openldap-technical February 2008

openldap-technical@openldap.org

57 participants
79 discussions

LDAP add fails with Protocol Error
by Alexander Hartner 27 Feb '08

27 Feb '08

After generating an LDIF file using ldapsearch having a direct fast connect to the LDAP directory, attempt to re-import the file have succeeded while being on the local network. However attempt to import the same LDIF file over a WAN connection fail with the following error: ldapadd -c -D "..." -w ... -x -h ... -p 389 -f test2.ldif adding new entry "..." ldap_add: Already exists (68) adding new entry "..." ldap_add: Already exists (68) adding new entry "..." ldap_add: Protocol error (2) additional info: no attributes provided adding new entry "..." ldap_add: Already exists (68) .. adding new entry "..." adding new entry "..." .. adding new entry "..." ldapadd: update failed: ... ldap_add: Can't contact LDAP server (-1) .. All messages after this file with the same error (-1). It seems that the slower connection is causing a Protocol error which results in LDAP falling over, or at least becoming un-available. Any ideas what could be causing this problem and what I could to address this. Regards Alex

2 1

nss_ldap periodic errors
by Kamil Kisiel 27 Feb '08

27 Feb '08

I'm using nss_ldap on a whole bunch of machines on the network, and while it works great most of the time, I continuously get errors in my syslog. A sampling from today (these are actually from different machines, but I have anonymized the hostnames to be the same.): Feb 25 09:30:25 server.example.com sshd[17495]: nss_ldap: could not search LDAP server - Server is unavailable Feb 25 11:11:08 server.example.com -bash: nss_ldap: could not search LDAP server - Server is unavailable Feb 25 21:50:01 server.example.com automount[5030]: nss_ldap: could not search LDAP server - Server is unavailable Feb 25 21:55:16 server.example.com nscd: nss_ldap: could not search LDAP server - Server is unavailable I get a few of these errors in our syslogs every hour, and occasionally it seems I can't log in via SSH. However typically when I log in to the machine and do a "getent passwd" everything is fine. The LDAP server is from Open Directory in OS X Server 10.5.2. The version of nss_ldap is the one from Gentoo Linux, version nss_ldap-258. My /etc/ldap.conf looks like this: uri ldap://ldap1.example:389 base dc=example,dc=com timelimit 30 bind_timelimit 30 bind_policy soft nss_reconnect_maxconntries 5 idle_timelimit 3600 pam_password_prohibit_message Please use System Preferences on your Mac to change your directory password. nss_base_group cn=Groups,dc=zymeworks,dc=com nss_base_passwd cn=Users,dc=zymeworks,dc=com Does anyone have any suggestions as to what I can try to do to debug and fix this ? It's really becoming irritating. -- Kamil

3 4

log fields
by Gustavo Mendes de Carvalho 26 Feb '08

26 Feb '08

Hi there, I would like to get some documentation that can describe, in details, which fiileds there are present in ldap.log file, and the meaning of each field. I need some information about 7th field (op=33 in first line). Where can I find all codes used in this field ? Jan 10 11:50:21 ldap01 slapd[10819]: conn=1702 op=33 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 10 11:50:25 ldap01 slapd[10819]: conn=1702 op=34 SRCH base="uid=gustavo,ou=company,c=org" scope=0 deref=0 filter="(objectClass=*)" Jan 10 11:50:25 ldap01 slapd[10819]: conn=1702 op=34 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 10 11:50:26 ldap01 slapd[10819]: conn=1702 op=35 SRCH base="uid=gustavo,ou=company,c=org" scope=0 deref=0 filter="(objectClass=*)" Jan 10 11:50:26 ldap01 slapd[10819]: conn=1702 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 10 12:28:13 ldap01 slapd[10819]: conn=1702 op=36 UNBIND Jan 10 12:28:13 ldap01 slapd[10819]: conn=1702 fd=21 closed Thanks --- Gustavo e-mail: gmcarvalho(a)gmail.com

5 7

Re: using LDAP as central authentication unit
by Hamidreza Hamedtoolloei 26 Feb '08

