openldap-technical July 2008

openldap-technical@openldap.org

67 participants
78 discussions

Re: ACL Help Please
by david stackis 28 Jul '08

28 Jul '08

Hi Andrew - I unsubscribe to the openldap-software(a)openldap.org, but subscribe again today. I thought I had this ACL figured out. I'm trying to have users be able to add entries and to access their own address book. I think I have a pretty good start so far, but I'm having difficulty adding entries that only authenticated users have access to. I can add entries using "cn=root,dc=university,dc=edu" without any problems. Right now I have two users, but I'm confused as to how I get entries into their address book. Attached are both my init.ldif, and the slapd.conf I'm using. Any help is appreciated. My init.ldif # # Initialize the suffix entry defined in slapd.conf # dn: dc=University,dc=edu objectclass: top objectclass: dcObject objectclass: organization dc: university o: office # # Initialize the AddressBooks heirarchy # dn: ou=AddressBooks,dc=University,dc=edu objectclass: top objectclass: organizationalUnit ou: AddressBooks # # Define individual address books # dn: o=me,ou=AddressBooks,dc=University,dc=edu objectclass: top objectclass: organization o: me dn: o=you,ou=AddressBooks,dc=University,dc=edu objectclass: top objectclass: organization o: you # # Initialize the Users heirarchy # dn: ou=Users,dc=University,dc=edu objectclass: top objectclass: organizationalUnit ou: Users # # Define individual users # dn: cn=me,ou=Users,dc=University,dc=edu objectclass: top objectclass: person cn: me sn: Person userPassword: {crypt}XXXXXXX dn: cn=you,ou=Users,dc=University,dc=edu objectclass: top objectclass: person cn: you sn: Lastname userPassword: {crypt}XXXXXXX My slapd.conf... # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args # Load dynamic backend modules: # modulepath /usr/local/libexec/openldap # moduleload back_bdb.la # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la # Sample security restrictions # Require integrity protection (prevent hijacking) # Require 112-bit (3DES or better) encryption for updates # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: # # # Allow users to authenticate access to attrs=userPassword by self write by anonymous auth # Allow authenticated users access to their own address book access to dn.regex="o=(.+),ou=AddressBooks,dc=University,dc=edu" by users.expand="cn=$1,ou=Users,dc=University,dc=edu" write # Allow authenticated users to read the resource to which # they have access by logging in with an empty Bind DN access to dn.base="ou=AddressBooks,dc=University,dc=edu" by * read access to dn.base="" by * read # Allow authenticated users to read the Subschema of the # resources to which they have access access to dn.base="cn=Subschema" by * read # Disallow anonymous access (binds) # With this policy in effect, unathenticated users receive a response of # Error 48: Inappropiate authentication disallow bind_anon # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=University,dc=edu" rootdn "cn=root,dc=University,dc=edu" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data # Indices to maintain index objectClass eq Thanks ------------------- david stackis uc santa barbara

1 0

id returns no such user
by Stelios A. 28 Jul '08

28 Jul '08

Hello, I have 2 servers, one act as master and other as slave syncing data with syncrepl user without a problem. Suddenly and after adding an index to the slapd.conf (the problem is probably somewhere else but just mentioning the last thing that I did) on the slave server where email is running I'm getting a: id: shipsec: No such user wherever I'm trying to see a users details. Then webmail, pop etc are not working because machine is not able to resolve the users from ldap. Howver, the getent passwd command return with all users from ldap like been local without a problem. All users under /home are like 1700:users insteed of username:users. The problem is only at the slave as If I stop the ldap on the slave then everything works as it use the master for getting the ids. Any idea? -- Stelios A

