Re: openldap proxy to kerberos

[Dan White]

On 01/07/19 16:18 -0500, vad...@gmail.com wrote:

I am using openldap proxy today with ldap backend.

Any suggestions on how to use kerberos as the backend?

Here is my config (sanitized)

$ cat slapd.conf



### Database definition (Proxy to AD) #
databaseldap
readonlyyes
protocol-version3
rebind-as-user  yes
uri "ldaps://ldap.example.com:1636"
suffix  "ou=People,dc=example,dc=net"


I'm not clear on where kerberos authentication fits scenario, but
the two pieces of documentation to start with would be the slapo-ldap
manpage, and the OpenLDAP Software 2.4 Administrator's Guide, section 14.5,
and chapter 15.

If that doesn't adress your question, please provide more detail, including
how your clients authenticate with the proxy server.

Re: How to make ldap evaluate clear text password vs DES stored password

[Dan White]

On 09/21/18 12:04 +0900, yokoy...@jacic.or.jp wrote:


I can't find 'Pass-Through authentication (section 14.5)'
in slapd-config(5) man page.

Could you send me its URL?


http://www.openldap.org/doc/admin24/

Re: How to make ldap evaluate clear text password vs DES stored password

[Dan White]

in message "Re: How to make ldap evaluate clear text password vs DES stored 
password",
Dan White  wrote:

On 09/20/18?08:43?+0900, yokoy...@jacic.or.jp wrote:
>LDAP’s userPassowrd stored in the RDB has been already DES hashed by
>original app. On the other hand, input password from ldapseach command
>line is CREARTEXT.

If the hashed/encrypted password is supported by your local crypt(3)
library, you can prepend the userPassword value with {CRYPT} as specified
in slapd-config(5) and section 14.4.2 of the Admin Guide.

Else, if you have a pam module which supports authentication of your hash,
take a look at Pass-Through authentication (section 14.5).


On 09/20/18 23:27 +0900, yokoy...@jacic.or.jp wrote:

My CentOS can make cleartext into DES .

hete is a part of my previous slapd.conf

olcPasswordHash: {CRYPT}
olcSizeLimit: 5000
olcPasswordCryptSaltFormat: "_%s"

unfortunately,it didn't work for my issue.

i think my  slapd uses DES when i try to store new userPasword.


slapd will not really be concerned about the format of your hash, as long
as your underlyding crypt(3) supports it. slapd will pass the cleartext
password received from the client to crypt. You will need to consult your
cyrpt(3) manpage for what is supported, and for what format it expects to
receive ($id$rounds=yyy$salt$encrypts).


i think unless i fetch userPasdword from RDB through slapd,
i will not be able to find SALT in userPassword.


If your RDB has a pam authentication module, then that may be a more
appropriate route. In that case you would not need to make any of your RDB
password hashes directly available to slapd. slapd would pass the cleartext
password, from the client, down to the pam module by way of pass-through
authentication and saslauthd.

Also, you should be taking appropriate security measures to protect the
cleartext password over the wire (ldaps/STARTTLS).

Re: How to make ldap evaluate clear text password vs DES stored password

[Dan White]

On 09/20/18 08:43 +0900, yokoy...@jacic.or.jp wrote:

LDAP’s userPassowrd stored in the RDB has been already DES hashed by
original app. On the other hand, input password from ldapseach command
line is CREARTEXT.



I’d like to change certification process of LDAP source file to make input
password into DES hashed by using 2 characters of userPassword as its
SALT.



I've already known that 2 characters at the beginning of userPasswordwas
used as its SALT when it was hashed.



So the fact is ,my slapd can read userPassword from the RDB. I think I'll
be able to find out what will be SALT to make input password into DES
hashed text.


If the hashed/encrypted password is supported by your local crypt(3)
library, you can prepend the userPassword value with {CRYPT} as specified
in slapd-config(5) and section 14.4.2 of the Admin Guide.

Else, if you have a pam module which supports authentication of your hash,
take a look at Pass-Through authentication (section 14.5).

Re: new attribute

[Dan White]

On 03/13/18 12:40 +0100, Alexander Schwarz wrote:

I tried to create a new objectclass and a new attribute to develop scripts
to use against an ActiveDirectory.

objectlass=user
attribute=sAMAccountName

attributetype ( 1.2.840.113556.1.4.221
  NAME 'sAMAccountName'
  EQUALITY caseIgnoreMatch
  SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
  SINGLE-VALUE )

objectclass ( 1.2.840.113556.1.5.9
   NAME 'user'
   DESC 'a user'
   SUP inetOrgPerson STRUCTURAL
   MUST ( cn )
   MAY ( sAMAccountName ) )

This is included in slapd.conf:
include ./schema/test.schema

modify.ldif:
dn: cn=test test,ou=Benutzer,ou=Netzwerk,dc=network,dc=de
changetype: modify
add: sAMAccountName
sAMAccountName: test

I used the ldapmodify tool:
ldapmodify -a -x -D "cn=admin,dc=network,dc=de" -w passwd -H ldap:// -f
d:\modify.ldif

Eintrag cn=test test,ou=Benutzer,ou=Netzwerk,dc=network,dc=de wird geändert
ldap_modify: Objektklassenverletzung
ldap_modify: Zusätzliche Info: attribute 'sAMAccountName' not allowed


Have you added the 'user' object class to the 'cn=test test' entry?

--
Dan White

Re: Antw: Re: OpenLDAP / Active directory cohabitation

[Dan White]

On 05/30/17 08:10 +0200, Ulrich Windl wrote:

Clément OUDOT  schrieb am 29.05.2017 um 20:43 in

Nachricht

Re: OpenLDAP / Active directory cohabitation

[Dan White]

On 05/29/17 23:36 +0900, Alexandre Rosenberg wrote:

I am in a environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have user 
group, unix group (...)


This means that if perform a BIND and a search, the BIND should be 
performed against the AD but the search result should from OpenLDAP. 
(anonymous search is fine)



The short username are used in in OpenLDAP like this:

uid=john01,ou=People,dc=example,dc=com

While the AD uses the long username. From my test when binding to AD, 
only the "DN" is simply set to the username.


john.sm...@example.com


Pass-through authentication should work if you're performing simple binds.
Chapter 14 of the admin guide has a good example.

If you're doing sasl binds, use gssapi to authenticate against the AD
server directly.

--
Dan White

Re: Search for primary group

[Dan White]

On 05/23/17 09:17 -0400, Bernard Fay wrote:

Is there a way to find the primary group of a user with ldapsesarch or
other command?

I run OpenLDAP version 2.4.40 on CentOS 7.2 if that matters.


I assume you're asking about unix groups.

Commonly the primary unix group id is stored within the gidNumber
attribute of the user's corresponding DN. You can retrieve the primary
group id with 'getent passwd ', or by searching for that attribute.

Refer to your nss documentation (libnss-ldap, nss-pam-ldapd, nssov) for how
to resolve the gidNumber to a group name, or use 'getent group '.

The first group printed using 'groups ' should be the primary group,
but the man page makes no claims of that being true.

--
Dan White

Re: Filtered proxy to Active Directory

[Dan White]

On 04/21/17 21:23 +, Kamenko Pajic wrote:

We have Panasonic KX-UTG300B phones (SIP phone) which has LDAP Phonebook
option.

Settings on the phone to make this work are simple:

LDAP Server Address:

LDAP Server Port:

LDAP Authentication ID:

LDAP Authentication Password:

LDAP Search Base:



When I go to LDAP address book on the phone I get thousands of entries
listing not only users with their phone number but also all other entries
like resources, empty lines(???), N/A, Distribution lists .. Etc. in short
probably everything.


Try creating a group with your desired users and use that as your base.

Re: Dovecot can't connect to openldap over starttls

[Dan White]

On 03/20/17 16:06 +0100, i...@gwarband.de wrote:
I don't have any idea how to set a higher debug level to dovecot. In 
my opinion I have the highest. So I can't deliver a greater log.


I recommend consulting Dovecot's advice on how to run a debugger, or dig
into the code which calls libldap.

Re: Dovecot can't connect to openldap over starttls

[Dan White]

On 03/19/17 09:07 +0100, i...@gwarband.de wrote:

Am 2017-03-19 01:09, schrieb Dan White:

On 03/17/2017 04:27 PM, i...@gwarband.de wrote:

https://gwarband.de/openldap/dovecot.log


Mar 11 11:18:26 s1 dovecot: auth: Debug: Read auth token secret from 
/var/run/dovecot/auth-token-secret.dat
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: 
Connect error
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: 
Connect error
Mar 11 11:18:26 s1 dovecot: auth: Debug: auth client connected (pid=27177)
Mar 11 11:18:33 s1 dovecot: imap-login: Disconnected (no auth attempts in 7 secs): 
user=<>, rip=149.172.171.148, lip=188.68.37.50, session=


https://gwarband.de/openldap/dovecot-ldap.conf


uris = ldap://ldap.gwarband.de
dn = cn=T2,ou=tech,dc=gwarband,dc=de
dnpass = secret
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
ldap_version = 3
base = dc=gwarband,dc=de
scope = subtree
user_attrs = 
mail=maildir:/var/vmail/%{ldap:mailbox},uid=vmail,gid=vmail

user_filter =
(&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
pass_attrs = email=user
pass_filter =
(&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))


https://gwarband.de/openldap/openldap.conf


# Certificate
TLSCACertificateFile/etc/ssl/certs/LetsEncrypt.pem
TLSCertificateFile  /etc/ssl/certs/gwarbandDE_LDAP.pem
TLSCertificateKeyFile   /etc/ssl/certs/gwarbandDE_LDAP.key
TLSCipherSuite
SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin  3.1
TLSVerifyClient never


# Read slapd.conf(5) for possible values
loglevel256

There are more verbose options.

# Include ACLs
include /etc/ldap/acl.conf


What are the contents of /etc/ldap/ldap.conf?


The ldap.conf has no difference to the dovecot-ldap.conf.
See: https://gwarband.de/openldap/ldap.conf
The point "TLS_REQCERT" is in both confs "demand". I've changed it 
after that.


The ldapsearch command works also under the user "dovecot"
See: https://gwarband.de/openldap/ldapsearch-dovecot.log

~$ ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"


There is a difference in your binding DN.

Debug Dovecot's implementation of ldap_start_tls_s().

--
Dan White

Re: Dovecot can't connect to openldap over starttls

[Dan White]

Reformatted:


On 03/17/2017 04:27 PM, i...@gwarband.de wrote:

Hello guys,

actually I'm trying to configure dovecot to access openldap for
passwordcheck.



All datalinks:

https://gwarband.de/openldap/dovecot.log


Mar 11 11:18:26 s1 dovecot: auth: Debug: Read auth token secret from 
/var/run/dovecot/auth-token-secret.dat
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: 
Connect error
Mar 11 11:18:26 s1 dovecot: auth: Error: LDAP: ldap_start_tls_s() failed: 
Connect error
Mar 11 11:18:26 s1 dovecot: auth: Debug: auth client connected (pid=27177)
Mar 11 11:18:33 s1 dovecot: imap-login: Disconnected (no auth attempts in 7 secs): 
user=<>, rip=149.172.171.148, lip=188.68.37.50, session=


https://gwarband.de/openldap/dovecot-ldap.conf


uris = ldap://ldap.gwarband.de
dn = cn=T2,ou=tech,dc=gwarband,dc=de
dnpass = secret
tls = yes
tls_ca_cert_file = /etc/ssl/certs/LetsEncrypt.pem
auth_bind = yes
ldap_version = 3
base = dc=gwarband,dc=de
scope = subtree
user_attrs = mail=maildir:/var/vmail/%{ldap:mailbox},uid=vmail,gid=vmail
user_filter = 
(&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))
pass_attrs = email=user
pass_filter = 
(&(email=%u)(memberOf=cn=mailbox,ou=application,ou=groups,dc=gwarband,dc=de))


https://gwarband.de/openldap/openldap.log


Mar 11 10:48:38 s1 slapd[26962]: conn=1001 fd=14 ACCEPT from 
IP=188.68.37.50:60814 (IP=188.68.37.50:389)

Mar 11 10:48:38 s1 slapd[26962]: conn=1001 op=0 STARTTLS

Mar 11 10:48:38 s1 slapd[26962]: conn=1002 fd=15 ACCEPT from 
IP=188.68.37.50:60815 (IP=188.68.37.50:389)

Mar 11 10:48:38 s1 slapd[26962]: conn=1002 op=0 STARTTLS

Mar 11 10:49:42 s1 slapd[26962]: connection_get(14): got connid=1001
Mar 11 10:49:42 s1 slapd[26962]: connection_read(14): checking for input on 
id=1001
Mar 11 10:49:42 s1 slapd[26962]: connection_read(14): TLS accept failure 
error=-1 id=1001, closing

Mar 11 10:49:42 s1 slapd[26962]: connection_get(15): got connid=1002
Mar 11 10:49:42 s1 slapd[26962]: connection_read(15): checking for input on 
id=1002
Mar 11 10:49:42 s1 slapd[26962]: connection_read(15): TLS accept failure 
error=-1 id=1002, closing

Mar 11 10:49:42 s1 slapd[26962]: conn=1001 fd=14 closed (TLS negotiation 
failure)
Mar 11 10:49:42 s1 slapd[26962]: conn=1002 fd=15 closed (TLS negotiation 
failure)


https://gwarband.de/openldap/trace.dump


It appears that the client is sending an unbind request after the server
sends a successful starttls response.


The bugreportinglink from openldap:

http://www.openldap.org/its/index.cgi/Incoming?id=8615



Am 2017-03-17 22:48, schrieb Tomas Habarta:

been running Dovecot 2.2.27 against OpenLDAP 2.4.40 normally over
the unix socket on the same machine, but tried over inet with
STARTTLS and it's working ok...  I would suggest double-checking
key/certs setup on OpenLDAP side; for the test I have used LE certs,
utilizing following cn=config attributes:

olcTLSCertificateKeyFile contains private key
olcTLSCertificateFilecontains certificate
olcTLSCACertificateFile  contains both certs (DST Root CA X3
   and Let's Encrypt Authority X3)

and used the same CA file in Dovecot's tls_ca_cert_file
Is ldapsearch working ok (-ZZ) and only Dovecot has 
troubles or ... ?



