to LDAP and authenticating correctly.

Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=104 SRCH 
base="dc=example,dc=com" scope=2 deref=0 filter="(uid=myusername)"
Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=104 SRCH attr=dn

That is the search to find the user account.

Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=104 ENTRY 
dn="uniqueIdentifier=1405431085.7365.0,associatedDomain=example.co.uk,ou=domains,dc=example,dc=com"
Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=104 SEARCH RESULT tag=101 err=0 
nentries=1 text=

That shows the search result: the user entry is 
"uniqueIdentifier=1405431085.7365.0,associatedDomain=example.co.uk,ou=domains,dc=example,dc=com"

Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=105 BIND anonymous 
mech=implicit ssf=0
Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=105 BIND 
dn="uniqueIdentifier=1405431085.7365.0,associatedDomain=example.co.uk,ou=domains,dc=example,dc=com"
 method=128
Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=105 BIND 
dn="uniqueIdentifier=1405431085.7365.0,associatedDomain=example.co.uk,ou=domains,dc=example,dc=com"
 mech=SIMPLE ssf=0
Aug  8 17:48:33 owl slapd[616]: conn=1282270 op=105 RESULT tag=97 err=0 text=

Finally the password is checked by binding to LDAP using the account DN and 
password as credentials.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Openldap Configuration issues

[Andrew Findlay]

On Sun, Aug 06, 2017 at 05:54:56PM +0200, R H wrote:

> which is great, this is exactly the way it should look like, however I've
> noticed, that cn=admin,o=testcompany.com entry doesn't exists, while it 
> did
> using the default config after i've installed openldap.

I assume that you cleared out the database at some point (which you should do,
to get rid of example entries from the distro). Thus, cn=admin,o=testcompany.com
will not exist unless you explicitly create it - and nor will o=testcompany.com
which you need to create first.

>  6. In Redmine, I've configured and tested the ldap authentication. It is
> working correctly (it can both connect to my ldap and If i wish to add a
> new user and choose the before configured ldap authentication for it, i 
> can
> even choose from the entries that are in my ldap, which is also great)
> 
>  7. However (this is where my problem is) when i try to log into Redmine with 
> a
> user that i've just created (with ldap authentication) i always get 
> Invalid
> credentials error (while it works like a charm when i login with any other
> account, created with Simple Authentication)
> 
> These events led me to believe that the error is in the LDAP configuration.

Maybe, maybe not...

> After a few more hours/days of fooling around with the ACLs and
> dpkg-reconfigure slapd (and even purging-reinstalling slapd and ldap-utils) i

No point in changing stuff without knowing what is going on.

Add this to your config and restart slapd:

loglevel stats,stats2

Find where the log stream goes to - probably /var/log/daemon.log or similar.
Look at the LDAP operations and results when you try to login on your app.
This will tell you what the app is actually doing.

Andrew
-- 
-----------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: [Q] "selective" ACL

[Andrew Findlay]

[ This is a very old thread you are resurrecting! ]

On Fri, Sep 09, 2016 at 01:51:47PM +0300, Zeus Panchenko wrote:

> I have two posixGroup groups 
> 
> cn=admins,ou=group,dc=foo
> cn=coadmins,ou=group,dc=foo
> 
> my users resides in ou=People,dc=foo
> 
> so, in subtree ou=People,dc=foo I need to allow anything to admins (and
> it is not difficult of course)
> 
> for example this works for me:
> 
> access to dn.subtree="ou=People,dc=foo"
> by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
> by self write
> by users read
> by * break
> 
> but in addition I need to allow my coadmins to do the same things except
> manipulations upon the objects which belong to admins (
> ...anyobject,uid=adminuser,ou=People,dc=foo )
> 
> so, the question is: how? (if it is possible at all) :(

It depends partly on why the ACI ends with 'by * break'. What other
rules could be applied in that case?

In the simple case where 'by * none' would have the same effect, you could
just put another ACI ahead of the one above so it comes out like this:

access to 
by self write
by users read
by * none

access to dn.subtree="ou=People,dc=foo"
by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
by self write
by users read
by * none

The problem is to write the ''.
That would probably be easier if you were not defining admin users by their
UID in a Posix group. Ideally there would be an attribute visible in each
entry that defines admin status, as then you could just key on that.
If your admin group is defined as a standard DN-based groupOfNames then
you could use the memberof overlay to reflect membership into an attribute
of the user entry.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: syncrepl fails after upgrade to openldap 2.4.45

[Andrew Findlay]

On Mon, Jun 26, 2017 at 11:09:43AM -0700, Quanah Gibson-Mount wrote:

> Now you're switching topics.  Your original mail did not include
> cert authentication, it used simple binds:
> 
> syncrepl rid=000
>  provider=ldaps://ldap.dannatu.ch:636
>  type=refreshAndPersist
>  retry="5 5 300 +"
>  searchbase="dc=dannatu,dc=ch"
>  attrs="*,+"
>  scope=sub
>  bindmethod=simple
>  binddn="cn=Manager,dc=dannatu,dc=ch"
>  credentials=**
> 
> 
> Either way, cert authentication AND TLS encrypted syncrepl both work
> for me with OpenSSL 1.0.2l and OpenLDAP 2.4.45 just fine, so I would
> have to again guess issues with proper TLS configuration.

It seems that the CA cert was never referenced in the syncrepl clause, so
it would have dropped back to whatever TLS config was in the LDAP *client*
config file (probably /etc/ldap/ldap.conf). I seem to remember a change in
behaviour of OpenSSL libs a while ago where I was bitten by something
similar. Maybe Juergen's earlier setup used ldap.conf and the new one
is ignoring it?

Andrew
-- 
-------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: [Q] can I replicate several branches to the same slave from one master?

[Andrew Findlay]

On Thu, Jun 29, 2017 at 03:47:07PM +0100, Andrew Findlay wrote:

> I suspect part of the trouble is that you have two syncrepl clauses using the
> same search base on the same master. The timestamps are likely to be stored
> in the same place, causing a clash.
> 
> One definite error is that all three clauses are labelled 'rid=123'. They 
> should
> all have different numbers.

As it happens, Quanah has just replied to a question with a very similar issue.
See message below, and also the ITS: 
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8100;selectid=8100

... so you should also make at least one change to data on the master node
so that the syncrepl process has something to do.

Andrew

On Tue, Jun 27, 2017 at 01:55:34PM -0700, Quanah Gibson-Mount wrote:
> Date: Tue, 27 Jun 2017 13:55:34 -0700
> From: Quanah Gibson-Mount <qua...@symas.com>
> To: btb <b...@bitrate.net>, openldap-technical@openldap.org
> Subject: Re: mmr pair stops replicating: "consumer state is newer than
>  provider"
> Sender: openldap-technical <openldap-technical-boun...@openldap.org>
> 
> --On Tuesday, June 27, 2017 5:35 PM -0400 btb <b...@bitrate.net> wrote:
> 
> >On 6/27/17 10:27 AM, Quanah Gibson-Mount wrote:
> >>--On Tuesday, June 27, 2017 10:37 AM -0400 btb <b...@bitrate.net> wrote:
> >>>i'm using 2.4.44 on freebsd, built from ports.  i can provide any config
> >>>details etc - i just didn't want to inundate the post with guesses on
> >>>detail that might not be relevant.
> >>
> >>What is your accesslog purge setting?  Do you have long periods of time
> >>with no write activity?
> >
> >there are some extended periods of time with no write activity, yes.
> 
> That's one form of a known issue then with using accesslog
> (ITS#8100). I've made a suggestion on how it could be fixed, and
> Howard agreed that would be the correct solution.  Just need the
> fix. :)
> 
> In the meantime, you can set up a cronjob that does a modify once a
> day on some object that doesn't really do anything, like if you had:
> 
> dn: cn=someobject,dc...
> objectClass: ...
> cn: someobject
> description: blah
> 
> you could have a job that does:
> dn: cn=someobject,dc...
> changetype: modify
> replace: description
> description: blah
> 
> So it in effect does nothing, but it keeps an active change in the
> accesslog alive.
> 
> Basically what happens with the accesslog empty is that it'll end up
> generating its own new contextCSN that differs for that server than
> the one stored in the rootDB, and will be /newer/ than it as well,
> which is why you get that message.  You can also fix the problem
> simply by doing a modify on each master, and it'll reset the
> contextCSNs and things will flow (i.e., no need to do a dump/reload,
> etc).
> 
> --Quanah
> 
> 
> --
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
> 
> 


-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: [Q] can I replicate several branches to the same slave from one master?

[Andrew Findlay]

On Tue, Jun 27, 2017 at 01:04:38AM -2100, Zeus Panchenko wrote:

> Subject: [Q] can I replicate several branches to the same slave from one 
> master?

> on master I see: consumer state is newer than provider
> on slave: LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform
> 
> so ... what is wrong here?

I suspect part of the trouble is that you have two syncrepl clauses using the
same search base on the same master. The timestamps are likely to be stored
in the same place, causing a clash.

One definite error is that all three clauses are labelled 'rid=123'. They should
all have different numbers.

Try fixing the RIDs - use small numbers, all different. The exact values are 
not important.
Also try commenting out the second syncrepl clause until you have the others 
working properly.
You should be able to merge the first and second clauses as they share a 
search-base.

You may also need to put ACLs on the accesslog database.

Andrew

> - ---[ master configuration quotation start ]---
> ...
> access to dn.children="dc=example"
>by dn.exact="uid=replABC,ou=repl,dc=example" read
>by * break
> 
> # syncprov specific indexing
> index entryCSN eq
> index entryUUID eq
> 
> overlay syncprov
> syncprov-checkpoint 50 10
> syncprov-sessionlog 100
> 
> overlay accesslog
> logdb   cn=example-accesslog
> logops  writes
> logold  (objectclass=*)
> index   default eq
> 
> ### Accesslog DB
> databasemdb
> maxsize 1073741824
> suffix  cn=example-accesslog
> rootdn  "cn=root,cn=example-accesslog"
> rootpw  ***
> directory   "/var/db/openldap-data/example-accesslog"
> 
> index   default eq
> index   entryCSN,objectClass,reqEnd,reqResult,reqStart
> 
> overlay syncprov
> syncprov-nopresent TRUE
> syncprov-reloadhint TRUE
> ...
> - ---[ master configuration quotation end   ]---
> 
> 
> 
> - ---[ slave configuration quotation start ]
> syncrepl rid=123
> provider=ldap://master.example:389
> starttls=critical
> searchbase="dc=example"
> bindmethod=simple
> binddn="uid=replABC,ou=repl,dc=example"
> credentials="***"
> filter="(|(&(objectClass=authorizedServiceObject)(objectClass=mailutilsAccount)(authorizedService=m...@foo.bar)))"
> attrs="cn,entry,entryCSN,entryUUID,o,uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,userPassword,creatorsName,createTimestamp,modifiersName,modifyTimestamp,mail,rfc822MailMember,sn,authorizedService,mu-mailBox"
> tls_cacert=/usr/local/etc/openldap/ssl/ca.crt
> tls_cert=/usr/local/etc/openldap/ssl/ABC.crt
> tls_key=/usr/local/etc/openldap/ssl/ABC.key
> tls_reqcert=try
> type=refreshAndPersist
> retry="60 +"
> logbase="cn=example-accesslog"
> logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
> syncdata=accesslog
> 
> syncrepl rid=123
> provider=ldap://master.example:389
> starttls=critical
> searchbase="dc=example"
> bindmethod=simple
> binddn="uid=replABC,ou=repl,dc=example"
> credentials="***"
> filter="(&(objectClass=authorizedServiceObject)(authorizedService=x...@foo.bar))"
> tls_cacert=/usr/local/etc/openldap/ssl/ca.crt
> tls_cert=/usr/local/etc/openldap/ssl/ABC.crt
> tls_key=/usr/local/etc/openldap/ssl/ABC.key
> tls_reqcert=try
> type=refreshAndPersist
> retry="60 +"
> logbase="cn=example-accesslog"
> logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
> syncdata=accesslog
> 
> syncrepl rid=123
> provider=ldap://master.example:389
> starttls=critical
> searchbase="ou=ABC,ou=Sendmail,dc=example"
> bindmethod=simple
> binddn="uid=replABC,ou=repl,dc=example"
> credentials="***"
> tls_cacert=/usr/local/etc/openldap/ssl/ca.crt
> tls_cert=/usr/local/etc/openldap/ssl/ABC.crt
> tls_key=/usr/local/etc/openldap/ssl/ABC.key
> tls_reqcert=try
> type=refreshAndPersist
> retry="60 +"
> logbase="cn=example-accesslog"
> logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
> syncdata=accesslog

-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Permission issue for normal user with ldap_add

[Andrew Findlay]

On Thu, Jan 19, 2017 at 10:23:22AM +0100, Dieter Klünter wrote:

> man slapd.access(5)

See also some examples in the Admin Guide:


http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20Examples

More examples here:

https://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

For any non-trivial policy I would suggest building a test-suite before
trying to write the ACLs. OpenLDAP has one of the most predictable ACL
mechanisms in the industry but it can still be hard to cover all the
edge-cases correctly.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: LDAP search rule to find group owners

[Andrew Findlay]

On Mon, Jan 16, 2017 at 03:21:41PM +, Philip Colmer wrote:

> to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by set="this/
> owner/member & user" write by users none by * none

> Is there a way of performing an LDAP search that does the equivalent of the 
> ACL
> (or something like it) to tell me which groups can be written to for a given
> DN?

I don't think you will be able to do that in a single LDAP operation on a 
standard server.
The most efficient way is probably:

Search for all groups that the user is a member of, returning just the 
DN

Search for all groups where any of those DNs are found in the owner 
attribute

Beware though, that if some users are members of very large numbers of groups 
then the
search assertion could be very large...

If you have the memberof overlay then you may be able to simplify the process
by having it maintain an 'ownerOf' attribute in the group entries. Then you 
could get
what you want in a single search:

Match: (&(objectclass=groupOfNames)(member=))
Return: ownerOf attribute

This may return multiple entries. You just need to gather up all the ownerOf 
values.
To be really cute you could add the dynlist overlay to do this for you...

Andrew
-- 
-----------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Slapd.conf for doing stress

[Andrew Findlay]

On Thu, Jan 12, 2017 at 02:39:12PM +0530, PRATIK SINGAL wrote:

> Am new to openldap and need to perform stress on openldap2.4.
> Can any one please provide me with some usefull link / optimized conf file for
> stress.

Optimisations will depend on the data you will use and on the operations being 
done.
In particular, the indexing setup can have a big effect on performance and the 
'optimum'
configuration depends on the mix of searches and updates.

> we are using Berkley DB.

That is not optimum :-) Install 2.4.44 and use mdb for best results...

Andrew
-- 
---
|     From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Searches with dereferncing causing high CPU load.

[Andrew Findlay]

On Tue, Nov 17, 2015 at 06:02:36PM +, Howard Chu wrote:

> slapindex on back-mdb is faster than slapadd. But, for the problem
> being discussed here, slapindex is inadequate; you need a full
> reload with slapadd.

Useful to know, thanks.

What about the root cause - is it likely that 64k aliases would trigger a
problem, or is something else going on here?

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Searches with dereferncing causing high CPU load.

[Andrew Findlay]

On Tue, Nov 17, 2015 at 11:11:04AM +, Mark Cairney wrote:

> Just as an update- we've managed to restore service. It turns out that
> we had went over the value of 65,535 (66,291) aliases which we think was
> the root cause of this behaviour suddenly starting.

It's a significant number certainly...

