openldap-technical August 2008

openldap-technical@openldap.org

63 participants
81 discussions

How To (correctly) reference an LDAP entry
by Christian Marg 20 Aug '08

20 Aug '08

Hello, I have some entries in my own OpenLDAP server (Server A, Base: dc=tu-clausthal,dc=de) and would like to link each of them to entries stored on a foreign LDAP Server (Server B, Base: ou=X,o=Y,c=Z). I have added the "seeAlso"-attribute containing the DNs I want to link my LDAP-entries to, but since they are in another name space and on a foreign Server, they point to "nil". Do I have to rebuild the foreign namespace to just add a reference to the other server? How would I do that most cleverly on OpenLDAP? Or is there another way to create (correct) external references? Am I even using the "seeAlso" attribute correctly? bye Christian -- Christian Marg mail : mailto:marg@rz.tu-clausthal.de Rechenzentrum TU Clausthal web : http://www.tu-clausthal.de D-38678 Clausthal-Zellerfeld fon : 05323/72-2626 Germany jabber: ifcma(a)jabber.tu-clausthal.de

2 3

Re: translucent overlay with local-only entries
by Sven Ulland 20 Aug '08

20 Aug '08

Gavin Henry wrote: > ----- "Sven Ulland" <sveniu(a)ifi.uio.no> wrote: > >> Gavin Henry wrote: >> [...] >>>> Are they really correct? With local-only entries working well (as >>>> they should, with my recent version of openldap), I would assume >>>> that local-only would return local-only entries, and that >>>> local-and-remote would return both remote and local entries. >>> So are you getting local entries at all? >> I see local *modifications*, yes. Example: A remote entry with >> uid=andrew is edited on the translucent extension with a new >> description. When searching, I see the locally changed description >> without problems. >> >> On the other hand, when I create *entries* that only exist on the >> translucent extension, I never see any sign of them when searching. >> I do see them when running slapcat, so they are indeed present in >> the local database. >> >> This should be fixed with Howard's 2.4.8 patch some time ago, so I >> can only assume there's something strange with my config or the >> 2.4.10 Debian build. I will try to build a vanilla OpenLDAP from >> source as soon as I have time. > > OK, thanks. Does a slapcat of the local db show the new entries > you've added to existing remote ones? I assume you mean new and/or modified attributes. Yes, those are shown as well, with all the needed glue records in place. So as far as I can see, writing new entries/attributes works perfectly fine, but the searching does not. I'll send an update after trying the vanilla distr. sven

