December 2007 - openldap-software

by Allan E. Johannesen

I'm not runing a 2.3 server for comparison, but is this a bug or is it expected behavior to have this sort of error? In a program, which had constructed the ** due to a missing first name, it also was found to break the connection to the server... CCC5:~> ldapsearch '(cn=** VERNON-GERSTENFELD*)' SASL/GSSAPI authentication started SASL username: aej(a)WPI.EDU SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=WPI, dc=EDU> (default) with scope subtree # filter: (cn=** VERNON-GERSTENFELD*) # requesting: ALL # # extended result response extended: 1.3.6.1.4.1.1466.20036 result: 2 Protocol error text: unexpected data in PDU # numResponses: 1 # numExtended: 1 CCC5:~> ldapsearch -VV ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.7 (Dec 17 2007 09:23:50) $ aej@CCC1.WPI.EDU:/tools/src/openldap/RHEL4-i686/openldap-2.4.7/clients/tools (LDAP library: OpenLDAP 20407)

15 years, 11 months

5
9
0 / 0

How to generate an LDIF file?

by canaparo

Hi everyone, I have to write a program in C++ that generates a valid LDIF file (both related to the LDIF syntax and LDAP schema). It is possibile to do without having a running LDAP server? Any suggestion for libraries that helps for this task? (e.g. something similar to Xerces-C++ for XML). Thanks, Marco

15 years, 11 months

4
4
0 / 0

rebind-as-user for reconnecting broken backend connection

by Andrew Bidwell

Hi, I'm using openldap 2.4.7 as a proxy to backend ldap servers. I've enabled "rebind-as-user" ("rebind-as-user yes" on "database ldap" definition) to allow for connections to reconnect when the backend is restarted or connection is lost. Which works fine in certain situations, but not in others. It seems that when a search operation (I haven't tested any other operations, but I can replicate a search operation) is performed when the backend is down, and then performed again when the backend is back up (both over an already bound connection), a rebind operation is not sent from openldap to the backend. But if no searches were performed against openldap while the backend was down and came up again and a search was performed against openldap, the rebind is successful. To explain I'll detail the scenarios: This works fine - 1) client binds 2) ldap search 3) backend is restarted 4) ldap search (bind operation is made from openldap to backend to re-establish authenticated connection) This fails - 1) client binds 2) ldap search 3) backend is down 4) ldap search (fails as expected) 5) backend is up 6) ldap search (no bind operation is made, search is performed on unauthenticated connection) Given that the rebind-as-user is specified, and that the client connection to openldap is still valid, I would have expected openldap to rebind at step 6 of the failing scenario as it does in step 4 of the working scenario. Is this behaviour expected, or is there a configuration option that will allow a rebind to take place in my failing case? I apologise if this question has been asked before - I searched through the archives, but couldn't find any related threads. Please let me know if you require further details. Thanks for your help! Andrew