> Although it relates to MDB this ITS sounded very similar:
> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146;page=10
> 
> We started deleting as many aliases as we could but performance only
> improved slightly. What appears to have fixed it was doing a slapcat of
> the "pruned" data and re-loading it into the database via slapadd.
> Having done this searches with deref set to always are now performing as
> they were before.

If this happens again, you could try stopping the server and running
slapindex rather than reloading everything.

> Ultimately we've been wanting to move away from both a) hdb and b)
> aliases for a while but one of our user bases runs a web application
> that requires them as it doesn't support either groups or modifying it's
> search filter. Given this incident there might be a push for them to
> re-evaluate this approach.

That does sound like a problematic app. There may be other ways of
solving the problem if you have to keep it though. I would tend to look
at having a separate instance of slapd to service it, and it might then
be possible to use mapping overlays to build a view of your data that it
can cope with. Does the app need to modify LDAP data or is it read-only?

Andrew
-- 
-------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Searches with dereferncing causing high CPU load.

[Andrew Findlay]

On Mon, Nov 16, 2015 at 03:13:11PM +, Mark Cairney wrote:

> We're having severe performance issues for any query with alias
> dereferencing set to "always".
> 
> Any query with this causes the CPU to spin up to 100% and if we have a
> number of these concurrently the machine will become unresponsive.

I hit something similar a while ago using mdb:

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8146

> We're using OpenLDAP 2.4.42 with the old hdb backend.
> 
> We do have a large number of aliases (~63,000). Could this be the cause?

It would be worth checking that you have indexed the objectclass attribute.

I prefer to avoid aliases...

Andrew
-- 
-------
|     From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: ldiftopasswd: Can it be done with SSHA hashes?

[Andrew Findlay]

On Wed, Nov 04, 2015 at 04:45:28PM +, Chuck Peters wrote:

> Can I convert the ldif's userPassword:: "salted hash, aka SSHA" to "hash 
> type$salt$hash" format of shadow passwords?

Not usefully: there is no support for single-round SSHA1 in most Unix-like
crypt(3) libraries.

> Or do I need to force those users with SSHA hashed passwords to change their 
> password?

Yes

> Most of the users passwords are in crypt format.  I found a perl one liner to 
> base64 decode those passwords hashes.  (1)

By 'crypt format' do you mean the old Unix 13-char DES-based hash, or one of
the newer ones? At present you should really only be using the newer
multi-round hashes, with this order of preference:

$2y$ or $2a$Bcrypt
$6$ Multi-round SHA512
$5$ Multi-round SHA256
$1$ Multi-round MD5

> I'm attempting to create shadow passwd files with an old Debian 6.0.10 
> (squeeze) LDAP installation and Debian's slapd package (2.4.23-7.3+deb6u2 
> squeeze-lts patched oldoldstable) includes a perl script ldiftopasswd, which 
> I thought came from upstream, but it's not included in the most recent source 
> of openldap.  If my reading of the perl is correct, it was meant for earlier 
> iterations of shadow passwords that did not include hash format or salt.  I'm 
> not having any success using the script this far.
> 
> 
> 1. http://www.perlmonks.org/bare/?node_id=963814
> alias ldapdecode="perl -MMIME::Base64 -n -00 -e 's/\n //g;s/(?<=:: 
> )(\S+)/decode_base64(\$1)/eg;print'" and just do ldapsearch | ldapdecode

That script simply converts the Base64 encoded fields of an LDIF file into
their native (binary) format.

Beware of old distros as they may not support all of the hash formats.

Why do you need a passwd/shadow file in the first place? Surely it is much
better to set your systems up to validate logins against LDAP directly.
That way the only thing that needs to care about hash formats is the LDAP
server process.

Andrew
-- 
-------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Allowing users to update their passwords

[Andrew Findlay]

On Tue, Oct 13, 2015 at 09:02:01AM +0200, Dieter Klünter wrote:

> Am Mon, 12 Oct 2015 16:13:18 -0500
> schrieb Kartik Vashishta <kartik.u...@gmail.com>:
> 
> > Team,
> > 
> > I am not anything but new to ldap. I have however successfully
> > installed and configured Openldap on CentOS7. Online material was a
> > BIG help.
> > 
> > I am trying to figure out how to allow users to change their own
> > passwords.
> > 
> > Googling pointed me out to this:
> > access to attrs=userPassword
> > by self write
> > by anonymous auth
> > by users none
> > 
> > access to * by * read
> > 
> > But where and how does this get input into the ldap db. There is no
> > more a slapd.conf.
> 
> slapd-config(5)

Also
http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration

I would suggest changing the access list:

olcAccess: to attrs=userPassword
   by self =wx
   by anonymous auth
   by * none
olcAccess: to * by * read

The important change is the 'self' access. If you use 'write' then you are also
granting read access, so someone who gets control of an authenticated session
would be able to read the user's password. By using =w or =wx you allow
passwords to be changed and to be used in authentication, but you prevent them
being read.

You will need to search your config to find the appropriate entry to add the
above values to. It will be something like olcDatabase=mdb,cn=config

You should also configure a strong hash function for passwords, and ideally you
should install a password policy overlay to enforce password hashing.
The choice of hash function depends on the libraries available in your
operating system. SSHA is always available but is very weak in the face of a
password cracker. The Linux/FreeBSD/OpenBSD '$1$' '$6$' and '$2a$' hashes are
very much stronger. Config looks like this:

olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: "$6$%.12s"

It should be added to the olcDatabase=frontend,cn=config entry.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: SSL based LDAP client verification

[Andrew Findlay]

On Wed, Oct 07, 2015 at 02:13:38AM +0500, Aneela Saleem wrote:

> I have followed this link to generate self-signed certificates. I have
> successfully performed server side validation.

I assume that means that you have made an SSL or TLS connection to the server
and done an LDAP operation, so this operation should succeed:

ldapwhoami -x -H ldap://my.server.com/ -ZZ

If it does not, you may need to specify the TLS_CACERT location in
/etc/openldap/ldap.conf or temporarily provide the cert location in the
environment:

LDAPTLS_CACERT=/path/to/ca.crt ldapwhoami -x -H ldap://my.server.com/ -ZZ

Don't start trying to use any other clients until you have the command-line
ones working properly.

> What if i want to access LDAPS:/
> / from other client. I have copied servercrt.pem and serverkey.pem file on
> client machine, also added servercrt.pem file to client trust store. I'm using

NO! Don't ever give clients the secret key.

Assuming you followed http://www.openldap.org/faq/data/cache/185.html fully you
created two certificates: a master CA cert and a server-specific cert. You can
use the CA cert to create as many server certs as you like, and client machines
only need a copy of the CA cert to verify trust.

Andrew
-- 
---
|         From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: New User unable to authenticate on new client

[Andrew Findlay]

On Mon, Oct 05, 2015 at 09:56:25PM +, Varadi, Louis - 0442 - MITLL wrote:

> I have added a user but cannot authenticate.

> This user fails
> 
> [root@ldapserver]# ldapwhoami -x -D cn=lou,dc=group1,dc=ldap -W
> 
> Enter LDAP Password:
> 
> ldap_bind: Invalid credentials (49)

No surprise there, as your later search shows the user has a different DN:

> # lou, Users, group.ldap
> dn: uid=lou,ou=Users,dc=group1,dc=ldap
> uid: lou
> mail: louxxx
> sn: 
> pwdAttribute: xxx
> telephoneNumber: xx
> roomNumber: 
> uidNumber: 
> gidNumber: x
> employeeNumber: x
> cn: Louis x
> loginShell: /bin/bash
> gecos: Lou 
> homeDirectory: /home/
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: pwdPolicy
> objectClass: shadowAccount
> userPassword:: xxx

> [root@ldapserver man1]#   su - lou
> 
> su: user lou does not exis

> 5612ebc3 conn=1053 fd=12 ACCEPT from IP=192.168.0.101:59310 (IP=
> 192.168.0.101:389)
> 
> 5612ebc3 conn=1053 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> 
> 5612ebc3 conn=1053 op=0 SRCH attr=* altServer namingContexts supportedControl
> supportedExtension supportedFeatures supportedLDAPVersion
> supportedSASLMechanisms domainControllerFunctionality defaultNamingContext
> lastUSN highestCommittedUSN

This session is anonymous (no BIND operation).

> 5612ebc3 conn=1053 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
> 
> 5612ebc3 conn=1053 op=1 SRCH base="dc=group1,dc=ldap" scope=2 deref=0 filter="
> (&(uid=lou)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0"
> 
> 5612ebc3 conn=1053 op=1 SRCH attr=objectClass uid userPassword uidNumber
> gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp
> modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning
> shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
> pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock
> host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
> 
> 5612ebc3 conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=

err=50

If you look that up you find:

insufficientAccessRights (50)

Indicates that the client does not have sufficient access rights
to perform the operation.

So the anon user does not have the right to do a search from the base
"dc=group1,dc=ldap" (this says nothing about the right to read the uid=lou
entry).

You have an ACL problem. I suggest removing all ACLs and starting with this:

access to attrs="userPassword"
by self =w
by * auth

access to * by * read

Once you have the basic service working you can start thinking about ACLs.
You may then want to define an account for your Linux client machines to use
when accessing LDAP so that you don't have to give anon access to your data.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: uniqueness unique_uri specification help

[Andrew Findlay]

On Fri, Sep 11, 2015 at 05:26:35PM +, Peter Heinemann wrote:

> Working with an ldap implementation that builds  the dit from scratch daily
> using extracts from an RDBMS.
> The nature of the source data/tables and the code that creates the extracts
> builds an ldif (imported via slapadd) that has some multi-value attributes,
> specifically cn, sn, and givenName because the RDBMS does no case checking.
> 
> Stanzas like this can occur in the ldif:
> 
> dn: uid=aperson,ou=people,dc=school,dc=edu
> 
> cn: Andrew Person
> cn: ANDREW PERSON
> sn: Person
> sn: PERSON
> givenName: Andrew
> givenName: ANDREW
> 
> and slapadd will happily write them all, but ldapmodify etc. can (and do)
> return errors when encountering these entries.

You should only use slapadd with correctly-formed LDAP entries.
The example given here is not correctly formed because all the attributes
you show have case-ignore syntax and the multiple values differ only in case.

> What I'd like to do is use ldapadd under the uniqueness overlay instead of
> slapadd.  But I'm unsure of the specific syntax for the unique_uri
> specification so that that cn, sn, and givenName attributes are unique 
> under/in
>  each DN.
> Most of the examples I've found are how to enforce uniqueness over an entire
> branch.  Still reading the specifics about uri specification but would
> appreciate any assistance.

The uniqueness overlay will not do what you want. It is for enforcing
uniqueness across multiple entries. If you use ldapadd rather than
slapadd then you will not be able to load bad entries such as the one above.
However, this is probably still not what you want as it will throw an error
rather than removing the unnecessary extra values!

I think the best approach would be for your build process to check each
attribute before writing the LDIF file. Where:

lowercase(next value) matches lowercase(any existing value)

then it should either ignore the new value or should overwrite the
clashing value in the attribute (e.g. if the new one is mixed case
and the existing one is all upper case).

It would still be wise to load the data through LDAP rather than using
slapadd, but the process will be much slower.

How many entries do you have? Do you run multiple LDAP servers?

Andrew
-- 
-----------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: OpenLDAP error - ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

[Andrew Findlay]

On Fri, Sep 11, 2015 at 03:07:00PM +0200, Clément OUDOT wrote:

> Le 11/09/2015 14:54, Varadi, Louis - 0442 - MITLL a écrit :

> slapd: [INFO] Listening to services ldap://*:389 ldaps://*:636

> I ran the command tail –f /var/log/openldap.log

> Maybe you are using the ldapsearch command from the distro, which may not work
> with LTB package. Try /usr/local/openldap/bin/ldapsearch
> 
> Check also your selinux configuration and your iptables.

It is worth trying ldapsearch with the debug option to see where
it is trying to connect:

ldapsearch -x -d 1

The first few lines of output should look something like this:

ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:479:1f45:20::201 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request

Using the same command on a machine that does not have an LDAP server
configured looks like this:

ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect errno: 111
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect: 
connect errno: 111
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Look particularly at the ldap_connect_to_host: lines.

Andrew
-- 
---
|         From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

LDAPCon 2015 booking now open

[Andrew Findlay]

LDAPCon 2015, the fifth International Conference on LDAP, Directory 
Services and Identity Management will be held in the UK at the 
University of Edinburgh School of Informatics Forum.

Tutorials: 11th November 2015
Conference: 12th and 13th November 2015

We have 22 peer-reviewed papers. Topics include service design, 
LDAP schema, protocol enhancements, server technology and client 
programming. There will be a poster display area for updates on the very
latest work-in-progress, and a social event in a spectacular city-centre
venue for networking with other LDAP professionals.

http://ldapcon.org/2015/

Several of the regular contributors to this list will be speaking.

Booking is now open and early-bird prices are available until the
end of September. For full details see the booking page:

http://ldapcon.org/2015/?page_id=112

Book now to get the early-bird price!


There are opportunities for commercial sponsorship that will be of
interest to companies working in related areas. See
http://ldapcon.org/2015/?page_id=101 for details.


Andrew Findlay
Conference Chairman

Thanks to our sponsors for their support.
Our first Platinum sponsor: Symas http://symas.com/
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: ldapmodrdn accented characters with windows client

[Andrew Findlay]

On Tue, Sep 08, 2015 at 04:06:42PM +0200, LAROCHETTE Philippe wrote:

> In fact, it's working fine if i replace the "é" character with this sequence 
> "\c3\a9"

OK - so it works if you feed it UTF-8. This is expected, as LDAP expects every
text string to use the UTF-8 encoding and the standard version of the
command-line tools does not do any character-set conversion.

> 1 - I precise that i use a normal command-line charset like chcp 1250 or chcp 
> 850 with the Lucidia Font in the windows console that show correctly the 
> accented characters in the windows command

Can you change the working locale of the system to use UTF-8 ?
If you are really using Windows XP this may be hard, but it is really time to
get rid of that obsolete OS anyway.

Can you move the client application to a Linux platform?
Most modern distros default to UTF-8 which makes this easy.

> 2 - When i use ldapadd or ldapmodifiy, i have no problem with the accentes 
> characters... but for this command i copy the .exe binaries from the OID 11g 
> of oracle windows client... but in this product for windows there is not à 
> ldapmodrdn.exe program...

In those cases the accents may be in data files in UTF-8 of course.
It also sounds as if you are getting ldapmodify from a different set of
binaries so maybe one set has charset conversion and the other does not.

If you really have to keep the XP system you might be able to build a
workaround using something like iconv to process the command-line args
and input files:

iconv --from-code=CP1250 --to-code=UTF-8 /path/to/inputfile

Andrew
-- 
-------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: load balancer

[Andrew Findlay]

On Fri, Aug 28, 2015 at 02:38:33PM +0800, Eileen(=^ω^=) wrote:

>I have two LDAP servers using mirrormode. I want to run a  FREE service to
> achieve load balancer for these servers. 
>Due to i can't find any load balancer information in OpenLDAP-Admin-Guide,
> so my question is which kind of service do you advice for load balancer, or
> which kind service openldap supported?

Depending on exactly what you want to achieve, you may not need to run
a separate service at all.

Much LDAP client software allows you to specify multiple servers,
which will be tried in rotation until one answers. This gives protection
against unreachable servers.

