IBM Security Directory Server Notes
ldapmodify vs ldif2db vs bulkload
ldapmodify is the slowest and requires special ldif modify syntax. Requries LDAP to be up. Changes replicate across ldaps (unless you use the -l option to avoid replication)
ldif2db can handle ldif generated by ldapsearch or by db2ldif but can not modify entries (add/remove/cahnge attributes). It will skip over already existing entries. Requires LDAP to be down. Faster than ldapmodify but not very fast. Changes will replicate unless you use the "-r no" option
bulkload - fastest, but will error out and stop if entries already exist, if attributes are not in the schema. Needs to run as the ldap user. Requires LDAP to be down. No data will be replicated
How SDS cryptography works
- ibmslapdcfg.ksf dictates the AES encryption settings for the passwords stored in the ibmslapd.conf file.
- ibmslapddir.ksf dictates the AES encryption settings for the passwords stored in ITDS directory. When an instance is started for the first time, it initializes ibm-slapdcryptosync attribute in LDAP from ibmsladdir.ksf
- ibm-slapdcryptosync value in cn=crypto,cn=localhost is for the directory where as the ibm-slapdcryptosync in the ibmslapd.conf file is for the configuration file. These will be different.
- idsgendirksf command can be used to regenerate ibmslapddir from the given encryption seed and salt
- look at the schema V3.user.at for ENCRYPT AES-256 to get the full list of attributes that are encrypted
http://www-01.ibm.com/support/docview.wss?uid=swg21388619
Undestanding LDAP SSL
Create the db
gsk8capicmd_64 -cert -create -db /home/isimldap/idsslapd-isimldap/etc/serverkey.kdb -pw password -label sdsv64 -sigalg SHA256WithRSA -size 2048 -dn "cn=$(hostname),o=kpmg,c=us" -default_cert yes -expire 3650
Extract the key
gsk8capicmd_64 -cert -extract -db /home/isimldap/idsslapd-isimldap/etc/serverkey.kdb -stashed -label sdsv64 -target /home/isimldap/idsslapd-isimldap/etc/$(hostname)-key.cert -format ascii
List KDB details
gsk8capicmd_64 -cert -details -db /home/isimldap/idsslapd-isimldap/etc/serverkey.kdb -pw ${KEYSTORE_PWD}
LDAP error messages
Error / Data Code Error Description
0 LDAP_SUCCESS Indicates the requested client operation completed successfully.
1 LDAP_OPERATIONS_ERROR Indicates an internal error. The server is unable to respond with a more specific error and is also unable to properly respond to a request. It does not indicate that the client has sent an erroneous message. In NDS 8.3x through NDS 7.xx, this was the default error for NDS errors that did not map to an LDAP error code. To conform to the new LDAP drafts, NDS 8.5 uses 80 (0x50) for such errors.
2 LDAP_PROTOCOL_ERROR Indicates that the server has received an invalid or malformed request from the client.
3 LDAP_TIMELIMIT_EXCEEDED Indicates that the operation's time limit specified by either the client or the server has been exceeded. On search operations, incomplete results are returned.
4 LDAP_SIZELIMIT_EXCEEDED Indicates that in a search operation, the size limit specified by the client or the server has been exceeded. Incomplete results are returned.
5 LDAP_COMPARE_FALSE Does not indicate an error condition. Indicates that the results of a compare operation are false.
6 LDAP_COMPARE_TRUE Does not indicate an error condition. Indicates that the results of a compare operation are true.
7 LDAP_AUTH_METHOD_NOT_SUPPORTED Indicates that during a bind operation the client requested an authentication method not supported by the LDAP server.
8 LDAP_STRONG_AUTH_REQUIRED Indicates one of the following: In bind requests, the LDAP server accepts only strong authentication.
In a client request, the client requested an operation such as delete that requires strong authentication. In an unsolicited notice of disconnection, the LDAP server discovers the security protecting the communication between the client and server has unexpectedly failed or been compromised.
9 Reserved.
10 LDAP_REFERRAL Does not indicate an error condition. In LDAPv3, indicates that the server does not hold the target entry of the request, but that the servers in the referral field may.
