Importing of data
by Naufal Sheikh
Hi,
I am totally new to OpenLDAP. I have OpenLDAP 2.2.20 running on
Solaris 8. I needed to install and migrate it to Linux. I have
successfully compiled and installed OpenLDAP 2.2.20 on Red Hat Linux.
Now I am unable to understand what I have to do in order to migrate
all the data. I have already copied the schema files and edited the
slapd.conf file according to what it was on the Solaris machine. I
have a vague idea that I will have to migrate the db files somehow,
maybe using LDIF... On my Solaris machine I do have the data folder
which contains all the db files; should I just copy those into the
openldap-data folder on the Linux machine? If anyone can please point me
in the right direction...
thanks and regards
15 years, 12 months
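An added example, not from the original post or from the OpenLDAP project: the migration path that survives a change of platform is slapcat on the Solaris box and slapadd on the Linux box, not copying the BDB files, because the raw Berkeley DB files depend on the BDB library version and on the byte order of the host that wrote them. The script assumes a suffix of dc=example,dc=com, the Red Hat paths /etc/openldap/slapd.conf and /var/lib/ldap, and an `ldap` service account; the LDIF in its self-check is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: move an OpenLDAP database
# between hosts with slapcat/slapadd instead of copying the BDB files.
# Suffix, paths and the service account below are assumptions.
set -u

SUFFIX="dc=example,dc=com"            # assumed database suffix
SLAPD_CONF=/etc/openldap/slapd.conf   # assumed config path on both hosts
DB_DIR=/var/lib/ldap                  # assumed "directory" on the new host
EXPORT=/var/tmp/slapd-export.ldif
LDAP_USER=ldap                        # assumed account slapd runs as

# Entries in an LDIF file: one "dn:" line per entry.
ldif_entry_count() {
    grep -c '^dn:' "$1"
}

# Does the export contain the suffix entry itself (root of the tree)?
ldif_has_suffix() {   # $1 file, $2 suffix DN
    grep -iq "^dn: *$2\$" "$1"
}

# Old host, slapd stopped: dump the database. The LDIF carries password
# hashes and operational attributes, so create it mode 0600 and move it
# with scp/rsync over ssh, not over a clear-text channel.
export_directory() {
    umask 077
    slapcat -f "$SLAPD_CONF" -b "$SUFFIX" -l "$EXPORT"
}

# New host, slapd stopped, empty DB directory: load the dump, then make
# sure the new BDB files belong to the account slapd runs as.
import_directory() {
    slapadd -f "$SLAPD_CONF" -b "$SUFFIX" -l "$EXPORT"
    chown -R "$LDAP_USER:$LDAP_USER" "$DB_DIR"
    chmod 0700 "$DB_DIR"
}

# After the load: re-export on the new host and compare entry counts.
verify_import() {
    want=$(ldif_entry_count "$EXPORT")
    have=$(slapcat -f "$SLAPD_CONF" -b "$SUFFIX" | grep -c '^dn:')
    if [ "$want" = "$have" ]; then echo "ok: $have entries"; return 0; fi
    echo "MISMATCH: exported $want entries, loaded $have" >&2
    return 1
}

# Constructed sample export, used only by the offline self-check.
sample_ldif() {
    cat <<'EOF'
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe
userPassword:: e1NTSEF9ZXhhbXBsZS1oYXNoLW5vdC1yZWFs
EOF
}

case "${1:-selfcheck}" in
    export) export_directory ;;      # run on the Solaris host
    import) import_directory ;;      # run on the Linux host
    verify) verify_import ;;         # run on the Linux host
    *)  tmp=$(mktemp) && sample_ldif > "$tmp"
        echo "sample export: $(ldif_entry_count "$tmp") entries"
        ldif_has_suffix "$tmp" "$SUFFIX" && echo "suffix entry present"
        rm -f "$tmp" ;;
esac
```

Run it as `sh migrate.sh export` on the old host with slapd stopped, copy the LDIF and the slapd.conf/schema files you already ported, then `import` and `verify` on the new host, again with slapd stopped. Delete the LDIF afterwards: it holds every password hash in the directory and the rootpw from slapd.conf is usually sitting next to it.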
syncrepl only updates after consumer restart
by Robert Fitzpatrick
I have 2.3.38 running on a provider and two consumers. Not every time,
but most of the time, when I make an update to the provider, the
consumers do not receive it until I manually go there and restart the
consumer; then all updates arrive. I have loglevel set to 512 on both machines;
is this enough to catch the problem? I have grep'd the debug.log on
these FreeBSD machines and can't find any warning or error messages.
What is the best way for me to find the problem? Also, I'd like to know
whether merely replacing the syncrepl parameters in slapd.conf with the
overlay parameters will make a consumer a master server in
the event of the provider going down indefinitely, and whether I could then
redirect other consumers to this new provider.
Provider:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Consumer 1:
syncrepl rid=123
provider=ldap://ldap.example.com:389
type=refreshOnly
interval=00:00:05:00
searchbase="dc=example,dc=com"
filter="(objectClass=*)"
scope=sub
schemachecking=off
bindmethod=simple
binddn="uid=slurpd,ou=Services,dc=example,dc=com"
credentials=<password>
Consumer 2:
syncrepl rid=125
provider=ldap://ldap.example.com:389
type=refreshOnly
interval=00:00:05:00
searchbase="dc=example,dc=com"
filter="(objectClass=*)"
scope=sub
schemachecking=off
bindmethod=simple
binddn="uid=slurpd,ou=Services,dc=example,dc=com"
credentials=<password>
--
Robert
15 years, 12 months
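An added example, not from the original post: before touching the topology, check whether the consumers are actually behind. The attribute to compare is contextCSN on the suffix entry, which the provider advances on every write and a refreshOnly consumer advances only when one of its polls (every five minutes with the interval=00:00:05:00 above) succeeds. The consumer URIs and the password file are assumptions; the bind DN and base are the ones from the config above, and the ldapsearch output used by the self-check is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: compare contextCSN on the
# provider and on each consumer to see whether a consumer is really
# behind. Consumer URIs and the password file are assumptions; the bind
# DN and search base are the ones from the consumer config above.
set -u

BASE="dc=example,dc=com"
PROVIDER="ldap://ldap.example.com:389"
CONSUMERS="ldap://consumer1.example.com ldap://consumer2.example.com"   # assumed
BINDDN="uid=slurpd,ou=Services,dc=example,dc=com"
PWFILE=/usr/local/etc/openldap/syncrepl.pw   # assumed, mode 0600

# Pull the contextCSN value out of "ldapsearch -LLL" output on stdin.
# A 2.3 CSN looks like 20071011123456Z#000001#00#000000 and is laid out
# so that byte-wise string order is time order.
extract_csn() {
    sed -n 's/^contextCSN: //p' | head -n 1
}

# True when CSN $1 is strictly newer than CSN $2.
csn_newer() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | tail -n 1)" = "$1" ]
}

# Classify a consumer against the provider.
#   behind : the consumer has not applied the provider's latest change
#   ahead  : the consumer took a write the provider never saw, which on
#            a consumer means something (a rootdn client, typically)
#            modified it directly instead of following updateref
compare_csn() {   # $1 provider CSN, $2 consumer CSN
    if [ "$1" = "$2" ]; then echo "in sync"
    elif csn_newer "$1" "$2"; then echo "behind"
    else echo "ahead"
    fi
}

# Live query: base-scope search on the suffix entry. -ZZ insists on
# StartTLS so the simple-bind password does not cross the wire in clear.
fetch_csn() {   # $1 server URI
    ldapsearch -LLL -ZZ -x -H "$1" -D "$BINDDN" -y "$PWFILE" \
        -b "$BASE" -s base '(objectClass=*)' contextCSN | extract_csn
}

if [ -r "$PWFILE" ]; then
    pcsn=$(fetch_csn "$PROVIDER")
    for c in $CONSUMERS; do
        echo "$c: $(compare_csn "$pcsn" "$(fetch_csn "$c")")"
    done
else
    # Offline self-check on constructed ldapsearch output.
    pcsn=$(printf 'dn: dc=example,dc=com\ncontextCSN: 20071011123456Z#000001#00#000000\n' | extract_csn)
    echo "provider $pcsn"
    echo "consumer at 20071011123000Z: $(compare_csn "$pcsn" '20071011123000Z#000001#00#000000')"
fi
```

Run it from cron a minute after each expected poll; a consumer that stays "behind" across several polls is the one to debug. On the logging question: loglevel 512 is stats2 (entries sent to clients), not the replication machinery; the syncrepl code logs at the sync level (16384), so add that to loglevel on both provider and consumers while chasing this.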
Two instances of openldap access one kerberos database
by Ezra Taylor
Hello all:
Can I have two instances of Openldap on one machine accessing
one Kerberos database? The first instance of Openldap is version 2.2.13 and
the second instance would be 2.3.38.
--
Ezra Taylor
15 years, 12 months
syncrepl refreshing data from new master
by Arunachalam Parthasarathy
Hello all,
I am using OpenLDAP 2.3.36. In normal refreshAndPersist mode of sync
replication, when I dynamically change the URI of the master server on the
slave, how do I instruct the slave server to refresh the whole data set from the
new master server?
Thanks in advance,
Arunachalam.
15 years, 12 months
Is one-way replication possible?
by Mariano Aliaga
Hi,
I have the following situation:
ServerA:
It is not managed by me and I can just take user and group
information from it.
dc=foo,dc=com
|_ ou=Groups
|_ ou=Users
ServerB:
Managed by me, it's a Samba PDC backend and account database for
several services.
dc=bar,dc=com
|_ ou=Computers
|_ ou=Groups
|_ ou=Users
.
.
.
On ServerB I have the same users (uids) as on ServerA AND users from my
location. What I need is to sync just the userPassword attribute from
users on ServerA to the same users on ServerB.
Now, I thought about using syncrepl, but I have several problems:
a. The BaseDNs are different. I would manage to change it on
ServerB if I have no choice, but would rather "suffixmassage" it in some
way if possible.
b. If I configure ServerB as a slave, then I can't modify it any
more, because it refers modifications to the master. I just want the
userPassword synced from ServerA, but I need to be able to manage the
other users and objects in the tree. So, the replication should be
kind of "one-way only", but I don't know if such a thing is possible.
I would be very grateful if someone could help me with pointers or
suggestions about how to accomplish this, or what alternatives I
have for a scheme like this.
Thanks in advance.-
16 years
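An added example, not from the original post and not a syncrepl mode: a pull-based, one-way copy of userPassword only, with the suffix rewritten on the way. It reads the users from ServerA with ldapsearch, turns the result into modify operations against the same RDNs under dc=bar,dc=com, and feeds them to ldapmodify on ServerB. Because ServerB is never made a syncrepl consumer, everything else on it stays writable. Hostnames, bind DNs and password files are assumptions; the ServerA export in the self-check is constructed.

```shell
#!/bin/sh
# Added example, not from the original post and not a syncrepl mode: a
# one-way pull of userPassword only from ServerA (dc=foo,dc=com) into the
# matching entries on ServerB (dc=bar,dc=com), with the suffix rewritten.
# URIs, bind DNs and password files are assumptions.
set -u

SRC_URI="ldap://servera.foo.com";  SRC_SUFFIX="dc=foo,dc=com"
DST_URI="ldap://serverb.bar.com";  DST_SUFFIX="dc=bar,dc=com"
SRC_BINDDN="cn=pwreader,$SRC_SUFFIX"   # must be allowed to read userPassword on A
DST_BINDDN="cn=pwsync,$DST_SUFFIX"     # write access to userPassword only on B
SRC_PWFILE=/etc/ldap-sync/a.pw         # mode 0600
DST_PWFILE=/etc/ldap-sync/b.pw         # mode 0600

# Turn "ldapsearch -LLL" output for ServerA users (stdin) into LDIF modify
# operations against the same RDNs under ServerB's suffix (stdout).
# Folded lines are unfolded first, entries without userPassword are
# skipped, and base64 DNs ("dn::") are skipped rather than mis-rewritten.
password_sync_ldif() {   # $1 source suffix, $2 destination suffix
    awk -v src="$1" -v dst="$2" '
    function flush() {
        if (dn != "" && pw != "" && substr(dn, length(dn) - length(src) + 1) == src) {
            print "dn: " substr(dn, 1, length(dn) - length(src)) dst
            print "changetype: modify"
            print "replace: userPassword"
            print pw
            print "-"
            print ""
        }
        dn = ""; pw = ""
    }
    function handle(line) {
        if (line ~ /^dn:: /)            { dn = ""; return }
        if (line ~ /^dn: /)             { dn = substr(line, 5); return }
        if (line ~ /^userPassword::? /) { pw = line }
    }
    /^ /  { buf = buf substr($0, 2); next }        # continuation line
    /^$/  { if (buf != "") handle(buf); buf = ""; flush(); next }
    { if (buf != "") handle(buf); buf = $0 }
    END   { if (buf != "") handle(buf); flush() }'
}

# Live run: read A, rewrite, write B. -ZZ forces StartTLS on both legs
# because password hashes cross the wire; -c keeps going when a user
# exists on A but not on B (ldapmodify reports that entry and continues).
sync_passwords() {
    ldapsearch -LLL -ZZ -x -H "$SRC_URI" -D "$SRC_BINDDN" -y "$SRC_PWFILE" \
        -b "ou=Users,$SRC_SUFFIX" -s one '(uid=*)' userPassword \
      | password_sync_ldif "$SRC_SUFFIX" "$DST_SUFFIX" \
      | ldapmodify -c -ZZ -x -H "$DST_URI" -D "$DST_BINDDN" -y "$DST_PWFILE"
}

# Constructed ServerA export for the offline self-check: a user with a
# folded base64 userPassword, and one without a password.
sample_export() {
    cat <<'EOF'
dn: uid=jdoe,ou=Users,dc=foo,dc=com
uid: jdoe
userPassword:: e1NTSEF9ZXhhbXBsZS1oYXNoLW5vdC1yZWFs

dn: uid=nopw,ou=Users,dc=foo,dc=com
uid: nopw

dn: uid=asmith,ou=Users,dc=foo,dc=com
uid: asmith
userPassword:: e1NTSEF9c2Vjb25kLWNvbnN0cnVj
 dGVkLWhhc2g=
EOF
}

if [ "${LDAP_SYNC_LIVE:-0}" = 1 ]; then
    sync_passwords
else
    sample_export | password_sync_ldif "$SRC_SUFFIX" "$DST_SUFFIX"
fi
```

Two things to settle with the ServerA administrator before running it live: the ACL on ServerA must let your bind DN read userPassword (most configurations hide it from everyone but the owner), and the copy only moves current values, so a user deleted or renamed on ServerA is not touched on ServerB. On ServerB, give the sync DN write access to userPassword only, so a compromise of that credential cannot alter group membership or the Samba attributes.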
Center for Internet Security benchmark for OpenLDAP
by Buchan Milne
I just wanted to note that the Center for Internet Security recently published
a security benchmark for OpenLDAP (based on 2.3):
http://www.cisecurity.org/bench_openldap.html
A lot of the content seems to cover standard practice (e.g. what you get by
default on most Linux distributions in terms of who slapd is run as,
permissions on important files etc.), but there seem to be some sections
worth reading.
Unfortunately, they show configuration for slurpd in their section
on "Redundant LDAP Servers".
I wonder if it is worthwhile providing CIS with feedback?
Regards,
Buchan
16 years
URL extensions, rfc 2255 vs 4516, 4521
by Dieter Kluenter
Hi,
RFC 2255 describes URL extensions like bindname and x-foo. RFC 4516
only shows a hypothetical example with e- extension. Part A1 of RFC
4516 says that bindname had been removed due to lack of known
implementations. sdb-ldap from Stig Venaas is such an
implementation. Now my question: is OpenLDAP-2.4 still honoring bindname
and x-bindpw extensions?
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
16 years
troubles with automatic chaining
by alamar
Hello,
I'm trying to use slapo-chain to do automatic chaining on the slave.
I have seen the howto about this, and I think my configuration is correct, but it
doesn't work all the time!
I have a strange problem. It works correctly for some time, but if I
modify my configuration for something else, for example to add ppolicy, and
restart the servers, it stops working.
Even if I delete the last modification, I can't get it working again.
For reasons I don't know, the slave sometimes sends the correct
bind, and at other times it binds to the master anonymously!
In this last case, I get these errors:
On password change: LDAP password information update failed: Proxy
Authorization Failure
On ldapmodify: ldap_modify: Strong(er) authentication required (8)
If I comment out the security parameter on the master, it doesn't change anything.
My setup:
- version 2.3.38
- 1 master
- 2 slaves as replicas using syncrepl, authenticating to the master by
SASL EXTERNAL
On the master, I have added these entries:
--------------------------------------------------------------
dn: cn=referral1,ou=system,dc=example,dc=com
objectClass: organizationalRole
cn: referral1
ou: system
authzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$

dn: cn=referral2,ou=system,dc=example,dc=com
objectClass: organizationalRole
cn: referral2
ou: system
authzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$
--------------------------------------------------------------
--------------------
Master config:
------------------
moduleload back_ldap.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload unique.la
moduleload accesslog.la
moduleload auditlog.la
moduleload lastmod.la
##
TLSCertificateFile /etc/ssl/openldap2.3/master.crt
TLSCertificateKeyFile /etc/ssl/openldap2.3/private/master.key
TLSCACertificateFile /etc/ssl/openldap2.3/CA.crt
TLSVerifyClient allow
##
sasl-secprops none
# logging
loglevel 256
security ssf=1 update_ssf=112 simple_bind=64
##
authz-policy to
authz-regexp cn=slave1 cn=referral1,ou=system,dc=example,dc=com
authz-regexp cn=slave2 cn=referral2,ou=system,dc=example,dc=com
####
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,ou=system,dc=example,dc=com"
rootpw toto
directory /usr/local/ldap
mode 0600
#
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
##
lastmod on
cachesize 2000
checkpoint 256 5
#
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index entryCSN,entryUUID eq
##
limits dn.onelevel="ou=system,dc=example,dc=com" size=unlimited time=unlimited
limits dn.regex="cn=slave1.example.com" size=unlimited time=unlimited
limits dn.regex="cn=slave1.example.com" size=unlimited time=unlimited
------------------------------
Slave1 Config
-----------------------------
moduleload back_ldap.la
moduleload accesslog.la
moduleload auditlog.la
moduleload unique.la
moduleload lastmod.la
#
TLSCertificateFile /etc/ssl/openldap2.3/slave1.crt
TLSCertificateKeyFile /etc/ssl/openldap2.3/private/slave1.key
TLSCACertificateFile /etc/ssl/openldap2.3/CA.crt
TLSVerifyClient allow
sasl-secprops none
loglevel 256
security ssf=0 update_ssf=156 simple_bind=64
##chasing referrals
overlay chain
chain-uri ldap://master.example.com
chain-idassert-bind bindmethod=sasl
saslmech="EXTERNAL"
binddn="cn=bugworkaround"
mode="self"
starttls="critical"
min_ssf="163"
chain-tls start
chain-return-error TRUE
#chain-idassert-authzFrom "*"
#
database bdb
suffix "dc=example,dc=com"
##
rootdn "cn=admin,ou=system,dc=example,dc=com"
rootpw secret
directory /env/database/ldap
lastmod off
checkpoint 256 5
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index entryCSN,entryUUID eq
#
limits dn.onelevel="ou=system,dc=example,dc=com" size=unlimited time=unlimited
#
syncrepl rid=23
provider=ldap://master.example.com
type=refreshAndPersist
retry=3,1,10,2,60,+
searchbase="dc=example,dc=com"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=sasl
saslmech=EXTERNAL
starttls=critical
##
updateref "ldap://master.example.com"
Any help will be appreciated...
16 years
troubles using ppolicy to lock account
by Guillaume Rousse
Hello.
I'm looking for a solution allowing me to lock user accounts stored in
LDAP, whatever kind of client uses LDAP for authenticating (the same as
the shadowAccount class allows, but that is only for PAM). Buchan suggested that I try
the ppolicy overlay.
I'm not really interested in what seems to be the main goal of password
policy: as I'm importing passwords automatically from another LDAP
system, that's not the right place to impose constraints on them. So my
main interest is in the operational attribute pwdAccountLockedTime,
described in slapo-ppolicy: if set to 0, the user should not be able to
bind.
So, I set up a very minimal default password policy object, as it seems
to be quite mandatory:
dn: cn=default,ou=policies,dc=futurs,dc=inria,dc=fr
cn: default
objectClass: pwdPolicy
objectClass: organizationalRole
pwdAttribute: userPassword
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0
Then I tried to add a pwdAccountLockedTime attribute to a user:
dn: uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr
changetype: modify
add: pwdAccountLockedTime
pwdAccountLockedTime: 0
Error: pwdAccountLockedTime: value #0 invalid per syntax
Then I read the schema in addition to the man page, and I found
additional (and potentially contradictory) information, such as using
something described as a subtype to declare which password attribute is
really affected, and I tried:
dn: uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr
changetype: modify
add: pwdAccountLockedTime;pwd-userPassword
pwdAccountLockedTime;pwd-userPassword: 0
Error: additional info: pwdAccountLockedTime;pwd-userPassword:
operational attribute with options undefined
Additionally, I found that the definitions of those operational attributes were
commented out in the schema file...
So, here is a list of questions I can't find a valid answer for:
1) do you need a policy entry if you're only interested in the user entries'
operational attributes?
According to the man page, yes: If there is no specific policy for
an entry and no default is given, then no policies will be enforced
2) do you need to add a new class to user accounts to be able to use
those additional operational attributes, or is just loading the overlay
enough?
According to examples found in thread
http://www.openldap.org/lists/openldap-software/200706/msg00285.html, no
3) do the definitions of those attributes need to exist in the schema
(thus uncommented) or are they defined in the overlay?
4) which is right, the man page or the schema comment, for the
attribute name (pwdAccountLockedTime vs
pwdAccountLockedTime;pwd-userPassword) and the value to lock an account
(0 vs 000001010000Z)?
As the comments seem to come from the RFC directly, I'd rather trust
the man page, but I've been unsuccessful with both...
If it matters, I'm using openldap-servers-2.3.27 on Mandriva Linux 2007.0.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
16 years
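An added example, not from the original post: the attribute is the bare pwdAccountLockedTime (the ";pwd-userPassword" option form is what the server rejected as undefined), its syntax is generalizedTime, which is why a plain "0" is refused as invalid per syntax, and the value slapo-ppolicy treats as a permanent administrative lock is 000001010000Z. The lock is only enforced when the overlay is loaded and the entry falls under a policy, which for a tree-wide default means `ppolicy_default` pointing at the policy entry from the post; no extra objectClass on the user entry is required since the attribute is operational. Server URI, admin DN and password file are assumptions; the user DN and the policy DN are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: lock and unlock an account
# through slapo-ppolicy by setting pwdAccountLockedTime to the permanent
# lock value 000001010000Z. Server URI, admin DN and password file are
# assumptions; the user DN and policy DN come from the post.
set -u

URI="ldap://localhost"                              # assumed
ADMIN="cn=admin,dc=futurs,dc=inria,dc=fr"           # assumed
PWFILE=/root/.ldap-admin-pw                         # assumed, mode 0600
USER_DN="uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr"
LOCKED_FOREVER="000001010000Z"

# slapd.conf needs the overlay and a default policy for the lock to be
# enforced on bind (no applicable policy means no enforcement):
#   overlay ppolicy
#   ppolicy_default "cn=default,ou=policies,dc=futurs,dc=inria,dc=fr"

# generalizedTime as LDAP stores it: YYYYMMDDHH[MM[SS]][.frac]Z.
# 000001010000Z passes; "0" does not, which is the syntax error seen.
is_generalized_time() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{10}([0-9]{2}([0-9]{2})?)?(\.[0-9]+)?Z$'
}

# LDIF that locks the account permanently. Bare attribute name: the
# ";pwd-userPassword" option form is undefined on the server.
lock_ldif() {   # $1 user DN
    printf 'dn: %s\nchangetype: modify\nreplace: pwdAccountLockedTime\npwdAccountLockedTime: %s\n' "$1" "$LOCKED_FOREVER"
}

# LDIF that unlocks it again by removing the attribute.
unlock_ldif() {   # $1 user DN
    printf 'dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n' "$1"
}

# Apply one of the two. On 2.3 the rootdn, or a DN with write access to
# the attribute, can modify it directly; newer releases mark it
# NO-USER-MODIFICATION and need the Relax Rules control (ldapmodify -e relax).
apply() {   # $1 lock|unlock, $2 user DN
    "${1}_ldif" "$2" | ldapmodify -ZZ -x -H "$URI" -D "$ADMIN" -y "$PWFILE"
}

# Check the effect the way a client would see it: a simple bind as the
# locked user must fail, whatever password it presents.
check_locked() {   # $1 user DN, $2 file holding the user's password
    if ldapwhoami -ZZ -x -H "$URI" -D "$1" -y "$2" >/dev/null 2>&1; then
        echo "still able to bind"; return 1
    fi
    echo "bind refused"
}

case "${1:-show}" in
    lock)   apply lock "$USER_DN" ;;
    unlock) apply unlock "$USER_DN" ;;
    *)      lock_ldif "$USER_DN"
            is_generalized_time "$LOCKED_FOREVER" && echo "# value is a valid generalizedTime" ;;
esac
```

`sh lock.sh lock` writes the lock, `sh lock.sh unlock` removes it, and with no argument it just prints the LDIF so it can be checked before anything touches the directory. Restrict write access to pwdAccountLockedTime in the ACLs to the helpdesk identity that is supposed to lock accounts; whoever can write it can also unlock.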
Links about integration
by Gabriel Stein
There's no problem with my ego, it's just an announcement:
I have promised myself to post constantly to the Integration section of the FAQ.
Every week I will check the links' consistency and make all necessary updates
to the links.
Cheers.
--
/\
Gabriel Stein
gabrielstein(a)gmail.com
MSN: gabrielstein(a)hotmail.com
Administrador de Redes -
Network Administrator
Linux User #223750
51-92796310
Porto Alegre - RS - Brasil
16 years