Another option is to put several 'A' or '' records in the DNS entry
for your LDAP service (use a service-specific name like ldap.example.org
rather than the name of the server). Most DNS servers will change the order
of records in each reply (round-robin DNS) so your clients are likely
to spread their load across all servers and will fall back to a different
server if the first attempt does not connect.

The solutions above involve TCP timeouts if servers go down,
and this may be too slow for you. One way to get around that is to use
a service-specific IP address which is shared by two or more servers.
Each server monitors the other and will take over the service address
if necessary. Note that this does not give you load balancing between
the servers: it is a hot-standby system.

If you do not trust the client software to work properly with multiple
server addresses then you could use OpenLDAP with the LDAP back-end
or the META back-end. Both allow you to specify multiple servers and will
handle fallback even if clients don't. This configuration has a very low
resource requirement so you can run an instance of it on every client
machine if you need to.

Andrew
-- 
---
|         From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: disable simple paged results control support?!

[Andrew Findlay]

On Thu, Aug 27, 2015 at 01:46:53PM +0300, Igor Shmukler wrote:

> Is it possible to disable OpenLDAP server-side support of simple paged
> results control, so the OpenLDAP server would respond that this
> control is unavailable?
> 
> I don't have an LDAP proxy, nor ODSEE configured. OpenLDAP saved me
> many times, in past. Can OpenLDAP be configured to do what I need, so
> I could test my fallback code in the client using an OpenLDAP server?

Have a look at the RETCODE overlay: slapo-retcode(5) - this should allow you
to return whatever error codes you like to your client during testing.

Andrew
-- 
---
|         From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Replication speed and data sizing (mdb)

[Andrew Findlay]

On Mon, Aug 10, 2015 at 05:19:22PM -0700, Brian Wright wrote:

 We're trying to solve the problem of how to recover/replace a failed
 node in a system containing a very large number of records and bring
 it back into the cluster as quickly as possible. We're also trying
 to resolve how to ensure that replication works consistently on
 restart.

In terms of recovering a failed node, the very fastest method is to use
a database backup made with mdb_copy. The output from that command is
a file that can be used directly as an MDB database so all you have to do
is put it in place and restart slapd. Even if the backup is a day or two
old, the replication process should bring in the more recent changes
from another server.

If your servers have identical software, you can even take a backup
from one server and install it on another one. That gives you a quick
way of copying in very fresh data.

Note that mdb_copy is not installed by default. For safety you must
use a binary built from the same OpenLDAP distribution as your slapd.
You will find the source for the MDB tools in
openldap-2.4.*/libraries/liblmdb

There are some caveats with mdb_copy. In particular it can cause
database bloat if run on a server that has a heavy write load at the
time.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Adding Members to Groups

[Andrew Findlay]

On Fri, Aug 07, 2015 at 01:46:42AM +0500, Aneela Saleem wrote:

 So which objectClass best suits for this situation?

If you want to have groups that are easy to adminster and are capable
of being empty then you should consider groupOfEntries. A quick scan
through the Apache Ranger docs suggests that you can configure the
group class and group search so this may well work. You will need to
add the groupOfEntries class to your LDAP server schema as it is not
likely to be there by default.

 On Fri, Aug 7, 2015 at 1:42 AM, Michael Ströder mich...@stroeder.com wrote:

 Or rather ietf-ldapext *WG* should make progress with
 draft-findlay-ldap-groupofentries... ;-)

You can use the class defined in that draft even if IETF don't
officially endorse it. Copy attached to this message.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---



Network Working Group A. Findlay
Internet-DraftSkills 1st Ltd
Expires: March 16, 2008   September 13, 2007


  The LDAP groupOfEntries object class
  draft-findlay-ldap-groupofentries-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as work in progress.

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 16, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This memo describes the LDAP groupOfEntries object class which is a
   replacement for the existing groupOfNames class.  The new class
   permits the creation of empty groups.

   If approved as a Standards Track document, this document will update
   RFC4519 [2]

Document Intent

   This document is intended to be, after appropriate review and
   revision, submitted to the RFC Editor as a Standards Track document.
   Distribution of this memo is unlimited.  Technical discussion of this
   document will take place on the IETF LDAP Extensions mailing list
   ldap...@ietf.org.  Please send editorial comments directly to the
   author andrew.find...@skills-1st.co.uk


1.  Introduction

   A groupOfNames object class has existed since the earliest X.521 [1]
   standard.  It has an identical definition in LDAP (RFC4519 [2]).  The
   class is used to define entries holding DN-valued member attributes,
   each value pointing to an entry that represents a single member of
   the group being described, or to another entry of type groupOfNames.

   groupOfNames is a structural object class, so it is often the only
   class used in the definition of group objects.

   Experience has shown that the definition of groupOfNames causes
   difficulties in practice.  In particular, the fact that 'member' is a
   mandatory attribute means that it is not possible to create an empty
   group or to delete the last member from a group.  This leads to
   artificial tricks such as making every group a member of itself, or
   adding a dummy member to every group when it is created.  These
   tricks in turn make the management of groups more complex and prone
   to error.  Groups are commonly used to control access to resources,
   so management errors can lead to security risks.

   There does not appear to be any good reason for the 'member'
   attribute to be mandatory.  This memo describes a new object class
   called groupOfEntries that is equivalent to groupOfNames in all other
   respects but which makes 'member' an optional attribute.


2.  The existing groupOfNames object class

   RFC4519 [2] contains this definition:

   The 'groupOfNames' object class is the basis of an entry that
   represents a set of named objects including information related to
   the purpose or maintenance of the set.  (Source: X.521 [1])

 ( 2.5.6.9 NAME

A new open-source TLS implementation

[Andrew Findlay]

Amazon have just announced a completely new implementation of TLS.
By avoiding all the history and ignoring features that they don't need
the code has been cut by a factor of 10 when compared with the equivalent
part of OpenSSL. OpenSSL or some other crypto library is still needed,
but this is surely worth a look for future use with LDAP:

http://blogs.aws.amazon.com/security/post/TxCKZM94ST1S6Y/Introducing-s2n-a-New-Open-Source-TLS-Implementation
https://github.com/awslabs/s2n/blob/master/README.md

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: group email addresses

[Andrew Findlay]

On Thu, Jun 18, 2015 at 08:13:48AM -0400, brendan kearney wrote:

 I am using postfix. is there a benefit to the group based expansion piece you
 speak of?  Postfix is already tied to my ldap instances for user aliases, etc.

It would allow you to use the LDAP groups to define the members of the
mailing list as well as the address of the list. The Postfix LDAP README
has some ideas about how you might set this up:

http://www.postfix.org/LDAP_README.html#example_group

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: group email addresses

[Andrew Findlay]

On Sat, Jun 20, 2015 at 10:11:38AM -0400, Brendan Kearney wrote:

 I am just wondering which OID (and schema) is the least unofficial
 or the most official one to use.

It does not really matter. All you need from an OID in an LDAP system
is that it does not clash with anything else. The designers of those
schema have presumably allocated OIDs from a space that they control
so any of them should be OK.

Attribute names are more important, and certainly must not clash with
anything else that you are likely to use so make sure they have been
chosen sensibly.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

LDAPCon 2015 submission deadline approaching

[Andrew Findlay]

LDAPCon 2015 will be held in Edinburgh on 11-13 November.
The submission deadline for paper and tutorial proposals is 28th June 
so you have just one week to send us your ideas:

http://ldapcon.org/2015/?page_id=5

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: group email addresses

[Andrew Findlay]

On Wed, Jun 17, 2015 at 04:37:36PM -0400, Brendan Kearney wrote:

 i have done some reading, and it seems that no official standard
 exists for group email addresses.  to that end, i am looking to
 enlighten myself about what is done to provide mail addresses for
 groupOfNames groups.

Are you just trying to add a 'mail' attribute to the group entry,
or do you want the MTA (mail system) to use LDAP data to expand
the mailing list?

Adding the mail attribute is quite simple: define an AUXILIARY object
class that permits the attribute, add that to the group entries, and
you can then add the mail attribute.

Doing group-based mail expansion takes more work, and really depends
on what MTA you are using. You would need to configure the MTA to
recognise the groups as valid list-expansion targets. It would then
read the group and fetch the mail attribute from each member entry to
construct the list. If the MTA cannot do this two-stage process itself,
you could consider using the dynlist overlay in slapd to collect
the members' mail addresses into the group entry itself.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: getent passwd only catch local user passwd

[Andrew Findlay]

On Thu, Apr 30, 2015 at 01:06:54AM +, Yingbo Li wrote:

 If you find anything wrong, please let me know. I can only configure the 
 client side, the LDAP server controlled by IT.

You need to find out what each component in the stack is doing.
If you have access to the LDAP server logs, try looking there to see what
operations are performed. If not, consider setting up your own LDAP server so 
that
you can run it at a high log-level.

Another way to check LDAP operations is to use tcpdump and/or wireshark
to capture and analyse network traffic. You will need to disable TLS for
that to be useful.

There is a fair amount of advice about debugging SSSD issues on the web,
e.g.:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
https://fedoraproject.org/wiki/How_to_debug_SSSD_problems

I would advise turning OFF nscd. It is not helpful when sssd is in use, and can
cause great confusion and problems of its own.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: getent passwd only catch local user passwd

[Andrew Findlay]

On Tue, Apr 28, 2015 at 07:49:07PM +, Yingbo Li wrote:

 I am new to LDAP.  The company’s IT own LDAP server, I tried to configure
 openldap client but failed. My OS is CentOS 7, openldap is 2.4.39.
 
 I configured ldap and ldaps. I can use ldapsearch to find out full ldap info 
 of
 my LDAP account. I configured with authconfig-tui. I also modified /etc/pam.d/
 system-auth and password-auth, change pam_sss.so to pam_ldap.so. While when I
 tried getent passwd, I can only find local users. I cannot su to my LDAP
 account. Why?

You have probably messed up the config by making those changes. CentOS 7 
expects to
use SSSD to access LDAP: it provides useful services and isolates system 
processes
from the LDAP service so you should not try to bypass it.

Lots of useful information here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Deployment_Guide/index.html#SSSD-Introduction

Rather than editing config files directly, try to get a basic system running by
using the authconfig command. This should make sure that you have a consistent
setup. Better still, select LDAP authentication when you install the system and 
let
the install wizard help you through the process.

If your LDAP service places size limits or restrictive access-control on the 
data
you may need to create an account for SSSD to bind with so that it can bypass 
the
limits.

This is not really an OpenLDAP problem, so you are likely to get more detailed 
help
on a Red Hat or CentOS mailing list or forum.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Antw: Re: Slapd running very slow

[Andrew Findlay]

Did you get to the bottom of this?

On Thu, Apr 23, 2015 at 08:29:48PM +1000, Geoff Swan wrote:

 On 2015-04-23 5:56 PM, Howard Chu wrote:
  In normal (safe) operation, every transaction commit performs 2
  fsyncs. Your 140MB/s throughput spec isn't relevant here, your disk's
  IOPS rate is what matters. You can use NOMETASYNC to do only 1 fsync
  per commit.

Decent SAS disks spin at 10,000 or 15,000 RPM so unless there is a non-volatile
memory cache in there I would expect at most 15000/60 = 250 fsyncs per second 
per
drive, giving 125 transaction commits per second per drive.

 OK. I ran a reduced version of test script (20 processes each performing
 40 read/write operations) with normal (safe) mode of operation on a test
 server that has 32GB RAM, and everything else identical to the server
 with 128GB.

So that is just 800 operations taking 60s?

 A quick test using vmstat at 1s intervals gave the following output
 whilst it was running.
 
 procs ---memory-- ---swap-- -io
 -system-- --cpu-
  r  b swpd free buffcache   si   sobibo   in  
 cs us sy id wa st
 20  00 32011144   167764   33041600 115   40  
 56  0  0 99  1  0
  0  00 31914848   167764   33042400 0  1560 2594
 2130  2  1 97  0  0
  0  00 31914336   167764   33042400 0  1708  754
 1277  0  0 100  0  0
  0  00 31914508   167772   33042000 0  2028  779
 1300  0  0 99  1  0

 The script took about 60s to complete, which is a lot longer than
 expected. It appears almost all I/O bound, at a fairly slow rate (1500
 blocks in a second is 6MB/s).

As you say, it is IO bound (wa ~= 100%). Stop worrying about MB/s: the data 
rate is
irrelevant, what matters is synchronous small-block writes and those are 
limited by
rotation speed.

Are you absolutely certain that the disks are SAS? Does your disk controller
believe it? I had big problems with an HP controller once that refused to run 
SATA
drives at anything like their full speed as it waited for each transaction to
finish and report back before queuing the next one...

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: All entries belong to the top object class?

[Andrew Findlay]

On Tue, Apr 28, 2015 at 10:21:25AM +0530, dE wrote:

 No. 'top' is defined in RFC4512:
 
  ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
 
 so every entry MUST contain an objectclass attribute.
 It does not say anything about any other attributes.
 
 Yeah, so that's the question, can any attribute which is in the MAY
 of the top object class be added to any entry in the DIT regardless
 of what object class it belongs to?

The top object class does not have any MAY attributes. If it did then yes you 
could
use them in any entry in the DIT as all normal entries are members of top.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Ldap challenge

[Andrew Findlay]

On Wed, Apr 22, 2015 at 08:08:11PM +, Ross, Daniel B. wrote:

 What i need to do is continue to use the campus usernames and passwords but
 present the Data in a format that my linux/unix hosts can use.  Is this
 possible?

Probably, but I don't think you have given us enough information so far.

 i.e.  userid would still be samwise but instead of a bizzarre OU=
 monkeypeople,dc=example,dc=com I want it to present as people,dc=example,dc=
 com.

I assume the latter DN should be O=people,dc=example,dc=com

If this is your main problem then it may not need solving on the server side.
There is no fixed rule about the structure of a base DN used for Linux and Unix
LDAP authentication. You should be able to work with any DN structure, provided
that you know where to base your searches and provided you can do one-level or
subtree searches on the AD service to find what you need.

 I looked at referral and aliasing but it does not seem to be doing what I am
 trying to do.  Passthrough authentication looks close but I cant find
 sufficient documentation to actually configure a system to use it.

Does the campus AD service contain everything that Linux/Unix would need?
e.g. does it have:

Username (almost certain - called samAccountName in AD)
Unix numeric UID
Unix numeric GID
Unix homedir
Unix shell
Something to use for GECOS (optional)

It does not matter what those attributes are called in AD as you can set the
clients to work with whatever you have, but they *do* have to be present.
It used to be necessary to load a Microsoft package called SFU (Services For 
Unix)
to support this, but I think more recent versions of AD already have schema for 
it
by default.

If you don't have at least that set of attributes with sensible values to work 
with
then you will have to maintain a parallel or overlay directory service. There 
are
several ways to do that, so let's start by establishing what you have!

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: All entries belong to the top object class?

[Andrew Findlay]

On Sat, Apr 25, 2015 at 05:58:43PM +0530, dE wrote:

 Does adding of the top object class (implicitly) make it possible to
 add all attributes in the DIT to the entry? I'm talking about
 attributes which are out of the 'MAY' in the most subordinate object
 class the entry belong to.

If you really want to permit *any* attribute to be added to an entry,
then you can add the ExtensibleObject objectclass. In general this is a *bad* 
thing
to do. See RFC4512 section 4.3 for the definition.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: separate loglevels for different databases?

[Andrew Findlay]

On Mon, Apr 27, 2015 at 05:19:54PM +0200, Meike Stone wrote:

  I've configured two different databases (one ldap, one bdb) in openLDAP.
  Is it possible, to configure separate loglevels for each database?
 
  maybe at least different logfiles?

loglevel / olcLogLevel is a global option, so no I'm afraid you cannot do this.

