openldap-technical March 2008

openldap-technical@openldap.org

55 participants
54 discussions

date/time attributes
by Ildar Mulyukov 03 Apr '08

03 Apr '08

Hello again! Can anyone point me to attributes designating date or/and time? For example, is there a counterpart of VCard BDAY attribute? Thanks! Regards, Ildar -- Ildar Mulyukov, free SW designer/programmer ================================================ email: ildar(a)users.sourceforge.net home: http://tuganger.narod.ru/ ALT Linux Sisyphus ================================================

4 5

Blank Password for a ldap user
by Rocky S 01 Apr '08

01 Apr '08

I am very new ldap programming, so bear with me if my query is naive. I am trying to write a program using the OpenLDAP SDK. The program should take an LDAP servername/port, a CN & a password. The program should then report if the CN/password combination is correct or incorrect. This is how I am trying to do this. [ error checks removed for making it simple] LDAP *pldap; ldap_initialize(&pldap, "ldap://myhost:389) ; int desired_version = LDAP_VERSION3; ldap_set_option(pldap, LDAP_OPT_PROTOCOL_VERSION, &desired_version); int ret = ldap_bind_s(pldap, "uid=Jack,ou=People,dc=vss,dc=veritas,dc=com", "jack123", LDAP_AUTH_SIMPLE); if(ret == LDAP_SUCCESS) puts("VERIFIED"); else puts("FAILURE"); This works fine for for Jack/jack123. I have another user in the directory - John who has a null/empty password I tried both ldap_bind_s(pldap, "uid=John,ou=People,dc=vss,dc=veritas,dc=com", NULL, LDAP_AUTH_SIMPLE); ldap_bind_s(pldap, "uid=John,ou=People,dc=vss,dc=veritas,dc=com", "", LDAP_AUTH_SIMPLE); Both cases ldap_bind_s returns 53 - which I think means LDAP UNWILLING TO PERFORM I know the server allows null passwords.

2 2

logs and I/O Performances
by Andre Stoffel 31 Mar '08

31 Mar '08

Hi all, We are using 3 LDAP Directories based on Openldap 2.2.23 (number of objects : between 4000 and 11000 in the DBs) . The hardware is based on HP servers correctly dimensioned but not oversized disks resided on an EMC Symmetrix We try to implement the ldap logs but we have to stop after the first test: a common request taking between 1 up to 2 seconds instead of some milliseconds. Has anybody an idea of whats going wrong: setting, architecture Thanks. André.

2 1

OpenLDAP as a Meta directory for eDirectory and Active Directory
by Jon Gerdes 30 Mar '08

30 Mar '08

I have a requirement to link up the contents of an AD and an eDir into a single meta dir. I am testing all this on a small system. The basic idea is that a user will be able to do a search on their uid and then bind to it. Their account could be in either the AD or the eDir. I would want to support both simple and digest-md5 binds. Both eDir and AD support SASL digest md5 binds but AD does not allow simple binds. I do not wish to change the back ends but just work with what is there. In my test system I have dc=blueloop,dc=net at the top with ou=edir and ou=ad to be mapped under the top level. My gerdesj account has all the relavent rights in all cases. I have gone around in circles on this several times! I can do a browse of the edir container fine ie a search of the ou=edir,dc=blueloop,dc=net as anon returns stuff as I would expect. This seems to work OK: ldapsearch -h localhost '(objectclass=*)' -D "cn=gerdesj,ou=edir,dc=blueloop,dc=net" -b "ou=edir,dc=blueloop,dc=net" -x -W Trying to use SASL fails: ldapsearch -h localhost -b 'ou=edir,dc=blueloop,dc=net' '(objectclass=*)' -Y DIGEST-MD5 -U "dn:cn=gerdesj,ou=edir,dc=blueloop,dc=net" SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database This seems to imply to me that the OpenLDAP box is trying to auth me rather than passing this off to the system it is proxying. Why ? I would also like to make the AD side of things such that it will allow a simple anonymous connection to search and then allow through a simple bind I've read everything I can find but have run out of steam. Thanks for any advice or pointers. Cheers Jon Here is a chunk out of my slapd.conf ##### eDir #ldapsearch -h localhost -b 'ou=edir,dc=blueloop,dc=net' -s sub -x -D '' '(objectclass=*)' database ldap suffix "ou=edir,dc=blueloop,dc=net" uri "ldap://port.blueloop.net/" subordinate overlay rwm rwm-suffixmassage "ou=edir,dc=blueloop,dc=net" "ou=users,o=blueloop" ##### AD database ldap suffix "ou=ad,dc=blueloop,dc=net" uri "ldap://baileys.blueloop.net/" subordinate idassert-authzFrom "dn:regex=.*" acl-bind bindmethod=sasl saslmech=DIGEST-MD5 authcId=gerdesj authzId=gerdesj credentials="{SSHA}xxxxxx" idassert-bind bindmethod=sasl saslmech=DIGEST-MD5 binddn="cn=gerdesj,ou=users,ou=blueloop,dc=blueloop,dc=net" credentials="{SSHA}xxxxxxxxxxxxxx" mode=self overerlay rwm rwm-suffixmassage "ou=ad,dc=blueloop,dc=net" "ou=users,ou=blueloop,dc=blueloop,dc=net" Registered Address : 7 Manor Buildings, North Perrott, Crewkerne, Somerset, TA18 7ST Registered England & Wales - 3981322 CONFIDENTIAL INFORMATION This e-mail and any files attached with it are confidential and for the sole use of the intended recipient(s). If you are not the intended recipient(s) you are prohibited from using, copying or distributing this or any information contained in it and should immediately notify the sender and delete the message from your system. Internet communications are not secure and Blueloop Limited is not responsible for unauthorised use by third parties nor for alteration or corruption in transmission. Furthermore, while Blueloop Limited have taken reasonable precautions to minimise the risk of software viruses, it cannot accept liability for any damage which you may suffer as a result of such viruses, and we therefore recommend you carry out your own virus checks on receipt of any e-mail.