3 2

Re: N-way multimaster
by Miguel Jinez 25 Jul '08

25 Jul '08

Yes, deletes are performed in one node 2008/7/25 Gavin Henry <ghenry(a)openldap.org> > <quote who="Miguel Jinez"> > > Sorry I have a mistake, changing words: > > It should be like this: > > > > syncrepl rid=001 > > provider=ldap://10.100.130.164 > > type=refreshAndPersist > > retry="5 5 300 +" > > searchbase="dc=dominio" > > attrs="*" > > bindmethod=simple > > binddn="cn=admin,dc=dominio" > > credentials=secret > > > > syncrepl rid=002 > > provider=ldap://10.100.130.181 > > type=refreshAndPersist > > retry="5 5 300 +" > > searchbase="dc=dominio" > > attrs="*" > > bindmethod=simple > > binddn="cn=admin,dc=dominio" > > credentials=secret > > > > mirrormode TRUE > > > > In addition when I add "schemachecking=on" syncrinization doesn't works. > > > > With the configurations file that I have made, works adds, updates, but > no > > deletes > > Can you confirm deletes work on one node? > > -- > Kind Regards, > > Gavin Henry. > OpenLDAP Engineering Team. > > E ghenry(a)OpenLDAP.org > > Community developed LDAP software. > > http://www.openldap.org/project/ >

1 0

Re: N-way multimaster
by Miguel Jinez 25 Jul '08

25 Jul '08

Sorry I have a mistake, changing words: It should be like this: syncrepl rid=001 provider=ldap://10.100.130.164 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=dominio" attrs="*" bindmethod=simple binddn="cn=admin,dc=dominio" credentials=secret syncrepl rid=002 provider=ldap://10.100.130.181 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=dominio" attrs="*" bindmethod=simple binddn="cn=admin,dc=dominio" credentials=secret mirrormode TRUE In addition when I add "schemachecking=on" syncrinization doesn't works. With the configurations file that I have made, works adds, updates, but no deletes 2008/7/25 Gavin Henry <ghenry(a)openldap.org> > Miguel Jinez wrote: > >> Hello, yes "dies" means shutdown >> I have made some changes in my config file, but the problem is the same, >> now I'm with openladap-2.4.11. >> Here my config file: >> Master A >> slapd.conf >> >> # Global Directives: >> # Schema and objectClass definitions >> include /etc/ldap/schema/core.schema >> include /etc/ldap/schema/cosine.schema >> include /etc/ldap/schema/nis.schema >> include /etc/ldap/schema/inetorgperson.schema >> include /etc/ldap/schema/samba.schema >> >> pidfile /var/run/slapd/slapd.pid >> argsfile /var/run/slapd/slapd.args >> loglevel 256 >> sizelimit 500 >> tool-threads 1 >> >> backend bdb >> >> database bdb >> suffix "dc=ar" >> >> overlay syncprov >> syncprov-sessionlog 100 >> syncprov-nopresent TRUE >> syncprov-reloadhint TRUE >> syncprov-checkpoint 1 1 >> rootdn "cn=admin,dc=dominio" >> rootpw secret >> >> directory "/usr/local/var/openldap-data" >> >> dbconfig set_cachesize 0 2097152 0 >> >> dbconfig set_lk_max_objects 1500 >> dbconfig set_lk_max_locks 1500 >> dbconfig set_lk_max_lockers 1500 >> >> index cn,sn,uid pres,sub,eq >> index uidNumber,gidNumber eq >> index sambaSID eq >> index sambaPrimaryGroupSID eq >> index sambaDomainName eq >> index objectClass pres,eq >> >> lastmod on >> access to attrs=userPassword,shadowLastChange >> by dn="cn=admin,dc=ar" write >> by anonymous auth >> by self write >> by * none >> access to * >> by dn="cn=admin,dc=ar" write >> by * read >> >> access to * >> by dn.base="cn=admin,dc=ar" read >> by * break >> serverID 3 >> >> syncrepl rid=001 >> provider=ldap://10.100.130.164 <http://10.100.130.164> >> type=refreshAndPersist >> retry="5 5 300 +" >> searchbase="dc=ar" >> attrs="*" >> bindmethod=simple >> binddn="cn=admin,dc=ar" >> credentials=osde >> > > Are you searching for the right attributes here? Just use the defaults like > in the docs: > > syncrepl rid=001 > provider=ldap://ldap-ridr1.example.com > bindmethod=simple > binddn="cn=mirrormode,dc=example,dc=com" > credentials=mirrormode > searchbase="dc=example,dc=com" > schemachecking=on > type=refreshAndPersist > retry="60 +" > > > > -- > Kind Regards, > > Gavin Henry. > OpenLDAP Engineering Team. > > E ghenry(a)OpenLDAP.org > > Community developed LDAP software. > > http://www.openldap.org/project/ >

