Re: Client connect issues with OpenLDAP 2.3 on RHEL 4
by Gustavo Mendes de Carvalho
Hi Martin,
Upgrade your RHEL from 4 to 5; that will work. I faced exactly the same situation
earlier.
---
Gustavo Mendes de Carvalho
email: gmcarvalho(a)gmail.com
> Date: Mon, 21 Jul 2008 18:33:42 +0100
> From: "Martin Benson" <martin_benson1972(a)hotmail.com>
> Subject: Client connect issues with OpenLDAP 2.3 on RHEL 4
> To: <openldap-technical(a)openldap.org>
> Message-ID: <BLU120-DAV199BFEDE2D0B7E6F309718B8A0(a)phx.gbl>
> Content-Type: text/plain; charset="us-ascii"
>
> I have a Red Hat Enterprise Linux v4.4 installation that runs OpenLDAP 2.2
> using the provided Red Hat RPMs. I want to upgrade this to OpenLDAP 2.3
> and
> have created an LDAP server using the packages from
>
>
> Thanks Martin
15 years, 4 months
password changing problems
by Ron Echeverri
I've set up OpenLDAP 2.4.10 and have been using phpldapadmin for user
management. The machines in our QA environment are set up to allow LDAP
users to log in, and they are also able to change their password via the
passwd command. However, they are only able to do this once; if they
attempt it again, it bounces back with "LDAP Password incorrect: try
again". They are able to log out and in regardless, but passwd will not
accept their password in order to change it. If the user's password is
reset in phpldapadmin, again they are able to change the password once,
and no more. There is no password policy configured in slapd; should
there be?
I have loglevel set to 296, but I'm not sure what to look for.
thanks
rone
15 years, 4 months
Automatically create home directory uppon Email login
by Stelios A.
Hello all,
I've migrated an old Sun Directory Server to OpenLDAP (version 2.4.9 on
Ubuntu 8.04 server) and set up a master/slave with syncrepl for data
replication between 2 servers.
The 1st server holds the master LDAP and the second the slave along with the
email server (Sendmail + Dovecot).
The email server of course requires a home directory with an mbox file etc.
Is there a way to avoid creating each user's home directory and setting up
his/her permissions?
There are 980 users in the base DC and I'm trying to figure out a way to
avoid creating all these directories along with chmod manually.
I've already set up PAM to auto-create the home directory upon user login,
but the problem is that only 5 users will have access via ssh.
Any ideas?
Thanks a lot
15 years, 4 months
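The post asks for a way to create 980 home directories with the right permissions without logging every user in. The script below is an added example, not code from the post, and does in bulk what a PAM auto-create module does at login: it reads passwd-style lines (what `getent passwd` returns once nss_ldap resolves LDAP users, or a conversion of uidNumber/gidNumber/homeDirectory from an ldapsearch), creates each missing home directory with mode 0700, and chowns it to the user when run as root. The sample users, their `/home` paths and the `create_home_dirs` name are constructed for the example; the first argument is a prefix added to every path so the run can be rehearsed in a scratch directory before touching the real filesystem.

```shell
#!/bin/sh
# Bulk-create home directories for LDAP users (added example, not from the post).
# Input on stdin: passwd(5)-style lines "user:x:uid:gid:gecos:home:shell".
# $1 is a prefix prepended to every home path ("" for the real filesystem).
# Ownership is only set when running as root; otherwise the chown that is
# still needed is printed on stderr. Prints the number of directories created.

# Constructed sample users for a dry run; replace with real data, e.g.
#   getent passwd | create_home_dirs ""
SAMPLE_USERS='alice:x:10001:10001:Alice:/home/alice:/bin/sh
bob:x:10002:10001:Bob:/home/bob:/bin/sh
carol:x:10003:10001:Carol:/home/carol:/bin/false'

create_home_dirs() {
    prefix=$1
    created=0
    while IFS=: read -r user _ uid gid _ home _; do
        # skip blank lines and system accounts (uid below 1000)
        [ -z "$user" ] && continue
        [ "$uid" -lt 1000 ] && continue
        dir="$prefix$home"
        # idempotent: an existing directory is left untouched
        if [ -d "$dir" ]; then
            continue
        fi
        mkdir -p "$dir" || return 1
        chmod 0700 "$dir"
        if [ "$(id -u)" -eq 0 ]; then
            chown "$uid:$gid" "$dir"
        else
            echo "not root: still need: chown $uid:$gid $dir" >&2
        fi
        created=$((created + 1))
    done
    echo "$created"
}

# Rehearsal in a scratch directory:
#   count=$(printf '%s\n' "$SAMPLE_USERS" | create_home_dirs /tmp/home-rehearsal)
```

Running it twice is safe: directories that already exist are skipped, so it can be re-run after new users are added to the directory. Mail storage inside the home directory (the mbox the post mentions) is left to the mail server, which creates it on first delivery.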
Client connect issues with OpenLDAP 2.3 on RHEL 4
by Martin Benson
I have a Red Hat Enterprise Linux v4.4 installation that runs OpenLDAP 2.2
using the provided Red Hat RPMs. I want to upgrade this to OpenLDAP 2.3 and
have created an LDAP server using the packages from
http://staff.telkomsa.net/packages/rhel4/openldap/i386 . The problem I have
is that I cannot get a client to attach or query the server. I have
installed the openldap2.3-clients and openldap2.3 packages and the server
with logging enabled does not even show a connection. I suspect it is a
problem with the nss_ldap package that comes bundled with RHEL 4.4.
I cannot compile the software on my system as it is a partial install for
clients of ours and does not get delivered with compiler software.
Does anyone know of an updated rpm for nss_ldap to be compatible with
openldap2.3 and RHEL 4?
Has anyone done the install and written an install guide?
Thanks Martin
15 years, 4 months
Reg: Design of openldap
by Chakri
Hi,
I'm a newbie to this LDAP world. But I have been spending so much time to
understand the design of openldap-2.3.39. I wanted to understand the process
flow during the functioning of slapd. Can someone tell me where I can get
the design documents of OpenLDAP.... please help...
15 years, 4 months
memberOf search ACLs
by Andrew Bartlett
I've recently been trying to lock down Samba4's default ACLs, in its
generated LDAP backend configuration.
I have memberOf configured to 'error' on dangling links, which I need
for Samba.
But I seem to be having some trouble with ACLs. I've attached my full
config file, but the key part is:
access to dn.base=""
    by dn=cn=samba-admin,cn=samba manage
    by anonymous read
    by * read
access to dn.subtree="cn=samba"
    by anonymous auth
access to dn.subtree="${DOMAINDN}"
    by dn=cn=samba-admin,cn=samba manage
    by * none
If I change the last line to 'by * read', then the error is returned,
but otherwise (due apparently to "" being unable to read the entry to
validate its existence).
Shouldn't the search operations happen as the rootdn or memberof-dn, or
am I missing some other configuration element here?
In trying to fix this, I looked at what seemed to be typos in
memberof.c, the patch of which I attach, but this didn't help.
Any thoughts?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
15 years, 4 months
Re: BDB selection, et al.
by William Jojo
---- Original message ----
>Date: Sat, 19 Jul 2008 04:33:46 -0700
>From: Howard Chu <hyc(a)symas.com>
>Subject: Re: BDB selection, et al.
>To: Quanah Gibson-Mount <quanah(a)zimbra.com>
>Cc: William Jojo <jojowil(a)hvcc.edu>,openldap-technical(a)openldap.org
>
>Quanah Gibson-Mount wrote:
>> --On Friday, July 18, 2008 9:11 PM -0400 William Jojo<jojowil(a)hvcc.edu>
>> wrote:
>
>>> I have noticed that the Symas packages use BDB 4.2 (with 2.3.42) as does
>>> Ubuntu with 2.4.9+. I was wondering what the preference is over 4.4
>>> (which I use) and 4.[67].
>>
>> 4.2.52 + patches has the longest history of being solid.
>>
>> 4.3 was a disaster
>>
>> 4.4 was likely okay
>>
>> 4.5 was likely okay
>>
>> 4.6 also seems okay, and has some useful improvements
>>
>> 4.7 is not yet supported, but will be in a future release, and has
>> additional useful improvements over 4.6.
>
>4.7 can be made to work, if you're willing to tweak things a bit. The memory
>manager in 4.6 is much improved over earlier versions; the memory manager in
>4.7 is slightly better still. The lock manager in 4.7 is more efficient in
>multi-core systems than in previous versions.
>
Do you, Howard, consider BDB 4.4 stable? I originally worked on 4.2 for initial rollout some years ago. Admittedly, I have no problems at present with 4.4, and I could be convinced to step backward if there is a compelling reason to do so.
>>> I ask because I build OpenLDAP (among other things) for AIX 5.2/5.3/6.1
>>> at (shameless plug) http://pware.hvcc.edu/ and I was considering moving
>>> to 2.4.10 with BDB 4.6, but now I am not certain where to go for a few
>>> reasons:
>>>
>>> * Why the choice to stay with BDB 4.2?
>>
>> Proven track record over later releases (4.4, 4.5) for stability and
>> performance.
>>
>>> * And OpenSSL 0.9.7l (over the 0.9.8 series)?
>>
>> I use OpenSSL 0.9.8 in my builds and have for ages.
>
>The Symas OpenLDAP 2.4 packages also use OpenSSL 0.9.8. However, the OpenSSL
>build system changed, making it more difficult to complete the Windows build.
>That's one of the reasons we stayed with 0.9.7 for so long in our OpenLDAP 2.3
>packages.
>>
>>> * 2.3.39 has been *stable* since 11/2007 and I have not moved from that
>>> point within the software suite offered. Is a later version of 2.3 going
>>> to be marked stable (like 2.3.42.1 is in the Symas product).
>>
>> Not likely.
>
>True, no further 2.3.x release will be marked Stable.
>
>> Stable is really a fairly meaningless term.
>
>False. At the time that a release was marked stable, it was considered the
>most stable release. I.e., after sufficient amount of time in release, no
>major issues were discovered.
>
>> Assigning meaning
>> to it as a guideline as to what version to build is a very bad idea.
>> There's a major DoS vulnerability in 2.3.39, for example, that was fixed in
>> 2.3.43 and 2.4.11.
>
>It's important to note that the Stable marker only changes if there's a new
>release that we consider stable. The subsequent discovery of bugs in a Stable
>release won't trigger the removal of that marker. So 2.3.39 is still marked
>Stable, even though important bug fixes are in 2.3.43, because those bugs were
>discovered long after 2.3.39 was released.
>
So, I guess I will stay where I am in production and prepare for a 2.4 upgrade at some soon time after I finish my testing in 2.4 and when a stable release is announced.
>In the meantime, when moving the Stable marker, the Project's practice has
>been that it can only be moved to the Current release stream, which is 2.4.
>But we haven't yet seen a 2.4 release remain long enough in public use without
>new issues quickly being discovered. So there is not yet a new Stable release.
>
>>> * 2.4.x seems stable enough to me and certainly to Ubuntu x86[_64], but I
>>> would like some other indication that I should make the leap before I
>>> begin to change dependencies to several of the products I produce. Is
>>> 2.4.x going to be marked stable in the near future?
>
>> Hopefully. Note that stable does not remotely mean bug free (or relatively
>> low in bug count). It simply means stable as far as core (i.e., not new)
>> functionality is concerned.
>
>No. It means low bug count as of a particular point in time, e.g., within a
>couple weeks after the release.
>
>And as I recall, we need to get to a feature freeze in the core code first. I
>think 2.4 is just about at this point now.
>
Superb. Thank you very much, Quanah and Howard. It has been a very enlightening discussion.
Cheers,
Bill
>--
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
15 years, 4 months
Please help me with ppolicy pwdReset
by Scott Classen
Hi All,
this is my default ppolicy:
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: top
objectClass: device
pwdAttribute: userPassword
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdAllowUserChange: TRUE
cn: default
pwdSafeModify: FALSE
pwdExpireWarning: 0
pwdInHistory: 1
pwdMinLength: 7
pwdGraceAuthNLimit: 1
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 63072000
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdMinAge: 0
Here is an example of a user with their pwdReset attribute set to
TRUE. I've only included the relevant lines:
dn: uid=newguy,ou=People,dc=example,dc=com
pwdChangedTime: 20080718234642Z
pwdReset: TRUE
pwdPolicySubentry: cn=default,ou=Policies,dc=example,dc=com
Shouldn't this user be requested to change their password the next
time they log in?
Well, they're not. Logins are successful and there is no prompting for a
new password.
Can someone please help me troubleshoot this?
Thanks,
Scott
15 years, 4 months
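The attributes in the post describe a small state machine that the ppolicy overlay evaluates at every bind. The script below is an added example, not code from the post or from the OpenLDAP project: it parses the two LDIF fragments shown above and reports what slapd would conclude for a given time, covering pwdReset, expiry from pwdChangedTime plus pwdMaxAge, remaining grace binds, and lockout. The `parse_ldif`, `evaluate` and related names are the example's own; the attribute semantics follow the password policy draft the overlay implements. One check the script makes visible: for an entry with pwdReset TRUE the server-side decision is "must change", which slapd conveys through the password policy response control and by refusing operations other than a password modify until the change happens; whether the user actually sees a prompt depends on the client (pam_ldap, here) understanding that control.

```python
"""Work out the slapo-ppolicy state of an entry from its LDIF.

Added example, not code from the post or from the OpenLDAP project. It
reads the policy and user entries shown in the post and mirrors the checks
the ppolicy overlay performs at bind time: pwdReset, password age against
pwdMaxAge, grace binds, and lockout.
"""
from datetime import datetime, timedelta, timezone

# LDIF copied from the post (policy, and the relevant lines of the user).
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: top
objectClass: device
pwdAttribute: userPassword
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdAllowUserChange: TRUE
cn: default
pwdSafeModify: FALSE
pwdExpireWarning: 0
pwdInHistory: 1
pwdMinLength: 7
pwdGraceAuthNLimit: 1
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 63072000
pwdCheckQuality: 2
pwdMustChange: TRUE
pwdMinAge: 0
"""

USER_LDIF = """\
dn: uid=newguy,ou=People,dc=example,dc=com
pwdChangedTime: 20080718234642Z
pwdReset: TRUE
pwdPolicySubentry: cn=default,ou=Policies,dc=example,dc=com
"""

PERMANENT_LOCK = "000001010000Z"  # value ppolicy stores for an indefinite lock


def parse_ldif(text):
    """Minimal single-entry LDIF parser: 'attr: value' lines only (no line
    folding or base64 values). Returns attr -> list of values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def gtime(value):
    """Parse a GeneralizedTime value such as 20080718234642Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def first_int(entry, attr, default=0):
    return int(entry.get(attr, [str(default)])[0])


def evaluate(user, policy, now):
    """Return the decisions slapd would make for a bind by 'user' at 'now'."""
    reset = user.get("pwdReset", ["FALSE"])[0].upper() == "TRUE"

    # Expiry: pwdMaxAge 0 disables it; otherwise measure from pwdChangedTime.
    max_age = first_int(policy, "pwdMaxAge")
    expired = False
    if max_age > 0 and "pwdChangedTime" in user:
        expires_at = gtime(user["pwdChangedTime"][0]) + timedelta(seconds=max_age)
        expired = now >= expires_at

    # Grace binds: pwdGraceAuthNLimit minus the pwdGraceUseTime values recorded.
    grace_left = max(0, first_int(policy, "pwdGraceAuthNLimit")
                     - len(user.get("pwdGraceUseTime", [])))

    # Lockout: pwdAccountLockedTime, released after pwdLockoutDuration (0 = never).
    locked = False
    if (policy.get("pwdLockout", ["FALSE"])[0].upper() == "TRUE"
            and "pwdAccountLockedTime" in user):
        locked_at = user["pwdAccountLockedTime"][0]
        duration = first_int(policy, "pwdLockoutDuration")
        if locked_at == PERMANENT_LOCK or duration == 0:
            locked = True
        else:
            locked = now < gtime(locked_at) + timedelta(seconds=duration)

    bind_allowed = not locked and (not expired or grace_left > 0)
    return {
        "locked": locked,
        "expired": expired,
        "grace_left": grace_left,
        "bind_allowed": bind_allowed,
        # With pwdReset or an expired password slapd accepts the bind but
        # restricts the session to a password modify until the change is made.
        "must_change": bind_allowed and (reset or expired),
    }


if __name__ == "__main__":
    state = evaluate(parse_ldif(USER_LDIF), parse_ldif(POLICY_LDIF),
                     datetime(2008, 7, 20, tzinfo=timezone.utc))
    for key, value in state.items():
        print(f"{key}: {value}")
```

Run as-is it evaluates the post's user two days after the reset and reports must_change True with the bind still allowed; moving the clock past pwdChangedTime + pwdMaxAge (730 days) shows the single grace bind the policy grants before binds are refused outright.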
RES: ppolicy woes
by Gustavo Mendes de Carvalho
Hi Bob,
Some months ago I had a similar problem trying to use Password Policy. I was
using RHAS4 Up6, and my client machines were using RHES4 Up2, and for some
unknown reason, no matter what configuration I did, client machines did not
recognize ppolicy arguments sent from the LDAP server.
I just solved this situation by doing an upgrade on the client machines, from Up2
to Up5. After this upgrade, everything was OK.
Did you try this client configuration in some other Linux distribution?
---
Gustavo Mendes de Carvalho
email: gmcarvalho(a)gmail.com
15 years, 4 months
BDB selection, et al.
by William Jojo
I have noticed that the Symas packages use BDB 4.2 (with 2.3.42) as does Ubuntu with 2.4.9+. I was wondering what the preference is over 4.4 (which I use) and 4.[67].
I ask because I build OpenLDAP (among other things) for AIX 5.2/5.3/6.1 at (shameless plug) http://pware.hvcc.edu/ and I was considering moving to 2.4.10 with BDB 4.6, but now I am not certain where to go for a few reasons:
* Why the choice to stay with BDB 4.2?
* And OpenSSL 0.9.7l (over the 0.9.8 series)?
* 2.3.39 has been *stable* since 11/2007 and I have not moved from that point within the software suite offered. Is a later version of 2.3 going to be marked stable (like 2.3.42.1 is in the Symas product).
* 2.4.x seems stable enough to me and certainly to Ubuntu x86[_64], but I would like some other indication that I should make the leap before I begin to change dependencies to several of the products I produce. Is 2.4.x going to be marked stable in the near future?
I appreciate all of the work of the OpenLDAP team and the community. I welcome any suggestions to help me make the right decision.
In the meantime, my own production servers remain at 2.3.39-stable, but I can be persuaded to upgrade. :-)
Cheers,
Bill
15 years, 4 months