Re: ACL using netgroups
by Claudio Strizzolo
Hi Dieter,
>> Hello Dieter,
>> thanks for your reply.
>> I tried as you suggested:
>>
>> by dn="cn=ldapauth,dc=example,dc=com" \
>> group/nisNetgroup/nisNetgroupTriple=cn=linuxa,ou=netgroup,dc=example,dc=com
>> read
>>
>> Unfortunately it does not work:
>>
>> [...]
>>
>> If that matters, I am using openldap 2.2.13.
> Ah, your historic version might be a problem. I can't remember in
> which version the group expansion was implemented.
> My slapd.access(5) OpenLDAP-2.3.27 states
> THE <WHO> FIELD
>
> [...]
> It can have the forms
>
> [ other forms deleted ]
> group[/<objectclass>[/<attrname>]]
Actually I have the same syntax available in my slapd.access:
<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]
[dnattr=<attrname>]
[group[/<objectclass>[/<attrname>]][.<style>]=<group>]
[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]
[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]
So probably the error is somewhere else. I report it again for the list
(sorry, I replied to Dieter only instead of the list the first time):
Checking configuration files for slurpd: /etc/openldap/userauth.acl:
line 82: group "cn=linuxa,ou=netgroup,dc=example,dc=com": inappropriate
syntax: 1.3.6.1.1.1.0.0
<access clause> ::= access to <what> [ by <who> <access> [ <control> ] ]+
(...)
Any hints?
Thanks again
Claudio
15 years, 5 months
Re: ppolicy - getting to work
by Prakash Velayutham
Thanks again. Makes sense.
Now that I am locked out for SSH access, I will just ask questions of
interest without actually trying things out. For all the different
ppolicy-related things to work, I am guessing the following is the
procedure. Please correct me.
a) Editing slapd.conf and adding "include", "modulepath", "loadmodule
ppolicy.la", "overlay", "ppolicy_use_lockout", "ppolicy_default"
statements.
b) Adding necessary policy-related objects to LDAP (policy object and
standard policy sub-object). These will inherit from pwdPolicy
objectclass.
c) Adding the users that will be managed by the password policy to the
directory. Do I have to add "objectClass=pwdPolicy" attribute to all the
users that need to be managed by ppolicy and leave it out for the other
users?
I will try all these out on Monday.
Prakash
>>> Aaron Richton <richton(a)nbcs.rutgers.edu> 11/24/06 8:06 PM >>>
Note that I build static modules, so this may need
verification/clarification, but I'll try:
The .la files are libtool archives. If you examine them (e.g. cat(1)),
then you'll see that they point to .so files (among other details). A
libtool-aware application--note that slapd(8) should be one of them--can
parse the .la file, which allegedly offers advantages (mostly platform
independence). So, following a 'make install', you should be able to
specify in slapd.conf
> moduleload /path/to/ppolicy.la
and that should parse OK. At least, that's the way I remember it...
Then again, you should be able to moduleload the .so also. If the .la
doesn't work out, try that.
On Fri, 24 Nov 2006, Prakash Velayutham wrote:
> Thanks Aaron. So I built openldap with:
>
> $ ./configure --with-tls=no --with-cyrus-sasl=no --enable-slurpd=no
> --enable-ipv6=no --enable-ppolicy=mod --enable-hdb=yes --enable-modules
> --enable-bdb=no --enable-ldif=no --enable-monitor=no --enable-relay=no
> --enable-syncprov=no
>
> Why do I have a ppolicy*.so and a ppolicy*.la file in the install
> location? When do you use the ppolicy*.so?
>
> I have temporarily lost access to the system because of PAM. Will have
> access again on monday.
>
> Thanks,
> Prakash
>
>>>> Prakash Velayutham 11/24/06 5:13 PM >>>
>>>> Aaron Richton <richton(a)nbcs.rutgers.edu> 11/24/06 4:04 PM >>>
> configure --enable-hdb --enable-ppolicy={yes|mod} should handle it.
> "yes" will build it into slapd, "mod" will give you a module. (You can
> do the same for --enable-hdb.)
>
> On Fri, 24 Nov 2006, Prakash Velayutham wrote:
>
>> Hello All,
>>
>> I am trying to get ppolicy working on my openldap-2.3.29 server. I want
>> this setup to work with hdb backend and either static or dynamic ppolicy
>> module. What compile time options would be sufficient?
>>
>> Thanks,
>> Prakash
>
15 years, 5 months
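The three steps Prakash lists (a: overlay directives in slapd.conf, b: the policy entry, c: the users) fit together in a way the posts do not spell out: pwdPolicy is an AUXILIARY object class, so the policy entry needs a structural class of its own, and user entries never get objectClass pwdPolicy; a user is tied to a policy through the pwdPolicySubentry attribute or, if that is absent, falls under the DN named by ppolicy_default. The following Python is an added example, not code from Prakash, Aaron or the OpenLDAP project: it embeds a constructed slapd.conf fragment and LDIF (all paths and DNs are hypothetical) and cross-checks that the three pieces refer to each other consistently before anything is loaded into a live server.

```python
import re

# Constructed slapd.conf fragment for an OpenLDAP 2.3 server; every path and DN is hypothetical.
SLAPD_CONF = """\
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/ppolicy.schema
modulepath      /usr/local/libexec/openldap
moduleload      ppolicy.la

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /usr/local/var/openldap-data

overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
"""

# Constructed LDIF. pwdPolicy is an AUXILIARY class, so the policy entry needs a
# structural class as well (device here). The user entry does not carry pwdPolicy;
# it is tied to a policy through pwdPolicySubentry, or falls under ppolicy_default.
POLICY_LDIF = """\
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 600

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example
userPassword: PLACEHOLDER-SET-BY-ADMIN
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict of lowercase attribute -> values per entry, keyed by DN."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries


def check_ppolicy_wiring(conf, ldif):
    """Cross-check the three pieces: overlay directives, the policy entry, the user entries."""
    directives = [line.split() for line in conf.splitlines()
                  if line.strip() and not line.startswith("#")]
    order = [d[0] for d in directives]
    findings = {
        # a) the schema must be included, modulepath must precede moduleload,
        #    and the overlay applies to the database section it follows
        "schema_included": any(d[0] == "include" and d[1].endswith("ppolicy.schema")
                               for d in directives),
        "module_order_ok": order.index("modulepath") < order.index("moduleload"),
        "overlay_after_database": order.index("database") < order.index("overlay"),
    }
    default_dn = next(d[1].strip('"') for d in directives if d[0] == "ppolicy_default")
    entries = parse_ldif(ldif)
    # b) ppolicy_default must name an entry carrying pwdPolicy with pwdAttribute userPassword
    policy = entries.get(default_dn.lower(), {})
    classes = [c.lower() for c in policy.get("objectclass", [])]
    findings["default_policy_exists"] = "pwdpolicy" in classes
    findings["default_policy_classes"] = classes
    findings["pwdattribute_ok"] = policy.get("pwdattribute") == ["userPassword"]
    # c) users never get objectClass pwdPolicy; record which policy each one resolves to
    users = [e for dn, e in entries.items() if dn.startswith("uid=")]
    findings["users_without_pwdpolicy_class"] = all(
        "pwdpolicy" not in [c.lower() for c in u.get("objectclass", [])] for u in users)
    findings["user_policy_refs"] = {
        u["uid"][0]: u.get("pwdpolicysubentry", [default_dn])[0] for u in users}
    return findings


if __name__ == "__main__":
    for key, value in check_ppolicy_wiring(SLAPD_CONF, POLICY_LDIF).items():
        print(f"{key}: {value}")
```

With ppolicy_use_lockout set, a locked account gets an explicit AccountLocked error instead of a generic bind failure, which is friendlier to the operator but also tells a client that the account exists; whether that trade-off is acceptable is a per-site decision.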
Re: ppolicy - getting to work
by Prakash Velayutham
Thanks Aaron. So I built openldap with:
$ ./configure --with-tls=no --with-cyrus-sasl=no --enable-slurpd=no
--enable-ipv6=no --enable-ppolicy=mod --enable-hdb=yes --enable-modules
--enable-bdb=no --enable-ldif=no --enable-monitor=no --enable-relay=no
--enable-syncprov=no
Why do I have a ppolicy*.so and a ppolicy*.la file in the install
location? When do you use the ppolicy*.so?
I have temporarily lost access to the system because of PAM. Will have
access again on Monday.
Thanks,
Prakash
>>> Prakash Velayutham 11/24/06 5:13 PM >>>
>>> Aaron Richton <richton(a)nbcs.rutgers.edu> 11/24/06 4:04 PM >>>
configure --enable-hdb --enable-ppolicy={yes|mod} should handle it.
"yes" will build it into slapd, "mod" will give you a module. (You can
do the same for --enable-hdb.)
On Fri, 24 Nov 2006, Prakash Velayutham wrote:
> Hello All,
>
> I am trying to get ppolicy working on my openldap-2.3.29 server. I want
> this setup to work with hdb backend and either static or dynamic ppolicy
> module. What compile time options would be sufficient?
>
> Thanks,
> Prakash
15 years, 5 months
ppolicy - getting to work
by Prakash Velayutham
Hello All,
I am trying to get ppolicy working on my openldap-2.3.29 server. I want
this setup to work with hdb backend and either static or dynamic ppolicy
module. What compile time options would be sufficient?
Thanks,
Prakash
15 years, 5 months
Reg openLDAP config
by shilpa muramkar
Hi,
I have installed OpenLDAP on Windows XP. Now I'm trying to populate it with our
company-specific values using Java code. It is giving me the following error:
error result (53); modification of subschema subentry not supported; DSA is
unwilling to perform
I have provided access privileges in slapd.conf as
access to dn.base="" by * write
access to dn.base="cn=subschema" by * write
access to *
by self write
by users write
by anonymous auth
but still I get an error saying I cannot modify the subschema entry.
Can anyone just let me know where exactly the error is?
How do I add my values into the subschema?
15 years, 5 months
Client passing "NTLM" as DN
by AW W
ldap_read: want=75, got=75
0000: 3a 60 84 00 00 00 44 02 01 03 04 04 4e 54 4c 4d :`....D.....NTLM
0010: 8a 39 4e 54 4c 4d 53 53 50 00 01 00 00 00 07 b2 .9NTLMSSP.......
0020: 08 a2 09 00 09 00 30 00 00 00 08 00 08 00 28 00 ......0.......(.
0030: 00 00 05 02 ce 0e 00 00 00 0f 5a 54 43 46 56 30 ..........ZTCFV0
0040: 4e 32 41 4d 45 52 49 43 41 53 45 N2AMERICASE
>>>dnPrettyNormal: <NTLM>
=> ldap_bv2dn(NTLM,0)
ldap_err2string
<= ldap_bv2dn(NTLM)=-4 Decoding error
bind: invalid dn (NTLM)
Is slapd(8) responding properly to this LDAP client request, and is it
possible to influence this behavior somehow? Can someone speculate as to
what is going on here?
15 years, 5 months
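What the trace shows is a BindRequest whose name field is the literal string "NTLM" and whose authentication choice carries context tag [10]. That tag is Microsoft's sicilyNegotiate choice (documented in MS-ADTS), a pre-SASL NTLM handshake that Active Directory accepts but that RFC 4511 does not define and slapd does not implement; the payload after it is an NTLMSSP NEGOTIATE message. slapd therefore treats "NTLM" as an ordinary DN, fails to parse it, and logs the "invalid dn" line shown. The Python below is an added example, not something the poster ran: it decodes the 75 bytes from the trace (my reading is that the LDAPMessage header and the message-id tag were consumed by the previous read, so the buffer starts at the message-id value) and labels the bind method, which is the check a log or packet monitor would use to recognise such clients.

```python
import struct

# The 75 bytes reproduced from the ldap_read trace in the post. The LDAPMessage
# SEQUENCE header and the INTEGER tag of the message id were consumed by the
# previous read (my reading of the trace), so the buffer opens with the message
# id value 0x3a and then the BindRequest.
TRACE = bytes.fromhex(
    "3a 60 84 00 00 00 44 02 01 03 04 04 4e 54 4c 4d "
    "8a 39 4e 54 4c 4d 53 53 50 00 01 00 00 00 07 b2 "
    "08 a2 09 00 09 00 30 00 00 00 08 00 08 00 28 00 "
    "00 00 05 02 ce 0e 00 00 00 0f 5a 54 43 46 56 30 "
    "4e 32 41 4d 45 52 49 43 41 53 45"
)


def ber_tlv(buf, pos):
    """Decode one BER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low seven bits count the length octets that follow
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def parse_ntlm_negotiate(blob):
    """Decode the fixed header of an NTLMSSP NEGOTIATE (type 1) message."""
    if blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", blob, 8)
    domain_len, _, domain_off = struct.unpack_from("<HHI", blob, 16)
    ws_len, _, ws_off = struct.unpack_from("<HHI", blob, 24)
    major, minor, build = struct.unpack_from("<BBH", blob, 32)
    return {
        "type": msg_type,
        "flags": flags,
        "domain": blob[domain_off:domain_off + domain_len].decode("ascii"),
        "workstation": blob[ws_off:ws_off + ws_len].decode("ascii"),
        "os_version": (major, minor, build),
    }


def parse_bind(buf):
    """Parse the BindRequest and name its authentication choice."""
    message_id = buf[0]  # one-octet INTEGER value left over from the previous read
    tag, start, _ = ber_tlv(buf, 1)
    if tag != 0x60:  # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    _, v_start, v_end = ber_tlv(buf, start)
    version = buf[v_start]
    _, n_start, n_end = ber_tlv(buf, v_end)
    name = buf[n_start:n_end].decode("utf-8")
    auth_tag, a_start, a_end = ber_tlv(buf, n_end)
    result = {"message_id": message_id, "version": version, "name": name,
              "auth_choice": auth_tag & 0x1F}
    if auth_tag == 0x80:          # [0] simple
        result["method"] = "simple"
    elif auth_tag == 0xA3:        # [3] sasl
        result["method"] = "sasl"
    elif auth_tag in (0x89, 0x8A, 0x8B):
        # [9]/[10]/[11]: Microsoft "Sicily" package discovery / negotiate / response
        # (MS-ADTS); not part of RFC 4511 and not implemented by slapd
        result["method"] = "sicily"
        if auth_tag == 0x8A:
            result["ntlm"] = parse_ntlm_negotiate(buf[a_start:a_end])
    else:
        result["method"] = "unknown"
    return result


if __name__ == "__main__":
    print(parse_bind(TRACE))
```

The decoded NEGOTIATE message names the workstation and domain, so the "bind: invalid dn (NTLM)" log line is a reliable signal for finding Windows clients configured to authenticate to slapd with NTLM; the remedy is on the client side (simple bind over TLS or SASL/GSSAPI), not a slapd setting.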
slapd + valsort using 100% CPU and causing slapd to become unresponsive
by Michael.Heep@o2.com
Hello list,
I've been recently experimenting with the valsort overlay. After enabling
it on the servers in our test environment they became unresponsive after a
few minutes and a simple "top" showed a 100% cpu utilization on the
machines.
Before filing an ITS I thought I'd first post my problem here. Maybe it's
just something as simple as a misplaced configuration directive. Therefore
I've included the relevant information below.
The test-servers only have about 100 entries and usually no more than half
a dozen clients access them simultaneously.
OpenLDAP Version: 2.3.30
BerkeleyDB: 4.2.52 + 5 patches
OS: RHES 2.1 and 3.0
Relevant slapd.conf parts:
... <ACL's, TLS opts, other global stuff> ...
...
overlay chain
chain-uri "ldap://<...>"
chain-idassert-bind bindmethod=sasl binddn="<...>" saslmech=external mode=self
chain-tls start
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=o2online,dc=de"
rootdn <...>
rootpw {SSHA}<...>
directory /var/lib/ldap/openldap-data
index objectClass eq
index entryCSN eq
index entryUUID eq
index sudoUser pres,eq,sub
index uid,cn pres,eq,sub
index uidNumber eq
index gidNumber eq
index memberUid eq
index uniqueMember eq
index host eq
## Syncrepl provider settings
#overlay syncprov
#syncprov-checkpoint 50 5
#syncprov-sessionlog 1000
# Syncrepl consumer settings
syncrepl rid=100
provider=ldap://<...>
type=refreshAndPersist
interval=00:00:00:10
retry="60 10 300 +"
searchbase="dc=o2online,dc=de"
filter="(objectclass=*)"
scope=sub
attrs="*,+"
schemachecking=on
starttls=critical
bindmethod=sasl
saslmech="external"
updateref ldap://<...>
limits dn.exact="<...>" size=unlimited time=unlimited
cachesize 10000
idlcachesize 30000
checkpoint 1024 5
overlay unique
unique_base "dc=o2online,dc=de"
unique_attributes uid uidNumber
overlay dynlist
dynlist-attrset extensibleObject memberURL uniqueMember
overlay valsort
valsort-attr uniqueMember dc=o2online,dc=de alpha-ascend
valsort-attr host dc=o2online,dc=de alpha-ascend
authz-policy to
authz-regexp
email=<...>
cn=<...>
Any help or hints would be much appreciated.
With kind regards
Michael Heep
15 years, 5 months
slow queries with long strings in filters
by Sylvain Amrani
Hi list,
I've got an attribute that could contain very long strings (more than
150 chr).
It's a string made of small tokens separated by spaces and slashes:
departmentUID: BA/BAC ANDL/BAPZ IDF/GRPT YVLN/CIE GN ST GERM...
The attribute is indexed with pres,eq,sub
When I search for small substrings like (departmentUID=*/GRPT*) it's
fast and ok.
When I search for a long subset of the string, the query takes _very_ long
(many seconds):
(departmentUID=BA/BAC ANDL/BAPZ IDF/GRPT YVLN/CIE GN ST*)
The longer the string, the slower the answer.
I can use very complex filters (&((|()())(|()()))... and the answer is
very fast, unless I use a long string in it.
The backend is BDB (berkeley 4.2)
Openldap is 2.2.26
Is this a BDB or an Openldap related issue ?
Using subinitial or subany in the index slapd.conf parameter did not
solve the problem.
I found only one post in the archives related to a server where any query
string with more than 3 characters made answers slow. He was told to
adjust:
index_substr_if_minlen
index_substr_if_maxlen
index_substr_any_len
index_substr_any_step
But these parameters are only available with OpenLDAP 2.3, and it
doesn't seem to be exactly my problem (I see no difference between 2-, 3-, 4-
or 5-character query strings).
Thanks,
Sylvain.
15 years, 5 months
samba-computer record at OpenLdap
by Roman Yushin
Hello.
I have an old server with openldap-server-2.0.27_3 (+ samba schema),
samba-3.0.8,1 as PDC
All information stored at LDAP: domain-computers, domain-users
So, I have a record for a computer:
dn: uid=ws01$,ou=People,o=campus,c=ru
uidNumber: 2000
gidNumber: 553
homeDirectory: /dev/null
loginShell: /bin/false
objectClass: top
objectClass: posixAccount
objectClass: sambaAccount
uid: ws01$
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdMustChange: 2147483647
displayName: ws01$
cn: ws01$
description: Computer
rid: 5000
primaryGroupID: 2107
acctFlags: [W ]
creatorsName: cn=Manager,o=campus,c=ru
createTimestamp: 20060324104820Z
pwdCanChange: 1162105007
ntPassword: A49B017193432C718AA03C008C681836
pwdLastSet: 1162105007
modifiersName: cn=Manager,o=campus,c=ru
modifyTimestamp: 20061029065647Z
I commented out the lines creatorsName, createTimestamp, modifiersName and
modifyTimestamp and obtained an LDIF record to add to another LDAP server.
The problem is that I could not add domain computers to the new server with
openldap-server-2.3.30!
All users were added from the old LDAP to the new one, but I have a problem with
computers!
Here is the error
adding new entry "uid=ws01$,ou=People,o=campus,c=ru"
ldap_add: Internal (implementation specific) error (80)
additional info: no structuralObjectClass operational attribute
debug.log (256)
Nov 23 13:40:38 new slapd[765]: conn=0 fd=12 ACCEPT from
IP=127.0.0.1:57407 (IP=127.0.0.1:389)
Nov 23 13:40:38 new slapd[765]: conn=0 op=0 BIND
dn="cn=manager,o=campus,c=ru" method=128
Nov 23 13:40:38 new slapd[765]: conn=0 op=0 BIND
dn="cn=Manager,o=campus,c=ru" mech=SIMPLE ssf=0
Nov 23 13:40:38 new slapd[765]: conn=0 op=0 RESULT tag=97 err=0 text=
Nov 23 13:40:38 new slapd[765]: conn=0 op=1 ADD
dn="uid=ws01$,ou=People,o=campus,c=ru"
Nov 23 13:40:38 new slapd[765]: No structuralObjectClass for entry
(uid=ws01$,ou=People,o=campus,c=ru)
Nov 23 13:40:38 new slapd[765]: conn=0 op=1 RESULT tag=105 err=80
text=no structuralObjectClass operational attribute
Nov 23 13:40:38 new slapd[765]: conn=0 op=2 UNBIND
Nov 23 13:40:38 new slapd[765]: conn=0 fd=12 closed
If I try to add this LDIF record on the old OpenLDAP, it works fine.
15 years, 5 months
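The entry in the post carries only top (abstract), posixAccount (auxiliary, RFC 2307) and sambaAccount (auxiliary, the old samba.schema). OpenLDAP 2.0.27 accepted that, but since 2.1 slapd requires every entry to have a structural object class and refuses the add with exactly the "no structuralObjectClass" text shown. The Python below is an added example, not code from the poster: it reproduces that check against the computer entry from the post using a small object-class kind table (the kinds are taken from the schema files; account from the cosine schema is the structural class that fits a uid-keyed machine account) and shows the entry passing once one is added.

```python
import re

# The computer entry from the post, with the operational attributes already removed
# as the poster did (creatorsName, createTimestamp, modifiersName, modifyTimestamp).
COMPUTER_LDIF = """\
dn: uid=ws01$,ou=People,o=campus,c=ru
uidNumber: 2000
gidNumber: 553
homeDirectory: /dev/null
loginShell: /bin/false
objectClass: top
objectClass: posixAccount
objectClass: sambaAccount
uid: ws01$
cn: ws01$
description: Computer
"""

# Object-class kinds as the schema files define them: top is ABSTRACT, posixAccount
# (RFC 2307) and sambaAccount (old samba.schema) are AUXILIARY, account (cosine),
# person and inetOrgPerson are STRUCTURAL.
CLASS_KIND = {
    "top": "ABSTRACT",
    "posixaccount": "AUXILIARY",
    "sambaaccount": "AUXILIARY",
    "account": "STRUCTURAL",
    "person": "STRUCTURAL",
    "inetorgperson": "STRUCTURAL",
}


def object_classes(ldif):
    """All objectClass values of a single LDIF entry, in file order."""
    return re.findall(r"^objectClass:\s*(\S+)", ldif, re.MULTILINE | re.IGNORECASE)


def structural_check(ldif, kinds=CLASS_KIND):
    """Mimic the slapd 2.1+ rule: an entry must name at least one STRUCTURAL class."""
    found = {}
    for cls in object_classes(ldif):
        kind = kinds.get(cls.lower())
        if kind is None:
            raise ValueError(f"objectClass {cls} is not in the kind table")
        found[cls] = kind
    structural = [cls for cls, kind in found.items() if kind == "STRUCTURAL"]
    return {"classes": found, "structural": structural, "ok": len(structural) >= 1}


def add_structural(ldif, cls="account"):
    """Insert objectClass: <cls> after the entry's last objectClass line."""
    lines = ldif.splitlines()
    last = max(i for i, line in enumerate(lines) if line.lower().startswith("objectclass:"))
    lines.insert(last + 1, f"objectClass: {cls}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(structural_check(COMPUTER_LDIF))
    print(structural_check(add_structural(COMPUTER_LDIF)))
```

account requires uid, which the entry already has, so the one extra objectClass line is enough; the same fix applies to every migrated entry that was built from auxiliary classes only, which is why the users (presumably carrying person or inetOrgPerson) went through while the computers did not.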
ACL using netgroups
by Claudio Strizzolo
Hi all,
I'd like to set up an ACL which allows access to a subtree only to a
user, and only if the query is coming from a restricted set of hosts.
Up to now I've been doing this:
access to dn.subtree="ou=People,dc=example,dc=com"
by self read
by dn="cn=myuser,dc=example,dc=com" \
peername.regex="10\.10\.10\.1[0-9]" read
by * none
This works.
However, the number of hosts to be allowed in this way is rapidly
increasing, and it is not easy to group their addresses in such a way to
make them easily summarized by a single regex, or a limited group of regexps.
Moreover, for other reasons I have grouped the hosts in a netgroup
inside the same database:
dn: cn=mynodes,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
cn: mynodes
nisNetgroupTriple: (node0.example.com,-,-)
nisNetgroupTriple: (node1.example.com,-,-)
(...)
nisNetgroupTriple: (node9.example.com,-,-)
My question is: is there any way to set the ACL above in such a way to
use this netgroup definition to limit access to the hosts listed in the
netgroup AND to the user as above, at the same time? I'm dreaming of
something like:
access to dn.subtree="ou=People,dc=example,dc=com"
by self read
by dn="cn=myuser,dc=example,dc=com" \
netgroup="cn=mynodes,ou=netgroup,dc=example,dc=com" read
by * none
Any way to do something like this?
I beg your pardon if this is a stupid question, I'm just an LDAP beginner.
Thanks in advance
Claudio
15 years, 5 months
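This question and Claudio's follow-up at the top of the page belong together. The follow-up shows slapd rejecting group/nisNetgroup/nisNetgroupTriple with "inappropriate syntax: 1.3.6.1.1.1.0.0"; that OID is the RFC 2307 nisNetgroupTriple syntax, and the group/<objectclass>/<attrname> clause in slapd.access(5) only accepts an attribute that holds DNs, so a netgroup cannot be plugged into the ACL as a group. The Python below is an added example, not code from either post: it takes the other route, reading the netgroup's triples and rendering the peername.regex clause from them. The host-to-address table is an assumption (the netgroup holds names, slapd's peername rule only sees the client's address), and the regex is anchored to slapd's full "IP=addr:port" peername string, because the unanchored pattern in the original ACL also matches addresses such as 10.10.10.120.

```python
import re

# Constructed inputs. The triples are copied from the netgroup entry in the post;
# the host-to-address table is an assumption, because the netgroup holds names
# and slapd's peername rule only ever sees the client's IP address.
NETGROUP_TRIPLES = [
    "(node0.example.com,-,-)",
    "(node1.example.com,-,-)",
    "(node9.example.com,-,-)",
    "(-,operator,-)",          # user-only triple: contributes no host
]
HOST_ADDRESSES = {
    "node0.example.com": "10.10.10.10",
    "node1.example.com": "10.10.10.11",
    "node9.example.com": "10.10.10.19",
}

TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^,]*)\)$")


def netgroup_hosts(triples):
    """Return the host field of every (host,user,domain) triple that names a host."""
    hosts = []
    for triple in triples:
        match = TRIPLE_RE.match(triple.strip())
        if match is None:
            raise ValueError(f"malformed nisNetgroupTriple: {triple!r}")
        host = match.group(1)
        if host not in ("", "-"):
            hosts.append(host)
    return hosts


def peername_regex(addresses):
    """Anchored regex for slapd's peername string, which looks like IP=10.10.10.10:54321.

    Anchoring both ends and escaping the dots matters: slapd's regex styles use
    regexec(), which matches anywhere in the string unless told otherwise.
    """
    alternatives = "|".join(re.escape(addr) for addr in sorted(addresses))
    return rf"^IP=({alternatives}):[0-9]+$"


def acl_clause(user_dn, triples, table):
    """Render the 'by' clause for the user, restricted to the netgroup's hosts."""
    addresses = [table[host] for host in netgroup_hosts(triples)]
    return f'by dn="{user_dn}" peername.regex="{peername_regex(addresses)}" read'


def peer_allowed(regex, peername):
    """Evaluate a peername the way slapd does: a search, not a full-string match."""
    return re.search(regex, peername) is not None


if __name__ == "__main__":
    print(acl_clause("cn=myuser,dc=example,dc=com", NETGROUP_TRIPLES, HOST_ADDRESSES))
    # The unanchored pattern from the original ACL also admits 10.10.10.120 and 110.10.10.1x.
    print(peer_allowed(r"10\.10\.10\.1[0-9]", "IP=10.10.10.120:389"))
```

The generated clause has to be regenerated and slapd reloaded whenever the netgroup changes, and the name-to-address step happens outside slapd, so the ACL only ever restricts by address; that is the trade-off against the in-directory group lookup the question hoped for.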