openldap-software September 2007

openldap-software@openldap.org

74 participants
88 discussions

Importing of data
by Naufal Sheikh 30 Sep '07

30 Sep '07

Hi, I am totally new to openldap. I have an openldap 2.2.20 running on solaris 8. I needed to install and migrate it to linux. I have suuceesfully comiled and installed openldap 2.2.20 on redhat linux. Now I am unable to understand what do I have to do inorder to migrate all the data. I have already copied the schema files and edited the slapd.conf file according to what it was on the solaris machine. I have a vague idea that I will have to migrate the db files some how, may be using ldiff...On my solaris machine I do have the data folder which contains all the db files, should I just copy those in the openldap-data folder on linux machine? If any one can please point me into right direction... thanks and regards

6 6

syncrepl only updates after consumer restart
by Robert Fitzpatrick 30 Sep '07

30 Sep '07

I have 2.3.38 running on a provider and two consumers. Not every time, but most of the time, when I make an update to the provider, the consumers do not receive until I manually go there and restart the consumer, then all updates. I have loglevel set to 512 on both machines, is this enough to catch the problem. I have grep'd the debug.log on these FreeBSD machines and can't find any warn or error messages. What is the best way for me to find the problem? Also, I'd like to know if by merely replacing the syncrepl parameters from slapd.conf with the overlay parameters, will this will make a consumer a master server in the event of the provider going down indefinitely? And then be able to redirect other consumers to this new provider? Provider: overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 Consumer 1: syncrepl rid=123 provider=ldap://ldap.example.com:389 type=refreshOnly interval=00:00:05:00 searchbase="dc=example,dc=com" filter="(objectClass=*)" scope=sub schemachecking=off bindmethod=simple binddn="uid=slurpd,ou=Services,dc=example,dc=com" credentials=<password> Consumer 2: syncrepl rid=125 provider=ldap://ldap.example.com:389 type=refreshOnly interval=00:00:05:00 searchbase="dc=example,dc=com" filter="(objectClass=*)" scope=sub schemachecking=off bindmethod=simple binddn="uid=slurpd,ou=Services,dc=example,dc=com" credentials=<password> -- Robert

5 4

Two instances of openldap access one kerberos database
by Ezra Taylor 29 Sep '07

29 Sep '07

Hello all: Can I have two instances of Openldap on one machine accessing one Kerberos database? The first instance of Openldap is version 2.2.13 and the second instance would be 2.3.38. -- Ezra Taylor

2 1

syncrepl refreshing data from new master
by Arunachalam Parthasarathy 29 Sep '07

29 Sep '07

Hello all, I am using openldap 2.3.36 In normal refresh and persist mode of sync replication, when I dynamically change the uri of the master server in slave, how to instruct the slave server to refresh the whole data from the new master server Thanks in advance, Arunachalam. **************************************************************************** **************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

2 2

Is one-way replication possible?
by Mariano Aliaga 29 Sep '07

29 Sep '07

Hi, I have the following situation: ServerA: It is not managed by me and I can just take user and group information from it. dc=foo,dc=com |_ ou=Groups |_ ou=Users ServerB: Managed by me, it's a Samba PDC backend and account database for several services. dc=bar,dc=com |_ ou=Computers |_ ou=Groups |_ ou=Users . . . On ServerB I have the same users (uid's) as ServerA AND users from my location. What I need is to sync just the userPassword attribute from users on ServerA to the same users on ServerB. Now, I thought about using syncrepl, but I have several problems: a. The BaseDN's are different. I would manage to change it on ServerB if have no choice, but would rather "suffixmassage" it in some way if possible. b. If I configure ServerB as a slave, then I can't modify it any more, cause it referres modifications to the master. I just want the userPassword synced from ServerA, but I need to be able to manage the other users and objects on the tree. So, the replication should be kind of "one-way only", but don't know if such thing is possible. I would be very grateful if someone could help me with pointers or suggestions about how to accomplish this, or what alternatives do I have for a schema like this. Thanks in advance.-