On 03/18/2017 09:41 AM, i...@gwarband.de wrote:

I have also installed LE certs.  But nothing helps, I have
double-checking all certs.  ldapsearch with -ZZ works see:

https://gwarband.de/openldap/ldapsearch.log


ldapsearch -x -ZZ -D "cn=admin,dc=gwarband,dc=de" -W "cn=mailbox"


I have also uploaded the TLSCACertificateFile, maybe I have a failure
in the merge of the two fiels:

https://gwarband.de/openldap/LetsEncrypt.crt

And also I have uploaded my complete openldap configuration:

https://gwarband.de/openldap/openldap.conf


# Certificate
TLSCACertificateFile/etc/ssl/certs/LetsEncrypt.pem
TLSCertificateFile  /etc/ssl/certs/gwarbandDE_LDAP.pem
TLSCertificateKeyFile   /etc/ssl/certs/gwarbandDE_LDAP.key
TLSCipherSuite 
SECURE128:-ARCFOUR-128:-CAMELLIA-128-CBC:-3DES-CBC:-CAMELLIA-128-GCM
TLSProtocolMin  3.1
TLSVerifyClient never


All other components can work and communicate with my openldap
server.  The components are postfix, openxchange, apache
(phpldapadmin).  My installated software is:

Debian 8
OpenLDAP 2.4.40
Dovecot 2.2.13



Am 2017-03-18 12:30, schrieb Tomas Habarta:

Well, if ldapsearch works, try to replicate its settings for dovecot
client.  It's not obvious what settings ldapsearch uses, have a look
at default client settings in /etc/openldap/ldap.conf, there may be
something set a slightly different way.  Also double check permissions
for files used by dovecot, I mean mainly the file listed for
tls_ca_cert_file as dovecot may not have an access for reading...  I
cannot see anything downright bad, just posted CA cert (which is ok,
tested) is *.crt and your config mentions *.pem but I consider it's
the same file.  Finally, I would recommend to enable debug 

Re: user removed from ldap group but Linux groups command still shows user as member of the group

[Dan White]

On 02/24/17 08:55 -0500, Bernard Fay wrote:

I removed a user from an LDAP group about a week ago. Today, this user
still shows as member of the group with the Linux command groups. Also, the
group (Administrators) appears twice in the output of the command id:
uid=1(username) gid=1(Administrators)
groups=10001(users),10005(devel),10011(video),10015(ansible),1(Administrators)

The command getent though shows the proper group assignation:
getent group | grep username | cut -d: -f1
users
devel
video
ansible

All of those groups are LDAP group.


Is this from a long running shell? If so, start a new shell or
run newgrp.

Otherwise, verify that it is not cached (such as with nscd), and trouble
shoot as an nss ldap problem.

--
Dan White

Re: cant create child entrys

[Dan White]

On 12/22/16 14:07 +, robert k Wild wrote:

i cant create child entrys apart from OU and OR, why is this?

i have installed openldap on a centos 7 vm and also phpldapadmin to manage
the ldap server

i imagine this is an openldap issue and not a php ldap admin issue

https://s28.postimg.org/l5zb58h4t/Capture.png


What error are you getting on the failed create? 


Is your new entry properly formatted? I'd suggest creating the entry using
ldapadd, which would be easier to trouble shoot on failure.

Re: LDAP User can't login can su to with root account

[Dan White]

On 12/22/16 17:39 +0800, Frank Yu wrote:

I can see this log from audit.log when try to login

type=USER_AUTH msg=audit(1482399412.928:11840): pid=23099 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
msg='op=pubkey acct="luo.lu" exe="/usr/sbin/sshd" hostname=?
addr=10.31.0.113 terminal=ssh res=failed'


I presume you are using selinux? If so I can't offer much help here other
than to suggest disabling it in a lab environment to see if that's what's
tripping you up.

Can you get better logging from sshd?

Re: How to move from hdb to mdb

[Dan White]

On 09/20/16 12:40 +, Nikolas Stylianides wrote:

Hi there.
Is there a howto move from hdb to mdb?

What we need to do is to transfer our directory from hdb to the mdb.
Is there a book to learn about openldap? With the new OLC way of doing
things?

Can i have hdb and mdb running at the same time?

Currently I have done the following:
1. Load the Module back_mdb
2. Created a OlcBackend
3. Created a OlcDatabase


See http://www.openldap.org/doc/admin24/ and slapcat(8), slapadd(8),
slapd-mdb(5), and slapd-config.

Consider converting in two steps - converting your database to mdb first,
then converting to slapd-config.

Re: nslcd listing users and groups twice

[Dan White]

On 08/15/16 14:50 -0400, John Lewis wrote:

The commands return duplicate data is getent passwd and getent group, if
I don't add a specific user as a parameter in the command.

# /etc/nsswitch.conf

passwd: compat ldap
group:  compat ldap


Are you using netgroups in /etc/passwd?

On 08/14/16 13:50 -0400, John Lewis wrote:

uid nslcd
gid nslcd
uri ldap://localhost
base dc=d,dc=oflameo,dc=com
ldap_version 3
binddn cn=ldap-connect,ou=Users,dc=d,dc=oflameo,dc=com
bindpw x
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
base dc=d,dc=oflameo,dc=com
filter  passwd  (objectClass=posixAccount)
filter  group   (objectClass=posixGroup)
map passwd  uiduid
map passwd  uidNumber  uidNumber
map passwd  loginShell loginShell
map passwd  homeDirectory  homeDirectory
map passwd  gecos  gecos
map passwd  gidNumber  gidNumber
map group   member member
bind_timelimit 60
timelimit 60
idle_timelimit 300


Do you have multiple users which meet the above criteria?

--
Dan White

Re: nslcd listing users and groups twice

[Dan White]

On 08/14/16 13:50 -0400, John Lewis wrote:

Subject: nslcd listing users and groups twice

This is surprisingly non-trivial especially when the nis schema for
openldap is more documented than the samba one when I use to run
samba-ad-dc. I have the nslcd.conf attatched.


What command are you running which duplicates data? What are the contents
of your nsswitch.conf?

--
Dan White

Re: LDAPI mechanism too weak for this user

[Dan White]

On 04/07/16 16:16 -0400, Frank Crow wrote:

I have locked down my server to disallow anonymous binds and set the
SSF=128.   I also have SaslSecProps: noplain,noanonymous,minssf=128

Which all seems to work fine for my usage with one exception.   If I try to
use any of the command line tools with "-Y EXTERNAL -H ldapi:///", I now
get:

additional info: SASL(-15): mechanism too weak for this user: mech EXTERNAL
is too weak

Is there some configuration item that I can change to allow that work while
maintaining my existing policy of no anonymous binds for everything else,
etc?


Set olcLocalSSF to your desired value within your server config.

--
Dan White

Re: Question about ldap_init()/ldap_initialize() behavior with OpenLDAP

[Dan White]

On 03/30/16 10:19 -0400, Frank Crow wrote:

I'm not clear on whether I'm allowed to ask "C" API questions here.   If
not, I apologize in advance and please disregard in that case.   However,
the question is more about configuration than coding.

I'm seeing that the ldap_init() function allows the hostname parameter to
be null or a list of hosts.If it is null, the function attempts to
determine the default ldap host.

How does it determine the default LDAP host when the hostname parameter is
null?   Does it load the list of hosts from the ldap.conf URI parameter?
And/or does it use the LDAPURI environment variable?


The order is detailed in the ldap.conf manpage, within the DESCRIPTION
section.

--
Dan White

Re: BINDDN in ~/.ldaprc ignored(?)

[Dan White]

On 02/09/16 10:28 +0100, Frank Thommen wrote:

BINDDN in ~/.ldaprc seems to be ignored or I'm doing something wrong.

/etc/openldap/ldap.conf is empty.

~/.ldaprc is:

$ cat ~/.ldaprc
BINDDN  
BASE
URI ldaps://
TLS_REQCERT never
$


ldapsearch returns an error if I don't declare the bindDN on the 
commandline:


$ ldapsearch -W -v cn=xyz
ldap_initialize(  )
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No Kerberos 
credentials available)

$


For SASL binds, specify SASL_AUTHCID instead; however this option will be
ignored by the sasl library for GSSAPI binds, in which case SASL_AUTHZID
may be used if you need to specify an authz identity.

For non-sasl binds, specify '-x' on your command line, which does make use
of BINDDN.

--
Dan White

Re: pass-through authentication

[Dan White]

You can view your config with:

slapcat -n0

And verify that object exists.

If you're receiving this error due to an ACL problem, verify you
have the proper configuration in place to authenticate as the rootdn using
sasl/external. See the slapd-config manpage, and see section 15.2 (and in
particular 15.2.5) of the Administrator's guide, and reference your
OS/distro documentation.

On 01/21/16 12:35 -0600, Timothy Keith wrote:

I commented the  mech_list in slapd.conf

The ldapsearch result is now No such object

ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config
"(|(cn=config)(olcDatabase={1}hdb))"
No such object (32)

On Fri, Jan 8, 2016 at 2:34 PM, Dan White <dwh...@cafedemocracy.org> wrote:

On 01/07/16 17:24 -0600, Timothy Keith wrote:


ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config
"(|(cn=config)(olcDatabase={1}hdb))"
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
   additional info: SASL(-4): no mechanism available:



I'm missing some context here. Most likely you have a mech_list hard coded
in your slapd.conf sasl, which does not include the external mech.

Re: LDAP with MySQL Support and Radius

[Dan White]

On 01/20/16 18:07 +, Alexandre Vilarinho wrote:

I'm trying to install LDAP wirh mysql support to authenticate users radius
account and I'm having problems finding documentation explaining how to do
it. Does any implemented an environment link I'm willing to do? It is
possible to share this documentation? Is there a step-by-step explaining
how to do it?


OpenLDAP supports sql authentication via ODBC and back-sql. See the
back-sql manpage, and sections 11.11 and 1.8 of the Administrator's guide
for an PostgreSQL example and discussion. I would not recommend it, unless
you have an entrenched environment and know what you're doing.

RADIUS, MySQL, and OpenLDAP are orthogonal. A RADIUS server, such as
FreeRADIUS can be configured to use MySQL or LDAP for its credentials
database.

--
Dan White

Re: pass-through authentication

[Dan White]

On 01/07/16 17:24 -0600, Timothy Keith wrote:

ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config
"(|(cn=config)(olcDatabase={1}hdb))"
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
   additional info: SASL(-4): no mechanism available:


I'm missing some context here. Most likely you have a mech_list hard coded
in your slapd.conf sasl, which does not include the external mech.

--
Dan White

Re: pass-through authentication

[Dan White]

On 01/04/16 09:41 -0600, Timothy Keith wrote:

ldapwhoami -Y PLAIN -H ldap://182.19.136.42 -U testuser

produces :

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
   additional info: SASL(-4): no mechanism available: No worthy mechs
found


Verify you have the sasl plain mechanism available on your local system with
saslpluginviewer/pluginviewer. On some systems it is contained in a separate
package from the libsasl2 glue library, e.g. libsasl2-modules.

--
Dan White

Re: pass-through authentication

[Dan White]

On Wed, Dec 30, 2015 at 7:04 PM, Dan White <dwh...@cafedemocracy.org> wrote:

Is DIGEST-MD5 available on your ldap server? Try:

ldapsearch -LLL -x -H ldap://1.2.3.4 -s "base" -b ""
supportedSASLMechanisms


On 12/31/15 09:51 -0600, Timothy Keith wrote:

Dan, that ldapsearch returns :
dn:
supportedSASLMechanisms: PLAIN



On Mon, Jan 4, 2016 at 1:16 PM, Dan White <dwh...@cafedemocracy.org> wrote:

On 01/04/16 09:41 -0600, Timothy Keith wrote:


ldapwhoami -Y PLAIN -H ldap://182.19.136.42 -U testuser

produces :

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
   additional info: SASL(-4): no mechanism available: No worthy mechs
found


On 01/04/16 14:47 -0600, Timothy Keith wrote:

pluginviewer returned this, as well as several other plugins :

List of server plugins follows


Plugin "plain" [loaded],API version: 4
   SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
   security flags: NO_ANONYMOUS
   features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION


Something doesn't add up here. The remote server claims to support sasl
plain, and your local server claims to support it as well.

I suppose your server could be claiming support, but not really supporting
it without a security layer, in which case you might investigate doing
ssl/starttls.

See if you can get a hold of any logs from the server.

--
Dan White

Re: pass-through authentication

[Dan White]

On 12/31/15 11:13 -0600, Timothy Keith wrote:

I defined:
ldap_mech: PLAIN

I am new at LDAP , that is obvious I guess.  But, I've been around Unix for
30 years.

This is the latest output from saslauthd in debug mode :

saslauthd[19271] :main: num_procs  : 5
saslauthd[19271] :main: mech_option: NULL
saslauthd[19271] :main: run_path   : /var/run/saslauthd
saslauthd[19271] :main: auth_mech  : ldap
saslauthd[19271] :ipc_init: using accept lock file:
/var/run/saslauthd/mux.accept
saslauthd[19271] :detach_tty  : master pid is: 0
saslauthd[19271] :ipc_init: listening on socket:
/var/run/saslauthd/mux
saslauthd[19271] :main: using process model
saslauthd[19271] :have_baby   : forked child: 19272
saslauthd[19271] :have_baby   : forked child: 19273
saslauthd[19271] :have_baby   : forked child: 19274
saslauthd[19271] :have_baby   : forked child: 19275
saslauthd[19271] :get_accept_lock : acquired accept lock
saslauthd[19271] :rel_accept_lock : released accept lock
saslauthd[19272] :get_accept_lock : acquired accept lock
ldap_sasl_interactive_bind: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP  182.19.136.42:389
ldap_new_socket: 10
ldap_prepare_socket: 10
ldap_connect_to_host: Trying  182.19.136.42:389
ldap_pvt_connect: fd: 10 tm: 10 async: 0
ldap_ndelay_on: 10
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 10 tm: 10
ldap_is_sock_ready: 10
ldap_ndelay_off: 10
ldap_pvt_connect: 0
ldap_int_sasl_open: host=182.19.136.42
ldap_msgfree
ldap_err2string
ldap_unbind
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
ldap_create
ldap_url_parse_ext(ldap:// 182.19.136.42:389)
ldap_sasl_interactive_bind: user selected: PLAIN
ldap_int_sasl_bind: PLAIN
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP  182.19.136.42:389
ldap_new_socket: 10
ldap_prepare_socket: 10
ldap_connect_to_host: Trying  182.19.136.42:389
ldap_pvt_connect: fd: 10 tm: 10 async: 0
ldap_ndelay_on: 10
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 10 tm: 10
ldap_is_sock_ready: 10
ldap_ndelay_off: 10
ldap_pvt_connect: 0
ldap_int_sasl_open: host=182.19.136.42
ldap_msgfree
ldap_err2string
saslauthd[19271] :do_auth : auth failure: [user=testuser]
[service=slapd] [realm=] [mech=ldap] [reason=Unknown]
saslauthd[19271] :do_request  : response: NO


On 12/31/15 11:43 -0600, Timothy Keith wrote:

attempting to connect:
connect errno: 115


*EINPROGRESS*



That doesn't appear to be a critical piece of the problem. Notice libldap
is polling and reporting the socket as ready.

Trouble shoot this as a basic authentication problem between your unix
server and the ldap server. I.e., attempt to reproduce a sasl plain
authentication using ldapwhoami:

ldapwhoami -Y PLAIN -H ldap://182.19.136.42 -U testuser

Adjust to match your saslauthd ldap config.

Assuming your connection is unencrypted, which is appears to be, performing
a tcpdump/wireshark trace will help.

--
Dan White

Re: pass-through authentication

[Dan White]

On 12/17/15 18:32 -0600, Timothy Keith wrote:

We are attempting to set up an LDAP server which will answer queries
from an application. The database will contain metadata on a set of
users in the application. The application will also query the server
to authenticate the user’s password, however, this server will not
house the password. That resides on another server, which our server
will query.   We do not have administrative rights to the other
server.