1 0

Re: Help with authz-regexp mapping kerberos
by Chavez, James R. 20 Aug '08

20 Aug '08

Rahul, Sorry I am not clear in my explanations. What I am trying to achieve is to login to my linux and solaris boxes from the console or through a remote ssh session using Active directory or kerberos credentials and have that effectively map to my users that exist in the LDAP directory. And this works with a catch.. If the username in LDAP (joe_montana) matches the kerberos principal name (joe_montana) I have no issue.. I login using the kerberos username and password and the uid, gid, for that user in LDAP is correct when issuing the id command. So effectively it uses the kerberos credentials and logs me in as that ldap user. Pam-krb is used for authentication and things seem beautiful. However in this case, I have user's with the 8 character unix naming convention(migrated from NIS). I am trying to find the correct way to map that username to the kerberos username. There has got to be a way!! Actually reading over the openldap Admin guide, I see that it mentions using passthrough authentication to an Active directory server. Seems this is done by modifying the userPassword attribute of the ldap dn. As I understand from reading the guide, for my user jmontana the entry should look something like this.. dn: cn=jmontana,ou-People,dc=example,dc=com userPassword: {SASL}joe_montana(a)EXAMPLE.COM However all the userPassword attributes for the users are encrypted. I delete the dn's userPassword attribute first off. But when I attempt to add the userPassword attribute with the ldif below I still get an encrypted password in the userPassword attribute. How can I get the entry to show {SASL}joe_montana(a)EXAMPLE.COM? Is there something in slapd.conf or ldap.conf I need to modify? I may be barking up the wrong tree but it sounds like what I need. dn: uid=jmontana,ou=People,dc=example,dc=com changetype: modify add: userPassword userPassword: {SASL}joe_montana(a)EXAMPLE.COM Also the Openldap Admin guide mentions that "the server must be built with the --enable-spasswd configuration option to enable pass-through authentication." I am not sure how to check if this is the case. This is a RHEL5 box with openldap-servers-2.3.27-8 rpm. I did not install from source, I used Red Hat's precompiled RPM. Having to install from source is a whole other can of worms. But I will do what I have to. Thank you much James 1. Re: Subject: Re: Help with authz-regexp mapping kerberos identity to dn --RAHUL (Rahul Amaram) ---------------------------------------------------------------------- Message: 1 Date: Sun, 17 Aug 2008 11:30:25 +0530 From: Rahul Amaram <rahul(a)synovel.com> Subject: Re: Subject: Re: Help with authz-regexp mapping kerberos identity to dn --RAHUL To: openldap-technical(a)openldap.org Message-ID: <48A7BE79.2080704(a)synovel.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed This is the flow of events. 1. First GSSAPI (Kerberos) authentication takes place using the id "joe_montana". 2. Then LDAP gives this the DN "uid=joe_montana,cn=REALM,cn=gssapi,cn=auth". 3. Using authz-regexp, we can map this to another DN such as "uid=jomontana,ou=People,dc=company,dc=com" which I believe makes sense only to LDAP. Getting back to your query, could you precisely define what is it that you are trying to achieve? If you could give a clear step-to-step example of the workflow, then I might be able to be of some assistance. Regards, Rahul. Chavez, James R. wrote: > > Rahul, > Thank you again..I will try this expression you have provided. > Am I going about this in the correct way? What I want is to login > through ssh or even the local box and be authenticated by the kerberos > credentials. But I want the effective uid or account to be that of the > ldap user in the openldap directory. > I want my kerberos credentials to authorize my ldap login even though > the account names do not match. Is it possible with this authz-regexp? > Or is this simply for services. > Sorry for all the questions. > > Thanks > James > > > > Message: 1 > Date: Wed, 13 Aug 2008 15:08:43 +0530 > From: Rahul Amaram <rahul(a)synovel.com> > Subject: Re: Subject: Re: Help with authz-regexp mapping kerberos > identity to dn --RAHUL > Cc: openldap-technical(a)openldap.org > Message-ID: <48A2ABA3.9090900(a)synovel.com> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Hi Chavez, > Try this expression. It should work. > > authz-regexp uid=(.).*_([^,]*),cn=company.com,cn=gssapi,cn=auth > uid=$1$2,ou=People,dc=company,dc=com > > > The "sasl-realm" parameter is set in /etc/slapd/slapd.conf (main > slapd.conf file). You might also be interested in sasl-host (for > hard-coding the host sasl fqdn name to be used while fetching > ldap/<fqdn>@<REALM> password from the keytab file) and sasl-secprops > parameters. > > Regards, > Rahul. > > Chavez, James R. wrote: > >> >> Rahul, >> My friend finally a response. >> Thank you for the input I had also read that link you provided, it >> was >> > > >> somewhat helpful. If the usernames were identical that would work >> great I believe. However the source name is coming in as joe_montana >> and I need it to map to jmontana. >> So I need only the first character of the first name and everything >> after the underscore (last name). I am looking for the expression >> that >> > > >> would give me that. I am not too familiar with the expressions syntax >> or how to manipulate them. I see there is an option to search ldap >> using ldap:///ou=people,dc=example,dc=com??one?(uid=$1), maybe I >> should look into that. Do you have any suggestions or source for >> reading on authz-regexp? I have been looking. If it was shell >> scripting I could manage another way. >> >> When you say the SASL Realm would that go in the main slapd.conf or >> the /usr/lib/sasl2/slapd.conf? >> >> I am indeed using GSSAPI for the SASL-auth-mechanism. I am getting >> close,just gotta get past this. :) >> >> Thank you again. >> James >> >> >> >> >> ------------------------------ >> CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

