July 2007 - openldap-software

How do I tell ldapsearch to authenticate to the referred to LDAP server when chasing a referral?

by Comisario, Alejandro

Hello everyone. I have an OpenLDAP 2.3.30 running on Debian Etch Stable in a DMZ, managing external users for an application. But at the same time i want this openLDAP to comunicate when given for a specific DN with another directory service on my internal network. The connection between the two machines passing thru the firewall is correct. The reference are: openLDAP machine : doldap.sc.com with domain dc=si,dc=com the other directory : adldap.adsc.com with domain dc=adsc,dc=com I defined the referral like this: dn: ou=test,dc=adsc,dc=com objectClass: referral objectClass: extensibleObject dc: prueba ref: ldap://adldap.adsc.com/ou=test,dc=adsc,dc=com So, when i query something like this (anonymous): ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x I get this response: # extended LDIF # # LDAPv3 # base <ou=prueba,dc=adsc,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 10 Referral ref: ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub # numResponses: 1 So, apparently the referral for that query is found, next i tell ldapsearch to follow it: ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C The openLDAP try to follow the referral and get this response from the other service: # extended LDIF # # LDAPv3 # base <ou=prueba,dc=adsc,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 1 Operations error text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece # numResponses: 1 So, How do I tell ldapsearch to authenticate to the referred to LDAP server when chasing a referral? Hope someone can helpme. Regards. .A l e j a n d r o.

14 years, 6 months

4
5
0 / 0

multiple servers in DNS and TLS

by manu＠netbsd.org

Hi I hope this is not covered in a FAQ (I searched without success): how do I configure clients to query multiple LDAP servers while using TLS? Listing the servers in ldap.conf's URI works, but I'd prefer to have the server list stored in DNS, as it would allow adding a server without the need to change all clients configuration. Having a rotative DNS for ldap.example.net cause the TLS checks to fail. And OpenLDAP client library does not perform DNS SRV lookups. Is there some kind of trick to get this done properly? -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

14 years, 6 months

5
9
0 / 0

LDAP Convention 2007

by Dieter Kluenter

Hello, this years LDAPcon is beeing helt at Cologne, Germany. You are all invited to attend this Convention. http://www.guug.de/veranstaltungen/ldapcon2007/ The registration is now open. -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

14 years, 6 months

1
0
0 / 0

slapd slave becoming a master

by Maria McKinley

Are there instructions (yes, I did look, didn't find, and want to make sure I didn't overlook) on how to convert a slave slapd created with slurpd to a master. Ie, if something catastrophic happens to the server the master is on, is there a quick guide to converting a slave to be the new master? thanks, maria

14 years, 6 months

2
1
0 / 0

Access to Schema

by Ron Parker

Now that I can log in as a user: How do I give a user access to schema? This is what I'm trying now (but not working): access to dn.subtree="cn=schema,dc=example,dc=com" by dn="cn=Ron,ou=Zimbra,dc=example,dc=com" read What am I missing? Thanks! -ron -- Ron Parker Software Creations http://www.scbbs.com Self-Administration Web Site http://saw.scbbs.com SDSS Subscription Mgmt Service http://sdss.scbbs.com Central Ave Dance Ensemble http://www.centralavedance.com R & B Salsa http://www.randbsalsa.com

14 years, 6 months

3
5
0 / 0

TLS and CRL

by manu＠netbsd.org

Hello Another dumb question: -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

