
Re: openldap-technical Digest, Vol 17, Issue 4



Hello
as an administrator user could have a read-only


2009/4/4 <openldap-technical-request@openldap.org>
Send openldap-technical mailing list submissions to
       openldap-technical@openldap.org

To subscribe or unsubscribe via the World Wide Web, visit
       http://www.openldap.org/lists/mm/listinfo/openldap-technical
or, via email, send a message with subject or body 'help' to
       openldap-technical-request@openldap.org

You can reach the person managing the list at
       openldap-technical-owner@openldap.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of openldap-technical digest..."



Today's Topics:

  1. smbk5pwd for openldap 2.3 (Daniel Spannbauer)
  2. Unable to auth on replica (Marcio Merlone)
  3. How to Secure openLdap nss_ldap
     (Matthew.GARRETT@external.total.com)
  4. TLS/Certificate Problem Openldap (Steffen Knauf)


----------------------------------------------------------------------

Message: 1
Date: Thu, 02 Apr 2009 12:02:17 +0200
From: Daniel Spannbauer <ds@marco.de>
Subject: smbk5pwd for openldap 2.3
To: openldap-technical@openldap.org
Message-ID: <49D48D29.5010809@marco.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

Hello,

I'm using the distro opensuse 10.2.
I'm missing the module smbk5pwd.
Can I build this module for openldap 2.3?

Regards

Daniel

--
Daniel Spannbauer                         Software Development
marco Systemanalyse und Entwicklung GmbH  Tel   +49 8333 9233-27 Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen   Mobil +49 171 4033220
http://www.marco.de/                      Email ds@marco.de
Managing Director Martin Reuter           HRB 171775 Amtsgericht München


------------------------------

Message: 2
Date: Thu, 02 Apr 2009 09:10:32 -0300
From: Marcio Merlone <marcio.merlone@a1.ind.br>
Subject: Unable to auth on replica
To: OpenLDAP <openldap-technical@openldap.org>
Message-ID: <49D4AB38.7070403@a1.ind.br>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello,

I have set two Ubuntu 8.04 servers running OpenLDAP
2.4.9-0ubuntu0.8.04.2. I have set replication as per the docs. On the
slave, I start with an empty /var/lib/ldap, and when I start the replica
the dir is populated with the files, I am able to anon search, etc.
Great, except my clients are able to auth on the provider but not on the
replica.

Both provider and consumer have the same ACLs, and the diff from one
conf to the other is:

--- slapd.conf  2009-04-02 09:04:42.000000000 -0300
+++ slapd.conf.replica    2009-04-02 09:05:47.000000000 -0300
@@ -60,19 +61,13 @@
 # 'database' directive occurs
 database        hdb

-overlay syncprov
-syncprov-checkpoint 100 10
-syncprov-sessionlog 100
-
-# Let the replica DN have limitless searches
-limits dn.exact="cn=syncrepl,dc=a1,dc=ind" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
-
 # The base of your directory in database #1
 suffix          "dc=a1,dc=ind"

 # rootdn directive for specifying a superuser on the database. This is
needed
 # for syncrepl.
-# rootdn          "cn=admin,dc=a1,dc=ind"
+rootdn          "cn=admin,dc=a1,dc=ind"
+

 # Where the database file are physically stored for database #1
 directory       "/var/lib/ldap"
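Review bot: the removed `limits dn.exact="cn=syncrepl,dc=a1,dc=ind" ...` directive is split over two lines here, with `time.hard=unlimited ...` carrying neither leading whitespace nor a `-` prefix; if that is the file's real layout rather than mail wrapping, slapd reads the second line as an unknown directive, because a slapd.conf continuation line must start with whitespace. Dropping the directive on the consumer is otherwise correct, since the limit matters where the syncrepl DN searches, i.e. on the provider. Uncommenting `rootdn` on the consumer is also required, as the context comment says: the consumer writes replicated entries as rootdn, bypassing its own ACLs.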
@@ -112,6 +108,21 @@
 # Where to store the replica logs for database #1
 # replogfile   /var/lib/ldap/replog

+syncrepl rid=3
+   provider=ldap://192.168.0.201:389
+   type=refreshAndPersist
+   interval=01:00:00:00
+   searchbase="dc=a1,dc=ind"
+   scope=sub
+   schemachecking=off
+   bindmethod=simple
+   binddn="cn=syncrepl,dc=a1,dc=ind"
+   credentials=xxxxx
+
+
+# updateref   ldap://192.168.0.201:389
+
+
 # The userPassword by default can be changed
 # by the entry owning it if they are authenticated.
 # Others should not be able to see it, except the
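Review bot: this stanza explains the symptom better than the consumer's ACLs do. Entries are fetched as `cn=syncrepl,dc=a1,dc=ind`, and the context lines right after it describe the usual userPassword rule ("Others should not be able to see it"), so unless that DN is explicitly granted read on userPassword on the provider, entries arrive on the replica without the attribute and simple binds fail only there. Check one user entry on the replica for userPassword before changing anything else. Two further points: `bindmethod=simple` with `credentials=` over plain `ldap://192.168.0.201:389` sends the replication password in the clear, so add `starttls=critical` (with a CA configured) to the stanza; and `interval=01:00:00:00` has no effect with `type=refreshAndPersist`. Leaving `updateref` commented out means the replica refuses writes instead of referring them to the provider.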


Any idea on what could be wrong? Thanks in advance for any hint or help.


--
Marcio Merlone



------------------------------

Message: 3
Date: Thu, 2 Apr 2009 14:43:12 +0100
From: Matthew.GARRETT@external.total.com
Subject: How to Secure openLdap nss_ldap
To: openldap-technical@openldap.org
Message-ID: <OF428EEFBC.05C17E8A-ON8025758C.004897FD-8025758C.004B5DD3@total.com>
Content-Type: text/plain; charset="utf-8"

Folks

Not sure if this is the right list?

I have a new OpenLDAP (version 2.3) server that uses Kerberos for password
authentication, which is going to be a replacement for NIS (YP).
All normal access works fine and users can log in, access automount maps
etc.

However there are 2 types of Ldap binding

Simple
TLS

At the moment anybody can run the following:
ldapsearch -x

I would like to try and disable simple binding.
But if I select "disallow bind_anon" in the slapd.conf file,
things start to break, like authentication stops working.
/var/log/messages:

Apr  1 15:42:15 apricot sudo[31515]: pam_ldap: error trying to bind
(Inappropriate authentication)
Apr  1 15:42:18 apricot sudo[31515]: pam_ldap: error trying to bind
(Inappropriate authentication)
Apr  1 15:42:25 apricot sudo[31515]: pam_ldap: ldap_result Can't contact
LDAP server

How do I get a machine to authenticate to LDAP?

I think the problem lies with nss_ldap?
When I add the following line to /etc/ldap.conf

ssl start_tls

I start to get the following errors:
Apr  2 14:09:11 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Apr  2 14:09:15 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Apr  2 14:09:18 bruce nscd: nss_ldap: reconnecting to LDAP server
(sleeping 16 seconds)...
Apr  2 14:27:06 bruce sshd: pam_ldap: ldap_starttls_s: Operations error
Apr  2 14:27:06 bruce sshd(pam_unix)[11233]: authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=apricot.uk.ad.ep.corp.local
user=mgarrett
Apr  2 14:27:06 bruce sshd[11233]: pam_krb5[11233]: authentication
succeeds for'mgarrett' (mgarrett@UK.AD.EP.CORP.LOCAL)

/etc/ldap.conf

base dc=unix,dc=total
bind_timelimit 120
idle_timelimit 3600
ldap_version 3
pam_password md5
scope sub
ssl start_tls
timelimit 120
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no

Can anybody point me in the right direction?


Thanks

Matthew

Server is RedHat 5.3
Clients are RedHat 4.7

Copy of slapd.conf
pwcheck_method: saslauthd
mech_list: gssapi
sizelimit unlimited

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/krb5-kdc.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2


TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapd.pem
TLSCertificateKeyFile /etc/openldap/slapd.key

## security - other directives
## prevents anonymous access to
## any connection
#disallow bind_anon
## forces a bind operation before DIT access
#require bind
## Use of reads on ldaps only port forces use
## of TLS/SSL but not a minimum value
## this directive forces a minimum value
#security simple_bind=128

sasl-secprops noanonymous,noplain,noactive

# Map SASL authentication DNs to LDAP DNs
#   This leaves "username/admin" principals untouched
sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth
uid=$1,ou=people,dc=unix,dc=total
# This should be a   ^  plus, not a star, but slapd won't accept it

# Default read access for everything else except anonymous users, who have
# no access, but this does not work!
access to *
       by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
       by * read


       #by anonymous none




Matthew Garrett
Senior IS Technical Analyst
Tel:       01224 297889
Fax:      01224 296806
Email:   Matthew.Garrett@total.com
Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG
Registered in England and Wales No. 811900
Registered Office 33 Cavendish Square, London W1G 0PW
This e-mail and any attachments are intended only for the person or entity
to whom it is addressed and may contain confidential or privileged
information. If you are not the addressee, any disclosure, reproduction,
copying, distribution, or use of this communication is strictly prohibited.
If you are not the intended recipient or person responsible for delivering
this message to the named addressee, please notify us immediately and delete
this e-mail.
It is the responsibility of the addressee to scan this email and any
attachments for computer viruses or other defects.  The sender does not
accept liability for any loss or damage of any nature, however caused,
which may result directly or indirectly from this email or any file attached.
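The pairing Matthew describes, expressed as a small audit, added here as an example and not part of the thread: it parses the nss_ldap /etc/ldap.conf and slapd.conf fragments from the post and reports why uncommenting "disallow bind_anon" breaks pam_ldap (the client binds anonymously) together with the other weak settings visible in the post. The "hardened" configs, the binddn `cn=nss,ou=people,dc=unix,dc=total` and the `<placeholder>` password are assumptions, not from the post.

```python
# Audit the nss_ldap client / slapd pairing from the post. The two configs below are
# copied from the thread (trimmed) so the check runs offline; the hardened pair is assumed.
NSS_LDAP_CONF = """\
base dc=unix,dc=total
ldap_version 3
pam_password md5
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
"""
SLAPD_CONF = """\
allow bind_v2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
#disallow bind_anon
#require bind
#security simple_bind=128
"""
# Hardened pair (assumption, not from the post): server refuses anonymous and cleartext
# simple binds, client binds with a dedicated DN and verifies the server certificate.
SLAPD_HARDENED = "disallow bind_anon\nsecurity simple_bind=128\nTLSCACertificateFile /etc/openldap/cacerts/cacert.pem\n"
NSS_LDAP_HARDENED = NSS_LDAP_CONF.replace("tls_checkpeer no", "tls_checkpeer yes") \
    + "binddn cn=nss,ou=people,dc=unix,dc=total\nbindpw <placeholder>\n"

def parse_conf(text):
    """Return ({directive: [args, ...]} for active lines, {directives present only commented out})."""
    active, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            words = line.lstrip("# ").split()
            if words:
                commented.add(words[0].lower())
            continue
        words = line.split()
        active.setdefault(words[0].lower(), []).append(words[1:])
    return active, commented

def audit(slapd_text, client_text, anon_disallowed=False):
    """Findings, most severe first. anon_disallowed=True simulates uncommenting
    'disallow bind_anon' on the server, which is what the poster tried."""
    server, server_off = parse_conf(slapd_text)
    client, _ = parse_conf(client_text)
    first = lambda conf, key: conf.get(key, [[]])[0][:1]  # first argument of a directive, as a list
    findings = []
    disallow = anon_disallowed or any("bind_anon" in a for a in server.get("disallow", []))
    has_identity = "binddn" in client or "rootbinddn" in client or first(client, "use_sasl") == ["on"]
    if disallow and not has_identity:
        findings.append("ANON_BIND_BREAKS_NSS")  # nss_ldap binds anonymously -> inappropriateAuthentication
    if first(client, "tls_checkpeer") == ["no"]:
        findings.append("CLIENT_SKIPS_CERT_CHECK")  # start_tls, but any server certificate is accepted
    if "security" in server_off and "security" not in server:
        findings.append("NO_MIN_SSF_ON_SIMPLE_BIND")  # cleartext simple binds (and passwords) accepted
    if any("bind_v2" in a for a in server.get("allow", [])):
        findings.append("LDAPV2_ENABLED")
    return findings
```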

------------------------------

Message: 4
Date: Thu, 02 Apr 2009 15:11:30 +0200
From: Steffen Knauf <Steffen.Knauf@renderforce.de>
Subject: TLS/Certificate Problem Openldap
To: openldap-technical@openldap.org
Message-ID: <49D4B982.80605@renderforce.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed

Hello,

I try to configure OpenLDAP with TLS/SASL, but I only get the same error
( TLS certificate verification: Error, unable to get local issuer
certificate).
Perhaps someone has an idea what is wrong with the certificate.

Version : $OpenLDAP: slapd 2.3.43
OS: SuseLinux Enterprise 10

Ldap Server Output:

-----------------------------------------------------------
connection_read(12): checking for input on id=31
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(12): got connid=31
connection_read(12): checking for input on id=31
TLS certificate verification: depth: 0, err: 20, subject:
/DC=liga01/ST=Deutschland/L=Munich/O=it/CN=schmidt.muc.liga01, issuer:
/DC=liga01/ST=Deutschland/O=it/CN=schmidt.muc.liga01
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned s3_srvr.c:2482
connection_read(12): TLS accept failure error=-1 id=31, closing
connection_closing: readying conn=31 sd=12 for close
connection_close: conn=31 sd=12
-----------------------------------------------------------

I created the certs following this tutorial:

http://www.openldap.org/faq/index.cgi?_highlightWords=tls&file=185


/etc/openldap/slapd.conf:
-----------------------------------------------------------

TLSCipherSuite HIGH:MEDIUM:+SSLv2:+SSLv3
TLSCertificateFile /etc/ssl/zertifikate/servercrt.pem
TLSCertificateKeyFile /etc/ssl/zertifikate/serverkey.pem
TLSCACertificateFile /etc/ssl/zertifikate/demoCA/cacert.pem
TLSVerifyClient demand
-----------------------------------------------------------

/etc/openldap/ldap.conf:
-----------------------------------------------------------
TLS_CACERT /etc/ssl/zertifikate/demoCA/cacert.pem
TLS_REQCERT demand
-----------------------------------------------------------

/etc/ldap.conf:

-----------------------------------------------------------
ssl     start_tls
-----------------------------------------------------------

greets

Steffem
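What the slapd trace above actually says, as an added example that is not part of the post: the function parses slapd's "TLS certificate verification" line (copied from the post, re-joined onto one line as slapd writes it), maps the OpenSSL error code, and compares subject and issuer DNs. Here err 20 at depth 0 with an issuer DN that differs from the subject means the client certificate was signed by a CA whose certificate is not in the server's TLSCACertificateFile; the table of codes is the OpenSSL X509_V_ERR_* set, not something from the post.

```python
import re

# slapd debug output copied from the post (verification line re-joined) so the function runs offline.
SLAPD_LOG = """\
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS certificate verification: depth: 0, err: 20, subject: /DC=liga01/ST=Deutschland/L=Munich/O=it/CN=schmidt.muc.liga01, issuer: /DC=liga01/ST=Deutschland/O=it/CN=schmidt.muc.liga01
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
"""

# OpenSSL X509_V_ERR_* codes slapd reports in that line (common subset).
X509_ERR = {
    2: "unable to get issuer certificate",
    9: "certificate not yet valid",
    10: "certificate has expired",
    18: "self-signed certificate at depth 0",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}
VERIFY_RE = re.compile(r"TLS certificate verification: depth: (\d+), err: (\d+), subject: (\S+), issuer: (\S+)")

def parse_dn(slash_dn):
    """'/DC=liga01/O=it/CN=x' -> [('DC', 'liga01'), ('O', 'it'), ('CN', 'x')]"""
    return [tuple(rdn.split("=", 1)) for rdn in slash_dn.strip("/").split("/") if rdn]

def diagnose(log):
    """One record per failed verification: what the DNs reveal plus the fix a server admin would apply."""
    out = []
    for m in VERIFY_RE.finditer(log):
        depth, err = int(m.group(1)), int(m.group(2))
        subject, issuer = parse_dn(m.group(3)), parse_dn(m.group(4))
        rec = {"depth": depth, "err": err, "reason": X509_ERR.get(err, "unknown"),
               "self_signed": subject == issuer,
               # CA and leaf sharing a CN is legal but usually means both were minted in the same FAQ run
               "same_cn": dict(subject).get("CN") == dict(issuer).get("CN")}
        if err == 20 and not rec["self_signed"]:
            rec["hint"] = ("peer cert is signed by a CA whose cert is not in TLSCACertificateFile; "
                           "add that CA cert to the file or re-issue the peer cert from the configured CA")
        elif err in (18, 19):
            rec["hint"] = "peer cert is self-signed; with TLSVerifyClient demand it must itself be in TLSCACertificateFile"
        elif err in (9, 10):
            rec["hint"] = "check the validity dates and the clock on both hosts"
        else:
            rec["hint"] = "see verify(1) in OpenSSL for this error code"
        out.append(rec)
    return out
```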



------------------------------

_______________________________________________
openldap-technical mailing list
openldap-technical@openldap.org
http://www.openldap.org/lists/mm/listinfo/openldap-technical


End of openldap-technical Digest, Vol 17, Issue 4
*************************************************