11 LDAP_ADMINLIMIT_EXCEEDED Indicates that an LDAP server limit set by an administrative authority has been exceeded.
12 LDAP_UNAVAILABLE_CRITICAL_EXTENSION Indicates that the LDAP server was unable to satisfy a request because one or more critical extensions were not available. Either the server does not support the control or the control is not appropriate for the operation type.
13 LDAP_CONFIDENTIALITY_REQUIRED Indicates that the session is not protected by a protocol such as Transport Layer Security (TLS), which provides session confidentiality.
14 LDAP_SASL_BIND_IN_PROGRESS Does not indicate an error condition, but indicates that the server is ready for the next step in the process. The client must send the server the same SASL mechanism to continue the process.
15 Not used.
16 LDAP_NO_SUCH_ATTRIBUTE Indicates that the attribute specified in the modify or compare operation does not exist in the entry.
17 LDAP_UNDEFINED_TYPE Indicates that the attribute specified in the modify or add operation does not exist in the LDAP server's schema.
18 LDAP_INAPPROPRIATE_MATCHING Indicates that the matching rule specified in the search filter does not match a rule defined for the attribute's syntax.
19 LDAP_CONSTRAINT_VIOLATION Indicates that the attribute value specified in a modify, add, or modify DN operation violates constraints placed on the attribute. The constraint can be one of size or content (string only, no binary).
20 LDAP_TYPE_OR_VALUE_EXISTS Indicates that the attribute value specified in a modify or add operation already exists as a value for that attribute.
21 LDAP_INVALID_SYNTAX Indicates that the attribute value specified in an add, compare, or modify operation is an unrecognized or invalid syntax for the attribute.
22-31 Not used.
32 LDAP_NO_SUCH_OBJECT Indicates the target object cannot be found. This code is not returned on following operations: Search operations that find the search base but cannot find any entries that match the search filter. Bind operations.
33 LDAP_ALIAS_PROBLEM Indicates that an error occurred when an alias was dereferenced.
34 LDAP_INVALID_DN_SYNTAX Indicates that the syntax of the DN is incorrect. (If the DN syntax is correct, but the LDAP server's structure rules do not permit the operation, the server returns LDAP_UNWILLING_TO_PERFORM.)
35 LDAP_IS_LEAF Indicates that the specified operation cannot be performed on a leaf entry. (This code is not currently in the LDAP specifications, but is reserved for this constant.)
36 LDAP_ALIAS_DEREF_PROBLEM Indicates that during a search operation, either the client does not have access rights to read the aliased object's name or dereferencing is not allowed.
37-47 Not used.
48 LDAP_INAPPROPRIATE_AUTH Indicates that during a bind operation, the client is attempting to use an authentication method that the client cannot use correctly. For example, either of the following cause this error: The client returns simple credentials when strong credentials are required...OR...The client returns a DN and a password for a simple bind when the entry does not have a password defined.
49 LDAP_INVALID_CREDENTIALS Indicates that during a bind operation one of the following occurred: The client passed either an incorrect DN or password, or the password is incorrect because it has expired, intruder detection has locked the account, or another similar reason. See the data code for more information.
49 / 52e AD_INVALID CREDENTIALS Indicates an Active Directory (AD) AcceptSecurityContext error, which is returned when the username is valid but the combination of password and user credential is invalid. This is the AD equivalent of LDAP error code 49.
49 / 525 USER NOT FOUND Indicates an Active Directory (AD) AcceptSecurityContext data error that is returned when the username is invalid.
49 / 530 NOT_PERMITTED_TO_LOGON_AT_THIS_TIME Indicates an Active Directory (AD) AcceptSecurityContext data error that is logon failure caused because the user is not permitted to log on at this time. Returns only when presented with a valid username and valid password credential.
49 / 531 RESTRICTED_TO_SPECIFIC_MACHINES Indicates an Active Directory (AD) AcceptSecurityContext data error that is logon failure caused because the user is not permitted to log on from this computer. Returns only when presented with a valid username and valid password credential.
49 / 532 PASSWORD_EXPIRED Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The specified account password has expired. Returns only when presented with valid username and password credential.