26 Feb '08

Hey Buchan, Thanks alot for your help... it make sense now....during the configuration process , I modified the NSS service to consult the OpenLDAP server by adding the following lines in the /etc/nsswitch.conf file passwd: files ldap shadow: files ldap group: files ldap So ldap server is called for NSS lookup regardless of what authentication mechanism is used. got it Again, thanks alot ~Hamid ----- Original Message ---- From: Buchan Milne <bgmilne(a)staff.telkomsa.net> To: openldap-technical(a)openldap.org Cc: Hamidreza Hamedtoolloei <hamedtoolloei(a)yahoo.com> Sent: Tuesday, February 26, 2008 1:13:56 AM Subject: Re: using LDAP as central authentication unit On Monday 25 February 2008 20:52:08 Hamidreza Hamedtoolloei wrote: > so if a user is in both /etc/passwd and ldap, linux authentication is used. > However, if a user is ONLY in ldap directory, linux authentication fails > and ldap is called. Analysing the case that a user is only in the > etc/passwd: > In this case, there are some activities in the ldap site which I dont > understand. If a user is only in etc/passwd and pam.d/system.auth file > says call ldap only if linux fails, then why ldap is called when linux > authentication is successful? Because, this is NOT PAM. It is a NSS lookup. For example, when you type 'ls', the filesystem returns the uid that owns the files. To show the username of the owner, the c library invokes a function from nss, to look up the username. This has nothing to do with pam. In a similar way, group memberships have nothing (much) to do with PAM, but with nss. > You say this is expected... but if I understood the pam.d/system.auth file > correctly, ldap should not be called if a user is only in etc/passwd We can't tell, as you haven't provided your /etc/nsswitch.conf file, and none of the queries from your log look like pam_ldap, they look more like nss_ldap ... Regards, Buchan ____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs

1 0

OpenLDAP Support for cpCPS objectClass??
by Patrick Patterson 26 Feb '08

26 Feb '08

Hi All; I am working on a PKI project, and would like to be able to use OpenLDAP, however, the certificate policy that we have to conform to mandates that CA entries be a member of pkiCA and cpCps auxiliary object classes. Now, the pkiCA requirement is easy, as it looks like OpenLDAP supports that just fine, however, I'm wondering if cpCPS is able to be supported. I guess my question is twofold: Have the syntax checking routines mandated for the cpCps object class (I presume out of ITU-T X.509 chapter 11) been implemented in OpenLDAP, and if so, does anyone happen to have a schema file available so that I don't have to write one myself to add this objectClass to OpenLDAP. If not, is it possible to add these syntax checking routines in the same way as one can extend the schema for object classes and attributes? (I know that I could probably cheat, turn schema checking off and just build have the server support the attributes in a somewhat custom fashion, but since this is for a PKI system that needs a certain level of trust, I am a bit loath to do this). Thanks in advance. -- Personal Mail from Patrick Patterson No company affiliation

3 4

Re: Limit daily query number
by cariparo＠libero.it 26 Feb '08

26 Feb '08

Overlays seems to be the right way to follow. Now I perform some investigation... Grazie! ---------- Initial Header ----------- >From : "Pierangelo Masarati" ando(a)sys-net.it To : "cariparo(a)libero.it" cariparo(a)libero.it Cc : openldap-technical(a)openldap.org Date : Mon, 25 Feb 2008 15:06:57 +0100 Subject : Re: Limit daily query number > Gavin Henry wrote: > > <quote who="cariparo\(a)libero\.it"> > >> Thanks Gavin, > >> We have a LDAP service for out customers, under subscription, and we want > >> to release a light free service for everyone on Internet, by narrowing the > >> daily queries number. > >> I'm thinking to create a PHP bridge, so free customers call a php page > >> instead to connecting directly to LDAP server, and mantain an IP list on > >> MySQL. Any other idea? > > What you need would best be dealt with by a custom overlay. I suggest > you look at overlay development (servers/slapd/overlays/slapover.txt, > <http://www.openldap.org/faq/data/cache/1169.html>), or hire someone > that can develop it for you. > > <advertisement> > One of SysNet's specialties is custom overlay development > <http://open.sys-net.it> > </advertisement> > > p. > > > > Ing. Pierangelo Masarati > OpenLDAP Core Team > > SysNet s.r.l. > via Dossi, 8 - 27100 Pavia - ITALIA > http://www.sys-net.it > --------------------------------------- > Office: +39 02 23998309 > Mobile: +39 333 4963172 > Email: pierangelo.masarati(a)sys-net.it > --------------------------------------- > > >