1 0

Re: openLDAP, DCHP and DNS
by Bjørn Ruberg 25 Jul '08

25 Jul '08

On Wed, 23 Jul 2008 07:56:44 -0700, "Lawrence Anthony" <lanthony(a)postlogic.com> wrote: > Is there any documentation that you can point me too that explains this to > me? I need to make management understand. Most primers and/or SSL/TLS howtos should cover this, as it is rather essential for making certificates work. A Google search will help you :-) And please post/quote correctly, i.e. stop top-posting. It breaks context and readability. See http://www.greenend.org.uk/rjk/2000/06/14/quoting.html for further information. -- Bjørn

1 0

Setting up syncrepl, replicated LDAP doesn't work
by John Oliver 25 Jul '08

25 Jul '08

On my working master server openldap-2.3.27-8 under CentOS 5, I added: overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 On the slave server openldap-2.3.27-8.el5_2.4 under CentOS 5.2, I added: syncrepl rid=123 provider=ldaps://primary-ldap-server:636 type=refreshOnly interval=01:00:00:00 searchbase="dc=mydomain,dc=com" filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off bindmethod=simple binddn="cn=syncuser,dc=mydomain,dc=com" credentials=mysecret ldap started on the slave server OK, and /var/lib/ldap has all of the database files. On that server, from the command line, I can: [root@ldap2 ~]# ldapsearch -xLLL -b "dc=mydomain,dc=com" uid=joliver sn givenName cn dn: uid=joliver,ou=People,dc=mydomain,dc=com givenName: John sn: Oliver cn: John Oliver But when I point another machine at that slave server, it won't authenticate: Jul 23 03:06:28 localhost login(pam_unix)[9475]: check pass; user unknown Jul 23 03:06:28 localhost login(pam_unix)[9475]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= Jul 23 03:06:28 localhost login[9475]: pam_ldap: ldap_search_s No such object Jul 23 03:06:30 localhost login[9475]: FAILED LOGIN 1 FROM (null) FOR joliver, Authentication failure [root@localhost ~]# ldapsearch -H ldaps://ldap2.mydomain.com -b "dc=mydomain,dc=com" uid=joliver sn givenName cn ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed [root@localhost ~]# ldapsearch -H ldap://ldap2.mydomain.com -b "dc=mydomain,dc=com" uid=joliver sn givenName cn SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database When using just ldap:// with ldapsearch, I don't know what password it's asking for. My LDAP password doesn't work, the LDAP admin password doesn't work, the local root password doesn't work... Here's the odd thing. When I started setting this up, the machine that's the primary (and working) LDAP server now was running fedora-ds. I set up OpenLDAP on what is now the slave server, and it worked perfectly. I slapcat'ed it, installed OpenLDAP on the primary server, and slapadded the db. I never generated any certificates on it at all, and it works perfectly. I just regenerated the cert on the slave server, but no joy. -- *********************************************************************** * John Oliver http://www.john-oliver.net/ * * * ***********************************************************************

