openldap-software August 2007

openldap-software@openldap.org

77 participants
93 discussions

is this possible
by D'Arcy Smith 22 Aug '07

22 Aug '07

Hi, I have been looing into LDAP for a few days now (I am fairly new to it) and here is what I am attempting to do (but I haven't figured out if it is possible). Currently I have access to an LDAP server that I use with apache/subversion to control access. This works but I would like to add some things, such as group information into LDAP to simplify some configuration (I have more applciations other than apache/subversion that need LDAP authendication). I am not able to get changes made to the server that I have access to so what I figured would make sense is to inplement my own openldap server and add the group info there. I don't want to have the passwords in my own LDAP server, I want to pass password requests onto the upstream server. So, is it possible for an openldap server to pass some requests onto another server and still provide other information to clients? Hopefully that is clear :-) Thanks, ..darcy

4 3

proxy auth and userpassword access
by Dieter Kluenter 22 Aug '07

22 Aug '07

Hi, when using proxy authentication with strong bind, the attribute userPassword has to have read access, that is, auth access is not sufficient Is there any particular reason for this potential security hole? slapd[7028]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "userPassword" requested slapd[7028]: => acl_mask: to value by "cn=admanager,o=avci,c=de", (=0) slapd[7028]: <= check a_dn_pat: self slapd[7028]: <= check a_dn_pat: * slapd[7028]: <= acl_mask: [2] applying auth(=xd) (stop) slapd[7028]: <= acl_mask: [2] mask: auth(=xd) slapd[7028]: => slap_access_allowed: read access denied by auth(=xd) slapd[7028]: => access_allowed: no more rules slapd[7028]: send_search_entry: conn 3 access to attribute userPassword, value #0 not allowed -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

3 2

strong bind with back-ldap
by Dieter Kluenter 21 Aug '07

21 Aug '07

Hi, I have some problems understanding strong binds and proxy authc with back-ldap. It seems that back-ldap is not passing the bind credentials to the remote server, thus only an anonymous bind is enforced. On the other hand, a ldapwhoami results in success ,----[ ldapwhoami on back-ldap ] | ldapwhoami -Y digest-md5 -U dieter -w secret -H ldap://localhost:9004 | SASL/DIGEST-MD5 authentication started | SASL username: dieter | SASL SSF: 128 | SASL data security layer installed. | dn:cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de `---- while a ldapsearch results in no success ldapsearch -Y digest-md5 -Udieter -w pfeife -H ldap://localhost:9004 -b dc=dkluenter,dc=de -s sub sn=las* mail telephonenumber ,----[ log with loglevel acl ] | Slapd[7050]: => Acl_Mask: Access To Entry "Cn=Deszo | Laszlo,Ou=Adressbuch,O=Avci,C=De", Attr "Sn" Requested | Slapd[7050]: => Acl_Mask: To All Values By "", (=0) | Slapd[7050]: <= Check A_Dn_Pat: Cn=Admanager,O=Avci,C=De | Slapd[7050]: <= Check A_Dn_Pat: Users | Slapd[7050]: <= Acl_Mask: No More <Who> Clauses, Returning =0 (Stop) | Slapd[7050]: => Slap_Access_Allowed: Search Access Denied By =0 | Slapd[7050]: => Access_Allowed: No More Rules `---- the back-ldap configuration, ,----[ back-ldap slapd.conf ] | ..... | modulepath /opt/openldap/libexec/openldap | moduleload back_meta.la | moduleload back_ldap.la | moduleload pcache.la | moduleload rwm.la | authz-regexp uid=(.*),cn=.*,cn=auth | ldap:///dc=dkluenter,dc=de??sub?uid=$1 | | access to * by * read | database ldap | suffix dc=dkluenter,dc=de | rootdn cn=admin,dc=dkluenter,dc=de | uri ldap://localhost:389 | acl-bind | bindmethod=sasl | saslmech=digest-md5 | authcId=admanager | credentials=mailer | #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de | idassert-bind | bindmethod=sasl | saslmech=digest-md5 | authzId=u:admanager | authz=native | credentials=mailer | proxy-whoami yes | overlay rwm | rwm-rewriteEngine on | rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de" | overlay pcache | proxycache bdb 10000 22 50 3600 | proxycachequeries 10000 | proxyattrset 0 mail telephonenumber | proxyattrset 1 mobile homephone | proxytemplate (sn=) 0 3600 | proxytemplate (cn=) 1 3600 | directory /opt/openldap/var/cache | cachesize 1000 | dbconfig set_cachesize 0 1048576 0 | index objectClass,queryid eq | index telephonenumber pres,eq | index cn,sn,mail pres,eq,sub | # | database monitor `---- the relevant access rules on the remote server ,----[ slapd.conf access rules ] | access to dn.subtree="ou=adressbuch,o=avci,c=de" | by dn.exact="cn=adManager,o=avci,c=de" write | by users read `---- Not to mention that the same search operation on the remote server is successful -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