15 years, 11 months

1
0
0 / 0

Re: Issue using ldapadd

by Gavin Henry

<quote who="Jonathan Wage"> > Uncommented and restarted ldap with the following command: > > sudo ./slapd -d 256 -f /private/etc/openldap/slapd.conf Can you start up with -d -1 and just paste the first say 50 lines. and CC your reply to openldap-software(a)openldap.org > > Then when I run this command: > > sudo ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif > > I get this in the screen with slapd running: > > conn=0 fd=12 ACCEPT from IP=127.0.0.1:64609 (IP=0.0.0.0:389) > conn=0 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128 > conn=0 op=0 RESULT tag=97 err=49 text= > conn=0 fd=12 closed (connection lost) > > The error code translates to incorrect DN or password. > > - Jon > > On Dec 21, 2007 1:52 PM, Gavin Henry <ghenry(a)suretecsystems.com> wrote: > >> Uncommment: >> >> # modulepath /usr/libexec/openldap >> # moduleload back_bdb.la >> >> -- >> Kind Regards, >> >> Gavin Henry. >> Managing Director. >> >> T +44 (0) 1224 279484 >> M +44 (0) 7930 323266 >> F +44 (0) 1224 824887 >> E ghenry(a)suretecsystems.com >> >> Open Source. Open Solutions(tm). >> >> http://www.suretecsystems.com/ >> >> <quote who="Jonathan Wage"> >> > When I start slapd like you said above I am able to see the logs. I >> then >> > run >> > the same command where I get the invalid credentials and I get the >> > following: >> > >> > ------------------ >> > >> > daemon: activity on 1 descriptor >> > daemon: listen=7, new connection on 13 >> > daemon: added 13r >> > conn=1 fd=13 ACCEPT from IP=127.0.0.1:63502 (IP=0.0.0.0:389) >> > daemon: select: listen=6 active_threads=0 tvp=NULL >> > daemon: select: listen=7 active_threads=0 tvp=NULL >> > daemon: activity on 1 descriptor >> > daemon: activity on: 13r >> > daemon: read activity on 13 >> > connection_get(13) >> > connection_get(13): got connid=1 >> > connection_read(13): checking for input on id=1 >> > ber_get_next >> > ldap_read: want=8, got=8 >> > 0000: 30 2e 02 01 01 60 29 02 >> > 0....`). >> > ldap_read: want=40, got=40 >> > 0000: 01 03 04 1c 63 6e 3d 4d 61 6e 61 67 65 72 2c 64 >> > ....cn=Manager,d >> > 0010: 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d >> > c=example,dc=com >> > 0020: 80 06 73 65 63 72 65 74 >> > ..secret >> > ber_get_next: tag 0x30 len 46 contents: >> > ber_dump: buf=0x003451d0 ptr=0x003451d0 end=0x003451fe len=46 >> > 0000: 02 01 01 60 29 02 01 03 04 1c 63 6e 3d 4d 61 6e >> > ...`).....cn=Man >> > 0010: 61 67 65 72 2c 64 63 3d 65 78 61 6d 70 6c 65 2c >> > ager,dc=example, >> > 0020: 64 63 3d 63 6f 6d 80 06 73 65 63 72 65 74 >> > dc=com..secret >> > ber_get_next >> > ldap_read: want=8 error=Resource temporarily unavailable >> > ber_get_next on fd 13 failed errno=35 (Resource temporarily >> unavailable) >> > daemon: select: listen=6 active_threads=0 tvp=NULL >> > daemon: select: listen=7 active_threads=0 tvp=NULL >> > do_bind >> > ber_scanf fmt ({imt) ber: >> > ber_dump: buf=0x003451d0 ptr=0x003451d3 end=0x003451fe len=43 >> > 0000: 60 29 02 01 03 04 1c 63 6e 3d 4d 61 6e 61 67 65 >> > `).....cn=Manage >> > 0010: 72 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d >> > r,dc=example,dc= >> > 0020: 63 6f 6d 80 06 73 65 63 72 65 74 >> > com..secret >> > ber_scanf fmt (m}) ber: >> > ber_dump: buf=0x003451d0 ptr=0x003451f6 end=0x003451fe len=8 >> > 0000: 00 06 73 65 63 72 65 74 >> > ..secret >> >>>> dnPrettyNormal: <cn=Manager,dc=example,dc=com> >> > => ldap_bv2dn(cn=Manager,dc=example,dc=com,0) >> > <= ldap_bv2dn(cn=Manager,dc=example,dc=com)=0 >> > => ldap_dn2bv(272) >> > <= ldap_dn2bv(cn=Manager,dc=example,dc=com)=0 >> > => ldap_dn2bv(272) >> > <= ldap_dn2bv(cn=manager,dc=example,dc=com)=0 >> > <<< dnPrettyNormal: <cn=Manager,dc=example,dc=com>, >> > <cn=manager,dc=example,dc=com> >> > do_bind: version=3 dn="cn=Manager,dc=example,dc=com" method=128 >> > conn=1 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128 >> > ==> bdb_bind: dn: cn=Manager,dc=example,dc=com >> > bdb_dn2entry("cn=manager,dc=example,dc=com") >> > => bdb_dn2id("dc=example,dc=com") >> > <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found >> > (-30990) >> > send_ldap_result: conn=1 op=0 p=3 >> > send_ldap_result: err=49 matched="" text="" >> > send_ldap_response: msgid=1 tag=97 err=49 >> > ber_flush: 14 bytes to sd 13 >> > 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 >> > 