The difficulty we are having now is setting up the pass-through
authentication for the passwords. Any pointers in how to proceed with
this would be greatly appreciated.


On 12/21/15 17:24 -0600, Timothy Keith wrote:

We have limited access to the servers.  Same company, different IT
organization.   Our LDAP requirement must be transparent to those servers.
We want to inherit the LDAP directory information from the Unix servers -
mostly the user Id and passwords, and add information that is needed  by
applications that our servers will manage.


On 12/31/15 09:51 -0600, Timothy Keith wrote:

On Wed, Dec 30, 2015 at 7:04 PM, Dan White <dwh...@cafedemocracy.org> wrote:

On 12/30/15 18:51 -0600, Timothy Keith wrote:


This is tail of the latest saslauthd debug  output :

ldap_sasl_interactive_bind: user selected: DIGEST-MD5



res_errno: 7, res_error: <SASL(-4): no mechanism available: >, res_matched:

<>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: DIGEST-MD5
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_msgfree
ldap_err2string



Is DIGEST-MD5 available on your ldap server? Try:

ldapsearch -LLL -x -H ldap://1.2.3.4 -s "base" -b ""
supportedSASLMechanisms
Which should list the advertised sasl mechanisms.

Verify the digest-md5 mechanism is installed with
saslpluginviewer/pluginviewer.


Dan, that ldapsearch returns :
dn:
supportedSASLMechanisms: PLAIN


The server is only offering the PLAIN mechanism to you. It appears you're
using saslauthd's ldap backend, and have explicitly configured 'ldap_mech:
digest-md5' in your corresponding config. If that's correct, you could
change that to PLAIN instead.

Consider protecting the bind with tls if available.

slapo-pbind may be a simpler alternative (to pass-through sasl
authentication), depending on the specifics of your setup.

--
Dan White

Re: SASL Passthrough no request

[Dan White]

On 12/30/15 08:40 +, Küchler, Simon wrote:

Our password authetication should use SASL but we don't see any requests
in our Logs or by tcpdump.

The password authentication should work as follows

- userPassword-Attribute: {SASL}User@Domain
- saslauthd -> use PAM
- PAM -> use kerberos
- kerberos -> send request to Active-Directory Server



Configuration files:

lshxx0693:~ # cat /etc/sasl2/slapd.conf
mech_list: plain login
pwcheck_method: saslauthd

lshxx0693:~ # cat /etc/sysconfig/saslauthd
SASLAUTHD_AUTHMECH=pam
SASLAUTHD_THREADS=5
SASLAUTHD_PARAMS="-r"

lshxx0693:~ # cat /etc/pam.d/ldap
auth required  pam_krb5.so no_user_check
account requiredpam_permit.so



lshxx0693:~ # cat /etc/krb5.conf

[libdefaults]
   default_realm = INT.IT.DPP
   dns_lookup_kdc = true

[realms]
   INT.IT.DPP = {
   kdc = 10.150.10.10
   kdc = 10.150.10.10
   }

[logging]
   default = SYSLOG:NOTICE:DAEMON


Is testsaslauthd successful? If not, address that first (on the cyrus sasl
mailing list).

If you're still having issues, run saslauthd in debug mode, and verify your
slapd process is communicating with the saslauthd mux. Verify it is
writable by the slapd process.

--
Dan White

Re: pass-through authentication

[Dan White]

On 12/30/15 18:29 -0600, Timothy Keith wrote:

I'm still having troubles with pass-through SASL on RHEL

testsaslauthd produces this message :
   0: NO "authentication failed"


Consult the cyrus sasl documentation, which for saslauthd is underneath the
saslauthd directory within the source, as well as the manpage.


With this in the system log :
 saslauthd logs reason=Unknown

When saslauthd is launched in verbose mode and followed
by testsaslauthd  it prints :

connect() : No such file or directory


When running in debug mode, verify you're including the exact options with
which saslauthd is normally running, with the -d option added. The mux
location compiled into testsaslauthd is not matching where the mux is
listening in this case, or the mux isn't listening.


On Thu, Dec 24, 2015 at 1:46 PM, Timothy Keith <timothy.g.ke...@gmail.com>
wrote:


As per my ongoing LDAP SASL design question, can anyone recommend a good
tutorial for pass-through authentication ?


See section 14.5 of the Administrator's Guide, and read through the
documentation at cyrussasl.org.

--
Dan White

Re: pass-through authentication

[Dan White]

On 12/30/15 18:51 -0600, Timothy Keith wrote:

This is tail of the latest saslauthd debug  output :

ldap_sasl_interactive_bind: user selected: DIGEST-MD5



res_errno: 7, res_error: <SASL(-4): no mechanism available: >, res_matched:
<>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: DIGEST-MD5
ldap_parse_sasl_bind_result
ldap_parse_result
ldap_msgfree
ldap_err2string


Is DIGEST-MD5 available on your ldap server? Try:

ldapsearch -LLL -x -H ldap://1.2.3.4 -s "base" -b "" supportedSASLMechanisms 


Which should list the advertised sasl mechanisms.

Verify the digest-md5 mechanism is installed with saslpluginviewer/pluginviewer.

--
Dan White

Re: sasl-auxprop (and sasl/slapd.conf)

[Dan White]

On 11/17/15 18:38 +0100, Simone Piccardi wrote:

I'm trying to understand which values I can use for the sasl-auxprop
directives and how to configure (if possible) sasl/slapd.conf.


That's a lot more painful to determine than it should be. Do:

# cat > /sasl/pluginviewer.conf << EOF

ldapdb_uri: ldapi:///
sql_select: select foo from bar
EOF


# pluginviewer -a
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,   API version: 8
 supports store: yes

On Debian based systems, use saslpluginviewer.

To this list, add 'slapd', which is the internal auxprop plugin, and
subtract ldapdb, which should not be used within the slapd server.


I was trying to use the users created with slappasswd2 -c (as written in
the Administration guide) but no sasldb file was open by the server (I
straced out a full session). I tried to put an explicit configuration in
sasl/slapd.conf, and stracing the server I saw it was open and read, but
the configuration inside is just ignored.


The auxprop_plugin configuration parameter is ignored. Most/all other
config statements will be honored.


Reading the manpage I found it says that sasl-auxprops "Specify which
auxprop plugins to use for authentication lookups." and that the default
is use the slapd internal support.

But I did not define this one, and sasl/slapd.conf still seems to be
ignored. And no possible values for the available plugins to use as
sasl-auxprops parameter are listed.


If you wish to use the sasldb database, specify the 'sasldb' auxprop plugin
(via sasl-auxprops/olcSaslAuxprops), and maintain your authentication
database with saslpasswd2.


I could get DIGEST-MD5 authentication working putting the password inside
the server (userPassword in CLEARTEXT), so it seems that the default is
used anyway. But I'd like to have it working using using sasldb or
configuring sasl/slapd.conf to use saslauthd.


pwcheck_method is honored within sasl/slapd.conf.

--
Dan White

Re: I don't want to use GSSAPI !?

[Dan White]

On 10/26/15 15:49 +0100, Olivier wrote:

supported before redhat6. So my nswitch.conf looks like this :

# cat /etc/nsswitch.conf
sudoers:ldap
passwd: files sss
shadow: files sss
group:  files sss
...



The problem is that I have not found which option I should use in ldap.conf
to say NOT to use sasl when binding the ldap directory (aka the equivalent
of '-x').


There is no such option.

Consult the documentation for your pam ldap module. If you're using PADL,
consider using nss-pam-ldapd, or nssov (which is distributed with
OpenLDAP).

--
Dan White

Re: I don't want to use GSSAPI !?

[Dan White]

On 10/23/15 23:31 +0200, Olivier wrote:

2015-10-22 20:54 GMT+02:00 Dan White <dwh...@cafedemocracy.org>:

Without including a '-x' option on the command line, you are directing
ldapsearch to perform a SASL authenticated bind. See the ldapsearch
manpage.


I use SASL in certain circumstances (aka: EXTERNAL), but not GSSAPI and
find strange that this particular machine (I mean the client) even tries it.

Do you know why ldapsearch tries to authenticate using GSSAPI ?


Because your local cyrus sasl library determined it was the best option,
because it was not provided with a specific mechanism to use (-Y).


In this case, ldapsearch deferred the underlying authentication exchange
to libsasl2, which has determined that GSSAPI is the most appropriate SASL
mechanism to use, likely because the ldap server is offering it. You can
use '-Y' to specify a preferred sasl mechanism, if that is your intention.


Is there any way to configure the server not to serve GSSAPI mechanism ? I
have not fount any parameter that could deal with that on the server side.


Yes. Configure a sasl slapd.conf file, and specify an explicit 'mech_list'
which excludes GSSAPI. See:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php


You can remove the GSSAPI libsasl2 shared library from your system, but
that would simply mask the problem.


Mmm... Thanks for this idea, but again, this is GSSAPI that I don't want to
use, not SASL.

Is there any documentation that describes the dialog between the client and
the server before they agree an a particular mechanism ?


SASL authentication is based on a server-offers - client-chooses model. The
server offers all available mechanisms to the client, which then chooses
the most appropriate mechanism to use based on which mechanisms it has
available. You can explicitly set the mechanism with the '-Y' option, or
via a SASL_MECH user-only option (see ldap.conf(5)).

See section 5.2 of RFC 4513 for further detail.

--
Dan White

Re: I don't want to use GSSAPI !?

[Dan White]

On 10/22/15 17:59 +0200, Olivier wrote:

Hello everyone,

authentication over ldap doesn't work on one of my linux box. Trying to
query the ldap server from this machine with ldapsearch, I get this :

$ ldapsearch -ZZZ -h ldap1.example:389  -D uid=olivier,dc=example,dc=fr -b
dc=example,dc=fr -W
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
   additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (No credentials cache
found)


Without including a '-x' option on the command line, you are directing
ldapsearch to perform a SASL authenticated bind. See the ldapsearch
manpage.


Do you know why ldapsearch tries to authenticate using GSSAPI ?


In this case, ldapsearch deferred the underlying authentication exchange
to libsasl2, which has determined that GSSAPI is the most appropriate SASL
mechanism to use, likely because the ldap server is offering it. You can
use '-Y' to specify a preferred sasl mechanism, if that is your intention.


I don'use such a mechanism (nor kerberos) and I don't remember that I
configured any such a thing.

Any idea to desactivate the attempt to use GSSAPI to authenticate ?


You can remove the GSSAPI libsasl2 shared library from your system, but
that would simply mask the problem.

--
Dan White

Re: configuring ldap-client to use TLS (Certificate not found in database)

[Dan White]

On 10/20/15 21:24 -0400, Sridhar Acharya Malkaram wrote:

I am a novice to linux administration. Recently I had to configure a
system to authenticate using LDAP with TLS. I have read guides from
several websites. But I still could configure it. There seem to be several
reasons for the failure. I tried many suggestions, but with no success. I
don’t have access to the LDAP server. So I have been just playing with
config on the client.

The LDAP server is sso.abcdef.edu

My ldap.conf content is below

BASE dc=abcdef,dc=edu
TLS_REQCERT allow
TLS_CACERT /etc/openldap/cacerts/sso.abcdef.edu.crt
uri ldap://sso.abcdef.edu 
TLS_CACERTDIR /etc/openldap/cacerts


You output below says your local ldap libraries are linked against moznss.
See:

http://www.openldap.org/faq/data/cache/1514.html

and the ldap.conf manpage. More comments below.


I could issue a ldapsearch -x which returns several entries. However, when
I couldn’t do using TLS.  The following command shows some errors. Could
you suggest me possible directions to resolve this. The directory
/etc/openldap/cacerts/ contains  the server certificate
sso.abcdef.edu.crt. I also made a copy of it with name sso.abcdef.edu.pem.
I am not sure whether this pem file should be that of the server or the
client.

Another question, should the client also have a ca (or self-signed )
certificate and it whether it should be uploaded onto the LDAP server?


The depends on the security needs of your network.

If the server is configured to require client certificates, then you'll
need to specify a TLS_CERT and TLS_KEY (again, see ldap.conf(5)).


/etc/openldap/cacerts root@wserver[0.5]5019 > ldapsearch -ZZZ -h sso.abcdef.edu 
-d -1



ldap_msgfree
TLS: loaded CA certificate file /etc/openldap/cacerts/sso.abcdef.edu.crt.
TLS: error: the certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' could 
not be found in the database - error -12285:Unable to find the certificate or 
key necessary for authentication..
TLS: certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' successfully loaded 
from PEM file.
TLS: could not add the private key '/etc/openldap/cacerts/sso.abcdef.edu.pem' - 
error -8018:Unknown PKCS #11 error..
TLS: error: could not initialize moznss security context - error -8018:Unknown 
PKCS #11 error.
TLS: can't create ssl handle.
ldap_err2string
ldap_start_tls: Connect error (-11)


Does /etc/openldap/cacerts/sso.abcdef.edu.pem exist? If so, moznss will
attempt to open it as a database. It should not exist if you wish to use
the collective cert files within /etc/openldap/cacerts/ as your cacerts.
You should not specify TLS_CACERT in that case either.

--
Dan White

Re: Change userPassword

[Dan White]

On 09/03/15 10:54 -0700, Chuck Theobald wrote:
I am finding it impossible to set user passwords to the form 
{SASL}n...@ad.domain.my


ldapmodify can delete userPassword, and can add it again but ends of 
setting it to a hash despite trying password-hash {CLEARTEXT} and 
password-hash {SASL} in slapd.conf. And no, I am not using slapd.d.


By hash, I assume you mean base64 encoding, which is how ldapsearch
displays contents of userPassword when retrieved. uudecode the contents to
see the actual data.

Here's a simple perl script I use:

#!/usr/bin/perl

use MIME::Base64;

print decode_base64($ARGV[0]);  
print "\n";


If you are actually retrieving a crypt(3) style hash, verify you are not
running ldapmodify with an extention (-E) and that you are not doing
something strange with an overlay.

password-hash should only come into play when performing an ldap password
extended operation, such as with ldappasswd.

Every post I find taunts me with things like "oh, set the userpassword 
to {SASL}<b...@blah.com> and it will Just Work". This simple step 
eludes me. I am seriously missing some thing quit easy.



--
Dan White

Re: Change userPassword

[Dan White]

On 09/03/15 12:16 -0700, Chuck Theobald wrote:
Thanks to all who replied. I did not realize or remember that the 
output of ldapsearch was base64 encoded for userPassword. Decoding 
gives me the string I expect, so it is set correctly in the database. 
Since testsaslauthd works, I just need to get ldap to reference the 
saslauthd, which is still failing.


I recommend running saslauthd in debug mode to trouble shoot. If no
connections are established when authenticating against slapd, verify
permissions are good to your saslauthd mux, and explicitly set a
saslauthd_path within your (sasl) slapd.conf if necessary. See:

http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php

--
Dan White

Re: ldapsearch and kerberos keytab

[Dan White]

On 09/02/15 16:22 +0300, l...@avc.su wrote:

Hi all.

