openldap-technical October 2008

openldap-technical@openldap.org

59 participants
63 discussions

Syncrepl question
by Ivan Ordonez 04 Dec '08

04 Dec '08

Hi all, We have a small size domain with about 500 users and computers. We are using Samba with Openldap integration to authenticate user login and file sharing. Our setup is consist of 3 servers running Gentoo Linux - 1PDC and 2BDCs. As for replication, we are still using "slurpd". Any changes or modification is done through the PDC which replicates the changes to BDC1, then from BDC1, it then goes down to BDC2 - it's like a chain. We want to start using "syncrepl" soon as a way to replicate our database but I'm not sure were to start. We want to setup all of our machine to sync with each other everyday, and not worry which machine is use to make changes, modification, etc.... I'm not sure which syncrepl function to use to achieve what we want to do. Is "N-Way Multi Master replication" the correct choice to do this? We are using "BDB" database on each servers, and would like to achieve this with minimal downtime if possible. What is the best way to do this? Please advise. Any help is greatly appreciated. -Ivan

3 12

GSSAPI Error: An invalid name was supplied (Not enough space)
by Ben Lentz 31 Oct '08

31 Oct '08

Greetings list, I am using openldap-2.4.12 with cyrus-sasl 2.1.22 with mit krb5-1.6.3 on an AIX 5.3, TL8, SP2 machine. Whenever I try to use GSSAPI with ldapsearch against a Microsoft Active Directory server, I get the following error: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) When I run the process through truss -rall -wall -f, I see the following error near the failure: GSSAPI Error: An invalid name was supplied (Not enough space) I am able to acquire a kerberos ticket, I can list the GSSAPI plugin using pluginviewer, and I can ldapsearch against the MSAD server using simple authentication. I have searched Google and can find no reference to the "Not enough space" error. Has anyone else seen this before or can anyone shed any light on this? Thanks in advance.

1 0

Password hash in openldap
by Paul Lee 31 Oct '08

31 Oct '08

Dear all, Last time I changes the slapd.conf to restrict anonymous user to see the userPassword attribute from 3rd party LDAP browser. However, our client still wants to encrypt/hash the password stored in LDAP because he says that he can user other users auth to the LDAP and then can see other users' password (e.g. he can see his boss's password). Since we have the admin portal to change the user password as well, seems it can't restrict userpassword attribute by self read/write. Also, we will use the password policy and restrict users to re-use the last 12 passwords. So, my question is that is it possible to hash the password stored in openldap, also, the password stored in the password history is also hashed so that even other users can't see the password of others. Thanks Confidential Communication - This e-mail (including any attachments) is confidential and may be legally privileged. If this e-mail has been sent to you by mistake please inform us by reply e-mail and then delete the e-mail, destroy any printed copy and do not disclose or use the information in it.

2 1

create quota to openldap group
by Kermito le kermit 29 Oct '08

29 Oct '08

hello all, I am use openldap to debian all work fine i use openldap +samba pdc to my domain. now i wabt to add a quota to the groupe in my openldap which a tool quota (edquota etc ..). I can but quota to sambausers but no for other groups any ideas

1 0

difference between /etc/ldap.conf /etc/openldap/ldap.conf
by GanGan 29 Oct '08

29 Oct '08

hello all one question ! What is the difference between /etc/ldap.conf and /etc/openldap/ldap.conf ? thanks in advance -- - GanGan -

4 7

ldap queries to AD server
by Lynn York 28 Oct '08

28 Oct '08

Hello, I am seeing a large amount of queries for users such as vpopmail, postmaster, anonymous and a few other users being sent to the AD server via the openldap proxy. Below is a snippet of the log, I was curious how I could stop the servers from searching for these users via ldap? [ snippet ] Oct 28 14:32:54 ldap-proxy slapd[21165]: conn=2828 op=56 SRCH base="ou=Internal,dc=mgmt,dc=test,dc=net" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=vpopmail))" Oct 28 14:32:54 ldap-proxy slapd[21165]: conn=2828 op=56 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag [ end snippet ]