1 0

Change LDAP User's Password
by Le Trung Kien 26 Feb '08

26 Feb '08

Hi, I'm confused about ldap authentication. I'm attempting to use ldap with kerberos 5, when changing an user's password, I issused: user1]$ passwd Kerberos 5 Password: ****** New UNIX password: ****** Retype new UNIX password: ****** All things go well, however, still have a password don't change, and I don't know what this password is. And how to change it. Still that user, I can't use 'ldappasswd' user1]$ ldappasswd SASL/GSSAPI authentication started SASL username: user1(a)MYREALM.COM SASL SSF: 56 SASL installing layers New password: yPYNAgvO <--- this changes frequently Result: Internal (implementation specific) error (80) Additional info: SASL(-7): invalid parameter supplied: Error putting OTP secret I should emphasize that the user1 has two passwords, the first one can be changed with 'passwd' or 'kpasswd', the other I don't know how to access it, although this second password still works and it's can be used to login. More information: user1]$ passwd Kerberos 5 Password: <--- type a wrong password and got following (only the first password works here) Enter login(LDAP) password: <--- the second password works here New UNIX password: ****** Retype new UNIX password: ****** LDAP password information update failed: Insufficient access passwd: Permission denied Best Regards. -- Le Trung Kien.

2 7

Redirect bind requests to another server
by Andreas Moroder 26 Feb '08

26 Feb '08

Hello, we have a web application that autenticates via openldap. Now a second hospital should use this same application, but they have their own autentication server, active directory in this case. In our network the users authenticate giving their username ( amoroder in my case ) and password. Is it possible to configure openldap to redirect the bind request to the remote server when the username contains an extension like jsmith@remote ? Does this work with AD as second/remote authentication server ? Thank you very much Andreas

4 4

Re: using LDAP as central authentication unit
by Hamidreza Hamedtoolloei 26 Feb '08