I've got CentOS 6.5 server enrolled in an AD domain.


Does that mean you're using Samba, or something else?


There's a script which should connect to AD and get some info with
ldapsearch.

We were using simple bind with username and password, but I wonder if
there is any way to do queries and being authenticated by GSSAPI without
the need of password entering?


Yes, it should work fine.


Maybe, I somehow can use system krb5.keytab and do queries from the name
of the server (host/pc@DOMAIN credentials)?


You'll need to export a keytab file from Active Directory. See:

https://cwiki.apache.org/confluence/display/DIRxINTEROP/Exporting+Keytabs+from+Active+Directory


Or I should create separate keytab and specify it in ldapsearch? But I
haven't found this option. Moreover, I know that kerberos tickets could
expire and I should re-enter pass to obtain new one.


ldapsearch will not initialize your credentials cache. You're responsible
for kinit to initialize it, such as from your crontab.

Using a keytab would obviate the need for sticking a password in your
crontab of course. The underlying kerberos libraries will request necessary
service tickets as needed.

--
Dan White

Re: SASL/EXTERNAL not available

[Dan White]

On 09/02/15 08:25 -0500, Dan White wrote:

dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN


If you have a olcSaslAuxprops configured, verify it includes EXTERNAL.


That's a mistake. Check your SASL slapd.conf file for mech_list. If it
exists, add EXTERNAL to it. 


olcSaslAuxprops is something totally unrelated.

--
Dan White

Re: authz-regexp behavior with GSSAPI

[Dan White]

From: Dan White [dwh...@olp.net]
Sent: Sunday, August 30, 2015 10:09 AM
To: Peter Heinemann
Cc: openldap-technical@openldap.org
Subject: Re: authz-regexp behavior with GSSAPI

On 08/26/15 12:51 +, Peter Heinemann wrote:

I am trying to figure out different behaviors with authz-regexp in slapd.conf.


Any differences in your /etc/krb5.conf? What is your default realm? Any
differences in the libraries you're using (cyrus-sasl and kerberos)?


On 08/31/15 13:52 +, Peter Heinemann wrote:

Here are version details:
openldap 2.4-39
RHEL 6.5
cyrus-sasl and cyrus-sasl-gssapi 2.1.23-15
krb5-libs   1.10.3-42

It appears that cross-realm authentication is problematic.  In the
following results, "success" means that the search specified by the regex
occurred and the identity was remapped.  Both commands used GSSAPI (-Y for
ldapwhoami, -M for slapauth):



so:
 slapauth appears to work if a realm is explicitly specified with -R  (either 
cross-realm or within realm), but won't remap if the realm isn't specified.
 ldapwhoami (and ldapsearch)  works within a realm whether or not the realm is 
specified with -R;  but won't remap if -R specifies a different realm.


There are several possibilities as to why this behavior might occur. You
might be able to change sasl-host/sasl-realm to make things work
consistently, or change your default realm in krb5.conf.

The pragmatic solution would be to create more than one authz-regexp to
match each/all cases, so that future Kerberos changes don't break your
setup.

--
Dan White

Re: LDAP over TLS

[Dan White]

On 07/14/15 03:45 +0500, Aneela Saleem wrote:

but when i run the search command: i.e.,
*ldapsearch -x -b dc=platalytics,dc=com -H 'ldap://localhost:389' -ZZ*

i get the following error:

ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation


Which ssl library is your slapd compiled against? See the slapd-config
manpage for appropriate configuration for your ssl lib.


Following is my *cn=config.ldif* file:

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0cd16f20
dn: cn=config
objectClass: olcGlobal
cn: config

*TLSCertificateFile: /etc/ldap/servercrt.pem*
*TLSCertificateKeyFile: /etc/ldap/serverkey.pem*
*TLSCACertificateFile: /etc/ldap/cacert.pem*


Assuming these are correct paths, verify permissions to these files, and
check them again.

Enable logging/debugging on the server side to trouble shoot.


olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 59729584-bdf0-1034-90b9-fdf431101d87
creatorsName: cn=config
createTimestamp: 20150713211745Z
entryCSN: 20150713211745.443612Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 20150713211745Z


--
Dan White

Re: LDAP over TLS

[Dan White]

On Tue, Jul 14, 2015 at 11:09 PM, Dan White dwh...@cafedemocracy.org
wrote:

On 07/14/15 23:05 +0500, Aneela Saleem wrote:

I found three libraries in mangpages of slapd-config i.e., OpenSSL,
GnuTLS, or Mozilla NSS


This should give you a hint:

~# ldd `which slapd`


On 07/15/15 00:37 +0500, Aneela Saleem wrote:

It gives the following output:

*libgnutls.so.26 = /usr/lib/x86_64-linux-gnu/libgnutls.so.26


GnuTLS.

--
Dan White

Re: LDAP over TLS

[Dan White]

Dan White wrote:


ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation



Which ssl library is your slapd compiled against? See the slapd-config
manpage for appropriate configuration for your ssl lib.


On 07/14/15 23:05 +0500, Aneela Saleem wrote:

Hi Dan,

I found three libraries in mangpages of slapd-config i.e., OpenSSL, GnuTLS,
or Mozilla NSS


Correct, as OpenLDAP supports all three of those libraries. Consult your
system documentation for which library your binary slapd was linked
against.

This should give you a hint:

~# ldd `which slapd`

--
Dan White

Re: ldap.conf not being used for TLS_CERT/TLS_KEY

[Dan White]

On 07/06/15 08:53 +1000, Deon George wrote:

Hi,

Looking for feedback on why this is not working, or if it is a bug.

The details of my configuration are here:
http://serverfault.com/questions/702739 
http://serverfault.com/questions/702739

I discovered (and proved), that ldapsearch is not honouring TLS_CERT/TLS_KEY in 
/etc/openldap/ldap.conf. I’m running the query as “root” and selinux is 
disabled.

If however, I put the TLS_CERT/TLS_KEY in my ~/ldaprc or ~/.ldaprc, then they 
are honoured.

Is this a bug?

What is stopping the “global default” of TLS_CERT/TLS_KEY from being read?


Both TLS_CERT and TLS_KEY are user-only options, by design. See the manpage
for ldap.conf for details on how to specify the settings within a user
configuration file.

--
Dan White

Re: proxy to AD does not work during login client machine

[Dan White]

From: Dan White dwh...@cafedemocracy.org

On 06/11/15 23:38 +, Leo Xiao wrote:
Hi technical,

I hit a problem during configure proxy to AD.
I can run command:
$ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D 
cn=open,cn=users,dc=mydomain,dc=local -W (cn=open1) cn sAMAccountName
which return the SAMACCOUNTNAME:open successfully. --- This may mean the proxy 
works well.
But if I run command with out -D -D cn=open,cn=users,dc=mydomain,dc=local. The 
search will failed.


So you are attempting to authenticate anonymously? Or with SASL?


On 06/15/15 22:58 +, Leo Xiao wrote:

Hi Dan,

Thanks a lot for the comments. I want to authenticate anonymously, Not with 
SASL.

Is there any pam configuration needed for this scenario? Could you share
some link/doc to me? Thanks  so much.

When I use openldap user login, just run authconfig-gtk(modified the
/etc/openldap/ldap.conf) and set the ldapserver/base DN can lead me login
success.


The configuration to do anonymous binds is highly dependent on the ldap pam
module you are using. See slapo-nssov(5) if you are using the one
distributed by the OpenLDAP project. Otherwise, configuration of your ldap
pam module is outside the scope of this project. However, assuming your pam
ldap module uses (links against) libldap, consult the ldap.conf(5) manpage
as well.

--
Dan White

Re: proxy to AD does not work during login client machine

[Dan White]

On 06/11/15 23:38 +, Leo Xiao wrote:

Hi technical,

I hit a problem during configure proxy to AD.
I can run command:
$ldapsearch -x -h localhost -LLL -b dc=mydomain,dc=local -D 
cn=open,cn=users,dc=mydomain,dc=local -W (cn=open1) cn sAMAccountName
which return the SAMACCOUNTNAME:open successfully. --- This may mean the proxy 
works well.
But if I run command with out -D -D cn=open,cn=users,dc=mydomain,dc=local. The 
search will failed.


So you are attempting to authenticate anonymously? Or with SASL?


when I try to login my client machine with AD user. It always failed. --- I can 
login with openldapuser successfully.


You'll need to trouble shoot your nss/pam config, which ever one you're
using.


I think I need some configuration to force the -D in slapd.con. Is there any 
problems with my slapd.conf? Or any trouble shooting comments? Appreciate it 
very much.

Below is my slapd.conf:
###
# database definitions
###
database   ldap
suffix DC=mydomain,DC=local
urildap://dc-ad.mydomain.local/
chase-referrals no
rebind-as-user  yes
idassert-bind   bindmethod=simple
   binddn=CN=open,OU=users,DC=mydomain,DC=local
   credentials=open
   mode=none
   flags=non-prescriptive
idassert-authzFrom *


Thanks,
Leo



--
Dan White

Re: Create Mailing List

[Dan White]

On 06/01/15 07:16 -0400, Jerry wrote:

Is it possible to create a mailing list in openldap?  My MUA allows me to
create an alias like MyGroup that would then contain all the email addresses
of the people in the group. I can then simply type that alias and it is
replaced by the actual email addresses. I am looking for something like that
in openldap. I realize that I can associate multiple email addresses to a
single name; however, only one address can be chosen at a time.


You're looking for Address Book integration within your mailer. See:

http://www.openldap.org/faq/data/cache/1005.html

or google around for examples.

--
Dan White

Re: nss_ldap: failed to bind to LDAP ser

[Dan White]

On 05/31/15 10:12 +0300, Gokan Atmaca wrote:

I installed OpenLDAP. ldapsearch -x comes with everything. However,
I get an error when I try to connect to the client as follows:

Ldapcliet: (/var/log/auth.log)

02:49:58 debian8 nscd: nss_ldap: reconnecting to LDAP server (sleeping
1 seconds)...
May 31 02:49:59 debian8 nscd: nss_ldap: could not connect to any LDAP
server as (null) - Can't contact LDAP server
May 31 02:49:59 debian8 nscd: nss_ldap: failed to bind to LDAP server
ldapi://ldap01.gokan.local: Can't contact LDAP server


ldapi://ldap01.gokan.local is wrong. You probably want
ldap://ldap01.gokan.local.

Consult ldap.conf(5), and the nss_ldap documentation.


# ldapsearch -x

# extended LDIF
#
# LDAPv3
# base dc=gokan,dc=local (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#



Listening to the socket.
tcp0  0 0.0.0.0:389 0.0.0.0:*
LISTEN  4409/slapd
tcp6   0  0 :::389  :::*
LISTEN  4409/slapd


--
Dan White

Re: Openldap password problems

[Dan White]

On 05/14/15 21:02 +, jeevan kc wrote:


Hello all,We've just noticed that when a user authenticates via LDAP, it  
ignores characters after the right password. For example a user jkc900 has 
Password Welcome1 But the user can type in Welcome  or Welcome12 etc and 
still can get into the application. Its just checking the first Welcome1 and 
they can type anything after that and still can log in.  We've tested at least 
50 users and they all have the same issues. Any clues/ solution for this?
Your inputs are highly appreciated.


Can you reproduce this with ldapwhoami?

Is there a 3rd party PAM or NSS library involved in your authentication?

--
Dan White

Re: Ldap challenge

[Dan White]

On 04/22/15 20:08 +, Ross, Daniel B. wrote:

Ok I have looked a couple options but I really dont know how to accomplish
what I need to do.

Here is what I am trying to do.


I have a greater organization that is stuck on using Microsoft products
namely Microsoft LDS.   To make matters worse they present the data to my
linux servers in a completely non-standard way.   Its driving my solaris
and linux box nuts and they simply dont want to work with it.

What i need to do is continue to use the campus usernames and passwords
but present the Data in a format that my linux/unix hosts can use.  Is
this possible?

i.e.  userid would still be samwise but instead of a bizzarre
OU=monkeypeople,dc=example,dc=com I want it to present as
people,dc=example,dc=com.

I looked at referral and aliasing but it does not seem to be doing what I
am trying to do.  Passthrough authentication looks close but I cant find
sufficient documentation to actually configure a system to use it.


See slapo-rwm(5).

Pass-through is documented in section 14.5 of the Administrator's Guide:

http://www.openldap.org/doc/admin24/

Supporting Cyrus SASL documentation:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/
And /saslauthd/LDAP_SASLAUTHD within the Cyrus SASL source.

You'll find workable pass-through examples for authenticating to Exchange
in this list's archives as well as the Cyrus SASL list archives. The 'ldap'
and 'kerberos5' saslauthd backends should both be workable solutions.

--
Dan White

Re: slapd verifyclient fails on demand

[Dan White]

On 04/20/15 20:07 +0200, E.therepa wrote:

Dear Tech list,

I'd like to use CRL's to regulate client connections to my slapd server.
So i've build working certs and keys with gnutls. The whole keysetup is tested 
and working properly,
by invoking gnu-serv and gnu-cli i could succesfully create connections and 
drop clients in my revocation list.

In order to use this in slapd/ldap utils i use this settings,

slapd.conf,
TLSCACertificateFile /etc/ldap/ssl/ca-cert.pem
TLSCertificateFile /etc/ldap/ssl/clients/lrc-ldap.crt
TLSCertificateKeyFile /etc/ldap/ssl/clients/lrc-ldap.key
TLSCRLFile /etc/ldap/ssl/crl.pem
TLSCipherSuite SECURE256:-VERS-SSL3.0
TLSVerifyClient hard

ldap.conf
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ldap/ssl/ca-cert.pem
TLS_CERT /etc/ldap/ssl/clients/lrc-ldapsearch.crt


This is a user only option. See ldap.conf(5).


TLS_KEY /etc/ldap/ssl/clients/lrc-ldapsearch.key
TLS_REQCERT hard

Slapd debug,
55353d59 slapd starting
55353d5b conn=1000 fd=16 ACCEPT from IP=10.50.2.12:50764 (IP=0.0.0.0:636)
TLS: can't accept: No certificate was found..
55353d5b conn=1000 fd=16 closed (TLS negotiation failure)

ldapsearch debug,
ldap_start_tls: Can't contact LDAP server (-1)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
 :  30 05 02 01 02 42 00   0B.
ldap_write: want=7 error=Broken pipe
ldap_free_connection: actually freed


As far as i can see and found info my client and servers TLS settings are 
configured properly.
What i really don't get is that the client doesnt send his certs to the server.


--
Dan White

Re: How to disable SSF (integrity) on GSSAPI mech?

[Dan White]

On 04/19/15 17:11 +, Osipov, Michael wrote:

On 04/15/15 21:10 +, Osipov, Michael wrote:
Hi folks,

I am binding against Active Directory with GSSAPI mech and would like to
disable SASL integrity for debugging purposes with Wireshark.
Unfortunately, this call fails:



Setting a minssf should not be necessary. Do you also get this error with
maxssf=0? maxssf=1 may be a more workable option, since encryption is
really what you want to turn off, not integrity.