14 years, 6 months

1
1
0 / 0

ACL Assistance Requested

by Joshua M. Miller

I'm attempting to grant permission to a user account object in my OpenLDAP directory to write to an OU and I can't yet figure out the proper ACL to use. If I grant write access to everybody on everything it works, but with the following configuration it does not. I'm using OpenLDAP 2.3.34 on CentOS 4.5. I'm using the following ACLs: access to attrs=userPassword by dn.exact="uid=replicator,ou=People,dc=example,dc=org" read by dn.exact="cn=Manager,dc=example,dc=org" write by self write by anonymous auth by * none access to dn="ou=printers,dc=example,dc=org" by dn.exact="uid=cupsd,ou=people,dc=example,dc=org" write by dn.exact="cn=manager,dc=example,dc=org" write by * read access to * by dn.exact="uid=replicator,ou=People,dc=example,dc=org" read by self write by * read I'm trying to give write permission to the cupsd object: uid=cupsd,ou=people,dc=example,dc=org I can authenticate using ldapsearch, but I'm unable to add any objects to this OU (confirming read, authenticated access), getting the following results: $ ldapadd -x -H ldaps://ldap-server.example.org -f add-printer.ldif -D "uid=cupsd,ou=people,dc=example,dc=org" -W Enter LDAP Password: adding new entry "cn=<printer IP>,ou=printers,dc=example,dc=org" ldap_add: Insufficient access (50) additional info: no write access to entry A verbose log indicates the following: conn=2 op=3 MOD dn="cn=<printer IP>,ou=printers,dc=example,dc=org" conn=2 op=3 MOD attr=cn printerDescription printerURI printerLocation printerMakeAndModel printerType objectClass bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org") => bdb_entry_get ndn "cn=<printer IP>,ou=printers,dc=example,dc=org" => bdb_entry_get oc "(null)", at "(null)" bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org") => bdb_entry_get found entry "cn=<printer IP>,ou=printers,dc=example,dc=org" bdb_entry_get rc=0 => bdb_entry_get ndn "cn=default,ou=policies,dc=example,dc=org" => bdb_entry_get oc "(null)", at "(null)" bdb_dn2entry("cn=default,ou=policies,dc=example,dc=org") => bdb_entry_get found entry "cn=default,ou=policies,dc=example,dc=org" bdb_entry_get rc=0 => bdb_entry_get ndn "cn=<printer IP>,ou=printers,dc=example,dc=org" => bdb_entry_get oc "(null)", at "(null)" bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org") => bdb_entry_get found entry "cn=<printer IP>,ou=printers,dc=example,dc=org" bdb_entry_get rc=0 bdb_modify cn=<printer IP>,ou=printers,dc=example,dc=org bdb_dn2entry("cn=<printer IP>,ou=printers,dc=example,dc=org") bdb_modify_internal 0x00000096 cn=<printer IP>,ou=printers,dc=example,dc=org => access_allowed delete access to "cn=<printer IP>,ou=printers,dc=example,dc=org" "cn" requested => dn [2] ou=printers,dc=example,dc=org => acl_get [3] attr cn access_allowed no res from state (cn) => acl_mask access to entry "cn=<printer IP>,ou=printers,dc=example,dc=org", attr "cn" requested => acl_mask to all values by "uid=cupsd,ou=people,dc=example,dc=org", (=0) <= check a_dn_pat uid=replicator,ou=people,dc=example,dc=org <= check a_dn_pat self <= check a_dn_pat * <= acl_mask [3] applying read(=rscxd) (stop) <= acl_mask [3] mask read(=rscxd) => access_allowed delete access denied by read(=rscxd) bdb_modify modify failed (50) So it looks like a read ACL is preventing the write. What would be the proper way to write the ACLs for this task? TIA, -- Joshua M. Miller - RHCE,VCP

14 years, 6 months

2
3
0 / 0

parsing logs, trace replay

by Kelly, Terence P

Hi, Question 1: Is there any documentation available on the OpenLDAP access log format? I wasn't able to find any via Google or on the OpenLDAP Web site. I looked at how ldap-stats.pl version 5.2 parses logs but I see discrepancies between the operation counts returned by ldap-stats and counts obtained by independent means (e.g., simple AWK scripts), so I'm not very confident that it's doing the right thing. I can try to reverse-engineer the log format but if there's good documentation and/or a good parser out there I'd prefer that. Question 2: My goal is to replay traces of accesses to an LDAP server to a replica of the server itself. I want the exercise to be reasonably realistic, e.g., I want to achieve the same throughputs and level of concurrency as the real server. At the moment I'm planning to write my own trace-replay tool. I have investigated two trace-replay tools: dupetrace.pl and slamd. The former passes the buck to a shell utility which probably won't achieve the performance I need; the latter seems formidably difficult to set up and use. Are you aware of any LDAP trace replay tools that are as capable yet as simple as httperf? Many thanks for any pointers you can provide! -- Terence

14 years, 6 months

3
3
0 / 0

RE: How do I tell ldapsearch to authenticate to the referred to LDAP server when chasing a referral?