2 4

Deleting subtree - server side
by Arunachalam Parthasarathy 21 Aug '07

21 Aug '07

Hello all, Is the openldap2.3.36 server supports, deleting a subtree. I mean, I know that through -r option to ldapdelete, this is possible. Using HDB, as openldap server is supporting move, is delete subtree possible in server side? Thanks in advance, Arunachalam **************************************************************************** **************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

4 13

refint monitoring changes made to parent node?
by Zhang Weiwu 21 Aug '07

21 Aug '07

Dear all As in manual: Integrity is maintained by updating database records which contain the named attributes to match the results of a modrdn or delete operation. Is it feasible and possible the future version also maintain referential integrity by "updating database records which contain the named attributes to match /and subtree match/ the results of a modrdn or delete operation." Which means: entry: dn: cn=Wang,ou=sales,o=example.com ... dn: o=Su,ou=sales,o=example.com manager: cn=Wang,ou=sales,o=example.com now: $ ldapmodrdn ou=sales,o=example.com ou=sales,ou=marketing,o=example.com Currently the referential integrity is not maintained in such case, value of 'manager' attribute of "o=Su,ou=sales,o=example.com" is not changed, resulting to an invalid manager attribute value. Would it be interesting in such case to have updated 'manager' attribute too? e.g. as a feature request. Thanks. Might be stupid idea but would love to know why it's stupid (probably "non-leaf node should be changed as less as possible or not at all, re-construct your LDAP structure.")

2 3

overlay dynlist not found
by Pablo Daniel Rey 20 Aug '07

20 Aug '07

hello. i'm trying to configure dynlist overlay into slapd. my slapd.conf ----------------------------------------------------------------------- include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/dyngroup.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 0 modulepath /usr/lib/ldap moduleload back_bdb sizelimit 500 tool-threads 1 overlay dynlist dynlist-attrset groupOfURLs memberURL backend bdb checkpoint 512 30 database bdb suffix "dc=casa" rootdn "cn=admin,dc=casa" rootpw ***** directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=casa" write by anonymous auth by self write by * none access to dn.base="" by * read access to dn.regex="^(.+,)?uid=([^,]+),ou=Users,dc=casa$" by dn="cn=admin,dc=casa" write by dn.exact,expand="uid=$2,ou=Users,dc=casa" write by * none access to * by dn="cn=admin,dc=casa" write by self write by users read by * none ---------------------------------------------------------------------------------------- when i run slapd -d -1 i get the folowing error. ....... ......... loaded module back_bdb bdb_back_initialize: initialize BDB backend bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003) module back_bdb: null module registered line 33 (sizelimit 500) line 37 (tool-threads 1) line 42 (overlay dynlist) overlay "dynlist" not found /etc/ldap/slapd.conf: line 42: <overlay> handler exited with 1! slapd destroy: freeing system resources. slapd stopped. connections_destroy: nothing to destroy. i've tried searching in the internet and the lists but 've found nothing. if i remove the lines : overlay dynlist dynlist-attrset groupOfURLs memberURL slapd runs ok, but without dynlist of course. dynlist.la and dynlist.so are in /usr/lib/ldap thank's in advance. ------------------------------------------------------- -- Pablo Daniel Rey Área Redes y Servidores Departamento de Informática. Facultad de Ciencias Económicas UNLP Oficina 520 (5to piso) Tels: 0221-4236769/71/71 Interno (42) E-mail: pablo(a)econo.unlp.edu.ar

