openldap-software December 2006

openldap-software@openldap.org

60 participants
65 discussions

Using different clients to change password result in different stored password's form
by kadafax 08 Dec '06

08 Dec '06

Hi list, as I don't know if this behavior comes from my slapd itself, I'm not giving too much details on it. Here is what's happening: in slapd.conf I have: 'password-hash {SSHA}' so I'm expecting that each password attribute change results in a new SSHA hashed password. Our users can change their password on several ways which all result in different stored password'hashes (cleartext (!), SHA, but not SSHA). Does the hashing type is specified on the client's side and not enforced by the directory? Can someone give me some pointers for doc explaining how password's change mechanism works in openldap? kfx

2 1

is_entry_objectclass("",*) no objectClass attribute
by Michael Ströder 08 Dec '06

08 Dec '06

HI! What does these messages (OpenLDAP 2.3.30) during startup mean? These OIDs are object classes subentry, alias and referral. Dec 7 10:46:07 nb2 slapd[5158]: is_entry_objectclass("", "2.5.17.0") no objectClass attribute Dec 7 10:46:07 nb2 slapd[5158]: is_entry_objectclass("", "2.5.6.1") no objectClass attribute Dec 7 10:46:07 nb2 slapd[5158]: is_entry_objectclass("", "2.16.840.1.113730.3.2.6") no objectClass attribute Ciao, Michael. -- Michael Ströder E-Mail: michael(a)stroeder.com http://www.stroeder.com

2 3

Using rewrite and map (slapo-rwm) to unify subordinate OpenLDAP with Active Directory
by Andrew Kay 07 Dec '06

07 Dec '06

Hi, (Apologies if anybody has already received this, I sent the message before subscribing to the list and later discovered that it may not be relayed if I wasn't a subscriber.) I am trying to configure OpenLDAP such that it acts as a subordinate to an Active Directory server to allow applications to seamlessly authenticate users against both directories via the OpenLDAP server (some users will be in OpenLDAP, some in AD). The directory suffixes are set up as follows, for example: Active Directory dc=xyz, dc=com OpenLDAP ou=Extranet, dc=xyz, dc=com (subordinate) I have successfully configured OpenLDAP such that a query with a base "dc=xyz, dc=com" will return results from both directories. I now want to add a rewrite rule to entries from the AD directory such that Microsoft object classes (user and group) are transformed into inetOrgPerson and groupOfNames respectively. Also, I'd like the SAMAccountName attribute to be mapped to an attribute named uid. I followed the example of using the rwm overlay here: http://www.openldap.org/lists/openldap-software/200510/msg00256.html I was then able to perform a query on the uid attribute against the AD directory, the entry was returned rewritten as an inetOrgPerson as I had expected. However, I am no longer able to perform a query on the uid attribute against the subordinate OpenLDAP directory (base "ou=Extranet, dc=xyz, dc=com") as, AFAIK, the rewrite rule is removing it from the query, results or both. Is it possible to only apply such rewrite rules to entries within the AD directory, and leave entries stored in the OpenLDAP subordinate directory untouched, or is there a better way to approach this problem? Andrew

3 3

Re: Using rewrite and map (slapo-rwm) to unify subordinate OpenLDAP with Active Directory
by Gavin Henry 07 Dec '06

07 Dec '06

<quote who="Andrew Kay"> > Gavin, > > Thanks for your reply. Apologies for the delay in replying, I've been > away from a computer for the past two days. Did you see Howards reply? "You need to configure the rwm overlay so that it only applies to the main DB. You do this by explicitly configuring the position of the glue overlay, putting it above the rwm overlay: database ldap suffix dc=xyz,dc=com ... overlay rwm ... overlay glue " > > The database portion of my configuration file is currently: > > database bdb > suffix "ou=Extranet, ou=XYZ, dc=xyz, dc=com" > subordinate > rootdn "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com" > rootpw secret > directory /usr/local/var/openldap-data > index objectClass eq > > database ldap > suffix "ou=XYZ, dc=xyz, dc=com" > uri "ldap://dc1" > > acl-bind > bindmethod=simple > binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" > credentials="secret" > > idassert-bind > bindmethod=simple > binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" > credentials="secret" > mode=none > authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com" > > idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com" > > overlay rwm > rwm-map objectclass inetOrgPerson user > rwm-map objectclass groupOfNames group > rwm-map attribute uid sAMAccountname > rwm-map attribute cn name > rwm-map attribute sn sn > rwm-map attribute mail mail > rwm-map attribute member member > rwm-map attribute * > > If I run a query against a user from the AD portion of the directory: > > extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, > dc=com" -W -b "ou=Users, ou=XYZ, dc=xyz, dc=com" "(cn=Andrew Kay)" > ... > > # Andrew Kay, Users, XYZ, xyz.com > dn: cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetOrgPerson > sn: Kay > cn: Andrew Kay > uid: Andrew > mail: andrew.kay(a)xyz.com > > ... > extranet:~# > > The AD user is successfully mapped to an inetOrgPerson, if I run a > query against a user from the OpenLDAP portion of the directory where > the user is already an inetOrgPerson: > > extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, > dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)" > ... > > # John Smith, Users, Extranet, XYZ, xyz.com > dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com > objectClass: inetOrgPerson > sn: Smith > > ... > extranet:~# > > The result is missing the uid field. If it comment out all rwm > directives in the configuration and perform the same query (after > restarting OpenLDAP), I get the following: > > extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, > dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)" > ... > > # John Smith, Users, Extranet, XYZ, xyz.com > dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com > objectClass: inetOrgPerson > cn: John Smith > sn: Smith > uid: john.smith > userPassword:: am9obi5zbWl0aA== > > ... > extranet:~# > > If I query the AD portion of the directory I recieve the unaltered > user, with AD schema attributes such as SAMAccountName. > > > Andrew >

