Re: ACL Help Please
by david stackis
Hi Andrew -
I unsubscribed from openldap-software(a)openldap.org, but subscribed again
today. I thought I had this ACL figured out.
I'm trying to have users be able to add entries and to access their own
address book. I think I have a pretty good start so far, but I'm having
difficulty adding entries that only authenticated users have access to. I
can add entries using "cn=root,dc=university,dc=edu" without any problems.
Right now I have two users, but I'm confused as to how I get entries into
their address book. Attached are both my init.ldif, and the slapd.conf I'm
using.
Any help is appreciated.
My init.ldif
#
# Initialize the suffix entry defined in slapd.conf
#
dn: dc=University,dc=edu
objectclass: top
objectclass: dcObject
objectclass: organization
dc: university
o: office

#
# Initialize the AddressBooks hierarchy
#
dn: ou=AddressBooks,dc=University,dc=edu
objectclass: top
objectclass: organizationalUnit
ou: AddressBooks

#
# Define individual address books
#
dn: o=me,ou=AddressBooks,dc=University,dc=edu
objectclass: top
objectclass: organization
o: me

dn: o=you,ou=AddressBooks,dc=University,dc=edu
objectclass: top
objectclass: organization
o: you

#
# Initialize the Users hierarchy
#
dn: ou=Users,dc=University,dc=edu
objectclass: top
objectclass: organizationalUnit
ou: Users

#
# Define individual users
#
dn: cn=me,ou=Users,dc=University,dc=edu
objectclass: top
objectclass: person
cn: me
sn: Person
userPassword: {crypt}XXXXXXX

dn: cn=you,ou=Users,dc=University,dc=edu
objectclass: top
objectclass: person
cn: you
sn: Lastname
userPassword: {crypt}XXXXXXX
My slapd.conf...
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
#
#
# Allow users to authenticate
access to attrs=userPassword
by self write
by anonymous auth
# Allow authenticated users access to their own address book
access to dn.regex="o=(.+),ou=AddressBooks,dc=University,dc=edu"
by users.expand="cn=$1,ou=Users,dc=University,dc=edu" write
# Allow authenticated users to read the resource to which
# they have access by logging in with an empty Bind DN
access to dn.base="ou=AddressBooks,dc=University,dc=edu" by * read
access to dn.base="" by * read
# Allow authenticated users to read the Subschema of the
# resources to which they have access
access to dn.base="cn=Subschema" by * read
# Disallow anonymous access (binds)
# With this policy in effect, unauthenticated users receive a response of
# Error 48: Inappropriate authentication
disallow bind_anon
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=University,dc=edu"
rootdn "cn=root,dc=University,dc=edu"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
Thanks
-------------------
david stackis
uc santa barbara
15 years, 4 months
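As an added example (not from the original post or the OpenLDAP project), here is how the address-book ACL above could be tightened in slapd.conf(5) syntax; it assumes the same tree (ou=AddressBooks and ou=Users under dc=University,dc=edu) and that each address book o=<name> belongs to the user cn=<name>.

```conf
# Added example, not the poster's config.  Assumes the tree from init.ldif
# above and that address book o=<name> is owned by user cn=<name>.

# Passwords: the owner may change it, an unauthenticated client may only use
# it to bind, and nobody else can read the hash (explicit "by * none").
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Each user may write their own address book entry AND everything beneath it.
# The pattern is anchored (^ ... $) so it cannot match elsewhere in the tree;
# "(.+,)?" optionally covers child entries, and "([^,]+)" captures the owner
# name as $2.  It is written in lowercase because dn.regex is compared against
# the normalized DN.  Write on the address book entry itself (its "children"
# pseudo-attribute) is what lets the owner ldapadd new contacts beneath it.
# Note the <who> form: dn.exact,expand, not users.expand.
access to dn.regex="^(.+,)?o=([^,]+),ou=addressbooks,dc=university,dc=edu$"
    by dn.exact,expand="cn=$2,ou=Users,dc=University,dc=edu" write
    by * none

# Only authenticated users ("users", not "*") may read the container, since
# "disallow bind_anon" alone does not stop unbound clients from searching.
access to dn.base="ou=AddressBooks,dc=University,dc=edu"
    by users read

# Root DSE and subschema stay world-readable so clients can discover the server.
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read

# Final catch-all: anything not matched above is denied (rootdn is exempt).
access to *
    by * none
```

Because entries are normalized before matching, the address book o=me is reachable by the bind DN cn=me,ou=Users,... but not by cn=you, and no rule grants write access to ou=Users itself, so users cannot create or alter accounts.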
id returns no such user
by Stelios A.
Hello,
I have 2 servers, one acts as master and the other as slave, syncing data
with a syncrepl user without a problem.
Suddenly, and after adding an index to slapd.conf (the problem is
probably somewhere else, but I am just mentioning the last thing that I did),
on the slave server where email is running I'm getting:
id: shipsec: No such user
whenever I try to see a user's details.
Then webmail, pop etc. are not working because the machine is not able to
resolve the users from LDAP.
However, the getent passwd command returns all users from LDAP as if they
were local, without a problem.
All users under /home show as 1700:users instead of username:users.
The problem is only on the slave: if I stop LDAP on the slave,
then everything works, as it uses the master for getting the IDs.
Any idea?
--
Stelios A
15 years, 4 months
Re: N-way multimaster
by Miguel Jinez
Yes, deletes are performed in one node
2008/7/25 Gavin Henry <ghenry(a)openldap.org>
> <quote who="Miguel Jinez">
> > Sorry, I made a mistake, changing words:
> > It should be like this:
> >
> > syncrepl rid=001
> > provider=ldap://10.100.130.164
> > type=refreshAndPersist
> > retry="5 5 300 +"
> > searchbase="dc=dominio"
> > attrs="*"
> > bindmethod=simple
> > binddn="cn=admin,dc=dominio"
> > credentials=secret
> >
> > syncrepl rid=002
> > provider=ldap://10.100.130.181
> > type=refreshAndPersist
> > retry="5 5 300 +"
> > searchbase="dc=dominio"
> > attrs="*"
> > bindmethod=simple
> > binddn="cn=admin,dc=dominio"
> > credentials=secret
> >
> > mirrormode TRUE
> >
> > In addition, when I add "schemachecking=on" synchronization doesn't work.
> >
> > With the configuration file that I have made, adds and updates work, but no
> > deletes
>
> Can you confirm deletes work on one node?
>
> --
> Kind Regards,
>
> Gavin Henry.
> OpenLDAP Engineering Team.
>
> E ghenry(a)OpenLDAP.org
>
> Community developed LDAP software.
>
> http://www.openldap.org/project/
>
15 years, 4 months
Re: N-way multimaster
by Miguel Jinez
Sorry, I made a mistake, changing words:
It should be like this:
syncrepl rid=001
provider=ldap://10.100.130.164
type=refreshAndPersist
retry="5 5 300 +"
searchbase="dc=dominio"
attrs="*"
bindmethod=simple
binddn="cn=admin,dc=dominio"
credentials=secret
syncrepl rid=002
provider=ldap://10.100.130.181
type=refreshAndPersist
retry="5 5 300 +"
searchbase="dc=dominio"
attrs="*"
bindmethod=simple
binddn="cn=admin,dc=dominio"
credentials=secret
mirrormode TRUE
In addition, when I add "schemachecking=on" synchronization doesn't work.
With the configuration file that I have made, adds and updates work, but no
deletes
2008/7/25 Gavin Henry <ghenry(a)openldap.org>
> Miguel Jinez wrote:
>
>> Hello, yes "dies" means shutdown
>> I have made some changes in my config file, but the problem is the same,
>> now I'm with openldap-2.4.11.
>> Here is my config file:
>> Master A
>> slapd.conf
>>
>> # Global Directives:
>> # Schema and objectClass definitions
>> include /etc/ldap/schema/core.schema
>> include /etc/ldap/schema/cosine.schema
>> include /etc/ldap/schema/nis.schema
>> include /etc/ldap/schema/inetorgperson.schema
>> include /etc/ldap/schema/samba.schema
>>
>> pidfile /var/run/slapd/slapd.pid
>> argsfile /var/run/slapd/slapd.args
>> loglevel 256
>> sizelimit 500
>> tool-threads 1
>>
>> backend bdb
>>
>> database bdb
>> suffix "dc=ar"
>>
>> overlay syncprov
>> syncprov-sessionlog 100
>> syncprov-nopresent TRUE
>> syncprov-reloadhint TRUE
>> syncprov-checkpoint 1 1
>> rootdn "cn=admin,dc=dominio"
>> rootpw secret
>>
>> directory "/usr/local/var/openldap-data"
>>
>> dbconfig set_cachesize 0 2097152 0
>>
>> dbconfig set_lk_max_objects 1500
>> dbconfig set_lk_max_locks 1500
>> dbconfig set_lk_max_lockers 1500
>>
>> index cn,sn,uid pres,sub,eq
>> index uidNumber,gidNumber eq
>> index sambaSID eq
>> index sambaPrimaryGroupSID eq
>> index sambaDomainName eq
>> index objectClass pres,eq
>>
>> lastmod on
>> access to attrs=userPassword,shadowLastChange
>> by dn="cn=admin,dc=ar" write
>> by anonymous auth
>> by self write
>> by * none
>> access to *
>> by dn="cn=admin,dc=ar" write
>> by * read
>>
>> access to *
>> by dn.base="cn=admin,dc=ar" read
>> by * break
>> serverID 3
>>
>> syncrepl rid=001
>> provider=ldap://10.100.130.164
>> type=refreshAndPersist
>> retry="5 5 300 +"
>> searchbase="dc=ar"
>> attrs="*"
>> bindmethod=simple
>> binddn="cn=admin,dc=ar"
>> credentials=osde
>>
>
> Are you searching for the right attributes here? Just use the defaults like
> in the docs:
>
> syncrepl rid=001
> provider=ldap://ldap-ridr1.example.com
> bindmethod=simple
> binddn="cn=mirrormode,dc=example,dc=com"
> credentials=mirrormode
> searchbase="dc=example,dc=com"
> schemachecking=on
> type=refreshAndPersist
> retry="60 +"
>
>
>
> --
> Kind Regards,
>
> Gavin Henry.
> OpenLDAP Engineering Team.
>
> E ghenry(a)OpenLDAP.org
>
> Community developed LDAP software.
>
> http://www.openldap.org/project/
>
15 years, 4 months
Re: openLDAP, DHCP and DNS
by Bjørn Ruberg
On Wed, 23 Jul 2008 07:56:44 -0700, "Lawrence Anthony"
<lanthony(a)postlogic.com> wrote:
> Is there any documentation that you can point me to that explains this
> to me? I need to make management understand.
Most primers and/or SSL/TLS howtos should cover this, as it is rather
essential for making certificates work. A Google search will help you :-)
And please post/quote correctly, i.e. stop top-posting. It breaks context
and readability. See http://www.greenend.org.uk/rjk/2000/06/14/quoting.html
for further information.
--
Bjørn
15 years, 4 months
Setting up syncrepl, replicated LDAP doesn't work
by John Oliver
On my working master server openldap-2.3.27-8 under CentOS 5, I added:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
On the slave server openldap-2.3.27-8.el5_2.4 under CentOS 5.2, I added:
syncrepl rid=123
provider=ldaps://primary-ldap-server:636
type=refreshOnly
interval=01:00:00:00
searchbase="dc=mydomain,dc=com"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=syncuser,dc=mydomain,dc=com"
credentials=mysecret
ldap started on the slave server OK, and /var/lib/ldap has all of the
database files. On that server, from the command line, I can:
[root@ldap2 ~]# ldapsearch -xLLL -b "dc=mydomain,dc=com" uid=joliver sn givenName cn
dn: uid=joliver,ou=People,dc=mydomain,dc=com
givenName: John
sn: Oliver
cn: John Oliver
But when I point another machine at that slave server, it won't
authenticate:
Jul 23 03:06:28 localhost login(pam_unix)[9475]: check pass; user unknown
Jul 23 03:06:28 localhost login(pam_unix)[9475]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jul 23 03:06:28 localhost login[9475]: pam_ldap: ldap_search_s No such object
Jul 23 03:06:30 localhost login[9475]: FAILED LOGIN 1 FROM (null) FOR joliver, Authentication failure
[root@localhost ~]# ldapsearch -H ldaps://ldap2.mydomain.com -b "dc=mydomain,dc=com" uid=joliver sn givenName cn
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[root@localhost ~]# ldapsearch -H ldap://ldap2.mydomain.com -b "dc=mydomain,dc=com" uid=joliver sn givenName cn
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
When using just ldap:// with ldapsearch, I don't know what password it's
asking for. My LDAP password doesn't work, the LDAP admin password
doesn't work, the local root password doesn't work...
Here's the odd thing. When I started setting this up, the machine
that's the primary (and working) LDAP server now was running fedora-ds.
I set up OpenLDAP on what is now the slave server, and it worked
perfectly. I slapcat'ed it, installed OpenLDAP on the primary server,
and slapadded the db. I never generated any certificates on it at all,
and it works perfectly. I just regenerated the cert on the slave
server, but no joy.
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
15 years, 4 months
mailHost
by Aravind Arjunan
hi,
I had configured OpenLDAP on the RHEL 5.1 operating system as master/slave for
replication.
It is working fine without any problem.
I had integrated OpenLDAP with my mail server.
The mail server is on RHEL 5.1 OS and I am using Postfix.
I have two mailbox servers in different locations and two mail servers.
Unique users exist on the different mail servers.
The problem is that when mail comes for a particular user it must go to the
respective mailbox server.
For that I need to mention a mailHost attribute in OpenLDAP.
As you all know, the mailHost attribute is for specifying the location of the
mailbox.
But in OpenLDAP's misc.schema the mailHost attribute exists.
When I add misc.schema in the slapd.conf file and then add the mailHost
attribute,
I am getting an error when restarting.
And I had downloaded the qmail.schema from Google and added that in the schema
directory as well as in slapd.conf.
Then I added the mailHost attribute.
But when I specify the mailHost attribute as the IP of my mailbox location, the
mail is being dropped, with the IP used as a name.
15 years, 4 months
Single master/multislave and passwords
by Bryan Payne
Our master is in Dallas. One slave is in Ohio. Our Ohio users bind to
their local server for speed's sake. This is obviously a problem if they
change their password. Is there a way to bind locally but, when it comes
to updating passwords, inform the master instead?
15 years, 4 months
Re: N-way multimaster
by Miguel Jinez
Hello, yes "dies" means shutdown
I have made some changes in my config file, but the problem is the same; now
I'm with openldap-2.4.11.
Here is my config file:
Master A
slapd.conf
# Global Directives:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
sizelimit 500
tool-threads 1
backend bdb
database bdb
suffix "dc=ar"
overlay syncprov
syncprov-sessionlog 100
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
syncprov-checkpoint 1 1
rootdn "cn=admin,dc=dominio"
rootpw secret
directory "/usr/local/var/openldap-data"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index cn,sn,uid pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass pres,eq
lastmod on
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=ar" write
by anonymous auth
by self write
by * none
access to *
by dn="cn=admin,dc=ar" write
by * read
access to *
by dn.base="cn=admin,dc=ar" read
by * break
serverID 3
syncrepl rid=001
provider=ldap://10.100.130.164
type=refreshAndPersist
retry="5 5 300 +"
searchbase="dc=ar"
attrs="*"
bindmethod=simple
binddn="cn=admin,dc=ar"
credentials=osde
syncrepl rid=002
provider=ldap://10.100.130.181
type=refreshAndPersist
retry="5 5 300 +"
searchbase="dc=ar"
attrs="*"
bindmethod=simple
binddn="cn=admin,dc=dominio"
credentials=secret
mirrormode TRUE
##Accesslog overlay
overlay accesslog
logdb "cn=accesslog"
logops writes
logold (objectclass=auditModify)
logoldattr reqOld
logold (objectclass=auditDelete)
logoldattr reqOld
logsuccess TRUE
logpurge 2+00:00 06:00
##AccessLog DB
database bdb
suffix cn=accesslog
rootdn "cn=accesslog"
directory "/usr/local/var/access"
index reqStart eq
index default eq
index entryUUID eq
index entryCSN eq
index objectClass,reqEnd,reqResult,reqDN,reqType
access to *
by dn="cn=admin,dc=dominio" read
database monitor
#*******
2008/7/23 Gavin Henry <ghenry(a)openldap.org>:
> Miguel Jinez wrote:
>
>> Hello, I have upgraded OpenLDAP to 2.4.10, and I can't fix that situation.
>> Does someone know what the problem is? Or is it really a bug?
>>
>>
> Hi,
>
> I'm replying to this thread instead of:
>
> (ITS#5617) N-way multimaster replication problem
>
> Can we see your complete config? Also, "dies", do you mean shutdown?
>
> --
> Kind Regards,
>
> Gavin Henry.
> OpenLDAP Engineering Team.
>
> E ghenry(a)OpenLDAP.org
>
> Community developed LDAP software.
>
> http://www.openldap.org/project/
>
15 years, 4 months
openLDAP, DHCP and DNS
by openLDAP
I would like to configure my openLDAP network using DHCP for my client
machines. Is it necessary to have DNS names for all my clients, e.g.
something.domain.com, for OpenLDAP to work properly or will it work as long
as my openldap servers have fully qualified domain names?
15 years, 4 months