openldap-technical July 2008

openldap-technical@openldap.org

67 participants
78 discussions

Re: Client connect issues with OpenLDAP 2.3 on RHEL 4
by Gustavo Mendes de Carvalho 22 Jul '08

22 Jul '08

Hi Martin, Upgrade your RHEL from 4 to 5 that will work. I faced exactly same situation earlier. --- Gustavo Mendes de Carvalho email: gmcarvalho(a)gmail.com > Date: Mon, 21 Jul 2008 18:33:42 +0100 > From: "Martin Benson" <martin_benson1972(a)hotmail.com> > Subject: Client connect issues with OpenLDAP 2.3 on RHEL 4 > To: <openldap-technical(a)openldap.org> > Message-ID: <BLU120-DAV199BFEDE2D0B7E6F309718B8A0(a)phx.gbl> > Content-Type: text/plain; charset="us-ascii" > > I have a Red Hat Enterprise Linux v4.4 installation that runs OpenLDAP 2.2 > using the provided Red Hat rpm's. I want to upgrade this to OpenLDAP 2.3 and > have created an LDAP server using the packages from > > > Thanks Martin

1 0

password changing problems
by Ron Echeverri 22 Jul '08

22 Jul '08

I've set up OpenLDAP 2.4.10 and have been using phpldapadmin for user management. The machines in our QA environment are set up to allow LDAP users to log in, and they are also able to change their password via the passwd command. However, they are only able to do this once; if they attempt it again, it bounces back with "LDAP Password incorrect: try again". They are able to log out and in regardless, but passwd will not accept their password in order to change it. If the user's password is reset in phpldapadmin, again they are able to change the password once, and no more. There is no password policy configured in slapd; should there be? I have loglevel set to 296, but i'm not sure what to look for. thanks rone

5 8

Automatically create home directory uppon Email login
by Stelios A. 22 Jul '08

22 Jul '08

Hello all, I've migrate an old Sun Directory Server to OpenLDAP (version 2.4.9 on Ubuntu 8.04 server) and setup a master/slave with syncrepl for data replication betwwen 2 servers. 1st server hold the master ldap and second the slave along with the email server (Sendmail + Dovecot). Email server requires ofcourse a home directory with a mbox file etc. Is there a way to avoid creating each users home directory and setup then his/her permissions? There are 980 users in the base dc and trying to figure out a way to avoid creating all this directories along with chmod manually. I've already setup pam to auto create home directory uppon user login but problem is that only 5 users will have access via ssh. Any ideas? Thanks a lot

3 4

Client connect issues with OpenLDAP 2.3 on RHEL 4
by Martin Benson 21 Jul '08

21 Jul '08

I have a Red Hat Enterprise Linux v4.4 installation that runs OpenLDAP 2.2 using the provided Red Hat rpm's. I want to upgrade this to OpenLDAP 2.3 and have created an LDAP server using the packages from http://staff.telkomsa.net/packages/rhel4/openldap/i386 . The problem I have is that I cannot get a client to attach or query the server. I have installed the openldap2.3-clients and openldap2.3 packages and the server with logging enabled does not even show a connection. I suspect it is a problem with the nss_ldap package that comes bundled with RHEL 4.4. I cannot compile the software on my system as it is a partial install for clients of ours and does not get delivered with compiler software. Does anyone know of an updated rpm for nss_ldap to be compatible with openldap2.3 and RHEL 4? Has anyone done the install and written an install guide? Thanks Martin

2 1

Reg:Design of openldap
by Chakri 21 Jul '08

21 Jul '08

Hi, i'm a newbie to this ldap world.But i have been spending so much time to understand the design of openldap-2.3.39. I wanted to understand the process flow during the functioning of slapd. can some one tell me where can i get the design documents of openldap....plz help...

