LDAP add fails with Protocol Error
by Alexander Hartner
After generating an LDIF file using ldapsearch over a direct, fast
connection to the LDAP directory, attempts to re-import the file have
succeeded while on the local network. However, attempts to import
the same LDIF file over a WAN connection fail with the following error:
ldapadd -c -D "..." -w ... -x -h ... -p 389 -f test2.ldif
adding new entry "..."
ldap_add: Already exists (68)
adding new entry "..."
ldap_add: Already exists (68)
adding new entry "..."
ldap_add: Protocol error (2)
additional info: no attributes provided
adding new entry "..."
ldap_add: Already exists (68)
..
adding new entry "..."
adding new entry "..."
..
adding new entry "..."
ldapadd: update failed: ...
ldap_add: Can't contact LDAP server (-1)
..
All messages after this file with the same error (-1).
It seems that the slower connection is causing a Protocol error which
results in LDAP falling over, or at least becoming unavailable.
Any ideas what could be causing this problem and what I could do to
address this?
Regards
Alex
15 years, 6 months
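A pre-flight check of the LDIF itself, as an added example that is not part of the original post: an add request whose attribute list is empty is exactly what slapd refuses with "Protocol error (2) / no attributes provided", so before blaming the link it is worth confirming that no record in the file is a bare `dn:` line (for instance because a blank line crept in between the dn and its attributes). The parser and the sample LDIF below are written for this example; neither is the poster's data.

```python
"""Pre-flight check of an LDIF file before handing it to ldapadd.

Added example, not code from the original post. It folds continuation
lines, splits records on blank lines and reports records that slapd's
add operation would reject with "no attributes provided": a dn: line
followed by no attribute lines (a lone 'changetype: add' does not count).
"""
import base64
import re

# attrtype, ":" or "::" (base64), optional single space, value
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def unfold(lines):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_records(text):
    """Split LDIF text into records (lists of logical lines), dropping comments."""
    records, current = [], []
    for line in unfold(text.splitlines()):
        if line.startswith("#"):
            continue
        if line.strip() == "":          # blank line terminates a record
            if current:
                records.append(current)
            current = []
            continue
        current.append(line)
    if current:
        records.append(current)
    return records


def decode_value(sep, value):
    """Decode a base64 ('::') value, otherwise return it unchanged."""
    if sep == "::":
        return base64.b64decode(value).decode("utf-8")
    return value


def check_ldif(text):
    """Return [(record_no, dn, problem)] for records ldapadd could not add."""
    problems = []
    for n, rec in enumerate(parse_records(text), 1):
        if rec[0].lower().startswith("version:"):
            rec = rec[1:]               # 'version: 1' belongs to the file, not the entry
            if not rec:
                continue
        m = ATTR_RE.match(rec[0])
        if not m or m.group(1).lower() != "dn":
            problems.append((n, None, "record does not start with a dn: line"))
            continue
        dn = decode_value(m.group(2), m.group(3))
        attrs = rec[1:]
        if attrs and attrs[0].lower().startswith("changetype:"):
            if attrs[0].split(":", 1)[1].strip().lower() != "add":
                continue                # modify/delete records are out of scope here
            attrs = attrs[1:]
        if not attrs:
            problems.append((n, dn, "no attributes provided"))
            continue
        for line in attrs:
            if not ATTR_RE.match(line):
                problems.append((n, dn, "malformed attribute line: %r" % line))
    return problems


# Constructed sample: record 2 is a bare dn line, the shape slapd rejects.
SAMPLE_LDIF = """\
version: 1
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Alice Example
sn: Example
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com

dn: cn=Folded Name,ou=People,
 dc=example,dc=com
objectClass: person
cn:: Rm9sZGVkIE5hbWU=
sn: Name
"""

if __name__ == "__main__":
    for rec_no, dn, problem in check_ldif(SAMPLE_LDIF):
        print("record %d (%s): %s" % (rec_no, dn, problem))
```

To check a real export, replace `SAMPLE_LDIF` with the contents of the file you are about to feed to `ldapadd -f`; a clean run prints nothing, and any record it reports would fail on the server regardless of how fast the connection is.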
nss_ldap periodic errors
by Kamil Kisiel
I'm using nss_ldap on a whole bunch of machines on the network, and
while it works great most of the time, I continuously get errors in my
syslog. A sampling from today (these are actually from different
machines, but I have anonymized the hostnames to be the same.):
Feb 25 09:30:25 server.example.com sshd[17495]: nss_ldap: could not
search LDAP server - Server is unavailable
Feb 25 11:11:08 server.example.com -bash: nss_ldap: could not search
LDAP server - Server is unavailable
Feb 25 21:50:01 server.example.com automount[5030]: nss_ldap: could
not search LDAP server - Server is unavailable
Feb 25 21:55:16 server.example.com nscd: nss_ldap: could not search
LDAP server - Server is unavailable
I get a few of these errors in our syslogs every hour, and
occasionally it seems I can't log in via SSH. However typically when I
log in to the machine and do a "getent passwd" everything is fine. The
LDAP server is from Open Directory in OS X Server 10.5.2. The version
of nss_ldap is the one from Gentoo Linux, version nss_ldap-258.
My /etc/ldap.conf looks like this:
uri ldap://ldap1.example:389
base dc=example,dc=com
timelimit 30
bind_timelimit 30
bind_policy soft
nss_reconnect_maxconntries 5
idle_timelimit 3600
pam_password_prohibit_message Please use System Preferences on your
Mac to change your directory password.
nss_base_group cn=Groups,dc=zymeworks,dc=com
nss_base_passwd cn=Users,dc=zymeworks,dc=com
Does anyone have any suggestions as to what I can try to do to debug
and fix this? It's really becoming irritating.
--
Kamil
15 years, 6 months
log fields
by Gustavo Mendes de Carvalho
Hi there,
I would like to get some documentation that describes, in detail,
which fields are present in the ldap.log file, and the meaning of
each field.
I need some information about the 7th field (op=33 in the first line). Where
can I find all codes used in this field?
Jan 10 11:50:21 ldap01 slapd[10819]: conn=1702 op=33 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 10 11:50:25 ldap01 slapd[10819]: conn=1702 op=34 SRCH base="uid=gustavo,ou=company,c=org" scope=0 deref=0 filter="(objectClass=*)"
Jan 10 11:50:25 ldap01 slapd[10819]: conn=1702 op=34 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 10 11:50:26 ldap01 slapd[10819]: conn=1702 op=35 SRCH base="uid=gustavo,ou=company,c=org" scope=0 deref=0 filter="(objectClass=*)"
Jan 10 11:50:26 ldap01 slapd[10819]: conn=1702 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 10 12:28:13 ldap01 slapd[10819]: conn=1702 op=36 UNBIND
Jan 10 12:28:13 ldap01 slapd[10819]: conn=1702 fd=21 closed
Thanks
---
Gustavo
e-mail: gmcarvalho(a)gmail.com
15 years, 7 months
Re: using LDAP as central authentication unit
by Hamidreza Hamedtoolloei
Hey Buchan,
Thanks a lot for your help... it makes sense now. During the configuration process, I modified the NSS service to consult the OpenLDAP server by adding the following lines in the /etc/nsswitch.conf file:
passwd: files ldap
shadow: files ldap
group: files ldap
So the ldap server is called for NSS lookups regardless of what authentication mechanism is used. Got it.
Again, thanks a lot
~Hamid
----- Original Message ----
From: Buchan Milne <bgmilne(a)staff.telkomsa.net>
To: openldap-technical(a)openldap.org
Cc: Hamidreza Hamedtoolloei <hamedtoolloei(a)yahoo.com>
Sent: Tuesday, February 26, 2008 1:13:56 AM
Subject: Re: using LDAP as central authentication unit
On Monday 25 February 2008 20:52:08 Hamidreza Hamedtoolloei wrote:
> so if a user is in both /etc/passwd and ldap, linux authentication is used.
> However, if a user is ONLY in ldap directory, linux authentication fails
> and ldap is called. Analysing the case that a user is only in the
> etc/passwd:
> In this case, there are some activities in the ldap site which I don't
> understand. If a user is only in etc/passwd and pam.d/system.auth file
> says call ldap only if linux fails, then why ldap is called when linux
> authentication is successful?

Because this is NOT PAM. It is an NSS lookup. For example, when you type 'ls', the filesystem returns the uid that owns the files. To show the username of the owner, the C library invokes a function from nss to look up the username. This has nothing to do with pam. In a similar way, group memberships have nothing (much) to do with PAM, but with nss.

> You say this is expected... but if I understood the pam.d/system.auth file
> correctly, ldap should not be called if a user is only in etc/passwd

We can't tell, as you haven't provided your /etc/nsswitch.conf file, and none of the queries from your log look like pam_ldap; they look more like nss_ldap ...

Regards,
Buchan
15 years, 7 months
OpenLDAP Support for cpCPS objectClass??
by Patrick Patterson
Hi All;
I am working on a PKI project, and would like to be able to use OpenLDAP,
however, the certificate policy that we have to conform to mandates that CA
entries be a member of pkiCA and cpCps auxiliary object classes. Now, the
pkiCA requirement is easy, as it looks like OpenLDAP supports that just
fine, however, I'm wondering if cpCPS is able to be supported.
I guess my question is twofold:
Have the syntax checking routines mandated for the cpCps object class (I
presume out of ITU-T X.509 chapter 11) been implemented in OpenLDAP, and if
so, does anyone happen to have a schema file available so that I don't have
to write one myself to add this objectClass to OpenLDAP?
If not, is it possible to add these syntax checking routines in the same way
as one can extend the schema for object classes and attributes?
(I know that I could probably cheat, turn schema checking off and just have
the server support the attributes in a somewhat custom fashion, but
since this is for a PKI system that needs a certain level of trust, I am a
bit loath to do this.)
Thanks in advance.
--
Personal Mail from Patrick Patterson
No company affiliation
15 years, 7 months
Re: Limit daily query number
by cariparo@libero.it
Overlays seem to be the right way to follow.
Now I perform some investigation...
Grazie!
---------- Initial Header -----------
>From : "Pierangelo Masarati" ando(a)sys-net.it
To : "cariparo(a)libero.it" cariparo(a)libero.it
Cc : openldap-technical(a)openldap.org
Date : Mon, 25 Feb 2008 15:06:57 +0100
Subject : Re: Limit daily query number
> Gavin Henry wrote:
> > <quote who="cariparo\(a)libero\.it">
> >> Thanks Gavin,
> >> We have a LDAP service for our customers, under subscription, and we want
> >> to release a light free service for everyone on Internet, by narrowing the
> >> daily queries number.
> >> I'm thinking to create a PHP bridge, so free customers call a php page
> >> instead of connecting directly to the LDAP server, and maintain an IP list on
> >> MySQL. Any other idea?
>
> What you need would best be dealt with by a custom overlay. I suggest
> you look at overlay development (servers/slapd/overlays/slapover.txt,
> <http://www.openldap.org/faq/data/cache/1169.html>), or hire someone
> that can develop it for you.
>
> <advertisement>
> One of SysNet's specialties is custom overlay development
> <http://open.sys-net.it>
> </advertisement>
>
> p.
>
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office: +39 02 23998309
> Mobile: +39 333 4963172
> Email: pierangelo.masarati(a)sys-net.it
> ---------------------------------------
>
>
>
15 years, 7 months
Change LDAP User's Password
by Le Trung Kien
Hi, I'm confused about ldap authentication.
I'm attempting to use ldap with kerberos 5. When changing a user's
password, I issued:
user1]$ passwd
Kerberos 5 Password: ******
New UNIX password: ******
Retype new UNIX password: ******
All things go well; however, there is still a password that doesn't change, and I don't
know what this password is, or how to change it.
As that same user, I can't use 'ldappasswd':
user1]$ ldappasswd
SASL/GSSAPI authentication started
SASL username: user1(a)MYREALM.COM
SASL SSF: 56
SASL installing layers
New password: yPYNAgvO <--- this changes frequently
Result: Internal (implementation specific) error (80)
Additional info: SASL(-7): invalid parameter supplied: Error putting OTP
secret
I should emphasize that user1 has two passwords: the first one can be
changed with 'passwd' or 'kpasswd'; the other I don't know how to access,
although this second password still works and can be used to log in.
More information:
user1]$ passwd
Kerberos 5 Password: <--- type a wrong password and got following (only the
first password works here)
Enter login(LDAP) password: <--- the second password works here
New UNIX password: ******
Retype new UNIX password: ******
LDAP password information update failed: Insufficient access
passwd: Permission denied
Best Regards.
--
Le Trung Kien.
15 years, 7 months
Redirect bind requests to another server
by Andreas Moroder
Hello,
we have a web application that authenticates via openldap. Now a second
hospital should use this same application, but they have their own
authentication server, active directory in this case.
In our network the users authenticate giving their username (amoroder
in my case) and password. Is it possible to configure openldap to
redirect the bind request to the remote server when the username
contains an extension like jsmith@remote? Does this work with AD as
second/remote authentication server?
Thank you very much
Andreas
15 years, 7 months
Re: using LDAP as central authentication unit
by Hamidreza Hamedtoolloei
Hey Buchan,
Sorry for not answering your question; I must have overlooked your response. My ultimate goal is to use LDAP for user authentication and resource authorization in a grid computing environment. As a starting point, I tried to use ldap as a centralized linux user account management mechanism. So I configured my LDAP to act as linux user authentication using this link:
http://www.ibm.com/developerworks/library/l-openldap/index.html
While analyzing the behavior of ldap, I came up with the observation below:
The /etc/pam.d/system.auth file has the following content, which suggests that linux authentication is used first and, if it fails, ldap is used.
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
So if a user is in both /etc/passwd and ldap, linux authentication is used. However, if a user is ONLY in the ldap directory, linux authentication fails and ldap is called.
Analysing the case that a user is only in /etc/passwd:
In this case, there are some activities in the ldap site which I don't understand. If a user is only in etc/passwd and the pam.d/system.auth file says to call ldap only if linux fails, then why is ldap called when linux authentication is successful?
You say this is expected... but if I understood the pam.d/system.auth file correctly, ldap should not be called if a user is only in etc/passwd.
Thanks,
~Hamid
----- Original Message ----
From: Buchan Milne <bgmilne(a)staff.telkomsa.net>
To: openldap-technical(a)openldap.org
Cc: Hamidreza Hamedtoolloei <hamedtoolloei(a)yahoo.com>
Sent: Sunday, February 24, 2008 11:02:04 PM
Subject: Re: using LDAP as central authentication unit
On Saturday 23 February 2008 03:09:33 Hamidreza Hamedtoolloei wrote:
> Dear Tony,
> Thanks for your comment.. I played more with my ldap and here is what I
> found out.. If a user is in both /etc/passwd and ldap directory with the
> same password, linux authentication is used. However, if the user's etc/passwd
> password is different than the ldap passwd, depending on what passwd is used
> during the login, the appropriate authentication is used (i.e. both passwords
> work just fine). However, here is what I still don't understand:
> if a user is only in etc/passwd, after executing su user, it seems that
> there are still some activities in the ldap site.

This is to be expected. But, since you did not answer my previous question (asking about what you are trying to achieve, not every single question you have on how user information and authentication technologies work), I am not sure how to answer some of your questions.

> for instance when I do su karan, where karan ONLY exists in the etc/passwd,
> I get the following in the logfile (/var/log/local4):
>
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 fd=20 ACCEPT from IP=127.0.0.1:33277 (IP=0.0.0.0:389)
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 BIND dn="" method=128
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 RESULT tag=97 err=0 text=
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=502))"
> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

This is a typical search from nss_ldap, *not* pam_ldap. As such, it has nothing to do with your PAM configuration, but your nss configuration, which I don't believe you have provided.

> Feb 22 14:54:03 gamaalien slapd[7896]: <= bdb_equality_candidates: (uidNumber) not indexed

You should tell slapd to index uidNumber (in slapd.conf), and run slapindex to ensure that the existing entries are indexed.

> Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 ACCEPT from IP=127.0.0.1:33278 (IP=0.0.0.0:389)
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=42 fd=20 closed (connection lost)
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 BIND dn="" method=128
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 RESULT tag=97 err=0 text=
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=karan))"
> Feb 22 14:55:04 gamaalien slapd[7896]: <= bdb_equality_candidates: (uid) not indexed

Same thing with uid.

> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=karan))"
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SRCH attr=gidNumber
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 closed (connection lost)
>
> do you know what's going on here? if linux authentication is used and karan
> is not in the ldap directory then why is ldap called? thanks for your help

Let's see your /etc/nsswitch.conf first ...
15 years, 7 months
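Two of the threads above come down to reading slapd's stats log: Gustavo asks what the `conn=` / `op=` / `tag=` / `err=` / `nentries=` fields in the `SEARCH RESULT` lines mean, and Buchan tells Hamid that his log shows nss_ldap lookups (anonymous bind followed by posixAccount/posixGroup searches) rather than pam_ldap authentication, plus two attributes the backend reports as `not indexed`. The parser below is an added example, not code from either poster or from OpenLDAP: it reads lines in the format shown in these posts, groups operations by connection, names the response tag, lists unindexed attributes and applies a heuristic nss_ldap/pam_ldap classification that I wrote for this example. The sample log is assembled from the conn=42 and conn=43 lines in Hamid's post plus a constructed conn=44 showing a bind as a user DN that fails with err=49 (invalidCredentials).

```python
"""Parse slapd 'stats' log lines and classify the client behind each connection.

Added example, not code from the original mailing-list posts. conn= is the
connection id, op= the per-connection operation counter, tag= the protocol
tag of the response PDU and err= the LDAP result code (0 = success).
The nss_ldap / pam_ldap split is a heuristic written for this example.
"""
import re
from collections import OrderedDict

SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(r"^conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
ACCEPT_RE = re.compile(r"ACCEPT from IP=(\S+)")
UNINDEXED_RE = re.compile(r"<= \w+_candidates: \((\w+)\) not indexed")

# Response PDU tags seen in RESULT lines (LDAPv3 APPLICATION tags).
RESULT_TAGS = {97: "BindResponse", 101: "SearchResultDone", 103: "ModifyResponse",
               105: "AddResponse", 107: "DelResponse", 109: "ModifyDNResponse",
               111: "CompareResponse", 120: "ExtendedResponse"}


def tag_name(tag):
    """Name for a tag= value, e.g. 101 -> 'SearchResultDone'."""
    return RESULT_TAGS.get(int(tag), "tag %s" % tag)


def _kv(text):
    """'base="x" scope=2 text=' -> {'base': 'x', 'scope': '2', 'text': ''}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_slapd_log(text):
    """Return (connections, unindexed_attrs); connections: conn id -> summary dict."""
    conns, unindexed = OrderedDict(), []
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        u = UNINDEXED_RE.search(msg)
        if u:                                    # backend could not use an index
            if u.group(1) not in unindexed:
                unindexed.append(u.group(1))
            continue
        c = CONN_RE.match(msg)
        if not c:
            continue
        conn = conns.setdefault(int(c.group("conn")),
                                {"peer": None, "closed": False, "ops": OrderedDict()})
        rest = c.group("rest")
        acc = ACCEPT_RE.search(rest)
        if acc:
            conn["peer"] = acc.group(1)
        elif " closed" in rest:
            conn["closed"] = True
        else:
            o = OP_RE.match(rest)
            if not o:
                continue
            op = conn["ops"].setdefault(int(o.group("op")),
                                        {"verb": None, "fields": {}, "attrs": [], "result": {}})
            body = o.group("rest")
            if body.startswith("SRCH attr="):        # requested attribute list
                op["attrs"] = body[len("SRCH attr="):].split()
            elif "RESULT " in body:                   # RESULT / SEARCH RESULT line
                op["result"] = _kv(body.split("RESULT ", 1)[1])
            else:                                     # BIND, SRCH, UNBIND, ...
                op["verb"], _, fields = body.partition(" ")
                op["fields"] = _kv(fields)
    return conns, unindexed


def classify(conn):
    """Heuristic: nss_ldap binds anonymously (dn="") and searches posixAccount /
    posixGroup entries; pam_ldap authenticates by binding as the user's own DN."""
    ops = list(conn["ops"].values())
    bind_dns = [op["fields"].get("dn", "") for op in ops if op["verb"] == "BIND"]
    filters = [op["fields"].get("filter", "") for op in ops if op["verb"] == "SRCH"]
    if any(bind_dns):
        return "pam_ldap-style"
    if any("posixAccount" in f or "posixGroup" in f for f in filters):
        return "nss_ldap-style"
    return "unknown"


def result_errors(conns):
    """(conn, op, err) for every operation that did not return err=0."""
    return [(cid, opid, int(op["result"]["err"]))
            for cid, conn in conns.items()
            for opid, op in conn["ops"].items()
            if op["result"].get("err") not in (None, "0")]


# conn=42/43 lines come from the post; conn=44 is constructed for this example.
SAMPLE_LOG = """\
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 fd=20 ACCEPT from IP=127.0.0.1:33277 (IP=0.0.0.0:389)
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 BIND dn="" method=128
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 RESULT tag=97 err=0 text=
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=502))"
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 22 14:54:03 gamaalien slapd[7896]: <= bdb_equality_candidates: (uidNumber) not indexed
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 22 14:55:04 gamaalien slapd[7896]: conn=42 fd=20 closed (connection lost)
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 BIND dn="" method=128
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 RESULT tag=97 err=0 text=
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=karan))"
Feb 22 14:55:04 gamaalien slapd[7896]: <= bdb_equality_candidates: (uid) not indexed
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 22 14:56:10 gamaalien slapd[7896]: conn=44 fd=22 ACCEPT from IP=127.0.0.1:33290 (IP=0.0.0.0:389)
Feb 22 14:56:10 gamaalien slapd[7896]: conn=44 op=0 BIND dn="uid=karan,ou=People,dc=ibm,dc=com" method=128
Feb 22 14:56:10 gamaalien slapd[7896]: conn=44 op=0 RESULT tag=97 err=49 text=
Feb 22 14:56:10 gamaalien slapd[7896]: conn=44 op=1 UNBIND
Feb 22 14:56:10 gamaalien slapd[7896]: conn=44 fd=22 closed
"""

if __name__ == "__main__":
    conns, unindexed = parse_slapd_log(SAMPLE_LOG)
    for cid, conn in conns.items():
        print("conn=%d peer=%s %s" % (cid, conn["peer"], classify(conn)))
    print("failed ops:", result_errors(conns), "unindexed:", unindexed)
```

Feed it `cat /var/log/local4 | python slapd_log.py` style input instead of the sample to see which connections are NSS lookups and which are real authentication binds. The `not indexed` list is the input for Buchan's advice: each attribute in it needs an `index <attr> eq` line in slapd.conf followed by a `slapindex` run so the existing entries pick up the new index.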
REF: Getting Started - LDAP+PDC
by Teddy L. Nyambe
Hi All,
I am new. I have LDAP running on a server and created accounts using the OXAdmin
tool from Openxchange. Now I want to integrate Samba as a PDC, and I have
noticed there are no home directories for users created using the tool.
Should I create users in /etc/passwd? I want to use the already existing
users in LDAP and have them log in to the domain. How can I set this up?
Please help!
Kind regards
Teddy L.
............................................................................
...........
Teddy Lubasi Nyambe
Assistant Principal Clerk ICT - Applications
National Assembly of Zambia
P.O. Box 31299
Lusaka, ZAMBIA
Phone: +260 1 292425
Cell: +260 97 7760473
~/
Human Knowledge belongs to the world! - AntiTrust
Man is a tool-using animal. Without tools he is nothing, with tools he is
all - Thomas Carlyle 1795-1881
As we enjoy great advantages from inventions of others, we should be glad of
an opportunity to serve others by any invention of ours; and this we should
do freely and generously. Benjamin Franklin
/~
15 years, 7 months