2 1

mailHost
by Aravind Arjunan 24 Jul '08

24 Jul '08

hi, i had configured openldap in RHEL 5.1 operating system as master/slave for replication. It is working fine without any problem I had integrated openldap with my mailserver. mail server is in RHEL 5.1 OS and am using postfix. I have two mail box server in different location and two mail servers. unique users are existing in different mail servers The problem is when mail comes for a particular user it must go the respective mail box server. For that i need to mention in openldap a mailHost attribute. as you all know mailHost attribute is for specifying the location of mailbox. But in openldap misc.schema mailHoat attribute exits. When i add the misc.schema in slapd.conf file and if i add the mailHost attribute am getting error when i was restarting. And i had downloaded the qmail.schema from google and added that in schema directory as well as in slapd.conf Then i added the mailHost attribute. But when i specify the mailHost attribute as IP of my mailbox location, the mail is dropping by creating the IP as name.

2 1

Single master/multislave and passwords
by Bryan Payne 23 Jul '08

23 Jul '08

Our master is in dallas. One slave is in ohio. Our ohio users bind to their local server for speed's sake. This is obviously a problem if they change their password. Is there a way to bind locally but when it comes to updating passwords, it inform the master instead?

2 1

Re: N-way multimaster
by Miguel Jinez 23 Jul '08

23 Jul '08

Hello, yes "dies" means shutdown I have made some changes in my config file, but the problem is the same, now I'm with openladap-2.4.11. Here my config file: Master A slapd.conf # Global Directives: # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 256 sizelimit 500 tool-threads 1 backend bdb database bdb suffix "dc=ar" overlay syncprov syncprov-sessionlog 100 syncprov-nopresent TRUE syncprov-reloadhint TRUE syncprov-checkpoint 1 1 rootdn "cn=admin,dc=dominio" rootpw secret directory "/usr/local/var/openldap-data" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index cn,sn,uid pres,sub,eq index uidNumber,gidNumber eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index objectClass pres,eq lastmod on access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=ar" write by anonymous auth by self write by * none access to * by dn="cn=admin,dc=ar" write by * read access to * by dn.base="cn=admin,dc=ar" read by * break serverID 3 syncrepl rid=001 provider=ldap://10.100.130.164 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=ar" attrs="*" bindmethod=simple binddn="cn=admin,dc=ar" credentials=osde syncrepl rid=002 provider=ldap://10.100.130.181 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=ar" attrs="*" bindmethod=simple binddn="cn=admin,dc=dominio" credentials=secret mirrormode TRUE ##Accesslog overlay overlay accesslog logdb "cn=accesslog" logops writes logold (objectclass=auditModify) logoldattr reqOld logold (objectclass=auditDelete) logoldattr reqOld logsuccess TRUE logpurge 2+00:00 06:00 ##AccessLog DB database bdb suffix cn=accesslog rootdn "cn=accesslog" directory "/usr/local/var/access" index reqStart eq index default eq index entryUUID eq index entryCSN eq index objectClass,reqEnd,reqResult,reqDN,reqType access to * by dn="cn=admin,dc=dominio" read database monitor #******* 2008/7/23 Gavin Henry <ghenry(a)openldap.org>: > Miguel Jinez wrote: > >> Hello, I have upgrated openLDAP to 2.4.10, and I can t fix that situation >> Someone know what is the problem? or really is a bug? >> >> > Hi, > > I'm replying to this thread instead of: > > (ITS#5617) N-way multimaster replication problem > > Can we see your complete config? Also, "dies", do you mean shutdown? > > -- > Kind Regards, > > Gavin Henry. > OpenLDAP Engineering Team. > > E ghenry(a)OpenLDAP.org > > Community developed LDAP software. > > http://www.openldap.org/project/ >

1 0

openLDAP, DCHP and DNS
by openLDAP 23 Jul '08

23 Jul '08

I would like to configure my openLDAP network using DHCP for my client machines. Is it necessary to have DNS names for all my clients, e.g. something.domain.com, for OpenLDAP to work properly or will it work as long as my openldap servers have fully qualified domain names?

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2008