2 1

Center for Internet Security benchmark for OpenLDAP
by Buchan Milne 28 Sep '07

28 Sep '07

I just wanted to note that the Center for Internet Security recently published a security benchmark for OpenLDAP (based on 2.3): http://www.cisecurity.org/bench_openldap.html A lot of the content seems to cover standard practise (e.g. what you get by default on most Linux distributions in terms of who slapd is run as, permissions on important files etc.), but there seem to be some sections worth reading. Unfortunately, they show configuration for slurpd in their section on "Redundant LDAP Servers". I wonder if it is worthwhile providing CIS with feedback? Regards, Buchan

6 9

URL extensions, rfc 2255 vs 4516, 4521
by Dieter Kluenter 27 Sep '07

27 Sep '07

Hi, RFC 2255 describes URL extensions like bindname and x-foo. RFC 4516 only shows a hypothetical example with e- extension. Part A1 of RFC 4516 says that bindname had been removed due to lack of known implementations. sdb-ldap from Stig Venaas is such an implementation. Now my question: is OpenLDAP-2.4 still honoring bindname and x-bindpw extensions? -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

2 1

troubles with automatic chaining
by alamar 27 Sep '07

27 Sep '07

Hello, I'm trying to use slapo-chain to do automatic chaining on the slave.. I see the howto about this, I think my configuration is correct, but is doesn't work all times!! I have a strange problem..It work correctly for some times, but if modify my configuration for otherthing, example to add ppolicy and restart the servers, it stop working Even if I delete the last modification, I can't get it working again.. For some reasons that I ignore, the slave some time send the correct bind, for other time, it bind to the master anonymously!! In this last case, I have error: To password change : LDAP password information update failed: Proxy Authorization Failure To do ldapmodify: ldap_modify: Strong(er) authentication required (8) If I comment security parameter in the master, I doesn't change anything.. My setup: - version 2.3.38 - 1 master - 2 slaves as replicas using syncrepl and authenticate to the master by sasl external In the master, I have added this entries: -------------------------------------------------------------- dn: cn=referral1,ou=system,dc=example,dc=com objectClass: organizationalRole cn: referral1 ou: system authzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$ dn: cn=referral2,ou=system,dc=example,dc=com objectClass: organizationalRole cn: referral2 ou: system authzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$ -------------------------------------------------------------- -------------------- Master config: ------------------ moduleload back_ldap.la moduleload ppolicy.la moduleload syncprov.la moduleload unique.la moduleload accesslog.la moduleload auditlog.la moduleload lastmod.la ## TLSCertificateFile /etc/ssl/openldap2.3/master.crt TLSCertificateKeyFile /etc/ssl/openldap2.3/private/master.key TLSCACertificateFile /etc/ssl/openldap2.3/CA.crt TLSVerifyClient allow ## sasl-secprops none # logging loglevel 256 security ssf=1 update_ssf=112 simple_bind=64 ## authz-policy to authz-regexp cn=slave1 cn=referral1,ou=system,dc=example,dc=com authz-regexp cn=slave2 cn=referral2,ou=system,dc=example,dc=com #### database bdb suffix "dc=example,dc=com" rootdn "cn=admin,ou=system,dc=example,dc=com" rootpw toto directory /usr/local/ldap mode 0600 # overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 ## lastmod on cachesize 2000 checkpoint 256 5 # index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq index uid eq,subinitial index entryCSN,entryUUID eq ## limits dn.onelevel="ou=system,dc=example,dc=com" size=unlimited time=unlimited limits dn.regex="cn=slave1.example.com" size=unlimited time=unlimited limits dn.regex="cn=slave1.example.com" size=unlimited time=unlimited ------------------------------ Slave1 Config ----------------------------- moduleload back_ldap.la moduleload accesslog.la moduleload auditlog.la moduleload unique.la moduleload lastmod.la # TLSCertificateFile /etc/ssl/openldap2.3/slave1.crt TLSCertificateKeyFile /etc/ssl/openldap2.3/private/slave1.key TLSCACertificateFile /etc/ssl/openldap2.3/CA.crt TLSVerifyClient allow sasl-secprops none loglevel 256 security ssf=0 update_ssf=156 simple_bind=64 ##chasing referrals overlay chain chain-uri ldap://master.example.com chain-idassert-bind bindmethod=sasl saslmech="EXTERNAL" binddn="cn=bugworkaround" mode="self" starttls="critical" min_ssf="163" chain-tls start chain-return-error TRUE #chain-idassert-authzFrom "*" # database bdb suffix "dc=example,dc=com" ## rootdn "cn=admin,ou=system,dc=example,dc=com" rootpw secret directory /env/database/ldap lastmod off checkpoint 256 5 index objectClass eq index cn,mail,surname,givenname eq,subinitial index uidNumber,gidNumber,memberuid,member,uniqueMember eq index uid eq,subinitial index entryCSN,entryUUID eq # limits dn.onelevel="ou=system,dc=example,dc=com" size=unlimited time=unlimited # syncrepl rid=23 provider=ldap://master.example.com type=refreshAndPersist retry=3,1,10,2,60,+ searchbase="dc=example,dc=com" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=sasl saslmech=EXTERNAL starttls=critical ## updateref "ldap://master.example.com" Any help will be appreciated...

