sles 10 synchronize 2 ldapservers
by bakkerru
Question:
How can I synchronize the users and groups of 2 LDAP servers? One is set up as
PDC with Samba and OpenLDAP (SLES10), domain "off.company.nl", and the other
is our mail server installed with LDAP and OpenExchange (SLES 9.3), domain
mail.company.nl. How can I sync the users between both? The mail server is in
a DMZ.
Thanks in advance
Ruurd
15 years
objectIdentifier Macros?
by Gavin Henry
Evening all,
Are OID Macros specific to slapd?
Thanks.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
15 years
update with perl
by alois blasbichler
Hello list
We use openldap 2.3.39.
I want to add the following attributes to all my users with a Perl script:
objectClass: orcluser
orclpassword: xxxxxxxxx
I don't know how to do that with a script.
Currently my users have these objectClasses:
objectClass: top
objectClass: hordePerson
objectClass: shadowAccount
objectClass: posixAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: SuSEeMailObject
objectClass: sambaSamAccount
I defined an objectClass:
objectclass ( 1.1.2.881.881.555.666
NAME 'inetorcluser'
DESC 'inetorcluser'
SUP ( inetOrgPerson $ orcluser ) STRUCTURAL
)
And so when I export a user with an LDAP browser, then after
deleting this user I add the following attributes in the LDIF file:
objectClass: inetorcluser
objectClass: orcluser
orclpassword: xxxxxxxxx
then I can import this user fine.
That is OK for one user, but how can I do that for a lot of users? I
tried with Perl, but without success.
Thanks in advance for any help.
luis
15 years
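A script in the spirit of what the post asks for, added here as an example (not from the post, and not OpenLDAP code): it reads an LDIF export and writes a changetype LDIF for ldapmodify that repeats the manual delete-then-re-add step for every entry, appending the inetorcluser/orcluser objectClasses and the orclpassword placeholder from the post. It is Python rather than Perl, and the sample entry, its DN and its password value are constructed.

```python
import sys

# Constructed sample export (not from the post), like what an LDAP
# browser or "ldapsearch -LLL" would write for one user.
SAMPLE_EXPORT = """\
dn: uid=luis,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
uid: luis
cn: Luis Example
sn: Example
userPassword:: e1NTSEF9c2FtcGxl
"""

EXTRA_ATTRS = [
    ("objectClass", "inetorcluser"),
    ("objectClass", "orcluser"),
    ("orclpassword", "xxxxxxxxx"),   # placeholder value from the post
]

def parse_ldif(text):
    """Split an LDIF export into entries; folded lines joined, '::' kept."""
    entries, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # continuation line
        elif raw == "":
            if current:
                entries.append(current)
            current = []
        else:
            current.append(raw)
    return entries

def to_delete_and_readd(entries, extra):
    """Changetype LDIF for ldapmodify: delete each entry, re-add with extras."""
    records = []
    for lines in entries:
        dn = lines[0]
        if not dn.startswith("dn:"):
            raise ValueError("entry does not start with dn: %r" % dn)
        records.append(f"{dn}\nchangetype: delete\n")
        body = "\n".join(lines[1:] + [f"{a}: {v}" for a, v in extra])
        records.append(f"{dn}\nchangetype: add\n{body}\n")
    return "\n".join(records)

if __name__ == "__main__":
    text = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(to_delete_and_readd(parse_ldif(text), EXTRA_ATTRS))
```

Pipe the real export in on stdin and feed the output to ldapmodify bound as an administrator; the base64 userPassword lines pass through untouched.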
Silly details like CN= v cn=
by Andrew Bartlett
I've been working on making Samba4 pass its test suite with OpenLDAP as
a backend.
One of my tests does what no LDAP client should do - it applies a case
sensitive comparison of the returned DN, compared with what we expect
and get from AD.
For example, we search for cn=ldaptestmachine and then ensure we get:
CN=ldaptestmachine,CN=Users,DC=samba,DC=example,DC=com
OpenLDAP returns
cn=ldaptestmachine,cn=users,dc=samba,dc=example,dc=com
which I'm sure is perfectly valid, but if I can write a bodgy script
with case sensitive comparisons, so can an admin or sloppy app. Working
in the Windows space makes me like to eliminate differences where I
can.
Can the case of the attribute names (CN and DC) in that DN be made to be
UPPER case easily? (Alternately I'll write a filter module on the
Samba4 side to do that).
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
15 years
Chain authentication bind configuration
by Dave Stoll
Hello -
I seem to have run into a bit of a roadblock with my configuration. I am
trying to build an OpenLDAP server which uses ref: entries to chain to two
other LDAP servers for user authorization. I have been able to get
everything working fine so long as I allow anonymous binding on the servers
referenced from OpenLDAP. Unfortunately, the security folks are requesting
the OpenLDAP server to force bind credentials for the particular ldap uri.
From man slapd-ldap(5) I see the following:
acl-bind
...
This identity is by no means implicitly used by the proxy when the client
connects anonymously. The idassert-bind feature, instead, in some cases can
be crafted to implement that behavior, which is intrinsically unsafe and
should be used with extreme care. This directive obsoletes acl-authcDN, and
acl-passwd.
...
Unfortunately, I'm having a bit of difficulty finding any documentation
supporting the ability to implicitly use a particular bindDN and simple
authentication password, regardless of whether the query is anonymous or
authenticated.
Any help would be welcome.
Cheers,
Dave
--
Dave Stoll
echo mac | sed 's/^/dave.stoll(a)/;s/$/.com/'
15 years
NOOP and case change renames
by Andrew Bartlett
I'm up against my next challenge in the great challenge of Samba4 and
OpenLDAP.
As mentioned on openldap-devel, I've hit up against renaming DNs onto
themselves.
For example, I previously mentioned
cn=ldaptestuser2,cn=users,DC=samba,DC=example,DC=com into
cn=ldaptestuser3,cn=users,DC=samba,DC=example,DC=com
This should become:
dn: cn=ldaptestuser2,cn=users,DC=samba,DC=example,DC=com
changetype: modrdn
newrdn: cn=ldaptestuser2
deleteoldrdn: 1
> RFC 4511 states that a modify DN operation must fail with the
> entryAlreadyExists result code if there was already an entry with that
> name. However, a broad interpretation would recognize that such a
> modify DN operation is going to be a no-op and simply ignore it. The
> specific case doesn't seem to be explicitly dealt with in RFC 4511.
I've written a module to cause this to never reach the DB, but my next
test (which AD also permits) is:
cn=ldaptestuser3,cn=users,DC=samba,DC=example,DC=com into
cn=ldaptestUSER3,cn=users,DC=samba,DC=example,DC=com
So it seems I need some backend help. Is there another way I should be
handling case changes in a DN, or could/should the DB be modified to
allow these operations?
(These tests arose because a user tried to do exactly this from the
windows management tools, and we also failed to allow it in ldb).
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
15 years
Newbie - how to change display name settings
by Winanjaya - CBN
Hello All,
I am very new to this, I have configured OpenLDAP on my FC1 ..
Currently, the Display name setting is Last Name, First Name .. how do I change it to First Name, Last Name?
Please help
Thanks & Regards
Winanjaya
15 years
simple-auth to SASL mapping?
by Stefan Palme
Hi all,
I have set up an OpenLDAP server for users authenticating
using SASL. The authz-regexp "converts" the SASL identity
into a DN which is used only for authorization purposes
- there are no real LDAP entries with these DNs. This setup
works fine.
Now I have some LDAP client applications that only support
simple authentication, but no SASL authentication. So I am
looking for a way to "map" simple authentication to SASL
authentication, e.g. when a user uses simple auth with
DN "cn=user1,ou=users,dc=domain,dc=com" this mechanism should
authenticate this user via SASL using username "user1"
and the provided password.
I absolutely DO NOT WANT to create real LDAP entries for
these users, because the user database is an external one
accessed via SASL->PAM->COMPLICATED_PAM_MODULES, and I
don't want to manage user accounts in two places :-)
Is this possible?
I already thought about using an "ldap" backend to proxy
simple-auth connections, but I did not find a way to just
"rewrite" the authentication information and make the proxy
server use SASL with a username extracted from the simple
auth DN...
Thanks and best regards
-stefan-
15 years
Regarding ldap client library with php ldap exop patch
by Faraz Khan
This is regarding the php ldap exop patch published by Pierangelo
Masarati at :
http://www.sys-net.it/~ando/Download/#PHP%3E
I BADLY require paged results for my ldap based application. The patch
applies fine to
PHP 5_2 HEAD. However, two things need to be changed.
1. the zstr struct does not exist, which needs to be defined. This is
not a problem.
Solved with some help from PHP developers on what zstr is.
2. In the function php_ldap_do_search(INTERNAL_FUNCTION_PARAMETERS,
int scope) in
ldap.c, timelimit is set to -1 as follows:
int ldap_attrsonly = 0;
int ldap_sizelimit = -1;
int ldap_timelimit = -1;
The ldap_search operation keeps on returning a LDAP ERROR : Timeout in
this case.
Modifying timelimit to :
int ldap_timelimit = 300;
for example fixes the issue and pagination works. I'm guessing the
following is what
causes problems:
#ifdef HAVE_LDAP_SEARCH_EXT_S
    /* Run the actual search */
    {
        int rc;
        struct timeval tv;
        tv.tv_sec = ldap_timelimit;
        tv.tv_usec = 0;
        rc = ldap_search_ext(ld->link,
                             ldap_base_dn, scope,
                             ldap_filter, ldap_attrs, ldap_attrsonly,
                             NULL, NULL, &tv,
                             ldap_sizelimit, &rcs[i] );
        /* TODO: check rc == LDAP_SUCCESS */
    }
the tv.tv_usec=0 when tv.tv_sec = -1
Just a hunch. How does ldap_search_ext handle timelimit? Thank you. I
currently have it
set to 300, which is bad, and it seems to be working fine.
Please remember the problem (with the patch applied) happens not only
to paged requests
but any ldap_search request (keeps timing out instantaneously)
--
Faraz R Khan
Chief Architect
Emergen Consulting Pvt Ltd
www.emergen.biz
15 years
Password expiration question (ppolicy and smbk5pwd interaction)
by Pat Riehecky
Like many before me I would love to get the smbk5pwd module up and
running, but I have a question.
In OpenLDAP 2.4.7:
If I set a password expiration time up (with ppolicy), and the user's
password expires, does it lock the Heimdal, Samba, and ldap passwords?
On the flip side, if I set a password expiration time up (with
smbk5pwd), and the user's password expires, does it lock the Heimdal,
Samba, and ldap passwords?
Or perhaps more to the point, what can I do to keep all three of these
passwords either all valid or all expired at the same time?
The documentation is a bit vague on this one point, and the archives
left me still in confusion.....
Pat
15 years