2 1

Cannot find 2 particular users
by Stelios A. 19 Aug '08

19 Aug '08

Hello all, I'm going mad with this problem. Suddenly and without doing any modification 2 particular users cannot bind on slave ldap. Example: root@slaveldap:~# id user1 id: psamara: No such user root@slaveldap:~# id user2 id: idanias: No such user root@slaveldap:~# id stelios uid=1000(stelios) gid=100(users) groups=100(users) root@slaveldap:~# The above commands run fine on the master ldap server. Doing a search on slaveldap finds both user1 and user2. Because of the above lookup problem I cannot send emails to those 2 users as I'm getting the following error from the email server which is running on the same machine. Requested action not taken: mailbox unavailable 550 5.1.1 <user1(a)mydomain.com>: Recipient address rejected: User unknown in local recipient table I have no clue what is going on and how to solve it. I also try to delete and re-create the users but with same results. Any ideas? Thanks a lot

3 3

Re: translucent overlay with local-only entries
by Sven Ulland 19 Aug '08

19 Aug '08

Gavin Henry wrote: > ----- "Sven Ulland" <sveniu(a)ifi.uio.no> wrote: >> Gavin Henry wrote: >>> Did you read the man page? man slapo-translucent >> I did, but the significance of translucent_local and _remote didn't >> strike me. Unfortunately it seems that enabling local+remote >> searching doesn't change the result. I must have a silly bug in my >> configuration, but I cannot figure out where. >> >> Various combinations of translucent_local and _remote give different, >> but consistent, results: >> >> neither local nor remote: only remote entries returned >> local only: no entries returned >> remote only: only remote entries returned >> local and remote: only remote entries returned > > These are corrent results and are documented in the slapo-translucent man page. Are they really correct? With local-only entries working well (as they should, with my recent version of openldap), I would assume that local-only would return local-only entries, and that local-and-remote would return both remote and local entries. >> I use the following in my slapd.conf[1]: >> >> translucent_remote uid >> translucent_local uid > > Do you have uid indexed? Yes, and I have tried rebuilding the index (and set proper file ownership afterwards) several times. 'uid' is indexed on the main ldap and on the translucent one, using 'index uid eq,sub'. No effect. I search using equality with ldapsearch. I tried switching between bdb and hdb, also without any effect. It seems I have to dive into the code to resolve this one. sven

1 0

slapadd error when I add ldif file which export from Windows AD
by 绍庚曾 19 Aug '08

19 Aug '08

Hello ,all! First, I'm sorry for my poor english. In windowsXP, I export whole Windows AD as a ldif file by a tool called "Softerra LDAP Browser 2.6". But in my CentOS4.6, when I import this ldif file, It occured an error message: slapadd: could not parse entry (line=56) I find this ldif file contains some private objectclass, so I try to search the corresponding schema files in Windows AD server, but I find nothing.Whether the is a way to directly import the ldif file to OpenLDAP which export from a Windows AD server? By the way ,my OpenLDAP version is 2.2.13. Any help will be really appreciated. With Best regards!

