Use translucent with back-meta in one single slapd instance
by Daniel Montero Motilla
Hi, I'm very interested in using the translucent overlay features on
my preexisting metadirectory implemented via back-meta (openldap
2.3.27). With my setup, the solution would be using translucent with
back-meta or indirectly using back-relay, but the translucent overlay
only supports back-ldap (any plans to change this in the future?).
As a workaround, I am using another slapd instance listening on a
different port, configured with translucent pointing to the other
slapd instance serving the metadirectory. This setup works as
expected, but it would be great if I could implement the same
behaviour using only one slapd instance. Do you have any idea about
how to implement that? Maybe using some magic with slapo-rwm?
Thank you very much,
Dani.
sets and groupOfNames groups
by Andreas Hasenack
openldap-2.3.38
I have this ACL:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
attrs=children,entry,@sudoRole
by group.exact="cn=Sudo Admins,ou=System Groups,dc=example,dc=com"
write
by * read
The group is:
dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
cn: Sudo Admins
objectClass: groupOfNames
description: Members can administer ou=sudoers entries and attributes
owner: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
It works as expected if I place some user in the sudo admins group and
add an entry under ou=sudoers. If the user is not a member of this
group, the add operation fails.
Now I want to be able to use nested groups, so I follow the FAQ and do a
test with sets:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
attrs=children,entry,@sudoRole
by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*"
write
by * read
Without changing anything in the sudo admins group entry, suddenly I can
create new entries under ou=sudoers as any authenticated user. That is,
the group still only has the "uid=sudo admin" member, but I can add a
new sudo entry as another user:
$ ldapadd -x -D uid=jsmith,ou=people,dc=example,dc=com -w jsmith < foo.ldif
adding new entry "cn=iurt,ou=sudoers,dc=example,dc=com"
The ACL logs show:
=> dnpat: [18] ^([^,]+,)?ou=sudoers,dc=example,dc=com$ nsub: 1
=> acl_get: [18] matched
=> acl_get: [18] attr children
=> acl_mask: access to entry "ou=sudoers,dc=example,dc=com", attr "children" requested
=> acl_mask: to all values by "uid=jsmith,ou=people,dc=example,dc=com", (=0)
<= check a_set_pat: [cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*
=> bdb_entry_get: found entry: "cn=sudo admins,ou=system groups,dc=example,dc=com"
=> bdb_entry_get: found entry: "uid=sudo admin,ou=system accounts,dc=example,dc=com"
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> access_allowed: add access granted by write(=wrscxd)
(...)
=> acl_mask: access to entry "cn=iurt,ou=sudoers,dc=example,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=jsmith,ou=people,dc=example,dc=com", (=0)
<= check a_set_pat: [cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*
=> bdb_entry_get: found entry: "cn=sudo admins,ou=system groups,dc=example,dc=com"
=> bdb_entry_get: found entry: "uid=sudo admin,ou=system accounts,dc=example,dc=com"
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> access_allowed: add access granted by write(=wrscxd)
So why was "jsmith" allowed to create a new entry under ou=sudoers? He
is not a member of any of the special groups, and I only changed the ACL
line from "by group" to "by set".
$ ldapsearch -x -LLL -h localhost member=uid=jsmith,ou=people,dc=example,dc=com cn
$
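One way to see why the "by set" clause above behaves differently from the "by group" clause, as an added example that is not part of the thread: slapd applies a `by set=` clause whenever the expression evaluates to a non-empty set, and the expression in the post never mentions the bound DN, so it is non-empty for every authenticated user; the sets FAQ form intersects with `user` (`[...]/member* & user`). The Python below models just that subset of the sets syntax over a constructed directory (the nested "cn=ops team" group is also constructed, to show what the trailing `*` adds).

```python
import re

# Constructed sample directory (DN -> attributes), keyed by normalised
# lower-case DNs the way slapd's ACL log prints them. "cn=ops team" is an
# extra, constructed nested group so the effect of the trailing "*" is visible.
DIRECTORY = {
    "cn=sudo admins,ou=system groups,dc=example,dc=com": {
        "member": ["uid=sudo admin,ou=system accounts,dc=example,dc=com",
                   "cn=ops team,ou=system groups,dc=example,dc=com"],
    },
    "cn=ops team,ou=system groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "uid=sudo admin,ou=system accounts,dc=example,dc=com": {},
    "uid=alice,ou=people,dc=example,dc=com": {},
    "uid=jsmith,ou=people,dc=example,dc=com": {},
}

# Only the subset of the sets syntax used in the thread: [dn]/attr, an
# optional transitive "*", and an optional "& user" intersection.
SET_RE = re.compile(
    r"^\[(?P<dn>[^\]]+)\]/(?P<attr>\w+)(?P<star>\*)?(?P<user>\s*&\s*user)?$")

def expand(start_dn, attr, directory, transitive):
    """Return the set of DNs named by [start_dn]/attr (or /attr* if transitive)."""
    seen, todo = set(), [start_dn.lower()]
    while todo:
        for value in directory.get(todo.pop(), {}).get(attr, []):
            value = value.lower()
            if value not in seen:
                seen.add(value)
                if transitive:          # "*" follows member -> member -> ...
                    todo.append(value)
    return seen

def eval_set(expr, bound_dn, directory=DIRECTORY):
    """Evaluate a set expression for the bound DN; the result is a set of DNs."""
    m = SET_RE.match(expr.strip())
    if not m:
        raise ValueError("unsupported set expression: %s" % expr)
    result = expand(m["dn"], m["attr"], directory, bool(m["star"]))
    if m["user"]:                       # "& user" keeps only the bound DN itself
        result &= {bound_dn.lower()}
    return result

def set_clause_applies(expr, bound_dn, directory=DIRECTORY):
    """slapd applies a 'by set=' clause whenever the expression is non-empty."""
    return len(eval_set(expr, bound_dn, directory)) > 0
```

With the thread's expression `set_clause_applies` is true for jsmith (the set holds the group's members, not jsmith, but it is non-empty); appending `& user` makes it true only for members, and only the `*` form reaches alice through the nested group.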
Can't start with DB_BUFFER_SMALL error
by Jason Lixfeld
Anyone know what caused this, or how to fix? Google hasn't told me
anything I can understand about this error.
=> bdb_last_id: get failed: DB_BUFFER_SMALL: User memory too small
for return value (-30999)
bdb_db_open: last_id(/var/db/openldap-data/ario) failed:
DB_BUFFER_SMALL: User memory too small for return value (-30999)
Running:
openldap-client-2.3.37
openldap-server-2.3.37
db44-4.4.20.4
FreeBSD 6.1-RELEASE-p3
configure OpenLDAP to allow directory users - change pass
by Anne Moore
Hi All
Does anyone know how to configure OpenLDAP to allow directory users to
change their own passwords?
I'm using Openldap-2.2.13-7.4E (on my RedHat server)
As it is now, I have to change everyone's directory password for them and
the security department isn't liking it.
Thank you for your help.
Anne
updatedn and refreshAndPersist in slapd.conf(5) in HEAD
by Gavin Henry
Hi Again.
I'm pretty sure updatedn is left over in slapd.conf(5) from slurpd days.
I can't see it in any test scripts or defines.
Is it only used in MirrorMode?
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Confidentiality required question
by Richard smith
Before I post all the config files, I thought I'd start by showing
the output of some commands.
I put a slappasswd password in the slapd.conf file. When prompted for
this password, I've entered the correct password, the incorrect password,
and no password by just pressing return. In these cases,
with -x,
the 'ldap_bind: Confidentiality required (13)' message appears.
Without -x,
the 'ldap_sasl_interactive_bind_s: Confidentiality required (13)'
message appears.
I've thought of a few things I could try, but thought I'd ask
if anyone might have any suggestions first about why
these 'Confidentiality required (13)' messages appear,
and how to fix it.
Thanks very much in advance
[dir ~]#
[dir ~]#
[dir ~]# ldapsearch -x -b 'dc=mydomainname,dc=name,dc=example,dc=com' '(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=mydomainname,dc=name,dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#
# search result
search: 2
result: 13 Confidentiality required
text: confidentiality required
# numResponses: 1
[dir ~]#
[dir ~]#
[dir ~]#
[dir ~]# ldapsearch -b 'dc=mydomainname,dc=name,dc=example,dc=com' '(objectClass=*)'
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: confidentiality required
[dir ~]#
[dir ~]#
[dir ~]# cat ldap_test_add_file
dn: dc=mydomainname,dc=name,dc=example,dc=com
dc: mydomainname
objectClass: top
objectClass: domain
[dir ~]#
[dir ~]#
[dir ~]#
[dir ~]# /usr/bin/ldapadd -h myserver \
-D "cn=manager,dc=mydomainname,dc=name,dc=example,dc=com" \
-x -W -f ldap_test_add_file
Enter LDAP Password: CORRECT pw given
ldap_bind: Confidentiality required (13)
additional info: confidentiality required
[dir ~]#
[dir ~]#
[dir ~]# /usr/bin/ldapadd -h myserver \
-D "cn=manager,dc=mydomainname,dc=name,dc=example,dc=com" \
-x -W -f ldap_test_add_file
Enter LDAP Password: INCORRECT pw given
ldap_bind: Confidentiality required (13)
additional info: confidentiality required
[dir ~]#
[dir ~]#
[dir ~]# /usr/bin/ldapadd -h myserver \
-D "cn=manager,dc=mydomainname,dc=name,dc=example,dc=com" \
-x -W -f ldap_test_add_file
Enter LDAP Password: NO pw given, just pressed return
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
[dir ~]#
[dir ~]#
[dir ~]#
[dir ~]#
[dir ~]# /usr/bin/ldapadd -h myserver \
-D "cn=manager,dc=mydomainname,dc=name,dc=example,dc=com" \
-W -f ldap_test_add_file
Enter LDAP Password: CORRECT pw given
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: confidentiality required
[dir ~]#
[dir ~]#
[dir ~]# /usr/bin/ldapadd -h myserver \
-D "cn=manager,dc=mydomainname,dc=name,dc=example,dc=com" \
-W -f ldap_test_add_file
Enter LDAP Password: INCORRECT pw given
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: confidentiality required
[dir ~]#
[dir ~]#
[dir ~]# /usr/bin/ldapadd -h myserver \
-D "cn=manager,dc=mydomainname,dc=name,dc=example,dc=com" \
-W -f ldap_test_add_file
Enter LDAP Password: NO pw given, just pressed return
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: confidentiality required
[dir ~]#
[dir ~]#
RE: configure OpenLDAP to allow directory users - change password
by Gavin Henry
<quote who="Anne Moore">
> Hi Milne
>
> <<Or, if you've set pam up correctly, passwd.>>
>
> You're probably right on this. Any idea how to set it up to work with
> OpenLdap correctly?
That's a different mailing list I'm afraid.
>
> Thanks
>
> Anne
>
> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
> Sent: Friday, September 14, 2007 2:58 AM
> To: openldap-software(a)openldap.org
> Cc: Gavin Henry; Anne Moore
> Subject: Re: configure OpenLDAP to allow directory users - change password
>
> On Thursday 13 September 2007 22:54:45 Gavin Henry wrote:
>> <quote who="Anne Moore">
>>
>> > HI Gavin
>> >
>> > The clients we use are Red Hat ES 4.0 systems (40 of them).
>> >
>> > Any ideas on how to allow my users to change their own passwords?
>>
>> ldappasswd?
>
> Or, if you've set pam up correctly, passwd.
>
>> > Thank you for the help!
>> >
>> > Anne
>> >
>> > Gavin Henry <ghenry(a)suretecsystems.com> wrote:
>> >> Hi All
>> >>
>> >> Does anyone know how to configure OpenLDAP to allow directory users
>> >> to change their own passwords?
>> >
>> > You don't mention anything about the clients you are using or your
>> > ACLs
>
> The default ACLs shipped in most default slapd.conf files usually has
> something like this, which would be sufficient:
>
> access to attrs=userPassword
> by self write
> by * auth
>
>
>> >> I'm using Openldap-2.2.13-7.4E (on my RedHat server)
>> >
>> > See our recommendations on using Red Hat OpenLDAP software in
>> > the archives.
>
> 2.2 is deprecated. 2.3 is current, and has some features (for example
> password policy enforcement) that you may desire/require.
>
> Packages are available that install cleanly in parallel, such as mine:
>
> http://staff.telkomsa.net/packages/rhel4/openldap/
>
>
Re: Startup time
by Sumith Narayanan
Thanks Everyone !
Here is my system configuration :
OpenLDAP version : 2.3.27
Berkeley DB Version: 4.4.20
Server : Mac OSX Tiger in Power PC
Memory : 8 GB
Number of physical DB : 3
Size of each DB : 4 , 12 and 24 each.
DB_CONFIG file for one DB, the others are set similarly:
==========
# $OpenLDAP: pkg/ldap/servers/slapd/DB_CONFIG,v 1.1.2.3 2006/08/17 17:36:19 kurt Exp $
# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
#
# See Sleepycat Berkeley DB documentation
# <http://www.sleepycat.com/docs/ref/env/db_config.html>
# for detail description of DB_CONFIG syntax and semantics.
#
# Hints can also be found in the OpenLDAP Software FAQ
# <http://www.openldap.org/faq/index.cgi?file=2>
# in particular:
# <http://www.openldap.org/faq/index.cgi?file=1075>
# Note: most DB_CONFIG settings will take effect only upon rebuilding
# the DB environment.
# one 0.20 GB cache
set_cachesize 0 42428800 0
# Data Directory
#set_data_dir db
#set db flags
#only use when using slapdADD
set_flags DB_TXN_NOSYNC
set_lk_max_locks 2000
# Transaction Log settings
set_lg_regionmax 1048576
set_lg_max 20485760
set_lg_bsize 2097152
set_lg_dir /Volumes/ngs/app/ldapp/openldap/var/openldap-data/db/externals/
# Automatically remove log files that are no longer needed.
set_flags DB_LOG_AUTOREMOVE
# Note: special DB_CONFIG flags are no longer needed for "quick"
# slapadd(8) or slapindex(8) access (see their -q option).
==========
slapd.conf file :
---------------------
====
# Do not enable referrals until AFTER you have a working directory
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /Volumes/ngs/app/ldapp/openldap/etc/openldap/schema/core.schema
include /Volumes/ngs/app/ldapp/openldap/etc/openldap/schema/cosine.schema
include /Volumes/ngs/app/ldapp/openldap/etc/openldap/schema/inetorgperson.schema
# Custom Schema
include /Volumes/ngs/app/ldapp/openldap/etc/openldap/schema/ist.schema
# Define global ACLs to disable default read access.
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /Volumes/ngs/app/ldapp/openldap//var/run/slapd.pid
argsfile /Volumes/ngs/app/ldapp/openldap//var/run/slapd.args
replogfile /Volumes/ngs/app/ldapp/openldap/var/openldap-slurp/replogfile.log
# Give the replicator account the ability to update and everyone read access.
access to attrs=userpassword
by * auth
access to *
by dn.base="cn=replicator,o= Computer" write
by * read
access to * by * write
by dn.base="cn=manager,o= computer" write
readonly off
loglevel 256
#conn_max_pending 300
defaultsearchbase "o= Computer"
gentlehup on
idletimeout 300
sizelimit 2000000
timelimit 300
password-hash {SSHA}
allow bind_v2
threads 32
database bdb
suffix "ou=externals,o= Computer"
subordinate "o= Computer"
rootdn "cn=Manager,o= Computer"
dbcachesize 10000000
cachesize 100000000
directory /Volumes/ngs/app/ldapp/openldap/var/openldap-data/db/externals
index objectClass eq
index dsid eq
index cn eq,sub
index givenName eq,sub
index mail eq,sub
index sn eq,sub
index telephonenumber eq,sub
index entryUUID eq
replica uri=ldap://ldapws1.corp.computer.com:3893/
binddn="cn=Replicator,o= Computer"
bindmethod=simple
credentials=******
============
We are planning to upgrade to 64 bit Mac Intel processors, but till
then we need this to be up and running.
Any suggestions for an optimal configuration will be appreciated.
Thanks, Sumith.
On 9/11/07, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, September 11, 2007 8:59 AM -0400 Aaron Richton
> <richton(a)nbcs.rutgers.edu> wrote:
>
> > It's almost certain that this configuration is inappropriate. You're
> > unlikely to get a decently tuned cache for a database that size in 32-bit
> > process space.
> >
> > As for your "crashes," you're likely OOM running into the DN cache issues
> > previously discussed
> >
> > http://www.openldap.org/lists/openldap-software/200708/msg00106.html
> >
> > and you may find help with a 64-bit platform, OpenLDAP 2.4, or some
> > combination thereof.
>
> I think it is a little premature for OpenLDAP 2.4, but definitely go
> 64-bit, do some tuning, and actually provide useful details. You don't
> note the OS either, but if it is Linux, you probably want to use something
> like tcmalloc instead of glibc for memory management as well.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
Re: configure OpenLDAP to allow directory users - change password
by Gavin Henry
<quote who="Anne Moore">
> HI Gavin
>
> The clients we use are Red Hat ES 4.0 systems (40 of them).
>
> Any ideas on how to allow my users to change their own passwords?
ldappasswd?
>
> Thank you for the help!
>
> Anne
>
> Gavin Henry <ghenry(a)suretecsystems.com> wrote:
>> Hi All
>>
>> Does anyone know how to configure OpenLDAP to allow directory users to
>> change their own passwords?
>
> You don't mention anything about the clients you are using or your ACLs
>
>>
>> I'm using Openldap-2.2.13-7.4E (on my RedHat server)
>
> See our recommendations on using Red Hat OpenLDAP software in the
> archives.
>
>>
>> As it is now, I have to change everyone's directory password for them
>> and
>> the security department isn't liking it.
>>
>> Thank you for your help.
>>
>> Anne
>>
>
>
>