2 1

objectClass names in ACLs
by Thierry Lacoste 19 Aug '07

19 Aug '07

Hello, After careful testing I came up with explicit ACLs. For example I have: access to dn.one="ou=Groups,o=test" attrs=entry,objectClass,gidNumber,cn,memberUid by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by * read access to dn.one="ou=Groups,o=test" attrs=sambaSID,sambaGroupType,displayName by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by dn.exact="cn=sambamgr,ou=Managers,o=test" read by * none Then I saw that I can use an objectClass name as a shorthand for all the attributes in the class. Here I could use: access to dn.one="ou=Groups,o=test" attrs=entry,objectClass,posixGroup by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by * read access to dn.one="ou=Groups,o=test" attrs=sambaGroupMapping by dn.exact="cn=smbldapmgr,ou=Managers,o=test" write by dn.exact="cn=sambamgr,ou=Managers,o=test" read by * none I like the explicit form because it requires one to know exactly what is needed and it gives access to no more than that. Are there advantages to the short form (performance, readability, ease of maintenance and/or evolution)? What about attributes like gidNumber which are in both classes? I guess that if I swap the two short ACLs I change the access to gidNumber. Am I right? With the short form should I protect expicitly attributes (like userPassword of posixGroup) which do not appear currently in my directory but may be added later? Any advice would be appreciated. Regards, Thierry.

2 1

sometimes I can search, some times not...
by Jason Dusek 18 Aug '07

18 Aug '07

I can search by some attributes -- (loginShell=/bin/bash), (cn=jsn) -- but not by others -- (uid=jsn), (gidNumber=81) -- and I have *no* access statements in my slapd.conf. What am I doing wrong? I'm using ldbm -- could that be it? -- _jsn

1 1

x-ordered extension doesn't work (openldap2-2.3.27)
by Zhang Weiwu 17 Aug '07

17 Aug '07

Hello. In order to find a pure and clean test environment to let me experiment x-ordered extension, this what I did: I. on SuSE 10.2, install openldap2-2.3.27-25 (official suse package) II. start the service by running /etc/init.d/ldap start III. run slapadd to add the test entry given in http://www.highlandsun.com/hyc/drafts/draft-chu-ldap-xordered-xx.html joe # ldapadd -D cn=Manager,dc=my-domain,dc=com -w secret -x dn: olcDatabase={1}bdb,dc=my-domain,dc=com olcDatabase: {1}bdb objectClass: olcDatabaseConfig olcSuffix: {0}dc=example,dc=com olcSuffix: {1}o=example.com olcSuffix: {2}o=The Example Company olcSuffix: {3}o=example,c=us adding new entry "olcDatabase={1}bdb,dc=my-domain,dc=com" ldap_add: Invalid syntax (21) additional info: olcSuffix: value #0 invalid per syntax So it seems not working. No clue, clean environment. Can someone hint me how to futher test? Note: I. /etc/openlda/slapd.conf is not modified at all to give a pure and clean test environment; default SuSE 10.2 openldap package is pre-configured to work out-of-the-box; II. The test entry is taken from Internet draft with only one modification to replace dn suffix to dc=my-domain,dc=com which is OpenSuSE openldap package's default value; III. I tried to include the attached schema file to slapd.conf but keep getting "Inconsistent duplicate attributeType" error which seems to suggest definition of olcDatabase, olcSuffic and olcDatabaseConfig are embeded in openldap source code. Above test is done without attached schema included in slapd.conf. IV. Similiar test had been done on my usual testbed which runs Gentoo Linux and openldap-2.3.37, that gave same result ("value #0 invalid per syntax"), which motivated me to do this cleaner test in simplist environment.

2 3

TLS verify errors
by Quanah Gibson-Mount 16 Aug '07

16 Aug '07

I've run into an interesting issue where if I set up a .ldaprc for the user running slapd with: BASE "" TLS_CACERT /opt/zimbra/conf/ca/ca.pem slapd will fail to start with: TLS: could not load client CA list (file:`/opt/zimbra/conf/ca/ca.pem',dir:`'). TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642 It is not an issue with being able to read the cert as: cat /opt/zimbra/conf/ca/ca.pem -----BEGIN TRUSTED CERTIFICATE----- ..... -----END TRUSTED CERTIFICATE----- works just fine. If I change it to TLSCACERTDIR and adjust to a path, then slapd starts just fine, but I can't negotiate STARTTLS for the same reason. Using openssl to verify the slapd cert (which is signed by this CA) shows everything is correct, as well: /usr/bin/openssl verify -CAfile /opt/zimbra/conf/ca/ca.pem -purpose sslclient /opt/zimbra/conf/slapd.crt /opt/zimbra/conf/slapd.crt: OK I'm not really sure why defining a CA cert for the client to use stops slapd from working, either. Seems rather odd to me. Thoughts appreciated. ;) --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

3 5

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software August 2007