49 / 533 ACCOUNT_DISABLED Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The account is currently disabled. Returns only when presented with valid username and password credential.
49 / 568 ERROR_TOO_MANY_CONTEXT_IDS Indicates that during a log-on attempt, the user's security context accumulated too many security IDs. This is an issue with the specific LDAP user object/account which should be investigated by the LDAP administrator.
49 / 701 ACCOUNT_EXPIRED Indicates an Active Directory (AD) AcceptSecurityContext data error that is a logon failure. The user's account has expired. Returns only when presented with valid username and password credential.
49 / 773 USER MUST RESET PASSWORD Indicates an Active Directory (AD) AcceptSecurityContext data error. The user's password must be changed before logging on the first time. Returns only when presented with valid user-name and password credential.
50 LDAP_INSUFFICIENT_ACCESS Indicates that the caller does not have sufficient rights to perform the requested operation.
51 LDAP_BUSY Indicates that the LDAP server is too busy to process the client request at this time but if the client waits and resubmits the request, the server may be able to process it then.
52 LDAP_UNAVAILABLE Indicates that the LDAP server cannot process the client's bind request, usually because it is shutting down.
53 LDAP_UNWILLING_TO_PERFORM Indicates that the LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons: The add entry request violates the server's structure rules...OR...The modify attribute request specifies attributes that users cannot modify...OR...Password restrictions prevent the action...OR...Connection restrictions prevent the action.
54 LDAP_LOOP_DETECT Indicates that the client discovered an alias or referral loop, and is thus unable to complete this request.
55-63 Not used.
64 LDAP_NAMING_VIOLATION Indicates that the add or modify DN operation violates the schema's structure rules. For example,
The request places the entry subordinate to an alias. The request places the entry subordinate to a container that is forbidden by the containment rules. The RDN for the entry uses a forbidden attribute type.
65 LDAP_OBJECT_CLASS_VIOLATION Indicates that the add, modify, or modify DN operation violates the object class rules for the entry. For example, the following types of request return this error:
The add or modify operation tries to add an entry without a value for a required attribute. The add or modify operation tries to add an entry with a value for an attribute which the class definition does not contain. The modify operation tries to remove a required attribute without removing the auxiliary class that defines the attribute as required.
66 LDAP_NOT_ALLOWED_ON_NONLEAF Indicates that the requested operation is permitted only on leaf entries. For example, the following types of requests return this error:
The client requests a delete operation on a parent entry. The client request a modify DN operation on a parent entry.
67 LDAP_NOT_ALLOWED_ON_RDN Indicates that the modify operation attempted to remove an attribute value that forms the entry's relative distinguished name.
68 LDAP_ALREADY_EXISTS Indicates that the add operation attempted to add an entry that already exists, or that the modify operation attempted to rename an entry to the name of an entry that already exists.
69 LDAP_NO_OBJECT_CLASS_MODS Indicates that the modify operation attempted to modify the structure rules of an object class.
70 LDAP_RESULTS_TOO_LARGE Reserved for CLDAP.
71 LDAP_AFFECTS_MULTIPLE_DSAS Indicates that the modify DN operation moves the entry from one LDAP server to another and requires more than one LDAP server.
72-79 Not used.
80 LDAP_OTHER Indicates an unknown error condition. This is the default value for NDS error codes which do not map to other LDAP error codes.
Good Filters for searches under the suffix cn=schema. == Problem Filters only in certain formats will work in searches under the suffix cn=schema, in case you need to find the definition of a certain objectclass or attribute
Solution
A simple way to get the information about a certain OID or objectclass, from a large cn=schema search result, is to pipe the output to a grep command as mentioned below:
ldapsearch -D <BindDN> -w <BindPW> -s base -b "cn=schema" objectclass=* | grep -i <OID/NAME/Description..>
Though the search results obtained this way will have a pure text based filtering and may show multiple occurences of the OID itself, most of the times it is effective to get the definition out of a cn=schema search.