1 0

memberOf search ACLs
by Andrew Bartlett 21 Jul '08

21 Jul '08

I've recently been trying to lock down Samba4's default ACLs, in it's generated LDAP backend configuration. I have memberOf configured to 'error' on dangling links, which I need for Samba. But I seem to be having some trouble with ACLs. I've attached my full config file, but the key part is: access to dn.base="" by dn=cn=samba-admin,cn=samba manage by anonymous read by * read access to dn.subtree="cn=samba" by anonymous auth access to dn.subtree="${DOMAINDN}" by dn=cn=samba-admin,cn=samba manage by * none If I change the last line to 'by * read', then the error is returned, but otherwise (due apparently to "" being unable to read the entry to validate it's existence). Shouldn't the search operations happen as the rootdn or memberof-dn, or am I missing some other configuration element here? In trying to fix this, I looked at what seemed to by typos in memberof.c, the patch of which I attach, but this didn't help. Any thoughts? Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

2 5

Re: BDB selection, et al.
by William Jojo 20 Jul '08

20 Jul '08

---- Original message ---- >Date: Sat, 19 Jul 2008 04:33:46 -0700 >From: Howard Chu <hyc(a)symas.com> >Subject: Re: BDB selection, et al. >To: Quanah Gibson-Mount <quanah(a)zimbra.com> >Cc: William Jojo <jojowil(a)hvcc.edu>,openldap-technical(a)openldap.org > >Quanah Gibson-Mount wrote: >> --On Friday, July 18, 2008 9:11 PM -0400 William Jojo<jojowil(a)hvcc.edu> >> wrote: > >>> I have noticed that the Symas packages user BDB 4.2 (with 2.3.42) as does >>> Ubuntu with 2.4.9+. I was wondering what the preference is over 4.4 >>> (which I use) and 4.[67]. >> >> 4.2.52 + patches has the longest history of being solid. >> >> 4.3 was a disaster >> >> 4.4 was likely okay >> >> 4.5 was likely okay >> >> 4.6 also seems okay, and has some useful improvements >> >> 4.7 is not yet supported, but will be in a future release, and has >> additional useful improvements over 4.6. > >4.7 can be made to work, if you're willing to tweak things a bit. The memory >manager in 4.6 is much improved over earlier versions; the memory manager in >4.7 is slightly better still. The lock manager in 4.7 is more efficient in >multi-core systems than in previous versions. > Do you, Howard, consider BDB 4.4 stable? I originally worked on 4.2 for initial rollout some years ago. Admittedly, I have no problems at present with 4.4, and I could be convinced to step backward if there is a compelling reason to do so. >>> I ask because I build OpenLDAP (among other things) for AIX 5.2/5.3/6.1 >>> at (shameless plug) http://pware.hvcc.edu/ and I was considering moving >>> to 2.4.10 with BDB 4.6, but now I am not certain where to go for a few of >>> reasons: >>> >>> * Why the choice to stay with BDB 4.2? >> >> Proven track record over later releases (4.4, 4.5) for stability and >> performance. >> >>> * And OpenSSL 0.9.7l (over the 0.9.8 series)? >> >> I use OpenSSL 0.9.8 in my builds and have for ages. > >The Symas OpenLDAP 2.4 packages also use OpenSSL 0.9.8. However, the OpenSSL >build system changed, making it more difficult to complete the Windows build. >That's one of the reasons we stayed with 0.9.7 for so long in our OpenLDAP 2.3 >packages. >> >>> * 2.3.39 has been *stable* since 11/2007 and I have not moved from that >>> point within the software suite offered. Is a later version of 2.3 going >>> to be marked stable (like 2.3.42.1 is in the Symas prodcut). >> >> Not likely. > >True, no further 2.3.x release will be marked Stable. > >> Stable is really a fairly meaningless term. > >False. At the time that a release was marked stable, it was considered the >most stable release. I.e., after sufficient amount of time in release, no >major issues were discovered. > >> Assigning meaning >> to it as a guideline as to what version to build is a very bad idea. >> There's a major DoS vulnerability in 2.3.39, for example, that was fixed in >> 2.3.43 and 2.4.11. > >It's important to note that the Stable marker only changes if there's a new >release that we consider stable. The subsequent discovery of bugs in a Stable >release won't trigger the removal of that marker. So 2.3.39 is still marked >Stable, even though important bug fixes are in 2.3.43, because those bugs were >discovered long after 2.3.39 was released. > So, I guess I will stay where I am in production and prepare for a 2.4 upgrade at some soon time after I finish my testing in 2.4 and when a stable release is announced. >In the meantime, when moving the Stable marker, the Project's practice has >been that it can only be moved to the Current release stream, which is 2.4. >But we haven't yet seen a 2.4 release remain long enough in public use without >new issues quickly being discovered. So there is not yet a new Stable release. > >>> * 2.4.x seems stable enough to me and certainly to Ubuntu x86[_64], but I >>> would like some other indication that I should make the leap before I >>> begin to change dependencies to several of the products I produce. Is >>> 2.4.x going to be marked stable in the near future? > >> Hopefully. Note that stable does not remotely mean bug free (or relatively >> low in bug count). It simply means stable as far as core (i.e., not new) >> functionality is concerned. > >No. It means low bug count as of a particular point in time, e.g., within a >couple weeks after the release. > >And as I recall, we need to get to a feature freeze in the core code first. I >think 2.4 is just about at this point now. > Superb. Thank you very much, Quanah and Howard. It has been a very enlightening discussion. Cheers, Bill >-- > -- Howard Chu > CTO, Symas Corp. http://www.symas.com > Director, Highland Sun http://highlandsun.com/hyc/ > Chief Architect, OpenLDAP http://www.openldap.org/project/ >