If you really want different logging you will have to put each backend in a
separate server instance and join them together with a third using back-ldap or
back-meta.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Ldap challenge

[Andrew Findlay]

On Mon, Apr 27, 2015 at 06:27:39PM +, Ross, Daniel B. wrote:

 ismemberof  does not exist  we have to use memberof

Memberof is fairly common. I don't think I have ever found a system
that used 'ismemberof'.

Note that maintaining memberof takes some work so it
is not enabled on all LDAP servers by default.

 nsUniqueId we have to use objectGUID

What do you use nsUniqueId for? Probably not a problem anyway as you
may be able to use other similar attributes as you mention above.

 no uniqueMember again can only use memberof.

uniqueMember and memberOf have completely different use-cases:
uniqueMember is used just like 'member' in most cases, to indicate
which entries are members of the group that it appears in.
memberOf indicates which groups the entry that it appears in is a
member of (i.e. it is the inverse mapping).

 while there is a guarantee of person there is not the same for Posixaccount 
 or shadowaccount.

Ah - if you lack those attributes then AD is certainly not going to do
the job on its own.

 While I have been able to get linux with SSSD to work, to some extent, with 
 this its rather hit and miss and the Solaris systems just wont work at all.  
 This is why I was hoping to be able to use the campus for the username and 
 password, and then provide the rest from a local ldap server.   It doesnt 
 sound like this is really possible.

Yes - it should be possible but it will take a bit more work.

 saslauthd did not work at all with the MS LDS.

Did you try following the instructions here?:


http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Note that you will need the DN and password of an existing AD user
to allow saslauthd to do LDAP searches on AD. You can try the
ldapsearch commands from section 14.5.3 without any other setup to
test that you have a good user account.

In principle it may be better to do Kerberos authentication against AD
rather than LDAP, but I didn't have a Kerberos server handy when I
wrote that bit.

 What is a parallel or overlay directory service?

Parallel would be where you replicate some subset of data from AD into
a local LDAP server, which then operates as a self-contained system.
You could have the replication process create or look up Unix-specific
attributes like UID and GID for new accounts.

Overlay would be where you use what you can get from AD, and put a
translucent overlay on top containing Unix-specific data that you
administer locally.

In either case you need to decide how to handle password checking and
account locking.

All of my customers so far have chosen the parallel approach, as that
allows the Unix LDAP to continue working if it loses access to AD.
Ideally this includes installing a module on the AD Domain Controllers
that detects password changes and forwards them immediately to the Unix
LDAP. I have generally used Microsoft's SFU password-capture module for
this as AD admins seem happier to install Microsoft code than things from
other sources. It does have its problems though, and the code quality
of the Unix end that they provide leaves a lot to be desired. I believe
newer AD versions come with an updated version of this built in, but I
have not tested it.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: All entries belong to the top object class?

[Andrew Findlay]

On Mon, Apr 20, 2015 at 11:06:07AM +0530, dE wrote:

 I'm concerned about the attributes. Does adding of the top object
 class (or person) add all attributes to the entry?

No. 'top' is defined in RFC4512:

( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )

so every entry MUST contain an objectclass attribute.
It does not say anything about any other attributes.

In any case, objectclasses do not directly add attributes to entries.
They do permit (MAY) or require (MUST) certain attributes.
It is up to the user or application to supply values for MUST
attributes and for any MAY attributes that you want to use.
LDAP does not support 'present but empty' attributes, so there must
be a non-null value in each MUST attribute.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

LDAPCon 2015

[Andrew Findlay]

LDAPCon 2015


 Please note the new submissions address 


The fifth International Conference on LDAP and Directory Services will be
held in the UK at the University of Edinburgh School of Informatics Forum.

Tutorials: 11th November 2015
Conference: 12th and 13th November 2015


Call for papers and tutorials
=

Topics

You are using LDAP in interesting projects?
You do LDAP client or server development?
You have used LDAP in a new way?
You do identity and access management on top of LDAP?

Why not share your ideas and experiences with others?

We are looking for speakers who are willing to talk about any topic
related to LDAP and identity management, including:

LDAP technology implementation (Servers, API, User interfaces etc.)
LDAP Usage (Schema, Security, Operations, Scaling, big data, etc.)
LDAP related technologies (PKI, XACML, SAML, etc.)
LDAP and Beyond (IAM, Identity Federation, Authentication on the web, etc.)
Best Practices for directory services.

Accepted talks will be grouped into tracks such as a
standards/development and deployment/administration.


Deadlines  Important Dates

Submission Deadline: 28th June
Author Notification: 10th July
Final Papers due: 10th October 2015
Tutorials: 11th November 2015
Conference: 12th-13th November 2015


Talk Submissions

Main presentations should last about 45 minutes including discussion;
we will also provide smaller slots of 15 minutes and 5 minutes for
poster presentations or lightning talks. Please tell us which duration
you prefer when proposing your talk. The talk must be in English.

The one and only way to submit your abstract (approximately 200-800 words,
accompanied by your biography of about 100-300 words) is via email to
submissions2...@lists.ldapcon.org. Abstracts must reach the Program Committee
by 28th June 2015. Early submission is encouraged. We already have several 
papers.

All abstracts will be reviewed by the program committee.

For accepted talks we expect you to submit slides and/or a paper
of approximately 2-10 pages (A4 or US Letter format, 25mm borders,
preferably LaTeX source or OpenOffice).

For 5-minute talks, a brief abstract is required. A short paper, slides or
a poster should be provided for accepted talks. We will provide display
boards for posters throughout the conference.

By submitting a paper you grant the conference organizers the
non-exclusive right to publish your paper in the conference proceedings
and on the website; you maintain the right to publish it elsewhere at
your discretion.


Tutorial Submissions

We are looking for high-quality tutorials on LDAP and related subjects,
at any level from introductory to advanced. Tutorial length can range from an
hour to a full day. Wireless Internet access will be available if required.
The purpose of the tutorials is focussed education, so they should cover
established topics and best practice rather than presenting new work.

Tutorials will be on Wednesday 11th November 2015.

The Programme Committee has an open mind about the format of the tutorial
day, but has a limited number of rooms available. Make your proposal early
and we will aim to build an attractive programme for the day.


Expenses

Speakers get free access to the conference, including the social event.

If requested in advance we will provide accommodation for speakers.

Travel expenses might also be covered in special cases.
If you need this, please contact us early so we can try to arrange it.


Website

http://ldapcon.org/2015/


Contacts

General enquiries: enquir...@lists.ldapcon.org
Paper/Tutorial submissions:submissions2...@lists.ldapcon.org



-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: i am new to ldap plz help i have provided ldif file and simple authentication code

[Andrew Findlay]

On Wed, Feb 11, 2015 at 11:19:40AM +0530, Bharath K wrote:

 this is my java code where i can get output for none authentication when i
 use simple authentication its not working...

     env.put(Context.SECURITY_AUTHENTICATION, simple);
     env.put(Context.SECURITY_PRINCIPAL, cn=Manager, 
 ou=People,dc=example,dc=com);

That DN is not in the LDIF data that you posted.
It might be set as the rootDN for the database, but we need to see the
OpenLDAP configuration to know whether it is right (either the
slapd.conf file or an LDIF dump of everything under cn=config
depending on which config system you are using).

     env.put(Context.SECURITY_CREDENTIALS, ldap123);
  //   env.put(Context.SECURITY_CREDENTIALS, 
 {SSHA}rZe5WkunQdmRkyCcEHu9g6VsqRecnzIa);

Note that you must send the plain-text password. The SSHA hash is only
used in server config or in LDAP entries.

 this is my LDIF file

 # nagios, People, example.com
 dn: uid=nagios,ou=People,dc=example,dc=com
 objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: shadowAccount
 uid: nagios
 sn: nagios
 givenName: nagios
 cn: nagios
 displayName: nagios
 uidNumber: 500
 gidNumber: 500
 userPassword:: secret

If you want to set the password to 'secret' then you should only have
one colon:

userPassword: secret

Using :: means that the data is Base-64 encoded.

Please post the OpenLDAP configuration so that we can check the DNs
and passwords.

Please also reload the data with the correct userPassword values and try:

     env.put(Context.SECURITY_PRINCIPAL, 
uid=nagios,ou=People,dc=example,dc=com);
     env.put(Context.SECURITY_CREDENTIALS, secret);

VERY IMPORTANT: please post the actual data and the real passwords
that you are using to test with. If they are really secret, then
change them to something trivial BEFORE doing the tests.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: plz provide me any simple authentication code in ldap

[Andrew Findlay]

On Fri, Feb 06, 2015 at 10:42:45AM +0530, Bharath K wrote:

 To: Andrew Findlay andrew.find...@skills-1st.co.uk

Please keep your replies on-list so that others with similar problems
can learn from the archive.

 Subject: Re: plz provide me any simple authentication code in ldap
 
 i configured openldap and i added user in ldif file,,without authentication 
 its
 working.. when i use simple authenticaion its not working its showing as
 invalid credentials so what might be the problem??..

I expect the credentials that you are presenting to the LDAP server are
invalid (the DN or the password is wrong or is missing).

If you want help you need to supply more information.
Your code does not include the DN and password that you are trying to
use, and you have not supplied any information about the entry that
you are trying to bind as. You need to tell us or we cannot help you.

When you run this program, what do you put on the command line?

Did you turn up the logging as I suggested? What is in the log?

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Openldap migration from 2.4.11 to 2.4.40 for 4-way multimaster servers

[Andrew Findlay]

On Wed, Feb 04, 2015 at 08:56:08AM +, Gary Ho wrote:

 What's the proper procedure of migrating the data from servers A,B,C,D to
 W,X,Y,Z ?
 
 My procedure is as follows :
 - Export data from server A using slapcat command.
 - Delete the first 6 lines of the ldif files (the lines contains the
 contextCSN).
 - Shutdown the process slapd in servers W,X,Y,Z and remove all the openldap
 data files under /usr/local/var/openldap-data.
 - Import the ldif files to server W, then start the slapd process in server W.
 - Export the ldif files from server W.
 - Import the ldif files to server X,Y,Z respectively.
 - Start the slapd process in X,Y,Z.

I don't think it needs to be that complex. I would do something more like this:

- Shutdown the process slapd in servers W,X,Y,Z and remove all the openldap
data files under /usr/local/var/openldap-data.
- Export data from server A using slapcat command.
- Import the data to each of the new servers, taking care to use the -w
flag on slapadd.
- Start the slapd process in W,X,Y,Z.

Another option is to add the new servers one at a time to the existing topology
(which would still involve export and import of LDIF if there is a significant
amount of data). You could then migrate the clients gradually and eventually
remove the old servers. This would achieve transition without a break in 
service.

 What I observe is that all four servers then has 100% CPU and never drop back
 to idle ?

I have seen something like that before where the new servers were trying
to fetch all entries from all other servers. They were spinning on locks
as each syncrepl consumer thread was trying to write the same set of
entries. Importing with the -w flag should reduce the risk of that.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: plz provide me any simple authentication code in ldap

[Andrew Findlay]

On Thu, Feb 05, 2015 at 09:56:19AM +0530, Bharath K wrote:

 Subject: plz provide me any simple authentication code in ldap

 below is my codeby executing this i am getting as error as invalid
 credentials

This is apparently the same question that you asked on 23rd January,
but this time you have provided even less information. It does not appear to be
an OpenLDAP question at all: more of a Java programming question so maybe there
is a better list to ask.

I am not a Java programmer so I cannot help much with the code.
All I can suggest is that if you are using an OpenLDAP server you should turn up
the logging to include at least 'stats' and 'stats2' and post the log entries
that appear when you run your program. You will also need to post the entry that
you are trying to bind as.

Logging is controlled by the global option 'loglevel' if you are using 
file-based
config, and by the olcLogLevel attribute of cn=config if you are using 
slapd-config.

File based:

loglevel stats stats2

or in LDIF:

dn: cn=config
...
olcLogLevel: stats stats2

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: bind UID in DN instead of CN

[Andrew Findlay]

On Fri, Jan 30, 2015 at 06:36:29PM +0100, Dennis wrote:

 This fails because it tries to accomplish this by using
 dn=uid=..., but as shown in phpldapadmin the dn is cn=Test
 Testuser,ou=users,dc=dmp,dc=...
 Therefore the distinguished name for
 dn=uid=...,ou=users,dc=dmp,dc=... doesn't exist (the user has a
 uid of course).
 Therefore my question is, is there a possibility to change / to
 configure openldap to use / allow the uid instead of the cn?

You can use any locally-unique attribute value in a DN, but each entry can only
have one DN. So: you can change your DIT design to use
uid=...,ou=users,dc=dmp,dc=... if you want to, but then anything that is
assuming the existing DN structure wil break!

In this case I would say that your management application is at fault.
It should not be assuming that it can make a DN by tacking the UID value onto a
fixed suffix. If all it knows is the UID then it should first search for the
entry using the UID in the search filter. The search result will include the DN
of any entry that is found, so it is then easy to work on that entry.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Large Number of Transactions x Low performance

[Andrew Findlay]

On Thu, Jan 29, 2015 at 07:49:29PM +, Alessandro Lasmar Mourao wrote:

 I work in a company that has 140,000 registered users in OpenLDAP. This 
 OpenLDAP is used for authentication of our internal systems. In our tree of 
 groups we have the systems and below the each system there are the groups' 
 authorization (systems profiles). The user is bound in each group according 
 to position, function and department in the company.
 When a user replaces another user hierarchically higher, this user is taken 
 from the respective group (that he belonged) and registered in user_group 
 with the highest hierarchy.
 This movement in the company is very common, and this is the cause of our 
 problems.
 We have a group with 50,000 registered users, and when we need to delete a 
 user of that group or add a new one, OpenLADP takes up to 6 minute to effect 
 the transaction.

Assuming that these groups are the conventional 'single entry with many values 
of
the member attribute' type, you should turn on the 'sortvals' global option:

   sortvals attr [...]
  Specify a list of multi-valued attributes whose values will
  always be maintained in sorted  order.  Using  this  option
  will allow Modify, Compare, and filter evaluations on these
  attributes to be performed more efficiently. The  resulting
  sort  order  depends on the attributes' syntax and matching
  rules and may not correspond to lexical order or any  other
  recognizable order.

I cannot offhand remember whether you need to re-load the data for that to take 
effect.

 We have a tool (BMC Identity Management (formerly Control-SA)) that automates 
 the transactions, but due to delay in the transactions are with a row of 
 100,000 operations of insert / delete to perform.

Check how it modifies the groups. If it rewrites the whole set of
'member' attributes each time then you are forcing the server to
re-index every value. The efficient way to do this is to specify
the value that you want to remove or the one you want to add. It should
be very quick.

Also look at your replication setup. With this sort of data you really
do need delta mode.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

LDAPCon 2015 Call for Papers

[Andrew Findlay]

LDAPCon 2015


The fifth International Conference on LDAP and Directory Services will be
held in the UK at the University of Edinburgh School of Informatics Forum.

Tutorials: 11th November 2015
Conference: 12th and 13th November 2015


Call for papers and tutorials
=

Topics

You are using LDAP in interesting projects?
You do LDAP client or server development?
You have used LDAP in a new way?
You do identity and access management on top of LDAP?

Why not share your ideas and experiences with others?