Further, to drill on only objectclass definitions ldapsearch given below can be used :
ldapsearch -D <BindDN> -w <BindPW> -s base -b "cn=schema" objectclass=* objectclassess| grep -i " '<objectclass>' "
For Example: In ITDS 6.0
ldapsearch -D cn=root -w root -p 389 -s base -b "cn=schema" objectclass=* objectclasses | grep -i " 'container' "
Output:
objectclasses=( 1.3.18.0.2.6.28 NAME 'container' DESC 'An object that can contain other objects.' SUP top STRUCTURAL MUST cn )
Similarly, to drill on only attribute definitions ldapsearch given below can be used :
ldapsearch -D <BindDN> -w <BindPW> -s base -b "cn=schema" objectclass=* attributetypes | grep -i " '<attribute>' "
For Example: In ITDS 6.0
ldapsearch -D cn=root -w root -p 3389 -s base -b "cn=schema" objectclass=* attributetypes|grep -i " 'userPassword' "
Output:
attributetypes=( xx.5.4.35 NAME 'userPassword' DESC 'Holds a password value for a distinguished name.' EQUALITY xx.5.13.17 SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
IDS 6.0 improvements
- IDS - Improved replication. Multi-instance.
- IDS 6.0 comes bundled with TIM/TAM
- Only stand alone version comes with a proxy and ITDI
- w/o idi agents perl scripts are needed to control (rollover,tarball) logs
Installing TDS
Partner download comes with a zip for IDS that has licence.txt password protected. the password is "password" - it is only relevant for business partners. (i.e they put a password on it so that customers do not unzip it as it does not apply to the customers, only to business partners)
TDS SSL configuration
- Create my SSL kdb for LDAP
- Setup the JAVA environment before running gsk7cmd ! ! (look in WAS bin directory for the setupcmdenv.cmd
set gsk=secret set o=i78.com set site=i78_ set env=LAB_ @echo Clean up any old files . . @del \keystore\%site%%env%eLDAP.* @echo create my keystore @c:\progra~1\ibm\gsk7\bin\gsk7cmd -keydb -create -db C:\keystore\%site%%env%eLDAP.kdb -pw %gsk% -type cms -stash @echo Create my self-signed certificate @c:\progra~1\ibm\gsk7\bin\gsk7cmd -cert -create -db C:\keystore\%site%%env%eLDAP.kdb -pw %gsk% -size 1024 -dn "CN=LDAP,O=%o%,C=US" -label "eLDAP default key" -default_cert yes @echo Save it as a ascii file fro others to use @c:\progra~1\ibm\gsk7\bin\gsk7cmd -cert -extract -db C:\keystore\%site%%env%eLDAP.kdb -pw %gsk% -label "eLDAP default key" -target C:\keystore\%site%%env%eLDAP_default_cert.arm -format ascii @echo and list what I have in my keydb . . @c:\progra~1\ibm\gsk7\bin\gsk7cmd -cert -list personal -db C:\keystore\%site%%env%eLDAP.kdb -pw %gsk% -type cms
- ibmslapd config file needs a few changes:
ibm-slapdSecurity: SSL ibm-slapdSslCertificate: eLDAP default key ibm-slapdSslKeyDatabase: C:\keystore\i78_LAB_eLDAP.kdb
- OPTIONAL - (to use the default ldapkey.kdb for the client)
cd C:\Program Files\IBM\LDAP\lib copy \keystore\i78_LAB_eLDAP.kdb ldapkey.kdb copy \keystore\i78_LAB_eLDAP.sth ldapkey.sth
- Check to see if it is working:
C:\Program Files\IBM\LDAP\lib>ldapsearch -D cn=root -w secret -s base -b cn=connections,cn=monitor "objectclass=*" cn=connections,cn=monitor connection=27 : 127.0.0.1 : 2005-03-17 15:46:36 GMT : 1 : 1 : CN=ROOT : : C:\Program Files\IBM\LDAP\lib>ldapsearch -Z -D cn=root -w secret -s base -b cn=connections,cn=monitor objectclass=*" cn=connections,cn=monitor connection=28 : 127.0.0.1 : 2005-03-17 15:46:47 GMT : 1 : 1 : CN=ROOT : : SSL
@TechnicalNotes @ITDS