Yes, the error remains the same. Maxssf=1 does not help because integrity won't 
be disabled.
The encryption you are talking about is GSS confidentiality which won't be 
active anyway with
maxssf=1.


I recall being able to capture GSSAPI traffic with wireshark several years
ago. I wasn't doing it programatically though. I was either using maxssf=1
or maxssf=0, and was likely using Heimdal.

--
Dan White

Re: How to disable SSF (integrity) on GSSAPI mech?

[Dan White]

On 04/15/15 21:10 +, Osipov, Michael wrote:

Hi folks,

I am binding against Active Directory with GSSAPI mech and would like to 
disable SASL integrity for debugging purposes with Wireshark. Unfortunately, 
this call fails:

char *secprops = minssf=0,maxssf=0;
rc = ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, secprops);

with:

Diagnostic message: SASL(-1): generic failure: GSSAPI Error: A required input 
parameter could not be read (Unknown error)
Result code: -2


This error is likely produced by your Kerberos library (whichever one Cyrus
is compiled against), or perhaps with the way the security properties are
passed down from OpenLDAP to Cyrus to Kerberos.

Setting a minssf should not be necessary. Do you also get this error with
maxssf=0? maxssf=1 may be a more workable option, since encryption is
really what you want to turn off, not integrity.

--
Dan White

Re: can't chang ldap user passwd by self

[Dan White]

On 04/12/15 22:56 +0800, feora wrote:

I found log in ldap.log file

Apr 12 14:20:54 abc slapd[3136]: = access_allowed: auth access to 
uid=bobliu,ou=it,dc=abc,dc=com userPassword requested
Apr 12 14:20:54 abc slapd[3136]: = slap_access_allowed: backend 
default auth access granted to (anonymous)
Apr 12 14:20:54 abc slapd[3136]: = access_allowed: auth access 
granted by read(=rscxd)
Apr 12 14:20:54 abc slapd[3136]: = access_allowed: backend default 
write access denied to uid=bobliu,ou=it,dc=abc,dc=com


why access granted to anoymous not  bobliu.


On 04/12/2015 10:05 PM, feora wrote:

 hi, Dan
  thanks for u answer.
   I still a little confused about it.
  I run the following command
   /opt/openldap/bin/ldappasswd -x -D 
uid=bobliu,ou=it,dc=abc,dc=com -W -S

New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)

   when I run ldapsearch is ok.

userPassword:: removed


Be aware that your ssha password hash is know publicly known.

The above would indicate that you *are* successfully authenticating, since
the userPassword attribute was returned. That's assuming that your ACL
config below is accurate.


On 04/02/2015 01:40 AM, Dan White wrote:

On 03/31/15 17:47 +0800, rockwang wrote:

access to attrs=userPassword
by self write
by anonymous auth
by dn.base=cn=Manager,dc=abc,dc=com
by *  none


This config block has been through the wringer, but verify user
userPassword ACL config. Something's up. Run slaptest on your config to
verify and verify it's formatted properly.



access to *
by self write
by dn.base=cn=Manager,dc=abc,dc=com
by * read
by * none



--
Dan White

Re: can't chang password via simple authentication

[Dan White]

On 04/09/15 12:59 +0800, rockwang wrote:

hi,guys

I can't chang user password via simple authentication at ldap
client.

 I have set acl rule in slapd.conf.

 access to attr=userPassword
  by self write
  by anonymous auth
  by dn.base=cn=Manager,dc=abc,dc=com write
  by * none
  access to *
  by self write
  by dn.basecn=Manager,dc=abc,dc=com write
  by * read

ldappasswd  -x -D uid=bobliu,ou=it,dc=abc,dc=com -W -S

New password:
Re-enter new password:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

but can use  ldapsearch via simple authentication.
what about problem. thks


Are you positive that you are successfully authenticating with ldapsearch?
Your 'by * read' for 'access to *' would allow anonymous users read access
to everything except the userPassword entry. See chapter 8 in the OpenLDAP
Admin Guide for a saner example.

Use debugging/logging to trouble shoot. See slapd(8), and slapd.conf(5).

--
Dan White

Re: can't chang ldap user passwd by self

[Dan White]

On 03/31/15 17:47 +0800, rockwang wrote:

 access to attrs=userPassword
 by self write
 by anonymous auth
 by dn.base=cn=Manager,dc=abc,dc=com
 by *  none

 access to *
 by self write
 by dn.base=cn=Manager,dc=abc,dc=com
 by * read
 by * none

my question is user can't change his own password. I use following command
so I have different result.


img /

when not add -x

img /

Consult the manpage for ldappasswd. In the first case (simple bind) you did
not provide a binddn (-D). In the second case, you directed ldappasswd to
perform a SASL bind but did not correctly provide an authentication
identity, and the sasl mechanism negotiated could not derive one.

Hint: if using a simple bind, specify a full DN (with -D), and not a
uid.

--
Dan White

Re: still can't run ldapadd command after install openldap

[Dan White]

On 03/27/15 20:45 +, Wang, Hui wrote:

[root@oldaptest01 bin]# pwd
/opt/bin
[root@oldaptest01 bin]# ls -l
total 2268
lrwxrwxrwx 1 root root 10 Mar 25 10:34 ldapadd - ldapmodify
-rwxr-xr-x 1 root root 264824 Mar 25 10:34 ldapcompare
-rwxr-xr-x 1 root root 265432 Mar 25 10:34 ldapdelete
-rwxr-xr-x 1 root root 265624 Mar 25 10:34 ldapexop
-rwxr-xr-x 1 root root 277336 Mar 25 10:34 ldapmodify
-rwxr-xr-x 1 root root 265016 Mar 25 10:34 ldapmodrdn
-rwxr-xr-x 1 root root 264216 Mar 25 10:34 ldappasswd
-rwxr-xr-x 1 root root 287864 Mar 25 10:34 ldapsearch
-rwxr-xr-x 1 root root 155256 Mar 25 10:34 ldapurl
-rwxr-xr-x 1 root root 262648 Mar 25 10:34 ldapwhoami

[root@oldaptest01 bin]# [root@oldaptest01 bin]# ldapadd -x -D cn=Directory 
Manager,o=csun -W -f example.ldif
-bash: ldapadd: command not found
[root@oldaptest01 bin]#


You've installed your ldap binaries in a location which is not in your
path. Try adding /opt/bin to your path.

--
Dan White

Re: OpenLDAP permissions question

[Dan White]

On 03/19/15 23:05 +0200, Igor Shmukler wrote:

Hello Dan,

I must have done something wrong, yet this thing did not work either.
One: the delete still failed with the usual error, and second - I got
an error concerning my olcs:

550b380f /etc/ldap/slapd.d: line 1: rootdn is always granted unlimited
privileges.
550b380f olcRootPW: value #0: olcRootPW can only be set when rootdn
is under suffix


You don't need to set olcRootPW in this case. See slapd-config(5).

--
Dan White

Re: OpenLDAP permissions question

[Dan White]

On 03/19/15 22:33 +0200, Igor Shmukler wrote:

Hello Dieter,

$ sudo ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

I have been trying to delete a record using LDAPI as well as -D
cn=config with a password. I have also added commands olcAccess to
both dn: olcDatabase={0}config,cn=config as well as dn:
olcDatabase={1}hdb,cn=config [DIT] databases.

The result is always the same: ldap_delete: Insufficient access (50)
additional info: no write access to parent


If your goal is to manage your server using EXTERNAL over ldapi:///,
configuring a olcAuthzRegexp is a far simpler approach. Map
'gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth' to your rootdn
identity and you'll bypass acl restrictions altogether. 


--
Dan White

Re: external authentication source

[Dan White]

On 03/12/15 20:24 +0100, Dieter Klünter wrote:

Am Thu, 12 Mar 2015 14:00:02 +0100
schrieb Hallvard Breien Furuseth h.b.furus...@usit.uio.no:


What you describe sounds to me more like stuff like Kerberos tickets.
These are passed inside a SASL mechanism (GSSAPI), after SASL on
the server side is configured to check them against a Kerberos server.


It is a more bit complicated than Krb5 and GSSAPI. I'm in a
erlang/OTP environment which provides an authorization server, called
sasl server. I have no clue yet, what this sasl server provides. But
there is a requirement that slapd accepts the authorization string,
which should be mapped to a DN. Mapping seems to be not a problem.


Doesn't sound like EXTERNAL is appropriate here. Cyrus SASL has designed
its EXTERNAL support around the idea of the server having a priori
knowledge of who the user is, outside of the SASL exchange. You can't
tell slapd who the user is, or at least without modifying slapd code.

With EXTERNAL, you would not submit an authentication identity, only an
authz identity, *if* you wished to be authorized as another user.

Consider implementing a new SASL mechanism, or modifying the existing OTP
code. If software is advertising itself as a sasl server, then perhaps
they've already implemented this.

--
Dan White

Re: Error while instaling slapd

[Dan White]

On 03/04/15 11:33 -0300, Verónica Ovando wrote:
I need some help for solving this problem when I try to install slapd 
package on Debian from testing repositories.


|Leyendo lista de paquetes... Hecho
Creando árbol de dependencias
Leyendo la información de estado... Hecho
Se instalarán los siguientes paquetes NUEVOS:
 slapd
0 actualizados, 1 se instalarán, 0 para eliminar y 2 no actualizados.
Necesito descargar 1.344 kB de archivos.
Se utilizarán 4.091 kB de espacio de disco adicional después de esta operación.
Des:1 http://debian.linuxmint.com/latest/ testing/main slapd amd64 
2.4.31-1+nmu2+b1 [1.344 kB]
Descargados 1.344 kB en 50seg. (26,4 kB/s)
Preconfigurando paquetes ...
Seleccionando el paquete slapd previamente no seleccionado.
(Leyendo la base de datos ... 260763 ficheros o directorios instalados 
actualmente.)
Desempaquetando slapd (de .../slapd_2.4.31-1+nmu2+b1_amd64.deb) ...
Procesando disparadores para man-db ...
Configurando slapd (2.4.31-1+nmu2+b1) ...
 Omitting slapd configuration as requested.
insserv: warning: script 'K01subversion' missing LSB tags and overrides
insserv: warning: script 'subversion' missing LSB tags and overrides
[warn] No configuration file was found for slapd at /etc/ldap/slapd.conf. ... 
(warning).
invoke-rc.d: initscript slapd, action start failed.
dpkg: error al procesar slapd (--configure):
el subproceso instalado el script post-installation devolvió el código de 
salida de error 1
Se encontraron errores al procesar:
slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)
|

I do not understand why is trying to find the slapd.conf file, because 
this versión of slapd(2.4.31) uses cn=config.


Verónica,

I suggest filing a debian bug, or contacting:
pkg-openldap-de...@lists.alioth.debian.org.

The 'Omitting slapd configuration as requested.' leads me to believe you've
answered some debconf question in a way which is breaking installation, or
using a debconf frontend that is not interactive. Try dpkg --purge slapd,
and reinstalling.

--
Dan White

Re: main: TLS init def ctx failed: -1

[Dan White]

On 02/26/15 20:53 +, jeevan kc wrote:

Hi all,I followed the TLS directives and was able to generate cacert, 
servercert and server key and also sign it. I also did the configuration o   to
/usr/local/etc/openldap/slapd.d/cn=config.ldif:

§  olcTLSCACertificateFile:
/usr/local/etc/openldap/cacert.pem

§  olcTLSCertificateFile:
/usr/local/etc/openldap/servercrt.pem

§  olcTLSCertificateKeyFile:
/usr/local/etc/openldap/serverkey.pem



Everything was working fine but when I shut down slapd, it doesn't start and 
gives me this error



daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)



Feb 26 15:28:56 lap00551 slapd[14775]: main: TLS init def ctx failed: -1
Can Someone please tell me what the error is and how I fix the issue?


Which version of OpenLDAP, and which SSL library have you compiled against?

Verify permissions to the 3 files above, for the user that slapd is running
as. Verify your configuration matches the configuration options necessary
to support your SSL library. See slapd-config(5), and the TLS OPTIONS
section.

--
Dan White

Re: main: TLS init def ctx failed: -1

[Dan White]

Date: Thu, 26 Feb 2015 15:04:40 -0600
From: dwh...@cafedemocracy.org
To: jeev_...@hotmail.com
CC: openldap-technical@openldap.org
Subject: Re: main: TLS init def ctx failed: -1

On 02/26/15 20:53 +, jeevan kc wrote:
§  olcTLSCACertificateFile:
/usr/local/etc/openldap/cacert.pem
§  olcTLSCertificateFile:
/usr/local/etc/openldap/servercrt.pem
§  olcTLSCertificateKeyFile:
/usr/local/etc/openldap/serverkey.pem



Feb 26 15:28:56 lap00551 slapd[14775]: main: TLS init def ctx failed: -1
Can Someone please tell me what the error is and how I fix the issue?



Which version of OpenLDAP, and which SSL library have you compiled against?

Verify permissions to the 3 files above, for the user that slapd is running


On 02/26/15 21:30 +, jeevan kc wrote:

Hi Dan,OpenLDAP version 2.4.30OpenSSL version1.0.0dAre these two 
compatible? Also I've verified the permissions. Your reply is appreciated . 
Thanks


Try increasing your debug log level, or starting slapd in debug mode for
additional details.

Use 'openssl verify' (manpage verify(1)) to verify your cert. Running the
command *as* your slapd user could also verify permissions.

--
Dan White

Re: create new user with same UID and GID

[Dan White]

On 02/19/15 11:54 -0300, Fabián M Sales wrote:

I am creating users in LDAP and I assign different UID and GUI. For example.


What utility or process are you using to create these entries?


uid = _16661_ (user1) gid = _16664_ (user1) groups = _16664_ (user1)

I need that when the user is created is created with the same UID and
GID for user created.

as I do this?

I would love for it to be so:

uid = _16664_ (user1) gid = _16664_ (user1) groups = _16664_ (user1)


The values entered for uid/gid into your ldap directory are up to you (and
the tools you use). If you wish to limit or restrict the values that can be
used, see slapo-constraint(5) and slapo-unique(5).

--
Dan White

Re: Search with wildcard

[Dan White]

On 01/28/15 18:19 +, Alessandro Lasmar Mourao wrote:

I have the following structure in my OpenLDAP:

ou = groups
|_cn = system1
| | _cn = Group1
| | _cn = Group2
|_cn = system2
  | _cn = Group1
  | _cn = Group2

I need to perform a search and return only users who are registered on system1, 
regardless of the registered group.
When I use the search with the filter: memberOf=cn=*,cn=system1,ou=groups 
nothing is returned.
How do I perform this search in OpenLDAP? In search Oracle SJDS works!


Please provide a more concrete example of your DIT layout.

