is this possible
by D'Arcy Smith
Hi,
I have been looking into LDAP for a few days now (I am fairly new to
it) and here is what I am attempting to do (but I haven't figured out
if it is possible).
Currently I have access to an LDAP server that I use with
apache/subversion to control access. This works but I would like to
add some things, such as group information into LDAP to simplify some
configuration (I have more applications other than apache/subversion
that need LDAP authentication).
I am not able to get changes made to the server that I have access to
so what I figured would make sense is to implement my own openldap
server and add the group info there. I don't want to have the
passwords in my own LDAP server, I want to pass password requests onto
the upstream server.
So, is it possible for an openldap server to pass some requests onto
another server and still provide other information to clients?
Hopefully that is clear :-)
Thanks,
..darcy
14 years, 11 months
proxy auth and userpassword access
by Dieter Kluenter
Hi,
when using proxy authentication with strong bind, the attribute
userPassword has to have read access, that is, auth access is not
sufficient. Is there any particular reason for this potential security
hole?
slapd[7028]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "userPassword" requested
slapd[7028]: => acl_mask: to value by "cn=admanager,o=avci,c=de", (=0)
slapd[7028]: <= check a_dn_pat: self
slapd[7028]: <= check a_dn_pat: *
slapd[7028]: <= acl_mask: [2] applying auth(=xd) (stop)
slapd[7028]: <= acl_mask: [2] mask: auth(=xd)
slapd[7028]: => slap_access_allowed: read access denied by auth(=xd)
slapd[7028]: => access_allowed: no more rules
slapd[7028]: send_search_entry: conn 3 access to attribute userPassword, value #0 not allowed
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
14 years, 11 months
strong bind with back-ldap
by Dieter Kluenter
Hi,
I have some problems understanding strong binds and proxy authc with
back-ldap. It seems that back-ldap is not passing the bind credentials
to the remote server, thus only an anonymous bind is enforced. On the
other hand, an ldapwhoami results in success
,----[ ldapwhoami on back-ldap ]
| ldapwhoami -Y digest-md5 -U dieter -w secret -H ldap://localhost:9004
| SASL/DIGEST-MD5 authentication started
| SASL username: dieter
| SASL SSF: 128
| SASL data security layer installed.
| dn:cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de
`----
while an ldapsearch results in no success
ldapsearch -Y digest-md5 -Udieter -w pfeife -H ldap://localhost:9004 -b dc=dkluenter,dc=de -s sub sn=las* mail telephonenumber
,----[ log with loglevel acl ]
| slapd[7050]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci,c=de", attr "sn" requested
| slapd[7050]: => acl_mask: to all values by "", (=0)
| slapd[7050]: <= check a_dn_pat: cn=admanager,o=avci,c=de
| slapd[7050]: <= check a_dn_pat: users
| slapd[7050]: <= acl_mask: no more <who> clauses, returning =0 (stop)
| slapd[7050]: => slap_access_allowed: search access denied by =0
| slapd[7050]: => access_allowed: no more rules
`----
the back-ldap configuration,
,----[ back-ldap slapd.conf ]
| .....
| modulepath /opt/openldap/libexec/openldap
| moduleload back_meta.la
| moduleload back_ldap.la
| moduleload pcache.la
| moduleload rwm.la
| authz-regexp uid=(.*),cn=.*,cn=auth
|     ldap:///dc=dkluenter,dc=de??sub?uid=$1
|
| access to * by * read
| database ldap
| suffix dc=dkluenter,dc=de
| rootdn cn=admin,dc=dkluenter,dc=de
| uri ldap://localhost:389
| acl-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=mailer
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authzId=u:admanager
|     authz=native
|     credentials=mailer
| proxy-whoami yes
| overlay rwm
| rwm-rewriteEngine on
| rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de"
| overlay pcache
| proxycache bdb 10000 22 50 3600
| proxycachequeries 10000
| proxyattrset 0 mail telephonenumber
| proxyattrset 1 mobile homephone
| proxytemplate (sn=) 0 3600
| proxytemplate (cn=) 1 3600
| directory /opt/openldap/var/cache
| cachesize 1000
| dbconfig set_cachesize 0 1048576 0
| index objectClass,queryid eq
| index telephonenumber pres,eq
| index cn,sn,mail pres,eq,sub
| #
| database monitor
`----
the relevant access rules on the remote server
,----[ slapd.conf access rules ]
| access to dn.subtree="ou=adressbuch,o=avci,c=de"
|     by dn.exact="cn=adManager,o=avci,c=de" write
|     by users read
`----
Not to mention that the same search operation on the remote server is
successful
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
14 years, 12 months
Deleting subtree - server side
by Arunachalam Parthasarathy
Hello all,
Does the openldap 2.3.36 server support deleting a subtree? I mean, I know
that through the -r option to ldapdelete this is possible. Using HDB, since
the openldap server supports move, is subtree delete possible on the server
side?
Thanks in advance,
Arunachalam
14 years, 12 months
refint monitoring changes made to parent node?
by Zhang Weiwu
Dear all
As in manual:
Integrity is maintained by updating database records which contain the
named attributes to match the results of a modrdn or delete operation.
Is it feasible and possible that a future version also maintains referential
integrity by "updating database records which contain the named
attributes to match /and subtree match/ the results of a modrdn or
delete operation."
Which means:
entry:
dn: cn=Wang,ou=sales,o=example.com
...
dn: o=Su,ou=sales,o=example.com
manager: cn=Wang,ou=sales,o=example.com
now:
$ ldapmodrdn ou=sales,o=example.com ou=sales,ou=marketing,o=example.com
Currently the referential integrity is not maintained in such a case: the
value of the 'manager' attribute of "o=Su,ou=sales,o=example.com" is not
changed, resulting in an invalid manager attribute value. Would it be
interesting in such a case to have the 'manager' attribute updated too? e.g.
as a feature request.
Thanks. Might be a stupid idea but would love to know why it's stupid
(probably "non-leaf nodes should be changed as little as possible or not at
all; re-construct your LDAP structure.")
14 years, 12 months
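The two posts above (server-side subtree delete, and referential integrity when a parent entry is renamed) both come down to operating on whole subtrees that LDAP itself only handles one entry at a time. The following is an added example, not code from either post or from OpenLDAP: a DN splitter that honours backslash escapes, a bottom-up ordering for client-side recursive delete (the reason ldapdelete -r has to work leaf-first), and a rewrite of DN-valued attributes after a subtree modrdn, run over a constructed sample that mirrors the cn=Wang / o=Su scenario. It assumes RFC 4514 DN strings and compares DN components case-insensitively as plain strings, which is a simplification of per-attribute matching rules.

```python
"""Added example, not part of either post above: client-side helpers for
two subtree operations, bottom-up subtree delete (what ldapdelete -r has
to do) and fixing DN-valued attributes after a parent entry is renamed
(the subtree-match behaviour the refint post asks for).

Assumptions: DNs are RFC 4514 strings, a backslash escapes the next
character, and DN components are compared case-insensitively as plain
strings (real matching rules are per-attribute).
"""
from typing import Dict, List, Sequence, Tuple


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash escapes."""
    rdns: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # keep the escape pair as-is
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":                            # an unescaped comma ends an RDN
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def _norm(dn: str) -> Tuple[str, ...]:
    return tuple(r.lower() for r in split_rdns(dn))


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies somewhere below it."""
    d, b = _norm(dn), _norm(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def delete_order(dns: Sequence[str], base: str) -> List[str]:
    """Entries of base's subtree, deepest first: LDAP deletes only leaves,
    so a client-side recursive delete must work bottom-up."""
    members = [d for d in dns if is_under(d, base)]
    return sorted(members, key=lambda d: -len(split_rdns(d)))


def rename_under(dn: str, old_base: str, new_base: str) -> str:
    """Rewrite dn if it is old_base or below it; otherwise return it unchanged."""
    if not is_under(dn, old_base):
        return dn
    keep = split_rdns(dn)[: len(split_rdns(dn)) - len(split_rdns(old_base))]
    return ",".join(keep + split_rdns(new_base))


Entry = Dict[str, List[str]]


def refint_after_subtree_rename(entries: Dict[str, Entry], dn_attrs: Sequence[str],
                                old_base: str, new_base: str) -> Dict[str, Entry]:
    """Return entries as they should look after 'modrdn old_base -> new_base':
    the entries themselves move, and every value of a DN-valued attribute in
    dn_attrs that pointed into the moved subtree is rewritten as well."""
    wanted = {a.lower() for a in dn_attrs}
    out: Dict[str, Entry] = {}
    for dn, attrs in entries.items():
        fixed: Entry = {}
        for name, values in attrs.items():
            if name.lower() in wanted:
                fixed[name] = [rename_under(v, old_base, new_base) for v in values]
            else:
                fixed[name] = list(values)
        out[rename_under(dn, old_base, new_base)] = fixed
    return out


# Constructed sample mirroring the modrdn scenario in the post
SAMPLE: Dict[str, Entry] = {
    "cn=Wang,ou=sales,o=example.com": {"objectClass": ["person"]},
    "o=Su,ou=sales,o=example.com": {"manager": ["cn=Wang,ou=sales,o=example.com"]},
    "cn=Li,ou=eng,o=example.com": {"manager": ["cn=Wang,ou=sales,o=example.com"]},
}

if __name__ == "__main__":
    moved = refint_after_subtree_rename(
        SAMPLE, ["manager"], "ou=sales,o=example.com", "ou=sales,ou=marketing,o=example.com")
    for dn, attrs in moved.items():
        print(dn, attrs)
    print(delete_order(list(SAMPLE), "ou=sales,o=example.com"))
```

Note that cn=Li, which is outside the moved subtree, still has its manager value rewritten: that is exactly the "subtree match" the post asks refint for, since the dangling reference is in an entry that was never itself renamed.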
overlay dynlist not found
by Pablo Daniel Rey
hello.
i'm trying to configure dynlist overlay into slapd.
my slapd.conf
-----------------------------------------------------------------------
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/dyngroup.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
overlay dynlist
dynlist-attrset groupOfURLs memberURL
backend bdb
checkpoint 512 30
database bdb
suffix "dc=casa"
rootdn "cn=admin,dc=casa"
rootpw *****
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=casa" write
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to dn.regex="^(.+,)?uid=([^,]+),ou=Users,dc=casa$"
    by dn="cn=admin,dc=casa" write
    by dn.exact,expand="uid=$2,ou=Users,dc=casa" write
    by * none
access to *
    by dn="cn=admin,dc=casa" write
    by self write
    by users read
    by * none
----------------------------------------------------------------------------------------
when i run slapd -d -1 i get the following error.
.......
.........
loaded module back_bdb
bdb_back_initialize: initialize BDB backend
bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
module back_bdb: null module registered
line 33 (sizelimit 500)
line 37 (tool-threads 1)
line 42 (overlay dynlist)
overlay "dynlist" not found
/etc/ldap/slapd.conf: line 42: <overlay> handler exited with 1!
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
i've tried searching on the internet and the lists but i've found nothing.
if i remove the lines :
overlay dynlist
dynlist-attrset groupOfURLs memberURL
slapd runs ok, but without dynlist of course.
dynlist.la and dynlist.so are in /usr/lib/ldap
thanks in advance.
-------------------------------------------------------
--
Pablo Daniel Rey
Área Redes y Servidores
Departamento de Informática.
Facultad de Ciencias Económicas UNLP
Oficina 520 (5to piso)
Tels: 0221-4236769/71/71 Interno (42)
E-mail: pablo(a)econo.unlp.edu.ar
14 years, 12 months
objectClass names in ACLs
by Thierry Lacoste
Hello,
After careful testing I came up with explicit ACLs.
For example I have:
access to dn.one="ou=Groups,o=test"
    attrs=entry,objectClass,gidNumber,cn,memberUid
    by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
    by * read
access to dn.one="ou=Groups,o=test"
    attrs=sambaSID,sambaGroupType,displayName
    by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
    by dn.exact="cn=sambamgr,ou=Managers,o=test" read
    by * none
Then I saw that I can use an objectClass name as a shorthand for all
the attributes in the class. Here I could use:
access to dn.one="ou=Groups,o=test"
    attrs=entry,objectClass,posixGroup
    by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
    by * read
access to dn.one="ou=Groups,o=test"
    attrs=sambaGroupMapping
    by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write
    by dn.exact="cn=sambamgr,ou=Managers,o=test" read
    by * none
I like the explicit form because it requires one to know exactly what
is needed and it gives access to no more than that.
Are there advantages to the short form (performance, readability,
ease of maintenance and/or evolution)?
What about attributes like gidNumber which are in both classes?
I guess that if I swap the two short ACLs I change the access to gidNumber.
Am I right?
With the short form should I explicitly protect attributes (like userPassword
of posixGroup) which do not appear currently in my directory but may be
added later?
Any advice would be appreciated.
Regards,
Thierry.
14 years, 12 months
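Two questions on this page turn on the same mechanics: which `access to` clause governs an attribute that two objectClass shorthands both cover (the post above), and why a `by * auth` clause on userPassword lets a proxy identity bind but not read (the "proxy auth and userpassword access" post and its acl_mask log, "read access denied by auth(=xd)"). The following is an added example, not code from either post or from OpenLDAP: a small model of slapd's first-matching-clause evaluation and ordered access levels, run over both posts' rules. It is deliberately simplified (no dn.one scope, no `entry` pseudo-attribute, no regex or expand <who> forms, no server default policy), and the objectClass-to-attribute table is a hand-written assumption of each class's MUST and MAY attributes rather than something read from a running slapd.

```python
"""Added example, not taken from either post: a small model of how slapd
picks an access level, used to simulate two questions from this page.

Simplified on purpose: target scope (dn.one=...), the 'entry'
pseudo-attribute, regex/expand <who> forms and the server's default
policy are left out. OBJECT_CLASSES is a hand-written assumption
(MUST plus MAY of each class), not read from slapd's schema.
"""
from typing import Dict, List, Optional, Sequence, Set, Tuple

# slapd access levels in increasing order; a granted level satisfies every
# lower requirement (auth satisfies auth, but not read)
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Assumed MUST + MAY attributes of the two classes named in the post
OBJECT_CLASSES: Dict[str, Set[str]] = {
    "posixgroup": {"cn", "gidnumber", "userpassword", "memberuid", "description"},
    "sambagroupmapping": {"gidnumber", "sambasid", "sambagrouptype", "displayname"},
}

By = Tuple[str, str]                         # (<who>, <level>)
Rule = Tuple[Sequence[str], Sequence[By]]    # (attrs list, by clauses)


def expand_attrs(names: Sequence[str]) -> Set[str]:
    """An objectClass name stands for all of its attributes; anything else is itself."""
    out: Set[str] = set()
    for n in names:
        out |= OBJECT_CLASSES.get(n.lower(), {n.lower()})
    return out


def who_matches(who: str, subject: Optional[str], target: str) -> bool:
    """<who> forms modelled: '*', 'anonymous', 'users', 'self', or an exact DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "users":
        return subject is not None
    if who == "self":
        return subject is not None and subject.lower() == target.lower()
    return subject is not None and subject.lower() == who.lower()


def granted(rules: Sequence[Rule], subject: Optional[str], target: str, attr: str) -> str:
    """The first 'access to' clause covering the attribute is the only one
    consulted; inside it the first matching <by> decides; if no <by> matches,
    the result is 'none' and evaluation stops."""
    for attrs, by_clauses in rules:
        if attr.lower() in expand_attrs(attrs):
            for who, level in by_clauses:
                if who_matches(who, subject, target):
                    return level
            return "none"
    return "none"   # simplification: no clause at all is treated as none


def allowed(rules: Sequence[Rule], subject: Optional[str], target: str,
            attr: str, needed: str) -> bool:
    """Is the granted level at least the level the operation needs?"""
    return LEVELS.index(granted(rules, subject, target, attr)) >= LEVELS.index(needed)


# The two short-form clauses from the ACL post, in both orders
SMBLDAPMGR = "cn=smbldapmgr,ou=Managers,o=test"
SAMBAMGR = "cn=sambamgr,ou=Managers,o=test"
POSIX_CLAUSE: Rule = (["entry", "objectClass", "posixGroup"],
                      [(SMBLDAPMGR, "write"), ("*", "read")])
SAMBA_CLAUSE: Rule = (["sambaGroupMapping"],
                      [(SMBLDAPMGR, "write"), (SAMBAMGR, "read"), ("*", "none")])
SHORT_FORM: List[Rule] = [POSIX_CLAUSE, SAMBA_CLAUSE]
SWAPPED: List[Rule] = [SAMBA_CLAUSE, POSIX_CLAUSE]
GROUP = "cn=staff,ou=Groups,o=test"          # constructed target entry

# The userPassword rule implied by the proxy-auth log ('self' then '*' with auth)
PW_RULE: List[Rule] = [(["userPassword"], [("self", "write"), ("*", "auth")])]
PROXY = "cn=admanager,o=avci,c=de"
USER = "cn=Dieter Kluenter,ou=Partner,o=avci,c=de"

if __name__ == "__main__":
    for label, rules in (("short form", SHORT_FORM), ("swapped", SWAPPED)):
        print(label, "anonymous/gidNumber:", granted(rules, None, GROUP, "gidNumber"),
              " sambamgr/gidNumber:", granted(rules, SAMBAMGR, GROUP, "gidNumber"))
    print("proxy may bind:", allowed(PW_RULE, PROXY, USER, "userPassword", "auth"),
          " proxy may read:", allowed(PW_RULE, PROXY, USER, "userPassword", "read"))
```

With the posixGroup clause first, anonymous gets read on gidNumber through `by * read`; with the clauses swapped, gidNumber falls under the sambaGroupMapping clause and anonymous gets none. The same model shows why the short form is worth auditing: userPassword is a MAY attribute of posixGroup, so the first clause covers it with `by * read` even though no group entry carries it today. For the proxy case, `auth` is enough for a bind but sits below `read`, which is what the acl_mask log reports.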
sometimes I can search, some times not...
by Jason Dusek
I can search by some attributes -- (loginShell=/bin/bash), (cn=jsn) --
but not by others -- (uid=jsn), (gidNumber=81) -- and I have *no*
access statements in my slapd.conf. What am I doing wrong? I'm using
ldbm -- could that be it?
--
_jsn
14 years, 12 months
x-ordered extension doesn't work (openldap2-2.3.27)
by Zhang Weiwu
Hello.
In order to find a pure and clean test environment to let me experiment
with the x-ordered extension, this is what I did:
I. on SuSE 10.2, install openldap2-2.3.27-25 (official suse
package)
II. start the service by running /etc/init.d/ldap start
III. run slapadd to add the test entry given in
http://www.highlandsun.com/hyc/drafts/draft-chu-ldap-xordered-xx.html
joe # ldapadd -D cn=Manager,dc=my-domain,dc=com -w secret -x
dn: olcDatabase={1}bdb,dc=my-domain,dc=com
olcDatabase: {1}bdb
objectClass: olcDatabaseConfig
olcSuffix: {0}dc=example,dc=com
olcSuffix: {1}o=example.com
olcSuffix: {2}o=The Example Company
olcSuffix: {3}o=example,c=us
adding new entry "olcDatabase={1}bdb,dc=my-domain,dc=com"
ldap_add: Invalid syntax (21)
additional info: olcSuffix: value #0 invalid per syntax
So it seems it is not working. No clue, clean environment. Can someone hint me
how to further test?
Note:
I. /etc/openldap/slapd.conf is not modified at all to give a pure
and clean test environment; default SuSE 10.2 openldap package
is pre-configured to work out-of-the-box;
II. The test entry is taken from Internet draft with only one
modification to replace dn suffix to dc=my-domain,dc=com which
is OpenSuSE openldap package's default value;
III. I tried to include the attached schema file in slapd.conf but
keep getting an "Inconsistent duplicate attributeType" error which
seems to suggest the definitions of olcDatabase, olcSuffix and
olcDatabaseConfig are embedded in the openldap source code. The above
test is done without the attached schema included in slapd.conf.
IV. A similar test had been done on my usual testbed which runs
Gentoo Linux and openldap-2.3.37; that gave the same result ("value
#0 invalid per syntax"), which motivated me to do this cleaner
test in the simplest environment.
14 years, 12 months
TLS verify errors
by Quanah Gibson-Mount
I've run into an interesting issue where if I set up a .ldaprc for the user
running slapd with:
BASE ""
TLS_CACERT /opt/zimbra/conf/ca/ca.pem
slapd will fail to start with:
TLS: could not load client CA list
(file:`/opt/zimbra/conf/ca/ca.pem',dir:`').
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
It is not an issue with being able to read the cert as:
cat /opt/zimbra/conf/ca/ca.pem
-----BEGIN TRUSTED CERTIFICATE-----
.....
-----END TRUSTED CERTIFICATE-----
works just fine. If I change it to TLSCACERTDIR and adjust to a path, then
slapd starts just fine, but I can't negotiate STARTTLS for the same reason.
Using openssl to verify the slapd cert (which is signed by this CA) shows
everything is correct, as well:
/usr/bin/openssl verify -CAfile /opt/zimbra/conf/ca/ca.pem -purpose sslclient /opt/zimbra/conf/slapd.crt
/opt/zimbra/conf/slapd.crt: OK
I'm not really sure why defining a CA cert for the client to use stops
slapd from working, either. Seems rather odd to me.
Thoughts appreciated. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
15 years