LDAP replication
by Rui Ramos
Hello *
I'm having trouble setting up the following LDAP architecture, and
desperately need some advice.
The architecture is formed by a master ldap server (CORE) and several
slaves (EDGES).
They all have a non-standard schema that is required for the project we
are working on.
So one of my questions is:
Is it possible to replicate data from CORE to EDGE machines using
slurpd or syncrepl, and still have the ability to change some attributes
in slaves directly? If not, what could be a possible solution for this?
One of these EDGE machines requires attribute translation. We managed to get
this working with slurpd replogfile.
So we can have this:
B -> C
Where B replicates LDAP data to C slave using slurpd.
But when we try to add the Master server to this:
A -> B -> C
Where A replicates to B with syncrepl, the replog isn't created for the B ->
C replication.
So my other questions are:
- Can slurpd and syncrepl be used in the same server?
- Can a ldap server be configured as master/slave?
- What would be your suggestions for solving this issue?
Using openldap 2.3.27-8
Best Regards, Rui
--
Rui Ramos
==============================================
Universidade do Porto - IRICUP
Praça Gomes Teixeira, 4099-002 Porto, Portugal
email: rramos[at]reit.up.pt
phone: +351 22 040 8164
==============================================
15 years, 7 months
Re: Limit daily query number
by Gavin Henry
<quote who="cariparo(a)libero.it">
> Thanks Gavin,
> We have an LDAP service for our customers, under subscription, and we want
> to release a light free service for everyone on the Internet, by limiting the
> daily query number.
> I'm thinking of creating a PHP bridge, so free customers call a php page
> instead of connecting directly to the LDAP server, and maintain an IP list in
> MySQL. Any other idea?
Please keep replies on list ;-)
Don't store sensitive data, set up the usual security things, DMZ etc. and
check out:
conn_max_pending
conn_max_pending_auth
and sizelimit/timelimit
make it readonly too.
via "man slapd.conf"
Cheers.
15 years, 7 months
question about object classes
by VaraPrasad Yalla
Hello Ldapusers,
In the slapd.conf file I made sure to include
/etc/openldap/schema/inetorgperson.schema
But when I use the password migration script to convert the password map to
ldif format I always see that only
'account' comes up as the default object class in the ldif files. Here is
an example of what one of the ldif entries looks like:
--------------------------------------------
dn: uid=axe,ou=People,dc=example,dc=com
uid: axe
cn: axe
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$8EJTU0c0$O2oc9gwyMJZl0hFg7x6Y7.
shadowLastChange: 12371
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/axe
--------------------------------------------
How do I make sure that inetorgperson comes up as the default object class
without having to add it manually?
Also is it possible to modify the object class of a record that has
already been added to the database ?
Please let me know .
Thanks .
15 years, 7 months
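An added example for the objectClass question above, which also serves the replication question at the top of the page (my code, not the poster's and not part of any migration tool). PADL's MigrationTools default to account; they emit person/organizationalPerson/inetOrgPerson when $EXTENDED_SCHEMA is set to 1 in migrate_common.ph, but the post does not say which script was used, so this block works on the LDIF itself. It parses the migration output, swaps the structural class account for inetOrgPerson (adding the sn that person requires), and, for entries already in the directory, emits a delete followed by an add, because OpenLDAP rejects a modify that changes an entry's structural object class. The diff_entries helper compares two dumps, such as slapcat output from CORE and from an EDGE, so attributes changed directly on a slave show up as drift. The sample LDIF is the entry from the post; the sn value derived from uid and the consumer copy with an altered loginShell are constructed for the demonstration.

```python
# Added example for this thread, not code from the original posts or from
# any migration tool: rewrite migration-script LDIF so that entries use
# inetOrgPerson instead of account, and diff two directory dumps.

# Constructed sample: the entry shown in the post above, verbatim.
SAMPLE_LDIF = """\
dn: uid=axe,ou=People,dc=example,dc=com
uid: axe
cn: axe
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$8EJTU0c0$O2oc9gwyMJZl0hFg7x6Y7.
shadowLastChange: 12371
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/axe
"""

# Constructed stand-in for a slapcat dump of a slave on which someone changed
# an attribute directly (the situation asked about in the replication thread).
CONSUMER_LDIF = SAMPLE_LDIF.replace("loginShell: /bin/bash", "loginShell: /bin/false")

# Operational attributes that legitimately differ between replicas depending
# on how the entry was replicated; diff_entries ignores them by default.
OPERATIONAL = {"entryCSN", "contextCSN", "modifyTimestamp", "modifiersName"}


def parse_ldif(text):
    """Parse plain LDIF (no base64 '::' values, no line continuations) into
    a list of (dn, {attribute: [values]}). Attribute names are kept as written."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:
        if not line.strip():                      # a blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name, []).append(value.strip())
    return entries


def _key(attrs, name):
    """Case-insensitive lookup of an attribute name; returns the key as written."""
    return next((k for k in attrs if k.lower() == name.lower()), name)


def convert_to_inetorgperson(entries):
    """Replace the structural class 'account' with 'inetOrgPerson'.
    inetOrgPerson inherits person, which MUSTs sn and cn, so a missing sn is
    filled from uid (an assumption for the demo; use real surnames)."""
    out = []
    for dn, attrs in entries:
        attrs = {k: list(v) for k, v in attrs.items()}   # do not mutate the input
        oc = _key(attrs, "objectClass")
        classes = attrs.get(oc, [])
        if any(c.lower() == "account" for c in classes):
            attrs[oc] = [c for c in classes if c.lower() != "account"] + ["inetOrgPerson"]
            if _key(attrs, "sn") not in attrs:
                attrs["sn"] = list(attrs.get(_key(attrs, "uid"), ["unknown"]))
        out.append((dn, attrs))
    return out


def to_ldif(entries, replace_existing=False):
    """Serialise entries. With replace_existing=True each DN is emitted as a
    delete followed by an add: OpenLDAP refuses a modify that changes the
    structural object class (objectClassModsProhibited), so entries that are
    already in the directory must be re-added."""
    records = []
    for dn, attrs in entries:
        if replace_existing:
            records.append(f"dn: {dn}\nchangetype: delete\n")
        lines = [f"dn: {dn}"] + (["changetype: add"] if replace_existing else [])
        lines += [f"{name}: {v}" for name, values in attrs.items() for v in values]
        records.append("\n".join(lines) + "\n")
    return "\n".join(records)


def diff_entries(provider, consumer, ignore=OPERATIONAL):
    """Compare two parsed dumps (e.g. slapcat output of CORE and of an EDGE).
    Returns {dn: {attribute: (provider_values, consumer_values)}}; an entry
    present on one side only is reported under the key "<entry>"."""
    p, c = dict(provider), dict(consumer)
    drift = {}
    for dn in sorted(set(p) | set(c)):
        if dn not in p or dn not in c:
            drift[dn] = {"<entry>": (dn in p, dn in c)}
            continue
        diffs = {}
        for attr in set(p[dn]) | set(c[dn]):
            if attr in ignore:
                continue
            pv, cv = sorted(p[dn].get(attr, [])), sorted(c[dn].get(attr, []))
            if pv != cv:
                diffs[attr] = (pv, cv)
        if diffs:
            drift[dn] = diffs
    return drift


if __name__ == "__main__":
    converted = convert_to_inetorgperson(parse_ldif(SAMPLE_LDIF))
    print(to_ldif(converted, replace_existing=True))
    print(diff_entries(parse_ldif(SAMPLE_LDIF), parse_ldif(CONSUMER_LDIF)))
```

Run it against real dumps by reading slapcat output into parse_ldif; the delete+add output is what you would feed to ldapmodify for entries that already exist, and a non-empty diff_entries result on a syncrepl slave is a list of local edits that the provider knows nothing about.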
Re: using LDAP as central authentication unit
by Hamidreza Hamedtoolloei
Dear Tony,
Thanks for your comment. I played more with my ldap and here is what I found out: If a user is in both /etc/passwd and the ldap directory with the same password, linux authentication is used. However, if the user's /etc/passwd password is different from the ldap password, depending on which password is used during the login, the appropriate authentication is used (i.e. both passwords work just fine).
However, here is what I still dont understand:
If a user is only in /etc/passwd, after executing su user, it seems that there is still some activity on the ldap side. For instance, when I do su karan, where karan ONLY exists in /etc/passwd, I get the following in the logfile (/var/log/local4):
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 fd=20 ACCEPT from IP=127.0.0.1:33277 (IP=0.0.0.0:389)
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 BIND dn="" method=128
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 RESULT tag=97 err=0 text=
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=502))"
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 22 14:54:03 gamaalien slapd[7896]: <= bdb_equality_candidates: (uidNumber) not indexed
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 ACCEPT from IP=127.0.0.1:33278 (IP=0.0.0.0:389)
Feb 22 14:55:04 gamaalien slapd[7896]: conn=42 fd=20 closed (connection lost)
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 BIND dn="" method=128
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 RESULT tag=97 err=0 text=
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=karan))"
Feb 22 14:55:04 gamaalien slapd[7896]: <= bdb_equality_candidates: (uid) not indexed
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SRCH base="ou=People,dc=ibm,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=karan))"
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SRCH attr=gidNumber
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 closed (connection lost)
do you know whats going on here? if linux authentication is used and karan is not in the ldap directory then why ldap is called?
thanks for your help
----- Original Message ----
From: Tony Earnshaw <tonni(a)hetnet.nl>
To: openldap-technical(a)openldap.org
Sent: Friday, February 22, 2008 2:12:36 AM
Subject: Re: using LDAP as central authentication unit
Hamidreza Hamedtoolloei wrote, on 22-02-2008 09:49:
> http://www.linux.com/articles/113567 describes the "sufficient" modifier
> as follows:
> If a sufficient module succeeds, it is enough to satisfy the
> requirements of sufficient modules in that realm for use of the service,
> and modules below it that are also listed as 'sufficient' are not invoked.
>
> given the following /etc/pam.d/system.auth file:
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
> I think LDAP is used ONLY if the unix authentication fails?? right??? am
> I missing something???
I don't suppose that, reading the article you quote, you're missing
anything, but I've just played around with my test machine's FC6
/etc/pam.d/system-auth and found the following for the auth service:
1: Where a user is in both LDAP and /etc/{passwd,shadow} only the
pam_unix.so password counts, even though the position of the pam_unix.so
and pam_ldap.so lines is swapped. Changing the LDAP entry's password
doesn't make any difference to pam;
2: Where a user is only in LDAP the pam_unix.so auth entry is ignored,
whatever its position;
3: Commenting out the pam_unix.so line results in all login attempts by
everyone being invalid. So not even root can log in any longer.
So I'd say that the stuff is far more complicated than the author states.
Perhaps people are thinking about the nsswitch.conf entries. However, a
recent thread in the pam_ldap mailing list hinted that things might be
different for systems on which Padl's CNS pam_ldap library is installed,
rather than Red Hat's version - as on my machines.
To avoid completely "missing something" I suggest you try it out for
yourself ;)
Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
15 years, 7 months
Limit daily query number
by cariparo@libero.it
Hi All,
I have an OpenLDAP implementation with anonymous read access enabled, so I want to limit the number of queries that each computer (IP) can perform in a specified time window. For example: allow each IP to perform max 300 queries per day.
I have a huge number of users, and a database of abt 1M objects.
Can anyone give me a suggestion? I can't find any specific setting.
Thanks
Carip
15 years, 7 months
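An added example for the quota question (my code, not slapd's and not from the thread). The thread turns up no per-IP daily counter in slapd, and the knobs Gavin lists bound each connection or each search rather than each client, so the counting has to happen outside the server, typically from the stats log (loglevel 256). The block parses log lines in the format that appears earlier on this page, learns each connection's client address from its ACCEPT line, counts search operations per address per day, counts anonymous simple binds, and lists the addresses over a quota. The log lines, hostnames and addresses are constructed for the demonstration.

```python
# Added example for the daily-quota question, not code from the thread or
# from OpenLDAP: count searches per source IP per day from slapd's stats log
# so that over-quota addresses can be blocked outside the server.
import re
from collections import defaultdict

# Constructed sample lines, modelled on the slapd stats log excerpt that
# appears earlier on this page (hostnames and addresses are made up).
SAMPLE_LOG = """\
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 fd=20 ACCEPT from IP=127.0.0.1:33277 (IP=0.0.0.0:389)
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 BIND dn="" method=128
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=0 RESULT tag=97 err=0 text=
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=502))"
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn
Feb 22 14:54:03 gamaalien slapd[7896]: conn=42 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 fd=21 ACCEPT from IP=192.0.2.10:51000 (IP=0.0.0.0:389)
Feb 22 14:55:04 gamaalien slapd[7896]: conn=42 fd=20 closed (connection lost)
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 BIND dn="" method=128
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=0 RESULT tag=97 err=0 text=
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=karan)"
Feb 22 14:55:04 gamaalien slapd[7896]: conn=43 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 22 14:55:05 gamaalien slapd[7896]: conn=43 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=axe)"
Feb 22 14:55:05 gamaalien slapd[7896]: conn=43 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 22 14:55:06 gamaalien slapd[7896]: conn=43 op=3 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=rui)"
Feb 22 14:55:06 gamaalien slapd[7896]: conn=43 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 22 14:55:07 gamaalien slapd[7896]: conn=43 op=4 SRCH base="ou=People,dc=example,dc=com" scope=2 deref=0 filter="(uid=oren)"
Feb 22 14:55:07 gamaalien slapd[7896]: conn=43 fd=21 closed (connection lost)
Feb 23 09:00:00 gamaalien slapd[7896]: conn=44 fd=20 ACCEPT from IP=192.0.2.10:51001 (IP=0.0.0.0:389)
Feb 23 09:00:00 gamaalien slapd[7896]: conn=44 op=0 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
"""

# Syslog timestamp: month, space- or zero-padded day, time; there is no year.
TS = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
# IPv6 clients are logged as IP=[addr]:port, IPv4 as IP=addr:port.
ACCEPT_RE = re.compile(TS + r" \S+ slapd\[\d+\]: conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>\[[^\]]+\]|[^:\s]+):\d+")
OP_RE = re.compile(TS + r" \S+ slapd\[\d+\]: conn=(?P<conn>\d+) op=\d+ (?P<op>BIND|SRCH) (?P<rest>.*)$")


def analyse(lines, daily_quota=300):
    """Return (searches, anon_binds, offenders).
    searches:   {(day, ip): number of search operations}
    anon_binds: {ip: number of anonymous simple binds (dn="")}
    offenders:  [(day, ip, count)] for every (day, ip) above daily_quota"""
    conn_ip = {}                    # conn id -> client address, learnt from ACCEPT lines
    searches = defaultdict(int)
    anon_binds = defaultdict(int)
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]   # ids restart after a slapd restart: the latest ACCEPT wins
            continue
        m = OP_RE.match(line)
        if not m or m["conn"] not in conn_ip:
            continue                        # unrelated line, or a connection opened before the log window
        day, ip = m["ts"][:6].replace("  ", " "), conn_ip[m["conn"]]
        if m["op"] == "SRCH" and m["rest"].startswith("base="):
            searches[(day, ip)] += 1        # the second "SRCH attr=" line of the same op is not counted
        elif m["op"] == "BIND" and 'dn=""' in m["rest"]:
            anon_binds[ip] += 1
    offenders = sorted((day, ip, n) for (day, ip), n in searches.items() if n > daily_quota)
    return dict(searches), dict(anon_binds), offenders


if __name__ == "__main__":
    per_day, anon, over = analyse(SAMPLE_LOG.splitlines(), daily_quota=3)
    for day, ip, n in over:
        print(f"{day} {ip}: {n} searches, over quota")
    print("anonymous binds per address:", anon)
```

analyse() takes any iterable of lines, so open('/var/log/local4') works as well. The offenders list is the input for whatever enforces the quota: a firewall blocklist, or the IP table behind a PHP bridge as in Carip's plan. Because syslog timestamps carry no year, counts are keyed by month and day only, and because conn ids are only unique between restarts, a connection that was already open when the log window starts is skipped rather than attributed to the wrong client.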
extend remote server with local (subordinate) entries
by Oren Laadan
Hi,
I use the configuration below to extend a given remote LDAP database
with a relatively small number of local records. Specifically, the
local database adds new (posix) groups and new autofs maps, adding to
the ones already given by the remote server. (see the original thread
at: http://www.openldap.org/lists/openldap-software/200802/msg00128.html)
> ...
> moduleload back_ldap
> moduleload back_bdb
> ...
> backend bdb
> backend ldap
> ...
> # bdb backend, configured as a subordinate of the main server
> database bdb
> suffix "dc=SUB,dc=EXAMPLE,dc=COM"
> readonly on
> subordinate
> ...
> # ldap backend, with the right DN base
> database ldap
> lastmod off
> suffix "dc=EXAMPLE,dc=COM"
> uri "ldaps://REMOTE_SERVER/"
> ...
>
The extension of groups works like a charm, without any modification to
the clients' setup (/etc/ldap/ldap.conf).
However, the additional maps aren't observed by the autofs-ldap method
and are therefore not working for users.
Running on Debian (unstable), autofs-ldap-auto-master gives:
/home ldap:ou=auto.home,ou=AutoFS,dc=EXAMPLE,dc=COM
/proj ldap:ou=auto.proj,ou=AutoFS,dc=EXAMPLE,dc=COM
A remote LDAP entry for /proj looks like:
dn: cn=blast,ou=auto.proj,ou=AutoFS,dc=EXAMPLE,dc=COM
objectClass: automount
cn: blast
automountInformation: -rw blast:/export/blast
A local (added to the subtree SUB) entry for /proj looks like:
dn: cn=extra,ou=auto.proj,ou=AutoFS,dc=SUB,dc=EXAMPLE,dc=COM
objectClass: automount
cn: extra
automountInformation: -rw extra:/export/extra
The problem is that autofs only "sees" entries of the first type; if I
run automount manually (prepending "dc=SUB," to the default way it
is otherwise invoked):
/usr/sbin/automount --pid-file=/var/run/autofs/_proj.pid --timeout=300 /proj ldap ou=auto.proj,ou=AutoFS,dc=SUB,dc=EXAMPLE,dc=COM
then I can make it see the second type, but then it ignores the first
type. Note that the same technique works for adding more groups. So I
suspect the problem is that somehow autofs does not consider subtrees
as valid results for its query to ldap.
Any ideas how to fix this ? (or perhaps suggestion how to arrange the
entire setup differently and still have the same end result).
Thanks,
Oren.
15 years, 7 months
Re: using LDAP as central authentication unit
by Hamidreza Hamedtoolloei
Dear Tony,
Thanks for your prompt response.
http://www.linux.com/articles/113567 describes the "sufficient" modifier as follows:
If a sufficient module succeeds, it is enough to satisfy the requirements of sufficient modules in that realm for use of the service, and modules below it that are also listed as 'sufficient' are not invoked.
given the following /etc/pam.d/system.auth file:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
I think LDAP is used ONLY if the unix authentication fails?? right??? am I missing something???
----- Original Message ----
From: Tony Earnshaw <tonni(a)hetnet.nl>
To: openldap-technical(a)openldap.org
Sent: Thursday, February 21, 2008 9:58:57 PM
Subject: Re: using LDAP as central authentication unit
Hamidreza Hamedtoolloei wrote, on 22-02-2008 03:21:
> I've followed one of the online instructions on how to configure my
> system to use ldap as the user authentication mechanism. below is
> partial content of my /etc/pam.d/system.auth file:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> looking at some online resources about how pam works, it seems that unix
> authentication is being applied first, and only if it fails, ldap
> authentication is applied. Am I correct here? In other words if all the
> users are still in /etc/shadow and /etc/passwd files.... ldap is NOT
> being used for authentication. If I delete the users from /etc/passwd...
> then LDAP is used.... right?
No, all the modules will be used, but the way they are treated depends on
the modifiers {sufficient,required,requisite} and
{use_first_pass,try_first_pass,null} (unless you're using Solaris >= 10
where they've been obsoleted).
Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
15 years, 7 months
OpenLdap unstable on RHEL5 & Centos5 with db4
by Rohit B
Hello List members
I am running Openldap and db4
[root@build ~]# slapd -V
@(#) $OpenLDAP: slapd 2.3.27 (Mar 14 2007 17:44:50) $
mockbuild@builder4.centos.org:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd
DB4 version db4-4.3.29-9
We have an address book containing around 500 to 2000 addresses stored in
it. Everything works fine for some days and then it crashes. I see
nothing in the logs. We are using a custom schema attached to this
email. Before we upgraded from the default openldap in centos4.4 to
Centos5.0 it was working perfectly; are there any compatibility issues
with the schema & the new package?
--
Regards,
Rohit Baisakhiya
attributetype ( 2.5.4.7.1 NAME ( 'location' 'subdomain' ) SUP name )
attributetype ( 2.5.4.7.2 NAME ( 'proxyflag' ) SUP name )
attributetype ( 2.5.4.7.3 NAME ( 'mailflag' ) SUP name )
attributetype ( 2.5.4.7.4 NAME ( 'incomingflag' ) SUP name )
attributetype ( 2.5.4.7.5 NAME ( 'outgoingflag' ) SUP name )
attributetype ( 2.5.4.7.6 NAME ( 'inmailsize' ) SUP name )
attributetype ( 2.5.4.7.7 NAME ( 'outmailsize' ) SUP name )
attributetype ( 2.5.4.7.8 NAME ( 'mailquota' ) SUP name )
attributetype ( 2.5.4.7.9 NAME ( 'globalquota' ) SUP name )
attributetype ( 2.5.4.7.10 NAME ( 'memOfGroup' ) SUP name )
attributetype ( 2.5.4.7.11 NAME ( 'autoDeleteMail' ) SUP name )
#attributetype ( 2.5.4.7.11 NAME ( 'mailsOlderThan' ) SUP name )
#attributetype ( 2.5.4.7.12 NAME ('lastModifiedTime') SUP name)
#attributetype( 0.9.2342.19200300.100.1.23 NAME ('lastModifiedTime') SUP name)
#attributetype ( 2.5.4.7.10 NAME 'member' SUP distinguishedName )
#attributetype ( 2.5.4.7.11 NAME 'owner' SUP distinguishedName )
#attributetype ( 2.5.4.7.12 NAME 'seeAlso' SUP distinguishedName )
#attributetype ( 2.5.4.7.13 NAME ( 'ou' 'organizationalUnitName' ) SUP name )
#attributetype ( 2.5.4.7.14 NAME ( 'o' 'organizationName' ) SUP name )
#attributetype ( 2.5.4.7.15 NAME 'description'
# EQUALITY caseIgnoreMatch
# SUBSTR caseIgnoreSubstringsMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
#attributetype ( 2.5.4.7.16 NAME 'businessCategory'
# EQUALITY caseIgnoreMatch
# SUBSTR caseIgnoreSubstringsMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
#
# Netcore User objectclass
#
objectclass ( 1.3.6.1.4.1.4203.1.4.1.1
NAME ( 'Netcore' 'Netserv' )
DESC 'Netcore Netserv Ldap'
SUP ( posixAccount $ inetLocalMailRecipient $ inetOrgPerson )
MAY ( location $ proxyflag $ mailflag $ incomingflag $ outgoingflag $ inmailsize $ outmailsize $ mailquota $ globalquota $ acctFlags $ description $ homeDrive $ kickoffTime $ lmPassword $ logoffTime $ logonTime $ ntPassword $ primaryGroupID $ profilePath $ pwdCanChange $ pwdLastSet $ pwdMustChange $ scriptPath $ smbHome $ rid $ ou $ memOfGroup $ autoDeleteMail $ calFBURL )
)
#attributetype (2.16.840.1.113730.3.1.13 #Conflicting hence changed this
attributetype (2.16.840.1.113730.3.1.14
NAME 'mailAlternateAddress'
DESC 'alternate RFC822 email addresses used to reach this person'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributetype (2.16.840.1.113730.3.1.23
NAME 'mgrpAllowedDomain'
DESC 'allowed domains for sender of mail to group'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributetype (2.16.840.1.113730.3.1.25
NAME 'mgrpDeliverTo'
DESC 'LDAP Search URL to describe group membership'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
EQUALITY caseExactIA5Match
)
attributetype (2.16.840.1.113730.3.1.26
NAME 'mgrpErrorsTo'
DESC 'person or group to receive error messages for this group'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributetype (2.16.840.1.113730.3.1.28
NAME 'mgrpRejectAction'
DESC 'The action to be taken for a rejected message to the group'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributetype (2.16.840.1.113730.3.1.29
NAME 'mgrpRejectText'
DESC 'Text to be returned with a rejected message'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributetype (2.16.840.1.113730.3.1.30
NAME 'mgrpRFC822MailMember'
DESC 'RFC822 mail address of email only member of group'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
#
# Netcore Group objectclass
#
###### object class modified Manoj for version 2.1 of openldap #######
objectclass (2.16.840.1.113730.3.2.4
NAME 'mailGroup'
SUP top
STRUCTURAL
MUST ( uid $ mail $ cn )
MAY ( mailAlternateAddress $ mailHost $
mgrpAllowedDomain $ mgrpDeliverTo
$ mgrpRejectAction $ mgrpErrorsTo $ mgrpRFC822MailMember
$ mgrpRejectText $ businessCategory $ seeAlso $ owner $ ou $ o $ description $ uniqueMember $ mailquota)
)
15 years, 7 months
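An added example for the schema question (my code, not OpenLDAP's and not the poster's): a lint pass over slapd.conf-style schema text that flags what a reviewer would raise before loading a custom schema on a production server. Two of the problems it catches are visible in the attachment above: attribute OIDs minted under 2.5.4.7, which is the X.500 localityName attribute's OID and not an arc a private schema may extend, and definitions placed under Netscape's (2.16.840.1.113730) and OpenLDAP's (1.3.6.1.4.1.4203) arcs; the "Conflicting hence changed this" comment shows that an OID collision has already happened once. The sample schema is a constructed subset of the attachment, and the duplicate sample uses a made-up enterprise number. Whether the schema has anything to do with the crashes the page does not say; the lint only reports what to fix regardless.

```python
# Added example for the schema question, not code from the post or from
# OpenLDAP: lint slapd.conf-style schema definitions for OID and naming
# problems before they are loaded into a directory.
import re

# Well-known arcs under which a private schema must not mint new OIDs.
RESERVED_ARCS = {
    "2.5.4": "X.500 standard attribute types (2.5.4.7 is localityName)",
    "2.5.6": "X.500 standard object classes",
    "0.9.2342.19200300.100": "COSINE/pilot schema (RFC 4524)",
    "2.16.840.1.113730": "Netscape/Sun directory server schema",
    "1.3.6.1.4.1.4203": "OpenLDAP project enterprise arc",
}

# Constructed sample: a subset of the schema attached to the post above.
SAMPLE_SCHEMA = """\
attributetype ( 2.5.4.7.1 NAME ( 'location' 'subdomain' ) SUP name )
attributetype ( 2.5.4.7.2 NAME ( 'proxyflag' ) SUP name )
attributetype ( 2.5.4.7.11 NAME ( 'autoDeleteMail' ) SUP name )
#attributetype ( 2.5.4.7.11 NAME ( 'mailsOlderThan' ) SUP name )
objectclass ( 1.3.6.1.4.1.4203.1.4.1.1
    NAME ( 'Netcore' 'Netserv' )
    DESC 'Netcore Netserv Ldap'
    SUP ( posixAccount $ inetLocalMailRecipient $ inetOrgPerson )
    MAY ( location $ proxyflag $ autoDeleteMail ) )
attributetype (2.16.840.1.113730.3.1.14
    NAME 'mailAlternateAddress'
    DESC 'alternate RFC822 email addresses used to reach this person'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""

# Constructed: two definitions under a hypothetical private arc that collide.
DUPLICATE_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'deptCode' SUP name )
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'costCentre' SUP name )
"""

DEF_START = re.compile(r"^\s*(attributetype|objectclass)\s*\(\s*([0-9.]+)", re.I)
NAME_RE = re.compile(r"\bNAME\s+(?:\(\s*(?:'[^']*'\s*)+\)|'[^']*')")
KIND_RE = re.compile(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b")


def split_definitions(text):
    """Join each multi-line definition into one string. A line whose first
    non-blank character is '#' is a comment; slapd honours '#' only there."""
    defs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if DEF_START.match(line):
            defs.append(line.strip())
        elif defs:
            defs[-1] += " " + line.strip()
    return defs


def parse_definition(text):
    """Extract type, OID and NAME list from one joined definition."""
    m = DEF_START.match(text)
    if not m:
        return None
    nm = NAME_RE.search(text)
    names = re.findall(r"'([^']*)'", nm.group(0)) if nm else []
    return {"type": m.group(1).lower(), "oid": m.group(2), "names": names, "text": text}


def lint_schema(text):
    """Return a list of (severity, name, message) findings."""
    findings, seen_oid, seen_name = [], {}, {}
    for d in filter(None, map(parse_definition, split_definitions(text))):
        label = d["names"][0] if d["names"] else d["oid"]
        for arc, owner in RESERVED_ARCS.items():
            if d["oid"] == arc or d["oid"].startswith(arc + "."):
                findings.append(("warn", label, f"OID {d['oid']} lies under {arc}, {owner}; "
                                 "only an unmodified copy of the owner's definition belongs there"))
        if d["oid"] in seen_oid:
            findings.append(("error", label, f"OID {d['oid']} already used by {seen_oid[d['oid']]}"))
        seen_oid.setdefault(d["oid"], label)
        for name in d["names"]:
            if name.lower() in seen_name:
                findings.append(("error", name, f"name already used by OID {seen_name[name.lower()]}"))
            seen_name.setdefault(name.lower(), d["oid"])
        if d["type"] == "objectclass" and not KIND_RE.search(d["text"]):
            findings.append(("info", label, "no kind given; RFC 4512 makes it STRUCTURAL by default"))
    return findings


if __name__ == "__main__":
    for severity, name, message in lint_schema(SAMPLE_SCHEMA) + lint_schema(DUPLICATE_SCHEMA):
        print(f"{severity:5} {name:22} {message}")
```

The arc check is deliberately blunt: reusing Netscape's mailGroup definition verbatim is fine, but the moment a definition under someone else's arc is edited (a renumbered attribute, an extra MAY) it stops describing what every other directory means by that OID, so every hit under a foreign arc is worth a look. Names are compared case-insensitively because slapd treats them that way.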
me
by Aravind Arjunan
I had configured ldap in server-client.
I had created the ldif file also and added that file to the ldap database.
It was working fine yesterday, but when I started the machine today
and restarted the ldap service, stopping ldap always comes up
failed.
When starting, ldap always comes up started, but when I check with
service ldap status it shows slapd is stopped.
[root@testnode ~]# service ldap restart
Stopping slapd: [FAILED]
Checking configuration files for slapd: config file testing succeeded
Starting slapd: [ OK ]
[root@testnode ~]# service ldap restart
Stopping slapd: [FAILED]
Checking configuration files for slapd: config file testing succeeded
Starting slapd: [ OK ]
[root@testnode ~]# service ldap restart
Stopping slapd: [FAILED]
Checking configuration files for slapd: config file testing succeeded
Starting slapd: [ OK ]
[root@testnode ~]# service ldap status
slapd is stopped
[root@testnode ~]#
15 years, 7 months
using LDAP as central authentication unit
by Hamidreza Hamedtoolloei
Hello,
I've followed one of the online instructions on how to configure my system to use ldap as the user authentication mechanism. below is partial content of my /etc/pam.d/system.auth file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
looking at some online resources about how pam works, it seems that unix authentication is being applied first, and only if it fails, ldap authentication is applied. Am I correct here? In other words if all the users are still in /etc/shadow and /etc/passwd files.... ldap is NOT being used for authentication. If I delete the users from /etc/passwd... then LDAP is used.... right?
thx,
~Hamid
15 years, 7 months
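An added example for this thread (my code, not Linux-PAM's and not the posters'): a simulator of the auth stack quoted above that applies the control keywords as Linux-PAM documents them. required: a failure is remembered but the stack keeps running; requisite: a failure ends the stack at once; sufficient: a success ends the stack with success unless a required module has already failed, and a failed sufficient module is simply ignored. The user tables are constructed stand-ins for /etc/shadow and the directory, and pam_ldap's use_first_pass is modelled by handing both modules the same password. Two things the simulation makes explicit: with this stack a user present in both /etc/shadow and LDAP is accepted with either password, and turning pam_unix into requisite locks out everyone who exists only in LDAP. One point the thread circles around without stating: the searches for uidNumber=502 and memberUid=karan in the reply above are name-service lookups driven by the passwd and group lines of nsswitch.conf (glibc consults every listed group source when building a user's supplementary groups), not PAM authentication, so they appear for a local-only user whatever the PAM stack says.

```python
# Added example for the PAM thread, not code from the posts or from Linux-PAM:
# a simulator of the legacy control keywords (required, requisite, sufficient,
# optional) so the stack quoted in the thread can be evaluated for users who
# exist locally, in LDAP, or in both.
from dataclasses import dataclass
from typing import Callable, List, Tuple

SUCCESS, FAIL = "success", "fail"

# Constructed stand-ins for /etc/shadow and the directory (plaintext only
# because this is a simulation; real modules compare hashes).
LOCAL_USERS = {"karan": "local-pw", "hamid": "unix-pw"}
LDAP_USERS = {"hamid": "ldap-pw", "axe": "axe-pw"}


@dataclass
class Rule:
    control: str                         # required | requisite | sufficient | optional
    module: str
    check: Callable[[str, str], bool]    # (user, password) -> did the module succeed?


def pam_env(user, password):
    return True                          # only sets environment variables; never fails auth


def pam_unix(user, password):
    return LOCAL_USERS.get(user) == password


def pam_ldap(user, password):            # use_first_pass: reuses the password pam_unix collected
    return LDAP_USERS.get(user) == password


def pam_deny(user, password):
    return False


# The /etc/pam.d/system-auth 'auth' stack quoted in the thread.
SYSTEM_AUTH = [
    Rule("required", "pam_env.so", pam_env),
    Rule("sufficient", "pam_unix.so", pam_unix),
    Rule("sufficient", "pam_ldap.so", pam_ldap),
    Rule("required", "pam_deny.so", pam_deny),
]


def run_auth_stack(stack: List[Rule], user: str, password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Evaluate an auth stack with Linux-PAM's legacy keyword semantics.
    Returns (final result, trace of (module, outcome) for the modules that ran).
    'optional' is treated as ignorable, which holds whenever the stack also
    contains a required, requisite or sufficient rule."""
    trace, required_failed = [], False
    for rule in stack:
        ok = rule.check(user, password)
        trace.append((rule.module, SUCCESS if ok else FAIL))
        if rule.control == "requisite" and not ok:
            return FAIL, trace                       # stop at once and report failure
        if rule.control == "required" and not ok:
            required_failed = True                   # remember it, but keep running the stack
        if rule.control == "sufficient" and ok and not required_failed:
            return SUCCESS, trace                    # short-circuit: modules below never run
        # a failed sufficient module, or any optional one, does not change the outcome
    return (FAIL if required_failed else SUCCESS), trace


if __name__ == "__main__":
    for user, pw in [("hamid", "unix-pw"), ("hamid", "ldap-pw"), ("karan", "bad"), ("axe", "axe-pw")]:
        result, trace = run_auth_stack(SYSTEM_AUTH, user, pw)
        print(f"{user:6} {result:8} " + " -> ".join(f"{m}:{o}" for m, o in trace))
```

The trace is the part worth reading: for hamid with the unix password the stack stops after pam_unix and pam_ldap is never consulted, for hamid with the LDAP password pam_unix fails silently and pam_ldap accepts, and for an unknown password every module runs down to pam_deny. Swap the order of the two sufficient lines, or make pam_env fail, and the trace shows why Tony's observations depend on details the article he quotes leaves out.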