1 0

toubles using ppolicy to lock account
by Guillaume Rousse 27 Sep '07

27 Sep '07

Hello. I'm looking for a solution allowing to lock user accounts stored in LDAP, whatever kind of client using LDAP for autenticating (the same as shadowAccount class allows, but only for PAM. Buchan suggested me to try to use ppolicy overlay. I'm not really interested in what seems to be the main goal of password policy: as I'm importing passwords automatically from another LDAP system, that's not the right place to impose constraints on them. So my main interest is in operational attribute pwdAccountLockedTime, described in slapo-ppolicy: if set to 0, the user should not be able to bind. So, I set up a very minimal default password policy object, as it seems to be quite mandatory: dn: cn=default,ou=policies,dc=futurs,dc=inria,dc=fr cn: default objectClass: pwdPolicy objectClass: organizationalRole pwdAttribute: userPassword pwdMaxAge: 0 pwdInHistory: 0 pwdCheckQuality: 0 Then I tried to add a pwdAccountLockedTime attribute to a user: dn: uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr changetype: modify add: pwdAccountLockedTime pwdAccountLockedTime: 0 Error: pwdAccountLockedTime: value #0 invalid per syntax Then I read the schema, additionaly to the man page, and I found additional (and potentially contradictory information), such as using something described a subtype to declaring which password attribute is really affected, and I tried: dn: uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr changetype: modify add: pwdAccountLockedTime;pwd-userPassword pwdAccountLockedTime;pwd-userPassword: 0 Error: additional info: pwdAccountLockedTime;pwd-userPassword: operational attribute with options undefined Additionaly, I found the definition of those operational attributes were commented in the schema file... So, here is a list of questions I can't find a valid answer for: 1) do you need a policy entry if you're only interested in user entries operational attributes ? According to the man page, yes: If there is no specific policy for an entry and no default is given, then no policies will be enforced 2) do you need to add a new class to users account to be able to use those additional operational attributes, or just loading the overlay is enough ? According to examples found in thread http://www.openldap.org/lists/openldap-software/200706/msg00285.html, no 3) does the definition of those attributes need to exist in the schema (thus uncommented) or are they defined in the overlay ? 4) which is right between the man page or the schema comment for the attribute name (pwdAccountLockedTime vs pwdAccountLockedTime;pwd-userPassword) and the value to lock an account (0 vs 000001010000Z) As the comments seems to comes from the RFC directly, I'd rather trust the man page, but i've been unsucessful with both... If it matters, i'm using openldap-servers-2.3.27 on mandriva linux 2007.0. -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62

2 2

Links about integration
by Gabriel Stein 26 Sep '07

26 Sep '07

There´s no problem with my ego, is just a annouce: I´m promised to me to post constantly posts to Integration section of FAQ. Every week I wiil check the links consistency and make all necessary updates to the links. Cheers. -- /\ Gabriel Stein gabrielstein(a)gmail.com MSN: gabrielstein(a)hotmail.com Administrador de Redes - Network Administrador Linux User #223750 51-92796310 Porto Alegre - RS - Brasil

3 2

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software September 2007