1 0

"bulk-reload" of database and replication
by Sebastian Benoit 28 Oct '08

28 Oct '08

Hi, we are developing a application using openldap and have the following problem: We plan a setup using one master-ldap server (with normally few write operations). The database will be replicated to (initially) two slave-servers using syncrepl replication. Now, at the beginning (until the complete system is set up to work with the ldap-server) we will need to re-initialize the complete database from scratch. This reload takes about 10 minutes using perl-ldap and a tcp-connection to the server. During this time the application accessing the slave servers should still see the old view of the database. The switch from old data to new data on the slave-servers should be as fast as possible to avoid clients seeing wrong (or not existing) data. I thought about writing data in LDIF format and the create a new database from that using slapadd. But then there still is the replication problem. What methods to others use to solve this? Thanks for you help, /Benno -- Sebastian Benoit <benoit-lists(a)fb12.de>

3 2

slurpd replication problem.
by Choi, Justin 28 Oct '08

28 Oct '08

I am seeing invalid credential error logs a lot. Could you guys let me know how to solve this issue? Thanks. Server Log(slurpd -d 2) Replicated Log (/usr/sbin/slapd -u ldap -d 2 -h ldap:///) Slapd.conf database bdb suffix "dc=ijji,dc=com" rootdn "cn=Manager,dc=ijji,dc=com" rootpw {SSHA}EpkPadkANDlpX7yfcsa2WbA+bSssh0S4 # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap/ijji.com # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub #updatedn cn=Replication Manager,dc=ijji,dc=com #updateref ldap://ca1xc115.ijji.com access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=ijji,dc=com" write by * none access to * by self write by dn.base="cn=Manager,dc=ijji,dc=com" write by * read access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Replication Manager,dc=ijji,dc=com" write by * none access to * by self write by dn.base="cn=Replication Manager,dc=ijji,dc=com" write by * read # Replicas of this database replogfile /var/lib/ldap/openldap-master-replog replica host=ca1xc115.ijji.com:389 binddn="cn=Replication Manager,dc=ijji,dc=com" bindmethod=simple credentials=skdltmwkq loglevel -1 database bdb suffix "dc=ijji,dc=com" rootdn "cn=Manager,dc=ijji,dc=com" rootpw {SSHA}EpkPadkANDlpX7yfcsa2WbA+bSssh0S4 # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /var/lib/ldap/ijji.com # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub updatedn "cn=Replication Manager,dc=ijji,dc=com" updateref ldap://ca1xc124.ijji.com access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=ijji,dc=com" write by * none access to * by self write by dn.base="cn=Manager,dc=ijji,dc=com" write by * read access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Replication Manager,dc=ijji,dc=com" write by * none access to * by self write by dn.base="cn=Replication Manager,dc=ijji,dc=com" write by * read # Replicas of this database #replogfile /var/lib/ldap/openldap-master-replog #replica host=ldap-1.example.com:389 starttls=critical # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com(a)EXAMPLE.COM loglevel -1 Justin Choi Sr. Security Engineer NHN USA, Inc. 3353 Michelson Suite 250 Irvine, CA 92612 Mobile (408) 329-8554 MSN iD: counterhacker(a)live.com <mailto:amyoh79@hotmail.com> Office (949) 863-1292 ext 256 Fax (949) 863-9418

2 1

nss_initgroups_ignoreusers
by Lynn York 26 Oct '08

26 Oct '08

Hello, I seem to be having an issue with nss_initgroups_ignoreusers. I have the following line in my /etc/ldap.conf file but it still seems to search ldap for the users. Can anyone shed some light on this issue for me? Also, I am running nss_ldap version >= 2.53. I have supplied a snippet of the sldap log. [ /etc/ldap.conf ] nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,postm aster,anonymous,apache [end ] [ log snippet ] Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=140 fd=48 ACCEPT from IP=127.0.0.1:59736 (IP=0.0.0.0:389) Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=27 SRCH base="ou=Internal,dc=mgmt,dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postmaster))" Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=27 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=139 op=0 STARTTLS Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=139 op=0 RESULT oid= err=0 text= Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=27 SEARCH RESULT tag=101 err=0 nentries=0 text= Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=28 SRCH base="ou=Internal,dc=mgmt, dc=test,dc=com " scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postmaster))" Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=28 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=139 fd=62 TLS established tls_ssf=256 ssf=256 [ end snippet ] Thanks

1 0

active option crypt
by Kermito le kermit 26 Oct '08

26 Oct '08

hello all, i am to know how to activate option crypt in install of open ldap when i make this commande i see in the log crypt ..... no ./configure --enable-crypt

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2008