0....a...1.... >> > ldap_write: want=14, written=14 >> > 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 >> > 0....a...1.... >> > conn=1 op=0 RESULT tag=97 err=49 text= >> > daemon: activity on 1 descriptor >> > daemon: activity on: 13r >> > daemon: read activity on 13 >> > connection_get(13) >> > connection_get(13): got connid=1 >> > connection_read(13): checking for input on id=1 >> > ber_get_next >> > ldap_read: want=8, got=0 >> > >> > ber_get_next on fd 13 failed errno=0 (Undefined error: 0) >> > connection_read(13): input error=-2 id=1, closing. >> > connection_closing: readying conn=1 sd=13 for close >> > connection_close: deferring conn=1 sd=13 >> > daemon: select: listen=6 active_threads=0 tvp=NULL >> > daemon: select: listen=7 active_threads=0 tvp=NULL >> > daemon: activity on 1 descriptor >> > daemon: waked >> > daemon: select: listen=6 active_threads=0 tvp=NULL >> > daemon: select: listen=7 active_threads=0 tvp=NULL >> > connection_resched: attempting closing conn=1 sd=13 >> > connection_close: conn=1 sd=13 >> > daemon: removing 13 >> > conn=1 fd=13 closed (connection lost) >> > >> > - Jon >> > >> > On Dec 21, 2007 10:54 AM, Gavin Henry <ghenry(a)suretecsystems.com> >> wrote: >> > >> >> <quote who="Jonathan Wage"> >> >> > Here is my slapd.conf >> >> > >> >> > # >> >> > # See slapd.conf(5) for details on configuration options. >> >> > # This file should NOT be world readable. >> >> > # >> >> > include /private/etc/openldap/schema/core.schema >> >> > >> >> > # Define global ACLs to disable default read access. >> >> > >> >> > # Do not enable referrals until AFTER you have a working directory >> >> > # service AND an understanding of referrals. >> >> > #referral ldap://root.openldap.org >> >> > >> >> > pidfile /private/var/db/openldap/run/slapd.pid >> >> > argsfile /private/var/db/openldap/run/slapd.args >> >> > >> >> > # Load dynamic backend modules: >> >> > # modulepath /usr/libexec/openldap >> >> > # moduleload back_bdb.la >> >> > # moduleload back_ldap.la >> >> > # moduleload back_ldbm.la >> >> > # moduleload back_passwd.la >> >> > # moduleload back_shell.la >> >> > >> >> > # Sample security restrictions >> >> > # Require integrity protection (prevent hijacking) >> >> > # Require 112-bit (3DES or better) encryption for updates >> >> > # Require 63-bit encryption for simple bind >> >> > # security ssf=1 update_ssf=112 simple_bind=64 >> >> > >> >> > # Sample access control policy: >> >> > # Root DSE: allow anyone to read it >> >> > # Subschema (sub)entry DSE: allow anyone to read it >> >> > # Other DSEs: >> >> > # Allow self write access >> >> > # Allow authenticated users read access >> >> > # Allow anonymous users to authenticate >> >> > # Directives needed to implement policy: >> >> > # access to dn.base="" by * read >> >> > # access to dn.base="cn=Subschema" by * read >> >> > # access to * >> >> > # by self write >> >> > # by users read >> >> > # by anonymous auth >> >> > # >> >> > # if no access controls are present, the default policy >> >> > # allows anyone and everyone to read anything but restricts >> >> > # updates to rootdn. (e.g., "access to * by * read") >> >> > # >> >> > # rootdn can always read and write EVERYTHING! >> >> > >> >> > >> ####################################################################### >> >> > # BDB database definitions >> >> > >> ####################################################################### >> >> > >> >> > database bdb >> >> > suffix "dc=example,dc=com" >> >> > rootdn "cn=Manager,dc=example,dc=com" >> >> > # Cleartext passwords, especially for the rootdn, should >> >> > # be avoid. See slappasswd(8) and slapd.conf(5) for details. >> >> > # Use of strong authentication encouraged. >> >> > rootpw secret >> >> > # The database directory MUST exist prior to running slapd AND >> >> > # should only be accessible by the slapd and slap tools. >> >> > # Mode 700 recommended. >> >> > directory /private/var/db/openldap/openldap-data >> >> > # Indices to maintain >> >> > index objectClass eq >> >> > >> >> > >> >> > Which logs are you referring to? The openldap log? >> >> >> >> Start slapd by hand with -d -1 >> >> >> >> and then bind via ldapsearch. >> >> >> >> >> >> >> > >> > >> > -- >> > Jonathan Wage >> > http://www.jwage.com >> > http://www.centresource.com >> > >> >> > > > -- > Jonathan Wage > http://www.jwage.com > http://www.centresource.com >

