Linus van Geuns | 29 Jan 2013 13:39

ldapcon 2013?

Dear all,

At ldapcon 2011 there was the vague idea of ldapcon 2013.
Is there any news or activity on the next ldapcon?

Regards, Linus




Net Warrior | 21 Jan 2013 13:57

ACL issues Insufficient access (50)

Hi there guys.

I'm facing a problem with my ACL. Basically I want my users to be able to
change their password, but I always get:

New password:
Re-enter new password:
ldap_initialize(ldap://ldapserver  )
Enter LDAP Password:
Result: Insufficient access (50)

From the logs:

access_allowed: backend default write access denied to userxxxx

Reading some posts, someone suggested adding olcAccess: {0} to * by *
write to the ACL, which I tested but with no luck. I'm just using simple
authentication, no SSL or that kind of stuff.

dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0} to * by * write

The weird thing is that I still see the anonymous access.

slap_access_allowed: backend default auth access granted to "(anonymous)"

I'm trying to change the password locally from the LDAP server itself;
from the client it doesn't work either. I'm using nslcd.conf and I'm not
allowing anon logins, but it seems that by default somewhere it's
allowing it.

These are the default password policies:

objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdSafeModify: FALSE
sn: dummy value
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdMaxFailure: 5
pwdMinAge: 0
pwdMaxAge: 0
pwdMustChange: TRUE
pwdMinLength: 5

I'm using:
openldap-servers-2.4.23-26.el6_3.2.x86_6
Centos 6.3

If you need more information just let me know.
Thanks in advance.
Best regards
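
The behaviour described in this post can be reasoned about with a small model of how slapd evaluates olcAccess directives. What follows is an added example, not configuration from the post or code from OpenLDAP: it parses directives written in slapd's `to <what> by <who> <access>` syntax and applies the evaluation order documented in slapd.access(5) (the first matching `to` clause decides, then the first matching `by` clause inside it, with an implicit `by * none` at the end), modelling only the `*` and `attrs=` targets and the `*`, `anonymous`, `users` and `self` subjects. It contrasts the `to * by * write` directive quoted above with the self-service password ACL usually used to let people change their own password; the DNs are constructed.

```python
import re

# slapd privilege levels, lowest to highest; granting a level implies every
# lower one (e.g. "write" implies "read", "auth" implies "disclose").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acl(directive):
    """Parse one olcAccess value such as '{0}to * by self write by * none'.

    Returns (what, [(who, access), ...]). Only a subset of slapd.access(5)
    is modelled: <what> is '*' or 'attrs=a,b,...'; <who> is '*', 'anonymous',
    'users' or 'self'.
    """
    directive = re.sub(r"^\{\d+\}", "", directive.strip())  # drop the {n} ordering prefix
    head, *by_clauses = directive.split(" by ")
    if not head.startswith("to "):
        raise ValueError("directive must start with 'to'")
    clauses = []
    for clause in by_clauses:
        who, access = clause.split()
        if access not in LEVELS:
            raise ValueError("unknown access level: " + access)
        clauses.append((who, access))
    return head[3:].strip(), clauses


def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError("unsupported <who>: " + who)


def access_allowed(acls, bind_dn, target_dn, attr, required):
    """Mirror slapd's evaluation: the first <what> that matches decides, the
    first <who> inside it decides, and anything unmatched is denied."""
    for what, clauses in acls:
        if not what_matches(what, attr):
            continue
        for who, access in clauses:
            if who_matches(who, bind_dn, target_dn):
                return LEVELS.index(access) >= LEVELS.index(required)
        return False  # implicit 'by * none' at the end of every directive
    return False      # implicit 'access to * by * none' at the end of the list


# The directive quoted in the post: everyone, including anonymous, may write.
WEAK = [parse_acl("{0}to * by * write")]

# The usual self-service form: a user may change only their own password,
# anonymous may only use the attribute to authenticate, nobody else sees it.
HARDENED = [
    parse_acl("{0}to attrs=userPassword by self write by anonymous auth by * none"),
    parse_acl("{1}to * by self write by users read by * none"),
]

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"


def report(acls):
    """Evaluate the requests a password-change flow actually makes."""
    return {
        "anonymous can auth against alice's password": access_allowed(acls, None, ALICE, "userPassword", "auth"),
        "alice can write her own password": access_allowed(acls, ALICE, ALICE, "userPassword", "write"),
        "bob can write alice's password": access_allowed(acls, BOB, ALICE, "userPassword", "write"),
        "anonymous can read alice's password": access_allowed(acls, None, ALICE, "userPassword", "read"),
        "anonymous can write alice's cn": access_allowed(acls, None, ALICE, "cn", "write"),
    }


if __name__ == "__main__":
    for name, acls in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for check, ok in report(acls).items():
            print(f"  {check}: {ok}")
```

Two caveats the model leaves out: it ignores `dn=` selectors and the `break`/`continue` controls, and it does not know which database a directive belongs to. In cn=config, an olcAccess value on `olcDatabase={0}config` governs access to the configuration tree only; the data backend (for example `olcDatabase={1}bdb` or `{1}hdb` on a 2.4 installation) has its own olcAccess list, and that is the one the `access_allowed` log line above is evaluating.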

Michael Ströder | 16 Dec 2012 22:48

Fwd: New Version Notification for draft-stroeder-mailboxrelatedobject-00.txt

HI!

Please review this draft intended to be published as informational RFC.

Ciao, Michael.

-------- Original Message --------
Subject: New Version Notification for draft-stroeder-mailboxrelatedobject-00.txt
Date: Sun, 16 Dec 2012 13:47:40 -0800
From: internet-drafts@...
To: michael@...
CC: michael@...

A new version of I-D, draft-stroeder-mailboxrelatedobject-00.txt
has been successfully submitted by Michael Ströder and posted to the
IETF repository.

Filename:        draft-stroeder-mailboxrelatedobject
Revision:        00
Title:           Lightweight Directory Access Protocol (LDAP): Auxiliary Object Class 'mailboxRelatedObject'
Creation date:   2012-12-16
WG ID:           Individual Submission
Number of pages: 4
URL:             http://www.ietf.org/internet-drafts/draft-stroeder-mailboxrelatedobject-00.txt
Status:          http://datatracker.ietf.org/doc/draft-stroeder-mailboxrelatedobject
Htmlized:        http://tools.ietf.org/html/draft-stroeder-mailboxrelatedobject-00

Abstract:
   This document defines the auxiliary object class
   'mailboxRelatedObject' that can be used to associate an arbitrary
   object with a RFC 2822 mail address.

The IETF Secretariat

Attachment (smime.p7s): application/pkcs7-signature, 3883 bytes
Csányi Pál | 14 Nov 2012 18:21

ldap_bind: Invalid credentials (49)

Hi,

I have Ubuntu 12.10 operating system.

I just installed slapd and want to use it as my e-mail AddressBook.

I'm following the tutorial:
http://linsec.ca/Using_OpenLDAP_as_an_Address_Book

When I'm trying to run the following command:
ldapadd -h localhost -D "cn=root,dc=mylan,dc=net" \
-W -x -f addr-skel.ldif

Enter LDAP Password: 

and when I enter the slapd administrator password that I entered when I
installed slapd and was asked for it, I get the error message:

ldap_bind: Invalid credentials (49)

How can I solve this problem?

-- 
Regards from Pal

David | 6 Aug 2012 03:35

Re: Lovely Generator From China

Dear Sir:

Glad to hear that you're in the market for generators. We have specialized in this field for
several years, with good quality and pretty competitive prices.
The product models are as follows:

1) Diesel generator set. 
2) Gasoline generator set.
3) Mobile-trailer power station.
4) ATS series diesel gen-sets.

Kindly contact me if you have any questions. It's our pleasure to be of service to you!

Thanks & Best regards.
David.

Alexda international Ltd

Michael Ströder | 12 Apr 2012 11:23

Any case where same controlType is used twice?

HI!

Is there any known LDAP extended control which is used more than once in an
LDAPRequest or LDAPResponse? Or can a client expect that a controlType is only
used exactly once in the list of returned controls in a single message?

Up to now I've never seen something like this but one never knows.

Ciao, Michael.

Attachment (smime.p7s): application/pkcs7-signature, 2317 bytes
Linus van Geuns | 9 Mar 2012 12:44

Re: RDN construction (was: Re: LDAPS Connection difficulties)

Hey Peter and Quanah,

On Thu, Mar 8, 2012 at 7:36 PM, Quanah Gibson-Mount <quanah-zAQalKWTt5vQT0dZR+AlfA@public.gmane.org> wrote:
> --On Thursday, March 08, 2012 3:07 PM +0100 Peter Schober <peter.schober-4JhlDu4IDl0juwv8T7myQQ@public.gmane.org> wrote:
>
>> * Quanah Gibson-Mount <quanah-zAQalKWTt5vQT0dZR+AlfA@public.gmane.org> [2012-03-07 18:04]:
>>>> Is anyone doing that? Is it worth the effort?
>>>
>>> See Stanford University's suRegID
>>
>> Well, I can see[1] that it's a registry identifier that's unique per
>> person and that accounts refer to it via the owner attribute.
>> I did not however find how DNs (and most-specific RDNs) are
>> constructed, but take your above answer to mean that Stanford creates
>> DNs as suRegID=$whatever,cn=accounts,$BASEDN
>> OK, thanks,
>> -peter
>
> It creates:
>
> suregid=<whatever>,cn=people,dc=stanford,dc=edu
>
> For people.
>
> For accounts, it uses uid
>
> uid=joe,cn=accounts,dc=stanford,dc=edu
>
> People are not accounts.  ;)

Yeah, that identity vs. account thing is a somewhat rare insight, especially when it comes to applications that need more than just account or identity data from directories.
If you do separate them, you will almost certainly require some feature to build virtual objects/views containing data from both the accounts and the corresponding identity.

Using persistent identifiers in RDNs for identities as well as accounts can simplify many use cases.
Whether it is worth the effort is something that you must decide for yourself based on the complexity of the required migration and what applications/services would be affected.

Regards, Linus

Wuensche Michael | 7 Mar 2012 19:32

filtered replication

I have an OpenLDAP environment with 2 servers, one serving as provider for 2 databases and one as consumer.

On one of the databases I only want to replicate certain entries, filtered by objectClass. I use syncrepl for replication. Now I would like to write entries which are not covered by the filter and so are not replicated. But OpenLDAP sends me a referral to the master on write attempts if I use the updateref directive. If I don't use this directive, I get error 53: unwilling to perform.

Is there a way to have part of a database's entries replicated and others allowed to be written locally?


Thanks a lot,

Michael


juergen.bernhard | 6 Mar 2012 11:36

Require TLS for simple binds with password

Hi,

I was happy to get your conversation about the LDAPS issues (although your mail went to the spam folder :-)

I do not want to interfere with your problem finding, but would like to ask another question around this subject,
and having found the experts I want to keep that chance...

I have the following question: we have about 100 LDAP applications running against our Novell LDAP interface.
Some work on port 636, some on 389. Now I want to set the parameter "require TLS for simple bind with
password". My understanding was that TLS (or StartTLS) is an additional feature which can be used (but
need not be used) and that therefore the running applications should not be affected. I had to learn that
this is not true. Can you help me identify the requirements to understand which applications would be
affected by this change?

Thanks in advance.

Jürgen 

Sitz der Gesellschaft / Corporate Headquarters: Lufthansa Systems Aktiengesellschaft, Kelsterbach,
Registereintragung / Registration: Amtsgericht Darmstadt 84307
Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Stephan Gemkow
Vorstand / Executive Board: Stefan Hansen (Vorsitzender / Chairman), Dr. Gunter Kuechler
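
One way to answer "which applications would be affected" from the server side is to look at the bind log before the switch is flipped: every simple bind that carried a password over a connection on which no TLS was negotiated belongs to a client that will stop working, and that is already sending its password in the clear today. The script below is an added example, not something from the post or from Novell's tooling. It assumes OpenLDAP-style "stats" logging (`conn=`/`op=` lines), since the eDirectory log format is not shown on the page, and the log lines are constructed.

```python
import re

# Constructed sample in OpenLDAP slapd "stats" log style (not real traffic).
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
conn=1000 op=0 STARTTLS
conn=1000 op=0 RESULT oid= err=0 text=
conn=1000 fd=12 TLS established tls_ssf=256 ssf=256
conn=1000 op=1 BIND dn="uid=app1,ou=apps,dc=example,dc=com" method=128
conn=1000 op=1 RESULT tag=97 err=0 text=
conn=1001 fd=13 ACCEPT from IP=10.0.0.6:40010 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=app2,ou=apps,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1002 fd=14 ACCEPT from IP=10.0.0.7:50020 (IP=0.0.0.0:636)
conn=1002 fd=14 TLS established tls_ssf=256 ssf=256
conn=1002 op=0 BIND dn="uid=app3,ou=apps,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1003 fd=15 ACCEPT from IP=10.0.0.8:60030 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="" method=128
conn=1003 op=0 RESULT tag=97 err=0 text=
conn=1004 fd=16 ACCEPT from IP=10.0.0.9:60040 (IP=0.0.0.0:389)
conn=1004 op=0 BIND dn="" method=163
conn=1004 op=0 BIND mech=DIGEST-MD5 ssf=0
conn=1004 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
TLS_UP = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')

SIMPLE_BIND = "128"  # BindRequest authentication choice 'simple' (context tag 0, 0x80)


def find_cleartext_simple_binds(lines):
    """Return (conn, client_ip, bind_dn) for every password bind made on a
    connection that had not negotiated TLS (neither ldaps:// nor StartTLS)."""
    client_ip = {}
    tls_ready = set()
    findings = []
    for line in lines:
        m = ACCEPT.search(line)
        if m:
            client_ip[m.group(1)] = m.group(2)
            continue
        m = TLS_UP.search(line)
        if m:
            tls_ready.add(m.group(1))
            continue
        m = BIND.search(line)
        if not m:
            continue
        conn, dn, method = m.groups()
        # Anonymous simple binds carry no password, and SASL binds (method=163,
        # e.g. DIGEST-MD5) do not transmit the password itself.
        if method != SIMPLE_BIND or dn == "":
            continue
        if conn not in tls_ready:
            findings.append((conn, client_ip.get(conn, "?"), dn))
    return findings


def affected_clients(lines):
    """Unique client addresses that would break under 'require TLS for simple
    binds with password', i.e. the list to take to the application owners."""
    return sorted({ip for _, ip, _ in find_cleartext_simple_binds(lines)})


if __name__ == "__main__":
    for conn, ip, dn in find_cleartext_simple_binds(SAMPLE_LOG.splitlines()):
        print(f"conn={conn} from {ip}: cleartext simple bind as {dn}")
    print("clients to contact:", affected_clients(SAMPLE_LOG.splitlines()))
```

Run over a day of real logs this yields the inventory the question asks for: connections that arrived on 636 or issued StartTLS before binding (conn=1000 and conn=1002 in the sample) are unaffected, anonymous and SASL binds are unaffected, and only the password bind on the plain 389 connection (conn=1001) is flagged.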

Peter Hawkins | 4 Mar 2012 04:07

*****SPAM***** LDAPS Connection difficulties

Hi all

I'm a bit of a newbie with LDAPS but I have been asked to perform an LDAPS authentication from a unix server to a windows server, but I cannot get it to bind.

The windows admin supplied a username, a password, an IP address and a certificate (eLearningPublic.cer) but they don't know their Bind-DN. 

I used #strings to look in the certificate to see what the hostname seemed to be and the following string is in the certificate:

          mldshomdsp01.ce.xyz.com.au 

This does not seem to resolve publicly but I assume that's the hostname used to create the certificate. I put an entry into /etc/hosts to have this resolve to the IP they gave me.

I installed the certificate in a /usr/local/etc/openldap/certs and placed the following in my ldap.conf:

        TLS_REQCERT never
        TLS_CACERT /usr/local/etc/openldap/certs/eLearningPublic.cer

I then looked at the certificate to try and find the bind-DN

# openssl s_client -connect mldshomdsp01.ce.xyz.com.au:636 -CAfile /usr/local/etc/openldap/certs/eLearningPublic.cer

CONNECTED(00000003)
depth=0 /CN=mldshomdsp01.ce.xyz.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=mldshomdsp01.ce.xyz.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=mldshomdsp01.ce.xyz.com.au
  i:/CN=mldshomdsp01.ce.xyz.com.au
---
Server certificate
-----BEGIN CERTIFICATE-----

< SNIP...>

-----END CERTIFICATE-----
subject=/CN=mldshomdsp01.ce.xyz.com.au
issuer=/CN=mldshomdsp01.ce.xyz.com.au
---
Acceptable client certificate CA names
/DC=au/DC=com/DC=xyz/DC=ce/CN=Internal Company Root CA
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
CyberTrust Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft
Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 1291 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1
   Cipher    : AES128-SHA
   Session-ID:
CA3E0000FDAB34D348334DACE16E940397A02812E3F20B60EB631B9784BAA87B
   Session-ID-ctx: 
   Master-Key:
E63D5D64939F6A9AD3A232B046D0AADF4303756335D7FD3B112EACD822BA1B3692BE06FCCBADBACCA14A648A67C018E7
   Key-Arg   : None
   Start Time: 1330655479
   Timeout   : 300 (sec)
   Verify return code: 21 (unable to verify the first certificate)
---

At this point I was a bit out of my depth but I made a guess:


# ldapwhoami -x -D "cn=theUserName,dc=au,dc=com,dc=xyz,dc=ce" \
    -H "ldaps://mldshomdsp01.ce.xyz.com.au" -w #testPassword -d1
ldap_url_parse_ext(ldaps://mldshomdsp01.ce.xyz.com.au)
ldap_create
ldap_url_parse_ext(ldaps://mldshomdsp01.ce.xyz.com.au:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP mldshomdsp01.ce.xyz.com.au:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.143.2:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: could not load verify locations
(file:`/usr/local/etc/openldap/certs/eLearningPublic.cer',dir:`').
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


I know the server's reachable (for one thing I can telnet to it on port 636 and get a connection).

I can see it says it cannot load the certificate, but it seemed to parse it with s_client and it has suitable permissions (not to mention I'm logged in as root):

# ls -l /usr/local/etc/openldap/certs/eLearningPublic.cer
-rw-r--r--  1 peter  peter  526 Feb 29 19:20 /usr/local/etc/openldap/certs/eLearningPublic.cer


Can anyone shed any light on this?

Thanks
Peter
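
The `openssl s_client` transcript quoted above already contains the facts needed to triage the TLS side of this before touching ldap.conf: subject and issuer are identical (a self-signed certificate, so the only trust anchor that can verify it is that certificate itself), the verify return code is non-zero, the server key is 1024 bits and the negotiated protocol is TLSv1. The parser below is an added example and not the poster's tooling; it reads a transcript in the format `s_client` prints (a constructed copy of the one above, with the certificate body and session secrets omitted, is embedded) and turns those lines into findings a defender would act on, instead of silencing verification with `TLS_REQCERT never`.

```python
import re

# Constructed transcript reproducing the shape of the s_client output quoted
# in the post (certificate body and session secrets omitted).
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
depth=0 /CN=mldshomdsp01.ce.xyz.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=mldshomdsp01.ce.xyz.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=mldshomdsp01.ce.xyz.com.au
  i:/CN=mldshomdsp01.ce.xyz.com.au
---
Server certificate
-----BEGIN CERTIFICATE-----
< SNIP...>
-----END CERTIFICATE-----
subject=/CN=mldshomdsp01.ce.xyz.com.au
issuer=/CN=mldshomdsp01.ce.xyz.com.au
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
SSL-Session:
   Protocol  : TLSv1
   Cipher    : AES128-SHA
   Verify return code: 21 (unable to verify the first certificate)
---
"""

# One regex per line-oriented field; re.M anchors ^ at each line start.
FIELDS = {
    "subject": re.compile(r"^subject=(.*)$", re.M),
    "issuer": re.compile(r"^issuer=(.*)$", re.M),
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
}
KEY_BITS = re.compile(r"Server public key is (\d+) bit")
VERIFY = re.compile(r"Verify return code: (\d+) \((.*)\)")
CHAIN = re.compile(r"^\s*(\d+) s:(.*)$", re.M)


def parse_s_client(text):
    """Extract the handshake facts from an `openssl s_client` transcript."""
    info = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        info[name] = m.group(1).strip() if m else None
    m = KEY_BITS.search(text)
    info["key_bits"] = int(m.group(1)) if m else None
    m = VERIFY.search(text)
    info["verify_code"] = int(m.group(1)) if m else None
    info["verify_text"] = m.group(2) if m else None
    info["chain_length"] = len(CHAIN.findall(text))
    info["self_signed"] = info["subject"] is not None and info["subject"] == info["issuer"]
    return info


def assess(info):
    """Turn the parsed facts into the findings a defender would act on."""
    findings = []
    if info["self_signed"]:
        findings.append("self-signed server certificate: the only valid trust "
                        "anchor is this exact certificate, in PEM form, as TLS_CACERT")
    if info["verify_code"] not in (None, 0):
        findings.append(f"chain not verified (code {info['verify_code']}: "
                        f"{info['verify_text']}); fix the trust anchor rather than "
                        "setting TLS_REQCERT never, which disables verification")
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append(f"{info['key_bits']}-bit server key is below the 2048-bit minimum")
    if info["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"{info['protocol']} negotiated: legacy protocol enabled on the server")
    return findings


if __name__ == "__main__":
    parsed = parse_s_client(SAMPLE_TRANSCRIPT)
    for finding in assess(parsed):
        print("-", finding)
```

On the client-side error itself: OpenLDAP's `TLS_CACERT` expects a PEM file, and a `.cer` exported from a Windows host is frequently DER-encoded, which produces exactly the "could not load verify locations" message even though `s_client` and `ls` both see a perfectly good file. `openssl x509 -inform DER -in eLearningPublic.cer -out eLearningPublic.pem` converts it; with the self-signed certificate installed as the CA in PEM form, `TLS_REQCERT` can stay at its default `demand` and the hostname in the certificate's CN is verified on every bind.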
Michael Ströder | 17 Feb 2012 12:13

Better schema for room entries

HI!

The COSINE schema defines object class 'room' but requires setting attribute 
'cn' and also recommends using it for forming the RDN:

http://tools.ietf.org/html/rfc4524#section-3.8

IMHO this does not make sense for most rooms. Are any LDAP admins here 
maintaining rooms as LDAP entries? Do you know a better existing schema?

Ciao, Michael.