by Gavin Henry

<quote who="Comisario, Alejandro"> > OK!!! My boss calls me! > Let finish some work and I'll post you the debug!!! > From now, VERY VERY THANKS FOR YOUR HELP!!! Stop shouting and please CC openldap-software(a)openldap.org !!! ;-) Gavin. > > -- > Alejandro D. Comisario > Sistemas Catastrales S.A. > Depto. Tecnología y Seguridad Informática > (5411) 4326.4002 int. 273 > Buenos Aires, Argentina > acomisario(a)siscat.com.ar > > > -----Mensaje original----- > De: Gavin Henry [mailto:ghenry@suretecsystems.com] > Enviado el: martes, 17 de julio de 2007 15:15 > Para: Comisario, Alejandro > CC: openldap-software(a)openldap.org > Asunto: RE: How do I tell ldapsearch to authenticate to the referred to > LDAP > server when chasing a referral? > > <quote who="Comisario, Alejandro"> >> YES! >> It is, if i query the AD directly, it Works. >> >> Ldapsearch -b "ou=prueba,dc=adsc,dc=com" -H ldap://adldap.adsc.com -D >> "cn=admin,cn=users,dc=adsc,dc=com" -W >> >> WORKS!!! >> But the referral don't > > Try my verbose logging and paste in your reply > >> >> -- >> Alejandro D. Comisario >> Sistemas Catastrales S.A. >> Depto. Tecnología y Seguridad Informática >> (5411) 4326.4002 int. 273 >> Buenos Aires, Argentina >> acomisario(a)siscat.com.ar >> >> >> -----Mensaje original----- >> De: Gavin Henry [mailto:ghenry@suretecsystems.com] >> Enviado el: martes, 17 de julio de 2007 15:08 >> Para: Comisario, Alejandro >> CC: openldap-software(a)openldap.org >> Asunto: RE: How do I tell ldapsearch to authenticate to the referred to >> LDAP >> server when chasing a referral? >> >> <quote who="Comisario, Alejandro"> >>> Gavin. >>> Thanks for the answer, the thing is, and i could't say it befote, on >>> the >>> other side of the openLDAP is an Active Directory, when i try what you >>> say, >>> it gave me. >>> >>> doldap@root # ldapsearch -b "ou=prueba,dc=adsc,dc=com" \ >>> -H ldap://doldap.sc.com -D "cn=admin,cn=users,dc=adsc,dc=com" -W -x >>> Enter LDAP Password: >>> ldap_bind: Invalid credentials (49) >>> >>> >>> Any Ideas? >> >> Is cn=admin,cn=users,dc=adsc,dc=com in AD? >> >> Gavin. >> >>> >>> >>> -----Mensaje original----- >>> De: Gavin Henry [mailto:ghenry@suretecsystems.com] >>> Enviado el: martes, 17 de julio de 2007 13:59 >>> Para: Comisario, Alejandro >>> CC: openldap-software(a)openldap.org >>> Asunto: Re: How do I tell ldapsearch to authenticate to the referred to >>> LDAP >>> server when chasing a referral? >>> >>> <quote who="Comisario, Alejandro"> >>>> Hello everyone. >>>> >>>> I have an OpenLDAP 2.3.30 running on Debian Etch Stable in a DMZ, >>>> managing >>>> external users for an application. >>>> But at the same time i want this openLDAP to comunicate when given for >>>> a >>>> specific DN with another directory service on my internal network. >>>> The connection between the two machines passing thru the firewall is >>>> correct. >>>> >>>> The reference are: >>>> openLDAP machine : doldap.sc.com with domain dc=si,dc=com >>>> the other directory : adldap.adsc.com with domain dc=adsc,dc=com >>>> >>>> I defined the referral like this: >>>> dn: ou=test,dc=adsc,dc=com >>>> objectClass: referral >>>> objectClass: extensibleObject >>>> dc: prueba >>>> ref: ldap://adldap.adsc.com/ou=test,dc=adsc,dc=com >>>> >>>> So, when i query something like this (anonymous): >>>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x >>>> >>>> I get this response: >>>> # extended LDIF >>>> # >>>> # LDAPv3 >>>> # base <ou=prueba,dc=adsc,dc=com> with scope subtree # filter: >>>> (objectclass=*) # requesting: ALL # >>>> >>>> # search result >>>> search: 2 >>>> result: 10 Referral >>>> ref: ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub >>>> >>>> # numResponses: 1 >>>> >>>> So, apparently the referral for that query is found, next i tell >>>> ldapsearch >>>> to follow it: >>>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C >>>> >>>> The openLDAP try to follow the referral and get this response from the >>>> other >>>> service: >>>> # extended LDIF >>>> # >>>> # LDAPv3 >>>> # base <ou=prueba,dc=adsc,dc=com> with scope subtree # filter: >>>> (objectclass=*) # requesting: ALL # >>>> >>>> # search result >>>> search: 2 >>>> result: 1 Operations error >>>> text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform >>>> this >>>> operation a successful bind must be completed on the connection., data >>>> 0, >>>> vece >>>> >>>> # numResponses: 1 >>>> >>>> So, How do I tell ldapsearch to authenticate to the referred to LDAP >>>> server >>>> when chasing a referral? >>>> Hope someone can helpme. >>> >>> You need to actually bind as a user, e.g.: >>> >>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C -D >>> "uid=blah,dc=adsc,dc=com" -W >>> >>> Gavin. >>> >>>> >>>> Regards. >>>> >>>> .A l e j a n d r o. >>>> >>>> >>>> >>>> >>> >> >

