Fwd: Ldap ppolicy schema entries
by Aravind Arjunan
---------- Forwarded message ----------
From: Aravind Arjunan <aravind.arjunan(a)gmail.com>
Date: 9 Feb 2008 11:19
Subject: Re: Ldap ppolicy schema entries
To: Buchan Milne <bgmilne(a)staff.telkomsa.net>
I am trying to configure LDAP in master-slave mode.
It was mentioned in the document that after configuring the master and slave
slapd.conf files
for replication, shut down the master slapd so you can copy the database.
I can't understand this part: how to copy the database,
and where to copy it? Tell me how to check that my slave slapd is working,
whether by giving the ldapsearch command in the slave instance or by any other way.
I am attaching the master and slave conf files for reference; please tell me
if there is any mistake.
13 years, 2 months
tips in ldappasswd
by Gustavo Mendes de Carvalho
Hi there,
I have an OpenLDAP server authenticating with TLSv1, but I found
some problems when I have to change my LDAP users' passwords. I use the
following command to try to change it:
[ming@ldap-cli ~]$ ldappasswd -AS -ZZ -H ldaps://ldap.server/ -D
uid=ming,ou=org-unit,o=org,c=br
Old password:
Re-enter old password:
New password:
Re-enter new password:
ldap_start_tls: Operations error (1)
additional info: TLS already started
[ming@ldap-cli ~]$ ldappasswd -AS -H ldaps://ldap.server/ -D
uid=ming,ou=org-unit,o=org,c=br
Old password:
Re-enter old password:
New password:
Re-enter new password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (No credentials cache found)
I store only password hashes in my LDAP database, so I need to know
how to replace this hash.
If I connect to my LDAP server using some LDAP browser, like
ldapadmin, I can change my user's password, but I need to change it
using some command line tool, like ldappasswd.
Do you have some examples of how to use ldappasswd? I already
searched for it on Google, but all the examples that I found tell me to
use the same command that I'm already using.
Thanks in advance
---
Gustavo Mendes de Carvalho
email: gmcarvalho(a)gmail.com
13 years, 2 months
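Two things in the transcript above are worth spelling out for anyone who lands here with the same errors. `ldaps://` already negotiates TLS when the connection opens, so adding `-ZZ` (StartTLS) on top of it is what produces "TLS already started"; and without `-x` the OpenLDAP client tools default to a SASL bind, which is why the second run tried GSSAPI and failed for lack of a Kerberos credential cache. The usual command-line fix is a simple bind over ldaps, `ldappasswd -x -H ldaps://ldap.server/ -D uid=ming,ou=org-unit,o=org,c=br -W -A -S`, which lets the server hash the new value according to its own `password-hash` setting.

For the case the poster describes, where the stored value is a hash that an administrator wants to replace directly (for example with ldapmodify), the following added example, written for this page and not taken from the thread or from OpenLDAP, computes a salted {SSHA} value in the same format as the `rootpw` line further down this page, verifies a candidate password against it in constant time, and emits the LDIF modify record. The DN is the one from the post; the salt, password and helper names are assumptions for the example, and nothing here talks to a server.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in OpenLDAP's {SSHA} format:
    base64( SHA1(password || salt) || salt ).  A fresh random salt per
    password means two users with the same password get different values."""
    if salt is None:
        salt = os.urandom(8)          # example choice; slappasswd also uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value; the salt is whatever
    follows the 20-byte digest in the decoded blob."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def ldif_replace_password(dn: str, stored: str) -> str:
    """LDIF 'changetype: modify' record that replaces userPassword with `stored`.
    The value is written base64-encoded ('::'), the way ldapsearch itself prints
    userPassword, so the record is valid whatever bytes the value contains."""
    b64 = base64.b64encode(stored.encode("utf-8")).decode("ascii")
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword:: {b64}\n"
            "-\n")
```

Feed the record to `ldapmodify -x -H ldaps://ldap.server/ -D cn=Manager,... -W -f change.ldif` (the manager DN is an assumption). Replacing the hash this way bypasses whatever the server would have done on a normal password change, so it is an administrative shortcut rather than the daily path; and {SSHA} is SHA-1 based, so where the slapd in use offers a stronger scheme (later releases ship {SSHA512} and PBKDF2 password modules) prefer that.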
2.3.39 vs 2.3.40 (as Re: (ITS#5354) slapd repeatedly hangs and stops responding)
by Buchan Milne
On Friday 08 February 2008 03:35:54 quanah(a)zimbra.com wrote:
> --On Thursday, February 07, 2008 8:13 PM -0500 Oren Laadan
>
> <orenl(a)cs.columbia.edu> wrote:
> > will fix the symbols now. thanks.
> >
> > as for the patch, it seems unrelated as it fixes a problem during the
> > start-up of the daemon; also, it's for 2.4.7, and I just downgraded
> > back to 2.4.49 (which I was using originally). the decision to move
> > up was because I hoped that the problem would disappear when using a
> > more recent version of openldap. as it turns out, it didn't :(
>
> There's no such thing as 2.4.49. I assume you mean 2.3.40? Or 2.3.39? I
> would use 2.3.40 over 2.3.39
Quoting Howard:
"While ITS#5342 is still being investigated, I would recommend that everyone
use 2.3.39 and not 2.3.40. Sorry for the trouble."
ITS#5342 is still open, and while the last two followups seem to indicate that
the corruption was not the fault of 2.3.40 ... I'm planning an upgrade for
this weekend (from 2.3.34 for one set of servers, and from 2.3.11 for
another), and thus far I'm hoping to run with 2.3.39 with most fixes in
2.3.40 (plus #5358's fix), but not the dn2id lock fix ...
Maybe I should make provision for an export/import during my upgrade?
Regards,
Buchan
13 years, 2 months
Re: Ldap ppolicy schema entries
by Ljunghammar, Darryl K
Hi Tonni,
Could you give me an example of what you meant by putting a + at the end
of the ldapsearch command? When I tried putting a plus at the end it
didn't give me any found results so I must be doing something wrong with
the syntax.
I used:
[root@alph bin]# ldapsearch -x -H ldaps://alph/ -D
"cn=Manager,dc=dst,dc=boeing,dc=com" -W -b
"ou=people,dc=dst,dc=boeing,dc=com" "(uid=darryl+)"
Enter LDAP Password: xxxxxx
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=dst,dc=boeing,dc=com> with scope sub
# filter: (uid=darryl+)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
But if I leave off the + I do get the user fields so I know it has data.
Thanks,
Darryl
________________________________________________________________________
Ljunghammar, Darryl K wrote, on 23-01-2008 21:56:
I would like to view the ppolicy schema attributes for a user when I do
a "ldapsearch" but they don't show up. For example, I would like to see
the "pwdHistory" attribute for a user. I know it is being updated
because if I enter a previously used password it tells me it can't be
reused.
I am using openldap 2.3.39-3 on a Redhat 5.1 system.
Put a '+' at the end of your ldapsearch string and you'll see only the
operational attributes, *if* your ACLs permit this. You will not see
empty attributes, only those with values.
Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
13 years, 2 months
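What Tonni means is that `+` is an attribute selector, not part of the filter. In the command above it ended up inside the filter, so the server looked for a uid literally ending in `+` and matched nothing. The filter stays `(uid=darryl)` and the selector goes after it: `ldapsearch -x -H ldaps://alph/ -D "cn=Manager,dc=dst,dc=boeing,dc=com" -W -b "ou=people,dc=dst,dc=boeing,dc=com" "(uid=darryl)" '+'` returns only operational attributes, and `'*' '+'` returns user and operational attributes together; as Tonni says, the ACLs must grant read on them, and attributes with no value are simply absent.

The following added example, written for this page and not taken from the thread, parses the extended LDIF that ldapsearch prints (comment lines, `::` base64 values, folded continuation lines, the `search:`/`result:` trailer) and picks out the ppolicy operational attributes of each entry, including the `time#syntaxOID#length#data` structure of `pwdHistory`. The sample LDIF is constructed for the example; its hash values are placeholders, not real password material.

```python
import base64
from typing import Dict, List, Tuple

# Operational attributes maintained by slapo-ppolicy (draft-behera-ldap-password-policy).
PPOLICY_OPERATIONAL = {
    "pwdChangedTime", "pwdAccountLockedTime", "pwdFailureTime", "pwdHistory",
    "pwdGraceUseTime", "pwdReset", "pwdPolicySubentry",
}

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF as printed by ldapsearch into entries (dict attr -> values).

    Handles '#' comment lines, folded lines (continuation starts with one
    space), 'attr:: base64' and 'attr: value'.  Blocks without a 'dn'
    (the 'search:'/'result:' trailer, 'version: 1') are dropped.
    'attr:< URL' and changetype records are not supported."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):
            raise ValueError("URL-valued attribute not supported: " + name)
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(name, []).append(value)
    return entries


def ppolicy_state(entry: Entry) -> Entry:
    """The ppolicy operational attributes present on an entry (the server
    only returns those that actually have values)."""
    return {k: v for k, v in entry.items() if k in PPOLICY_OPERATIONAL}


def parse_pwd_history(value: str) -> Tuple[str, str, str]:
    """Split a pwdHistory value 'time#syntaxOID#length#data' and check the
    length field against the data; returns (time, syntaxOID, data)."""
    time, oid, length, data = value.split("#", 3)
    if int(length) != len(data.encode("utf-8")):
        raise ValueError("pwdHistory length field does not match data")
    return time, oid, data


# Constructed sample in the shape ldapsearch prints with '*' '+'; the hashes
# are placeholders, not real password material.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=dst,dc=boeing,dc=com> with scope sub
# filter: (uid=darryl)
# requesting: * +
#

# darryl, people, dst.boeing.com
dn: uid=darryl,ou=people,dc=dst,dc=boeing,dc=com
objectClass: inetOrgPerson
uid: darryl
cn: Darryl
description: a long value that ldapsearch folded at 76 columns onto a second
  line
userPassword:: e1NTSEF9YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMQ==
pwdChangedTime: 20080123205600Z
pwdHistory: 20071201080000Z#1.3.6.1.4.1.1466.115.121.1.40#34#{SSHA}abcdefghijklmnopqrstuvwxyz01

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""
```

Run it on real output by piping `ldapsearch ... '*' '+'` into a file and passing the file's contents to `parse_ldif`; `ppolicy_state` then shows at a glance whether `pwdHistory`, `pwdAccountLockedTime` or `pwdFailureTime` are populated for the account, which is the quickest way to tell whether the overlay is actually recording anything versus the ACL hiding it.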
Openldap and last logon
by Ljunghammar, Darryl K
Hi,
Is there a way to record the last logon and hostname into a user's record
in openldap?
I am using openldap 2.3.27-8 on a Rh5.1 system.
Thanks,
Darryl
13 years, 2 months
Trouble Installing LDAP Client On Ubuntu Linux
by Ldap Newbie
Hi,
I have some trouble with the installation of the LDAP client on Ubuntu Linux.
I followed the instructions as described in the articles below.
1. <http://www.linux.com/feature/114074>
2. <http://mcwhirter.com.au/node/25>
Although I followed the steps in the articles, my Ubuntu keeps running exactly
as before, authenticating without using LDAP. The problem is that I don't have
a clue what's happening. So any suggestions on what files to check or what
commands to run to test things are appreciated.
What I do know about this configuration problem is:
* The LDAP server is up and running; it's usable from another application
* I don't see any incoming traces when I run slapd in full debug mode
and try some actions like rebooting or getent passwd from the client
* The getent passwd <username> test as described in article 2 fails
So likely something went wrong with the configuration of
$ apt-get install libpam-ldap libnss-ldap
Is there a way I can rerun the installer so that I can verify the configuration
data I entered? What other things should I try?
All suggestions appreciated.
Thanks,
Carl
13 years, 2 months
openldap - missing modules - how / where to find them
by Charlie Reddington
Hi Everyone,
I'm working on setting up openldap on a few of my linux servers. I was
working on setting up the slapd.conf file, and I ran the slaptest against
it.
I was returned with this.
lt_dlopenext failed: (back_bdb) back_bdb.so: cannot open shared object
file: no file or directory found.
Okay, simple enough: I'm trying to use the bdb backend, so I need the module
that is called in my file, back_bdb.so. I did a search on the system and it
is not found.
I installed the openldap stuff via yum. I installed the following.
openldap
openldap-servers
openldap-clients
openldap-devel
I've reinstalled, I've searched for just the backend module itself, all
coming up empty-handed.
Can someone point me to what I'm doing wrong in getting these files?
Charlie
13 years, 2 months
Timeouts over LDAPS
by Martin Sandsmark
Hi!
I'm having some trouble with time-outs when using ldaps with pam.
If slapd opens an incoming SSL connection but does not respond correctly
(like if the Berkeley database breaks down, which unfortunately seems to
happen from time to time), the LDAP PAM module will hang more or less
indefinitely. This is rather unfortunate, since it makes logging in and
repairing the database much more tedious.
If we use just plain ldap (not using OpenSSL), the connection times out
rather quickly, and PAM tries the next authentication method, which works
as expected, and the problem can be fixed. But unfortunately that also opens
up some security risks, since we can't be sure we are connecting to the proper
LDAP server.
--
Martin Sandsmark
IT-Komiteen, Samfundet
"Capital letters were always the best way of dealing
with things you didn't have a good answer to."
- Douglas Adams
13 years, 2 months
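The hang described above is the classic failure mode of a client with no network timeout: the TCP and TLS handshakes complete because slapd's listener is still alive, then the LDAP operation never gets an answer because the backend is wedged, and pam_ldap waits for it indefinitely. Both sides of the stack expose knobs for this: `NETWORK_TIMEOUT` and `TIMEOUT` in the OpenLDAP client ldap.conf, `bind_timelimit` and `timelimit` in PADL pam_ldap's configuration; together with `TLS_REQCERT demand` and a `TLS_CACERT` they let the LDAPS case fail as fast as the plain one without giving up server authentication.

The following added example, written for this page and not code from the thread or from OpenLDAP, is a small probe with that behaviour built in: it connects, optionally does TLS, sends an anonymous LDAPv3 BindRequest hand-encoded in BER, and insists on a BindResponse within a deadline, returning 'ok', 'timeout' or 'refused' rather than blocking. It is also a direct answer to the first post on this page, which asks how to check that a replica slapd is actually serving. To stay self-contained it is exercised against two in-process fake listeners that are constructed for the demo: one answers correctly and one accepts the connection and then goes silent, mimicking a slapd whose database has hung. The fakes speak plaintext because they have no certificate; against a real server pass an `ssl.SSLContext`.

```python
import socket
import ssl
import threading
import time

# Anonymous LDAPv3 BindRequest (messageID 1), hand-encoded in BER:
#   SEQUENCE { INTEGER 1, [APPLICATION 0] { INTEGER 3, OCTET STRING "", [0] "" } }
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")
# Matching success BindResponse (resultCode 0); only the fake server below sends it.
BIND_RESPONSE_OK = bytes.fromhex("300c02010161070a010004000400")

def _read_tlv(buf: bytes, pos: int):
    """Read one BER TLV (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _pdu_length(data: bytes) -> int:
    """Total size of the TLV at data[0]; 'infinite' until its header has arrived."""
    if len(data) < 2:
        return 1 << 30
    n = 0 if data[1] < 0x80 else data[1] & 0x7F
    if len(data) < 2 + n:
        return 1 << 30
    return 2 + n + (data[1] if n == 0 else int.from_bytes(data[2:2 + n], "big"))

def parse_bind_response(data: bytes) -> int:
    """Return the resultCode of an LDAP BindResponse PDU, or raise ValueError."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msgid, pos = _read_tlv(msg, 0)       # messageID, not checked here
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                          # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:                          # ENUMERATED resultCode
        raise ValueError("resultCode missing")
    return int.from_bytes(code, "big")

def probe_ldap(host: str, port: int, timeout: float = 5.0,
               tls: "ssl.SSLContext | None" = None) -> str:
    """Connect (TLS if a context is given), send an anonymous bind and wait at most
    `timeout` seconds for the BindResponse.  Returns 'ok', 'timeout', 'refused'
    or 'error:<detail>'; it never blocks indefinitely."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error:%s" % exc
    try:
        if tls is not None:
            sock = tls.wrap_socket(sock, server_hostname=host)  # handshake honours the timeout
        sock.settimeout(timeout)
        sock.sendall(BIND_REQUEST)
        data = b""
        while len(data) < _pdu_length(data):
            chunk = sock.recv(4096)
            if not chunk:
                return "error:connection closed before BindResponse"
            data += chunk
        code = parse_bind_response(data)
        return "ok" if code == 0 else "error:resultCode %d" % code
    except socket.timeout:
        return "timeout"
    except (ValueError, OSError) as exc:     # ssl.SSLError is an OSError
        return "error:%s" % exc
    finally:
        sock.close()

def _start_fake_slapd(handler) -> int:
    """Constructed for the demo: one-shot listener on 127.0.0.1, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def demo() -> dict:
    """Probe a healthy fake and a wedged fake with a 1 s deadline."""
    healthy = _start_fake_slapd(lambda c: (c.recv(4096), c.sendall(BIND_RESPONSE_OK)))
    wedged = _start_fake_slapd(lambda c: (c.recv(4096), time.sleep(3)))  # reads, never answers
    return {"healthy": probe_ldap("127.0.0.1", healthy, timeout=1.0),
            "wedged": probe_ldap("127.0.0.1", wedged, timeout=1.0)}
```

Against a real LDAPS listener call `probe_ldap("ldap.example.org", 636, tls=ssl.create_default_context(cafile="/etc/ssl/certs/ldap-ca.pem"))` (hostname and CA path are assumptions); the context validates the server certificate, so a probe that returns 'ok' has proven both that the right server answered and that its backend is responsive. A non-zero resultCode (for example when anonymous binds are disallowed) still means slapd is answering; only 'timeout' is the hung-backend signature the post describes.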
LDAP Master/Slave replication
by Alain Siani
Hello,
Do you think the versions of ldap must be equal?
I use openldap-2.3.27-8 on the server and openldap-2.2.23-5 on the client.
Do you think it is syncrepl compatible?
thanks,
Alain
I haven't found the solution... do you know a French document for the
installation of "syncrepl"?
I tried the English documentation:
http://www.openldap.org/doc/admin22/syncrepl.html
but no success...
thanks,
Alain
The log :
Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrepl
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: ndn:
"cn=syncrepl123,dc=myDomain,dc=com"
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: oc: "(null)", at:
"syncreplCookie"
Feb 5 13:11:37 dev5 slapd[2523]:
bdb_dn2entry("cn=syncrepl123,dc=myDomain,dc=com")
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_dn2id( "dc=myDomain,dc=com" )
Feb 5 13:11:37 dev5 slapd[2523]: <= bdb_dn2id: get failed: DB_NOTFOUND:
No matching key/data pair found (-30989)
Feb 5 13:11:37 dev5 slapd[2523]: => bdb_entry_get: cannot find entry:
"cn=syncrepl123,dc=myDomain,dc=com"
Feb 5 13:11:37 dev5 slapd[2523]: =>do_syncrep2
thanks for your help!
Alain
Hello,
I use the "slapd.conf" file below to mirror the master server.
It was ok with the 2.2.23-5 version of openldap.
I just installed a new version of openldap: 2.3.27-8
Now the slave server starts ok... but slapcat is empty!!??
Do you have an idea ?
Thanks a lot,
Alain
slapd.conf
_________
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
loglevel 256
database bdb
suffix "dc=myDomain,dc=com"
rootdn "cn=Manager,dc=myDomain,dc=com"
rootpw {SSHA}wuapktMrH50PDG29WoffJcmvpblebsdT
directory /var/lib/ldap/myDomain.com
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryUUID eq
access to *
by * read
syncrepl rid=123
provider=ldap://10.0.0.242:389
type=refreshOnly
interval=00:00:01:00
searchbase="dc=myDomain,dc=com"
filter="(objectclass=*)"
attrs="*"
scope=sub
bindmethod=simple
binddn="cn=Manager,dc=myDomain,dc=com"
credentials="myPassword"
13 years, 2 months