I'm trying to follow this guide https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect to create an SSO solution with OpenLDAP and Keycloak. I'm trying to add the readonly user. It should be the same LDIFs as here https://github.com/osixia/docker-openldap/tree/master/image/service/slapd/assets/config/bootstrap/ldif/readonly-user
I apply those LDIFs for the readonly user, but I get:
$ ldapsearch -x -H ldap://localhost:1389 -b "dc=muellerpublic,dc=de" -D "cn=readonly,dc=muellerpublic,dc=de" "+" -w xxx
Handling connection for 1389
ldap_bind: Invalid credentials (49)
Here are the users/groups:
$ ldapsearch -x -H ldap://localhost:1389 -b "dc=muellerpublic,dc=de" -D "cn=admin,dc=muellerpublic,dc=de" "+" -w xxx
Handling connection for 1389
# extended LDIF
#
# LDAPv3
# base <dc=muellerpublic,dc=de> with scope subtree
# filter: (objectclass=*)
# requesting: +
#
# muellerpublic.de
dn: dc=muellerpublic,dc=de
structuralObjectClass: organization
entryUUID: ce600638-0d8f-103c-8fb1-1558d46de393
creatorsName: cn=admin,dc=muellerpublic,dc=de
createTimestamp: 20220119162257Z
entryCSN: 20220119162257.152328Z#000000#000#000000
modifiersName: cn=admin,dc=muellerpublic,dc=de
modifyTimestamp: 20220119162257Z
entryDN: dc=muellerpublic,dc=de
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE
# users, muellerpublic.de
dn: ou=users,dc=muellerpublic,dc=de
structuralObjectClass: organizationalUnit
entryUUID: ce601dc6-0d8f-103c-8fb2-1558d46de393
creatorsName: cn=admin,dc=muellerpublic,dc=de
createTimestamp: 20220119162257Z
entryCSN: 20220119162257.152933Z#000000#000#000000
modifiersName: cn=admin,dc=muellerpublic,dc=de
modifyTimestamp: 20220119162257Z
entryDN: ou=users,dc=muellerpublic,dc=de
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
# readonly, muellerpublic.de
dn: cn=readonly,dc=muellerpublic,dc=de
structuralObjectClass: organizationalRole
entryUUID: ce60b6a0-0d8f-103c-8fb3-1558d46de393
creatorsName: cn=admin,dc=muellerpublic,dc=de
createTimestamp: 20220119162257Z
entryCSN: 20220119162257.156845Z#000000#000#000000
modifiersName: cn=admin,dc=muellerpublic,dc=de
modifyTimestamp: 20220119162257Z
entryDN: cn=readonly,dc=muellerpublic,dc=de
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Here are the LDIFs created:
20-readonly-user.ldif: |
# Paths
dn: cn=readonly,dc=muellerpublic,dc=de
changetype: add
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: {SSHA}5Y0mPhzRCYDBRltdvF6hp+m0DWgPTdjD
description: LDAP read only user
21-readonly-user-acl.config.ldif: |
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=muellerpublic,dc=de" write by anonymous auth by * none
olcAccess: to * by self read by dn="cn=admin,dc=muellerpublic,dc=de" write by dn="cn=readonly,dc=muellerpublic,dc=de" read by * none
I have a simple setup running locally in Docker containers: one container based on openjdk:13-alpine with Artemis 2.11.0 installed, and the other based on osixia/openldap.
When I try to log in to the web console I receive an error that I cannot understand at all:
HTTP ERROR 500
Problem accessing /console/auth/login/. Reason:
Server Error
Caused by:
java.lang.SecurityException: java.io.IOException: Configuration Error:
Line 11: expected [option value], found [null]
at java.base/sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
at java.base/sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
at java.base/java.lang.reflect.ReflectAccess.newInstance(ReflectAccess.java:166)
at java.base/jdk.internal.reflect.ReflectionFactory.newInstance(ReflectionFactory.java:404)
at java.base/java.lang.Class.newInstance(Class.java:591)
at java.base/javax.security.auth.login.Configuration$2.run(Configuration.java:255)
at java.base/javax.security.auth.login.Configuration$2.run(Configuration.java:246)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
at java.base/javax.security.auth.login.Configuration.getConfiguration(Configuration.java:245)
at java.base/javax.security.auth.login.LoginContext$1.run(LoginContext.java:242)
at java.base/javax.security.auth.login.LoginContext$1.run(LoginContext.java:240)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:240)
at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:378)
at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:451)
at io.hawt.system.Authenticator.doAuthenticate(Authenticator.java:128)
at io.hawt.system.Authenticator.authenticate(Authenticator.java:92)
at io.hawt.web.AuthenticationFilter.doFilter(AuthenticationFilter.java:168)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.XXSSProtectionFilter.doFilter(XXSSProtectionFilter.java:28)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:28)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.CORSFilter.doFilter(CORSFilter.java:42)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.CacheHeadersFilter.doFilter(CacheHeadersFilter.java:37)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.SessionExpiryFilter.process(SessionExpiryFilter.java:117)
at io.hawt.web.SessionExpiryFilter.doFilter(SessionExpiryFilter.java:57)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.RedirectFilter.process(RedirectFilter.java:73)
at io.hawt.web.RedirectFilter.doFilter(RedirectFilter.java:38)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1613)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:541)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1593)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1239)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:481)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1562)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1141)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:564)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:672)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:590)
at java.base/java.lang.Thread.run(Thread.java:830)
Caused by: java.io.IOException: Configuration Error:
Line 11: expected [option value], found [null]
at java.base/sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:665)
at java.base/sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:578)
at java.base/sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:479)
at java.base/sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:426)
at java.base/sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
at java.base/sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
at java.base/sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
... 61 more
Caused by:
java.io.IOException: Configuration Error:
Line 11: expected [option value], found [null]
at java.base/sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:665)
at java.base/sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:578)
at java.base/sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:479)
at java.base/sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:426)
at java.base/sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
at java.base/sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
at java.base/sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
at java.base/sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
at java.base/java.lang.reflect.ReflectAccess.newInstance(ReflectAccess.java:166)
at java.base/jdk.internal.reflect.ReflectionFactory.newInstance(ReflectionFactory.java:404)
at java.base/java.lang.Class.newInstance(Class.java:591)
at java.base/javax.security.auth.login.Configuration$2.run(Configuration.java:255)
at java.base/javax.security.auth.login.Configuration$2.run(Configuration.java:246)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:554)
at java.base/javax.security.auth.login.Configuration.getConfiguration(Configuration.java:245)
at java.base/javax.security.auth.login.LoginContext$1.run(LoginContext.java:242)
at java.base/javax.security.auth.login.LoginContext$1.run(LoginContext.java:240)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:312)
at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:240)
at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:378)
at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:451)
at io.hawt.system.Authenticator.doAuthenticate(Authenticator.java:128)
at io.hawt.system.Authenticator.authenticate(Authenticator.java:92)
at io.hawt.web.AuthenticationFilter.doFilter(AuthenticationFilter.java:168)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.XXSSProtectionFilter.doFilter(XXSSProtectionFilter.java:28)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:28)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.CORSFilter.doFilter(CORSFilter.java:42)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.CacheHeadersFilter.doFilter(CacheHeadersFilter.java:37)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.SessionExpiryFilter.process(SessionExpiryFilter.java:117)
at io.hawt.web.SessionExpiryFilter.doFilter(SessionExpiryFilter.java:57)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1621)
at io.hawt.web.RedirectFilter.process(RedirectFilter.java:73)
at io.hawt.web.RedirectFilter.doFilter(RedirectFilter.java:38)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1613)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:541)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1593)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1239)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:481)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1562)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1141)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:564)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:672)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:590)
at java.base/java.lang.Thread.run(Thread.java:830)
The same kind of error occurs when I try to use the bin/artemis producer command from within the Artemis container itself:
2020-03-26 15:44:34,845 INFO [org.apache.activemq.artemis.core.server.plugin.impl] AMQ841000: created connection: RemotingConnectionImpl [ID=e66c8100, clientID=null, nodeID=1fa3713e-6926-11ea-b9f9-0242c0a8d002, transportConnection=org.apache.activemq.artemis.core.remoting.impl.netty.NettyServerConnection#3d04dde0[ID=e66c8100, local= /127.0.0.1:61616, remote=/127.0.0.1:40444]]
2020-03-26 15:44:34,937 ERROR [org.apache.activemq.artemis.core.server] AMQ224018: Failed to create session: java.lang.SecurityException: java.io.IOException: Configuration Error:
Line 11: expected [option value], found [null]
at java.base/sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137) [java.base:]
at java.base/sun.security.provider.ConfigFile.<init>(ConfigFile.java:102) [java.base:]
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [java.base:]
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [java.base:]
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [java.base:]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) [java.base:]
at java.base/java.lang.reflect.ReflectAccess.newInstance(ReflectAccess.java:166) [java.base:]
at java.base/jdk.internal.reflect.ReflectionFactory.newInstance(ReflectionFactory.java:404) [java.base:]
at java.base/java.lang.Class.newInstance(Class.java:591) [java.base:]
at java.base/javax.security.auth.login.Configuration$2.run(Configuration.java:255) [java.base:]
at java.base/javax.security.auth.login.Configuration$2.run(Configuration.java:246) [java.base:]
at java.base/java.security.AccessController.doPrivileged(AccessController.java:554) [java.base:]
at java.base/javax.security.auth.login.Configuration.getConfiguration(Configuration.java:245) [java.base:]
at java.base/javax.security.auth.login.LoginContext$1.run(LoginContext.java:242) [java.base:]
at java.base/javax.security.auth.login.LoginContext$1.run(LoginContext.java:240) [java.base:]
at java.base/java.security.AccessController.doPrivileged(AccessController.java:312) [java.base:]
at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:240) [java.base:]
at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:501) [java.base:]
at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.getAuthenticatedSubject(ActiveMQJAASSecurityManager.java:190) [artemis-server-2.11.0.jar:2.11.0]
at org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager.validateUser(ActiveMQJAASSecurityManager.java:99) [artemis-server-2.11.0.jar:2.11.0]
at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:137) [artemis-server-2.11.0.jar:2.11.0]
at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1530) [artemis-server-2.11.0.jar:2.11.0]
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handleCreateSession(ActiveMQPacketHandler.java:166) [artemis-server-2.11.0.jar:2.11.0]
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handlePacket(ActiveMQPacketHandler.java:88) [artemis-server-2.11.0.jar:2.11.0]
at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.handlePacket(ChannelImpl.java:720) [artemis-core-client-2.11.0.jar:2.11.0]
at org.apache.activemq.artemis.core.protocol.core.impl.RemotingConnectionImpl.doBufferReceived(RemotingConnectionImpl.java:408) [artemis-core-client-2.11.0.jar:2.11.0]
at org.apache.activemq.artemis.core.protocol.core.impl.RemotingConnectionImpl.bufferReceived(RemotingConnectionImpl.java:385) [artemis-core-client-2.11.0.jar:2.11.0]
at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:654) [artemis-server-2.11.0.jar:2.11.0]
at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:73) [artemis-core-client-2.11.0.jar:2.11.0]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:337) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:323) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:297) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:337) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1408) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:345) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:796) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:427) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:328) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:905) [netty-all-4.1.34.Final.jar:4.1.34.Final]
at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) [artemis-commons-2.11.0.jar:2.11.0]
Caused by: java.io.IOException: Configuration Error:
Line 11: expected [option value], found [null]
at java.base/sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:665) [java.base:]
at java.base/sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:578) [java.base:]
at java.base/sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:479) [java.base:]
at java.base/sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:426) [java.base:]
at java.base/sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329) [java.base:]
at java.base/sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271) [java.base:]
at java.base/sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135) [java.base:]
... 45 more
2020-03-26 15:44:35,033 INFO [org.apache.activemq.artemis.core.server.plugin.impl] AMQ841001: destroyed connection: RemotingConnectionImpl [ID=e66c8100, clientID=null, nodeID=1fa3713e-6926-11ea-b9f9-0242c0a8d002, transportConnection=org.apache.activemq.artemis.core.remoting.impl.netty.NettyServerConnection#3d04dde0[ID=e66c8100, local= /127.0.0.1:61616, remote=/127.0.0.1:40444]]
The log does not reveal which file is to blame (even at level DEBUG). I assume it is the login.config, but I cannot see any issue in there.
I really appreciate any hints about either invalid Artemis configs or invalid LDAP records which could cause such issues.
The broker seems to be able to read data from LDAP, at least authorization-wise, as the logs show details for the population of roles, such as:
2020-03-26 14:45:24,021 INFO [org.apache.activemq.artemis.core.server] AMQ221051: Populating security roles from LDAP at: ldap://ldapserver:389
...
2020-03-26 14:45:24,240 DEBUG [org.apache.activemq.artemis.core.server.impl.LegacyLDAPSecuritySettingPlugin] LDAP search result: cn=read,cn=public.foo.test1.\#,ou=Topic
Destination type: topic
Destination name: public.foo.test1.#
Permission type: read
Attributes: {member=member: cn=admins,ou=Group,dc=example,dc=com, cn=users,ou=Group,dc=example,dc=com}
Role name: admins
Role name: users
...
Side note: after the above messages I'm receiving a log message that indicates some issues with the pagination support:
2020-03-26 14:45:24,231 ERROR [org.apache.activemq.artemis.core.server] AMQ224086: Caught unexpected exception: javax.naming.OperationNotSupportedException: [LDAP: error code 12 - critical extension is not recognized]; remaining name 'ou=Destination,dc=example,dc=com'
However, it seems this pops up AFTER the first chunk of records has been processed. If I'm not wrong, the default items-per-page limit should be 500, which is enough for my current case.
I've configured Artemis as follows:
login.config:
openldap {
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
debug=true
initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
connectionURL="ldap://ldapserver:389"
connectionUsername="cn=admin,dc=example,dc=com"
connectionPassword="..."
connectionProtocol="s"
connectionTimeout=10000
readTimeout=10000
topicSearchMatchingFormat="cn={0},ou=Topic,ou=Destination,dc=example,dc=com"
topicSearchSubtreeBool=true
authentication=simple
ignorePartialResultException=true
userBase="ou=User,dc=example,dc=com"
userSearchMatching="(uid={0})"
userSearchSubtree=false
queueSearchMatchingFormat="cn={0},ou=Queue,ou=Destination,dc=example,dc=com"
queueSearchSubtreeBool=true
roleBase="ou=Group,dc=example,dc=com"
roleName="cn"
roleSearchMatching="(member:=uid={1})"
roleSearchSubtree=true
;
};
broker.xml:
<configuration ...>
<!-- ... SNIP ... -->
<security-settings>
<security-setting-plugin class-name="org.apache.activemq.artemis.core.server.impl.LegacyLDAPSecuritySettingPlugin">
<setting name="initialContextFactory" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<setting name="connectionURL" value="ldap://ldapserver:389"/>
<setting name="connectionUsername" value="cn=admin,dc=example,dc=com"/>
<setting name="connectionPassword" value="...SNIP..."/>
<setting name="connectionProtocol" value="s"/>
<setting name="authentication" value="simple"/>
<setting name="destinationBase" value="ou=Destination,dc=example,dc=com"/>
<setting name="roleAttribute" value="member"/>
<setting name="ignorePartialResultException" value="true"/>
<setting name="filter" value="(cn=*)"/>
<setting name="readPermissionValue" value="read"/>
<setting name="writePermissionValue" value="write"/>
</security-setting-plugin>
</security-settings>
<!-- ... SNIP ... -->
</configuration>
A slightly modified version of my LDAP records:
version: 1
dn: dc=example,dc=com
objectClass: organization
objectClass: dcObject
objectClass: top
dc: example
o: Example Inc.
dn: ou=User,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: User
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword: {SSHA}3++NsuMU6iOErazxJNROGPmk1iw9Nboa
description: LDAP administrator
dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Group
dn: ou=Services,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Services
dn: ou=Destination,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Destination
dn: uid=CT84Ac0k,ou=User,dc=example,dc=com
objectClass: uidObject
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: CT84Ac0k
uid: CT84Ac0k
userPassword: {SSHA}ZGpJdZ3CRyP35pltd16Fbydnhfw6HmzV
dn: cn=users,ou=Group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: users
member: uid=CT84Ac0k
dn: cn=admins,ou=Group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: admins
member: uid=admin
dn: cn=mqbroker,ou=Services,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: top
cn: mqbroker
userPassword: {SSHA}lcLtOtmqIT4BjB7hlhV60H2dzUH0C5bb
dn: ou=Queue,ou=Destination,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Queue
dn: ou=Topic,ou=Destination,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Topic
dn: cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,dc=example,dc=com
objectClass: applicationProcess
objectClass: top
cn: ActiveMQ.Advisory.$
description: A destination represents the target for which an ArtemisRole can get access
dn: cn=public.foo.test1.#,ou=Topic,ou=Destination,dc=example,dc=com
objectClass: applicationProcess
objectClass: top
cn: public.foo.test1.#
dn: cn=read,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: read
member: cn=admins,ou=Group,dc=example,dc=com
member: cn=users,ou=Group,dc=example,dc=com
dn: cn=admin,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: admin
member: cn=admins,ou=Group,dc=example,dc=com
dn: cn=write,cn=ActiveMQ.Advisory.$,ou=Topic,ou=Destination,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: write
member: cn=admins,ou=Group,dc=example,dc=com
member: cn=users,ou=Group,dc=example,dc=com
dn: cn=read,cn=public.foo.test1.#,ou=Topic,ou=Destination,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: read
member: cn=admins,ou=Group,dc=example,dc=com
member: cn=users,ou=Group,dc=example,dc=com
dn: cn=admin,cn=public.foo.test1.#,ou=Topic,ou=Destination,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: admin
member: cn=admins,ou=Group,dc=example,dc=com
dn: cn=write,cn=public.foo.test1.#,ou=Topic,ou=Destination,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: write
member: cn=users,ou=Group,dc=example,dc=com
There's a syntax error in your login.config. The readTimeout and connectionTimeout values need to be in quotes, e.g.:
openldap {
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
debug=true
initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
connectionURL="ldap://ldapserver:389"
connectionUsername="cn=admin,dc=example,dc=com"
connectionPassword="..."
connectionProtocol="s"
connectionTimeout="10000"
readTimeout="10000"
authentication=simple
ignorePartialResultException=true
userBase="ou=User,dc=example,dc=com"
userSearchMatching="(uid={0})"
userSearchSubtree=false
roleBase="ou=Group,dc=example,dc=com"
roleName="cn"
roleSearchMatching="(member:=uid={1})"
roleSearchSubtree=true
;
};
Note: I removed topicSearchMatchingFormat, topicSearchSubtreeBool, queueSearchMatchingFormat, & queueSearchSubtreeBool because org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule doesn't support them. Having them in there doesn't technically cause a problem, but it makes it easier to read & understand with them gone.
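A small lint for the mistake the answer describes, as an added example that is not code from the answer or from the Artemis project: it flags option values in a JAAS login.config that are unquoted and start like a number, which the JDK's sun.security.provider.ConfigFile tokenizer reads as a number token rather than an option value, and rewrites them in quotes. The sample config is constructed from the question's login.config.

```python
import re

# Constructed sample: the login.config from the question above, with the two
# unquoted numeric values that the JDK rejects (sample built for this example).
BROKEN_LOGIN_CONFIG = """\
openldap {
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
        debug=true
        initialContextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        connectionURL="ldap://ldapserver:389"
        connectionUsername="cn=admin,dc=example,dc=com"
        connectionPassword="..."
        connectionProtocol="s"
        connectionTimeout=10000
        readTimeout=10000
        authentication=simple
        userBase="ou=User,dc=example,dc=com"
        userSearchMatching="(uid={0})"
        roleSearchMatching="(member:=uid={1})"
    ;
};
"""

# key=value option line inside a module entry (keys may contain dots).
OPTION_RE = re.compile(r'^(\s*)([A-Za-z_][\w.]*)\s*=\s*(.+?)\s*$')
# sun.security.provider.ConfigFile parses with java.io.StreamTokenizer, whose
# number parsing is on: a token that begins with a digit (or '.'/'-' followed
# by a digit) becomes TT_NUMBER, so match("option value") sees no word and
# fails with "expected [option value], found [null]". Quoted values are fine.
NUMERIC_START_RE = re.compile(r'^-?(\d|\.\d)')


def _needs_quotes(value):
    """True if an unquoted option value would be tokenized as a number."""
    if value[0] in ('"', "'"):
        return False
    return NUMERIC_START_RE.match(value) is not None


def find_unquoted_numeric_options(text):
    """Return [(line_no, key, value)] for every option value that must be quoted."""
    problems = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = OPTION_RE.match(line)
        if m and _needs_quotes(m.group(3)):
            problems.append((line_no, m.group(2), m.group(3)))
    return problems


def quote_numeric_options(text):
    """Return the config with every offending value wrapped in double quotes."""
    fixed = []
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m and _needs_quotes(m.group(3)):
            indent, key, value = m.groups()
            fixed.append(f'{indent}{key}="{value}"')
        else:
            fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for line_no, key, value in find_unquoted_numeric_options(BROKEN_LOGIN_CONFIG):
        print(f'line {line_no}: {key}={value} -> quote it: {key}="{value}"')
    print(quote_numeric_options(BROKEN_LOGIN_CONFIG))
```

Run it against the real file (or pipe the file into the functions) before restarting the broker; the line numbers it reports count from the first line of the file, the same way the JDK error message does.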
After much searching on Google without finding anything useful, I would like to know which Naxsi rules are the most useful to keep (even modified) and which I can safely ignore.
Below is my current configuration.
##################################
## INTERNAL RULES IDS:1-999 ##
##################################
#@MainRule "msg:weird request, unable to parse" id:1;
#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
#@MainRule "msg:invalid hex encoding, null bytes" id:10;
#@MainRule "msg:unknown content-type" id:11;
#@MainRule "msg:invalid formatted url" id:12;
#@MainRule "msg:invalid POST format" id:13;
#@MainRule "msg:invalid POST boundary" id:14;
#@MainRule "msg:invalid JSON" id:15;
#@MainRule "msg:empty POST" id:16;
#@MainRule "msg:libinjection_sql" id:17;
#@MainRule "msg:libinjection_xss" id:18;
##################################
## SQL Injections IDs:1000-1099 ##
##################################
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
## Hardcore rules
MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
## end of hardcore rules
MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
###############################
## OBVIOUS RFI IDs:1100-1199 ##
###############################
MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;
#######################################
## Directory traversal IDs:1200-1299 ##
#######################################
MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
########################################
## Cross Site Scripting IDs:1300-1399 ##
########################################
#MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
#MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
MainRule "str:`" "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
MainRule "rx:%[2|3]." "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
####################################
## Evading tricks IDs: 1400-1500 ##
####################################
MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
#############################
## File uploads: 1500-1600 ##
#############################
MainRule "rx:\.ph|\.asp|\.ht" "msg:asp/php file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;
Thanks for any help,
Lorenzo.
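The rule lines above are only half of the picture: every MainRule adds its points to a named score ($SQL, $XSS, $TRAVERSAL, ...) for each request variable it matches, and the CheckRule lines decide at which total the request is blocked. Which rules are worth keeping therefore depends on what the protected application's own legitimate traffic looks like, which is what Naxsi's learning mode measures. The Python below is an added example, not part of the original question and not Naxsi's own code: it parses a subset of the rule lines quoted above, scores a few constructed requests, and counts which rules fire on the legitimate ones. It assumes the CheckRule thresholds of Naxsi's example configuration, models `str:` as a case-insensitive substring match and `rx:` as a case-insensitive regex, scores each rule once per matching variable (argument names as well as values, as Naxsi does), and leaves out the URL decoding and other normalisation the real module performs.

```python
"""Toy scorer for Naxsi MainRule lines (added example, not Naxsi's own code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Subset of the naxsi_core.rules lines quoted in the question.
RULES_TEXT = r'''
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
'''
# Assumed thresholds: the CheckRule lines of Naxsi's example configuration.
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}
# A quoted "key:value" field (with \" and \\ escapes) or the trailing id:NNNN token.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(id:\d+)')


@dataclass
class Rule:
    rid: int
    zones: list      # e.g. ["ARGS", "URL", "$HEADERS_VAR:Cookie"]
    scores: list     # e.g. [("$SQL", 4), ("$XSS", 8)]
    matcher: object  # callable(text) -> bool


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if not line.lstrip().startswith("MainRule"):
            continue
        fields = {}
        for quoted, ident in _TOKEN.findall(line):
            if ident:
                fields["id"] = int(ident[3:])
            else:
                key, _, val = re.sub(r"\\(.)", r"\1", quoted).partition(":")
                fields[key] = val
        if "str" in fields:  # str: is a case-insensitive substring match
            matcher = lambda s, n=fields["str"].lower(): n in s.lower()
        else:                # rx: is a case-insensitive regular expression
            matcher = lambda s, r=re.compile(fields["rx"], re.I): r.search(s) is not None
        scores = [(p.rsplit(":", 1)[0], int(p.rsplit(":", 1)[1])) for p in fields["s"].split(",")]
        rules.append(Rule(fields["id"], fields["mz"].split("|"), scores, matcher))
    return rules


def request_variables(req):
    """Yield (zone, text) for each piece of a request that rules are applied to.
    Naxsi matches argument names as well as values, so both are yielded."""
    yield "URL", req.get("url", "/")
    for zone, key in (("ARGS", "args"), ("BODY", "body")):
        for name, value in req.get(key, {}).items():
            yield zone, name
            yield zone, value
    for hname, hvalue in req.get("headers", {}).items():
        yield "$HEADERS_VAR:" + hname, hvalue


def evaluate(rules, req):
    """Return ({score name: points}, [(rule id, zone, matched text), ...])."""
    scores, hits = defaultdict(int), []
    for zone, text in request_variables(req):
        for rule in rules:
            in_zone = any(z.lower() == zone.lower() or (z == "HEADERS" and zone.startswith("$HEADERS_VAR:"))
                          for z in rule.zones)
            if in_zone and rule.matcher(text):
                hits.append((rule.rid, zone, text))
                for name, pts in rule.scores:
                    scores[name] += pts
    return dict(scores), hits


def blocked(scores):
    """Names of the CheckRules whose threshold the request reached."""
    return [n for n, t in CHECK_RULES.items() if scores.get(n, 0) >= t]


def noisy_rules(rules, benign_requests):
    """How often each rule fires on traffic known to be legitimate; high counts mark
    the rules that need whitelists (or a lower score) for this application."""
    counts = defaultdict(int)
    for req in benign_requests:
        for rid, _, _ in evaluate(rules, req)[1]:
            counts[rid] += 1
    return dict(counts)


# Constructed sample traffic, not taken from the original post.
BENIGN = [
    {"url": "/search", "args": {"q": "red shoes, size 10"}},
    {"url": "/profile", "body": {"name": "O'Brien", "city": "Paris"}},
    {"url": "/api/items", "args": {"sort": "price"}, "headers": {"Cookie": "session=abc123"}},
]
ATTACKS = [
    {"url": "/item", "args": {"id": "1' UNION SELECT username, password FROM users--"}},
    {"url": "/download", "args": {"file": "../../etc/passwd"}},
    {"url": "/comment", "args": {"text": "<script>alert(1)</script>"}},
]

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for req in BENIGN + ATTACKS:
        scores, hits = evaluate(rules, req)
        print(req["url"], scores, blocked(scores) or "pass", [h[0] for h in hits])
    print("fires on legitimate traffic:", noisy_rules(rules, BENIGN))
```

Run against the constructed traffic, the comma rule (1015) alone never reaches the $SQL threshold, but the simple-quote rule (1013) blocks the legitimate "O'Brien" form post on its $XSS score of 8 while the same rule is what pushes the UNION SELECT payload well past the $SQL threshold. That is the usual Naxsi trade-off: the low-scoring character rules are kept, and the variables where they fire on real traffic get BasicRule whitelists, rather than the rules being removed globally.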
I am new to LDAP, and I can't understand why it is giving me that error when I try to import that file.
I've tried this command:
ldapadd -h elara.alu.com -x -W -D "cn=Manager,dc=alu,dc=com" -f /root/usersFromDavid.ldif
And my olcDatabase={2}bdb.ldif looks like this:
#CRC32 dd2c457a
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=alu,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=alu,dc=com
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: ou pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 7f7892aa-66a8-1034-968b-61cac64128b9
creatorsName: cn=config
createTimestamp: 20150324193414Z
entryCSN: 20150324193414.304614Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150324193414Z
olcRootPW: {SSHA}Ih6JIB2w69nqoZksZsa46ORHNnHBKNbI
olcTLSCertificateFile: /etc/pki/tls/certs/example.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/examplekey.pem
I tried to add:
dn: o=users
objectclass: extensibleObject
objectclass: top
objectclass: domain
dc: users
o: users
dn: ou=People,o=users,cn=Manager, dc=alu, dc=com
objectclass: top
objectclass: organizationalunit
ou: People
dn: uid=caterinca,ou=People,o=users,cn=Manager, dc=alu, dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: Caterinca
sn: Caterinca
description: enabled
mail: caterinca@caterinca
title: admin
uid: caterinca
userPassword:: e1NTSEF9Nk0vd2tUY3JSdEpiZUZWU2RzYWszbjhlVWV2eEk4aitCb3psNGc9P
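Two structural conditions can be checked offline before ldapadd is run at all: every DN in the file must lie under the suffix the database serves (olcSuffix: dc=alu,dc=com above), and the parent of every entry must already exist, either in the directory or earlier in the same file (ldapadd reports noSuchObject (32) when the parent is missing). The Python below is an added example, not part of the question and not OpenLDAP code. It works on a constructed copy of the LDIF quoted above (the truncated attributes left out) next to a constructed version with the entries placed directly under the suffix, normalises DNs by lowercasing and trimming whitespace around each RDN (a simplification of RFC 4514 matching that is enough for this check), and assumes that only the suffix entry itself already exists; the rootdn cn=Manager,dc=alu,dc=com is a bind identity and is not assumed to be an entry.

```python
"""Offline sanity check of an LDIF before ldapadd (added example, not OpenLDAP code)."""
import base64
import re

SUFFIX = "dc=alu,dc=com"   # the olcSuffix of the {2}bdb database shown above
EXISTING = {SUFFIX}        # entries assumed to be in the directory already (only the suffix entry)

# Constructed copy of the LDIF from the question (truncated attributes left out).
LDIF = """\
dn: o=users
objectclass: extensibleObject
objectclass: top
objectclass: domain
dc: users
o: users

dn: ou=People,o=users,cn=Manager, dc=alu, dc=com
objectclass: top
objectclass: organizationalunit
ou: People

dn: uid=caterinca,ou=People,o=users,cn=Manager, dc=alu, dc=com
objectClass: top
objectClass: inetOrgPerson
cn: Caterinca
sn: Caterinca
uid: caterinca
"""

# The same entries placed directly under the suffix (constructed).
FIXED_LDIF = """\
dn: ou=People,dc=alu,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=caterinca,ou=People,dc=alu,dc=com
objectClass: inetOrgPerson
cn: Caterinca
sn: Caterinca
uid: caterinca
"""


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn)


def normalize_dn(dn):
    """Lowercase and trim each RDN: a simplification of RFC 4514 matching, enough here."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(parts)


def parse_ldif_dns(text):
    """DNs of the records in order; handles 'dn::' base64 values and folded
    continuation lines (a line beginning with one space continues the previous one)."""
    dns = []
    for line in text.replace("\n ", "").splitlines():
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns


def check_ldif(text, suffix=SUFFIX, existing=EXISTING):
    """List (dn, problem) for records ldapadd would reject: a DN outside the database
    suffix, or a parent that exists neither in the directory nor earlier in the file.
    A record counts as present once it has been checked, so each fault is reported once."""
    suffix_n = normalize_dn(suffix)
    known = {normalize_dn(d) for d in existing}
    problems = []
    for dn in parse_ldif_dns(text):
        dn_n = normalize_dn(dn)
        if dn_n == suffix_n:
            pass                                  # the naming context itself has no parent
        elif not dn_n.endswith("," + suffix_n):
            problems.append((dn, "outside suffix " + suffix))
        else:
            parent = ",".join(split_dn(dn_n)[1:])
            if parent not in known:
                problems.append((dn, "parent does not exist: " + parent))
        known.add(dn_n)
    return problems


if __name__ == "__main__":
    for name, text in (("as posted", LDIF), ("fixed", FIXED_LDIF)):
        print(name, check_ldif(text) or "ok")
```

On the posted file the check flags o=users as outside the suffix and ou=People,o=users,cn=Manager,dc=alu,dc=com as having no parent; the third record is not reported separately because its parent is the record just before it. The fixed variant passes, which is the shape an ldapadd against this database needs: an ou=People directly under dc=alu,dc=com and the user beneath it, with no rootdn in the path.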
I tried to install OpenLDAP on Linux Red Hat 6, but I receive an error that looks like this:
"5511c732 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
Below is the file:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 03c4de5f
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=externa
l,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 7f788d0a-66a8-1034-968a-61cac64128b9
creatorsName: cn=config
createTimestamp: 20150324193414Z
entryCSN: 20150324193414.304614Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150324193414Z
and
5511c732 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif"
Below is the file:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 dd2c457a
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcSuffix: dc=example,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager,dc=example,dc=com
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: ou pres,eq,sub
olcDbIndex: mail pres,eq,sub
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 7f7892aa-66a8-1034-968b-61cac64128b9
creatorsName: cn=config
createTimestamp: 20150324193414Z
entryCSN: 20150324193414.304614Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20150324193414Z
olcRootPW: {SSHA}dGaM0fyxrjotXLEKz8Jjl5yoBhpNxLXX
olcTLSCertificateFile: /etc/pki/tls/certs/example.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/examplekey.pem
For the first error, I had modified dn.base="cn=Manager,dc=my-domain,dc=com" => Manager was in lower case: dn.base="cn=manager,dc=my-domain,dc=com"
Second error:
- olcSuffix: dc=example,dc=com => was olcSuffix: dc=my-domain,dc=com
- olcRootPW: {SSHA}dGaM0fyxrjotXLEKz8Jjl5yoBhpNxLXX (added)
- olcTLSCertificateFile: /etc/pki/tls/certs/example.pem (added)
- olcTLSCertificateKeyFile: /etc/pki/tls/certs/examplekey.pem (added)
Try the below settings:
vim /etc/profile
Press SHIFT + G to go to the end of the file and add export LC_ALL="en_US.UTF-8"
source /etc/profile
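The files under /etc/openldap/slapd.d are what their first line says: generated by slapd, with a CRC32 of the entry text so that hand edits are detected. Both edits described in the question above (changing the case of the ACL's dn.base, and adding olcRootPW and the two olcTLS attributes to the {2}bdb file) alter the bytes after the `# CRC32` line without updating the value, which is exactly what `ldif_read_file: checksum error` reports. The supported route is ldapmodify against cn=config; where a file has already been edited by hand (with slapd stopped), the checksum has to be recomputed. The Python below is an added example, not OpenLDAP code; it assumes that the hex value after `# CRC32` is the zlib CRC32 of every byte following that header line, verifies a constructed entry modelled on the olcDatabase={1}monitor file quoted above, and rewrites the header when it no longer matches.

```python
"""Verify or repair the CRC32 header of a slapd.d LDIF (added example, not OpenLDAP code).

Assumed: the hex value after '# CRC32 ' is the zlib CRC32 of every byte that follows
that header line. Stop slapd before touching these files and prefer ldapmodify
against cn=config; this is for the case where a hand edit has already happened.
"""
import re
import sys
import zlib

_CRC_LINE = re.compile(rb"^# CRC32 ([0-9a-fA-F]{8})\r?\n", re.MULTILINE)


def split_crc(data):
    """Return (stored CRC as int or None, offset where the checksummed body starts)."""
    m = _CRC_LINE.search(data)
    return (None, 0) if m is None else (int(m.group(1), 16), m.end())


def body_crc(data):
    """CRC32 of the bytes after the header line (of the whole file if there is none)."""
    return zlib.crc32(data[split_crc(data)[1]:]) & 0xFFFFFFFF


def check(data):
    """True when the file carries a CRC32 header that matches its body."""
    stored, _ = split_crc(data)
    return stored is not None and stored == body_crc(data)


def repair(data):
    """Return the file with the header rewritten to match the body; the body is untouched."""
    m = _CRC_LINE.search(data)
    if m is None:
        raise ValueError("no '# CRC32' header: not a slapd-generated file")
    return data[:m.start()] + b"# CRC32 %08x\n" % body_crc(data) + data[m.end():]


# Constructed entry modelled on the olcDatabase={1}monitor file quoted above (trimmed).
HEADER = b"# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.\n# CRC32 00000000\n"
BODY = (b"dn: olcDatabase={1}monitor\n"
        b"objectClass: olcDatabaseConfig\n"
        b"olcDatabase: {1}monitor\n"
        b'olcAccess: {0}to * by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none\n'
        b"olcMonitoring: FALSE\n")
GOOD = repair(HEADER + BODY)                                   # as slapd would have written it
HAND_EDITED = GOOD.replace(b"dc=my-domain", b"dc=example")     # edited without updating the CRC

if __name__ == "__main__":
    # usage: python crc_check.py [--fix] /etc/openldap/slapd.d/cn=config/*.ldif
    fix = "--fix" in sys.argv
    for path in (p for p in sys.argv[1:] if p != "--fix"):
        with open(path, "rb") as f:
            data = f.read()
        if check(data):
            print(path, "ok")
        elif fix:
            with open(path, "wb") as f:
                f.write(repair(data))
            print(path, "checksum rewritten")
        else:
            print(path, "checksum error")
```

Rewriting the checksum only silences the warning; it does not validate the edit itself, so after a repair the entry should still be read back with ldapsearch against cn=config (or the file loaded with slaptest) to confirm that slapd accepts the attributes that were added by hand.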