Erralt

OpenLDAP, syncrepl via TLS/SSL

Posted in Administration, LF, Linux by erralt on 19 January 2010

I had to configure an OpenLDAP consumer to replicate data from my OpenLDAP provider.

From the start, my OpenLDAP server did not use slapd.conf directives but cn=config directives.
All the configuration examples I found on the Internet used slapd.conf, so I had to work out by myself how to translate slapd.conf directives into cn=config directives, especially the syncrepl ones.


On the provider


1/ On the entry cn=module{0},cn=config, add the attribute « olcModuleLoad » with the value « syncprov »

The server will rewrite your modification as:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModulePath: /usr/lib/ldap

Equivalence with slapd.conf :

moduleload syncprov


2/ Add the overlay entry with its options

– add this entry under the database backend entry (olcDatabase={1}hdb,cn=config here), not directly under cn=config: it doesn’t work there (I made that mistake). Check that the database type is bdb or hdb: the syncprov overlay needs a backend that maintains the entryCSN and entryUUID attributes, which on this OpenLDAP 2.4 setup means one of those two.

dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

Adjust olcSpCheckpoint and olcSpSessionlog to your needs: « 100 10 » writes the contextCSN to the database after 100 write operations or 10 minutes, whichever comes first, and the session log keeps the last 100 write operations in memory so that a consumer whose cookie is still covered by the log can resynchronise from it instead of going through a full present phase.

Equivalence with slapd.conf :

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100


3/ Add equality indexes on entryCSN and entryUUID, the attributes syncprov searches by:

on the entry dn: olcDatabase={1}hdb,cn=config, add

olcDbIndex: entryCSN,entryUUID eq

Here are the syncprov options translated into their cn=config names:

syncprov-checkpoint -> olcSpCheckpoint
syncprov-sessionlog -> olcSpSessionlog
syncprov-nopresent -> olcSpNoPresent
syncprov-reloadhint -> olcSpReloadHint
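The three provider steps above as one script, added here as an example; it is not code from the original post. Like the post’s own LDIF it assumes the database entry is olcDatabase={1}hdb,cn=config (overridable with DB_DN) and that cn=module{0},cn=config already exists, as it does on the Debian/Ubuntu packages; editing cn=config over ldapi:/// with SASL EXTERNAL as root is the standard way on those systems and is an assumption of this script.

```shell
#!/bin/sh
# Added example, not code from the original post: the three provider-side
# changes (module load, syncprov overlay, indexes) as one LDIF, applied over
# the local ldapi:/// socket with SASL EXTERNAL as root, which the
# Debian/Ubuntu packages map to the cn=config rootDN.
# Assumptions (not stated on the page): the database entry is
# olcDatabase={1}hdb,cn=config, overridable through DB_DN, and an entry
# cn=module{0},cn=config already exists, as it does on those packages.
set -eu

DB_DN="${DB_DN:-olcDatabase={1}hdb,cn=config}"

# Print the LDIF. The overlay entry is a child of the database entry; putting
# it directly under cn=config is the mistake the post warns about.
provider_ldif() {
    db_dn=$1
    cat <<EOF
# 1/ load the syncprov module (slapd.conf: moduleload syncprov)
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

# 2/ syncprov overlay under the database (slapd.conf: overlay syncprov ...)
dn: olcOverlay=syncprov,${db_dn}
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionlog: 100

# 3/ equality indexes on the attributes syncprov searches by
dn: ${db_dn}
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN,entryUUID eq
EOF
}

# Apply the LDIF. -Q suppresses the SASL chatter; slapd itself stores the
# overlay as {0}syncprov and the module as {1}syncprov.
apply_provider() {
    provider_ldif "$DB_DN" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Read back what slapd actually stored, which is the only proof that counts.
check_provider() {
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$DB_DN" \
        '(objectClass=olcSyncProvConfig)' olcOverlay olcSpCheckpoint olcSpSessionlog
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b 'cn=module{0},cn=config' \
        -s base olcModuleLoad
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$DB_DN" -s base olcDbIndex
}

case "${1:-}" in
    apply) apply_provider ;;
    check) check_provider ;;
    *)     provider_ldif "$DB_DN" ;;   # default: print the LDIF for review
esac
```

Run it with no argument to review the LDIF, with `apply` to load it, and with `check` to read back the three entries; if the overlay search returns nothing, the overlay most likely landed under cn=config instead of under the database.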


On the consumer


Configuration of syncrepl:

On the entry of your database configuration (for me: dn: olcDatabase={1}hdb,cn=config), add the following attribute and value. In LDIF a long value is folded with continuation lines that start with one space, and that space is dropped when the value is reassembled, so each continuation line below starts with two spaces: one for the fold and one to separate the syncrepl parameters.

olcSyncrepl: {0}rid=000 provider=ldap://provider.mydomain.net
  searchbase=dc=mydomain.net
  bindmethod=simple
  binddn=cn=syncrepl,dc=mydomain.net
  credentials=XXXXX
  retry="60 +"
  type=refreshOnly
  interval=00:00:10:00

The bind DN must have read access on the provider to every entry and attribute you want replicated (including userPassword if you expect password hashes to follow); whatever the ACLs hide from it is silently missing on the consumer.

Equivalent in slapd.conf (there too, a line starting with whitespace continues the previous directive):

syncrepl rid=000 provider=ldap://provider.mydomain.net
  searchbase=dc=mydomain.net
  bindmethod=simple
  binddn=cn=syncrepl,dc=mydomain.net
  credentials=XXXXX
  retry="60 +"
  type=refreshOnly
  interval=00:00:10:00

At this point the provider directory can be replicated to the consumer, but everything goes over the wire in clear text: the simple-bind password of cn=syncrepl and the content of every replicated entry, including whatever the bind DN is allowed to read. Verify that it all works, then move on to TLS before relying on it.


Using TLS/SSL

Before any TLS/SSL configuration of the OpenLDAP server, add the « openldap » user to the « ssl-cert » group (on Debian/Ubuntu, /etc/ssl/private belongs to root:ssl-cert with mode 0710, and slapd runs as openldap).

Then check that the « openldap » user can actually read the /etc/ssl/private/server.key file; the key should stay readable by root and the ssl-cert group only, never by everyone.

On the provider

Check that the provider accepts SSL or TLS connections, binding as the replication DN so that the credentials are tested at the same time.
To check an SSL (ldaps://) connection:

ldapsearch -x -H ldaps://provider.mydomain.net -D cn=syncrepl,dc=mydomain.net -W -b dc=mydomain.net -s base

To check a StartTLS connection (a single -Z only attempts StartTLS and carries on in clear text if it fails; -ZZ aborts instead, which is what you want here):

ldapsearch -x -ZZ -H ldap://provider.mydomain.net -D cn=syncrepl,dc=mydomain.net -W -b dc=mydomain.net -s base


On the consumer

* For an SSL connection, in the syncrepl configuration:
– change the provider option to use ldaps:// instead of ldap://
– add these options:

tls_cert=/etc/ssl/certs/server.pem
tls_cacert=/etc/ssl/certs/cacert.org.pem
tls_key=/etc/ssl/private/server.key

* For a TLS (StartTLS) connection, in the syncrepl configuration:
– keep the provider option using ldap://
– add these options:

starttls=yes
tls_cert=/etc/ssl/certs/server.pem
tls_cacert=/etc/ssl/certs/cacert.org.pem
tls_key=/etc/ssl/private/server.key

Three points to check before trusting this setup. tls_cacert must be the CA that issued the provider’s certificate, and tls_reqcert=demand should be added so that the consumer refuses a provider whose certificate does not verify; otherwise the replication password can be handed to an impostor. starttls=yes only attempts StartTLS and continues in clear text if it fails, whereas starttls=critical aborts the session, which is the behaviour you want. tls_cert and tls_key give the consumer a client certificate, which the provider only uses if it requests one (or if you bind with SASL EXTERNAL); with bindmethod=simple they can be left out, and if they are kept, server.key must be readable by the openldap user.
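The consumer configuration from the two sections above (the olcSyncrepl attribute plus the TLS options) as one script, added here as an example rather than taken from the post. It deviates from the post’s values on purpose: tls_reqcert=demand is added, starttls=critical replaces starttls=yes for an ldap:// provider, and tls_cert/tls_key are left out because a simple bind does not use a client certificate. Host, base DN, bind DN, CA path and database entry are the post’s own values, overridable through environment variables; reading the replication password from SYNC_PW is an assumption of this script.

```shell
#!/bin/sh
# Added example, not code from the original post: the consumer-side syncrepl
# entry over TLS with certificate checking enforced, plus the checks worth
# running on the consumer host. Assumptions (not stated on the page):
# database entry olcDatabase={1}hdb,cn=config, provider certificate chaining
# to /etc/ssl/certs/cacert.org.pem, replication password in $SYNC_PW.
set -eu

DB_DN="${DB_DN:-olcDatabase={1}hdb,cn=config}"
PROVIDER_HOST="${PROVIDER_HOST:-provider.mydomain.net}"
BASE="${BASE:-dc=mydomain.net}"
BINDDN="${BINDDN:-cn=syncrepl,dc=mydomain.net}"
CACERT="${CACERT:-/etc/ssl/certs/cacert.org.pem}"

# LDIF folding: a continuation line starts with ONE space, which is dropped
# when the value is re-joined, so every continuation below starts with TWO:
# the first is the fold marker, the second separates the syncrepl parameters.
# With a single space the value would read "...mydomain.netsearchbase=...".
# tls_reqcert=demand makes slapd refuse a provider whose certificate does not
# verify against tls_cacert; without it the bind password can go to an
# impostor. For an ldap:// provider, starttls=critical is emitted: the "yes"
# form falls back to clear text when StartTLS fails.
consumer_ldif() {
    db_dn=$1; provider=$2; base=$3; binddn=$4; password=$5; cacert=$6
    cat <<EOF
dn: ${db_dn}
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=000 provider=${provider}
  searchbase=${base}
  bindmethod=simple
  binddn="${binddn}"
  credentials=${password}
  type=refreshOnly
  interval=00:00:10:00
  retry="60 +"
  tls_cacert=${cacert}
  tls_reqcert=demand
EOF
    case $provider in
        ldap://*) printf '  starttls=critical\n' ;;
    esac
}

# Re-join folded lines exactly as an LDIF parser does (drop one leading space),
# so you can see the value slapd will actually parse.
ldif_unfold() {
    awk 'NR > 1 && /^ / { line = line substr($0, 2); next }
         NR > 1 { print line }
         { line = $0 }
         END { print line }'
}

# Pre-flight: bind to the provider as the replication DN over both transports.
# -W prompts for the password instead of exposing it in the process list.
# -ZZ is StartTLS-only and aborts if TLS is not negotiated; never pass it
# with ldaps://, which is TLS from the first byte.
check_provider_tls() {
    ldapsearch -x -H "ldaps://${PROVIDER_HOST}" -D "$BINDDN" -W \
        -b "$BASE" -s base dn
    ldapsearch -x -ZZ -H "ldap://${PROVIDER_HOST}" -D "$BINDDN" -W \
        -b "$BASE" -s base dn
}

# Only relevant if tls_cert/tls_key are configured: slapd runs as openldap.
check_key_readable() {
    if sudo -u openldap test -r /etc/ssl/private/server.key; then
        echo "server.key readable by openldap"
    else
        echo "server.key NOT readable by openldap (add the user to group ssl-cert)"
        return 1
    fi
}

case "${1:-}" in
    apply)
        # credentials= lands in cn=config in clear text; keep cn=config
        # readable only by root over ldapi:///.
        consumer_ldif "$DB_DN" "ldaps://${PROVIDER_HOST}" "$BASE" "$BINDDN" \
            "${SYNC_PW:?set SYNC_PW to the replication password}" "$CACERT" \
            | ldapmodify -Q -Y EXTERNAL -H ldapi:/// ;;
    check) check_provider_tls; check_key_readable ;;
    *)     consumer_ldif "$DB_DN" "ldaps://${PROVIDER_HOST}" "$BASE" "$BINDDN" \
               XXXXX "$CACERT" ;;   # default: print with a placeholder password
esac
```

Run it with no argument to review the LDIF, with `apply` to load it, and with `check` to test the provider and the key permissions. Piping the output through ldif_unfold shows the one-line value slapd will parse, which is the quickest way to catch the single-space folding mistake; for a StartTLS setup, pass ldap://provider.mydomain.net as the second argument of consumer_ldif and starttls=critical is appended.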

* I got this error:

main: TLS init def ctx failed: -1

=> I had a look at http://readthefuckingmanual.net/2010/01 and my problem came from symbolic links not being followed, weird.

* I got this error:

main: TLS init def ctx failed: -207

=> It seems to be an error while checking the SSL chain (have a look at this thread on the OpenLDAP list). I used certtool from the GnuTLS package to create a self-signed certificate.

* I got this error:

main: TLS init def ctx failed: -69

=> remove the passphrase from the key.

Now everything works, but sometimes I get this error:

slap_client_connect: URI=ldaps://****.*****.net DN="cn=syncrepl,dc=*****.net" ldap_sasl_bind_s failed (-1)

and I don’t know whether it’s critical. It seems not to be: it works again afterwards.

———
Example of a syncrepl run that works (consumer log with a verbose olcLogLevel):

hdb_modify: updated id=00000032 dn="cn=*****,ou=users,dc=*****.net"
slapd[19443]: send_ldap_result: conn=-1 op=0 p=3
slapd[19443]: send_ldap_result: err=0 matched="" text=""
slapd[19443]: syncrepl_entry: rid=000 be_modify cn=*****,ou=users,dc=*****.net (0)
slapd[19443]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT
slapd[19443]: =>do_syncrepl rid=000
slapd[19443]: =>do_syncrep2 rid=000
slapd[19443]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT
slapd[19443]: do_syncrep2: cookie=rid=000,csn=20100109013243.742646Z#000000#000#000000
slapd[19443]: slap_queue_csn: queing 0x7f0b4ab5f9c0 20100109013243.742646Z#000000#000#000000
slapd[19443]: hdb_modify: dc=******.net
slapd[19443]: bdb_dn2entry("dc=******.net")
slapd[19443]: bdb_modify_internal: 0x0000001d: dc=*****.net
slapd[19443]:  entry_encode(0x0000001d):
slapd[19443]: <= entry_encode(0x0000001d):
slapd[19443]: hdb_modify: updated id=0000001d dn="dc=******.net"
slapd[19443]: send_ldap_result: conn=-1 op=0 p=3
slapd[19443]: send_ldap_result: err=0 matched="" text=""
slapd[19443]: slap_graduate_commit_csn: removing 0x7f0b4ab5fa00 20100109013243.742646Z#000000#000#000000

——–
If you need to check whether slapd is linked against GnuTLS or OpenSSL (the numeric TLS error codes above come from whichever library is in use):

# ldd $(which slapd)
        linux-vdso.so.1 =>  (0x00007fff2a318000)
        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x00007f103bb68000)
        liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00007f103b95a000)
        libdb-4.7.so => /usr/lib/libdb-4.7.so (0x00007f103b5f8000)
        libodbc.so.1 => /usr/lib/libodbc.so.1 (0x00007f103b398000)
        libslp.so.1 => /usr/lib/libslp.so.1 (0x00007f103b186000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f103af6c000)
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007f103acca000)  <=====
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f103aa91000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00007f103a878000)
        libltdl.so.7 => /usr/lib/libltdl.so.7 (0x00007f103a66e000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x00007f103a463000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00007f103a247000)
        libc.so.6 => /lib/libc.so.6 (0x00007f1039ed8000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00007f1039cbe000)
        libdl.so.2 => /lib/libdl.so.2 (0x00007f1039aba000)
        libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00007f10398a9000)
        libz.so.1 => /lib/libz.so.1 (0x00007f1039692000)
        libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00007f103941a000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f103bdb1000)
        libgpg-error.so.0 => /lib/libgpg-error.so.0 (0x00007f1039216000)

Edit: pay attention to /usr/local/etc/openldap/ldap.conf, which is used by ldapsearch and seems to make syncrepl work more easily.
As found with « strace ldapsearch -b dc=mydomain.net -x -ZZ », ldapsearch does not use /etc/ldap/ldap.conf on Ubuntu 9.10 (Karmic).


Dell Vostro 1220 on Ubuntu, headphone problem

Posted in Administration, Linux by erralt on 14 December 2009

Here is the problem on my work Dell Vostro 1220 running Ubuntu 9.10 x64:
when I plug in my headphones they are not detected, and the speakers do not mute automatically.

Temporary solution I found on this page:
– install hda_analyzer from ALSA
– start hda_analyzer with « python run.py »
– then in « Node[0x1f] » untick « OUT » (the change is applied live)
That does the trick.

PS: I don’t think the change is persistent.
Edit 2009/12/18: the change only persists while the machine is running. A reboot loses it.

Edit 2010/02/16: the solution I found no longer works, Hda Analyzer is buggy!!
My other solution is the following:

wget http://ftp.kernel.org/pub/linux/kernel/people/tiwai/misc/hda-verb/hda-verb-0.3.tar.gz
tar zxvf hda-verb-0.3.tar.gz
cd hda-verb-0.3
make
sudo cp hda-verb /usr/local/bin
sudo hda-verb /dev/snd/hwC0D0 0x1f SET_PIN_WIDGET_CONTROL 0x0     ## disables the main speakers
sudo hda-verb /dev/snd/hwC0D0 0x1f SET_PIN_WIDGET_CONTROL 0x40   ## enables the main speakers

Be aware that the change will not survive a reboot.