We are looking for speakers who are willing to talk about any topic
related to LDAP and identity management, including:

LDAP technology implementation (Servers, API, User interfaces etc.)
LDAP Usage (Schema, Security, Operations, Scaling, big data, etc.)
LDAP related technologies (PKI, XACML, SAML, etc.)
LDAP and Beyond (IAM, Identity Federation, Authentication on the web, etc.)
Best Practices for directory services.

Accepted talks will be grouped into tracks such as a
standards/development and deployment/administration.


Deadlines  Important Dates

Submission Deadline: 28th June
Author Notification: 10th July
Final Papers due: 10th October 2015
Tutorials: 11th November 2015
Conference: 12th-13th November 2015


Talk Submissions

Main presentations should last about 45 minutes including discussion;
we will also provide smaller slots of 15 minutes and 5 minutes for
poster presentations or lightning talks. Please tell us which duration
you prefer when proposing your talk. The talk must be in English.

The one and only way to submit your abstract (approximately 200-800 words,
accompanied by your biography of about 100-300 words) is via email to
submissi...@lists.ldapcon.org. Abstracts must reach the Program Committee
by 28th June 2015. Early submission is encouraged.

All abstracts will be reviewed by the program committee.

For accepted talks we expect you to submit slides and/or a paper
of approximately 2-10 pages (A4 or US Letter format, 25mm borders,
preferably LaTeX source or OpenOffice).

For 5-minute talks, a brief abstract is required. A short paper, slides or
a poster should be provided for accepted talks. We will provide display
boards for posters throughout the conference.

By submitting a paper you grant the conference organizers the
non-exclusive right to publish your paper in the conference proceedings
and on the website; you maintain the right to publish it elsewhere at
your discretion.


Tutorial Submissions

We are looking for high-quality tutorials on LDAP and related subjects,
at any level from introductory to advanced. Tutorial length can range from an
hour to a full day. Wireless Internet access will be available if required.
The purpose of the tutorials is focussed education, so they should cover
established topics and best practice rather than presenting new work.

Tutorials will be on Wednesday 11th November 2015.

The Programme Committee has an open mind about the format of the tutorial
day, but has a limited number of rooms available. Make your proposal early
and we will aim to build an attractive programme for the day.


Expenses

Speakers get free access to the conference, including the social event.

If requested in advance we will provide accommodation for speakers.

Travel expenses might also be covered in special cases.
If you need this, please contact us early so we can try to arrange it.


Website

http://ldapcon.org/2015/


Contacts

General enquiries: enquir...@lists.ldapcon.org
Paper/Tutorial submissions:submissi...@lists.ldapcon.org



-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Antw: Re: OpenLDAP Replication Issue

[Andrew Findlay]

On Fri, Jan 23, 2015 at 04:10:47PM +0100, Ulrich Windl wrote:

  The answer is the same: you must start by updating to a current version of
  the OpenLDAP server. There are a lot of bugfixes so this will probably 
  solve 
  your problem.
 
 I have a logic problem with this: If the update will only probably solve 
 the problem, why must he update? ;-)

Because until he does, people on this list will assume that the
problem is due to a bug that has already been fixed.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: I am new to ldap and i dont know much about ldap simple authentication could you plz help me and give some suggestions......and below is the simple code which i tried and ther is also uid test 12

[Andrew Findlay]

On Fri, Jan 23, 2015 at 10:32:18AM +0530, Bharath K wrote:

 Subject: I am new to ldap and i dont know much about ldap simple
  authentication could you plz help me and give some suggestions..and
  below is the simple code which i tried and ther is also uid test 12 which
  i want to authenticate

It is best to put your question in the body of the message rather than all in 
the
subject line.

     env.put(Context.SECURITY_PRINCIPAL,args[0]);
     env.put(Context.SECURITY_CREDENTIALS,args[1]);

What values did you supply for these?
What happened?
What did you expect to happen?

 dn: uid=nagios,ou=People,dc=example,dc=com
 ...
 userPassword::

 dn: uid=test1,ou=People,dc=example,dc=com
 ...
 userPassword::
 
 dn: uid=test2,ou=People,dc=example,dc=com
 ...
 userPassword::

All three accounts appear to have blank passwords. LDAP servers will
not normally allow authentication with a blank password. For testing,
you can easily add passwords like this:

userPassword: secret

Note the single ':' character. If you use '::' then the data is expected
to be in Base 64.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: OpenLDAP Replication Issue

[Andrew Findlay]

On Thu, Jan 22, 2015 at 03:49:52PM +0100, sofien BLOUZA wrote:

 I have the same problem, I'm running on OpenLDAP  2.4.39-8.el6.
 Sometimes the ldap server is blocked ?
 Can you help me i have the same ldap replication topology 

The answer is the same: you must start by updating to a current version of
the OpenLDAP server. There are a lot of bugfixes so this will probably solve 
your
problem.

You can build from source:

 http://www.openldap.org/software/download/

Or you can use the LTB RPMs:

   http://ltb-project.org/wiki/documentation/openldap-rpm

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: OpenLDAP Replication Issue

[Andrew Findlay]

On Wed, Jan 21, 2015 at 01:30:51PM -0800, Tony S. Wu wrote:

 We have 5 servers running OpenLDAP, 001 - 005. Server is CentOS 6.4, LDAP
 version is openldap-servers-2.4.23-32.el6_4.1.x86_64, current replication

2.4.23 is a very old version - released 2010/06/30. There have been about 750
updates to the code-base since then:
http://www.openldap.org/software/release/changes.html

It is very unlikely that RedHat have incorporated all those fixes into their
distro, so you will not get much help here if you continue to use their version.

Your first move should be to build OpenLDAP from current source:
http://www.openldap.org/software/download/

You can easily set it to install in /usr/local or some other place of your 
choice
to avoid over-writing the RedHat version so that you can run tests and still be
able to revert if you need to.

I would advise that you use a new location to store the database, and that you
load it from LDIF using slapadd. Don't try to use new code with the existing
database (though it may well work as the version is similar enough).

Building from current source gives you the opportunity to switch to LMDB so you
don't even need to link the Berkeley DB libraries. LMDB (database mdb) is highly
recommended.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: LDAP Search with non-existent attributes

[Andrew Findlay]

On Fri, Jan 16, 2015 at 03:34:11PM +0100, Dirk-Willem van Gulik wrote:

 W’re comparing various LDAP server setups; and we are wondering what the 
 ‘correct’ search result is for a search which is done such as
  
 '(|(|(|(givenname=fred*)(sn=fred*)(mail=fred*)(cn=fred*)

You have a mismatch of parentheses there. The filter should be:

  (|(givenname=fred*)(sn=fred*)(mail=fred*)(cn=fred*))

[ Note that one '|' can be followed by a list of one or more filters - it is
not a dyadic operator - see RFC4515 section 3 ]

Where are the 'non-existent attributes'? All of those listed in the search
filter are in the standard schema. Your sample entry below may not have values
for all of them, but as the sub-filters are combined with OR that would not
matter. Providing an attribute-value assertion containing an outlandish
attribute name just might provoke a different response, but the standard
says that such elements in a filter should evaluate to UNDEFINED and the OR
operator would then treat the element as FALSE.

 in a situation where we have records which do not have a certain attribute 
 (e.g. no givenname or cn) — e.g. a record as light weight as:
 
   dn: uid= 1234
   objectClass: person
   uid: 1234
   sn: fred fred
   telephoneNumber: 1234

That would not be a valid entry as objectClass person requires both cn and sn.
It *might* be a valid answer to a search - e.g. if access-control prevented
disclosure of cn.

 As we notice that some servers will return this given above query; and some 
 do not. 

In principle the entry matches the filter so it should be returned.

However, the '|' (OR) operator poses a significant problem for a server,
particularly where there are a lot of entries and one or more of the attributes
in the search string are not indexed. This can force the server to inspect
every entry in its database individually which is a lot of work, so servers may
refuse to do it. For some servers, an attribute type is treated as 'not 
indexed' if
there are no entries with a value for that attribute type, even if indexing is
enabled. [ I think OpenLDAP used to do this but I have not checked recently ]

The actual result that you would get from the server in this case depends to
some extent on the security stance of the developers and of the manager of the
server instance. I can see valid arguments for several results:

adminLimitExceeded
busy
unwillingToPerform
success - along with zero or more entries

 And I cannot find the exact spot in the RFC where the 
‘correct’ behaviour is 
 mentioned.

RFC4511, 4.5.1.7. SearchRequest.filter

 As we notice that some servers will return this given above query; and some 
 do not. 

It would be interesting to have more detail on exactly what you did and what
results you found.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: back-sql deployment woes

[Andrew Findlay]

On Wed, Jan 07, 2015 at 09:59:28AM +0100, Dieter Klünter wrote:

 You may use back-sql as a read only subordinate database, but
 performance is limited to the sql engine. Be aware that your
 are on your own risk.

Another option would be to use back-sock and write a separate server process to
translate between the back-sock protocol (extended LDIF) and SQL.
You should get better performance (if your server programming is good)
and if something goes wrong there is less code to debug: back-sock has under
1500 lines of C, where back-sql has over 11000...

There are still many caveats though: limited ACLs, fundamental mismatch in data
model, poor performance and resource usage when compared with back-mdb etc...

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Can't contact LDAP server (-1) additional info: error:14077410:SSL routines :SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

[Andrew Findlay]

On Sat, Nov 22, 2014 at 01:18:18PM +0100, Ferenc Wagner wrote:

 Date: Sat, 22 Nov 2014 13:18:18 +0100
 From: Ferenc Wagner wf...@niif.hu
 To: wailok tam wailok...@yahoo.com
 Cc: openldap-technical@openldap.org
 Subject: Re: Can't contact LDAP server (-1) additional info:
  error:14077410:SSL routines :SSL23_GET_SERVER_HELLO:sslv3 alert handshake
  failure
 Sender: openldap-technical openldap-technical-boun...@openldap.org
 
 wailok tam wailok...@yahoo.com writes:
 
  ldapmodify -x -W -D 'cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp'
  Enter LDAP Password:
  ldap_bind: Can't contact LDAP server (-1) additional info: 
  error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake 
  failure
 
 Maybe you want to use SSLv3, and the server does not support it?

I suspect that the ldap.conf file has a URL of the form ldaps://server
but the config fragment we saw did not have any TLS config so ldaps: will
not work.

Quick test:

ldapmodify -x -h ldap://server/ -W -D 
'cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp'

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: slapd read_config / interface bind errors

[Andrew Findlay]

On Wed, Nov 19, 2014 at 04:09:32PM -0500, Jason Swank wrote:

 What about the interface bind conflict when ldap:// is specified?  Is
 that expected behavior?

Yes. ldap:/// binds to port 389 on *all* IPv4 and IPv6 interfaces.
If you also have ldap://hostname/ then you are trying to bind at least
one of those interfaces twice.

Note also that you should be using fully-qualified domain names everywhere.
Simple hostnames will not work properly with TLS.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: debugging OpenLDAP client

[Andrew Findlay]

On Tue, Nov 18, 2014 at 06:59:12PM +0200, Igor Shmukler wrote:

 Well, I raised this subject stating that -1 does not do what I need.

-1 prints everything that OpenLDAP has got, so you need to look elsewhere
if that is not enough..

I suggest Wireshark: either use it directly to capture network traffic
or run tcpdump on the LDAP server or client machine and transfer the dump
file to your desktop machine for analysis. If the server or client machine
has a graphical display then you can do the whole job directly with Wireshark.

Here is an invocation of tcpdump to do the capture:

tcpdump -i eno1 -w /tmp/traffic host myclient.example.com and port 389

eno1 is the name of the network interface
/tmp/traffic is the dump file
myclient.example.com is the name of the server if this is run on the client host
or the name of the client if run on the server

Set that running and have your client code do its stuff.
Break into tcpdump with control-C
Copy /tmp/traffic to your desktop if necessary
Open /tmp/traffic in Wireshark.

You can expand the various protocol levels to get nore detail.
If you drill down into the LDAP layer you will see the search request
and if you drill further you will see the paged results control,
cookies etc.

Note that you will have to turn off encryption (SSL/TLS) on the LDAP
session if you are using it (which you should be when you go into production).

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: any help on ldap_sasl_bind_s failed (53)

[Andrew Findlay]

On Wed, Nov 19, 2014 at 07:38:02AM +, wailok tam wrote:

 Subject: any help on ldap_sasl_bind_s failed (53)

 but I am getting the error given in the title when I start the slave with
 splad -d sync . Replication does 
 not work. 

 sladp.conf of the slave:

 syncrepl rid=001   
 provider=ldap://mail.ier.hit-u.ac.jp  
 type=refreshAndPersist
 interval=00:00:05:00
 searchbase=dc=ier,dc=hit-u,dc=ac,dc=jp  
 binddn=uid=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp
 bindmethod=simple
 #bindmethod=sasl saslmech=DIGEST-MD5
 #authcid=replicator 
 credentials=secretofreplicator

The two comment lines are likely to be the problem. the manpage for
slapd.conf says:

   If a line begins with white space, it is considered a continuation
   of the previous line.  No physical line should be over 2000
   bytes long.

   Blank lines and comment lines beginning with a `#' character are
   ignored.  Note: continuation lines are unwrapped before comment
   processing is applied.

That says to me that comments inside an indented block are to be avoided.

As an aside, you may not want to use DIGEST-MD5 anyway, as it requires
the server to store the password in cleartext rather than hashed.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: adding VLV support to OpenLDAP 2.4.31

[Andrew Findlay]

On Wed, Nov 12, 2014 at 01:02:36AM +0200, Igor Shmukler wrote:

 Interestingly, lsof does have the following entry:
 slapd   13310 openldap  memREG  202,126872 409681
 /usr/lib/ldap/sssvlv-2.4.so.2.8.3
 
 Hence, it seems that sssvlv is loaded. At the same time, ldapsearch is
 telling me VLV control requires server side sort control

It would appear that the sssvlv *module* has loaded, but you still have to 
apply the overlay to the database that you want it to work on.

 Does this mean like Quanah said that my OpenLDAP from Ubuntu server is broken?

Not necessarily. Many people on this list dislike the way that some
of the major Linux distros build OpenLDAP and the old versions of
OpenLDAP that they use, so the default setup tends to get described as
'broken'. Quanah was also referring to the fact that you had hand-edited
a file under /etc/ldap/slapd.d/cn=config - that is a very risky thing
to do and you may have caused problems that way.

In this case I think it more likely that you just need to add the overlay
to the database.

On Wed, Nov 12, 2014 at 08:38:14AM +, Chris Card wrote:

 Date: Wed, 12 Nov 2014 08:38:14 +
 From: Chris Card ctc...@hotmail.com
 
 dn: olcOverlay=sssvlv,olcDatabase={1}bdb,cn=config
 objectClass: olcSssVlvConfig
 olcOverlay: sssvlv
 olcSssVlvMax: 10
 olcSssVlvMaxKeys: 5
 
 something like 
 
 ldapadd -x -w password -D cn=config -f ldif file

As Chris says, ldapadd (or slapadd if the server is down) is the right
way to modify a config of this type. The exact LDIF required will
depend on your database setup: Chris has assumed that you want the
overlay on the first non-config database and that it is a bdb.
If your setup is different then the DN will have to change.

Note also that bdb is deprecated. If you continue to use the binaries
shipped with Ubuntu then you should at least consider swapping to hdb.
Ideally you should build the latest OpenLDAP from source and use mdb.
Changing to a different database type requires dumping all data to LDIF
text files and re-loading it in the new database, so this is not something
to be undertaken until you are more familiar with OpenLDAP.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: adding VLV support to OpenLDAP 2.4.31

[Andrew Findlay]

On Wed, Nov 12, 2014 at 12:41:46PM +0200, Igor Shmukler wrote:

 I am also curious about another part of the olcDatabase parameter.
 How do I know whether to use bdb or hdb? I don't care either way of
 course. I just need my test server to work, so I could proceed with my
 main duty - programming.