15 years, 11 months

2
3
0 / 0

Re: Issue using ldapadd

by Gavin Henry

Uncommment: # modulepath /usr/libexec/openldap # moduleload back_bdb.la -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ <quote who="Jonathan Wage"> > When I start slapd like you said above I am able to see the logs. I then > run > the same command where I get the invalid credentials and I get the > following: > > ------------------ > > daemon: activity on 1 descriptor > daemon: listen=7, new connection on 13 > daemon: added 13r > conn=1 fd=13 ACCEPT from IP=127.0.0.1:63502 (IP=0.0.0.0:389) > daemon: select: listen=6 active_threads=0 tvp=NULL > daemon: select: listen=7 active_threads=0 tvp=NULL > daemon: activity on 1 descriptor > daemon: activity on: 13r > daemon: read activity on 13 > connection_get(13) > connection_get(13): got connid=1 > connection_read(13): checking for input on id=1 > ber_get_next > ldap_read: want=8, got=8 > 0000: 30 2e 02 01 01 60 29 02 > 0....`). > ldap_read: want=40, got=40 > 0000: 01 03 04 1c 63 6e 3d 4d 61 6e 61 67 65 72 2c 64 > ....cn=Manager,d > 0010: 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d > c=example,dc=com > 0020: 80 06 73 65 63 72 65 74 > ..secret > ber_get_next: tag 0x30 len 46 contents: > ber_dump: buf=0x003451d0 ptr=0x003451d0 end=0x003451fe len=46 > 0000: 02 01 01 60 29 02 01 03 04 1c 63 6e 3d 4d 61 6e > ...`).....cn=Man > 0010: 61 67 65 72 2c 64 63 3d 65 78 61 6d 70 6c 65 2c > ager,dc=example, > 0020: 64 63 3d 63 6f 6d 80 06 73 65 63 72 65 74 > dc=com..secret > ber_get_next > ldap_read: want=8 error=Resource temporarily unavailable > ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable) > daemon: select: listen=6 active_threads=0 tvp=NULL > daemon: select: listen=7 active_threads=0 tvp=NULL > do_bind > ber_scanf fmt ({imt) ber: > ber_dump: buf=0x003451d0 ptr=0x003451d3 end=0x003451fe len=43 > 0000: 60 29 02 01 03 04 1c 63 6e 3d 4d 61 6e 61 67 65 > `).....cn=Manage > 0010: 72 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d > r,dc=example,dc= > 0020: 63 6f 6d 80 06 73 65 63 72 65 74 > com..secret > ber_scanf fmt (m}) ber: > ber_dump: buf=0x003451d0 ptr=0x003451f6 end=0x003451fe len=8 > 0000: 00 06 73 65 63 72 65 74 > ..secret >>>> dnPrettyNormal: <cn=Manager,dc=example,dc=com> > => ldap_bv2dn(cn=Manager,dc=example,dc=com,0) > <= ldap_bv2dn(cn=Manager,dc=example,dc=com)=0 > => ldap_dn2bv(272) > <= ldap_dn2bv(cn=Manager,dc=example,dc=com)=0 > => ldap_dn2bv(272) > <= ldap_dn2bv(cn=manager,dc=example,dc=com)=0 > <<< dnPrettyNormal: <cn=Manager,dc=example,dc=com>, > <cn=manager,dc=example,dc=com> > do_bind: version=3 dn="cn=Manager,dc=example,dc=com" method=128 > conn=1 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128 > ==> bdb_bind: dn: cn=Manager,dc=example,dc=com > bdb_dn2entry("cn=manager,dc=example,dc=com") > => bdb_dn2id("dc=example,dc=com") > <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found > (-30990) > send_ldap_result: conn=1 op=0 p=3 > send_ldap_result: err=49 matched="" text="" > send_ldap_response: msgid=1 tag=97 err=49 > ber_flush: 14 bytes to sd 13 > 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 > 0....a...1.... > ldap_write: want=14, written=14 > 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 > 0....a...1.... > conn=1 op=0 RESULT tag=97 err=49 text= > daemon: activity on 1 descriptor > daemon: activity on: 13r > daemon: read activity on 13 > connection_get(13) > connection_get(13): got connid=1 > connection_read(13): checking for input on id=1 > ber_get_next > ldap_read: want=8, got=0 > > ber_get_next on fd 13 failed errno=0 (Undefined error: 0) > connection_read(13): input error=-2 id=1, closing. > connection_closing: readying conn=1 sd=13 for close > connection_close: deferring conn=1 sd=13 > daemon: select: listen=6 active_threads=0 tvp=NULL > daemon: select: listen=7 active_threads=0 tvp=NULL > daemon: activity on 1 descriptor > daemon: waked > daemon: select: listen=6 active_threads=0 tvp=NULL > daemon: select: listen=7 active_threads=0 tvp=NULL > connection_resched: attempting closing conn=1 sd=13 > connection_close: conn=1 sd=13 > daemon: removing 13 > conn=1 fd=13 closed (connection lost) > > - Jon > > On Dec 21, 2007 10:54 AM, Gavin Henry <ghenry(a)suretecsystems.com> wrote: > >> <quote who="Jonathan Wage"> >> > Here is my slapd.conf >> > >> > # >> > # See slapd.conf(5) for details on configuration options. >> > # This file should NOT be world readable. >> > # >> > include /private/etc/openldap/schema/core.schema >> > >> > # Define global ACLs to disable default read access. >> > >> > # Do not enable referrals until AFTER you have a working directory >> > # service AND an understanding of referrals. >> > #referral ldap://root.openldap.org >> > >> > pidfile /private/var/db/openldap/run/slapd.pid >> > argsfile /private/var/db/openldap/run/slapd.args >> > >> > # Load dynamic backend modules: >> > # modulepath /usr/libexec/openldap >> > # moduleload back_bdb.la >> > # moduleload back_ldap.la >> > # moduleload back_ldbm.la >> > # moduleload back_passwd.la >> > # moduleload back_shell.la >> > >> > # Sample security restrictions >> > # Require integrity protection (prevent hijacking) >> > # Require 112-bit (3DES or better) encryption for updates >> > # Require 63-bit encryption for simple bind >> > # security ssf=1 update_ssf=112 simple_bind=64 >> > >> > # Sample access control policy: >> > # Root DSE: allow anyone to read it >> > # Subschema (sub)entry DSE: allow anyone to read it >> > # Other DSEs: >> > # Allow self write access >> > # Allow authenticated users read access >> > # Allow anonymous users to authenticate >> > # Directives needed to implement policy: >> > # access to dn.base="" by * read >> > # access to dn.base="cn=Subschema" by * read >> > # access to * >> > # by self write >> > # by users read >> > # by anonymous auth >> > # >> > # if no access controls are present, the default policy >> > # allows anyone and everyone to read anything but restricts >> > # updates to rootdn. (e.g., "access to * by * read") >> > # >> > # rootdn can always read and write EVERYTHING! >> > >> > ####################################################################### >> > # BDB database definitions >> > ####################################################################### >> > >> > database bdb >> > suffix "dc=example,dc=com" >> > rootdn "cn=Manager,dc=example,dc=com" >> > # Cleartext passwords, especially for the rootdn, should >> > # be avoid. See slappasswd(8) and slapd.conf(5) for details. >> > # Use of strong authentication encouraged. >> > rootpw secret >> > # The database directory MUST exist prior to running slapd AND >> > # should only be accessible by the slapd and slap tools. >> > # Mode 700 recommended. >> > directory /private/var/db/openldap/openldap-data >> > # Indices to maintain >> > index objectClass eq >> > >> > >> > Which logs are you referring to? The openldap log? >> >> Start slapd by hand with -d -1 >> >> and then bind via ldapsearch. >> >> >> > > > -- > Jonathan Wage > http://www.jwage.com > http://www.centresource.com >

