openldap-technical January 2008

openldap-technical@openldap.org

48 participants
57 discussions

sles 10 synchronize 2 ldapservers
by bakkerru 15 Jan '08

15 Jan '08

Question: How can i sychronize the users and groups of 2 ldap servers. 1 is setup as pdc with samba and openldap (SLES10) domain "off.company.nl" and the other is our mailserver installed with ldap and openexchange (SLES9.3) domain mail.company.nl. how can i sync the users between both. The mailserver is in a DMZ. thanks in advantage Ruurd

4 3

objectIdentifier Macros?
by Gavin Henry 15 Jan '08

15 Jan '08

Evening all, Are OID Macros specific to slapd? Thanks. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

2 4

update with perl
by alois blasbichler 15 Jan '08

15 Jan '08

Hello list We use openldap 2.3.39. I want to add with a perl-script to all my users this attributes : objectClass: orcluser orclpassword: xxxxxxxxx I dont now how do that with a script. Actually my users haves this objectClasses : objectClass: top objectClass: hordePerson objectClass: shadowAccount objectClass: posixAccount objectClass: person objectClass: inetOrgPerson objectClass: SuSEeMailObject objectClass: sambaSamAccount I defined an : objectclass ( 1.1.2.881.881.555.666 NAME 'inetorcluser' DESC 'inetorcluser' SUP ( inetOrgPerson $ orcluser ) STRUCTURAL ) And so when i with an ldap-browser export an user, then after deleting this user i add in the ldif-datei the followings attributes: objectClass: inetorcluser objectClass: orcluser orclpassword: xxxxxxxxx then i can import this user fine. That for one user is ok but for a lot of users how can i do that - i tried with perl - but without success. Thanks in advanced for any help. luis

3 3

Silly details like CN= v cn=
by Andrew Bartlett 13 Jan '08

13 Jan '08

I've been working on making Samba4 pass it's testsuite with OpenLDAP as a backend. One of my tests does what no LDAP client should do - it applies a case sensitive comparison of the returned DN, compared with what we expect and get from AD. For example, we search for cn=ldaptestmachine and then ensure we get: CN=ldaptestmachine,CN=Users,DC=samba,DC=example,DC=com OpenLDAP returns cn=ldaptestmachine,cn=users,dc=samba,dc=example,dc=com which I'm sure is perfectly valid, but if I can write a bodgy script with case sensitive comparisons, so can an admin or sloppy app. Working in the windows space makes me like to eliminate differences where I can. Can the case of the attribute names (CN and DC) in that DN be made to be UPPER case easily? (Alternately I'll write a filter module on the Samba4 side to do that). Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

4 11

Chain authentication bind configuration
by Dave Stoll 13 Jan '08

13 Jan '08

Hello - I seem to have run into a bit of a roadblock with my configuration. I am trying to build an OpenLDAP server which uses ref: entries to chain to two other LDAP servers for user authorization. I have been able to get everything working fine so long as I allow anonymous binding on the servers referenced from OpenLDAP. Unfortunately, the security folks are requesting the OpenLDAP server to force bind credentials for the particular ldap uri. >From man slapd-ldap(5) I see the following: acl-bind ... This identity is by no means implicitly used by the proxy when the client connects anonymously. The idassert-bind feature, instead, in some cases can be crafted to implement that behavior, which is intrinsically unsafe and should be used with extreme care. This directive obsoletes acl-authcDN, and acl- passwd. ... Unfortunately, I¹m having a bit of difficulty finding any documentation supporting the ability to implicitly use a particular bindDN and simple authentication password, regardless of whether the query is anonymous or authenticated. Any help would be welcome. Cheers, Dave -- Dave Stoll echo mac | sed 's/^/dave.stoll(a)/;s/$/.com/'

2 6

NOOP and case change renames
by Andrew Bartlett 10 Jan '08

10 Jan '08

I'm up against my next challenge in the great challenge of Samba4 and OpenLDAP. As metioned on openldap-devel, I've hit up against renaming DNs onto themselves. For example, I previously mentioned cn=ldaptestuser2,cn=users,DC=samba,DC=example,DC=com into cn=ldaptestuser3,cn=users,DC=samba,DC=example,DC=com This should become: dn: cn=ldaptestuser2,cn=users,DC=samba,DC=example,DC=com changetype: modrdn newrdn: cn=ldaptestuser2 deleteoldrdn: 1 > RFC 4511 states that a modify DN operation must fail with the > entryAlreadyExists result code if there was already an entry with that > name. However, a broad interpretation would recognize that such a > modify DN operation is going to be a no-op and simply ignore it. The > specific case doesn't seem to be explicitly dealt with in RFC 4511. I've written a module to cause this to never reach the DB, but my next test (which AD also permits) is: cn=ldaptestuser3,cn=users,DC=samba,DC=example,DC=com into cn=ldaptestUSER3,cn=users,DC=samba,DC=example,DC=com So it seems I need some backend help. Is there another way I should be handling case changes in a DN, or could/should the DB be modified to allow these operations? (These tests arose because a user tried to do exactly this from the windows management tools, and we also failed to allow it in ldb). Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