--
Dan White

Re: Creating LDAP schema issue

[Dan White]

On 01/22/15 22:32 +0100, Leander Schäfer wrote:
a user. So in the end I want to add a(nother) mail account by 
something like this:


cat  EOF  ./newUser.ldif
dn: mailAddress=t...@domain.tld,ou=mail,uid=User-1,ou=people,dc=MyDomain,dc=TLD
objectclass: top
objectclass: mailAccount

mailAddress: t...@domain.tld
MailPassword: {SSHA}SomePassword
MailAccountStatus: active
[...]
EOF


You have an errant newline between objectclass and mailAddress. You should
have received an error if you processed this file with ldapadd. Your
blank line should come at the end of your input file, or between distinct
dn entries.

Therefore I setup a LDAP schema like the following, but it seems to 
ignore the attributes MailPassword and noMailAccountStatus. Why? I 
don't understand what I'm missing here on my objectclass? I'm sure it 
is an easy little thing to fix - but I just can't figure it out with 
the tutarials provided I went thorugh ;/


I assume your mean 'MailAccountStatus' here. If so, the above typo would
explain your situation.


objectclass ( objectClassAccount:2.1
   NAME 'mailAccount'
   SUP ( top )
   STRUCTURAL
   DESC 'Mail account'
   MUST ( mailAddress )
   MAY ( MailPassword $ MailAccountStatus ) )


--
Dan White

Re: 回复： 回复： slapcat command

[Dan White]

On 01/12/15 20:41 +0800, Eileen(=^ω^=) wrote:

[root@tmsr-ldap0 ldap]# ldapadd -x -D cn=manager,dc=xxx,dc=xxx -W -f test.ldif


See the manpage for slapadd(8), which is appropriate for restoring your DB.
ldapadd is something else. If you want to store data in portable ldif
format appropriate for use with ldapadd, use ldapsearch.

--
Dan White

Re: GSSAPI vs GSS-SPNEGO

[Dan White]

On 12/28/14 11:24 -0500, Brendan Kearney wrote:

On Sun, 2014-12-28 at 02:50 +, Howard Chu wrote:

Brendan Kearney wrote:
 i want to use the pass-through auth mechanism with sasl, so that i
 validate credentials against the kerberos database, and not have to
 maintain passwords in multiple places.


ok, then i have misunderstood PLAIN vs SIMPLE, it seems.  i will back up
and explain what i am trying to do.

apache, dhcp and freeradius can all use ldap for various functionality.
they all use what i now believe to be SIMPLE auth, where they are using
cn=user,dc=domain,dc=tld as ldap usernames.  these processes are using
ldap for authentication, whereas i have only kerberos authentication
setup in my environment (and ldap authorization).  my hope was that sasl
could allow me to push the ldap authN request through to kerberos, and
in essence proxy the authentication.


This is a valid use of pass-through in my opinion, but you'll want to
protect the authentication as Howard mentioned over ldapi:/// ideally, or
tls otherwise.

pass-through does not require that you advertise any other sasl mechanisms,
such as plain, since it does not involve sasl over the wire. To use, see:

http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Add 'pwcheck_method: saslauthd' to your libsasl slapd.conf file, and should
need nothing else unless you're using a non standard location for your
saslauthd mux.

Verify that your slapd user has permissions to access the saslauthd mux,
and verify your saslauthd config with testsaslauthd.

--
Dan White

Re: GSSAPI vs GSS-SPNEGO

[Dan White]

On 12/30/14 11:09 -0500, Brendan Kearney wrote:

/run:
drwxr-xr-x  2 rootroot 100 Dec 30 10:26 saslauthd

/var/run:
lrwxrwxrwx. 1 root root 6 Dec 10 21:46 /var/run - ../run

so the ldap user would have read and execute permissions.  should i
change anything?


No.


i do have a user for dhcpd setup in that way (dn:
uid=dhcpd,dc=bpk2,dc=com and userPassword: {SASL}dh...@bpk2.com).  the
kerberos object does exist as well.


What testsaslauthd command are you running? Are you currently using the
'-r' option when starting saslauthd? Try running saslauthd in debug mode
and compare output. If you're not seeing any output when authenticating
against slapd, verify your configured saslauthd_path in slapd.conf. It
should include the '/mux' in the path, e.g. '/var/run/saslauthd/mux'.

--
Dan White

Re: GSSAPI vs GSS-SPNEGO

[Dan White]

On 12/26/14 12:10 -0500, Brendan Kearney wrote:

i am in the process of updating all of my systems to fedora 20 from
fedora 16, and am using all the latest available builds for openldap,
cyrus-sasl and mit kerberos.  i have put everything together as i had on
fedora 16, and i am finding that the sasl instance is using
sasl/gss-spnego, and not sasl/gssapi like it did on the older version.

i am not sure if i should be concerned about this, but it feels like i
should be.  i am not able to find anything that allow me to configure
things one way or another, so i can force the use of gssapi from
configs, it seems.

can anyone point me in a direction about this, tell me if i should be
concerned, or if you might have come across this before what i should be
doing that i am not?


To limit the use of specific sasl mechanisms, configure a libsasl
slapd.conf file which contains a 'mech_list' option explicitly listing the
mechanisms (space separated) you wish to offer.

Consult the fedora documentation for both slapd and libsasl2 for the
location to place the slapd.conf file in.

To obtain a list of advertised mechanisms, do:

ldapsearch -LLL -x -H ldap://ldap.example.org -s base -b  
supportedSASLMechanisms

You should also force your clients to use gssapi explicitly if that's your
preferred mechanism. The OpenLDAP client utilities offer a '-Y' option for
to do that.

--
Dan White

Re: -DLDAP_CONNECTIONLESS

[Dan White]

On 12/10/14 09:59 +0100, Michael Ströder wrote:

= dropped -DLDAP_CONNECTIONLESS

BTW: Experience shows that the code of rarely needed or unused features most
times get not much attention. Thus it's also a security measure not to add it.


Good point. This feature sounds ripe for amplification attacks.

--
Dan White

Re: SASL hashing schemes

[Dan White]

On 12/08/14 20:41 +0100, Dieter Klünter wrote:

Hi,
RFC 5802 describe a Salted Challenge Response
Authentication Mechanism and RFC 5803 describes a schema for storing
salted challenge response mechanism secrets, which recommend a
authPassword attribute type and a salted hash and a hashing scheme as
attribute value.
It seems, that OpenLDAP doesn't know authPassword

ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username:
gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth SASL SSF: 0
dn: cn=dieter kluenter,ou=partner,o=avci,c=de
changetype: modify
add: authPassword
authPassword: xxx

modifying entry cn=dieter kluenter,ou=partner,o=avci,c=de
ldap_modify: Undefined attribute type (17)
additional info: authPassword: attribute type undefined

Although the SASL Mechanism is provided and known, but the attribute
userPassword maintains a plaintext value.

ldapwhoami -Y SCRAM-SHA-1 -U dieter -w -H ldapi:///
SASL/SCRAM-SHA-1 authentication started
SASL username: dieter
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

It seems that SASl authentication only supports scram Mechanisms as
plaintext value.
Is there any intention to fully implement RFC 5802 and RFC 5803?


You could adapt this:

https://github.com/bindle/canned-openldap/blob/master/schema-custom/cmusasl.schema

--
Dan White

Re: SASL hashing schemes

[Dan White]

On 12/08/14 13:59 -0600, Dan White wrote:

On 12/08/14 20:41 +0100, Dieter Klünter wrote:

Hi,
RFC 5802 describe a Salted Challenge Response
Authentication Mechanism and RFC 5803 describes a schema for storing
salted challenge response mechanism secrets, which recommend a
authPassword attribute type and a salted hash and a hashing scheme as
attribute value.
It seems, that OpenLDAP doesn't know authPassword

ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username:
gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth SASL SSF: 0
dn: cn=dieter kluenter,ou=partner,o=avci,c=de
changetype: modify
add: authPassword
authPassword: xxx

modifying entry cn=dieter kluenter,ou=partner,o=avci,c=de
ldap_modify: Undefined attribute type (17)
additional info: authPassword: attribute type undefined

Although the SASL Mechanism is provided and known, but the attribute
userPassword maintains a plaintext value.

ldapwhoami -Y SCRAM-SHA-1 -U dieter -w -H ldapi:///
SASL/SCRAM-SHA-1 authentication started
SASL username: dieter
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

It seems that SASl authentication only supports scram Mechanisms as
plaintext value.
Is there any intention to fully implement RFC 5802 and RFC 5803?


You could adapt this:

https://github.com/bindle/canned-openldap/blob/master/schema-custom/cmusasl.schema


Also, it's cyrus sasl that is likely deciding which attribute to use.
You'll need to check it's source to verify if it supports authPassword.

--
Dan White

Re: Add attribute to already defined objectclass organizationalUnit in core.schema

[Dan White]

On 11/24/14 14:11 +, Shashi Ranjan wrote:

I need to add two elements to organizationalUnit Object Class.

How can I do it without modifying the core.schema file?
Is there a way to define two new attributes in my private schema file 
(local.schema) and then extend the object class organizationalUnit defined in 
core.schema?
I do not want to modify the file core.schema.

I wish to deliver only my local schema file (local.schema) with other changes 
also.


A better option is to create a new non-structural objectClass and *add* it
to your existing entries using organizationalUnit. Extending/replacing
organizationalUnit is an option, but would make maintenance for future
admins a bit more confusing.

--
Dan White

Re: OpenLDAP, SASL and TLS

[Dan White]

On 10/06/14 13:27 -0400, Kristof Takacs wrote:

I am having issues when I have Kerberos bind and TLS turned on.


On 10/06/14 14:03 -0400, Kristof Takacs wrote:

I use the following version:

- OpenLDAP (2.4.35), but I have tried 2.4.39 as well
- Cyrus SASL (2.1.26)
- OpenSSL (1.0.1h)
- Heimdal ( I beleive 1.5.2)


There is a known bug in Cyrus SASL which triggers this problem:

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480

If adding -O maxssf=0 to your ldapsearch command, when using both
Kerberos and TLS, works then that's likely the culprit.

--
Dan White

Re: OpenLDAP, SASL and TLS

[Dan White]

On 10/06/14 13:24 -0500, Dan White wrote:

There is a known bug in Cyrus SASL which triggers this problem:

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3480

If adding -O maxssf=0 to your ldapsearch command, when using both
Kerberos and TLS, works then that's likely the culprit.


Apparently I can't read my own bug reports. This may or may not be your
issue.

--
Dan White

Re: Syncrepl authentication via GSSAPI/SASL/Kerberos

[Dan White]

On 09/30/14 13:14 -0400, Steven Presser wrote:
I'm running a pair of OpenLDAP servers on a network which primarily 
uses kerberos for authentication.  The two servers replicate data (via 
a simple syncrepl master-slave setup).  Right now, they're using 
simple authentication.  I'd like to move them to using kerberos 
authentication.


Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND 
dn=uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth mech=GSSAPI 
sasl_ssf=56 ssf=56


On 09/30/14 13:30 -0400, Steven Presser wrote:
No; That bind DN is used only in simple authentication.  I am 
maintaining them as separate accounts, for the time being.  One of my 
ACLs is:


access to *
   by dn.exact=cn=repl,dc=pressers,dc=name read
   by dn.exact=uid=ldap/mordor.pressers.name, 
cn=pressers.name,cn=gssapi,cn=auth read


Your line here does not match the identity from your logs.

--
Dan White

Re: troubles while setting-up ldap server + pam

[Dan White]

On 09/24/14 14:30 +0200, Ivaylo Ganchev wrote:

Hello,

I am installing openldap in my cathedra and am running into a strange
problem.



- When I use libnss_ldapd and libpam_ldapd, the communication is OK, but
it seems that the client is not asking for the userPassword agrument and
so, there is no way to login (it only asks for loginShell cn gidNumber
uidNumber objectClass homeDirectory gecos uid and then in another
request shadowExpire shadowInactive shadowFlag shadowWarning
shadowLastChange uid shadowMin shadowMax


See:

http://arthurdejong.org/nss-pam-ldapd/setup

and its troubleshooting steps, namely, getent passwd, getent shadow, and
debug mode.

In default configuration, you will not directly expose the userPassword
attribute to the client - a successful bind will authenticate the client's
credentials.

--
Dan White

Re: LDAP authentication using email address

[Dan White]

On 07/28/14 15:31 +0530, Gokul nath wrote:

Hi,
I have configured openldap and it is working for username and password 
authentication.
How do i make my email address as login id in LDAP?
my working scenario is below.
User : user1, user2Group: Group1, Group2
I have added user1 to Group1 and done apache authentication using Group1. Login 
is working if i add any user to that group. i would like to make email address 
as login id. Please suggest how to configure the same.
ThanksGokul 


Specify the fully qualified username within the RDN (e.g.
uid=jsm...@example.com).

You may, however, need to patch your ldap nss library to support the @
sign. Consult the documentation for the library you're using.

--
Dan White

Re: multiple DIT

[Dan White]

On 07/23/14 10:10 -0400, andres palomo wrote:

ubuntu 12.04
openLdap 2.4.28-1

I have created a DIT dc=com
i need to create 2 additional dit for dc=net and dc=org
I have been all over the web
and it is not vlear how to create the additional DIT with the cn=config.ldif
any help will be greatly appreciated
please request additional info if required to solve


Create two new suffixes (olcSuffix) similar to your existing olcSuffix for
dc=com. See slapd-config(5), and use 'slapcat -n0' to view your config.

If you have slapd.conf examples to work with, slaptest can be used to a
generate a temporary config prior to applying (specify a temporary
directory for the -F option).

--
Dan White

Re: capture password

[Dan White]

On 07/04/14 09:57 -0300, Rogério Augusto Rondini wrote:

I need to implement password sync between AD and OpenLDAP using an IDM tool.

I want to know how to capture clear text password in OpenLDAP before
encryption so that I can sync with AD and potentially with others user
repositories.


You can capture cleartext passwords using the libsasl 'auto_transition'
option, although that requires a specific usage scenario. You'd need to be
authenticating against slapd using SASL LOGIN or PLAIN (or perhaps sasl
pass-through) with a saslauthd daemon authenticating against AD. Like this
in your sasl slapd.conf config:

pwcheck_method: saslauthd
mech_list: plain login
auto_transition: yes

Your saslauthd daemon would need to use the ldap or kerberos backends to
authenticate against AD.

The clear text password should get stored into userPassword by way of the
slapd auxprop plugin.

--
Dan White

Re: slapd dead. pls advise how I can restart it

[Dan White]

On 06/24/14 16:19 +0800, Eileen(=^ω^=) wrote:

When I start slapd, below will be come.

[root@nplserver1 openldap]# slapd start -d 256

@(#) $OpenLDAP: slapd 2.4.23 (Feb 22 2013 01:50:21) $

  
mockbu...@c6b7.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

bdb(dc=npl,dc=tmsr): unable to join the environment

bdb_db_open: database dc=npl,dc=tmsr cannot be opened, err 11. Restore from 
backup!

bdb(dc=npl,dc=tmsr): txn_checkpoint interface requires an environment 
configured for the transaction subsystem

bdb_db_close: database dc=npl,dc=tmsr: txn_checkpoint failed: Invalid 
argument (22).

backend_startup_one (type=bdb, suffix=dc=npl,dc=tmsr): bi_db_open failed! (11)

bdb_db_close: database dc=npl,dc=tmsr: alock_close failed

slapd stopped.