15 years, 11 months

1
0
0 / 0

Issue using ldapadd

by Jonathan Wage

Using the following command: ldapadd -x -D "cn=Manager,dc=example,dc=com" -f example.ldif -w secret No matter what I do, it says: ldap_bind: Invalid credentials (49) Here is my slapd.conf database bdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw secret Here is example.ldif: dn: dc=example,dc=com objectclass: dcObject objectclass: organization o: Example Company dc: example dn: cn=Manager,dc=example,dc=com objectclass: organizationalRole cn: Manager I saw another person with the same issue but it was because the slapd.confinformation did not match the information being passed to ldapadd, I already correct that as you can see and it still does not work. What else am I missing? Thanks, Jon -- Jonathan Wage http://www.jwage.com http://www.centresource.com

15 years, 11 months

4
3
0 / 0

Sync Replication via TLS/SSL - get bind err

by Chris G. Sellers

I have setup sync replication on two OpenLDAP servers. I have it successfully working via ldap://:389 I then setup TLS for SSL connections. I used a self signed cert (using the OpenLDAP how-to) as well as a CAsigned cert from cacert.org. I've setup the ca.crt in the ldap.conf file on both the master and slave. I've also setup the ca.cert in the TLS for the master server that the sync repl host connects to. I've tested the cert with a connection via ldap -Z and -d debug option and seen that the cert appears to be validated. So, when I turn on ldaps:// for the syncrepl section of the slave server, and use port 389 I get a bind error Dec 20 11:01:43 IdP slapd[11717]: do_syncrep1: rid 123 ldap_sasl_bind_s failed (-1) Dec 20 11:01:43 IdP slapd[11717]: do_syncrepl: rid 123 quitting which suggests that the connection could not be made on port 389 via TLS. I can't figure out how to tell the repl connection to send a certificate. Do I have to setup a user in LDAP with a cert? Do I put a client cert into the syncrepl section of the slapd.conf file on the slave? Please advise. Thanks Sellers |----------------------------------------------------------------------| Chris G. Sellers, MLS Lead Internet Engineer National Institute for Technology & Liberal Education 535 West William Street, Ann Arbor, Michigan 48103 chris.sellers(a)nitle.org 734.661.2318