14 years, 6 months

1
0
0 / 0

RE: How do I tell ldapsearch to authenticate to the referred to LDAP server when chasing a referral?

by Gavin Henry

<quote who="Comisario, Alejandro"> > YES! > It is, if i query the AD directly, it Works. > > Ldapsearch -b "ou=prueba,dc=adsc,dc=com" -H ldap://adldap.adsc.com -D > "cn=admin,cn=users,dc=adsc,dc=com" -W > > WORKS!!! > But the referral don't Try my verbose logging and paste in your reply > > -- > Alejandro D. Comisario > Sistemas Catastrales S.A. > Depto. Tecnología y Seguridad Informática > (5411) 4326.4002 int. 273 > Buenos Aires, Argentina > acomisario(a)siscat.com.ar > > > -----Mensaje original----- > De: Gavin Henry [mailto:ghenry@suretecsystems.com] > Enviado el: martes, 17 de julio de 2007 15:08 > Para: Comisario, Alejandro > CC: openldap-software(a)openldap.org > Asunto: RE: How do I tell ldapsearch to authenticate to the referred to > LDAP > server when chasing a referral? > > <quote who="Comisario, Alejandro"> >> Gavin. >> Thanks for the answer, the thing is, and i could't say it befote, on the >> other side of the openLDAP is an Active Directory, when i try what you >> say, >> it gave me. >> >> doldap@root # ldapsearch -b "ou=prueba,dc=adsc,dc=com" \ >> -H ldap://doldap.sc.com -D "cn=admin,cn=users,dc=adsc,dc=com" -W -x >> Enter LDAP Password: >> ldap_bind: Invalid credentials (49) >> >> >> Any Ideas? > > Is cn=admin,cn=users,dc=adsc,dc=com in AD? > > Gavin. > >> >> >> -----Mensaje original----- >> De: Gavin Henry [mailto:ghenry@suretecsystems.com] >> Enviado el: martes, 17 de julio de 2007 13:59 >> Para: Comisario, Alejandro >> CC: openldap-software(a)openldap.org >> Asunto: Re: How do I tell ldapsearch to authenticate to the referred to >> LDAP >> server when chasing a referral? >> >> <quote who="Comisario, Alejandro"> >>> Hello everyone. >>> >>> I have an OpenLDAP 2.3.30 running on Debian Etch Stable in a DMZ, >>> managing >>> external users for an application. >>> But at the same time i want this openLDAP to comunicate when given for >>> a >>> specific DN with another directory service on my internal network. >>> The connection between the two machines passing thru the firewall is >>> correct. >>> >>> The reference are: >>> openLDAP machine : doldap.sc.com with domain dc=si,dc=com >>> the other directory : adldap.adsc.com with domain dc=adsc,dc=com >>> >>> I defined the referral like this: >>> dn: ou=test,dc=adsc,dc=com >>> objectClass: referral >>> objectClass: extensibleObject >>> dc: prueba >>> ref: ldap://adldap.adsc.com/ou=test,dc=adsc,dc=com >>> >>> So, when i query something like this (anonymous): >>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x >>> >>> I get this response: >>> # extended LDIF >>> # >>> # LDAPv3 >>> # base <ou=prueba,dc=adsc,dc=com> with scope subtree # filter: >>> (objectclass=*) # requesting: ALL # >>> >>> # search result >>> search: 2 >>> result: 10 Referral >>> ref: ldap://adldap.adsc.com/ou=prueba,dc=adsc,dc=com??sub >>> >>> # numResponses: 1 >>> >>> So, apparently the referral for that query is found, next i tell >>> ldapsearch >>> to follow it: >>> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C >>> >>> The openLDAP try to follow the referral and get this response from the >>> other >>> service: >>> # extended LDIF >>> # >>> # LDAPv3 >>> # base <ou=prueba,dc=adsc,dc=com> with scope subtree # filter: >>> (objectclass=*) # requesting: ALL # >>> >>> # search result >>> search: 2 >>> result: 1 Operations error >>> text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform >>> this >>> operation a successful bind must be completed on the connection., data >>> 0, >>> vece >>> >>> # numResponses: 1 >>> >>> So, How do I tell ldapsearch to authenticate to the referred to LDAP >>> server >>> when chasing a referral? >>> Hope someone can helpme. >> >> You need to actually bind as a user, e.g.: >> >> ldapsearch -b "ou=test,dc=adsc,dc=com" -H ldap://doldap.sc.com -x -C -D >> "uid=blah,dc=adsc,dc=com" -W >> >> Gavin. >> >>> >>> Regards. >>> >>> .A l e j a n d r o. >>> >>> >>> >>> >> >

14 years, 6 months

1
0
0 / 0

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software July 2007