I'm not familiar with the specific error messages you're getting. There are
error codes in your output produced by BerkeleyDB. Consult the
documentation for that project for how to proceed in the safest manner.

Have you performed any upgrades? Do you have any permissions problems on
your directory location? Check the location corresponding to your
configured directory/olcDbDirectory.

--
Dan White

Re: slapd dead. pls advise how I can restart it

[Dan White]

On 06/24/14 10:10 -0400, Mauricio Tavares wrote:

On Tue, Jun 24, 2014 at 9:47 AM, Dan White dwh...@olp.net wrote:

On 06/24/14 16:19 +0800, Eileen(=^ω^=) wrote:

bdb(dc=npl,dc=tmsr): unable to join the environment
bdb_db_open: database dc=npl,dc=tmsr cannot be opened, err 11. Restore
from backup!
bdb(dc=npl,dc=tmsr): txn_checkpoint interface requires an environment
configured for the transaction subsystem
bdb_db_close: database dc=npl,dc=tmsr: txn_checkpoint failed: Invalid
argument (22).
backend_startup_one (type=bdb, suffix=dc=npl,dc=tmsr): bi_db_open
failed! (11)
bdb_db_close: database dc=npl,dc=tmsr: alock_close failed
slapd stopped.



I'm not familiar with the specific error messages you're getting. There are
error codes in your output produced by BerkeleyDB. Consult the
documentation for that project for how to proceed in the safest manner.

Have you performed any upgrades? Do you have any permissions problems on
your directory location? Check the location corresponding to your
configured directory/olcDbDirectory.


 I does sound like the database is corrupted somehow. slapcat
needs slapd to be running, right?


slapcat does not need slapd to be running, but will probably hit similar
errors.

--
Dan White

Re: regarding logging when running in the foreground

[Dan White]

On 05/16/14 12:12 +0300, Mike Jackson wrote:

Hi,

Is there a way to prevent slapd from using syslog when running in the 
foreground? I run slapd permanently under the runit process 
supervision package with -d 256, and it already captures stderr to 
it's own logging system. However, I also get the same log messages 
cluttering up my syslog with local4.debug lines. Running in the 
foreground is pretty much a requirement for using process supervision 
and almost every service related software supports it for this reason. 
The background logging, despite running in the foreground, is 
undesired behavior.


You could direct your syslog daemon to ignore those messages.
Look for lines which include:

*.debug
local4.debug
local4.*

--
Dan White

Re: common name

[Dan White]

On 05/12/14 09:30 -0400, Jignesh wrote:

I have confusion on on common name. In Open ldap it is a combination of
first name and last name and other side it is unique. So it is forces us
to use something else then combination of first name and last name.


That's incorrect. The value can be anything that meets the syntax
constraints (see RFC 2256), and it is typically the person's full name.

If you choose to use CN within the entry's DN, then you may well run into
conflicts with other entries. Consider using a uid, with a unique value,
instead.


Now tools like php openldap, apache directory shows the LDPA user in left
navigation by common name. So if we map common name to something else then
we will have problem to view the list  in these tools.


Make liberal use of search filters within client tools, such as apache
directory studio, to find particular entries (such as by common name). Of
course, if you actually have two people with the same name, then you'll
need to find your own method of distinguishing between them.


Is it possible to change the setting for above tools so that they can
reflect based on first name and last name instead of common name?


You also have other attributes to store partial, or whole, names into, such
as gecos and surname. Or you can create your custom attributes via schema
definition.

--
Dan White

Re: Multiple userPasswords entries resetting one value

[Dan White]

On 05/01/14 21:36 -0400, Michael wrote:

I have a user with a SSHA userPassword value as well as a SASL
userPassword entry. The SASL entry will never change but I'd like to be
able to reset and age the SSHA entry only. Is this aging of only one value
possible with ppolicy and is it possible to handle manual resets with
ldappasswd and/or utilizing an LDIF file?


By SASL userPassword entry, do you mean a cleartext value, or a
{SASL}u...@domain.com pass-through entry? I'll assume cleartext.

Try setting olcPasswordHash to {SSHA} only. slapd may (or may
not) leave the cleartext userPassword entry alone. I haven't used that
case.

A more straight forward approach would be to store your sasl authentication
material in another sasl auxprop plugin (sasldb or sql) and set
olcSaslAuxprops appropriately.

--
Dan White

Re: Duplicate dynamically an OU with another RDN ?

[Dan White]

On 04/29/14 14:57 +0200, Sylvain wrote:

Hi !

I have a branch ou=people where RDN are in the form X1234 and NEVER
change for one people.
Ex. : uid=X1234,ou=people,dc=example,dc=org

In this node, I have the login under eduPersonPrincipalName attribute
which MAY change.

Some applications doesn't allow us to define which login to use and so take
uid attribute by default, not so cool.

Is there any possibility in OpenLDAP to duplicate dynamically an OU with
another RDN to have for example :
uid=sylvain,ou=peoplebis,dc=example,dc=org ?


The rwm overlay should handle this. Point your broken applications to a
unique suffix (e.g. dc=example,dc=org,dc=brokenapps), which overwrites the
incoming DN to use eduPersonPrincipalName instead of uid. See slapo-rwm(5).

--
Dan White

Re: Getting the list of members in an AD group

[Dan White]

On 04/07/14 11:06 +0530, Sankar P wrote:

Hi,

I have the SID of an AD group. I want to get the list of members who
belong to that group. All the documentation page that I search for
points me to the reverse only (i.e., getting all the groups membership
information of a user).

Can someone show me to the relevant way to get the users who belong to
a group whose SID I have ?


ldapsearch -Y DIGEST-MD5 -U joe -H ldap://192.0.2.1 \
  -b dc=example,dc=com -s sub objectSid=XXX dn

--
Dan White

Re: Why ldapadd -x -D cn=admin, cn=config -W -f ~/sudoWork/cn\=sudo.ldif does not work?

[Dan White]

On 03/28/14 22:21 -0500, Peng Yu wrote:

I get the following error.

pengy@openldapserver:~$ ldapadd -x -D cn=admin,cn=config -W -f
~/sudoWork/cn\=sudo.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Here is the log. Does anybody know what the log means and how to fix
the problem? Thanks.

pengy@openldapserver:~$ tail -n 5 /var/log/syslog
Mar 28 22:20:07 openldapserver slapd[972]: conn=1460 fd=21 ACCEPT from
IP=127.0.0.1:47481 (IP=0.0.0.0:389)
Mar 28 22:20:07 openldapserver slapd[972]: conn=1460 op=0 BIND
dn=cn=admin,cn=config method=128
Mar 28 22:20:07 openldapserver slapd[972]: conn=1460 op=0 RESULT
tag=97 err=49 text=
Mar 28 22:20:07 openldapserver slapd[972]: conn=1460 op=1 UNBIND
Mar 28 22:20:07 openldapserver slapd[972]: conn=1460 fd=21 closed


This means that either 'cn=admin,cn=config' does not match your oldRootDN,
or (/and) the password you are providing does not match your oldRootPW. You
may get an idea of which is the case by viewing your config with:

slapcat -n0

See the slapd-config(5) manpage, and 


http://www.openldap.org/doc/admin24/slapdconf2.html

Assuming that you are using using Ubuntu, you may wish to try this instead:

ldapadd -Y external -H ldapi:/// =f ~/sudoWork/cn\=sudo.ldif

--
Dan White

Re: Why ldapadd -x -D cn=admin, cn=config -W -f ~/sudoWork/cn\=sudo.ldif does not work?

[Dan White]

On 03/29/14 09:41 -0500, Peng Yu wrote:

On Sat, Mar 29, 2014 at 8:32 AM, Dan White dwh...@olp.net wrote:

On 03/28/14 22:21 -0500, Peng Yu wrote:

I get the following error.

pengy@openldapserver:~$ ldapadd -x -D cn=admin,cn=config -W -f
~/sudoWork/cn\=sudo.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


This means that either 'cn=admin,cn=config' does not match your oldRootDN,
or (/and) the password you are providing does not match your oldRootPW. You
may get an idea of which is the case by viewing your config with:

slapcat -n0


I assume that this should be run on the server not the client. Here is
what I get. But I have no idea what to look at. Would you please help
me understand how it can be used for debugging my case.


Read the fine manual:


See the slapd-config(5) manpage, and
http://www.openldap.org/doc/admin24/slapdconf2.html



pengy@openldapserver:~$ sudo  slapcat -n0



dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
structuralObjectClass: olcDatabaseConfig
entryUUID: a3343a42-465f-1033-9540-f5ee9a20f09d
creatorsName: cn=config
createTimestamp: 2014034706Z
entryCSN: 2014034706.118986Z#00#000#00
modifiersName: cn=config
modifyTimestamp: 2014034706Z


You have no olcRootDN listed for your configuration database, which, as I
understand it, means you have no capability to modify your config using
ldapadd. For a solution, see:

http://www.openldap.org/lists/openldap-technical/201211/msg00195.html

You'll need to add olcRootDN and olcRootPW to the above entry, such as the
ones you have listed below for your dc=yulab,dc=tamu suffix, assuming that
you know what your original password is:


dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=yulab,dc=tamu
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
s auth by dn=cn=admin,dc=yulab,dc=tamu write by * none
olcAccess: {1}to dn.base= by * read
olcAccess: {2}to * by self write by dn=cn=admin,dc=yulab,dc=tamu write by *
read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=yulab,dc=tamu
olcRootPW:: e1NTSEF9QWk1Z280ZEo1Zy9UYTJEVEpBdWNLRkxoekh1c1kyN1A=


--
Dan White

Re: What is the replacement for /etc/ldap.conf?

[Dan White]

On 03/29/14 10:32 -0500, Peng Yu wrote:

http://ubuntuforums.org/showthread.php?t=1421998

The above link mentioned the following code. But /etc/ldap.conf is not
available on ubuntu 13.10. Does anybody know what I should do instead?
Thanks.


Consult the manpage for ldap.conf. It should list the correct location, for
your system, under the FILES section.

--
Dan White

Re: Converting from slapd.d back to slapd.conf

[Dan White]

On Thu, 27 Mar 2014, Christian Kratzer wrote:

Hi,

On Thu, 27 Mar 2014, Sven Jourgensen wrote:
 Is there a tool to perform the reverse operation, and convert the newer
 cn=config configuration back into a slapd.conf?

no. This is currenty a one way street and is expected to stay that way.

Is there any special reason you would like to have this ?

On 03/27/14 09:11 -0500, Sven Jourgensen wrote:

Yes, we've been using the cn=config method since we upgraded our machines
a year or two back, and it's created problems that we didn't have with a
single flat config file. We don't need the ability to change config on the
fly, so we're going to convert back.

I have my generic slapd.conf for our machines but I'd like to compare it.


Sounds like a job for diff:

slapcap -n0 -F path_to_existing_slapd.d  $TMP/slapd-portable.ldif

mkdir $TMP/slapd.d.generic
slaptest -f path_to/slapd.conf.generic -F $TMP/slapd.d.generic
slapcat -n0 -F $TMP/slapd.conf.generic  $TMP/generic-portable.ldif

diff -ruN $TMP/slapd-portable.ldif $TMP/generic-portable.ldif

Compare the output, and adjust your generic slapd.conf, then rinse, lather,
and repeat until you get the same output.

--
Dan White

Re: Kerberos issue running OpenLDAP on Mac OS X Mavericks

[Dan White]

Putting the email list back into the CC.

On 03/20/14 10:16 -0500, Denis Ahearn wrote:

Thanks for responding Dan.  We have spent the past several days taking the
information you provided and trying to get smarter about how OpenLDAP and
Kerberos work on Mac OS X Mavericks.  Unfortunately we haven't made much
progress.  I think it may be because the way we are trying to use OpenLDAP
is not the standard way that  Apple intends it to be used from a server or
client standpoint, so there doesn't seem to be any documentation available
that speaks directly to our use case.  Responses to your questions are
listed below.


If you are authenticating against Active Directory, how does slapd fit
into the picture?


Our Rails app authenticates using Active Directory only in staging and
production. We're using OpenLDAP (slapd) in our local development
environments to simulate this (i.e. to provide a local LDAP server that
serves the purpose that Active Directory does in production).  To test
locally, we define an organization, groups and users in ldif files that get
loaded into OpenLDAP using ldapadd.


Do you have an authz-regex rule mapping the authentication identity to
this? Can you reproduce this problem with ldapsearch/ldapwhoami, using
the same parameters as your ruby code?


Are you referring to setting an authz-regex rule in slapd.conf?  If so, we
do not have any authz-regex rules in our slapd.conf.  I attached the
slapd.conf and ldap.conf files that are being used with OpenLDAP if that
helps.


It appears your client has a kerberos ticket, and is attempting GSSAPI
authentication. You can verify that with klist or your OS's kerberos
utilities.


I ran the klist command on the Mac that is having this issue.  Output is
below:

$ klist

Credentials cache: API:77A8E90B-01BF-4F18-A94E-035C3AB25A59

   Principal: dahe...@bwd.int

 IssuedExpiresPrincipal



The client side Ruby code may allow you to configure a sasl mechanism.
If not, see ldap.conf(5) and set an appropriate LDAPSASL_MECH
environment variable or set SASL_MECH within your home .ldaprc file
(to, for instance, DIGEST-MD5).


We tried the suggestions you listed above, none of which seemed to have any
effect on OpenLDAP's behavior (output in slapd.log is exactly the same).


I'm still not clear if ruby is attempting SASL GSSAPI authentication or
not.  Your syslog (auth facility) may tell you that. Since you have a
ticket, it's certainly possible.

You can disable GSSAPI in a couple of additional ways:

1) Remove the SASL GSSAPI shared library, assuming your cyrus sasl install
was compiled using shared libraries. pluginviewer (or saslpluginview)
should list the mechanisms which are installed.

2) Configure a slapd.conf SASL configuration, on the server, which
explicitly lists which mechanisms you wish to offer. The FAQ at:

http://www.cyrussasl.org/mediawiki/index.php/FAQ

details how to *enable* GSSAPI for slapd. Find out where cyrus sasl is
looking for config files (e.g. /usr/lib/sasl2 or /etc/sasl2) and create a
slapd.conf file with this line:

mech_list: PLAIN LOGIN DIGEST-MD5

Are you performing pass-through authentication? In that case, try running
saslauthd in debug mode for testing.


We are only using OpenLDAP in our development environment as a way to store
groups and users for testing purposes, and to provide an LDAP server that
our application can talk to in the same way it talks to Active Directory in
our production environment.  We rely upon logic in the application (the
Ruby Devise and CanCan gems) to provide the necessary authentication and
authorization services.  What I think we need to do is make OpenLDAP not
use Kerberos or other authentication mechanisms, but I haven't been able to
figure out if this is possible and if so, how to do that.  Does this sound
like the way to go?  If so, can you provide any assistance in setting this
up?  Is there anything else I can send you to help you understand our setup?