2 1

DSMLReader(dsmlFile) gives Invalid beginning tag :attr error
by Hamidreza Hamedtoolloei 29 Mar '08

29 Mar '08

var YAHOO = {'Shortcuts' : {}}; YAHOO.Shortcuts.hasSensitiveText = false; YAHOO.Shortcuts.sensitivityType = []; YAHOO.Shortcuts.doUlt = false; YAHOO.Shortcuts.location = "us"; YAHOO.Shortcuts.document_id = 0; YAHOO.Shortcuts.document_type = ""; YAHOO.Shortcuts.document_title = "DSMLReader(dsmlFile) gives Invalid beginning tag :attr error"; YAHOO.Shortcuts.document_publish_date = ""; YAHOO.Shortcuts.document_author = "hamedtoolloei(a)yahoo.com"; YAHOO.Shortcuts.document_url = ""; YAHOO.Shortcuts.document_tags = ""; YAHOO.Shortcuts.annotationSet = { "lw_1206833257_0": { "text": "prabbit(a)dsml.org", "extended": 0, "startchar": 1507, "endchar": 1522, "start": 1507, "end": 1522, "extendedFrom": "", "predictedCategory": "", "predictionProbability": "0", "weight": 1, "type": ["shortcuts:/us/instance/identifier/email_address"], "category": ["IDENTIFIER"], "context": "" } }; Hey guys, I am using jldap to communicate with ldap, and I get an exception when I am parsing a dsml file. In more details, the following line of code LDAPReader in = new DSMLReader(dsmlFile); gives the following error Thefollowing error occured handling a DSML file:LDAPLocalException: Thefollowing error occured while parsing DSML: org.xml.sax.SAXException:Invalid beginning tag :attr (84) Decoding Error org.xml.sax.SAXException: Invalid beginning tag :attr when dsmlFile is <dsml:directory-entries> <dsml:entry dn="uid=prabbit,ou=development,o=bowstreet,c=us"> <dsml:objectclass> <dsml:oc-value>top</dsml:oc-value> <dsml:oc-value>person</dsml:oc-value> <dsml:oc-value>organizationalPerson</dsml:oc-value> <dsml:oc-value>inetOrgPerson</dsml:oc-value> </dsml:objectclass> <dsml:attr name="sn"><dsml:value>Rabbit</dsml:value></dsml:attr> <dsml:attr name="uid"><dsml:value>prabbit</dsml:value></dsml:attr> <dsml:attr name="mail"><dsml:value>prabbit(a)dsml.org</dsml:value></dsml:attr> <dsml:attr name="givenname"><dsml:value>Peter</dsml:value></dsml:attr> <dsml:attr name="cn"><dsml:value>Peter Rabbit</dsml:value></dsml:attr> </dsml:entry> </dsml:directory-entries> </dsml:dsml> Any suggestions?? thanks Never miss a thing. Make Yahoo your homepage. ____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs

1 0

Unable to add attribute to cn
by Frank, Hans, 232 28 Mar '08

28 Mar '08

Hi there, I would like to add the attribute "orclnetdescstring" to the following ldap object: cn=TESTDB,cn=OracleContext,dc=test,dc=de When trying this, I get the following error message: 09:44:42 AM: Failed to add 'orclnetdescstring' attribute for ldap://***:389/cn=TESTDB,cn=OracleContext,dc=test,dc=de Root error: [LDAP: error code 65 - attribute 'orclnetdescstring' not allowed] I did include the attributetype into the core.schema, which is included in slapd.conf the following way: attributetype ( 1.3.6.1.4.1.9232.6 NAME 'orclnetdescstring' DESC 'Oracle-OID spezific A-Type' SUP name ) or: attributetype ( 1.3.6.1.4.1.9232.6 NAME 'orclnetdescstring' SUP name ) But that doesn't change anything. I am very new to openldap, so if there are any good tutorials which describe such simple things (I suppose this is something simple), please let me know. I just need this object with some specific attributes, how can I realise this? Best Regards Hans Frank

3 2

Re: NIS to ldap layout
by Eric Ritchie 28 Mar '08

28 Mar '08

Gavin Henry wrote: > Eric Ritchie wrote: >> I have 3 NIS domains I wish to convert to ldap. I would like to keep >> 3 separate areas in ldap since the NIS domains have different >> accounts. I created a base dn and loaded data under 3 higher levels, >> such as base is dc=xyz,dc=com and dc=a,dc=xyz,dc=com >> dc=b,dc=xyz,dc=com dc=c,dc=xyz,dc=com. Then if I want client one to >> be in domain a, I set its base to dc=a,dc=xyz,dc=com. This works for >> host name lookups but when another host tries to login to the box via >> telnet or rsh, the login hangs after the password is entered, ssh >> works though. If I specify a binddn on the client with >> dc=a,dc=xyz,dc=com, I can login via telnet and rsh but name lookups >> fail on the host. Any idea what is causing this? Is this the best way >> to have separate DBs for clients? >> >> Thanks >> > > Sounds like you are using pam_ldap? I would post to their lists with > you configurations etc. > > Gavin. > I emptied my ldap database to start fresh. I created a base of dc=ibg,dc=com and loaded 2 hostname/IPs. I configured my client to use ldap for hosts in /etc/nsswitch.conf. Its using ldap for host lookups only, nothing else. The client works fine, it can find the 2 hosts in ldap. If I try to telnet from a host not in ldap it works but if I try to telnet from one of the hosts in ldap to my client, it hangs. If I set binddn on the client, then the hosts in ldap can telnet to the client but the client can't lookup host names. I'm new to ldap so I'm not sure if this is a pam or ldap issue. I don't understand why enabling the binddn allows the remote host to telnet but breaks local name lookups. Thanks -- Eric Ritchie Interactive Brokers LLC 203-618-5868