1 0

identifying weak passwords
by Thierry Lacoste 06 Dec '06

06 Dec '06

I'm running OpenLDAP 2.3.24 on a production server. As I was in a hurry and discovering LDAP when I installed it, I didn't enforce any password policy. Now I would like to identify weak passwords to warn their users. What are my options? Best regards, Thierry.

4 4

schemacheck in slapd.conf
by Anant S Athavale 06 Dec '06

06 Dec '06

Dear List: In version 2.0.x of openldap, I used to use, schemacheck off in slapd.conf file. But, in the newer version 2.3.x, this directive is getting ignored. I want schemacheck to be disabled, how do I achieve this in the current version. Regards, Anant Athavale,

5 4

slapdd running at 100% of the cpu?
by Mike 06 Dec '06

06 Dec '06

Slapd was fine this weekend, then yesterday it went to 100% of the CPU and load average of 1.0+. No filesystems are full and I can find no mention of an issue in /var/log/*. Where can I look next for what's going on? I had this happen a few weeks ago, but I thought it was due to a full file system at the same time. Mike Red Hat Fedora Core 5 with all the latest patches [mikee@host ~]$ rpm -qa | grep ldap openldap-devel-2.3.19-4 ldapjdk-4.17-1jpp_3fc.1.1 openldap-clients-2.3.19-4 nss_ldap-249-1 python-ldap-2.0.6-5.2.1 cyrus-sasl-ldap-2.1.21-10 openldap-servers-2.3.19-4 smbldap-tools-0.9.2-3.fc5 openldap-2.3.19-4 mod_authz_ldap-0.26-6.2.1

2 3

hi, question about slapd.d configuration changed on the fly
by cosmih 06 Dec '06

06 Dec '06

hi, i use the last version of openldap (2.3.30, compiled by hand) and i try to implement an "slapd.d" configuration first i made my slapd.conf file and after that i start ldap server with "slapd -f slapd.conf -F slapd.d" command after that in slapd.d directory i have an cn=config.ldif file and a directory cn=config .... in this directory i have olcDatabase={2}bdb.ldif for my ldap base on second start of ldap server i used this command "/path/to/slapd -F /path/to/slapd.d" if i modify some access rules on this file i must to restart slapd to view that this new access rules are used .... how can i make this access rule to be used on the fly ( from administrator's guide: The LDAP configuration engine allows all of slapd's configuration options to be changed on the fly, generally without requiring a server restart for the changes to take effect) thanks

6 7

openldap2.3-2.3.27/servers/slapd/back-sql/entry-id.c:493: `SQLLEN' undeclared (first use in this function)
by Turbo Fredriksson 05 Dec '06

05 Dec '06

I can't seem to compile 2.3.27 even though I've disabled SQL backend... Any ideas? I'd PREFER to compile with the SQL backend, but it's not a showstopper (I'm not using it myself, but you never know). Where is/should SQLLEN be defined? I have both libiodbc2-dev, libmysqlclient10-dev (3.23.49) and postgresql-dev (7.3.2) installed.

1 0

Need some help on a specific ACL
by Rob Tanner 04 Dec '06

04 Dec '06

Hi, I have most of this bloody long ACL working right, but I still need an anonymous access to any entry under the "ou=people,o=linfield.edu" base DN for the purpose of authentication. I need to be able to search on the UID in order to retrieve the full DN of the entry. None of my trials have been successful. Can someone please help? Thanks, Rob access to dn.one="ou=people,o=linfield.edu" attrs=userpassword by anonymous auth access to dn.one="ou=people,o=linfield.edu" by dn="cn=Postfix,ou=Special Users,o=linfield.edu" read by group/linfieldGroupOfUniqueNames/uniqueMember="cn=ferpa administrators,ou=People,o=linfield.edu" read access to dn.one="ou=people,o=linfield.edu" filter=(!(ou=student)) by * read access to dn.one="ou=people,o=linfield.edu" filter=(&(!(ferpaStatus=Private))(!(entryStatus=Inactive))(ou=student)) by * read access to dn.one="ou=people,o=linfield.edu" filter=(&(!(ou=Student))(!(entryStatus=Inactive))) by * read access to dn.one="ou=people,o=linfield.edu" attrs=userPassword,maillocaladdress,useDefaultAlias,spamdisposition,checkForDirtyWords by self write -- Rob Tanner UNIX Services Manager Linfield College, McMinnville OR

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2006