openldap-technical June 2008

openldap-technical@openldap.org

73 participants
83 discussions

Re: ppolicy by group
by Jeroen van Aart 26 Jun '08

26 Jun '08

(I originally posted this on openldap-software, posting it to technical, since it seems to allow this type of discussion) Gavin Henry wrote: > If you don't have a default ppolicy defined and no pwdPolicySubentry > then slapd will perform as it is currently configured. Thanks I got it more or less working. But only ssh seems to obey it so far (I set pam_lookup_policy to yes). I would like to know if anyone had success to make other frequently used software to obey the password policy. Such as imap, MTAs, webservers, especially if used through pam. Thank you, Jeroen

3 7

Re: slapd replication (push based)
by Martin Simovic 26 Jun '08

26 Jun '08

On Thu, 2008-06-26 at 14:06 +0100, Gavin Henry wrote: > msimovic(a)concurrent-thinking.com wrote: > > > > On Tue, 24 Jun 2008 09:40:24 -0700, Howard Chu <hyc(a)symas.com> wrote: > >> Martin Simovic wrote: > >>> Hi, > >>> > >>> I have the following setup > >>> > >>> LAN --- slapd 2.4.7 (master) --- DMZ ---slapd 2.3.30 (slave) > >>> > >>> I'm trying to achieve replication from master to slave. > >>> the firewall policy is LAN-->DMZ allow > >>> DMZ-->LAN reject > >>> > >>> this was actually very easy with slurpd (removed from 2.4) as the only > >>> need was to allow TCP traffic from master to slave > >>> > >>> with syncrepl it seems to me that no matter if I use push/pull method > >>> the client (slave) is the one that binds to the master (provider). this > >>> means that firewall rule that allows TCP traffic to LAN is needed - this > >>> is very ugly. > >>> > >>> is there a way to workaround this (or did i just misunderstand the whole > >>> problem) > >> See the configuration used in test045 in the test suite. > > > > thanks for the answer. > > > > the truth is, i´ve alrady been through the test045 but can´t understand > > what > > is going on there. the openldap admin guide seems to be a lot more verbose > > about much simpler subjects and very sparse about something which does not > > seem so straightforward (and used to be so simple in slurpd times). > > > > my scenario seems pretty usual (like secured rw copy of DIT on lan, while > > read > > only copy on dmz - for mail server, apache auth, etc.) > > in this very usual and IMHO wise setup the DMZtoLAN traffic is undesirable. > > > > and yet there is no solid documentation in admin guide. > > > > any pointers to documentation would be much appreciated. > > > > Did you see: > > http://www.openldap.org/doc/admin24/replication.html#Push%20Based > > It really does need cleaning up. > > Thanks. > Yes, it's really messy. actually my desperate need for this made me overcome my laziness. i compiled the slapd from source, run the tests, immediately after the test045 copied the slapd.1. ...slapd.3.conf files. this made me understand what is really going on there. my understanding is that i need to run two instances of slapd on master (master + proxy) proxy is pulling down changes from master and stores them in it's backend (ldap backend pointing to slave server) all the rest is question of acl's. can you correct me please, if i'm wrong. trying to implement it right now. M.

1 0

contextCSN question, three attributes on single naming context
by Josh Miller 25 Jun '08

25 Jun '08

I'm chasing down an issue with multi-master replication on OpenLDAP 2.4.10 and I issue the following search to compare the contextCSN. Is there any reason to have 3 contextCSN attributes, and one of them looks like a base64 encoded string, that doesn't look right. Is this expected behavior? -4- user@f8-workstation ~ > > ldapsearch -xZZH ldap://server01.example.com -D "cn=manager,dc=openldap,dc=example,dc=com" -W -z 1 contextCSN dn: dc=openldap,dc=example,dc=com -LLL Enter LDAP Password: dn: dc=openldap,dc=example,dc=com contextCSN: 20080527205300.158966Z#000000#000#000000 contextCSN: 20080619202050.412763Z#000000#004#000000 contextCSN: 20080623172814.327835Z#000000#003#000000 Size limit exceeded (4) -4- user@f8-workstation ~ > > ldapsearch -xZZH ldap://server03.example.com -D "cn=manager,dc=openldap,dc=example,dc=com" -W -z 1 contextCSN dn: dc=openldap,dc=example,dc=com -LLL Enter LDAP Password: dn: dc=openldap,dc=example,dc=com contextCSN:: qBiaszA2MTIxNzMyMzMuMTA1MTA2WiMwMDAwMDAjMDAzIzAwMDAwMA== contextCSN: 20080620213035.498183Z#000000#004#000000 contextCSN: 20080527205300.158966Z#000000#000#000000 Size limit exceeded (4) TIA, -- Josh Miller, RHCE

2 1

Re: Need to configure openLDAP client to request authenication in LDAP version 2 format
by kenglund 25 Jun '08

25 Jun '08

Thank you all for your help. I found out the out mail server is a CommuniGate Pro version 4.x - an old version. This is why we have had to modify our code to work with its weird format. The code I need to change is down in the Plone "LDAP User Folder" software - written in Python. It is apparently not using openLDAP at all. I would love to either upgrade our Communigate Pro software to the newest release (which would work, but is costly), or go to openLDAP for authentication (which is free, but takes more time than we have right now). Sorry to take up your time and energies. Ken

