openldap-software May 2008

openldap-software@openldap.org

64 participants
55 discussions

result: 32 No such object
by Arjan Hulshoff 05 May '08

05 May '08

Hi all, I am trying to learn how to use OpenLDAP in combination with Cyrus SASL and MIT Kerberos 5. While testing I got the following error: result: 32 No such object. Below you can see that the response with simple bind works flawless, but as soon as I am trying to use SASL and Kerberos I get the previous mentioned response. Everything I could find on google didn't help. So I hope someone can point me in the right direction. I am not sure what extra information you need. I am clueless as you might have understood. TIA, Arjan. [root@ldapserver ~]# ldapsearch -ZZ -W -D 'cn=Manager,dc=example,dc=com' -s base -x Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope baseObject # filter: (objectclass=*) # requesting: ALL # # example.com dn: dc=example,dc=com description: Example.Com, your trusted non-existent corporation. dc: example o: Example.Com objectClass: top objectClass: dcObject objectClass: organization # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1 [root@ldapserver ~]# ldapsearch -ZZ -W -D 'cn=Manager,dc=example,dc=com' -s base Enter LDAP Password: SASL/GSSAPI authentication started SASL username: matt(a)EXAMPLE.COM SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope baseObject # filter: (objectclass=*) # requesting: ALL # # search result search: 5 result: 32 No such object # numResponses: 1

2 2

Re: Tony Earnshaw, 29/02/40 - 29/04/08]
by Dieter Kluenter 05 May '08

05 May '08

Hello, the following has been posted on the postfix-users mailinglist. -Dieter > From: Ace Suares <ace(a)suares.an> > Subject: Tony Earnshaw, 29/02/40 - 29/04/08 > To: postfix-users(a)postfix.org > Date: Sun, 4 May 2008 09:24:59 -0400 > Reply-To: ace(a)suares.an > > > > Dear List, > > Tony Earnshaw, active member of this list, has passed away last Tuesday. > > About a month ago he was diagnosed with stage 5 lung cancer and within a > very short time Tony left us. > > Tony's body will be cremated Monday 5th of May in Amsterdam. > > For those who want to express their feelings, please visit > > http://www.xs4all.nl/~snore/tony > > If among you there are people who want to have more information, send me > an email at ace(a)suares.an and I will forward it to the kind people that > take care of his affairs. > > With Sadness, > > Ace Suares > > > ---------- -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6

1 0

A question about {CLEARTEXT} hash
by Anderson Medeiros Gomes 01 May '08

01 May '08

I am using OpenLDAP 2.4.7 in an Ubuntu 8.04 server. I have in my tree an user whose "userPassword" attribute is "{CLEARTEXT}testpass". This command works: $ ldapwhoami -U testuser -w testpass SASL/DIGEST-MD5 authentication started SASL username: testuser SASL SSF: 128 SASL data security layer installed. dn:uid=testuser,ou=people,dc=cefetrs,dc=tche,dc=br But I don't know why this one doesn't work... $ ldapwhoami -x -D 'uid=testuser,ou=people,dc=cefetrs,dc=tche,dc=br' -w testpass ldap_bind: Invalid credentials (49) The command above works only after removing the "{CLEARTEXT}" string before the real password: $ ldapmodify -U testuser -w testpass SASL/DIGEST-MD5 authentication started SASL username: testuser SASL SSF: 128 SASL data security layer installed. dn: uid=testuser,ou=people,dc=cefetrs,dc=tche,dc=br changetype: modify replace: userPassword userPassword: testpass modifying entry "uid=testuser,ou=people,dc=cefetrs,dc=tche,dc=br" $ ldapwhoami -x -D 'uid=testuser,ou=people,dc=cefetrs,dc=tche,dc=br' -w testpass dn:uid=testuser,ou=people,dc=cefetrs,dc=tche,dc=br ------------------- My doubt is: if an user have his password set to "{CLEARTEXT}<real password>", it should be able to authenticate itself either with simple authentication or with SASL, doesn't it? -- Anderson Medeiros Gomes amg1127(a)cefetrs.tche.br Coordenadoria de Manutenção e Redes Centro Federal de Educação Tecnológica de Pelotas http://www.cefetrs.tche.br/

1 0

overlay "syncprov" not found
by Jonathan Dobbie 01 May '08

01 May '08

I'm trying to set up syncprov on Ubuntu's 2.4.7, but slaptest returns: root@higgsboson:~# slaptest overlay "syncprov" not found slaptest: bad configuration file! As far as I can tell, the module is there: root@higgsboson:~# ls /usr/lib/ldap/syncprov* /usr/lib/ldap/syncprov-2.4.so.2 /usr/lib/ldap/syncprov-2.4.so.2.0.3 / usr/lib/ldap/syncprov.la /usr/lib/ldap/syncprov.so Below is a slightly trimmed version of slapd.conf: allow bind_v2 readonly off include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /usr/local/etc/ldap/schema/samba.schema include /usr/local/etc/ldap/schema/apple.schema include /usr/local/etc/ldap/schema/mcadmail.schema include /usr/local/etc/ldap/schema/mcad.schema include /usr/local/etc/ldap/schema/mcad.radmind.schema TLSCACertificateFile /etc/ldap/ssl/higgsboson.pem TLSCertificateFile /etc/ldap/ssl/higgsboson.pem TLSCertificateKeyFile /etc/ldap/ssl/higgsboson.pem authz-regexp uid=([^,]*),cn=PLAIN,cn=auth uid= $1,dc=users,dc=accounts,dc=mcad,dc=edu sasl-secprops none pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 128 threads 10 modulepath /usr/lib/ldap moduleload back_bdb defaultsearchbase "dc=accounts,dc=ldap,dc=mcad,dc=edu" idletimeout 600 password-hash {SSHA} backend bdb database bdb suffix "dc=mcad,dc=edu" checkpoint 512 30 cachesize 2000 idlcachesize 6000 directory "/var/lib/ldap" index objectClass eq index cn,sn,uid pres,eq,approx,sub index givenName eq,sub index displayName eq,sub index mail,mailAlias eq,sub index activePopImap eq index activeSmtp eq index ceridianID eq index jenzabarID eq index ou eq index employeeNumber eq index employeeType eq index uidNumber,gidNumber eq index memberUid eq index macAddress eq index apple-generateduid eq index apple-group-realname eq index apple-computers eq index apple-mcxflags sub index apple-category eq index apple-networkview eq index apple-group-memberguid eq index apple-group-nestedgroup eq index entryUUID eq index entryCSN eq index mailbox eq overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 lastmod on And then all of the ACLs

4 5

Add attribute with static value to search results
by Andy Cobaugh 01 May '08

01 May '08

Is it possible to somehow add a statically defined attribute to all search results. For example, if I wanted to add "authAuthority: ;Kerberosv5;;" to all entries with "(objectClass=posixAccount)". I've looked at slapo-rwm, and its rwm-map directive, but that only seems to map one attribute to another. I'm thinking there must be a way to do this, or perhaps it would be simple enough add this functionality to slapo-rwm. It seems like this is something that could be fairly useful, so perhaps this should be considered a feature request. Note: I don't control the upstream ldap server in my organization (I'm using a local proxying server with the translucent overlay). I could add this attribute to every entry in the upstream server, but that's several tens of thousands of entries that I would need to locally modify. -- Andy Cobaugh

3 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software May 2008