openldap-technical May 2008

openldap-technical@openldap.org

62 participants
56 discussions

Re: Mystery - Authentication Would Fail If Not Binding With Server By Using cn=Manager
by Luke Lee 12 May '08

12 May '08

My access rules in the slapd.conf are the following: access to attrs=userPassword by self write by anonymous auth by dn.base="cn=sysadmin,dc=mydomain,dc=com" write by group.exact="cn=itmanager,ou=manager,dc=mydomain,dc=com" write by * none access to * by self write by dn.base="cn=sysadmin,dc=mydomain,dc=com" write by group.exact="cn=itmanager,ou=manager,dc=mydomain,dc=com" write by * read If I don't have the following entries in a client's /etc/ldap.conf, when I login the client by using ssh I will get the "Access denied" message: binddn cn=Manager,dc=mydomain,dc=com bindpw secret The ldap log is the following: May 11 16:08:18 ldapm slapd[24629]: conn=0 fd=13 ACCEPT from IP=192.168.2.161:33801 (IP=0.0.0.0:389) May 11 16:08:18 ldapm slapd[24629]: conn=0 op=0 BIND dn="" method=128 May 11 16:08:18 ldapm slapd[24629]: conn=0 op=0 RESULT tag=97 err=0 text= May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))" May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))" May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text= May 11 16:08:23 ldapm slapd[24629]: conn=1 fd=16 ACCEPT from IP=192.168.2.161:33802 (IP=0.0.0.0:389) May 11 16:08:23 ldapm slapd[24629]: conn=1 op=0 BIND dn="" method=128 May 11 16:08:23 ldapm slapd[24629]: conn=1 op=0 RESULT tag=97 err=0 text= May 11 16:08:23 ldapm slapd[24629]: conn=1 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=luke_l)" May 11 16:08:23 ldapm slapd[24629]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= If I have the binddn and bindpw using the distinguished name, Manager, the login will succeed. The ldap log is the following:May 11 17:22:32 ldapm slapd[24629]: conn=20 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=20 op=4 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=luke_l)" May 11 17:22:32 ldapm slapd[24629]: conn=20 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luke_l)(uniqueMember=uid=luke_l,ou=people,dc=mydomain,dc=com)))" May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SRCH attr=cn userPassword memberUid uniqueMember gidNumber May 11 17:22:32 ldapm slapd[24629]: <= bdb_equality_candidates: (uniqueMember) not indexed May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text= May 11 17:22:32 ldapm slapd[24629]: conn=20 op=6 UNBIND May 11 17:22:32 ldapm slapd[24629]: conn=20 fd=18 closed May 11 17:22:32 ldapm slapd[24629]: conn=21 fd=16 ACCEPT from IP=192.168.2.161:33816 (IP=0.0.0.0:389) May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118 May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0 May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 RESULT tag=97 err=0 text= May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))" May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))" May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=22 fd=18 ACCEPT from IP=192.168.2.161:33817 (IP=0.0.0.0:389) May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118 May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0 May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 RESULT tag=97 err=0 text= May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))" May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=23 fd=20 ACCEPT from IP=192.168.2.161:33818 (IP=0.0.0.0:389) May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118 May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0 May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 RESULT tag=97 err=0 text= May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))" May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=23 fd=20 closed (connection lost) What should I do to fix the problem and bind the server anonymously but get the authetication working? Thanks. Luke ----- Original Message ---- From: Dieter Kluenter <dieter(a)dkluenter.de> To: openldap-technical(a)openldap.org Sent: Saturday, May 10, 2008 1:32:58 AM Subject: Re: Mystery - Authentication Would Fail If Not Binding With Server By Using cn=Manager Hi, Luke Lee <leeluke77(a)yahoo.com> writes: > I am running OpenLDAP 2.3.39 on RedHat. My login authentication on a client > system will fail if I don't configure the optional binddn and bindpw by using > cn=Manager. > > Can anyone please enlighten me what could cause the strange problem? Thanks! Could you be a bit more specific and could you provide the access rules of slapd.conf? -Dieter -- Dieter Klünter | Systemberatung http://www.dkluenter.de GPG Key ID:8EF7B6C6 ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

1 0

Any success story using syncRepl with postgresql backend?
by Tommy Ho 12 May '08

12 May '08

I was wondering if anyone had success with using multi-master replication (syncrepl with mirrormode enabled) using postgresql as the backend? I had this working using BDB but when I switched over to use postgres as the backend, the synchronization becomes very erratic and inconsistent, deleted data from one master never gets propagated and newly added data will sometimes get sync'd and sometimes it doesn't. Thanks for any input, \Tommy

2 2

DHCP breaks LDAP?
by John Oliver 12 May '08

12 May '08

On two RHEL4u5 lab machines, LDAP authentication stopped working. The only thing that was done was DHCP was enabled on a previously-unconfigured interface. That messed up ntpd.conf, so I know that weird stuff was going on. Anyway, all attempts to log in with an LDAP user result in ldap_simple_bind: Can't contact LDAP server However, the machines can ping the LDAP server, and nmap shows 389 and 636 as open. /etc/ldap.conf has not changed. /etc/nsswitch.conf has not changed. I ran "authconfig" and the server line was empty, so I filled it in. No dice. I am completely stumped. -- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * ***********************************************************************

2 1

Mystery - Authentication Would Fail If Not Binding With Server By Using cn=Manager
by Luke Lee 10 May '08

10 May '08

I am running OpenLDAP 2.3.39 on RedHat. My login authentication on a client system will fail if I don't configure the optional binddn and bindpw by using cn=Manager. Can anyone please enlighten me what could cause the strange problem? Thanks! Luke ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

2 1

migration question
by Gordon 09 May '08

09 May '08

Our users have Thunderbird configured to search for email addressed in ldap our old ldap has a base DN of dc=sbg,dc=com our new ldap has a base DN of ou=people,dc=sbg,dc=com Is there a way to provide a view or alias of the new system so clients do not have to be updated to the new base DN?