Replace the ruby authentication step with a ldapsearch/ldapwhoami call
(with a -d -1 option for debugging on the client side). Or see if you can
specify a debug option within Ruby (assuming it is using libldap). If you
can figure out how your ruby code is connecting to the server in this way,
your problem will likely stand out pretty quickly. A wireshark trace of the
ruby ldap connection may help with that as well.

--
Dan White

Re: Kerberos issue running OpenLDAP on Mac OS X Mavericks

[Dan White]

On 03/20/14 11:18 -0500, Denis Ahearn wrote:

Attached is the output from running ldapwhoami -d -1 on the Mac having
the issue (i.e. running Mavericks).  From the output of that command, it
seems that GSSAPI is a supported SASL mechanism (perhaps the only one?).
The command fails with the following:

ldap_sasl_interactive_bind: server supports: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_int_sasl_open: host=blue52s-mbp.netgear.com
SASL/GSSAPI authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous
failure (see text (Matching credential (krbtgt/netgear@bw.int) not
found)


Makes sense. Either specify the mechanism you want to use, or disable
gssapi on the server or client using one of the below methods.


This is a Mac running Mac OS X 10.9 (Mavericks) that was configured by our
sys admin to connect to our company's Active Directory server when logging
into the machine.  That is independent of what we are trying to do with
OpenLDAP from an application development standpoint, but perhaps the two
are conflicting?  We have several developers running the previous Mac OS X
version (i.e. 10.8.5 - Mountain Lion), who are not having these issues with
OpenLDAP.  Perhaps it has something to do with how Apple built/configured
OpenLDAP for Mavericks?



On Thu, Mar 20, 2014 at 10:45 AM, Dan White dwh...@olp.net wrote:

You can disable GSSAPI in a couple of additional ways:

1) Remove the SASL GSSAPI shared library, assuming your cyrus sasl install
was compiled using shared libraries. pluginviewer (or saslpluginview)
should list the mechanisms which are installed.

2) Configure a slapd.conf SASL configuration, on the server, which
explicitly lists which mechanisms you wish to offer. The FAQ at:

http://www.cyrussasl.org/mediawiki/index.php/FAQ

details how to *enable* GSSAPI for slapd. Find out where cyrus sasl is
looking for config files (e.g. /usr/lib/sasl2 or /etc/sasl2) and create a
slapd.conf file with this line:

mech_list: PLAIN LOGIN DIGEST-MD5


--
Dan White

Re: Kerberos issue running OpenLDAP on Mac OS X Mavericks

[Dan White]

On 03/11/14 11:53 -0500, Denis Ahearn wrote:

We have a Rails app that uses OpenLDAP in the local development environment
on Mac OS X to authenticate and authorize users (we use Active Directory in
production and staging).  Up until now all development has been done on
Macs running Mountain Lion, and OpenLDAP has worked fine.  Recently a new
developer joined our team who is using a Mac running Mavericks, however
OpenLDAP is behaving differently on his Mac. On Mavericks, OpenLDAP is
trying to do something with Kerberos, which is failing.  We see the
following in the slapd.log on Mavericks:


If you are authenticating against Active Directory, how does slapd fit into
the picture?


5319fc2c  dnPrettyNormal: cn=jdoe,ou=people,dc=bluewaterbrand,dc=com
5319fc2c  dnPrettyNormal: cn=jdoe,ou=people,dc=bluewaterbrand,dc=com,
cn=jdoe,ou=people,dc=bluewaterbrand,dc=com
5319fc2c do_bind: version=3 dn=cn=jdoe,ou=people,dc=bluewaterbrand,dc=com
method=128
5319fc2c bdb_dn2entry(cn=jdoe,ou=people,dc=bluewaterbrand,dc=com)
5319fc2c = bdb_search
5319fc2c bdb_dn2entry(cn=kerberoskdc,cn=config,dc=bluewaterbrand,dc=com)
5319fc2c = bdb_dn2id(cn=config,dc=bluewaterbrand,dc=com)
5319fc2c = bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair
found (-30988)
5319fc2c entry_decode: dc=bluewaterbrand,dc=com
5319fc2c = entry_decode(dc=bluewaterbrand,dc=com)
5319fc2c send_ldap_result: conn=-1 op=0 p=0
5319fc2c Entry *odusers_copy_entry(Operation *): Unable to locate
cn=kerberoskdc,cn=config,dc=bluewaterbrand,dc=com (32)


Do you have an authz-regex rule mapping the authentication identity to
this? Can you reproduce this problem with ldapsearch/ldapwhoami, using the
same parameters as your ruby code?


5319fc2c odusers_copy_krbrealm: No entry associated with KerberosKDC
cn=kerberoskdc,cn=config,dc=bluewaterbrand,dc=com
5319fc2c odusers_krb_auth: could not retrieve krb realm while authing jdoe
5319fc2c int odusers_increment_failedlogin(struct berval *): Unable to
retrieve description of loginFailedAttempts attribute5319fc2c bdb_bind:
Error to increment failed login count for
cn=jdoe,ou=people,dc=bluewaterbrand,dc=com5319fc2c send_ldap_result:
conn=1003 op=0 p=3


It appears your client has a kerberos ticket, and is attempting GSSAPI
authentication. You can verify that with klist or your OS's kerberos
utilities.


Here's the same section of slapd.log from a Mac running Mountain Lion,
which is working correctly:

531e25c9  dnPrettyNormal: cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com
531e25c9  dnPrettyNormal: cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com,
cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com
531e25c9 do_bind: version=3
dn=cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com method=128
531e25c9 bdb_dn2entry(cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com)
531e25c9 do_bind: v3 bind: cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com to
cn=cjdoe,ou=people,dc=bluewaterbrand,dc=com
531e25c9 send_ldap_result: conn=1003 op=0 p=3
531e25c9 send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 14
ldap_write: want=14, written=14
 :  30 0c 02 01 01 61 07 0a  01 00 04 00 04 00
0a
531e25c9 connection_get(14): got connid=1003
531e25c9 connection_read(14): checking for input on id=1003
ber_get_next
ldap_read: want=8, got=0

We've spent a copule of days looking into this, and can't find any
noticeable differences in the ldap.conf and slapd.conf files between
Mavericks and Mountain Lion that would explain why Mavericks is doing a
search on cn=kerberoskdc,cn=config,dc=bluewaterbrand,dc=com.

Does anyone know why OpenLDAP on Mavericks is behaving the way that it is,
and more importantly, what would be the correct way to resolve this issue?
Our Rails app is using the devise and devise_ldap_authenticatable
gems to handle user authentication, so it would seem that we don't want
OpenLDAP to do anything with Kerberos at all.  Can this be controlled via
configuration, or is this an issue with how the OpenLDAP shipped with
Mavericks was built?


The client side Ruby code may allow you to configure a sasl mechanism. If
not, see ldap.conf(5) and set an appropriate LDAPSASL_MECH environment
variable or set SASL_MECH within your home .ldaprc file (to, for instance,
DIGEST-MD5).

--
Dan White

Re: LDAP Passwordless SSH Problem

[Dan White]

On 03/05/14 13:29 -0800, Kamran Khan wrote:

I have a cluster, running RHEL6.5, which I have installed and configured
LDAP w/ TLS support. The systems are all authenticating using LDAP
properly, and I have added a test user to make sure this works. I can 'su'
into the new user, and SSH across all systems. However, it requires a
password upon every SSH.

Please see verbose SSH below:
===
[root@usdtwclus01 ~]# su - jramey


Do:

ssh-add -L

here, and make sure that key is located within the your authorized_keys
file (on n001). Use ssh-copy-id if not. Run a second instance of sshd on
the server, is debug mode, to catch permissions problems, or something less
obvious, with:

/usr/sbin/sshd -d -p 2200


[jramey@usdtwclus01 ~]$ ssh -v n001
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config



debug1: identity file /home/jramey/.ssh/id_rsa type 1
debug1: identity file /home/jramey/.ssh/id_rsa-cert type -1



debug1: Host 'n001' is known and matches the RSA host key.
debug1: Found key in /home/jramey/.ssh/known_hosts:1
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/jramey/.ssh/id_rsa (0x7f0a9fb7a6a0)



debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list 
publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred 
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: 
gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 172.16.36.1.
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15000' not found

debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15000' not found

debug1: Unspecified GSS failure. Minor code may provide more information


debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_15000' not found

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/jramey/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 1645
debug1: Authentications that can continue: 
publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
jramey@n001's password:



On 03/06/14 10:20 -0800, Kamran Khan wrote:

I'm not sure which means you are referring to, but I do have a user named
'user' which I created locally, and 'user' can passwordless ssh across the
cluster just fine.


Granted, this problem appears to only be happening to your 'ldap' users,
but there is nothing that you have presented that indicates you have a
problem with your ldap setup. sshd will not, by default, retrieve
keys from an ldap server. If that is your aim, consult the OpenSSH
documentation.

--
Dan White

Re: Slapd TLS issue

[Dan White]

On 03/06/14 16:13 -0600, Eric Falbe wrote:

Hi,

Does anyone know where the database in the message:
TLS: error: the certificate '/etc/pki/tls/certs/ldap.
cassens.com.pem' could not be found in the database - error -12285:Unable
to find the certificate or key necessary for authentication


This error is likely coming from your ssl library. Search for the error
message (-12285 points to an NSS error code).

See slapd-config(5) and its notes underneath olcTLSCACertificatePath, etc,
and consult the documentation for NSS.


Is located at and how I might rebuild it?

Also, the only 3 configuration directives I have set for TLS is:
olcTLSCertificateFile: /etc/pki/tls/certs/ldap2.cassens.com.pem
olcTLSCertificateKeyFile: /etc/pki/tls/private/ldap2.cassens.comKey.pem
olcTLSCACertificateFile: /etc/pki/tls/certs/ca.pem





On Wed, Mar 5, 2014 at 3:27 PM, Eric Falbe ericf...@gmail.com wrote:


Hi,
When I try to start slapd I get this error message:
Checking configuration files for slapd:[WARNING]
PROXIED attributeDescription DC inserted.
config file testing succeeded
Starting slapd: @(#) $OpenLDAP: slapd 2.4.23 (Feb  3 2014 19:11:35) $
mockbu...@c6b10.bsys.dev.centos.org:
/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
PROXIED attributeDescription DC inserted.
bdb_db_open: database dc=cassens,dc=com: unclean shutdown detected;
attempting recovery.
bdb_db_open: database cn=accesslog: unclean shutdown detected;
attempting recovery.
slapd starting
TLS: error: the certificate '/etc/pki/tls/certs/ldap.cassens.com.pem'
could not be found in the database - error -12285:Unable to find the
certificate or key necessary for authentication..
TLS: certificate '/etc/pki/tls/certs/ldap.cassens.com.pem' successfully
loaded from PEM file.
TLS: no unlocked certificate for certificate 'CN=ldap.cassens.com,OU=Ldap
Server,O=Cassens Transport Company,C=US'.
ppolicy_bind: Setting warning for password expiry for
cn=replication,dc=cassens,dc=com = 0 seconds
^Cdaemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.


This server was working last night, I had to promote our secondary ldap
server this morning.

I have attempted to rebuild the database backend (with slapcat and
slapadd), but am still getting this same error.  I have my ssl
(self-signed) certificates located in
/etc/pki/tls/certs/ldap.cassens.com.pem /etc/pki/tls/tls/certa/ca.pem
/etc/pki/tls/private/ldap.cassens.comKey.pem

These certificates worked fine up untill today, does anyone have any
insight on where to look to being troubleshooting this issue?

Thanks,
Eric Falbe



--
Dan White

Re: Restricting access based on IP Address

[Dan White]

On 03/04/14 15:15 -0500, kevin sullivan wrote:

Hi,

I am running an OpenLDAP server version 2.4.23 and I would like to restrict
a user from connecting unless they are connecting via an ldapi connection
or localhost. Specifically, I would like to only let the rootdn manage
things from localhost or from an ldapi connection, which ensures that they
are on localhost. I do not want to prevent other users from connecting to
my LDAP server via an ldaps connection from anywhere on the network.

Is this possible? I have read a good bit about access control directives,
but I haven't seen what I am looking for. I am guessing that what I am
looking for probably deals with 'sockname' or 'sockurl', but I don't know
how to use those statements to properly configure slapd.


See the example given for option '-h' in the slapd manpage.

Use standard olcRootDN/olpRootPW configuration for administrative access,
unless you don't want to allow such access over ldaps:///, in which case
I'd recommend restricting admin access to SASL EXTERNAL over ldapi:///, by
configuring a olcAuthzRegexp and olcRootDN.

--
Dan White

Re: Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb

[Dan White]

Forwarding to the list for posterity.

On 02/25/14 15:22 -0700, Nels Lindquist wrote:

On 2/21/2014 1:45 PM, Dan White wrote:

On 02/21/14 13:09 -0700, Nels Lindquist wrote:


snip


However, from what I can determine I'm not getting any realm component
in the searches coming through.  The default realm configuration works
when I use a bare userid to authenticate, but when using a full e-mail
address, that comes through as
uid=exam...@example.com,cn=[authmech],cn=auth.  That said, I haven't
found a LogLevel which includes AuthzRegexp processing; I've tried
various settings, but the closest I've come is logging the resulting
bind requests (eg. BIND dn=uid=example,ou=people,dc=example,dc=com
mech=DIGEST-MD5 sasl_ssf=128 ssf=128).


I would not depend on realm being delivered in a consistent way from cyrus
imapd/sasl. Different mechanisms will act in different ways. libsasl2 is
responsible for providing the realm (or not). To maintain some consistency,
create two sets of authz-regexp rules, such as:

authz-regexp
  uid=([^,]+),cn=([^,]+),cn=auth
  ldap:///dc=eng,dc=example,dc=com??one?((uid=$1)(objectClass=person))

authz-regexp
  uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth

ldap:///dc=eng,dc=example,dc=com??one?((uid=$1@$2)(objectClass=person))

And you may need a third rule which matches cases where both a fully
qualified username AND a realm are provided.


To be more clear, in my LDAP none of the objects have uids incorporating
e-mail addresses, but that's how Cyrus IMAP allows for virtual domain
logins.

My base dn is actually o=top, and then I have the various domains laid
out like:

dc=example,dc=com,o=top
dc=example2,dc=ca,o=top

... so my plan was to use the virtual domain information to translate
into which subtree I need to search against.  The fallthrough default
domain just searches the bare uid against a particular subtree.

It seems to be working using this (we're using LDAPRouting with
Sendmail, so all mailboxes must have inetLocalMailRecipient attributes):

# Match e-mail address; map to correct subtree

authz-regexp
 uid=([^,]+)@([^,\.]+)\.([^,]+),cn=[^,]*,cn=auth
 ldap:///dc=$2,dc=$3,o=top??sub?((uid=$1)(mailLocalAddress=*))


# Default domain

authz-regexp
 uid=([^,]*),cn=[^,]*,cn=auth
 ldap:///dc=example,dc=com,o=top??sub?((uid=$1)(mailLocalAddress=*))


ldapwhoami is highly recommend for testing this setup. Include all of -Y,
-U, and -X.


Thanks very much for putting me on the right track!


--
Dan White