OpenLDAP 2.4.7 Bug?
by Allan E. Johannesen
I'm not running a 2.3 server for comparison, but is this a bug, or is it expected
behavior to have this sort of error?
In a program that had constructed the ** due to a missing first name, it was also
found to break the connection to the server...
CCC5:~> ldapsearch '(cn=** VERNON-GERSTENFELD*)'
SASL/GSSAPI authentication started
SASL username: aej(a)WPI.EDU
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=WPI, dc=EDU> (default) with scope subtree
# filter: (cn=** VERNON-GERSTENFELD*)
# requesting: ALL
#
# extended result response
extended: 1.3.6.1.4.1.1466.20036
result: 2 Protocol error
text: unexpected data in PDU
# numResponses: 1
# numExtended: 1
CCC5:~> ldapsearch -VV
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.4.7 (Dec 17 2007 09:23:50) $
aej@CCC1.WPI.EDU:/tools/src/openldap/RHEL4-i686/openldap-2.4.7/clients/tools
(LDAP library: OpenLDAP 20407)
15 years, 11 months
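The filter in the post, `(cn=** VERNON-GERSTENFELD*)`, is malformed under RFC 4515: a substring filter may not contain two adjacent asterisks, because every component between asterisks must be non-empty, and the server answered with a protocol error rather than guessing. The usual root cause is a client that pastes user-supplied strings straight into a filter string. The following Python is an added example, not code from the poster or from OpenLDAP: it escapes assertion values the RFC 4515 way, builds a substring filter that drops empty components instead of emitting `**`, and offers a checker for simple `(attr=value)` filters that flags the same defects the server rejects. Attribute and function names are this example's own.

```python
import re
from typing import Iterable, List

# RFC 4515: these characters must be written as \XX (two hex digits) inside a
# filter assertion value so they match literally instead of acting as syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for literal use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_substring_filter(attr: str, initial: str = "",
                           any_parts: Iterable[str] = (), final: str = "") -> str:
    """Build (attr=initial*any1*...*final) with every component escaped.

    Empty components are dropped instead of emitted, so a missing piece of
    input (the missing first name in the post) can never produce the adjacent
    asterisks "**" that RFC 4515 forbids and that slapd answered with err=2.
    """
    middle = [escape_filter_value(p) for p in any_parts if p]
    pieces = [escape_filter_value(initial), *middle, escape_filter_value(final)]
    if not any(pieces):
        return f"({attr}=*)"  # nothing to match on: degrade to a presence filter
    return f"({attr}={'*'.join(pieces)})"


# A simple (attr=value) filter: attribute description, '=', value.
_SIMPLE = re.compile(r"^\(([A-Za-z][A-Za-z0-9.;-]*)=(.*)\)$")
# A valid RFC 4515 escape sequence.
_ESCAPE = re.compile(r"\\[0-9A-Fa-f]{2}")


def check_simple_filter(filter_str: str) -> List[str]:
    """Return the problems found in a simple (attr=value) filter; empty if it is well formed."""
    m = _SIMPLE.match(filter_str)
    if not m:
        return ["not a simple (attr=value) filter"]
    # Replace each valid \XX escape with a placeholder first, so an escaped
    # '*', '(' or '\' is not mistaken for filter syntax below.
    value = _ESCAPE.sub("x", m.group(2))
    problems = []
    if "\\" in value:
        problems.append("backslash not followed by two hex digits")
    if "(" in value or ")" in value:
        problems.append("unescaped parenthesis in value")
    if "**" in value:
        problems.append("adjacent asterisks: every substring component must be non-empty")
    return problems
```

Running `check_simple_filter` on the filter from the post reports the adjacent asterisks; building the same query through `build_substring_filter("cn", "", ["VERNON-GERSTENFELD"])` yields `(cn=*VERNON-GERSTENFELD*)`, which the server accepts. Escaping every component also closes the more serious failure mode, where a value containing `*`, `(` or `)` changes the meaning of the filter instead of being matched literally.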
How to generate an LDIF file?
by canaparo
Hi everyone,
I have to write a program in C++ that generates a valid LDIF file (valid both
with respect to the LDIF syntax and to the LDAP schema). Is it possible to do this
without having a running LDAP server? Any suggestions for libraries that
help with this task? (e.g. something similar to Xerces-C++ for XML).
Thanks,
Marco
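The syntax half of the question needs no server at all: LDIF is specified by RFC 2849, and the rules a writer has to get right are few. A value must be base64-encoded (written as `attr:: ...`) when it contains non-ASCII bytes, NUL, CR or LF, or when it begins with a space, a colon or `<`; logical lines longer than 76 characters should be folded, with each continuation line starting with a single space. The following Python is an added example (not from the poster, and in Python rather than the C++ the question asks about) that implements exactly those rules and a matching unfolder for round-trip checks; the entry used in the test is constructed. Schema validity is a separate matter and still needs the schema definitions.

```python
import base64
from typing import Dict, Iterable, List, Sequence, Tuple, Union

MAX_LINE = 76  # RFC 2849 recommends folding physical lines longer than this

Value = Union[str, bytes]


def needs_base64(raw: bytes) -> bool:
    """True if RFC 2849 requires this value to be written base64-encoded."""
    if not raw:
        return False
    # SAFE-INIT-CHAR: the first byte may not be NUL, LF, CR, SPACE, ':' or '<'.
    if raw[0] in b"\x00\n\r :<":
        return True
    # SAFE-CHAR: every byte must be ASCII and not NUL, LF or CR.
    if any(b >= 0x80 or b in (0, 10, 13) for b in raw):
        return True
    # A trailing space is only guaranteed to survive when encoded.
    return raw.endswith(b" ")


def attr_line(name: str, value: Value) -> str:
    """One logical 'name: value' or 'name:: base64' line."""
    raw = value.encode("utf-8") if isinstance(value, str) else value
    if needs_base64(raw):
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {raw.decode('ascii')}"


def fold(line: str) -> List[str]:
    """Split a logical line into physical lines of at most MAX_LINE characters.

    Continuation lines begin with one space, which the reader strips again.
    """
    if len(line) <= MAX_LINE:
        return [line]
    out = [line[:MAX_LINE]]
    rest = line[MAX_LINE:]
    while rest:
        out.append(" " + rest[:MAX_LINE - 1])
        rest = rest[MAX_LINE - 1:]
    return out


def ldif_entry(dn: str, attrs: Dict[str, Sequence[Value]]) -> str:
    """Serialise one entry: dn line, attribute lines, blank separator line."""
    lines = fold(attr_line("dn", dn))
    for name, values in attrs.items():
        for v in values:
            lines.extend(fold(attr_line(name, v)))
    return "\n".join(lines) + "\n\n"


def ldif_document(entries: Iterable[Tuple[str, Dict[str, Sequence[Value]]]]) -> str:
    """A complete LDIF file with the optional version header."""
    return "version: 1\n\n" + "".join(ldif_entry(dn, attrs) for dn, attrs in entries)


def unfold(text: str) -> List[str]:
    """Inverse of fold(): rejoin continuation lines (used for round-trip checks)."""
    logical: List[str] = []
    for physical in text.split("\n"):
        if physical.startswith(" ") and logical:
            logical[-1] += physical[1:]
        else:
            logical.append(physical)
    return logical
```

The same encoding rules apply to the DN line, so `ldif_entry` pushes it through `attr_line` as well; a DN with a non-ASCII RDN comes out as `dn:: ...` rather than as bytes a strict parser would reject.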
rebind-as-user for reconnecting broken backend connection
by Andrew Bidwell
Hi,
I'm using openldap 2.4.7 as a proxy to backend ldap servers. I've enabled "rebind-as-user" ("rebind-as-user yes" on the "database ldap" definition) to allow connections to reconnect when the backend is restarted or the connection is lost. This works fine in certain situations, but not in others.
It seems that when a search operation (I haven't tested any other operations, but I can replicate a search operation) is performed when the backend is down, and then performed again when the backend is back up (both over an already bound connection), a rebind operation is not sent from openldap to the backend.
But if no searches were performed against openldap while the backend was down and came up again and a search was performed against openldap, the rebind is successful.
To explain I'll detail the scenarios:
This works fine -
1) client binds
2) ldap search
3) backend is restarted
4) ldap search (bind operation is made from openldap to backend to re-establish authenticated connection)
This fails -
1) client binds
2) ldap search
3) backend is down
4) ldap search (fails as expected)
5) backend is up
6) ldap search (no bind operation is made, search is performed on unauthenticated connection)
Given that the rebind-as-user is specified, and that the client connection to openldap is still valid, I would have expected openldap to rebind at step 6 of the failing scenario as it does in step 4 of the working scenario.
Is this behaviour expected, or is there a configuration option that will allow a rebind to take place in my failing case? I apologise if this question has been asked before - I searched through the archives, but couldn't find any related threads.
Please let me know if you require further details.
Thanks for your help!
Andrew
Re: Issue using ldapadd
by Gavin Henry
<quote who="Jonathan Wage">
> Uncommented and restarted ldap with the following command:
>
> sudo ./slapd -d 256 -f /private/etc/openldap/slapd.conf
Can you start up with -d -1 and just paste the first, say, 50 lines,
and CC your reply to openldap-software(a)openldap.org?
>
> Then when I run this command:
>
> sudo ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f example.ldif
>
> I get this in the screen with slapd running:
>
> conn=0 fd=12 ACCEPT from IP=127.0.0.1:64609 (IP=0.0.0.0:389)
> conn=0 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
> conn=0 op=0 RESULT tag=97 err=49 text=
> conn=0 fd=12 closed (connection lost)
>
> The error code translates to incorrect DN or password.
>
> - Jon
>
> On Dec 21, 2007 1:52 PM, Gavin Henry <ghenry(a)suretecsystems.com> wrote:
>
>> Uncomment:
>>
>> # modulepath /usr/libexec/openldap
>> # moduleload back_bdb.la
>>
>> --
>> Kind Regards,
>>
>> Gavin Henry.
>> Managing Director.
>>
>> T +44 (0) 1224 279484
>> M +44 (0) 7930 323266
>> F +44 (0) 1224 824887
>> E ghenry(a)suretecsystems.com
>>
>> Open Source. Open Solutions(tm).
>>
>> http://www.suretecsystems.com/
>>
>> <quote who="Jonathan Wage">
>> > When I start slapd like you said above I am able to see the logs. I
>> then
>> > run
>> > the same command where I get the invalid credentials and I get the
>> > following:
>> >
>> > ------------------
>> >
>> > daemon: activity on 1 descriptor
>> > daemon: listen=7, new connection on 13
>> > daemon: added 13r
>> > conn=1 fd=13 ACCEPT from IP=127.0.0.1:63502 (IP=0.0.0.0:389)
>> > daemon: select: listen=6 active_threads=0 tvp=NULL
>> > daemon: select: listen=7 active_threads=0 tvp=NULL
>> > daemon: activity on 1 descriptor
>> > daemon: activity on: 13r
>> > daemon: read activity on 13
>> > connection_get(13)
>> > connection_get(13): got connid=1
>> > connection_read(13): checking for input on id=1
>> > ber_get_next
>> > ldap_read: want=8, got=8
>> > 0000: 30 2e 02 01 01 60 29 02
>> > 0....`).
>> > ldap_read: want=40, got=40
>> > 0000: 01 03 04 1c 63 6e 3d 4d 61 6e 61 67 65 72 2c 64
>> > ....cn=Manager,d
>> > 0010: 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d
>> > c=example,dc=com
>> > 0020: 80 06 73 65 63 72 65 74
>> > ..secret
>> > ber_get_next: tag 0x30 len 46 contents:
>> > ber_dump: buf=0x003451d0 ptr=0x003451d0 end=0x003451fe len=46
>> > 0000: 02 01 01 60 29 02 01 03 04 1c 63 6e 3d 4d 61 6e
>> > ...`).....cn=Man
>> > 0010: 61 67 65 72 2c 64 63 3d 65 78 61 6d 70 6c 65 2c
>> > ager,dc=example,
>> > 0020: 64 63 3d 63 6f 6d 80 06 73 65 63 72 65 74
>> > dc=com..secret
>> > ber_get_next
>> > ldap_read: want=8 error=Resource temporarily unavailable
>> > ber_get_next on fd 13 failed errno=35 (Resource temporarily
>> unavailable)
>> > daemon: select: listen=6 active_threads=0 tvp=NULL
>> > daemon: select: listen=7 active_threads=0 tvp=NULL
>> > do_bind
>> > ber_scanf fmt ({imt) ber:
>> > ber_dump: buf=0x003451d0 ptr=0x003451d3 end=0x003451fe len=43
>> > 0000: 60 29 02 01 03 04 1c 63 6e 3d 4d 61 6e 61 67 65
>> > `).....cn=Manage
>> > 0010: 72 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d
>> > r,dc=example,dc=
>> > 0020: 63 6f 6d 80 06 73 65 63 72 65 74
>> > com..secret
>> > ber_scanf fmt (m}) ber:
>> > ber_dump: buf=0x003451d0 ptr=0x003451f6 end=0x003451fe len=8
>> > 0000: 00 06 73 65 63 72 65 74
>> > ..secret
>> >>>> dnPrettyNormal: <cn=Manager,dc=example,dc=com>
>> > => ldap_bv2dn(cn=Manager,dc=example,dc=com,0)
>> > <= ldap_bv2dn(cn=Manager,dc=example,dc=com)=0
>> > => ldap_dn2bv(272)
>> > <= ldap_dn2bv(cn=Manager,dc=example,dc=com)=0
>> > => ldap_dn2bv(272)
>> > <= ldap_dn2bv(cn=manager,dc=example,dc=com)=0
>> > <<< dnPrettyNormal: <cn=Manager,dc=example,dc=com>,
>> > <cn=manager,dc=example,dc=com>
>> > do_bind: version=3 dn="cn=Manager,dc=example,dc=com" method=128
>> > conn=1 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
>> > ==> bdb_bind: dn: cn=Manager,dc=example,dc=com
>> > bdb_dn2entry("cn=manager,dc=example,dc=com")
>> > => bdb_dn2id("dc=example,dc=com")
>> > <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found
>> > (-30990)
>> > send_ldap_result: conn=1 op=0 p=3
>> > send_ldap_result: err=49 matched="" text=""
>> > send_ldap_response: msgid=1 tag=97 err=49
>> > ber_flush: 14 bytes to sd 13
>> > 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00
>> > 0....a...1....
>> > ldap_write: want=14, written=14
>> > 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00
>> > 0....a...1....
>> > conn=1 op=0 RESULT tag=97 err=49 text=
>> > daemon: activity on 1 descriptor
>> > daemon: activity on: 13r
>> > daemon: read activity on 13
>> > connection_get(13)
>> > connection_get(13): got connid=1
>> > connection_read(13): checking for input on id=1
>> > ber_get_next
>> > ldap_read: want=8, got=0
>> >
>> > ber_get_next on fd 13 failed errno=0 (Undefined error: 0)
>> > connection_read(13): input error=-2 id=1, closing.
>> > connection_closing: readying conn=1 sd=13 for close
>> > connection_close: deferring conn=1 sd=13
>> > daemon: select: listen=6 active_threads=0 tvp=NULL
>> > daemon: select: listen=7 active_threads=0 tvp=NULL
>> > daemon: activity on 1 descriptor
>> > daemon: waked
>> > daemon: select: listen=6 active_threads=0 tvp=NULL
>> > daemon: select: listen=7 active_threads=0 tvp=NULL
>> > connection_resched: attempting closing conn=1 sd=13
>> > connection_close: conn=1 sd=13
>> > daemon: removing 13
>> > conn=1 fd=13 closed (connection lost)
>> >
>> > - Jon
>> >
>> > On Dec 21, 2007 10:54 AM, Gavin Henry <ghenry(a)suretecsystems.com>
>> wrote:
>> >
>> >> <quote who="Jonathan Wage">
>> >> > Here is my slapd.conf
>> >> >
>> >> > #
>> >> > # See slapd.conf(5) for details on configuration options.
>> >> > # This file should NOT be world readable.
>> >> > #
>> >> > include /private/etc/openldap/schema/core.schema
>> >> >
>> >> > # Define global ACLs to disable default read access.
>> >> >
>> >> > # Do not enable referrals until AFTER you have a working directory
>> >> > # service AND an understanding of referrals.
>> >> > #referral ldap://root.openldap.org
>> >> >
>> >> > pidfile /private/var/db/openldap/run/slapd.pid
>> >> > argsfile /private/var/db/openldap/run/slapd.args
>> >> >
>> >> > # Load dynamic backend modules:
>> >> > # modulepath /usr/libexec/openldap
>> >> > # moduleload back_bdb.la
>> >> > # moduleload back_ldap.la
>> >> > # moduleload back_ldbm.la
>> >> > # moduleload back_passwd.la
>> >> > # moduleload back_shell.la
>> >> >
>> >> > # Sample security restrictions
>> >> > # Require integrity protection (prevent hijacking)
>> >> > # Require 112-bit (3DES or better) encryption for updates
>> >> > # Require 63-bit encryption for simple bind
>> >> > # security ssf=1 update_ssf=112 simple_bind=64
>> >> >
>> >> > # Sample access control policy:
>> >> > # Root DSE: allow anyone to read it
>> >> > # Subschema (sub)entry DSE: allow anyone to read it
>> >> > # Other DSEs:
>> >> > # Allow self write access
>> >> > # Allow authenticated users read access
>> >> > # Allow anonymous users to authenticate
>> >> > # Directives needed to implement policy:
>> >> > # access to dn.base="" by * read
>> >> > # access to dn.base="cn=Subschema" by * read
>> >> > # access to *
>> >> > # by self write
>> >> > # by users read
>> >> > # by anonymous auth
>> >> > #
>> >> > # if no access controls are present, the default policy
>> >> > # allows anyone and everyone to read anything but restricts
>> >> > # updates to rootdn. (e.g., "access to * by * read")
>> >> > #
>> >> > # rootdn can always read and write EVERYTHING!
>> >> >
>> >> >
>> #######################################################################
>> >> > # BDB database definitions
>> >> >
>> #######################################################################
>> >> >
>> >> > database bdb
>> >> > suffix "dc=example,dc=com"
>> >> > rootdn "cn=Manager,dc=example,dc=com"
>> >> > # Cleartext passwords, especially for the rootdn, should
>> >> > # be avoid. See slappasswd(8) and slapd.conf(5) for details.
>> >> > # Use of strong authentication encouraged.
>> >> > rootpw secret
>> >> > # The database directory MUST exist prior to running slapd AND
>> >> > # should only be accessible by the slapd and slap tools.
>> >> > # Mode 700 recommended.
>> >> > directory /private/var/db/openldap/openldap-data
>> >> > # Indices to maintain
>> >> > index objectClass eq
>> >> >
>> >> >
>> >> > Which logs are you referring to? The openldap log?
>> >>
>> >> Start slapd by hand with -d -1
>> >>
>> >> and then bind via ldapsearch.
>> >>
>> >>
>> >>
>> >
>> >
>> > --
>> > Jonathan Wage
>> > http://www.jwage.com
>> > http://www.centresource.com
>> >
>>
>>
>
>
> --
> Jonathan Wage
> http://www.jwage.com
> http://www.centresource.com
>
Re: Issue using ldapadd
by Gavin Henry
Uncomment:
# modulepath /usr/libexec/openldap
# moduleload back_bdb.la
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
<quote who="Jonathan Wage">
> When I start slapd like you said above I am able to see the logs. I then
> run
> the same command where I get the invalid credentials and I get the
> following:
>
> ------------------
>
> daemon: activity on 1 descriptor
> daemon: listen=7, new connection on 13
> daemon: added 13r
> conn=1 fd=13 ACCEPT from IP=127.0.0.1:63502 (IP=0.0.0.0:389)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: activity on: 13r
> daemon: read activity on 13
> connection_get(13)
> connection_get(13): got connid=1
> connection_read(13): checking for input on id=1
> ber_get_next
> ldap_read: want=8, got=8
> 0000: 30 2e 02 01 01 60 29 02
> 0....`).
> ldap_read: want=40, got=40
> 0000: 01 03 04 1c 63 6e 3d 4d 61 6e 61 67 65 72 2c 64
> ....cn=Manager,d
> 0010: 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d 63 6f 6d
> c=example,dc=com
> 0020: 80 06 73 65 63 72 65 74
> ..secret
> ber_get_next: tag 0x30 len 46 contents:
> ber_dump: buf=0x003451d0 ptr=0x003451d0 end=0x003451fe len=46
> 0000: 02 01 01 60 29 02 01 03 04 1c 63 6e 3d 4d 61 6e
> ...`).....cn=Man
> 0010: 61 67 65 72 2c 64 63 3d 65 78 61 6d 70 6c 65 2c
> ager,dc=example,
> 0020: 64 63 3d 63 6f 6d 80 06 73 65 63 72 65 74
> dc=com..secret
> ber_get_next
> ldap_read: want=8 error=Resource temporarily unavailable
> ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable)
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> do_bind
> ber_scanf fmt ({imt) ber:
> ber_dump: buf=0x003451d0 ptr=0x003451d3 end=0x003451fe len=43
> 0000: 60 29 02 01 03 04 1c 63 6e 3d 4d 61 6e 61 67 65
> `).....cn=Manage
> 0010: 72 2c 64 63 3d 65 78 61 6d 70 6c 65 2c 64 63 3d
> r,dc=example,dc=
> 0020: 63 6f 6d 80 06 73 65 63 72 65 74
> com..secret
> ber_scanf fmt (m}) ber:
> ber_dump: buf=0x003451d0 ptr=0x003451f6 end=0x003451fe len=8
> 0000: 00 06 73 65 63 72 65 74
> ..secret
>>>> dnPrettyNormal: <cn=Manager,dc=example,dc=com>
> => ldap_bv2dn(cn=Manager,dc=example,dc=com,0)
> <= ldap_bv2dn(cn=Manager,dc=example,dc=com)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(cn=Manager,dc=example,dc=com)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(cn=manager,dc=example,dc=com)=0
> <<< dnPrettyNormal: <cn=Manager,dc=example,dc=com>,
> <cn=manager,dc=example,dc=com>
> do_bind: version=3 dn="cn=Manager,dc=example,dc=com" method=128
> conn=1 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
> ==> bdb_bind: dn: cn=Manager,dc=example,dc=com
> bdb_dn2entry("cn=manager,dc=example,dc=com")
> => bdb_dn2id("dc=example,dc=com")
> <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found
> (-30990)
> send_ldap_result: conn=1 op=0 p=3
> send_ldap_result: err=49 matched="" text=""
> send_ldap_response: msgid=1 tag=97 err=49
> ber_flush: 14 bytes to sd 13
> 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00
> 0....a...1....
> ldap_write: want=14, written=14
> 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00
> 0....a...1....
> conn=1 op=0 RESULT tag=97 err=49 text=
> daemon: activity on 1 descriptor
> daemon: activity on: 13r
> daemon: read activity on 13
> connection_get(13)
> connection_get(13): got connid=1
> connection_read(13): checking for input on id=1
> ber_get_next
> ldap_read: want=8, got=0
>
> ber_get_next on fd 13 failed errno=0 (Undefined error: 0)
> connection_read(13): input error=-2 id=1, closing.
> connection_closing: readying conn=1 sd=13 for close
> connection_close: deferring conn=1 sd=13
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> daemon: activity on 1 descriptor
> daemon: waked
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
> connection_resched: attempting closing conn=1 sd=13
> connection_close: conn=1 sd=13
> daemon: removing 13
> conn=1 fd=13 closed (connection lost)
>
> - Jon
>
> On Dec 21, 2007 10:54 AM, Gavin Henry <ghenry(a)suretecsystems.com> wrote:
>
>> <quote who="Jonathan Wage">
>> > Here is my slapd.conf
>> >
>> > #
>> > # See slapd.conf(5) for details on configuration options.
>> > # This file should NOT be world readable.
>> > #
>> > include /private/etc/openldap/schema/core.schema
>> >
>> > # Define global ACLs to disable default read access.
>> >
>> > # Do not enable referrals until AFTER you have a working directory
>> > # service AND an understanding of referrals.
>> > #referral ldap://root.openldap.org
>> >
>> > pidfile /private/var/db/openldap/run/slapd.pid
>> > argsfile /private/var/db/openldap/run/slapd.args
>> >
>> > # Load dynamic backend modules:
>> > # modulepath /usr/libexec/openldap
>> > # moduleload back_bdb.la
>> > # moduleload back_ldap.la
>> > # moduleload back_ldbm.la
>> > # moduleload back_passwd.la
>> > # moduleload back_shell.la
>> >
>> > # Sample security restrictions
>> > # Require integrity protection (prevent hijacking)
>> > # Require 112-bit (3DES or better) encryption for updates
>> > # Require 63-bit encryption for simple bind
>> > # security ssf=1 update_ssf=112 simple_bind=64
>> >
>> > # Sample access control policy:
>> > # Root DSE: allow anyone to read it
>> > # Subschema (sub)entry DSE: allow anyone to read it
>> > # Other DSEs:
>> > # Allow self write access
>> > # Allow authenticated users read access
>> > # Allow anonymous users to authenticate
>> > # Directives needed to implement policy:
>> > # access to dn.base="" by * read
>> > # access to dn.base="cn=Subschema" by * read
>> > # access to *
>> > # by self write
>> > # by users read
>> > # by anonymous auth
>> > #
>> > # if no access controls are present, the default policy
>> > # allows anyone and everyone to read anything but restricts
>> > # updates to rootdn. (e.g., "access to * by * read")
>> > #
>> > # rootdn can always read and write EVERYTHING!
>> >
>> > #######################################################################
>> > # BDB database definitions
>> > #######################################################################
>> >
>> > database bdb
>> > suffix "dc=example,dc=com"
>> > rootdn "cn=Manager,dc=example,dc=com"
>> > # Cleartext passwords, especially for the rootdn, should
>> > # be avoid. See slappasswd(8) and slapd.conf(5) for details.
>> > # Use of strong authentication encouraged.
>> > rootpw secret
>> > # The database directory MUST exist prior to running slapd AND
>> > # should only be accessible by the slapd and slap tools.
>> > # Mode 700 recommended.
>> > directory /private/var/db/openldap/openldap-data
>> > # Indices to maintain
>> > index objectClass eq
>> >
>> >
>> > Which logs are you referring to? The openldap log?
>>
>> Start slapd by hand with -d -1
>>
>> and then bind via ldapsearch.
>>
>>
>>
>
>
> --
> Jonathan Wage
> http://www.jwage.com
> http://www.centresource.com
>
Issue using ldapadd
by Jonathan Wage
Using the following command:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -f example.ldif -w secret
No matter what I do, it says: ldap_bind: Invalid credentials (49)
Here is my slapd.conf
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
Here is example.ldif:
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example
dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
I saw another person with the same issue, but it was because the
slapd.conf information did not match the information being passed to
ldapadd. I already corrected that, as you can see, and it still does not work.
What else am I missing?
Thanks, Jon
--
Jonathan Wage
http://www.jwage.com
http://www.centresource.com
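The `conn=N op=M` lines that slapd prints at log level 256 in this thread are the same "stats" lines a production server writes to syslog, and they are the raw material for noticing failed binds, whether one misconfigured client or a password-guessing run. The following Python is an added example, not part of the thread or of OpenLDAP: it correlates each BIND with its RESULT by `(conn, op)`, attaches the peer address from the ACCEPT line, and counts failures per peer. The first four sample lines are the ones quoted in the thread; the remaining lines, the 192.0.2.10 address included, are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Stats-level (loglevel 256) lines. re.search tolerates a syslog prefix such as
# "Dec 20 11:01:43 host slapd[11717]: " in front of the conn= field.
_ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):(\d+)")
_BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
_RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+) text=(.*)$")

BIND_RESPONSE_TAG = 97            # LDAP bindResponse [APPLICATION 1]
METHODS = {128: "simple", 163: "sasl"}
ERRORS = {0: "success", 2: "protocolError", 32: "noSuchObject",
          49: "invalidCredentials", 53: "unwillingToPerform"}


@dataclass
class BindResult:
    conn: int
    peer_ip: Optional[str]
    dn: str
    method: str
    err: int

    @property
    def failed(self) -> bool:
        return self.err != 0

    @property
    def error_name(self) -> str:
        return ERRORS.get(self.err, f"err={self.err}")


def parse_bind_results(lines: Iterable[str]) -> List[BindResult]:
    """Pair every BIND request with its RESULT line using the (conn, op) key."""
    peers: Dict[int, str] = {}
    pending: Dict[Tuple[int, int], Tuple[str, str]] = {}
    results: List[BindResult] = []
    for line in lines:
        if m := _ACCEPT.search(line):
            peers[int(m.group(1))] = m.group(2)
        elif m := _BIND.search(line):
            conn, op, dn, method = int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4))
            pending[(conn, op)] = (dn, METHODS.get(method, f"method={method}"))
        elif m := _RESULT.search(line):
            conn, op, tag, err = (int(m.group(i)) for i in range(1, 5))
            if tag == BIND_RESPONSE_TAG and (conn, op) in pending:
                dn, method = pending.pop((conn, op))
                results.append(BindResult(conn, peers.get(conn), dn, method, err))
    return results


def failed_binds_per_peer(results: Iterable[BindResult]) -> Dict[str, int]:
    """Failed binds per client address: the count a lockout or alert rule keys on."""
    return dict(Counter(r.peer_ip or "unknown" for r in results if r.failed))


# Constructed sample: the first four lines are quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
conn=0 fd=12 ACCEPT from IP=127.0.0.1:64609 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
conn=0 op=0 RESULT tag=97 err=49 text=
conn=0 fd=12 closed (connection lost)
conn=1 fd=13 ACCEPT from IP=192.0.2.10:40211 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
conn=1 op=0 RESULT tag=97 err=49 text=
conn=1 op=1 BIND dn="cn=Manager,dc=example,dc=com" method=128
conn=1 op=1 RESULT tag=97 err=0 text=
conn=1 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
""".splitlines()

if __name__ == "__main__":
    for r in parse_bind_results(SAMPLE_LOG):
        print(f"conn={r.conn} {r.peer_ip} {r.method} bind as {r.dn!r}: {r.error_name}")
    print(failed_binds_per_peer(parse_bind_results(SAMPLE_LOG)))
```

Only results with tag 97 are paired, so a search result on the same connection (tag 101 in the sample) is never mistaken for a bind outcome. `method=128` is a simple bind and `163` a SASL bind; SASL bind lines in slapd's log carry extra `mech=` fields and are left unpaired by this parser rather than guessed at.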
Sync Replication via TLS/SSL - get bind err
by Chris G. Sellers
I have set up sync replication on two OpenLDAP servers. I have it
successfully working via ldap://:389
I then set up TLS for SSL connections. I used a self-signed cert
(using the OpenLDAP how-to) as well as a CA-signed cert from
cacert.org. I've set up the ca.crt in the ldap.conf file on both the
master and slave. I've also set up the ca.cert in the TLS for the
master server that the syncrepl host connects to.
I've tested the cert with a connection via ldap -Z and the -d debug option
and seen that the cert appears to be validated.
So, when I turn on ldaps:// for the syncrepl section of the slave
server and use port 389, I get a bind error
Dec 20 11:01:43 IdP slapd[11717]: do_syncrep1: rid 123
ldap_sasl_bind_s failed (-1)
Dec 20 11:01:43 IdP slapd[11717]: do_syncrepl: rid 123 quitting
which suggests that the connection could not be made on port 389 via
TLS. I can't figure out how to tell the repl connection to send a
certificate. Do I have to setup a user in LDAP with a cert? Do I
put a client cert into the syncrepl section of the slapd.conf file on
the slave? Please advise.
Thanks
Sellers
|----------------------------------------------------------------------|
Chris G. Sellers, MLS Lead Internet Engineer
National Institute for Technology & Liberal Education
535 West William Street, Ann Arbor, Michigan 48103
chris.sellers(a)nitle.org 734.661.2318
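A `syncrepl` directive mixes the transport, the bind identity and the TLS settings in one place, which makes it easy to end up with a combination that cannot work or that silently downgrades. The post describes an `ldaps://` provider on port 389; `ldaps://` expects TLS from the first byte, while port 389 normally serves plain LDAP and upgrades with StartTLS, so the two are usually paired as `ldaps://host:636` or as `ldap://host:389` with `starttls=critical`. The following Python is an added example (not part of the post or of OpenLDAP) that parses a directive as written in slapd.conf, continuation lines included, and reports that mismatch along with the other common ones: cleartext simple binds, non-critical StartTLS, disabled certificate checking, and half-configured client certificates. The defaults it assumes when a keyword is absent (`bindmethod=simple`, `tls_reqcert=demand`, no StartTLS) are stated in the code.

```python
import shlex
from typing import Dict, List
from urllib.parse import urlsplit


def parse_syncrepl(directive: str) -> Dict[str, str]:
    """Turn a (possibly multi-line) slapd.conf syncrepl directive into a keyword dict.

    Continuation lines start with whitespace in slapd.conf; quoted values such as
    searchbase="dc=example,dc=org" are handled by shlex.
    """
    joined = " ".join(line.strip() for line in directive.strip().splitlines())
    tokens = shlex.split(joined)
    if not tokens or tokens[0].lower() != "syncrepl":
        raise ValueError("not a syncrepl directive")
    opts: Dict[str, str] = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        opts[key.lower()] = value
    return opts


def lint_syncrepl(directive: str) -> List[str]:
    """Return a list of findings for the transport/TLS part of a syncrepl directive."""
    opts = parse_syncrepl(directive)
    url = urlsplit(opts.get("provider", ""))
    scheme = url.scheme.lower()
    # Assumed defaults when the keyword is absent: no StartTLS, simple bind,
    # and the libldap default of demanding a valid provider certificate.
    starttls = opts.get("starttls", "no").lower()
    bindmethod = opts.get("bindmethod", "simple").lower()
    reqcert = opts.get("tls_reqcert", "demand").lower()
    findings: List[str] = []

    if scheme == "ldaps" and url.port == 389:
        findings.append("provider uses ldaps:// on port 389: ldaps expects TLS from the first byte, "
                        "but 389 normally serves plain LDAP with StartTLS; use ldaps://host:636 "
                        "or ldap://host:389 with starttls=critical")
    if scheme == "ldaps" and "starttls" in opts:
        findings.append("starttls= has no effect on an ldaps:// provider")
    if scheme == "ldap" and starttls == "no" and bindmethod == "simple":
        findings.append("simple bind over ldap:// without starttls sends the replication "
                        "credentials in cleartext")
    if scheme == "ldap" and starttls == "yes":
        findings.append("starttls=yes falls back to cleartext if the TLS handshake fails; "
                        "prefer starttls=critical")
    if reqcert in ("never", "allow"):
        findings.append(f"tls_reqcert={reqcert} disables provider certificate verification")
    if ("tls_cert" in opts) != ("tls_key" in opts):
        findings.append("tls_cert and tls_key must be given together for client certificate "
                        "authentication")
    if bindmethod == "sasl" and opts.get("saslmech", "").upper() == "EXTERNAL" \
            and "tls_cert" not in opts:
        findings.append("SASL EXTERNAL needs a client certificate (tls_cert and tls_key)")
    return findings


# Constructed directive reproducing the combination described in the post.
POSTED_STYLE = """syncrepl rid=123
    provider=ldaps://ldap.example.org:389
    type=refreshAndPersist
    searchbase="dc=example,dc=org"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=org"
    credentials=secret
    tls_reqcert=never"""

# Constructed directive with the same bind over StartTLS on 389.
HARDENED = """syncrepl rid=123
    provider=ldap://ldap.example.org:389
    starttls=critical
    tls_cacert=/etc/openldap/cacerts/ca.crt
    type=refreshAndPersist
    searchbase="dc=example,dc=org"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=org"
    credentials=secret"""

if __name__ == "__main__":
    for name, text in (("posted style", POSTED_STYLE), ("hardened", HARDENED)):
        print(name, lint_syncrepl(text) or ["no findings"])
```

The last rule answers the post's question about sending a certificate in a general way: a client certificate is only used for authentication when the consumer binds with SASL EXTERNAL and supplies `tls_cert` and `tls_key`; with `bindmethod=simple`, TLS protects the channel and the `binddn`/`credentials` pair still does the authenticating.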
Re: Issue using ldapadd
by Gavin Henry
<quote who="Jonathan Wage">
> Here is my slapd.conf
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /private/etc/openldap/schema/core.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> pidfile /private/var/db/openldap/run/slapd.pid
> argsfile /private/var/db/openldap/run/slapd.args
>
> # Load dynamic backend modules:
> # modulepath /usr/libexec/openldap
> # moduleload back_bdb.la
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> # Sample security restrictions
> # Require integrity protection (prevent hijacking)
> # Require 112-bit (3DES or better) encryption for updates
> # Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> # Root DSE: allow anyone to read it
> # Subschema (sub)entry DSE: allow anyone to read it
> # Other DSEs:
> # Allow self write access
> # Allow authenticated users read access
> # Allow anonymous users to authenticate
> # Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> # by self write
> # by users read
> # by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn. (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # BDB database definitions
> #######################################################################
>
> database bdb
> suffix "dc=example,dc=com"
> rootdn "cn=Manager,dc=example,dc=com"
> # Cleartext passwords, especially for the rootdn, should
> # be avoid. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw secret
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory /private/var/db/openldap/openldap-data
> # Indices to maintain
> index objectClass eq
>
>
> Which logs are you referring to? The openldap log?
Start slapd by hand with -d -1
and then bind via ldapsearch.
Re: Issue using ldapadd
by Gavin Henry
<quote who="Jonathan Wage">
> Hmmm, that didn't help anything either:
Check your logs and also paste your slapd.conf
Thanks.
>
> dutchy:/usr/share/openldap jwage$ ldapadd -W -D
> cn=Manager,dc=example,dc=com
> -f example.ldif -x -H ldap://localhost
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> Tried this too:
>
> dutchy:/usr/share/openldap jwage$ ldapadd -W -D
> cn=Manager,dc=example,dc=com
> -f example.ldif -x -h 127.0.0.1 -p 389
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> I have to be overlooking something simple about my setup. I followed all
> the
> instructions in the quick start guide.
>
> - Jon
>
> On Dec 21, 2007 9:42 AM, Gavin Henry <ghenry(a)suretecsystems.com> wrote:
>
>> <quote who="Jonathan Wage">
>> > Using the following command:
>> >
>> > ldapadd -x -D "cn=Manager,dc=example,dc=com" -f example.ldif -w secret
>>
>> Make sure you are pointing to the correct directory server by specifying:
>>
>> -H ldap://server_ip
>>
>> and see "man ldapadd" or ldapadd -? for more info.
>>
>
>
>
> --
> Jonathan Wage
> http://www.jwage.com
> http://www.centresource.com
>
authz-regexp in slapd.conf
by Jyotishmaan Ray
Hi All,
For a user having the dn: uid=jmaan,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
and base=nits.ac.in,
is this ACL enough, or do I need to change this in my slapd.conf file?
# lenient auth-request DN to user-auth DN
authz-regexp
uid=([^,]*),dc=[^,]*,cn=auth
uid=$1,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in
Which way of mapping is the best: direct or search-based?
What can be the reason for unsuccessful LDAP authentication on my server machine when I try to log in using this uid (among others) through the console (GUI)? My LDAP server is running on Fedora 7.
With Thanks and Regards,
Jyotishmaan Ray
Moderator Of Paradise Groups
http://yahoogroups.com/group/Spirituality-Paradise
Are You Spiritually Aware !!! Are You Enjoying Yourself !!! See What All You Had Been Missing !!!!
Please Join Immediately By Sending A Blank Mail @
Spirituality-Paradise-subscribe(a)yahoogroups.com
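An `authz-regexp` rule is only ever applied to the authentication identity slapd builds for a SASL user, which has the form `uid=<username>[,cn=<realm>][,cn=<mechanism>],cn=auth`; a pattern that does not match that string maps nothing, and the bind then proceeds under the unmapped `cn=auth` identity, to which the ACLs usually grant nothing. The following Python is an added example, not part of the post or of OpenLDAP: it builds that identity for a given user and realm and applies rules offline the way slapd does, so a mapping can be checked before it goes into slapd.conf. Both rule shapes from the Admin Guide are covered: a direct replacement yielding a DN, and a search-based one yielding an `ldap:///<base>??<scope>?<filter>` URL. The helper compiles patterns case-insensitively; that, and the `re.search` (unanchored) matching, are this example's assumptions about slapd's behaviour.

```python
import re
from typing import List, Optional, Pattern, Tuple

Rule = Tuple[Pattern, str]


def sasl_auth_dn(username: str, realm: Optional[str] = None,
                 mech: Optional[str] = None) -> str:
    """The identity slapd derives for a SASL-authenticated user:
    uid=<username>[,cn=<realm>][,cn=<mechanism>],cn=auth"""
    parts = [f"uid={username}"]
    if realm:
        parts.append(f"cn={realm}")
    if mech:
        parts.append(f"cn={mech}")
    parts.append("cn=auth")
    return ",".join(parts)


def compile_authz_regexp(match: str, replace: str) -> Rule:
    """One authz-regexp <match> <replace> pair (case-insensitive: an assumption here)."""
    return re.compile(match, re.IGNORECASE), replace


def apply_authz_regexp(rules: List[Rule], auth_dn: str) -> Optional[str]:
    """Apply rules in order and return the first matching rule's expansion, or None.

    $1..$9 in the replacement are filled from the pattern's capture groups.
    """
    for pattern, replacement in rules:
        m = pattern.search(auth_dn)
        if m is None:
            continue

        def expand(ref, match=m, groups=pattern.groups):
            n = int(ref.group(1))
            return (match.group(n) or "") if 1 <= n <= groups else ""

        return re.sub(r"\$(\d)", expand, replacement)
    return None


def is_search_based(mapped: str) -> bool:
    """Direct mappings yield a DN; search-based ones yield an ldap:/// URL
    that slapd resolves with an internal search to exactly one entry."""
    return mapped.lower().startswith("ldap:///")


# Constructed rules in the style of the post: a direct mapping into the
# non-teach container, and a search-based one that finds the user anywhere
# under the base, which suits directories with several containers.
DIRECT = compile_authz_regexp(
    r"uid=([^,]*),cn=[^,]*,cn=auth",
    r"uid=$1,stornt=non-teach,bn=compcen,dc=nits,dc=ac,dc=in")
SEARCH = compile_authz_regexp(
    r"uid=([^,]*),cn=[^,]*,cn=auth",
    r"ldap:///dc=nits,dc=ac,dc=in??sub?(uid=$1)")

if __name__ == "__main__":
    identity = sasl_auth_dn("jmaan", "nits.ac.in")
    for rule in (DIRECT, SEARCH):
        mapped = apply_authz_regexp([rule], identity)
        kind = "search-based" if mapped and is_search_based(mapped) else "direct"
        print(f"{identity} -> {mapped} ({kind})")
```

Running the helper against `sasl_auth_dn("jmaan", "nits.ac.in")` shows whether a candidate pattern fires at all, which is the first thing to establish when a SASL login fails: a rule whose second RDN does not match the realm RDN of the constructed identity never produces a user DN, and the bind is left as `uid=jmaan,cn=nits.ac.in,cn=auth`.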