How do I tell ldapsearch to authenticate to the referred-to LDAP server when chasing a referral?
by Comisario, Alejandro
Hello everyone.
I have an OpenLDAP 2.3.30 running on Debian Etch Stable in a DMZ, managing
external users for an application.
But at the same time I want this OpenLDAP to communicate, when given a
specific DN, with another directory service on my internal network.
The connection between the two machines, passing through the firewall, is
correct.
The references are:
openLDAP machine : doldap.sc.com with domain dc=si,dc=com
the other directory : adldap.adsc.com with domain dc=adsc,dc=com
I defined the referral like this:
dn: ou=test,dc=adsc,dc=com
objectClass: referral
objectClass: extensibleObject
dc: prueba
ref: ldap://adldap.adsc.com/ou=test,dc=adsc,dc=com
So, when I query something like this (anonymously):
ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x
I get this response:
# extended LDIF
#
# LDAPv3
# base <ou=prueba,dc=adsc,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 10 Referral
ref: ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub
# numResponses: 1
So, apparently the referral for that query is found; next I tell ldapsearch
to follow it:
ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C
OpenLDAP tries to follow the referral and gets this response from the other
service:
# extended LDIF
#
# LDAPv3
# base <ou=prueba,dc=adsc,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this
operation a successful bind must be completed on the connection., data 0,
vece
# numResponses: 1
So, how do I tell ldapsearch to authenticate to the referred-to LDAP server
when chasing a referral?
Hope someone can help me.
Regards.
.A l e j a n d r o.
14 years, 11 months
multiple servers in DNS and TLS
by manu@netbsd.org
Hi
I hope this is not covered in a FAQ (I searched without success): how do
I configure clients to query multiple LDAP servers while using TLS?
Listing the servers in ldap.conf's URI works, but I'd prefer to have the
server list stored in DNS, as it would allow adding a server without the
need to change all clients' configuration.
Having a rotating DNS entry for ldap.example.net causes the TLS checks to
fail, and the OpenLDAP client library does not perform DNS SRV lookups.
Is there some kind of trick to get this done properly?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
14 years, 11 months
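One way to keep the server list in DNS while still getting per-host TLS checks is to render the ldap.conf URI line from the _ldap._tcp SRV records of the domain, in RFC 2782 order. The following is an added example (not OpenLDAP code, and not something the poster or the list supplied): the resolver is a callable so the program runs offline here against constructed records; a real deployment would plug in an actual DNS library for that callable.

```python
"""Render an ldap.conf 'URI' directive from DNS SRV records (RFC 2782 ordering).

Added example, not part of OpenLDAP. lookup_srv() takes any resolver
callable; fake_resolver() below returns constructed records so this runs
without network access.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def lookup_srv(name, resolver):
    """resolver(name) -> iterable of (priority, weight, port, target) tuples."""
    return [SRV(int(p), int(w), int(port), t.rstrip('.').lower())
            for p, w, port, t in resolver(name)]


def order_srv(records, pick=None):
    """RFC 2782 client ordering: ascending priority, weighted random inside a priority.

    pick(total) returns an integer in [0, total]; it is injectable so the
    ordering can be made deterministic for tests.
    """
    pick = pick or (lambda total: random.randint(0, total))
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            group.sort(key=lambda r: r.weight != 0)   # weight-0 records go first (RFC 2782)
            total = sum(r.weight for r in group)
            chosen = pick(total)
            running = 0
            for r in group:                           # first record whose running sum reaches the pick
                running += r.weight
                if running >= chosen:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def ldap_conf_uri(records, scheme='ldaps', pick=None):
    """One URI per server, space separated, as ldap.conf's URI directive expects."""
    uris = [f'{scheme}://{r.target}:{r.port}' for r in order_srv(records, pick)]
    return 'URI ' + ' '.join(uris)


def fake_resolver(name):
    """Constructed SRV answer for _ldap._tcp.example.net; stands in for a real DNS query."""
    if name != '_ldap._tcp.example.net':
        return []
    return [(10, 60, 636, 'ldap1.example.net.'),
            (10, 40, 636, 'ldap2.example.net.'),
            (20, 0, 636, 'ldap3.example.net.')]
```

Because every URI names the real server host, a client configured with TLS_REQCERT demand verifies each certificate against that host's own name, which is exactly the check a single rotating alias breaks (the other fix is to put the alias name into every server certificate as a subjectAltName).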
slapd slave becoming a master
by Maria McKinley
Are there instructions (yes, I did look, didn't find, and want to make
sure I didn't overlook) on how to convert a slave slapd created with
slurpd to a master? I.e., if something catastrophic happens to the
server the master is on, is there a quick guide to converting a slave
to be the new master?
thanks,
maria
14 years, 11 months
ACL Assistance Requested
by Joshua M. Miller
I'm attempting to grant permission to a user account object in my
OpenLDAP directory to write to an OU and I can't yet figure out the
proper ACL to use. If I grant write access to everybody on everything
it works, but with the following configuration it does not.
I'm using OpenLDAP 2.3.34 on CentOS 4.5.
I'm using the following ACLs:
access to attrs=userPassword
by dn.exact="uid=replicator,ou=People,dc=example,dc=org" read
by dn.exact="cn=Manager,dc=example,dc=org" write
by self write
by anonymous auth
by * none
access to dn="ou=printers,dc=example,dc=org"
by dn.exact="uid=cupsd,ou=people,dc=example,dc=org" write
by dn.exact="cn=manager,dc=example,dc=org" write
by * read
access to *
by dn.exact="uid=replicator,ou=People,dc=example,dc=org" read
by self write
by * read
I'm trying to give write permission to the cupsd object:
uid=cupsd,ou=people,dc=example,dc=org
I can authenticate using ldapsearch, but I'm unable to add any objects
to this OU (confirming read, authenticated access), getting the
following results:
$ ldapadd -x -H ldaps://ldap-server.example.org -f add-printer.ldif -D
"uid=cupsd,ou=people,dc=example,dc=org" -W
Enter LDAP Password:
adding new entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
ldap_add: Insufficient access (50)
additional info: no write access to entry
A verbose log indicates the following:
conn=2 op=3 MOD dn="cn=<printer IP>,ou=printers,dc=example,dc=org"
conn=2 op=3 MOD attr=cn printerDescription printerURI printerLocation
printerMakeAndModel printerType objectClass
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
=> bdb_entry_get ndn "cn=<printer IP>,ou=printers,dc=example,dc=org"
=> bdb_entry_get oc "(null)", at "(null)"
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
=> bdb_entry_get found entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
bdb_entry_get rc=0
=> bdb_entry_get ndn "cn=default,ou=policies,dc=example,dc=org"
=> bdb_entry_get oc "(null)", at "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=example,dc=org")
=> bdb_entry_get found entry "cn=default,ou=policies,dc=example,dc=org"
bdb_entry_get rc=0
=> bdb_entry_get ndn "cn=<printer IP>,ou=printers,dc=example,dc=org"
=> bdb_entry_get oc "(null)", at "(null)"
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
=> bdb_entry_get found entry "cn=<printer IP>,ou=printers,dc=example,dc=org"
bdb_entry_get rc=0
bdb_modify cn=<printer IP>,ou=printers,dc=example,dc=org
bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org")
bdb_modify_internal 0x00000096 cn=<printer IP>,ou=printers,dc=example,dc=org
=> access_allowed delete access to "cn=<printer IP>,ou=printers,dc=example,dc=org" "cn" requested
=> dn [2] ou=printers,dc=example,dc=org
=> acl_get [3] attr cn
access_allowed no res from state (cn)
=> acl_mask access to entry "cn=<printer IP>,ou=printers,dc=example,dc=org", attr "cn" requested
=> acl_mask to all values by "uid=cupsd,ou=people,dc=example,dc=org", (=0)
<= check a_dn_pat uid=replicator,ou=people,dc=example,dc=org
<= check a_dn_pat self
<= check a_dn_pat *
<= acl_mask [3] applying read(=rscxd) (stop)
<= acl_mask [3] mask read(=rscxd)
=> access_allowed delete access denied by read(=rscxd)
bdb_modify modify failed (50)
So it looks like a read ACL is preventing the write. What would be the
proper way to write the ACLs for this task?
TIA,
--
Joshua M. Miller - RHCE,VCP
14 years, 11 months
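The trace above shows slapd selecting directive [3] ("access to *") for the printer entry: the "access to dn=..." directive names the OU itself, and a dn target with no style is matched exactly, so entries below ou=printers fall through to the catch-all, whose "by * read" is what denies the write. The following is an added example, not slapd's code and not from the thread: a small model of the rule that the first matching "access to" directive wins and only its "by" clauses are consulted, run over the three directives from the post and over a variant whose printers target uses dn.subtree. The entry DN cn=10.0.0.7,... is constructed.

```python
"""Simplified model of how slapd picks an ACL (slapd.access(5)).

Added example, not slapd's code. It models only the rules that matter for
the trace above: directives are tried in order; the first 'access to' whose
target matches the entry and attribute is the only one consulted; within it
the first matching 'by' clause decides, and if none matches the result is
'none'. DN targets are modelled for the exact/one/children/subtree styles.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']


def norm_dn(dn):
    """Case-fold and split a DN into RDNs (a loose stand-in for slapd's normalization)."""
    return [rdn.strip().lower() for rdn in dn.split(',')] if dn else []


@dataclass
class By:
    who: str      # '*', 'anonymous', 'users', 'self' or 'dn.exact=<dn>'
    level: str    # one of LEVELS


@dataclass
class Access:
    by: List[By]
    dn_pattern: Optional[str] = None   # None means 'access to *'
    dn_style: str = 'exact'            # what a bare dn="..." target gets
    attrs: Optional[Set[str]] = None   # lower-case attribute names, None = any


def dn_matches(pattern, style, dn):
    p, d = norm_dn(pattern), norm_dn(dn)
    if style == 'exact':
        return d == p
    if style == 'one':                 # direct children only
        return d[1:] == p
    in_subtree = len(d) >= len(p) and d[len(d) - len(p):] == p
    if style == 'subtree':             # the entry itself and everything below it
        return in_subtree
    if style == 'children':            # everything below, not the entry itself
        return in_subtree and d != p
    raise ValueError(f'unsupported dn style {style!r}')


def who_matches(who, requestor, entry_dn):
    if who == '*':
        return True
    if who == 'anonymous':
        return requestor == ''
    if who == 'users':
        return requestor != ''
    if who == 'self':
        return requestor != '' and norm_dn(requestor) == norm_dn(entry_dn)
    if who.startswith('dn.exact='):
        return norm_dn(requestor) == norm_dn(who[len('dn.exact='):])
    raise ValueError(f'unsupported by clause {who!r}')


def resolve(acls, entry_dn, attr, requestor):
    """Return (directive index, level), the way acl_get/acl_mask report it in the trace."""
    for idx, acl in enumerate(acls, start=1):
        if acl.dn_pattern is not None and not dn_matches(acl.dn_pattern, acl.dn_style, entry_dn):
            continue
        if acl.attrs is not None and attr.lower() not in acl.attrs:
            continue
        for by in acl.by:
            if who_matches(by.who, requestor, entry_dn):
                return idx, by.level
        return idx, 'none'             # directive matched, no 'by' did: implicit 'by * none'
    return 0, 'none'                   # simplification: no directive matched at all


def is_allowed(acls, entry_dn, attr, requestor, needed):
    _, level = resolve(acls, entry_dn, attr, requestor)
    return LEVELS.index(level) >= LEVELS.index(needed)


# The three directives from the post, in the order given there.
CUPSD = 'uid=cupsd,ou=people,dc=example,dc=org'
REPLICATOR = 'uid=replicator,ou=People,dc=example,dc=org'
MANAGER = 'cn=Manager,dc=example,dc=org'
PRINTERS = 'ou=printers,dc=example,dc=org'

POSTED = [
    Access(attrs={'userpassword'}, by=[
        By(f'dn.exact={REPLICATOR}', 'read'), By(f'dn.exact={MANAGER}', 'write'),
        By('self', 'write'), By('anonymous', 'auth'), By('*', 'none')]),
    Access(dn_pattern=PRINTERS, dn_style='exact', by=[
        By(f'dn.exact={CUPSD}', 'write'), By(f'dn.exact={MANAGER}', 'write'), By('*', 'read')]),
    Access(by=[By(f'dn.exact={REPLICATOR}', 'read'), By('self', 'write'), By('*', 'read')]),
]

# Same directives, but the printers target now covers the OU and the entries under it.
FIXED = [POSTED[0], Access(dn_pattern=PRINTERS, dn_style='subtree', by=POSTED[1].by), POSTED[2]]

PRINTER = 'cn=10.0.0.7,ou=printers,dc=example,dc=org'   # constructed entry DN
```

The model keeps the ordering discipline that matters for least privilege: the specific directive stays ahead of "access to *", anonymous users keep read-only access to the printers subtree, and the userPassword rule is untouched.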
parsing logs, trace replay
by Kelly, Terence P
Hi,
Question 1:
Is there any documentation available on the OpenLDAP access log format? I
wasn't able to find any via Google or on the OpenLDAP Web site.
I looked at how ldap-stats.pl version 5.2 parses logs but I see
discrepancies between the operation counts returned by ldap-stats and
counts obtained by independent means (e.g., simple AWK scripts), so I'm
not very confident that it's doing the right thing.
I can try to reverse-engineer the log format but if there's good
documentation and/or a good parser out there I'd prefer that.
Question 2:
My goal is to replay traces of accesses to an LDAP server to a replica of
the server itself. I want the exercise to be reasonably realistic, e.g.,
I want to achieve the same throughputs and level of concurrency as the
real server. At the moment I'm planning to write my own trace-replay
tool.
I have investigated two trace-replay tools: dupetrace.pl and slamd. The
former passes the buck to a shell utility which probably won't achieve
the performance I need; the latter seems formidably difficult to set up
and use.
Are you aware of any LDAP trace replay tools that are as capable yet as
simple as httperf?
Many thanks for any pointers you can provide!
-- Terence
14 years, 11 months
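The slapd "stats" log level (256) writes one request line and one result line per operation, both tagged with conn= and op=; an operation counter that does not join the two lines on that key double-counts, which is the kind of discrepancy described above. The following parser is an added example, not from the thread and not ldap-stats.pl; the log lines it runs on are constructed in that layout, and the summary it produces (operations by type, failed binds with their DN and error code) is also what a detection job would key on.

```python
"""Parse slapd 'stats' log lines (loglevel 256) into per-operation records.

Added example, not from the thread or OpenLDAP. Request lines
(BIND/SRCH/ADD/...) and RESULT lines share conn= and op=, so records are
keyed on (conn, op) and only request lines are counted. SAMPLE_LOG holds
constructed lines in the usual slapd layout.
"""
import re
from collections import Counter

LINE_RE = re.compile(r'conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)')
REQ_RE = re.compile(r'^(?P<type>BIND|SRCH|ADD|MOD|MODRDN|DEL|CMP|EXT|ABANDON|UNBIND)\b(?P<args>.*)')
RESULT_RE = re.compile(r'^(?:SEARCH )?RESULT .*?err=(?P<err>\d+)')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key="quoted value" or key=bare

SAMPLE_LOG = """\
Jul 17 15:08:01 doldap slapd[2201]: conn=2 fd=12 ACCEPT from IP=10.0.0.5:41022 (IP=0.0.0.0:389)
Jul 17 15:08:01 doldap slapd[2201]: conn=2 op=0 BIND dn="uid=cupsd,ou=people,dc=example,dc=org" method=128
Jul 17 15:08:01 doldap slapd[2201]: conn=2 op=0 RESULT tag=97 err=0 text=
Jul 17 15:08:01 doldap slapd[2201]: conn=2 op=1 SRCH base="ou=printers,dc=example,dc=org" scope=2 deref=0 filter="(objectClass=*)"
Jul 17 15:08:01 doldap slapd[2201]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=3 text=
Jul 17 15:08:02 doldap slapd[2201]: conn=2 op=2 ADD dn="cn=printer1,ou=printers,dc=example,dc=org"
Jul 17 15:08:02 doldap slapd[2201]: conn=2 op=2 RESULT tag=105 err=50 text=no write access to entry
Jul 17 15:08:02 doldap slapd[2201]: conn=2 op=3 UNBIND
Jul 17 15:08:02 doldap slapd[2201]: conn=2 fd=12 closed
Jul 17 15:08:05 doldap slapd[2201]: conn=3 fd=13 ACCEPT from IP=10.0.0.9:50110 (IP=0.0.0.0:389)
Jul 17 15:08:05 doldap slapd[2201]: conn=3 op=0 BIND dn="cn=admin,cn=users,dc=adsc,dc=com" method=128
Jul 17 15:08:05 doldap slapd[2201]: conn=3 op=0 RESULT tag=97 err=49 text=
Jul 17 15:08:05 doldap slapd[2201]: conn=3 fd=13 closed
"""


def parse_line(line):
    """Classify one log line as a request, a result or a connection event."""
    m = LINE_RE.search(line)          # search: the syslog prefix precedes conn=
    if not m:
        return None
    rec = {'conn': int(m.group('conn')),
           'op': int(m.group('op')) if m.group('op') is not None else None}
    rest = m.group('rest')
    r = RESULT_RE.match(rest)
    if r:
        rec.update(kind='result', err=int(r.group('err')))
        return rec
    q = REQ_RE.match(rest)
    if q:
        args = {k: (inner if quoted.startswith('"') else quoted)
                for k, quoted, inner in KV_RE.findall(q.group('args'))}
        rec.update(kind='request', type=q.group('type'), args=args)
        return rec
    rec.update(kind='conn',
               event='ACCEPT' if 'ACCEPT' in rest else 'closed' if 'closed' in rest else 'other')
    return rec


def summarize(lines):
    """Join request and result lines per (conn, op); count operations and failed binds."""
    ops, conns = {}, set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        conns.add(rec['conn'])
        if rec['kind'] == 'conn':
            continue
        entry = ops.setdefault((rec['conn'], rec['op']), {})
        if rec['kind'] == 'request':
            entry.update(type=rec['type'], args=rec['args'])
        else:
            entry['err'] = rec['err']
    by_type = Counter(o['type'] for o in ops.values() if 'type' in o)
    failed_binds = [(conn, o['args'].get('dn', ''), o['err'])
                    for (conn, _), o in ops.items()
                    if o.get('type') == 'BIND' and o.get('err', 0) != 0]
    return {'connections': len(conns),
            'ops_by_type': dict(by_type),
            'failed_binds': failed_binds}
```

For trace replay the same (conn, op) records carry the base, scope and filter of each search, so they can be re-issued in the original order; the timestamps in the syslog prefix give the inter-arrival times.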
RE: How do I tell ldapsearch to authenticate to the referred-to LDAP server when chasing a referral?
by Gavin Henry
<quote who="Comisario, Alejandro">
> OK!!! My boss is calling me!
> Let me finish some work and I'll post you the debug!!!
> For now, MANY MANY THANKS FOR YOUR HELP!!!
Stop shouting and please CC openldap-software(a)openldap.org !!! ;-)
Gavin.
>
> --
> Alejandro D. Comisario
> Sistemas Catastrales S.A.
> Depto. Tecnología y Seguridad Informática
> (5411) 4326.4002 int. 273
> Buenos Aires, Argentina
> acomisario(a)siscat.com.ar
>
>
> -----Original Message-----
> From: Gavin Henry [mailto:ghenry@suretecsystems.com]
> Sent: Tuesday, 17 July 2007 15:15
> To: Comisario, Alejandro
> CC: openldap-software(a)openldap.org
> Subject: RE: How do I tell ldapsearch to authenticate to the referred-to
> LDAP server when chasing a referral?
>
> <quote who="Comisario, Alejandro">
>> YES!
>> It is; if I query the AD directly, it works.
>>
>> ldapsearch -b "ou=prueba,dc=adsc,dc=com" -H ldap://adldap.adsc.com -D
>> "cn=admin,cn=users,dc=adsc,dc=com" -W
>>
>> WORKS!!!
>> But the referral doesn't.
>
> Try my verbose logging and paste in your reply
>
>>
>> --
>> Alejandro D. Comisario
>> Sistemas Catastrales S.A.
>> Depto. Tecnología y Seguridad Informática
>> (5411) 4326.4002 int. 273
>> Buenos Aires, Argentina
>> acomisario(a)siscat.com.ar
>>
>>
>> -----Original Message-----
>> From: Gavin Henry [mailto:ghenry@suretecsystems.com]
>> Sent: Tuesday, 17 July 2007 15:08
>> To: Comisario, Alejandro
>> CC: openldap-software(a)openldap.org
>> Subject: RE: How do I tell ldapsearch to authenticate to the referred-to
>> LDAP server when chasing a referral?
>>
>> <quote who="Comisario, Alejandro">
>>> Gavin.
>>> Thanks for the answer. The thing is, and I couldn't say it before, on the
>>> other side of the OpenLDAP is an Active Directory; when I try what you
>>> say, it gives me:
>>>
>>> doldap@root # ldapsearch -b "ou=prueba,dc=adsc,dc=com" \
>>> -H ldap://doldap.sc.com -D "cn=admin,cn=users,dc=adsc,dc=com" -W -x
>>> Enter LDAP Password:
>>> ldap_bind: Invalid credentials (49)
>>>
>>>
>>> Any Ideas?
>>
>> Is cn=admin,cn=users,dc=adsc,dc=com in AD?
>>
>> Gavin.
>>
>>>
>>>
>>> -----Original Message-----
>>> From: Gavin Henry [mailto:ghenry@suretecsystems.com]
>>> Sent: Tuesday, 17 July 2007 13:59
>>> To: Comisario, Alejandro
>>> CC: openldap-software(a)openldap.org
>>> Subject: Re: How do I tell ldapsearch to authenticate to the referred-to
>>> LDAP server when chasing a referral?
>>>
>>> <quote who="Comisario, Alejandro">
>>>> Hello everyone.
>>>>
>>>> I have an OpenLDAP 2.3.30 running on Debian Etch Stable in a DMZ,
>>>> managing
>>>> external users for an application.
>>>> But at the same time I want this OpenLDAP to communicate, when given
>>>> a
>>>> specific DN, with another directory service on my internal network.
>>>> The connection between the two machines, passing through the firewall, is
>>>> correct.
>>>>
>>>> The references are:
>>>> openLDAP machine : doldap.sc.com with domain dc=si,dc=com
>>>> the other directory : adldap.adsc.com with domain dc=adsc,dc=com
>>>>
>>>> I defined the referral like this:
>>>> dn: ou=test,dc=adsc,dc=com
>>>> objectClass: referral
>>>> objectClass: extensibleObject
>>>> dc: prueba
>>>> ref: ldap://adldap.adsc.com/ou=test,dc=adsc,dc=com
>>>>
>>>> So, when I query something like this (anonymously):
>>>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x
>>>>
>>>> I get this response:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <ou=prueba,dc=adsc,dc=com> with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 10 Referral
>>>> ref: ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub
>>>>
>>>> # numResponses: 1
>>>>
>>>> So, apparently the referral for that query is found; next I tell
>>>> ldapsearch to follow it:
>>>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C
>>>>
>>>> OpenLDAP tries to follow the referral and gets this response from the
>>>> other service:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <ou=prueba,dc=adsc,dc=com> with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 1 Operations error
>>>> text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform
>>>> this
>>>> operation a successful bind must be completed on the connection., data
>>>> 0,
>>>> vece
>>>>
>>>> # numResponses: 1
>>>>
>>>> So, how do I tell ldapsearch to authenticate to the referred-to LDAP
>>>> server when chasing a referral?
>>>> Hope someone can help me.
>>>
>>> You need to actually bind as a user, e.g.:
>>>
>>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C -D
>>> "uid=blah,dc=adsc,dc=com" -W
>>>
>>> Gavin.
>>>
>>>>
>>>> Regards.
>>>>
>>>> .A l e j a n d r o.
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
14 years, 11 months
RE: How do I tell ldapsearch to authenticate to the referred-to LDAP server when chasing a referral?
by Gavin Henry
<quote who="Comisario, Alejandro">
> YES!
> It is; if I query the AD directly, it works.
>
> ldapsearch -b "ou=prueba,dc=adsc,dc=com" -H ldap://adldap.adsc.com -D
> "cn=admin,cn=users,dc=adsc,dc=com" -W
>
> WORKS!!!
> But the referral doesn't.
Try my verbose logging and paste in your reply
>
> --
> Alejandro D. Comisario
> Sistemas Catastrales S.A.
> Depto. Tecnología y Seguridad Informática
> (5411) 4326.4002 int. 273
> Buenos Aires, Argentina
> acomisario(a)siscat.com.ar
>
>
> -----Original Message-----
> From: Gavin Henry [mailto:ghenry@suretecsystems.com]
> Sent: Tuesday, 17 July 2007 15:08
> To: Comisario, Alejandro
> CC: openldap-software(a)openldap.org
> Subject: RE: How do I tell ldapsearch to authenticate to the referred-to
> LDAP server when chasing a referral?
>
> <quote who="Comisario, Alejandro">
>> Gavin.
>> Thanks for the answer. The thing is, and I couldn't say it before, on the
>> other side of the OpenLDAP is an Active Directory; when I try what you
>> say, it gives me:
>>
>> doldap@root # ldapsearch -b "ou=prueba,dc=adsc,dc=com" \
>> -H ldap://doldap.sc.com -D "cn=admin,cn=users,dc=adsc,dc=com" -W -x
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>>
>>
>> Any Ideas?
>
> Is cn=admin,cn=users,dc=adsc,dc=com in AD?
>
> Gavin.
>
>>
>>
>> -----Original Message-----
>> From: Gavin Henry [mailto:ghenry@suretecsystems.com]
>> Sent: Tuesday, 17 July 2007 13:59
>> To: Comisario, Alejandro
>> CC: openldap-software(a)openldap.org
>> Subject: Re: How do I tell ldapsearch to authenticate to the referred-to
>> LDAP server when chasing a referral?
>>
>> <quote who="Comisario, Alejandro">
>>> Hello everyone.
>>>
>>> I have an OpenLDAP 2.3.30 running on Debian Etch Stable in a DMZ,
>>> managing
>>> external users for an application.
>>> But at the same time I want this OpenLDAP to communicate, when given
>>> a
>>> specific DN, with another directory service on my internal network.
>>> The connection between the two machines, passing through the firewall, is
>>> correct.
>>>
>>> The references are:
>>> openLDAP machine : doldap.sc.com with domain dc=si,dc=com
>>> the other directory : adldap.adsc.com with domain dc=adsc,dc=com
>>>
>>> I defined the referral like this:
>>> dn: ou=test,dc=adsc,dc=com
>>> objectClass: referral
>>> objectClass: extensibleObject
>>> dc: prueba
>>> ref: ldap://adldap.adsc.com/ou=test,dc=adsc,dc=com
>>>
>>> So, when I query something like this (anonymously):
>>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x
>>>
>>> I get this response:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <ou=prueba,dc=adsc,dc=com> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 10 Referral
>>> ref: ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub
>>>
>>> # numResponses: 1
>>>
>>> So, apparently the referral for that query is found; next I tell
>>> ldapsearch to follow it:
>>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C
>>>
>>> OpenLDAP tries to follow the referral and gets this response from the
>>> other service:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <ou=prueba,dc=adsc,dc=com> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 1 Operations error
>>> text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform
>>> this
>>> operation a successful bind must be completed on the connection., data
>>> 0,
>>> vece
>>>
>>> # numResponses: 1
>>>
>>> So, how do I tell ldapsearch to authenticate to the referred-to LDAP
>>> server when chasing a referral?
>>> Hope someone can help me.
>>
>> You need to actually bind as a user, e.g.:
>>
>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C -D
>> "uid=blah,dc=adsc,dc=com" -W
>>
>> Gavin.
>>
>>>
>>> Regards.
>>>
>>> .A l e j a n d r o.
>>>
>>>
>>>
>>>
>>
>
14 years, 11 months
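The AD error in this thread ("a successful bind must be completed on the connection") is what a referral chase looks like when the new connection to the referred-to server is opened anonymously, which is how the libldap command-line tools chase with -C, and binding as an AD user against the OpenLDAP front end fails with code 49 because that DN does not exist there. A client that needs credentials on the second hop has to do the chase itself. The following is an added example, not OpenLDAP code and not from anyone in the thread: it parses the referral URL (RFC 4516), binds to the referred-to host with credentials chosen for that host, and refuses to send a bind to any host outside an allowlist, so a referral cannot steer credentials to a server the operator never chose. The two directories are constructed in-memory fakes so the code runs offline; a real client would turn off automatic chasing in its LDAP library and use real connections in place of FakeConn (assumed, not shown).

```python
"""Chase an LDAP referral with an explicit, per-host bind on the referred-to server.

Added example, not OpenLDAP code. FakeServer/FakeConn stand in for the two
directories in the thread (front end doldap.sc.com, AD adldap.adsc.com) so
the flow runs without a network; only the client logic is the point.
"""
from urllib.parse import urlsplit, unquote


class Referral(Exception):            # result code 10: the server answered with URLs
    def __init__(self, urls):
        super().__init__(urls)
        self.urls = urls


class OperationsError(Exception):     # result code 1, as AD reports an unbound search
    pass


class InvalidCredentials(Exception):  # result code 49
    pass


def parse_ldap_url(url):
    """Split an RFC 4516 URL: scheme://host[:port]/dn?attrs?scope?filter (extensions ignored)."""
    u = urlsplit(url)
    if u.scheme not in ('ldap', 'ldaps') or not u.hostname:
        raise ValueError(f'not an LDAP URL: {url!r}')
    fields = (u.query.split('?', 2) if u.query else []) + ['', '', '']
    return {'scheme': u.scheme,
            'host': u.hostname.lower(),
            'port': u.port or (636 if u.scheme == 'ldaps' else 389),
            'dn': unquote(u.path[1:]),
            'scope': fields[1],                     # '' when the URL does not say
            'filter': unquote(fields[2]) or '(objectClass=*)'}


class FakeServer:
    """Constructed stand-in for a directory server."""
    def __init__(self, entries, referrals=None, users=None, require_bind=False):
        self.entries = entries                   # DNs this server holds
        self.referrals = referrals or {}         # base DN suffix -> referral URL
        self.users = users or {}                 # bind DN -> password
        self.require_bind = require_bind         # AD-like: no anonymous searches


class FakeConn:
    def __init__(self, server):
        self.server, self.bound_as = server, None

    def simple_bind(self, dn=None, password=None):
        if dn is None:                           # anonymous bind
            self.bound_as = None
            return
        if self.server.users.get(dn) != password:
            raise InvalidCredentials(dn)
        self.bound_as = dn

    def search(self, base, scope='sub'):
        for suffix, url in self.server.referrals.items():
            if base.lower().endswith(suffix.lower()):
                raise Referral([url])
        if self.server.require_bind and self.bound_as is None:
            raise OperationsError('a successful bind must be completed on the connection')
        return sorted(dn for dn in self.server.entries if dn.lower().endswith(base.lower()))


def authenticated_search(connect, url, creds, allowed_hosts, max_hops=5):
    """Run the search in url, chasing referrals with per-host credentials.

    connect(host, port) returns a connection with simple_bind()/search().
    creds maps host -> (bind_dn, password); unlisted hosts are searched
    anonymously. allowed_hosts bounds where a bind may be sent at all.
    """
    target, hops = parse_ldap_url(url), 0
    while True:
        host = target['host']
        if host not in allowed_hosts:
            raise PermissionError(f'refusing referral to unlisted host {host}')
        conn = connect(host, target['port'])
        conn.simple_bind(*creds.get(host, (None, None)))
        try:
            return host, conn.search(target['dn'], target['scope'] or 'sub')
        except Referral as ref:
            hops += 1
            if hops > max_hops:
                raise RuntimeError('too many referral hops') from ref
            nxt = parse_ldap_url(ref.urls[0])
            nxt['dn'] = nxt['dn'] or target['dn']        # RFC 4511: an empty DN keeps the original
            nxt['scope'] = nxt['scope'] or target['scope']
            target = nxt


# Constructed topology mirroring the thread: a front end that refers
# ou=prueba,dc=adsc,dc=com to an AD that refuses anonymous searches.
FRONT = FakeServer(entries=['uid=ext1,ou=users,dc=si,dc=com'],
                   referrals={'ou=prueba,dc=adsc,dc=com':
                              'ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub'})
AD = FakeServer(entries=['cn=alice,ou=prueba,dc=adsc,dc=com', 'cn=bob,ou=prueba,dc=adsc,dc=com'],
                users={'cn=admin,cn=users,dc=adsc,dc=com': 'constructed-password'},
                require_bind=True)
SERVERS = {'doldap.sc.com': FRONT, 'adldap.adsc.com': AD}


def connect(host, port):
    return FakeConn(SERVERS[host])


ALLOWED = {'doldap.sc.com', 'adldap.adsc.com'}
CREDS = {'adldap.adsc.com': ('cn=admin,cn=users,dc=adsc,dc=com', 'constructed-password')}
QUERY = 'ldap://doldap.sc.com/ou=prueba,dc=adsc,dc=com??sub'


def fails_with(exc_type, fn, *args):
    """True if fn(*args) raises exc_type; used to show the two failure modes."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False
```

Running authenticated_search(connect, QUERY, CREDS, ALLOWED) binds anonymously to the front end, receives the referral, binds as the AD account on adldap.adsc.com and returns the two entries; the same call with an empty creds map reproduces the thread's operations error, and with adldap.adsc.com removed from the allowlist it stops before any bind is sent there.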