1 0

schema file
by Aravind Arjunan 25 Jun '08

25 Jun '08

hi, I tried to extend my schema but getting errors.I had created a separate schema file called attr.schema file. This is the schema file, in that i had mentioned mailbox location and mailQuota and mailalternateaddress attribute. But when i restart the ldap service, i get [root@master schema]# service ldap restart Stopping slapd: [FAILED] Checking configuration files for slapd: /etc/openldap/schema/att.schema: line 3 : AttributeType SYNTAX or SUPerior required: "1.3.6.1.4.1.4203.666.1.100.124" slaptest: bad configuration file! [FAILED] # New attribute definitions: attributetype ( 1.3.6.1.4.1.4203.666.1.100.124 ) NAME 'mailboxlocation' DESC 'RFC2798: Where the mails are located' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE attributetype ( 1.3.6.1.4.1.4203.666.1.100.125 ) NAME 'mailQuota' DESC 'RFC2798: User level Quota' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE attributetype ( 1.3.6.1.4.1.4203.666.1.100.125 NAME 'mailalternateaddress' SUP mail ) objectClass ( 1.3.6.1.4.1.4203.666.1.100 NAME 'YoLinuxPerson' DESC 'X-Person' SUP inetOrgPerson STRUCTURAL MAY ( mailboxlocation $ mailQuota $ birthdate ) )

2 1

Issue with Referral+pwdReset
by Anthony Porcano 25 Jun '08

25 Jun '08

I am having a problem that I am hoping the list can help with. When using the pwdReset attribute to force a password change the user receives the following error when trying to reset the password on SSH login: LDAP password information update failed: Can't contact LDAP server passwd: Permission denied This only occurs for clients using a slave to authenticate, and only when changing the password on login in combination with the pwdReset attribute. A non-forced password change works fine when a user runs the passwd command manually on one of the slave clients. So it seems referrals by themselves work OK. Forced password changes using the pwdReset attr also work for clients that use the master directly, so the issue is specific to slave-authentication+pwdReset+referral. The debug log on the master shows that it is being reached by the client, but slapd refused to perform the action: slapd[1079]: conn=1 op=1 BIND dn="uid=jschmo,ou=users,dc=example,dc=com" method=128 slapd[1079]: conn=1 op=1 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed The debug log on the slave shows the following error: slapd[11339]: conn=5 op=10 MOD dn="uid=jschmo,ou=users,dc=example,dc=com" slapd[11339]: conn=5 op=10 MOD attr=userPassword slapd[11339]: conn=5 op=10 RESULT tag=103 err=10 text= I've tried searching for information on this, but to date nothing I have found resolved the issue. One attempt involved setting an allow statement in the master slapd.conf for "bind_anon_dn". This did prevent the err=53, but produced another error: Jun 19 12:21:12 admin5-ash slapd[30555]: conn=4 op=2 RESULT tag=103 err=8 text=modifications require authentication The following applies to both master and slave servers: OpenLDAP: openldap-2.3.39-3.rhel5 (Buchan's Packages) OS: Centos 5.1 For the client I have tried the following configurations: OpenLDAP: openldap-2.2.13-8 (RH Stock) PAM_LDAP: nss_ldap-226-20 (RH Stock) OS: RHEL4.6 OpenLDAP version: openldap-2.3.39-3.rhel5 (Buchan's Packages) PAM_LDAP: nss_ldap-253-5.el5 (Centos Stock) OS: Centos 5.1 If any other information is needed let me know. Thanks to all. --AP

2 2

LDAP Update Script
by Aravind Arjunan 25 Jun '08

25 Jun '08

Dear all, I had configured openldap in RHEL 5 operating system in master slave. Its working fine and entries are also adding without any problem. But i need to add entries for 15000 users. So it is hard for me to add in ldap browser or in command line for these much users. So i need to know is there any script or utility is there to add all the users entries at a time like adding all the entries in text file and update it by a command. if it so plz tell me it will be very helpfull for me.

2 1

Need to configure openLDAP client to request authenication in LDAP version 2 format
by kenglund 24 Jun '08

24 Jun '08

Hello, I am installing a new version of our Zope/Plone software for hosting our web portal. The new software is using a product called PloneLDAP, which (I think) in turn requests authentication using openLDAP client. openLDAP is authenticating through our mail server, which wants bind requests in version 2 format. Modification of the mail server software to use version 3 authentication does not seem to be an option, as (according to my Tech guy) it is "really not LDAP", but has an "LDAP Like" interface. The interface requires the bind to look like this: ldapConnection, userid, password not in version 3 format, which looks like this: ldapConnection, uid="userid", password I have tried to force openLDAP client to perform bind requests using the "ldap_version 2" parameter in the /usr/local/etc/openldap/ldap.conf system-wide ldap configuration file, and also in a .ldaprc file stored in the Zope working directory. Neither seem to work. Can anyone tell me how to successfully configure openLDAP to send a version 2 bind request? Thanks! Ken

7 10

slapd replication (push based)
by Martin Simovic 24 Jun '08

24 Jun '08

Hi, I have the following setup LAN --- slapd 2.4.7 (master) --- DMZ ---slapd 2.3.30 (slave) I'm trying to achieve replication from master to slave. the firewall policy is LAN-->DMZ allow DMZ-->LAN reject this was actually very easy with slurpd (removed from 2.4) as the only need was to allow TCP traffic from master to slave with syncrepl it seems to me that no matter if I use push/pull method the client (slave) is the one that binds to the master (provider). this means that firewall rule that allows TCP traffic to LAN is needed - this is very ugly. is there a way to workaround this (or did i just misunderstand the whole problem) thanks, Martin.

3 2

Odd password reset issue
by Kevin Brammer 21 Jun '08

21 Jun '08

Running the OpenLDAP server bundled with RH ES3. I had OpenLDAP running successfully. I could authenticate, pull information from the directory - everything seemed great! After the 90 day password rule I had put in place, I got the "your password has expired" message. I tried to change it, said it was successful. A subsequent login received the same message. Again I changed it, and it said successful. Now, I can't even login. I changed my user's password as root using ldappasswd, and a check of the entry shows the hash changing accordingly. However, I still can't login as the user. Any ideas?

3 2

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2008