15 years, 11 months

7
17
0 / 0

Re: Issue using ldapadd

by Gavin Henry

<quote who="Jonathan Wage"> > Here is my slapd.conf > > # > # See slapd.conf(5) for details on configuration options. > # This file should NOT be world readable. > # > include /private/etc/openldap/schema/core.schema > > # Define global ACLs to disable default read access. > > # Do not enable referrals until AFTER you have a working directory > # service AND an understanding of referrals. > #referral ldap://root.openldap.org > > pidfile /private/var/db/openldap/run/slapd.pid > argsfile /private/var/db/openldap/run/slapd.args > > # Load dynamic backend modules: > # modulepath /usr/libexec/openldap > # moduleload back_bdb.la > # moduleload back_ldap.la > # moduleload back_ldbm.la > # moduleload back_passwd.la > # moduleload back_shell.la > > # Sample security restrictions > # Require integrity protection (prevent hijacking) > # Require 112-bit (3DES or better) encryption for updates > # Require 63-bit encryption for simple bind > # security ssf=1 update_ssf=112 simple_bind=64 > > # Sample access control policy: > # Root DSE: allow anyone to read it > # Subschema (sub)entry DSE: allow anyone to read it > # Other DSEs: > # Allow self write access > # Allow authenticated users read access > # Allow anonymous users to authenticate > # Directives needed to implement policy: > # access to dn.base="" by * read > # access to dn.base="cn=Subschema" by * read > # access to * > # by self write > # by users read > # by anonymous auth > # > # if no access controls are present, the default policy > # allows anyone and everyone to read anything but restricts > # updates to rootdn. (e.g., "access to * by * read") > # > # rootdn can always read and write EVERYTHING! > > ####################################################################### > # BDB database definitions > ####################################################################### > > database bdb > suffix "dc=example,dc=com" > rootdn "cn=Manager,dc=example,dc=com" > # Cleartext passwords, especially for the rootdn, should > # be avoid. See slappasswd(8) and slapd.conf(5) for details. > # Use of strong authentication encouraged. > rootpw secret > # The database directory MUST exist prior to running slapd AND > # should only be accessible by the slapd and slap tools. > # Mode 700 recommended. > directory /private/var/db/openldap/openldap-data > # Indices to maintain > index objectClass eq > > > Which logs are you referring to? The openldap log? Start slapd by hand with -d -1 and then bind via ldapsearch.

15 years, 11 months

1
0
0 / 0

Re: Issue using ldapadd

by Gavin Henry

<quote who="Jonathan Wage"> > Hmmm, that didn't help anything either: Check your logs and also paste your slapd.conf Thanks. > > dutchy:/usr/share/openldap jwage$ ldapadd -W -D > cn=Manager,dc=example,dc=com > -f example.ldif -x -H ldap://localhost > Enter LDAP Password: > ldap_bind: Invalid credentials (49) > > Tried this too: > > dutchy:/usr/share/openldap jwage$ ldapadd -W -D > cn=Manager,dc=example,dc=com > -f example.ldif -x -h 127.0.0.1 -p 389 > Enter LDAP Password: > ldap_bind: Invalid credentials (49) > > I have to be overlooking something simple about my setup. I followed all > the > instructions in the quick start guide. > > - Jon > > On Dec 21, 2007 9:42 AM, Gavin Henry <ghenry(a)suretecsystems.com> wrote: > >> <quote who="Jonathan Wage"> >> > Using the following command: >> > >> > ldapadd -x -D "cn=Manager,dc=example,dc=com" -f example.ldif -w secret >> >> Make sure you are pointing to the correct directory server by specifing: >> >> -H ldap://server_ip >> >> and see "man ldapadd" or ldapadd -? for more info. >> > > > > -- > Jonathan Wage > http://www.jwage.com > http://www.centresource.com >

15 years, 11 months

1
0
0 / 0

authz-regexp in slapd.conf

by Jyotishmaan Ray

Hi All, For user having the dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in and base=nits.ac.in is this acl enough or i need to change this in my slapd.conf file # lenient auth-request DN to user-auth DN authz-regexp uid=([^,]*),dc=[^,]*,cn=auth uid=$1,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in Which way of mapping is the best:- direct or search based ? What can be the reason for unsuccesfull ldap authentication in my server machine, When i try to login using this uid (among others) through the console (GUI). my ldap server is running in fedora 7. With Thanks and Regards, Jyotishmaan Ray Moderator Of Paradise Groups http://yahoogroups.com/group/Spirituality-Paradise Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!! Please Join Immediately By Sending A Blank Mail @ Spirituality-Paradise-subscribe(a)yahoogroups.com ____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs

15 years, 11 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software December 2007