Syncrepl question
by Ivan Ordonez
Hi all,
We have a small domain with about 500 users and computers. We are
using Samba with OpenLDAP integration to authenticate user logins and
file sharing. Our setup consists of 3 servers running Gentoo Linux:
1 PDC and 2 BDCs. As for replication, we are still using "slurpd". Any
change or modification is done through the PDC, which replicates the
changes to BDC1; from BDC1 it then goes down to BDC2, like a
chain.
We want to start using "syncrepl" soon as a way to replicate our
database, but I'm not sure where to start. We want to set up all of our
machines to sync with each other every day, and not worry about which machine is
used to make changes, modifications, etc. I'm not sure which syncrepl
function to use to achieve what we want to do. Is "N-Way Multi-Master
replication" the correct choice for this? We are using the "BDB" database
on each server, and would like to achieve this with minimal downtime if
possible. What is the best way to do this? Please advise.
Any help is greatly appreciated.
-Ivan
14 years, 12 months
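The question above is about N-way multi-master syncrepl. As an added example (not from the original post or from the OpenLDAP project), the following Python builds the slapd.conf fragments a three-node multi-master cluster needs and then checks the invariants that most often break such a setup: one unique serverID per host, one syncrepl consumer per peer with a rid that is unique within the host, mirrormode on, and the syncprov overlay loaded so the peers can pull from it. The hostnames (ldap1..ldap3.example.com), the suffix, the replicator DN and the placeholder credentials are assumptions; a real file also needs the rootdn password, index list and ACLs shown elsewhere on this page.

```python
"""Generate and sanity-check slapd.conf fragments for N-way multi-master syncrepl.
Added example; hostnames, DNs and the replicator password are assumptions."""
import re

# One consumer stanza per peer. Continuation lines start with whitespace, as
# slapd.conf requires. starttls=critical keeps the replicator password off the wire.
CONSUMER = """\
syncrepl rid={rid:03d}
    provider=ldap://{peer}
    starttls=critical
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=CHANGE-ME
    searchbase="dc=example,dc=com"
    type=refreshAndPersist
    retry="5 5 300 +"
"""

TEMPLATE = """\
# {host}
serverID {sid}
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
directory /var/lib/openldap-data
index entryCSN,entryUUID eq
{consumers}mirrormode on
overlay syncprov
syncprov-checkpoint 100 10
"""

HOSTS = ["ldap1.example.com", "ldap2.example.com", "ldap3.example.com"]


def build_cluster(hosts=HOSTS):
    """One slapd.conf fragment per host; each host consumes from every peer."""
    sid = {h: i + 1 for i, h in enumerate(hosts)}
    out = {}
    for host in hosts:
        consumers = "".join(CONSUMER.format(rid=sid[p], peer=p) for p in hosts if p != host)
        out[host] = TEMPLATE.format(host=host, sid=sid[host], consumers=consumers)
    return out


def logical_lines(text):
    """slapd.conf joins lines that start with whitespace onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_fragment(text):
    cfg = {"serverID": None, "syncrepl": [], "mirrormode": False, "syncprov": False}
    for line in logical_lines(text):
        key, _, rest = line.partition(" ")
        if key == "serverID":
            cfg["serverID"] = rest.strip()
        elif key == "syncrepl":
            pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', rest)
            cfg["syncrepl"].append({k: v.strip('"') for k, v in pairs})
        elif key == "mirrormode":
            cfg["mirrormode"] = rest.strip().lower() == "on"
        elif key == "overlay" and rest.strip() == "syncprov":
            cfg["syncprov"] = True
    return cfg


def check_cluster(configs):
    """Return a list of problems (empty when the fragments are consistent)."""
    problems, owner = [], {}
    for host, text in configs.items():
        cfg = parse_fragment(text)
        sid = cfg["serverID"]
        if sid is None:
            problems.append(f"{host}: missing serverID")
        elif sid in owner:
            problems.append(f"{host}: serverID {sid} already used by {owner[sid]}")
        else:
            owner[sid] = host
        if not cfg["mirrormode"]:
            problems.append(f"{host}: mirrormode not on, slapd will refuse writes here")
        if not cfg["syncprov"]:
            problems.append(f"{host}: overlay syncprov missing, peers cannot pull from it")
        rids, providers = set(), set()
        for s in cfg["syncrepl"]:
            rid, prov = s.get("rid"), s.get("provider", "")
            if rid in rids:
                problems.append(f"{host}: duplicate rid={rid}")
            rids.add(rid)
            providers.add(re.sub(r"^\w+://", "", prov).split(":")[0])
            if (s.get("bindmethod") == "simple" and not prov.startswith("ldaps://")
                    and s.get("starttls") not in ("yes", "critical")):
                problems.append(f"{host}: rid={rid} would send the replicator password in clear")
        missing = set(configs) - {host} - providers
        if missing:
            problems.append(f"{host}: no syncrepl consumer for {sorted(missing)}")
    return problems


if __name__ == "__main__":
    cluster = build_cluster()
    print(cluster["ldap1.example.com"])
    print("problems:", check_cluster(cluster))
```

refreshAndPersist is used rather than a once-a-day refreshOnly interval because in multi-master every node accepts writes, and a long refresh window is a long window in which two nodes can diverge. The replicator DN needs read access to the whole suffix, including userPassword, on every peer, which is why the ACL ordering discussed further down this page matters for replication too.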
GSSAPI Error: An invalid name was supplied (Not enough space)
by Ben Lentz
Greetings list,
I am using openldap-2.4.12 with cyrus-sasl 2.1.22 with mit krb5-1.6.3
on an AIX 5.3, TL8, SP2 machine.
Whenever I try to use GSSAPI with ldapsearch against a Microsoft
Active Directory server, I get the following error:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
When I run the process through truss -rall -wall -f, I see the
following error near the failure:
GSSAPI Error: An invalid name was supplied (Not enough space)
I am able to acquire a kerberos ticket, I can list the GSSAPI plugin
using pluginviewer, and I can ldapsearch against the MSAD server using
simple authentication.
I have searched Google and can find no reference to the "Not enough
space" error. Has anyone else seen this before or can anyone shed any
light on this?
Thanks in advance.
15 years, 1 month
Password hash in openldap
by Paul Lee
Dear all,
Last time I changed slapd.conf to restrict anonymous users from seeing the
userPassword attribute from a 3rd-party LDAP browser. However, our client
still wants to encrypt/hash the password stored in LDAP, because he says
that he can use another user's auth to the LDAP and then see other
users' passwords (e.g. he can see his boss's password).
Since we have the admin portal to change the user password as well, it
seems we can't restrict the userPassword attribute to self read/write.
Also, we will use the password policy and restrict users from re-using their
last 12 passwords.
So, my question is: is it possible to hash the password stored in
OpenLDAP, and is the password stored in the password history also
hashed, so that other users can't see others' passwords?
Thanks
15 years, 1 month
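The post above asks whether userPassword and the password history can be stored hashed. As an added example (not from the original post or from OpenLDAP itself), the Python below reproduces the {SSHA} scheme slapd and slappasswd(8) use, base64(SHA1(password + salt) + salt), verifies a password against it, and audits an LDIF export for userPassword and pwdHistory values that are still cleartext. The LDIF and the DNs are constructed for the example. Two facts from the OpenLDAP documentation frame it: the `password-hash` directive only hashes passwords that arrive through the Password Modify extended operation, so an admin portal that writes userPassword with an ordinary modify stores exactly what it sends unless the ppolicy overlay's `ppolicy_hash_cleartext` is set; and pwdHistory holds copies of the previous userPassword values as they were stored, so the history is exactly as hashed as userPassword was at the time.

```python
"""{SSHA} as slapd stores it, plus an LDIF audit for cleartext passwords.
Added example; the LDIF, DNs and passwords below are constructed."""
import base64
import hashlib
import hmac
import os
import re

# Schemes slapd can verify on bind; anything without one of these prefixes is
# stored as the literal cleartext and readable by whoever has read on the attribute.
KNOWN_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")


def make_ssha(password, salt=None):
    """Return a {SSHA} value; slappasswd(8) uses a random 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Check a cleartext password against a {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def cleartext_passwords(ldif):
    """Return (dn, attribute) pairs whose userPassword or pwdHistory value carries no
    known {scheme} prefix, i.e. is stored in clear."""
    findings, dn = [], None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            continue
        m = re.match(r"(userPassword|pwdHistory)(::?) (.*)", line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                       # LDIF base64-encodes unsafe values
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr == "pwdHistory":              # ppolicy format: time#syntaxOID#length#data
            value = value.split("#", 3)[-1]
        if not value.startswith(KNOWN_SCHEMES):
            findings.append((dn, attr))
    return findings


# Constructed export: alice was hashed at storage time, bob was written in clear
# by a client that bypassed the Password Modify extended operation.
ALICE = make_ssha("correct horse", salt=b"\x00\x01\x02\x03")
ALICE_OLD = make_ssha("old one", salt=b"abcd")
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=com\n"
    f"userPassword: {ALICE}\n"
    f"pwdHistory: 20081028143254Z#1.3.6.1.4.1.1466.115.121.1.40#{len(ALICE_OLD)}#{ALICE_OLD}\n"
    "\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\n"
    "userPassword: hunter2\n"
    "pwdHistory: 20081028143254Z#1.3.6.1.4.1.1466.115.121.1.40#7#letmein\n"
)

if __name__ == "__main__":
    print(ALICE, verify_ssha("correct horse", ALICE))
    for dn, attr in cleartext_passwords(SAMPLE_LDIF):
        print("cleartext:", dn, attr)
```

The server-side settings this audit assumes are `password-hash {SSHA}` in slapd.conf, `overlay ppolicy` with `ppolicy_hash_cleartext`, and `pwdInHistory: 12` in the policy entry. Hashing does not replace the ACL: a reader with access to userPassword still gets a value that can be attacked offline, so `by self write / by anonymous auth / by * none` on userPassword stays in place and the audit above is for finding entries written before the hashing was enforced.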
create quota to openldap group
by Kermito le kermit
hello all,
I use OpenLDAP on Debian and everything works fine; I use OpenLDAP + Samba PDC for my domain. Now I want to add a quota to a group in my OpenLDAP with a quota tool (edquota etc.). I can put a quota on sambausers but not on other groups.
any ideas
15 years, 1 month
ldap queries to AD server
by Lynn York
Hello,
I am seeing a large number of queries for users such as vpopmail,
postmaster, anonymous and a few other users being sent to the AD server via
the OpenLDAP proxy. Below is a snippet of the log; I was curious how I
could stop the servers from searching for these users via LDAP.
[ snippet ]
Oct 28 14:32:54 ldap-proxy slapd[21165]: conn=2828 op=56 SRCH base="ou=Internal,dc=mgmt,dc=test,dc=net" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=vpopmail))"
Oct 28 14:32:54 ldap-proxy slapd[21165]: conn=2828 op=56 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
[ end snippet ]
15 years, 1 month
"bulk-reload" of database and replication
by Sebastian Benoit
Hi,
we are developing an application using OpenLDAP and have the following
problem:
We plan a setup using one master LDAP server (with normally few write
operations). The database will be replicated to (initially) two
slave servers using syncrepl replication.
Now, at the beginning (until the complete system is set up to work with the
LDAP server) we will need to re-initialize the complete database from
scratch.
This reload takes about 10 minutes using perl-ldap and a TCP connection to
the server. During this time the application accessing the slave servers
should still see the old view of the database. The switch from old data to
new data on the slave servers should be as fast as possible to avoid clients
seeing wrong (or non-existent) data.
I thought about writing the data in LDIF format and then creating a new database
from that using slapadd. But then there is still the replication problem.
What methods do others use to solve this?
Thanks for your help,
/Benno
--
Sebastian Benoit <benoit-lists(a)fb12.de>
15 years, 1 month
slurpd replication problem.
by Choi, Justin
I am seeing invalid credential error logs a lot.
Could you guys let me know how to solve this issue?
Thanks.
Server log (slurpd -d 2)
Replica log (/usr/sbin/slapd -u ldap -d 2 -h ldap:///)
slapd.conf
database bdb
suffix "dc=ijji,dc=com"
rootdn "cn=Manager,dc=ijji,dc=com"
rootpw {SSHA}EpkPadkANDlpX7yfcsa2WbA+bSssh0S4
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/ijji.com
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
#updatedn cn=Replication Manager,dc=ijji,dc=com
#updateref ldap://ca1xc115.ijji.com
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=ijji,dc=com" write
by * none
access to *
by self write
by dn.base="cn=Manager,dc=ijji,dc=com" write
by * read
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Replication Manager,dc=ijji,dc=com" write
by * none
access to *
by self write
by dn.base="cn=Replication Manager,dc=ijji,dc=com" write
by * read
# Replicas of this database
replogfile /var/lib/ldap/openldap-master-replog
replica host=ca1xc115.ijji.com:389
        binddn="cn=Replication Manager,dc=ijji,dc=com"
        bindmethod=simple credentials=skdltmwkq
loglevel -1

# ---- second slapd.conf (the replica, with updatedn/updateref) ----
database bdb
suffix "dc=ijji,dc=com"
rootdn "cn=Manager,dc=ijji,dc=com"
rootpw {SSHA}EpkPadkANDlpX7yfcsa2WbA+bSssh0S4
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/ijji.com
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
updatedn "cn=Replication Manager,dc=ijji,dc=com"
updateref ldap://ca1xc124.ijji.com
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=ijji,dc=com" write
by * none
access to *
by self write
by dn.base="cn=Manager,dc=ijji,dc=com" write
by * read
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Replication Manager,dc=ijji,dc=com" write
by * none
access to *
by self write
by dn.base="cn=Replication Manager,dc=ijji,dc=com" write
by * read
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#        bindmethod=sasl saslmech=GSSAPI
#        authcId=host/ldap-master.example.com(a)EXAMPLE.COM
loglevel -1
Justin Choi
Sr. Security Engineer
NHN USA, Inc.
3353 Michelson Suite 250
Irvine, CA 92612
Mobile (408) 329-8554
MSN iD: counterhacker(a)live.com
Office (949) 863-1292 ext 256
Fax (949) 863-9418
15 years, 1 month
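The posted slapd.conf lists `access to attrs=userPassword` and `access to *` twice, once naming cn=Manager and once naming cn=Replication Manager. slapd.access(5) evaluates access directives first-match: the first `access to <what>` clause that matches the target is the only one consulted, and inside it the first matching `by <who>` decides. The added Python below (an illustration, not OpenLDAP code) models just the forms that appear in the posted file and evaluates them, showing that the second pair of clauses is never reached, so the Replication Manager DN ends up with `none` on userPassword and only `read` on everything else; slapd.conf(5) describes the replica's updatedn as permitted to update the replica subject to access controls, so that is the effective permission set on the replica as posted. A merged version with both DNs in one clause is evaluated alongside. One caveat the evaluator makes explicit: an "invalid credentials" result is a bind failure and is decided before any ACL is consulted, so the clause ordering cannot be the cause of that particular error; it would show up as insufficient access once the bind succeeded. ACL_TEXT is a copy of the posted clauses; the user DN is constructed.

```python
"""First-match evaluation of slapd ACLs (simplified model of slapd.access(5)).
Added example; ACL_TEXT copies the posted clauses, USER is a constructed DN."""
import re

ACL_TEXT = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=ijji,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=ijji,dc=com" write
    by * read
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Replication Manager,dc=ijji,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=Replication Manager,dc=ijji,dc=com" write
    by * read
"""

# Same intent, but each <what> appears once so every <who> is reachable.
MERGED_ACL_TEXT = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=ijji,dc=com" write
    by dn.base="cn=Replication Manager,dc=ijji,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=ijji,dc=com" write
    by dn.base="cn=Replication Manager,dc=ijji,dc=com" write
    by * read
"""

REPL = "cn=Replication Manager,dc=ijji,dc=com"
MANAGER = "cn=Manager,dc=ijji,dc=com"
USER = "uid=someone,ou=People,dc=ijji,dc=com"   # constructed target entry


def parse_acls(text):
    """-> list of (what, [(who, level), ...]) in file order."""
    acls = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and acls:
            who, _, level = line[3:].rpartition(" ")   # level is the last word
            acls[-1][1].append((who.strip(), level.strip()))
    return acls


def what_matches(what, attr):
    if what == "*":
        return True
    m = re.match(r"attrs=(.+)", what)
    return bool(m) and attr in m.group(1).split(",")


def who_matches(who, binddn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return binddn == ""
    if who == "self":
        return binddn != "" and binddn.lower() == target_dn.lower()
    m = re.match(r'dn\.base="(.+)"', who)
    if m:
        return binddn.lower() == m.group(1).lower()
    raise ValueError(f"unsupported who clause: {who}")


def access_level(acls, binddn, target_dn, attr):
    """Return (level, index of the clause that decided). Only the first clause
    whose <what> matches is consulted; if none of its <who> match, or no
    clause matches at all, slapd denies access."""
    for i, (what, bys) in enumerate(acls):
        if what_matches(what, attr):
            for who, level in bys:
                if who_matches(who, binddn, target_dn):
                    return level, i
            return "none", i
    return "none", None


def unreachable_clauses(acls):
    """Indexes of clauses whose <what> repeats an earlier one verbatim; slapd
    never gets past the earlier clause for those targets."""
    seen, dead = set(), []
    for i, (what, _) in enumerate(acls):
        if what in seen:
            dead.append(i)
        seen.add(what)
    return dead


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    print("unreachable clauses:", unreachable_clauses(acls))
    for attr in ("userPassword", "cn"):
        print(REPL, attr, "->", access_level(acls, REPL, USER, attr))
        print(REPL, attr, "(merged) ->", access_level(parse_acls(MERGED_ACL_TEXT), REPL, USER, attr))
```

The model covers only `*`, `self`, `anonymous` and `dn.base="..."`; real slapd also understands `users`, `dn.regex`, `group`, `set` and more, and applies the same first-match rule to them.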
nss_initgroups_ignoreusers
by Lynn York
Hello,
I seem to be having an issue with
nss_initgroups_ignoreusers. I have the following line in my /etc/ldap.conf
file, but it still seems to search LDAP for the users. Can anyone shed some
light on this issue for me? Also, I am running nss_ldap version >= 2.53.
I have supplied a snippet of the slapd log.
[ /etc/ldap.conf ]
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,postmaster,anonymous,apache
[end ]
[ log snippet ]
Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=140 fd=48 ACCEPT from IP=127.0.0.1:59736 (IP=0.0.0.0:389)
Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=27 SRCH base="ou=Internal,dc=mgmt,dc=test,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postmaster))"
Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=27 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=139 op=0 STARTTLS
Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=139 op=0 RESULT oid= err=0 text=
Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=27 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=28 SRCH base="ou=Internal,dc=mgmt, dc=test,dc=com " scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postmaster))"
Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=69 op=28 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 24 12:15:33 ldap-proxy slapd[10000]: conn=139 fd=62 TLS established tls_ssf=256 ssf=256
[ end snippet ]
Thanks
15 years, 1 month
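Both of Lynn York's posts on this page (the AD-proxy query flood and the nss_initgroups_ignoreusers one) come down to the same question: which uids are being looked up through the proxy, and which of those lookups are pointless. As an added example (not from the original posts), the Python below runs that detection over slapd stats-level log lines of the shape posted, pairs each SRCH with its SEARCH RESULT by conn/op, and flags uids that are in the posted ignore list or that are only ever looked up and never found. The log lines are constructed to match the posted format and the uid `jdoe` is invented. One caveat the output makes visible: nss_initgroups_ignoreusers, as the name says, only short-circuits nss_ldap's initgroups() group-membership path; the `(objectClass=posixAccount)(uid=...)` and `(objectClass=shadowAccount)(uid=...)` filters in the posted logs are passwd and shadow lookups, which that option does not suppress.

```python
"""Tally uid lookups seen in slapd stats-level logs and flag the pointless ones.
Added example; the log lines below are constructed to match the posted shape."""
import re

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" .*filter="(.*)"$')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)")
UID_RE = re.compile(r"\(uid=([^)]+)\)")

# The nss_initgroups_ignoreusers list exactly as posted.
IGNORE = {"root", "ldap", "named", "avahi", "haldaemon", "dbus", "radvd", "tomcat",
          "radiusd", "news", "mailman", "postmaster", "anonymous", "apache"}

SAMPLE_LOG = """\
Oct 28 14:32:54 ldap-proxy slapd[21165]: conn=2828 op=56 SRCH base="ou=Internal,dc=mgmt,dc=test,dc=net" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=vpopmail))"
Oct 28 14:32:54 ldap-proxy slapd[21165]: conn=2828 op=56 SRCH attr=uid userPassword shadowLastChange shadowMax
Oct 28 14:32:54 ldap-proxy slapd[21165]: conn=2828 op=56 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 28 14:32:55 ldap-proxy slapd[21165]: conn=2828 op=57 SRCH base="ou=Internal,dc=mgmt,dc=test,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postmaster))"
Oct 28 14:32:55 ldap-proxy slapd[21165]: conn=2828 op=57 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 28 14:32:56 ldap-proxy slapd[21165]: conn=2830 op=3 SRCH base="ou=Internal,dc=mgmt,dc=test,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=jdoe))"
Oct 28 14:32:56 ldap-proxy slapd[21165]: conn=2830 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 28 14:32:57 ldap-proxy slapd[21165]: conn=2831 op=1 SRCH base="ou=Internal,dc=mgmt,dc=test,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postmaster))"
Oct 28 14:32:57 ldap-proxy slapd[21165]: conn=2831 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""


def tally_uid_lookups(log_text):
    """Map uid -> (searches, searches that returned no entry). SRCH and SEARCH
    RESULT are separate log lines, so they are paired on (conn, op)."""
    pending, stats = {}, {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            u = UID_RE.search(m.group(3))
            if u:
                pending[(m.group(1), m.group(2))] = u.group(1)
            continue
        m = RESULT_RE.search(line)
        if m:
            uid = pending.pop((m.group(1), m.group(2)), None)
            if uid is None:
                continue
            total, empty = stats.get(uid, (0, 0))
            stats[uid] = (total + 1, empty + (1 if m.group(3) == "0" else 0))
    return stats


def noisy_lookups(stats, ignore=IGNORE):
    """uids that are local or system accounts, or that are looked up but never
    found: these should be answered from /etc/passwd (files before ldap in
    nsswitch.conf) instead of reaching the proxy and the AD server behind it."""
    return sorted(uid for uid, (total, empty) in stats.items()
                  if uid in ignore or (total > 0 and empty == total))


if __name__ == "__main__":
    stats = tally_uid_lookups(SAMPLE_LOG)
    for uid, (total, empty) in sorted(stats.items()):
        print(f"{uid:12s} searches={total} empty={empty}")
    print("candidates for local handling:", noisy_lookups(stats))
```

`vpopmail` is flagged even though it is absent from the posted ignore list, because every lookup for it came back with nentries=0; that is the list to compare against /etc/passwd and against the daemons that run on the proxy host.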
active option crypt
by Kermito le kermit
hello all,
I want to know how to activate the crypt option when installing OpenLDAP.
When I run this command I see in the log:
crypt ..... no
./configure --enable-crypt
15 years, 1 month