Simulating search filter
by Don Hoover
Ok. Here is an interesting problem.
We have purchased one of those remote serial console
access devices, and it "supports" ldap.
On our servers we use search filters to control who
has access to which of our servers... such as
sub?|(gid=55) etc.
BUT, this little thing only supports providing a "base"
and not any filters. If it just has our base then
everyone in our LDAP has access to this device, and we
want to limit it to just the sysadmin group.
Is there a way to create a virtual view of our
existing LDAP directory with a different base that,
behind the scenes, is a filtered view of our full LDAP
directory?
I thought I remembered seeing that something like this was
available, either as a backend option or something
like that.
Any ideas?
checking syncrepl consistency
by Andreas Hasenack
Hi all,
I want to be able to check for the syncrepl consistency between a
provider and a consumer with this database layout:
    provider (OL 2.3.30)                    consumer (OL 2.3.32)

    + dc=example,dc=com                     + dc=example,dc=com
      /           \                           /           \
    ...        + ou=global  ---------->  ou=global         + ...
                 /    \      (syncrepl)    /    \
               ...    ...                ...    ...
That is, only the ou=global branch is replicated to the other server, which
then has two databases (one for dc=example,dc=com and another one for
ou=global).
This works. Now I want to be able to check if the ou=global databases
are in sync with each other.
There are some scripts floating around that check the contextCSN
attribute, so I started with that. But it doesn't work in this scenario.
The problem is when a change is done to somewhere other than ou=global
on the provider. The contextCSN at dc=example,dc=com on the provider is
updated, but there is no need to replicate anything because the change
was not under ou=global. This means that contextCSN at the provider will
be different from the contextCSN on the consumer, even though the
databases are in sync.
Is there another (quick, scriptable) way to make this check? I will try
updated versions (2.3.33) on both sides shortly.
I also noticed that once the consumer is restarted, its contextCSN
assumes the same value as the one on the provider, even though there
was no change to the ou=global branch.
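An added example (not the poster's script, and not an OpenLDAP tool) of the entry-by-entry check the post is asking for: it compares the replicated subtree on each server by entryCSN, which syncrepl copies to the consumer unchanged, instead of the database-wide contextCSN that the post shows to be misleading. The LDIF dumps are constructed; real input would be an ldapsearch of ou=global on each server requesting only entryCSN.

```python
# Added example (not the poster's script): compare the replicated ou=global tree
# entry by entry on entryCSN, which syncrepl copies to the consumer unchanged,
# instead of the database-wide contextCSN that the post shows to be misleading.
# Constructed LDIF; real input would be an ldapsearch of the subtree on each
# server requesting only entryCSN (CSN values below are invented).

PROVIDER_LDIF = """
dn: cn=alice,ou=global,dc=example,dc=com
entryCSN: 20070126093900Z#000000#00#000000

dn: cn=bob,ou=global,dc=example,dc=com
entryCSN: 20070126094000Z#000000#00#000000
"""

CONSUMER_LDIF = """
dn: cn=bob,ou=global,dc=example,dc=com
entryCSN: 20070126093500Z#000000#00#000000

dn: cn=carol,ou=global,dc=example,dc=com
entryCSN: 20070125120000Z#000000#00#000000
"""

def parse_entry_csns(text: str) -> dict[str, str]:
    """Map each dn to its entryCSN, unfolding LDIF continuation lines first."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: append to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    result, dn, csn = {}, None, None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                result[dn.lower()] = csn       # naive DN normalisation; fine for one tree
            dn, csn = None, None
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("entryCSN: "):
            csn = line[10:]
    return result

def compare_trees(provider_ldif: str, consumer_ldif: str) -> dict[str, list[str]]:
    """Report entries missing, extra (e.g. deletes not applied) or stale on the consumer."""
    p, c = parse_entry_csns(provider_ldif), parse_entry_csns(consumer_ldif)
    return {
        "missing_on_consumer": sorted(p.keys() - c.keys()),
        "extra_on_consumer": sorted(c.keys() - p.keys()),
        "stale": sorted(dn for dn in p.keys() & c.keys() if p[dn] != c[dn]),
    }
```

Because only the replicated branch is compared, a write elsewhere under dc=example,dc=com on the provider does not produce a false alarm.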
Ppolicy overlay password checking module
by Metcalf, Roger
Hi John,
I didn't find a response to your query (pasted below). I'm about to try
cooking up something similar. Did you ever get help or find the magic
combination of ingredients to get pwdCheckModule working? If so, please
share the recipe!
Thanks,
Roger Metcalf
# # # # #
Hi all,
I don't know if this is the right list, but I'm hoping the author of the
overlay or somebody equally knowledgeable is on this list and will be
able to help me.
I'm attempting to use the password policy overlay with a custom password
strength checker. The docs say the following on the subject:
"pwdCheckModule This attribute names a user-defined loadable module that
must instantiate the check_password() function. This function will be
called to further check a new password if pwdCheckQuality is set to one
(1) or two (2), after all of the built-in password compliance checks
have been passed. This function will be called according to this
function prototype:
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
...
Note: The user-defined loadable module named by pwdCheckModule must be
in slapd's standard executable search PATH. Note: pwdCheckModule is a
non-standard extension to the LDAP password policy proposal."
Now, I'm a little unclear on how exactly to compile such a module or
where to place it so as to load it. "standard executable search PATH"
seems to imply it should go where binaries go (for example
/usr/local/bin) but I'm wondering if maybe it's the modulepath in the
slapd.conf. I've tried both so I'm assuming I'm not compiling it up
correctly.
The following is my simple program using cracklib (untested, but I
believe it should work). The file is called ldap_cracklib.c:
#include <portable.h>
#include <slap.h>
#include <packer.h>     /* cracklib: FascistCheck() */
#include <string.h>

int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

int check_password( char *pPasswd, char **ppErrStr, Entry *pEntry )
{
    const char *ret;

    /* FascistCheck() returns NULL when the password passes, otherwise a
       static string explaining why it was rejected. */
    ret = FascistCheck( pPasswd, "/usr/local/libdata/cracklib/pw_dict" );
    if (ret == NULL)
    {
        return 0;   /* accepted */
    }
    /* slapd frees the error text it is handed, so hand it a copy rather
       than cracklib's static string. */
    *ppErrStr = strdup( ret );
    return 1;       /* rejected: ppolicy reports the password as too weak */
}
I've compiled it to an object file with gcc -c (and a whole bunch of
other arguments for includes, etc) and also to a library using libtool
(i took the makefile for smbk5pwd and modified it). I've then tried
modifying the pwdCheckModule to ldap_cracklib.o and ldap_cracklib.so
respectively (after copying the relevant files to both /usr/local/bin
and our module path, /usr/local/libexec/openldap).
I'm using the following command to try and change my password:
ldappasswd -x -W -A -H ldaps://ldapservername.fully.qualified.domain -D
"uid=allmanj,ou=people,dc=fully,dc=qualified,dc=domain"
It prompts me for my old password twice, once for my new and then says:
ldap_bind: Invalid credentials (49)
I can confirm that my (old) password is correct by using ldapwhoami.
So should I be making a library? Should I be making a basic compiled
object? Should I be making something else? Please bear in mind that I'm
an administrator, not a programmer, so I am a little ignorant.
I've tried boosting the ldap log level and looking for errors but I don't
see anything.
Any help would be greatly appreciated.
Thanks,
John
gss_wrap/gss_unwrap sasl buffers?
by Michael B Allen
Hi,
I need to gss_wrap/gss_unwrap all requests and responses into SASL
buffers. Is there an existing method for doing that?
Otherwise, I suppose the best technique would be to allow the user to
register an "inspect" callback that will be called with the data buffer
just read from or written to the network. I'm starting to look at the
code now but if someone could give me a hint I would appreciate it.
Mike
pcache + LDAP_NO_ATTRS
by Mike Malsman
I am using OpenLDAP 2.3.33. I run a slapd service using the pcache
overlay, which in turn queries another instance of slapd by means of
'database ldap'. It seems to work nicely for my simple use. I can
verify that query results are cached if the requested attribute
matches that of the "proxyattrset" directive.
However, I have software which specifies LDAP_NO_ATTRS as the
attributes parameter of ldap_search_st(), as the software is
interested only in the presence of results, not their content. Is it
possible to instruct the pcache overlay, via "proxyattrset" or any
combination of other directives, to cache the results of such queries?
I have unsuccessfully attempted to define "proxyattrset 0", simply
omitting the attribute set. slapd starts fine, but does not seem to
cache my queries. It is unclear to me how slapd interprets this
configuration.
I've failed to find any relevant information in the list archives or
google. Am I asking the wrong question? Is this simply an unnatural
use of the pcache overlay?
Ciao,
-Mike
invalidAttributeSyntax error when an empty string is added
by Kazu Nisimura
Hi,
When I tried to add an empty string to an IA5 String attribute, slapd
returned an invalidAttributeSyntax (21) error. Is this correct
behavior?
from RFC4517:
===
3.3.6. Directory String
A value of the Directory String syntax is a string of one or more
arbitrary characters from the Universal Character Set (UCS) [UCS]...
[...]
3.3.15. IA5 String
A value of the IA5 String syntax is a string of zero, one, or more
characters from International Alphabet 5 (IA5) [T.50], ...
===
It seems that a zero-length IA5 String is allowed, while a Directory
String has to be one or more characters. (However, I don't
understand why a zero-length Directory String is not allowed. It is
very frustrating.)
I'm using OpenLDAP 2.3.27.
Regards,
--
Kazu Nisimura
slapd-relay
by Douglas B. Jones
I am on 2.3.33 and I am trying to fix it so that people with an
old base of o=gpc,c=us will automatically be given the results
from the base dc=employee,dc=gpc,dc=edu. From the slapd-relay doc.,
I first tried:
database relay
suffix "o=gpc,c=us"
relay "dc=employee,dc=gpc,dc=edu"
and tried a lookup with the command:
ldapsearch -b o=gpc,c=us uid=someone cn
and I get:
result: 53 Server is unwilling to perform
If I change the config. file to:
database relay
suffix "o=gpc,c=us"
overlay rwm
suffixmassage "dc=employee,dc=gpc,dc=edu"
and try the same command, the slapd process disappears and no core
file is found (I did a find on the whole system for anything with
'*core*' in it). The output to the terminal is:
ldap_result: Can't contact LDAP server (-1)
and the logs have:
Jan 26 09:38:37 mldap slapd[19110]: conn=0 op=1 SRCH base="o=gpc,c=us" scope=2 deref=0 filter="(uid=someone)"
Jan 26 09:38:37 mldap slapd[19110]: conn=0 op=1 SRCH attr=cn
When I start slapd back up, it says in the logs:
Jan 26 09:42:55 mldap slapd[19149]: bdb_db_open: unclean shutdown detected; attempting recovery.
and works fine otherwise. I can stop and restart and the warning does
not appear again - as expected (unless of course I do the same experiment
again).
I am sort of new to the Linux (RHEL4) environment, so I am not really
sure where I should go from here. On Tru64 I can attach to a process,
slapd in this case; I am not sure how to do that in Linux.
The two examples I used above came from the slapd-relay man page,
as far as I can tell, with just what they had. Thanks for any help!
the best and the shortest way ?
by Julien Oix
Hi everyone,
I'm stuck on technical stuff tryin' to deploy a specific backend meta.
(see here :
http://www.openldap.org/lists/openldap-software/200701/msg00190.html
and here :
http://www.openldap.org/lists/openldap-software/200701/msg00272.html )
So I will try to explain what I want, and maybe what I'm tryin' to do
is not the best way :)
The background :
1) there is an existing general openldap directory D1, on which I just
have a system account to read its data
--> no anonymous bind permitted to access the data, I need to call
ldapsearch this way to retrieve any results :
ldapsearch -x -D "cn=toto,ou=system,dc=univ-paris7,dc=fr" -w xxxx -H
ldaps://ldap.univ-paris.fr -b "ou=people,dc=univ-paris7,dc=fr" cn mail
-LLL
2) the fact is that I need authentication data on people who are not in
that directory D1, so I have to build my own ldap directory D2; and I
don't want any data redundancy between D1 and D2
--> D1 (union) D2 = empty set
3) to have a unique way to get authentication in Apache for example, in
order that people from D1 AND D2 can access, I've been thinkin' that the
best solution was to deploy an openldap meta backend D3 that would
transmit the authentication requests both to D1 and D2.
--> D1 and D2 are D3's targets.
Is this the simplest way? Are there any solutions to implement that?
The technical stuff
See the previous posts to see what stops me. Directories with anonymous
binds don't have any problem being targeted, but as soon as
authentication is needed, access is refused whenever I give a DN to
authenticate ...
Thanks,
--
Julien Oix
UFR d'Informatique - Université Paris Diderot
Office 5C01 (5th floor)
175 rue du Chevaleret
75013 PARIS
Tel : +33 (0) 144 278 504
Mobile : +33 (0) 664 392 207
---------------------------------------------
http://www.gnu.org/philosophy/no-word-attachments.html
sessionlog vs syncprov_sessionlog / missing delete phase
by Daniel Eckstein
Dear list members,
I have an openldap setup consisting of 1 master (read/write) and 4
replicas, with around 370.000 entries,
~200 reads/s at the replicas and ~5 modifications/s on the master.
Replication is working fine in terms of adding and modifying entries, but
not when it comes to deletion of
entries.
If I delete an entry at the master, the deletion seems not to be
synchronised to the replicas. All the replicas
have the very same count of objects, but they differ from the master's
object count (the master has fewer, because
deletions work there...)
What I have found so far is that I only have syncprov_sessionlog
configured and the manual page is talking
about sessionlog too. Which directive should I use on the syncprov master?
Is there a problem with the delete phase? What else could I check?
Thanks a lot in advance!
Best regards,
Daniel
base_64 encoding
by Thierry Lacoste
According to Faq-O-Matic:
The command
slappasswd -h {SHA} -s abcd123
will generate
{SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
so, in your entry, an attribute like this could be specified:
userPassword: {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E=
but when you do a slapcat or ldapsearch and the output is in LDIF format,
the userpassword will be base_64 encoded, and it will look like this:
userPassword:: e1NIQX1mRFlIdU9ZYnp4bEU2ZWhRT21ZUElmUzI4L0U9
Just out of curiosity why is it further encoded as everything in
the userPassword is already base_64 encoded except the string {SHA}?
I thought it may be because of the brackets but putting brackets in
another attribute (e.g. mail) doesn't trigger an encoding.
Regards,
Thierry.
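An added example, not the poster's or OpenLDAP's code, that makes the two encodings in this post checkable: it implements RFC 2849's rule for when an LDIF value must be written in the "::" base64 form, models the forced encoding OpenLDAP's LDIF writer applies to userPassword regardless of content, and shows how the {SHA} scheme itself is built (base64 of the raw SHA-1 digest). The FORCE_B64 set is an assumption standing in for libldap's built-in list.

```python
import base64
import hashlib
import hmac

# RFC 2849: "attr: value" is only allowed for a SAFE-STRING; anything else
# must be written as "attr:: <base64>".
def is_safe_string(value: bytes) -> bool:
    if not value:
        return True
    if value[0] in b" :<":                       # SAFE-INIT-CHAR excludes SPACE, ':' and '<'
        return False
    return all(b < 0x80 and b not in (0x00, 0x0A, 0x0D) for b in value)

# Attributes the LDIF writer base64-encodes regardless of content. OpenLDAP's
# libldap registers userPassword by default, which is why slapcat/ldapsearch
# print "userPassword::" even though "{SHA}..." is made only of SAFE chars.
# (Assumed set standing in for the library's list; add others as needed.)
FORCE_B64 = {"userpassword"}

def ldif_line(attr: str, value: bytes) -> str:
    """Render one attribute as an LDIF line, choosing the ':' or '::' form."""
    if attr.lower() in FORCE_B64 or not is_safe_string(value):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    return f"{attr}: {value.decode('ascii')}"

def ldif_value(line: str) -> tuple[str, bytes]:
    """Parse an LDIF attribute line back into (attr, raw value bytes)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):                     # "attr:: base64" form
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.lstrip(" ").encode("ascii")

def sha_scheme(password: bytes) -> str:
    """{SHA} as slappasswd -h {SHA} builds it: base64 of the raw 20-byte SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")

def check_sha_scheme(stored: str, password: bytes) -> bool:
    """Verify a cleartext password against a stored {SHA} value (unsalted SHA-1: weak today)."""
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_scheme(password))

if __name__ == "__main__":
    stored = "{SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E="   # value from the post
    print(is_safe_string(stored.encode()))        # True: braces, '/' and '=' are SAFE chars
    print(ldif_line("userPassword", stored.encode()))
    # userPassword:: e1NIQX1mRFlIdU9ZYnp4bEU2ZWhRT21ZUElmUzI4L0U9
    print(ldif_line("mail", b"{SHA}not-a-password"))   # mail: {SHA}not-a-password
```

The mail line stays unencoded because braces are not what triggers the "::" form; only the attribute-specific rule or an unsafe byte does.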