2 1

Re: OpenLDAP Group ACL
by Luke Lee 28 Mar '08

28 Mar '08

Sir, I modified my settings and added the following group: dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com objectClass: posixGroup objectClass: top cn: pwmanager userPassword: {crypt}x gidNumber: 550 memberUid: l_luke memberUid: w_smith I also modified my ACL in the slapd.conf: access to attr=userPassword by self write by anonymous auth by group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write by * none access to * by self write by group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write by * read I used the same command trying to change the user's password but received the exact same error. Would you please help? You mentioned that the nisNetgroup object doesn't fit in the ACL configuration in your previous reply. I had defined netgroups looked like the following: dn: cn=Sales,ou=Netgroup,dc=mydomain,dc=com objectClass: nisNetgroup objectClass: top cn: Sales nisNetgroupTriple: (,c_parks,mydomain.com) nisNetgroupTriple: (,j_berryhill,mydomain.com) nisNetgroupTriple: (,b_chen,mydomain.com) Would there be a way for me to use the netgroup and its members for any ACL type of access? Your help will be highly appreciated! ----- Original Message ---- From: Pierangelo Masarati <ando(a)sys-net.it> To: Luke Lee <leeluke77(a)yahoo.com> Cc: openldap-technical(a)openldap.org Sent: Thursday, March 27, 2008 12:35:16 PM Subject: Re: OpenLDAP Group ACL > Hello, > > I'll appreciate it if any of you are willing to take time and share with > me your experience with OpenLDAP running on a RedHat server configured > with group ACL. > > I'm trying to grant a group of people (including myself) the permission to > change user LDAP passwords. However, when I try to change a user's LDAP > password, I received the following message: > > Result: Insufficient access (50) > > The command that I used was: > > ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S > "uid=w_smith,ou=People,dc=mydomain,dc=com" > > My ACL settings in the slapd.conf file are: > > access to attr=userPassword > by self write > by anonymous auth > by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write > by * none > access to * > by self write > by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write > by * read > > My netgroup has been defined as the following: > > dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com > objectClass: nisNetgroup > objectClass: top > cn: ITgroup > nisNetgroupTriple: (,l_luke,mydomain.com) > nisNetgroupTriple: (,w_smith,mydomain.com) > nisNetgroupTriple: (,g_baker,mydomain.com) > description: Password Keepers > > My user entry is: > > # l_luke, People mydomain.com > dn: uid=l_luke,ou=People,dc=mydomain,dc=com > uid: l_luke > cn: l_luke > objectClass: account > objectClass: posixAccount > objectClass: top > objectClass: shadowAccount > shadowLastChange: 13958 > shadowMax: 99999 > shadowWarning: 7 > loginShell: /bin/bash > uidNumber: 10005 > gidNumber: 10005 > homeDirectory: /home/l_luke > gecos: Luke Lee > > Can anyone point me to the right direction or share with me the correct > group ACL settings that you have? Thanks! As indicated in slapd.access(5), the member attribute must have either distinguishedName syntax (or nameAndOptionalUID syntax) or be derivated from memberURL; it defaults to "member". It appears from your message that you expect "nisNetgroupTriple" to be used as member attribute, but you should specify that attribute in the ACL clause. However, "nisNetgroupTriple" wouldn't be allowed since it doesn't comply with the above restrictions. You need to use LDAP groups for access control; nisNetGroup objects don't fit. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it --------------------------------------- ____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping

2 1

OpenLDAP Group ACL
by Luke Lee 27 Mar '08

27 Mar '08

Hello, I'll appreciate it if any of you are willing to take time and share with me your experience with OpenLDAP running on a RedHat server configured with group ACL. I'm trying to grant a group of people (including myself) the permission to change user LDAP passwords. However, when I try to change a user's LDAP password, I received the following message: Result: Insufficient access (50) The command that I used was: ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S "uid=w_smith,ou=People,dc=mydomain,dc=com" My ACL settings in the slapd.conf file are: access to attr=userPassword by self write by anonymous auth by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write by * none access to * by self write by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write by * read My netgroup has been defined as the following: dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com objectClass: nisNetgroup objectClass: top cn: ITgroup nisNetgroupTriple: (,l_luke,mydomain.com) nisNetgroupTriple: (,w_smith,mydomain.com) nisNetgroupTriple: (,g_baker,mydomain.com) description: Password Keepers My user entry is: # l_luke, People mydomain.com dn: uid=l_luke,ou=People,dc=mydomain,dc=com uid: l_luke cn: l_luke objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 13958 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 10005 gidNumber: 10005 homeDirectory: /home/l_luke gecos: Luke Lee Can anyone point me to the right direction or share with me the correct group ACL settings that you have? Thanks! ____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs

2 1

ways to connect to IBM Lotus Directory
by Ildar Mulyukov 27 Mar '08

27 Mar '08

Hello, I want to replicate an IBM Lotus Directory version 8 to my OpenLDAP server. Does anyone have such an experience? Anyone to give me a good advice? Thank you. I was thinking of several questions: 1. I need IBM attributes, objectClasses etc. to use as an additional OpenLDAP schema. 1a. Is it possible to create a schema file using LDAP schema discovery? 2. Is Syncrepl of any use here? 3. As a last resort I could use ldapsearch+ldapadd as soon as I get Lotus schema. Thanks for any help. Best regards, Ildar -- Ildar Mulyukov, free SW designer/programmer ================================================ email: ildar(a)users.sourceforge.net home: http://tuganger.narod.ru/ ALT Linux Sisyphus ================================================

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2008