26 Feb '08

Hey Buchan, Sorry for not answering your question.. I must have overlooked your response. My ultimate goal is to use LDAP for user authentication and resource authorization in a grid computing environment. As a starting point, I tried to use ldap as a centralized linux user account management mechanism. So I configured my LDAP to act as linux user authentication using this link: http://www.ibm.com/developerworks/library/l-openldap/index.html during analyzing the behavior of ldap I came up with the below observation: /etc/pam.d/system.auth file has the following content which suggests that linux authentication is used first and it it fails ldap is used. auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass so if a user is in both /etc/passwd and ldap, linux authentication is used. However, if a user is ONLY in ldap directory, linux authentication fails and ldap is called. Analysing the case that a user is only in the etc/passwd: In this case, there are some activities in the ldap site which I dont understand. If a user is only in etc/passwd and pam.d/system.auth file says call ldap only if linux fails, then why ldap is called when linux authentication is successful? You say this is expected... but if I understood the pam.d/system.auth file correctly, ldap should not be called if a user is only in etc/passwd Thanks, ~Hamid ----- Original Message ---- From: Buchan Milne <bgmilne(a)staff.telkomsa.net> To: openldap-technical(a)openldap.org Cc: Hamidreza Hamedtoolloei <hamedtoolloei(a)yahoo.com> Sent: Sunday, February 24, 2008 11:02:04 PM Subject: Re: using LDAP as central authentication unit On Saturday 23 February 2008 03:09:33 Hamidreza Hamedtoolloei wrote: > Dear Tony, > Thanks for your comment..I played more with my ldap and here is what I > found out.. If a user in in both /etc/passwd and ldap directory with the > same password, linux authentication is used. However, if user etc/passwd is > different than the ldap passwd, depending on what passwd is used during the > login, appropriate authentication is used(i.e both passwords work just > fine) However, here is what I still dont understand: > if a user is only in etc/passwd, after executing su user, it seems that > there are still some activities in the ldap site. This is to be expected. But, since you did not answer my previous question (asking about what you are trying to achieve, not every single question you have on how user information and authentication technologies work), I am not sure how to answer some of your questions. > fir instance when I do su > karan where karan ONLY exists in the etc/passwd, I get the following in > the logfile(/vat/log/local4) > > > Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 fd=20 ACCEPT from > IP=127.0.0.1:33277 (IP=0.0.0.0:389) Feb 22 14:54:03 gamaalien slapd[7896]: > conn=42 op=0 BIND dn="" method=128 Feb 22 14:54:03 gamaalien slapd[7896]: > conn=42 op=0 RESULT tag=97 err=0 text= Feb 22 14:54:03 gamaalien > slapd[7896]: conn=42 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 > deref=0 filter="(&(objectClass=posixAccount)(uidNumber=502))" Feb 22 > 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH attr=uid userPassword > uidNumber gidNumber cn homeDirectory loginShell gecos description > objectClass This is a typical search from nss_ldap, *not* pam_ldap. As such, it has nothing to do with your PAM configuration, but your nss configuration, which I don't believe you have provided. > Feb 22 14:54:03 gamaalien slapd[7896]: <= > bdb_equality_candidates: (uidNumber) not indexed You should tell slapd to index uidNUmber (in slapd.conf), and run slapindex to ensure that the existing entries are indexed. > Feb 22 14:54:03 gamaalien > slapd[7896]: conn=42 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Feb > 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 ACCEPT from > IP=127.0.0.1:33278 (IP=0.0.0.0:389) Feb 22 14:55:04 gamaalien slapd[7896]: > conn=42 fd=20 closed (connection lost) Feb 22 14:55:04 gamaalien > slapd[7896]: conn=43 op=0 BIND dn="" method=128 Feb 22 14:55:04 gamaalien > slapd[7896]: conn=43 op=0 RESULT tag=97 err=0 text= Feb 22 14:55:04 > gamaalien slapd[7896]: conn=43 op=1 SRCH base="ou=People,dc=ibm,dc=com" > scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=karan))" Feb 22 > 14:55:04 gamaalien slapd[7896]: <= bdb_equality_candidates: (uid) not > indexed Samething with uid. > Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SEARCH RESULT > tag=101 err=0 nentries=0 text= Feb 22 14:55:04 gamaalien slapd[7896]: > conn=43 op=2 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 > filter="(&(objectClass=posixGroup)(memberUid=karan))" Feb 22 14:55:04 > gamaalien slapd[7896]: conn=43 op=2 SRCH attr=gidNumber Feb 22 14:55:04 > gamaalien slapd[7896]: conn=43 op=2 SEARCH RESULT tag=101 err=0 nentries=0 > text= Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 closed > (connection lost) > > do you know whats going on here? if linux authentication is used and karan > is not in the ldap directory then why ldap is called? thanks for your help Let's see your /etc/nsswitch.conf first ... ____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping

2 1

REF: Getting Started - LDAP+PDC
by Teddy L. Nyambe 26 Feb '08

26 Feb '08

Hi All, Am new. I have LDAP running on a server and created accounts using OXAdmin tool form Openxchange, now I want to integrate samba as a PDC and I have noticed there are no home directories for users created using the tool. Should I create users in /etc/passwd, I want to use the already existing users in LDAP and have them log in to the domain. How can I setup this please help!? Kind regards Teddy L. ............................................................................ ........... Teddy Lubasi Nyambe Assistant Principal Clerk ICT - Applications National Assembly of Zambia P.O. Box 31299 Lusaka, ZAMBIA Phone: +260 1 292425 Cell: +260 97 7760473 ~/ Human Knowledge belongs to the world! - AntiTrust Man is a tool-using animal. Without tools he is nothing, with tools he is all - Thomas Carlyle 1795-1881 As we enjoy great advantages from inventions of others, we should be glad of an opportunity to serve others by any invention of ours; and this we should do freely and generously. Benjamin Franklin /~

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2008