3 2

AD + Openldap integration
by Rich West 07 May '08

07 May '08

I am not entirely sure where to ask this particular question, and I apologize in advance if this is not the correct forum... We have an AD infrastructure and we'd like to get all of our unix boxes to authenticate against the AD servers. I'm able to query against our AD servers by hand using: ldapsearch -x -LLL -E pr=200/noprompt -h ouradhost -D "CN=Administrator,OU=IT Department,OU=Users,OU=My Business,DC=ourdomain,DC=dotcom" -W -b "dc=ourdomain, dc=dotcom" -s sub "(cn=*)" And that gives me the entire tree, but I haven't made much progress from there. Honestly, I am unsure what 'right' resulting architecture would be: have each unix (linux, CentOS) system, using nss_ldap, authenticate against AD directly, or build an openldap replica of the AD contents (just user accounts) and have the unix boxes authenticate against that. Because of the AD layout, I'm not sure nss_ldap is even configurable enough to map users from the mess of groups within AD to one layer of users. The AD layout is messy.. the users are broken up in to different groups ("IT Department", "Executives", etc., etc) within AD, and it isn't straightforward on how to do a query just to get all users (regardless of the group). (unfortunately, I have no ability at this time to re-work the AD architecture, nor do I take responsibility for its current layout) Thanks! -Rich

3 4

change berkeley version
by Benjamin Bellec 07 May '08

07 May '08

Hello, I am new on this list. I am currently configuring a server (virtual machine) to use OpenLDAP 2.2.13 (must use this version) with Berkeley DB 4.2 (must use this version too). BDB 4.2 is the problem. My server use BDB 4.3 and I don't now how to tell OpenLDAP to use BDB 4.2 instead of 4.3. Any idea ? Thanks, Benjamin.

3 4

Examples of back-meta with more than one AD domains
by Vittore Zen 07 May '08

07 May '08

Hi, I need some help to configure a solution to this problem: 1. Some Windows 2000/2003 AD domains 2. A unique openLDAP server I want that openLDAP server contains all users account for every domains (the next step is setup a RADIUS server that use openLDAP as authentication source). I'm looking for a working examples of back-meta with more than one AD domains. Any ideas? Thanks in advance. v.

2 1

Re: How do I add multiple users to a group ldif file ?
by Pooja S 07 May '08

07 May '08

Thanks a lot. posixGroup worked with memberUid attribute.. Thank you so much.. Thanks, Pooja ----- Original Message ---- From: Javier Barroso <javibarroso(a)gmail.com> To: Pooja S <ldapuser(a)yahoo.com> Cc: openldap-technical(a)openldap.org Sent: Wednesday, May 7, 2008 4:31:40 AM Subject: Re: How do I add multiple users to a group ldif file ? On Tue, May 6, 2008 at 11:09 PM, Pooja S <ldapuser(a)yahoo.com> wrote: Hi All, Please help me setting up my groups with multiple group members. ... gidNumber: root,adm,daemon I understand gidNumber is the primary group of the user. If you want the user on several groups, you should look for "PosixGroup" object (or groupOfUniqueNames?) ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

1 0

Re: How do I add multiple users to a group ldif file ?
by Pooja S 07 May '08

07 May '08

Hi , Thank you for your reply to my query. I am still doing something wrong and it still doesnt work for me. Can you please replace the wrong with the correct attribute and objectclass: This is what I am using : dn: uid=adm,ou=Groups,dc=grow,dc=lan uid: adm cn: adm objectClass: account objectClass: posixAccount objectClass: PosixGroup objectClass: top objectClass: shadowAccount objectClass: inetOrgPerson userPassword: {crypt}* shadowLastChange: 12864 shadowMax: 99999 shadowWarning: 7 uidNumber: 4 gidNumber: 4 memberuid: 0 homeDirectory: Thanks, Pooja ----- Original Message ---- From: Javier Barroso <javibarroso(a)gmail.com> To: Pooja S <ldapuser(a)yahoo.com> Cc: openldap-technical(a)openldap.org Sent: Wednesday, May 7, 2008 4:31:40 AM Subject: Re: How do I add multiple users to a group ldif file ? On Tue, May 6, 2008 at 11:09 PM, Pooja S <ldapuser(a)yahoo.com> wrote: Hi All, Please help me setting up my groups with multiple group members.. ... gidNumber: root,adm,daemon I understand gidNumber is the primary group of the user. If you want the user on several groups, you should look for "PosixGroup" object (or groupOfUniqueNames?) ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2008