For a test server it probably does not matter which database you use
unless you need to load large amounts of data, or do unusual things
like rename whole subtrees (bdb cannot do that).

For a production server using current OpenLDAP code, mdb is the first
choice. If you are forced to use older software then hdb may be safer.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: export directory in LDIF format

[Andrew Findlay]

On Tue, Nov 11, 2014 at 07:46:19AM -0500, Jerry wrote:

 This is the actual code I am using in CRON:
 
 nice /usr/local/sbin/slapcat -f /usr/local/etc/openldap/slapd.conf -b 
 dc=MyDomain,dc=net  -l usr/home/gerard/LDAP_Backup/MyDomain.net.ldif

Try running it under 'strace' so you can see what file it really tried to open. 
e.g.

strace -o /tmp/slapcat-trace.`date +%Y%m%d%H%M` /usr/local/sbin/slapcat -f 
/usr/local/etc/openldap/slapd.conf -b dc=MyDomain,dc=net  -l 
usr/home/gerard/LDAP_Backup/MyDomain.net.ldif

 Originally, I had created a Bash script and had CRON call that script; 
 however, when things were not working as planned, I thought that might be the 
 problem. However, it does not appear to be so.
 
 Any ideas what I could be doing wrong? Remember, this only happens when there 
 has been several hours of inactivity; otherwise it works fine.

Do any of the paths involved in the config go through NFS or automount points?

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: adding VLV support to OpenLDAP 2.4.31

[Andrew Findlay]

On Tue, Nov 11, 2014 at 11:48:59PM +0200, Igor Shmukler wrote:

 Thank you for your answer. I spent quite a lot of time reading various
 man pages including the one for slaps.conf(5), of course.
 As I mentioned, there is no slapd-config on my system. [How] is it
 possible that system is configured cn=config without it?

slapd-config is a manual page, not an executable.

man slapd-config
Describes the LDAP/LDIF configuration method

man slapd.conf
Describes the flat text-file configuration method

Both methods configure the same things, so those pages are quite
similar. The keywords / attribute names are different though, so
make sure you read the right one for the method you are using.

 Is there a way to determine whether slapd.conf is used and where the
 daemon is trying to find it, short of doing a system call trace?

Use 'ps ax | grep slap' to see whether there are any command-line options
applied to the slapd process. If there are, look them up in 'man slapd'
taking particular note of the -f and -F options. If those options are not
present then the daemon will use the default config database (see slapd-config
above) or, failing that, will use the default config file (see slapd.conf
above).

Each of those manual pages starts with a note of exactly where the
default database or config file will be found on your system.

 Also, is there a command to list loadable modules in use?

'lsof -p slapd PID' perhaps :-)

Modules can be backends or overlays. I cannot think of a single command
that finds all loaded slapd modules. You can find what backends and
overlays are available/active by browsing under cn=monitor. Similarly
you could search under cn=config to find what the config says *should*
be loaded.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: LDAP Crafted Search Request Access Allowed

[Andrew Findlay]

On Thu, Oct 30, 2014 at 09:54:57AM -0300, Net Warrior wrote:

 I suspect that you do not want that. It would force every client to
 have a client-side X.509 certificate. Good for secure authentication,
 but more effort to manage than most people are prepared to handle.
 
 Is it because of the certificte expiration or something like that tha's hard 
 to
 mantain?

Yes. It is worth considering though, provided you have a well-organised
system for distributing and installing new client-side certificates.
You will also need to make sure that the admin tools you use can work with
client-side certs.

 That is because you tried to add it to a database but it is a global option.
 I added to the global section cn=config and do not see it.

Odd. If you use ldapadd to do this then it should either work or return an 
error code.

 Are you really using the BDB database? It has been deprecated for some time
 now.
 I would suggest using MDB
 
 Yes my bad, after I went to production, I was told that backend was
 deprecated,  is there any doc related to migrate from one backend to another 
 or
 should I reconfigure the whole database from scratch ?

The safest approach is to slapcat each of your databases into LDIF files
then configure new MDB databases and slapadd the data. You will find
that loading MDB with slapadd -q is extremely fast.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: LDAP Crafted Search Request Access Allowed

[Andrew Findlay]

On Thu, Oct 30, 2014 at 08:11:31AM -0300, Net Warrior wrote:

 1 ) Added tls_reqcert demand to the client side
 2 ) Configured a user to bind instead of anonymous
  binddn cn=ldapuser,Ou=Users,dc=server,dc=com
  bindpwd  :$6$oZ8qYohy$lU0sYJXInOO1ISO4WKgzeuDyyFh9a

Good.

 3 ) Added olcTLSVerifyClient:demand to server side:

I suspect that you do not want that. It would force every client to
have a client-side X.509 certificate. Good for secure authentication,
but more effort to manage than most people are prepared to handle.

 Object added to server:
 
 dn: olcDatabase={2}bdb,cn=config
 changetype:modify
 add: olcTLSVerifyClient:demand
 
 Still I did not corrected my ACL but I do not see olcTLSVerifyClient:demand
 reflected on my configuration

That is because you tried to add it to a database but it is a global option.


Are you really using the BDB database? It has been deprecated for some time now.
I would suggest using MDB.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: LDAP Crafted Search Request Access Allowed

[Andrew Findlay]

On Wed, Oct 29, 2014 at 08:19:03AM -0300, Net Warrior wrote:

 200 Servers and 20 users

OK - that means that you will not have problems with the default
limits on result-set size (500 entries).

 I hope you don't really bind with the ROOTDN account!
 NO!  and I have a user to test the configuration but I do not use it  to bind
 purposes, but I could if I knew how to configure it.

As you have quite a lot of servers and a policy of hiding all data
from anonymous users, I would suggest having more than one LDAP-client
account. Either create one per client server, or one per group of similar
servers.

I would suggest putting the client accounts in a dedicated part of the
LDAP tree, so it might look like this:

ou=Users,dc=server,dc=com   POSIX user accounts
ou=Groups,dc=server,dc=com  POSIX groups
ou=Clients,dc=server,dc=com Client machine accounts

You need to get all your client machines to bind with their account DN
and password before you start changing ACLs. Config file entries will look
something like this:

binddn  cn=server1,ou=Clients,dc=server,dc=com
bindpw  SomeLongAndSecurePassword

 You should also add:
 tls_reqcert demand
 and you may want to consider restricting the connection to high-grade ciphers
 e.g.:
 tls_ciphers HIGH:MEDIUM:@STRENGTH
 
 Both, client and server side right?

Yes, but the keyword for slapd.conf is TLSCipherSuite
and for ldap.conf it is TLS_CIPHER_SUITE

Once you have *all* the clients using TLS and binding with their client
account and password, you can start on ACLs. If your logging includes
the 'stats' category (256) you will be able to see TLS setup and bind
in the logs, e.g.:

Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 fd=26 ACCEPT from 
IP=[::1]:43386 (IP=[::]:389)
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 EXT 
oid=1.3.6.1.4.1.1466.20037
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 STARTTLS
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=0 RESULT oid= err=0 text=
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 fd=26 TLS established 
tls_ssf=128 ssf=128
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 BIND 
dn=cn=client234,ou=Clients,dc=server,dc=com method=128
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 BIND 
dn=cn=client234,ou=Clients,dc=server,dc=com mech=SIMPLE ssf=0
Oct 28 18:25:38 ldapserver slapd[4846]: conn=1009 op=1 RESULT tag=97 err=0 text=

After all that, the ACLs turn out to be really simple! Something like this
will probably be close to what you need for the main database:

access to attrs=userPassword
by self =w
by * auth

access to * by users read

access to * by * none

If you have a replica server then you will need to add an ACL giving read access
to all attributes. This should go right at the top of the list, and will look 
something
like this:

access to * by dn.exact=cn=replicator,ou=Clients,dc=server,dc=com read

If you are using the Monitor database then you should probably protect it like 
this:

access to dn.subtree=cn=Monitor
by users read
by * none

And to make sure that critical stuff like the root DSE and the schema can be
read by everyone, add this to the global section of the config:

access to * by * read


Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: LDAP Crafted Search Request Access Allowed

[Andrew Findlay]

On Mon, Oct 27, 2014 at 03:43:03PM -0300, Net Warrior wrote:

 Based on the the  ACL's I posted from my configuration, what else can you
 recommend to include, tweak or modify?

As both Michael and Dieter have said, this is very dependent on your
site's requirements and policy. You need to work out what those are.
If you can answer these questions, we might be able to help you some more:

1)  Should an anonymous user be able to get any data at all?
(Ignore the root entry: we are talking about the subtree
under dc=domain,dc=com here)

2)  What classes of user should have access to the data?
Examples might be:

LDAP administrator
Web applications
Desktop addressbook users
Webmail users
Directory synchronisation processes

3)  For each of the above, what data (entries and attributes)
do they need?

4)  How will the users authenticate to the LDAP service?
i.e. Will the user DNs and passwords be configured into 
the applications, or is the human user expected to supply
a username and password each time?

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: LDAP Crafted Search Request Access Allowed

[Andrew Findlay]

On Tue, Oct 28, 2014 at 11:03:44AM -0300, Net Warrior wrote:

 1 - Well, users only authenticate their passwords, nothing else, on the client
 side to login to the server, so I guess anon logins should not be allowed.

So is the LDAP service just used to provide passwd and group databases
for Unix-like systems, and not for any other purpose?

 2 - I use the Manager account to login to the phplpdapadmin console or apache
 directory studio.

If my guess above is right then you have missed a very important class
of LDAP user. Every Unix-like server must access LDAP data.
Do your Unix/Linux systems bind to LDAP with specific DNs?
(This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
/etc/sssd.conf etc...)

 3 - Password and groups and ppolicy
 4 - Using pam on the client side, a human is expected to provide username and
 password which is working along with the ppolicy, expiration time , password
 lenght and so on. I can provide how's configured if you want.

Right, so the account(s) used by the Unix-like systems must be able to search
based on username, groupname, numeric UID and numeric GID. Those accounts must
also be able to retrieve most attributes from the LDAP entries (though not
the password value).

I assume you allow users to change their own passwords. How is this handled?
Are users allowed to update any other details, or do all changes come to you?

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: LDAP Crafted Search Request Access Allowed

[Andrew Findlay]

On Tue, Oct 28, 2014 at 01:53:22PM -0300, Net Warrior wrote:

 So is the LDAP service just used to provide passwd and group databases
 for Unix-like systems, and not for any other purpose?
 
 Yes, only password auth

OK. How many systems (approximately) use this? How many users are registered,
and how many groups?

 If my guess above is right then you have missed a very important class
 of LDAP user. Every Unix-like server must access LDAP data.
 Do your Unix/Linux systems bind to LDAP with specific DNs?
 (This will be configured in files such as /etc/ldap.conf /etc/nslcd.conf
 /etc/sssd.conf etc...)
 
 Yes,
 ldap.conf client config file.
 base dc=server,dc=com
 
 # The distinguished name to bind to the server with.
 # Optional: default is to bind anonymously.
 #binddn cn=Manager,dc=example,dc=com

I hope you don't really bind with the ROOTDN account!
That would expose the most important password in your system to anyone
who managed to compromise a single server.

I would suggest creating either a single account for all client machines
of a given type, or one account per client machine. That way if one
client gets compromised you just have to change one password and don't have
to rush around fixing every other client config. Please tell us what you decide
to do here, as it affects how the ACLs might be written.

 bind_policy soft
 idle_timelimit 3600
 pam_filter objectClass=posixAccount
 pam_lookup_policy yes
 pam_check_host_attr yes
 pam_password exop
 nss_base_passwd ou=Users,dc=server,dc=com?one
 nss_base_shadow ou=Users,dc=server,dc=com?one
 nss_base_group  ou=Groups,dc=server,dc=com?one
 
 ssl start_tls
 #ssl on
 tls_cacertfile /etc/openldap/certs/cert.pem
 tls_cacertdir /etc/openldap/certs

You should also add:

tls_reqcert demand

and you may want to consider restricting the connection to high-grade ciphers 
e.g.:

tls_ciphers HIGH:MEDIUM:@STRENGTH

 I assume you allow users to change their own passwords. How is this handled?
 Are users allowed to update any other details, or do all changes come to you?
 
 yes, they can change their password based on the ppolicy and the pam module,
 other properties are changed
 by me, like phone number, photo, address and so on.

OK, and the config lines above include 'pam_password exop' so it should use
the modern mechanism.

I am signing off for the day, but you might like to read this paper
bearing in mind what we have discussed:

http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

I think we are heading for a very simple 'User read-only' policy, but there
may be other issues to consider depending on the size of your user-base.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Openldap for proxy AD

[Andrew Findlay]

On Wed, Nov 20, 2013 at 02:55:43PM -0200, Willy Ramos wrote:

 Subject: Re: Openldap for proxy AD

Have you tried following the examples in the Admin Guide?

http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

There is a detailed setup and diagnosic guide there which should help you
to isolate the problem.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: separate login/password for several services?

[Andrew Findlay]

On Fri, Sep 27, 2013 at 10:16:43PM +0200, Michael Ströder wrote:

 Did not follow this thread closely. But one should be aware of ITS#6825 when
 planning to use slapo-unique for a more complex setup.
 
 unique_uri filter reaching beyond its intended target
 http://www.openldap.org/its/index.cgi?findid=6825

Good point. We started with these ACLs:

  overlay unique
  unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
  unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
  unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
  unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
  unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)

so that bug will prevent modifications to the authority entries even though adds
will be processed OK. I cannot think of an easy workaround in this case :-(

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: OpenLDAP duplication

[Andrew Findlay]

On Mon, Sep 30, 2013 at 01:39:03PM +0400, 25Dollar Tech wrote:

 According to my understanding, LDAP authenticates (binds) with DN (distinguish
 name) and password. E.g. CN=bob, OU=Users,DC=test,DC=com.
 
 So OpenLDAP allows the same CN in a different OU.

Yes of course - that is how LDAP and X.500 are designed.

  Is there any option to prevent it. ?

Use the 'unique' overlay:

http://www.openldap.org/doc/admin24/overlays.html#Attribute%20Uniqueness

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: separate login/password for several services?

