I have a system in GMT timezone and the NTP server in GMT-2hrs time zone.
In this case when the system time syncs with NTP time (for example the
first time the system comes up after configuration), the time in the
system will be set 2 hours behind the current time in the system.
In this case, LDAP replication is failing.
What is the dependency between LDAP replication and NTP servers?
Thanks in advance.

I have problems with Debian etch Linux clients resolving group names
served by our LDAP server. User and passwd work because I can log in.
"getent group" properly shows the group served by the LDAP server.
eg: #getent group
However "id username" only shows LDAP served groupIDs but not their names.
eg: #id chris
uid=1002(chris) gid=1000 groups=1000,20(dialout)
This means that I can't do things like chgrp eg: "chgroup mygroup
"chgrp: invalid group `mygroup'"
I am using nscd and nsswitch.conf says:
passwd: files ldap
group: files ldap
shadow: files ldap
The University of Reading

I am trying to load my ldif file onto the server using the command
ldapadd -x -D "cn=Manager,dc=example,dc=net" -W -f example.ldif
For which I am prompted for the password
enter LDAP password:
When I give the password: secret....i.e., the same as in slapd.conf file...
I am getting an error that says
LDAP_BIND: invalid credentials(49)
Please help ASAP
Thanks and Regards

I am using *SASL/GSSAPI* to authenticate to *Kerberos* from *OpenLDAP*.
I haven't gotten that to work yet.
To separate and modularize some of these services, we have three
servers: A file server running Samba; A directory server running
OpenLDAP to provide personal and group identities; and an authentication
server running Kerberos (administered by another group). Samba connects
to OpenLDAP through smbldap-tools. And OpenLDAP connects to the
Kerberos server via SASL/GSSAPI.
When someone requests a Samba logon, Samba requests an LDAP bind, which
in turn should use SASL to authenticate via Kerberos.
The connection between Samba and OpenLDAP is working swell. It is the
Kerberos connection that has me flummoxed.
*Simply put, OpenLDAP with SASL2 and GSSAPI support will be running on
one server, while the Kerberos KDC will be running on another server.*
I haven't found any documents that address this not-so-wacky design.
Almost all of the docs I found presume that I am setting up the KDC on
the same server as OpenLDAP. In my case, the KDC is administered by
another group who is willing to grant me access to Kerberos. However,
none of the docs I've found offer help in setting up SASL/GSSAPI here
and the Kerberos server elsewhere.
So when a document says, run /kadmin.local/, to generate a principal,
that is not available to me. If I can ask specifically for what I want,
I might be able to convince the kerberos administrators to do it for me,
but I have to be pretty specific about what I want.
The docs I'm referring to are:
* Cyrus SASL for System Administrators
* OpenLDAP 2.2 Administrator's Guide - Using SASL
In several documents, it was suggested that before you try connecting
OpenLDAP to Kerberos that you test to make sure your Kerberos
configuration is working. That makes a lot of sense to me. So I want
to perform a series of checks, but I don't know what those tests might
be. Here's what I would like to test:
* Can I connect to the Kerberos server directly? (kinit)
* Is direct authentication to the Kerberos server working?
* Am I getting returned a proper ticket? (klist)
* Is the keytab file on my OpenLDAP server being recognized and
accepted by the Kerberos server?
* Is my machine being authenticated as a principal? Does it need to be?
* How do I test SASL2 before getting OpenLDAP involved?
* After making changes to my OpenLDAP config, how do I test the
Kerberos connection through OpenLDAP?
Do you have any pointers here?
This project has been delayed weeks and weeks while I climb and climb up
Samba, OpenLDAP, and Kerberos' very steep learning curve. So your
prompt response will be hugely helpful.
Thanks in advance,
Specifics of my configuration:
* OS: Red Hat Enterprise 4 v2.6.9
* OpenLDAP v2.2.13
* Local MIT Kerberos5 v1.3.4
* KDC: MIT Kerberos5 v?
* Cyrus SASL v2.1.19
Server Administrator & Programmer Analyst
Computing & Network Services
Information and Technology Services