2 5

Newbie - how to change display name settings
by Winanjaya - CBN 09 Jan '08

09 Jan '08

Hello All, I am very new with this, I have configured openldap on my FC1 .. Currently, the Display name settings is Last Name, First Name .. how to change it to FirstName, Last Name? Please help Thanks & Regards Winanjaya *********************** Our outgoing mail has been scanned by MSS. ***********-***********

4 7

simple-auth to SASL mapping?
by Stefan Palme 08 Jan '08

08 Jan '08

Hi all, I have setup an OpenLDAP server for users authenticating using SASL. The authz-regexp "converts" the SASL identity into a DN which is used only for authorization purposes - there are no real LDAP entries with these DNs. This setup works fine. Now I have some LDAP client applications that only support simple authentication, but no SASL authentication. So I am looking for a way to "map" simple authentication to SASL authentication, e.g. when a user uses simple auth with DN "cn=user1,ou=users,dc=domain,dc=com" this mechanism should authenticate this user via SASL using username "user1" and the provided password. I absolutely DO NOT WANT to create real LDAP entries for these users, because the user database is an external one accessed via SASL->PAM->COMPLICATED_PAM_MODULES, and I dont want to manage user accounts in two places :-) Is this possible? I already thought about using an "ldap"-backend to proxy simple-auth-connections, but I did not found a way to just "rewrite" the authentication information and make the proxy server using SASL with a username extracted from the simple auth DN... Thanks and best regards -stefan-

2 2

Regarding ldap client library with php ldap exop patch
by Faraz Khan 08 Jan '08

08 Jan '08

This is regarding the php ldap exop patch published by Pierangelo Masarati at : http://www.sys-net.it/~ando/Download/#PHP%3E I BADLY require paged results for my ldap based application. The patch applies fine to PHP 5_2 HEAD. However, two things need to be changed. 1. the zstr struct does not exist, which needs to be defined. This is not a problem. Solved with some help from PHP developers on what zstr is. 2. In the function php_ldap_do_search(INTERNAL_FUNCTION_PARAMETERS, int scope) in ldap.c, timelimit is set to -1 as follows: int ldap_attrsonly = 0; int ldap_sizelimit = -1; int ldap_timelimit = -1; The ldap_search operation keeps on returning a LDAP ERROR : Timeout in this case. Modifying timelimit to : int ldap_timelimit = 300; for example fixes the issue and pagination works. I'm guessing the following is what causes problems: #ifdef HAVE_LDAP_SEARCH_EXT_S /* Run the actual search */ { int rc; struct timeval tv; tv.tv_sec = ldap_timelimit; tv.tv_usec = 0; rc = ldap_search_ext(ld->link, ldap_base_dn, scope, ldap_filter, ldap_attrs, ldap_attrsonly, NULL, NULL, &tv, ldap_sizelimit, &rcs[i] ); /* TODO: check rc == LDAP_SUCCESS */ } the tv.tv_usec=0 when tv.tv_sec = -1 Just a hunch. How does ldap_search_ext handle timelimit? Thank you. I currently have it set to 300, which is bad, and it seems to be working fine. Please remember the problem (with the patch applied) happens not only to paged requests but any ldap_search request (keeps timing out instantaneously) -- Faraz R Khan Chief Architect Emergen Consulting Pvt Ltd www.emergen.biz

1 0

Password expiration question (ppolicy and smbk5wpd interaction)
by Pat Riehecky 07 Jan '08

07 Jan '08

Like many before me I would love to get the smbk5pwd module up and running, but I have a question. In OpenLDAP 2.4.7: If I set a password expiration time up (with ppolicy), and the user's password expires, does it lock the Heimdal, Samba, and ldap passwords? On the flip side, if I set a password expiration time up (with smbk5pwd), and the user's password expires, does it lock the Heimdal, Samba, and ldap passwords? Or perhaps more to the point, what can I do to keep all three of these passwords either all valid or all expired at the same time? The documentation is a bit vague on this one point, and the archives left me still in confusion..... Pat

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2008