[Andrew Findlay]

On Fri, Sep 27, 2013 at 01:23:54AM -2100, Zeus Panchenko wrote:

  overlay unique
  unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
  unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
  unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
  unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
  unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)
  
 
 this prevents each uid=X,ou=People,dc=org from having more than one
 authorizedService=Y offspring ... while the original idea is to let user
 A to have for the service B, several uid-s but to prevent other users to
 have the same uids for the corresponding service ...
 
 what I mean are multiple attributes uid/userpassword inside the
 offspring not in the `dn' of the offspring:

That can be done - it is just a matter of choosing a naming structure
that allows it.

 dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
 authorizedService: xmpp.org
 uid: john
 uid: john1
 uid: johnN
 userPassword: qwerty
 userPassword: qwerty1
 userPassword: qwertyN
 cn: john@xmpp.org
 sn: xmpp.org
 description: John Doe XMPP account at xmpp.org
 uidNumber: 12345
 gidNumber: 23456
 homeDirectory: /nonexistent
 loginShell: /sbin/nologin
 objectClass: person
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: authorizedServiceObject

That one won't work, as there is no way to link the individual uid and
userPassword values. You need one LDAP entry per uid so either add
another layer to the tree or use multi-valued RDNs. The tree version
would look like this:

dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org


dn: uid=john,authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john
userPassword: qwerty


dn: uid=john1,authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john1
userPassword: qwerty1


dn: uid=johnN,authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: johnN
userPassword: qwertyN


The multi-valued RDNs version like this:


dn: uid=john+authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john
userPassword: qwerty


dn: uid=john1+authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: john1
userPassword: qwerty1


dn: uid=johnN+authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
authorizedService: xmpp.org
uid: johnN
userPassword: qwertyN



 and in this case we need to prevent some other user from having
 offspring with the same uid ... to prevent for user 
 uid=johandoe,ou=People,dc=org offspring:
 
 dn: authorizedService=xmpp.org,uid=johandoe,ou=People,dc=org
 authorizedService: xmpp.org
 uid: johan
 uid: johan1
 userPassword: qwerty
 userPassword: qwerty1
 cn: johan@xmpp.org
 sn: xmpp.org
 description: Johan Doe XMPP account at xmpp.org
 uidNumber: 12345
 gidNumber: 23456
 homeDirectory: /nonexistent
 loginShell: /sbin/nologin
 objectClass: person
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: authorizedServiceObject
 
 possibility to add another `uid: johnN' which is already used by 
 dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org

That should already be covered by the unique overlay setup.

Incidentally, you seem to be misusung some fields in the person
object:

 cn: john@xmpp.org
 sn: xmpp.org

If you really don't want to put the real name there you should choose
a different objectclass that does not force you to fill in those
attributes.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: separate login/password for several services?

[Andrew Findlay]

On Fri, Sep 27, 2013 at 02:25:24PM +0300, Zeus Panchenko wrote:

 have I create dedicated object like:
 dn: authorizedService=YYY,uid=AAA,dc=ZZZ
 
 before configuring the service for the user like:
 dn: uid=XXX,authorizedService=YYY,uid=AAA,dc=ZZZ
 
 or the second one will be enough?

You have to create the branch points before you can add entries under
them. That is why I suggested the alternative where both the service
name and the uid are part of the RDN: such multi-valued RDNs are
unusual, but it might be a convenient structure in this case.

 as for the different classes ... I was trying to find it but faced the
 problem when the parent record, which contains 
 objectclass: posixAccount
 objectclass: inetOrgPerson
 objectclass: organizationalPerson
 objectclass: person
 objectclass: inetLocalMailRecipient
 
 was refusing the child creation until the child belongs to that set of
 classes :(

There must have been some other reason for the error. LDAP servers do
not normally restrict what type of entry you can create at a given
point in the DIT. The ACLs in force might restrict what you can do,
but you have control over those.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: separate login/password for several services?

[Andrew Findlay]

On Fri, Aug 09, 2013 at 04:17:02PM +0300, Zeus Panchenko wrote:

 the uniqueness while *creating* the dn ... since for dn-s
 
 dn: authorizedService=target-service,uid=target-user1,ou=People,dc=org
 dn: authorizedService=target-service,uid=target-user2,ou=People,dc=org
 ...
 dn: authorizedService=target-service,uid=target-userN,ou=People,dc=org
 
 I want to prevent the possibility to create the same 
 uid=john-whatever-format-it-is 

If you always put the uid in the DN using the structure shown above
then it will not be possible to create duplicates. That assumes that
you use the same uid in all the subentries of the main user entry...

 now I do can ldapadd these ldif-s successfully
 ---[ ldif ]
 dn: authorizedService=xmpp.org,uid=jdoe,ou=People,dc=org
 authorizedService: xmpp.org
 cn: john@xmpp.org
 sn: xmpp.org
 description: John Doe XMPP account at xmpp.org
 uidNumber: 12345
 gidNumber: 23456
 homeDirectory: /nonexistent
 loginShell: /sbin/nologin
 objectClass: person
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: authorizedServiceObject
 uid: john
 
 dn: authorizedService=xmpp.org,uid=jsmith,ou=People,dc=org
 authorizedService: xmpp.org
 cn: john.sm...@xmpp.org
 sn: xmpp.org
 description: John Smith XMPP account at xmpp.org
 uidNumber: 12356
 gidNumber: 23456
 homeDirectory: /nonexistent
 loginShell: /sbin/nologin
 objectClass: person
 objectClass: posixAccount
 objectClass: shadowAccount
 objectClass: authorizedServiceObject
 uid: john
 ---[ ldif ]

Both those entries have one uid in the entry and a different one in
the DN. The one in the DN refers to the parent entry in each case so
it is legal but maybe not what you want.

It may be enough for you to simply prevent the non-uniqueness. You can
do that using the 'unique' overlay:

overlay unique
unique_uri ldap:///ou=People,dc=org?uid?sub

Unfortunately this creates another problem: *every entry* must have a
different uid - probably not what you want...

It would be possible to write an access-control list using sets to
require that the two uids match. This is not quite as simple as there
are various cases to consider. Again it may be too restrictive, as
then every sub-entry would have to have the same uid as the main entry
(though the passwords could still be different).

  If each 'john' account exists in a distinct identifiable namespace then
  you could either put the name of the namespace in the account entry or
  you could use it as part of the LDAP hierachy. The application can
  then formulate a search that finds the correct entry in one operation.
 
 I was thinking to use sn: attribute since it is login dedicated dn: and
 it is no need in it

The data you are putting there is clearly *not* a surname. Don't
misuse attributes like this - it will cause trouble later. A more
appropriate attribute might be associatedDomain - you will need to add
the objectclass 'domainRelatedObject' as well.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: separate login/password for several services?

[Andrew Findlay]

On Fri, Aug 09, 2013 at 05:53:57PM +0300, Zeus Panchenko wrote:

 To: Andrew Findlay andrew.find...@skills-1st.co.uk

Please keep replies on the list so that they become searchable
and everyone can benefit.

 here is the diagram depicting what I am thinking about while talking :)
 
 https://www.dropbox.com/s/212kdpbiug9obkc/org-ldap-diagram-plane.png

 I dedicate these DN-s for services, so each such DN *can and supposed to*
 use any (in theory) uid in the entry, the user can ask for

Do you reall want every user account on every service to have a
different username? (i.e. the user cannot request to be known as
'fred' on both the SMTP service and the IMAP service?

 in particular, I do not see another way to authenticate users of
 different domains(for email)/realms(for xmpp) against the same LDAP DB

That depends on how you provide the services. If the network address
of the services used by domain-A users is different from that used by
domain-B users then the server processes will know which domain they
are serving.  If the same network address is used to serve all domains
then you do indeed require the uids to be unique across domains (but
you probably do want to let f...@x.y.com use that ID for all
services).

  It may be enough for you to simply prevent the non-uniqueness. You can
  do that using the 'unique' overlay:
 
 mmm ... will not it prevent non-uniqueness only for parent DN-s? while
 what I'm trying to ask (I'm sorry for muddled up explanation what I mean)
 about is - uniqueness for the uid *in* the entry ... so, the uniqueness
 of the attribute `uid' among all DN-s containing 
 authorizedService=target-service

You could do that if you are prepared to have one config line for each
service. Something like:

overlay unique
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: adding mail objectClass to schema

[Andrew Findlay]

On Thu, Aug 01, 2013 at 01:57:14PM -0400, Darouichi, Aziz wrote:

 dn: cn=Google,ou=Group,dc=curry,dc=edu
 objectclass: groupOfUniqueNames
 cn:
 mail:
 description:
 uniqueMember:
 uniqueMember:
  
 
 when I try to add  the file I get the following error:adding new entry 
 cn=
 Google,ou=Group,dc=curry,dc=edu
 
 ldap_add: Object class violation (65)
 
 additional info: attribute 'mail' not allowed

That is correct. The definition of groupOfUniqueNames is:

objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
SUP top STRUCTURAL
MUST ( uniqueMember $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description )
)

'mail' is not listed as an allowed attribute. If you want to add that
attribute then you also need to include a suitable auxiliary object class
that permits it. I don't think there is such a class in the standard
set, so you will have to create one of your own. That is probably a good
thing to do anyway, and you could start with a definition like this:

objectclass ( 1.2.826.0.1.3458854.666.1.1 NAME 'curryEduMailObject'
DESC 'Aux object class for curry.edu'
SUP top
AUXILIARY
MAY ( mail )
)

Your entry now has two objectclasses:

dn: cn=Google,ou=Group,dc=curry,dc=edu
objectclass: groupOfUniqueNames
objectclass: curryEduMailObject
cn:
mail:
description:
uniqueMember:
uniqueMember:

Ideally you should use an OID based on your own institution's allocation,
but that is not critical at this stage.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: separate login/password for several services?

[Andrew Findlay]

On Thu, Aug 01, 2013 at 10:41:25AM +0300, Zeus Panchenko wrote:

 I need to set separate credentials for each service I provide
 (optionally) to my users

That seems perverse - most of us work hard to *reduce* the number of
different usernames and passwords that each person has to use!

 I think of something like this:
 
 dn: uid=target-user,ou=People,dc=ibs
 userPassword: **
 ...
 authorizedService: xmpp
 authorizedService: smtp
 authorizedService: pop
 authorizedService: imap
 authorizedService: mail
 ...
 loginSMTP: mail-send-login
 passwSMTP: xxx
 loginPOP3: mail-get-login
 passwPOP3: yyy
 ...
 loginXMPP: login-xmpp
 passwXMPP: zzz

You would end up creating two new attributes for each service type,
and OpenLDAP would still not check the passwords for you in a useful way.

Better method: Create a sub-entry below the user entry for each service.
The service-specific entry can use the standard 'uid' and 'userPassword'
attributes, and you just need to make sure that each service includes the
authorizedService attribute when searching for the entry to authenticate.
Something like this:

dn: uid=target-user,ou=People,dc=ibs
uid: target-user
cn:
sn:

dn: authorizedService=smtp,uid=target-user,ou=People,dc=ibs
authorizedService: smtp
uid: mail-send-login
userPassword: **

dn: authorizedService=pop3,uid=target-user,ou=People,dc=ibs
authorizedService: pop3
uid: mail-get-login
userPassword: **

Your SMTP server would issue searches of the form:

((uid=USERNAME)(authorizedService=smtp))

Your POP3 server would issue searches of the form:

((uid=USERNAME)(authorizedService=pop3))

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: olcAccess best practices

[Andrew Findlay]

On Wed, Jul 31, 2013 at 06:11:02PM +, Jancewicz, Russell wrote:

 Should I create a single entry per account I want to give access, granting 
 all attributes they would need read/write access to with a particular filter?

No - you will end up having to change the ACLs every time you add a user.

 Or would I be better off grouping access granting to members of the groups 
 and adding individual rules for special edge cases?

Much better, but try to avoid those edge cases too!

 Or are both these ideas off base and something else would be preferred?
 
 Currently I am granting access by groups with access to collections of 
 attributes, however as I am discovering that some accounts need access to 
 those attributes with different filters my rules are continually shifting and 
  growing.

Try to cut the complexity of ACLs as far as possible. ACLs are
effectively programs and they take a lot of testing when they are
modified.

I always try to turn the day-to-day changes into group-membership changes
as then the routine mods are just 'data' rather than 'program'.

One approach you might look at is to use two layers of groups: one to
categorise users by role (printer admin, user-support, accounts) and one
to give access to specific resources (password-writer,
home-address-reader, mail-address-reader). You can then make the role
groups members of the appropriate resource groups, which is a more
understandable way to express policy than typical ACLs.

More ideas here:

http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: SSHA as default password-hash in next password change

[Andrew Findlay]

On Tue, Jun 04, 2013 at 10:49:27PM -0500, cbul...@gmail.com wrote:

 We are already using overlay and it is working perfectly.
 Your point about MD5 is great!...but we have some requirements and the
 idea is use SSHA-512 for our password.
 I read some post from Michael talking about this problem and I know that
 there is a contrib module for SSHA-512.

It all depends on what you are protecting against and what you have to
interwork with. The high-profile risk for most organisations is the
theft of large numbers of username-password pairs, so I tend to focus
on mitigating that risk.

  For an indication of the relative strengths of various hash schemes, see
  Hashcat: http://hashcat.net/oclhashcat-plus/ (table near the bottom of the
  page).

On the basis of that table, SSHA-512 will gain you about a factor of
10 protection over SSHA1. A single PC with a mid-range graphics card
can still try about 70,000,000 password guesses per second.

Remember that MD5 and the SHA series were designed to be *fast*.
This is exactly the opposite of what you want when protecting
passwords, so password hash schemes have to use delaying tactics on
top.

  If all your LDAP servers will run on Linux, Solaris, or similar OS then you
  can stay with $6$ like this:
 
  password-hash {CRYPT}
  password-crypt-salt-format $6$%.12s
 
  The result will be about 60,000 times harder to break than SSHA.

The $6$ hash uses SHA512, but does it many times. The effect is to
reduce that single PC's attack rate to nearer 12,000 guesses per
second. If your LDAP database gets compromised or someone steals your
backup tapes then that extra protection could be very valuable.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: SSHA as default password-hash in next password change

[Andrew Findlay]

On Mon, Jun 03, 2013 at 03:54:38PM -0500, cbul...@gmail.com wrote:

 We are not using any client..we are just changing the user password from
 ssh console.

If you use the passwd command, the LDAP operation used to make the change
will depend on your PAM LDAP implementation. It might be the Password
Modify extended operation (good) or it might be an ordinary LDAP Modify
operation (less good).

 We imported our /etc/passwd to openldap and our idea is when the user
 gets the next expiration time the new password be in SSHA.
 Is it possible?

To catch both cases above you will need to add an overlay to your slapd
config. First set the desired hash in the global section:

password-hash {SSHA}

Then add an overlay on top of the main database section:

overlay ppolicy
ppolicy_default cn=Password Policy,dc=dir,dc=example,dc=org
ppolicy_hash_cleartext

You should also create the password policy entry, something like this:

# Default password policy
# Applies to userPassword (2.5.4.35)
dn: cn=Password Policy,dc=dir,dc=example,dc=org
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Password Policy
description: The default password policy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE

The overall effect will be that passwords that arrive at the LDAP server in
plain text will be hashed using the SSHA scheme. Any passwords that arrived
pre-hashed (e.g. by PAM LDAP) will be stored as-is (it is not possible to
convert from one hash scheme to another).

Why are you changing from MD5 to SSHA? If it is to improve password
security you may be disappointed, depending on which MD5-based hash you
currently use. As the passwords came from an /etc/passwd file it is likely
that they use the $6$ or $2a$ hash schemes. Those are both vastly more
secure than {SSHA} against brute-force attacks. The known weaknesses in the
MD5 algorithm are much less significant than the fact that {SSHA} only runs
the algorithm *once* whereas $6$ and $2a$ are carefully designed to be slow
to calculate.

For an indication of the relative strengths of various hash schemes, see
Hashcat: http://hashcat.net/oclhashcat-plus/ (table near the bottom of the
page).

If all your LDAP servers will run on Linux, Solaris, or similar OS then you
can stay with $6$ like this:

password-hash {CRYPT}
password-crypt-salt-format $6$%.12s

The result will be about 60,000 times harder to break than SSHA.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Substring Indexes on userPassword Attribute

[Andrew Findlay]

On Tue, Jun 04, 2013 at 08:21:56AM -0500, Dan White wrote:

 You could replace the objectclasses containing userPassword, homeDirectory,
 etc, with your own custom defined schema, along with your own userPassword
 definitions.
 