1 0

Please help me with ppolicy pwdReset
by Scott Classen 19 Jul '08

19 Jul '08

Hi All, this is my default ppolicy: dn: cn=default,ou=Policies,dc=example,dc=com objectClass: pwdPolicy objectClass: top objectClass: device pwdAttribute: userPassword pwdMaxFailure: 3 pwdFailureCountInterval: 0 pwdAllowUserChange: TRUE cn: default pwdSafeModify: FALSE pwdExpireWarning: 0 pwdInHistory: 1 pwdMinLength: 7 pwdGraceAuthNLimit: 1 pwdLockout: TRUE pwdLockoutDuration: 300 pwdMaxAge: 63072000 pwdCheckQuality: 2 pwdMustChange: TRUE pwdMinAge: 0 Here is an example of a user with their pwdReset attribute set to TRUE. I've only included the relevant lines: dn: uid=newguy,ou=People,dc=example,dc=com pwdChangedTime: 20080718234642Z pwdReset: TRUE pwdPolicySubentry: cn=default,ou=Policies,dc=example,dc=com Shouldn't this user be requested to change their password the next time the log in? Well they're not. logins a successful and there is no prompting for a new password. Can someone please help me trouble shoot this? Thanks, Scott

1 1

RES: ppolicy woes
by Gustavo Mendes de Carvalho 19 Jul '08

19 Jul '08

Hi Bob, Some months ago I had similar problem trying to use Password Policy. I was using RHAS4 Up6, and my client machines was using RHES4 Up2, and for some unknown reason, no matter waht configuration I did, client machines did not recognizes ppolicy arguments sent from ldap server. I just solved this situation doing some upgrade in client machines, from Up2 to Up5. After this upgrade, everithing was OK. Did you try this client configuration in some other linux distribution ? --- Gustavo Mendes de Carvalho email: gmcarvalho(a)gmail.com

1 0

BDB selection, et al.
by William Jojo 19 Jul '08

19 Jul '08

I have noticed that the Symas packages user BDB 4.2 (with 2.3.42) as does Ubuntu with 2.4.9+. I was wondering what the preference is over 4.4 (which I use) and 4.[67]. I ask because I build OpenLDAP (among other things) for AIX 5.2/5.3/6.1 at (shameless plug) http://pware.hvcc.edu/ and I was considering moving to 2.4.10 with BDB 4.6, but now I am not certain where to go for a few of reasons: * Why the choice to stay with BDB 4.2? * And OpenSSL 0.9.7l (over the 0.9.8 series)? * 2.3.39 has been *stable* since 11/2007 and I have not moved from that point within the software suite offered. Is a later version of 2.3 going to be marked stable (like 2.3.42.1 is in the Symas prodcut). * 2.4.x seems stable enough to me and certainly to Ubuntu x86[_64], but I would like some other indication that I should make the leap before I begin to change dependencies to several of the products I produce. Is 2.4.x going to be marked stable in the near future? I appreciate all of the work of the OpenLDAP team and the community. I welcome any suggestions to help me make the right decision. In the meantime, my own production servers remain at 2.3.39-stable, but I can be persuaded to upgrade. :-) Cheers, Bill

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2008