 That would likely require a slapcat, edit, and slapadd of your database,
 but ultimately gives you more control of your data, and leaves you with
 portable data.

It would probably defeat the object of using LDAP too!
As far as I know, OpenLDAP will only authenticate against the
userPassword attribute (unless you write an overlay to do something
different of course).

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Substring Indexes on userPassword Attribute

[Andrew Findlay]

On Fri, May 31, 2013 at 10:13:12AM -0700, Tim Gustafson wrote:

 slapd.conf: line 82: substr index of attribute userPassword disallowed

And quite right too! You really don't want to make it any easier for an
attacker to search for weak passwords.

 Why is that?  How can I do a search that would tell me which of my
 users is using an SHA-hashed password?

You don't need to modify the Slapd setup for that: just work with an LDIF
backup of the data (e.g. from slapcat). Use grep to extract the
userPassword attributes. You will then need a script to convert the values
from Base-64 encoding to text, and a regular expression to extract the
encoding scheme from the front of the text string.

That will let you count the number of users for each scheme. (e.g. using
sort and uniq).

If you really want to know which users use which scheme then replace grep
with an LDIF parser and extract both userPassword and uid at the same time.
The LDIF parser will take care of the Base-64 for you as well.

You should be able to do the whole job in less than 20 lines of Perl or Python.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Substring Indexes on userPassword Attribute

[Andrew Findlay]

On Mon, Jun 03, 2013 at 09:53:30AM -0700, Tim Gustafson wrote:

 At the very least, this ought to be an option. I can see not making a
 search index on userPassword by default, but as a system administrator
 I ought to be able to make that decision for myself. I don't need a
 person who has absolutely no context about my situation telling me
 that I can't use my copy of the software to do something I want to do
 with my data.

I can sympathise with that, though I would point out that allowing
indexes on userPassword would make an attack through the LDAP
protocol rather easier.

 Also, why are there some other things that can't be searched via
 substring (like homeDirectory)? What if I want to know which users are
 using bash because we're thinking about upgrading it and want to
 notify those users? Or what if I want to know which users are using
 /usr/local/bin/bash instead of /bin/bash so that I can update the
 database to be consistent?

In a word, 'history'. It all comes down to the schema, and the schema
evolved over time without ever really getting cleaned up and
rationalised. Taking userPassword as an example:

attributetype ( 2.5.4.35 NAME 'userPassword'
   DESC 'RFC2256/2307: password of user'
   EQUALITY octetStringMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

This actually goes right back to X.500(1988). The schema says that
you can do exact matches but no other sort. Worse still, it
completely ducks the character-set encoding issue.

Things like homedir and login shell come from RFC2307 and you get a
similar result:

attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
DESC 'The absolute path to the home directory'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
DESC 'The path to the login shell'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Even 2307bis does not give you substring search, though if you make a
case for it the authors might consider adding it...

Having said that, you still might be able to do substring searches on
some of these attributes by using 'matching rule assertion' rather
than 'attribute-value assertion' forms - see RFC4515.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: index on attribute in acl filter

[Andrew Findlay]

On Thu, May 09, 2013 at 02:18:55PM -0400, Al wrote:

 I am looking for a way to allow certain support individuals to unlock
 ldap accounts that have been locked by too many failed auth attempts
 (ppolicy), however I do not want them to be able to unlock accounts
 that have been locked for administrative reasons.  I was assuming I
 could use an ACL like the one below, since we lock an account for
 administrative reasons with the same pwdAccountLockedTime value -
 
 {6}to dn.subtree=cn=users,dc=company,dc=com
 filter=(!(pwdAccountLockedTime=0101Z)) by
 group/groupOfUniqueNames/uniqueMember.exact=cn=user_admins,cn=groups,dc=company,dc=com
 write  by users read
 {7}to dn.subtree=cn=users,dc=company,dc=com
 filter=(pwdAccountLockedTime=0101Z) by
 group/groupOfUniqueNames/uniqueMember.exact=cn=super_user_admins,cn=groups,dc=company,dc=com
  by users read

Those ACIs control general read access - I assume you would
modify them to grant write access to just the
pwdAccountLockedTime attribute. In fact you may need to grant
'manage' access, as this is an operational attribute that is
not usually modified directly.

 I know for a search with that filter, an index on pwdAccountLockedTime
 would be beneficial, but would it help for an acl filter?

An index is very unlikely to make any difference to the ACL
you propose.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: ACL on create questions

[Andrew Findlay]

[ Keep copying to the openldap-technical@openldap.org list ]

On Thu, May 02, 2013 at 02:15:02PM +, Emmanuel Dreyfus wrote:

 It almost works. My only concern is that it is possible to create an 
 object where LHS of DN is not in object's attributes. Like this:
 
 dn: foo=x,o=org
 objectClass: fooClass
 foo: y

There was some argument about that a few years ago. I am sure that the
intention of X.500 was for values in the RDN to be *chosen from*
values in the entry. X.501(1988) section 8.1(g) defines an RDN:

A set of attribute value assertions, each of which is true,
concerning the distinguished values of a particular entry.

Unfortunately, somewhere along the line one or more LDAP implementations
permitted values in the RDN to be *in addition to* the values in the
entry. This was a pain as it was not clear how search filters etc should
behave, but some people with loud voices apparently became dependent
on it. I remember someone (probably Kurt) saying at one point that the
behaviour was wrong but someone had written it into the standards so it
had to be supported.

However, LDAP is now defined by RFC4512 which says this:

2.3.1.  Relative Distinguished Names

   Each entry is named relative to its immediate superior.  This
   relative name, known as its Relative Distinguished Name (RDN)
   [X.501], is composed of an unordered set of one or more attribute
   value assertions (AVA) consisting of an attribute description with
   zero options and an attribute value.  These AVAs are chosen to match
   attribute values (each a distinguished value) of the entry.

I read that as equivalent to the original X.501 definition, so maybe
we should now treat the behaviour you see as a bug.

Which version of slapd are you using? When I try this on 2.4.35 the
extra value from the RDN gets copied into the entry so although the
LDIF being loaded is not strictly correct it does result in a
conformant entry. What does your entry look like when you read it
back?

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Modern Password Hashes in Openldap?

[Andrew Findlay]

On Tue, Apr 30, 2013 at 08:21:30AM +0200, Michael Ströder wrote:

  --On Monday, April 29, 2013 3:28 PM -0700 Chris Hiestand 
  chiest...@salk.edu
  wrote:
  
  Since SSHA-1 is weak these days I'd like to switch to PBKDF2, Bcrypt or
  the like with key stretching. Since Openldap does not support relatively
  strong hashes, do you guys use SASL to store stronger hashes? If so, what
  kind of backend are you using to store hashes?

 To be more precise:
 One could use the sources in contrib/slapd-modules/passwd/ as a template for
 implementing PBKDF2, Bcrypt, etc. schemes. There are no such implementations 
 yet.

Much easier: use one of the hash schemes supported by the underlying
platform's own crypt library. Most Linux, FreeBSD, OpenBSD, Solaris etc
will allow you to use a range of hash functions by specifying the salt
format string. The more recent hash formats allow you to choose the
number of iterations so that you can tune the algorithm to provide the
desired degree of protection against brute-force attacks.

See man crypt(3) on your platform for details of what is supported.

To enable this in slapd.conf add these lines to the global section:

password-hash {CRYPT}
password-crypt-salt-format $6$%.12s

The salt format here is '$6$' which invokes a SHA512-based hash method
and provides 12 characters (72 bits) of salt. It uses the default 5000
iterations. The table on Hashcat's home page suggests that this is around
50,000 times stronger than the simple SSHA1 hash.

For a slightly stronger hash you might choose bcrypt - introduced by
'$2a$' or '$2y$'. Before doing so you should read the description in
crypt(3) about bugs in early versions relating to 8-bit hashes.

To make sure that passwords presented as plaintext data in the
userPassword attribute get hashed, you should add the Password Policy
overlay:

overlay ppolicy
ppolicy_default cn=Password Policy,dc=dir,dc=example,dc=org
ppolicy_hash_cleartext


... and create a default policy entry something like this:

# Applies to userPassword (2.5.4.35)
dn: cn=Password Policy,dc=dir,dc=example,dc=org
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Password Policy
description: The default password policy
pwdAttribute: 2.5.4.35
pwdLockout: TRUE


BE AWARE that this still only controls passwords set via the LDAP
protocol. If you use slapadd to load your data then the database will get
exactly what is in the ldif file.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: LDAP proxy

[Andrew Findlay]

On Fri, Apr 19, 2013 at 09:49:36AM +, Šerých Jakub wrote:

 I manage the school network in which we have two separate MS-AD servers (one 
 for teachers and the other for students). We also have mySQL database of our 
 alumni. 
 I would like to connect this three information bases to one virtual LDAP 
 server (for authentication purposes on various LAMP web servers etc.).
 
 Is it possible to configure such virtual or proxy server using OpenLDAP? And 
 if yes, could anybody be so kind and redirect me to some how-to resources? 

That should be possible. You need to decide how you want the three
data sources to show up in the LDAP tree presented to the client
systems, and you need to consider what happens if the same username
(uid in LDAP terms) appears in more than one data-source.

I would start by building a simple LDAP proxy in front of one AD and
getting that working first (use the LDAP backend or the META backend).
Then try putting an rwm overlay on it and changing the name mapping.

Once those are working, try a simple SQL backend in isolation.

Finally, join all three together in the same server using the relay
overlay.

Documentation is here:

http://www.openldap.org/doc/admin24/

Look in the Backends and Overlays sections in particular. You will
also need to search Google and the Faq-O-Matic for examples as some of
the documentation is a bit thin.

http://www.openldap.org/faq/data/cache/1.html

Some things are better explained in the manpages than in the Admin
Guide.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: missing entry in slapcat backup

[Andrew Findlay]

On Wed, Jan 30, 2013 at 04:19:17PM +0100, Meike Stone wrote:

 Thanks for enlighten me. I've a separate backup server (read only
 slave), where I can do this.
 So I'll try to get money from the FC for more RAM to make the test in
 a ramdisk ^^

You may not need to expand the physical RAM. Most Linux systems
these days have a tmpfs mounted on /tmp or on something like /dev/shm -
this is a 'virtual ramdisk' which will use RAM and swapspace as
appropriate. Its size is fixed at mount time, but can be
configured to be larger than the physical RAM if you have
enough swapspace to support it. Even when extended into swap, I
would expect this to be faster than a normal filesystem as it
does not have to take precautions to recover after a crash.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Access control

[Andrew Findlay]

On Fri, Feb 01, 2013 at 04:56:18PM +, Philip Colmer wrote:

 I have a followup requirement where I need to be able to restrict read access
 to the groups as well as write access. I only want the owners of an object to
 be able to read and write that object. 
 
 The reason for wanting to do this is to ensure that a user only sees the 
 groups
 that they can edit when they are using LDAP Account Manager. We have quite a
 large number of groups and I am trying to head off users complaining that they
 can't find the group they need to edit.
 
 I've been experimenting with the ACLs to try to get it to work but I can only
 get it to work if the owner is explicitly mentioned, rather than indirectly
 mentioned as per the member of a group approach.
 
 The ACLs so far are:
 
 access to dn.one=dc=example,dc=com
     by users read
     by * none

If your users are also stored in a subtree of dc=example,dc=com
then you may need to give anonymous users a bit more access to
this node. It depends on how your login process works, in
particular the stage that maps from a username to a DN.

 access to dn.one=ou=groups,dc=example,dc=com
     by users read
     by * none

OK so far.

 access to dn.sub=ou=groups,dc=example,dc=com
     attrs=objectClass,uniqueMember
     by users read
     by * none

I assume this is to support point (3) below - probably not needed.

 access to dn.sub=ou=groups,dc=example,dc=com
     by dnattr=owner write
     by users none
     by * none
 
 access to dn.sub=ou=groups,dc=example,dc=com
     by set=this/owner/uniqueMember  user write
     by users none
     by * none

Here you have a problem, as the second clause will never be used.

If you want to allow both direct owners and ownership via
groups then you should merge these two - something like this:

access to dn.sub=ou=groups,dc=example,dc=com
by dnattr=owner write
by set=this/owner/uniqueMember  user write
by * none

I am always a bit wary of putting both direct and indirect
references in the same attribute, just in case some entry that
you think is a user ends up with a uniqueMember attribute
somehow.

 (I know that having 'by users none' is redundant but it is there to be
 explicit)

OK - and you can add it to the merged version if you like.

 The purpose of the ACLs is
 
 1. Allow everyone to see the OU structure in the domain.
 2. Allow everyone to see the OUs within the groups OU.

It may not do that. Do you want everyone to see all the OUs, or
only those that they are 'owner' of?
Is there a layer of OUs under ou=groups,dc=example,dc=com with
the actual groups further down? If so, you may need to add a
clause to give access to the intermediate OUs.

 3. The intention here is to grant enough access to the attributes of a group 
 so
 that slapd can then evaluate the uniqueMember attribute. It isn't entirely
 clear to me whether slapd needs a rule like this or should be able to evaluate
 membership etc before it applies acls for the user.

Slapd will read whatever it needs for internal use in
evaluating ACLs so don't worry about it here. 
On the other hand, you *do* need to grant adequate (auth)
access to *user* entries so that anon can authenticate.

 4. Allow directly mentioned owners to write, nothing to everyone else.
 5. Allow indirectly mentioned owners to write, nothing to everyone else.

With the change given above, that bit should work.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: missing entry in slapcat backup

[Andrew Findlay]

On Mon, Jan 28, 2013 at 12:15:19PM +0100, Meike Stone wrote:

 I think, it would be a great thing to test the slapcat file (after
 dumping it) instantly.

Testing backups is always wise...

 So as reported in
 http://www.openldap.org/lists/openldap-technical/201301/msg00254.html
 I tried to do this with a broken backup and the dry-run switch. But
 slapadd did not report the error.
 It will work only with a real import.
 Are there other possibilities, or can be slapadd modified, that this
 will report such error?

Dryrun won't be able to detect missing structural entries: that
requires a database. Even an internal list of DNs is not
enough, as the actual entries have to be available in order to
check things like schema and content rules.

To be a valid test you really have to import the data into a
server with configuration identical to the production server.
If that would take too long then a reasonable compromise might
be to import to a server set up to write data as fast as
possible. You could reasonably turn off all database-safety
functions to do that, or put the database on a ramdisk.
Even if you use hdb on the production servers you might
consider trying mdb for the backup tests.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---

Re: Access control

[Andrew Findlay]

On Thu, Jan 24, 2013 at 12:22:18PM +, Philip Colmer wrote:

 What I want/need to be able to do is for LDAP to read the DN of the group that
 has permission, in the same what that it does with dnattr. I thought that I 
 had
 read something about this being possible with sets, but slapd.access says that
 The statement set=pattern is undocumented yet. so I'm not clear if that is
 the most appropriate way to proceed.
 
 
 Can someone please advise on how this might be accomplished?

Sets are indeed the answer. The documentation only exists in 
the OpenLDAP FAQ-o-matic at present, but you need something 
like this:

access to dn.sub=ou=groups,dc=example,dc=com
by set=this/manager/member  user write
by users read
by * none

That ACL would give write access to members of any group whose
DN is listed in the manager attribute.

The basic idea is that this/manager/member produces a set of DNs,
user produces a set containing the DN of the bound user,
and  generates the intersection of the two sets.
If the result is a non-empty set then the by clause applies.

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/+44 1628 782565 |
---