1 0

Re: Proxying data for syncrepl
by ghenry＠OpenLDAP.org 18 Aug '08

18 Aug '08

----- "Gavin Henry" <ghenry(a)suretecsystems.com> wrote: > Yes, and that it is "proxying" data. Openldap as the remove has what > is needed, domino does not. Bonnie, that meant to say, "as the remote". For example, the OpenLDAP remote side might have an entry like so: # gavin.henry(a)suretecsystems.com, MailAliases, suretecsystems.com dn: cn=gavin.henry(a)suretecsystems.com,ou=MailAliases,dc=suretecsystems,dc=com structuralObjectClass: suretecMailAlias entryUUID: fdbf98ca-3118-102c-9eee-c3b0278f5eab creatorsName: cn=admin,dc=suretecsystems,dc=com createTimestamp: 20071127094345Z entryCSN: 20071127130047.357178Z#000000#000#000000 modifiersName: cn=admin,dc=suretecsystems,dc=com modifyTimestamp: 20071127130047Z entryDN: cn=gavin.henry(a)suretecsystems.com,ou=MailAliases,dc=suretecsystems,dc =com subschemaSubentry: cn=Subschema hasSubordinates: FALSE Note the entryCSN and entryUUID as per: RFC 4533 LDAP Content Synchronization Operation June 2006 [Page 28] Appendix A. CSN-based Implementation Considerations ...the server not only maintains a CSN for each directory entry (the entry CSN) but also maintains a value that we will call the context CSN. The context CSN is the greatest committed entry CSN that is not greater than any outstanding (uncommitted) entry CSNs for all entries in a directory context. The values of context CSN are used in syncCookie values as synchronization state indicators. These are what Syncrepl needs, and because the remote side you are proxying has them, all is well. Now take an entry from Active Directory on Windows Server 2008: dn: CN=Administrator,CN=Users,DC=ad,DC=suretecsystems,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Administrator description: Built-in account for administering the computer/domain distinguishedName: CN=Administrator,CN=Users,DC=ad,DC=suretecsystems,DC=com instanceType: 4 whenCreated: 20080818193354.0Z whenChanged: 20080818195251.0Z uSNCreated: 8194 memberOf: CN=Group Policy Creator Owners,CN=Users,DC=ad,DC=suretecsystems,DC=com memberOf: CN=Domain Admins,CN=Users,DC=ad,DC=suretecsystems,DC=com memberOf: CN=Enterprise Admins,CN=Users,DC=ad,DC=suretecsystems,DC=com memberOf: CN=Schema Admins,CN=Users,DC=ad,DC=suretecsystems,DC=com memberOf: CN=Administrators,CN=Builtin,DC=ad,DC=suretecsystems,DC=com uSNChanged: 12715 name: Administrator objectGUID:: vuyXNovZB06PgC486y0UjA== userAccountControl: 512 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 128635631238177500 lastLogoff: 0 lastLogon: 128635645180075000 logonHours:: //////////////////////////// pwdLastSet: 128635613297241250 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAA4IX8iXHsQkLUe6ZE9AEAAA== adminCount: 1 accountExpires: 0 logonCount: 13 sAMAccountName: Administrator sAMAccountType: 805306368 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=suretecsystems,DC=com isCriticalSystemObject: TRUE dSCorePropagationData: 20080818193742.0Z dSCorePropagationData: 16010101000005.0Z lastLogonTimestamp: 128635619492443750 There is no entryCSN or entryUUID. -- Kind Regards, Gavin Henry. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

1 0

Re: Re: Proxying data for syncrepl
by Gavin Henry 18 Aug '08

18 Aug '08

Yes, and that it is "proxying" data. Openldap as the remove has what is needed, domino does not. ---- Original Message ---- From: Luca <luca.scamoni(a)sys-net.it> To: Bonnie <Bonnie.Oostenbrug(a)indaal.de>, Cc: openldap-technical <openldap-technical(a)openldap.org>, Sent: Mon, 18 Aug 2008 19:07 (GMT +0100) GMT+01:00 Subject: Re: Proxying data for syncrepl Because syncrepl depends heavily on entryUUID and entryCSN that are not provided by domino?

1 0

Proxying data for syncrepl
by Bonnie.Oostenbrug＠indaal.de 18 Aug '08

18 Aug '08

Hi, I am trying to set up the following configuration. Unfortunately, without much luck so far. 1. A Directory Server capable of LDAP e.g. LotusDomino, OpenLDAP, AD, etc.... (This Server isn't/can't be specially configured for replication. I can only ensure that the schema is correct. That is the whole point of my undertaking - because Lotus Domino/AD support it. 2. OpenLDAP configured as Proxy with a database of type LDAP with overlay syncprov configured and a uri that points to my Directory Server 3. A Consumer with a database of type BDB configured for syncrepl with my proxy as provider The whole idea is to be able to use this setup to incorporate information from diverse legacy directory servers and get it into a manageable standard OpenLDAP Directory. Without exports etc. I need to have the data replicated down local to my consumer due to Network restrictions. I want to be able to point my Proxy at 3 different Directory Servers and replicate this content down to a single consumer. If I set up the configuration using an OpenLDAP Server as my Directory Server it works. (more or less*) But when I change the proxy to point to e.g. Lotus Domino as my Directory Server I get the error "got empty SyncUUID with LDAP_SYNC_ADD" and the content doesn't replicate down from the Directory Server. Although I see activity on my proxy - he queries my Directory Server. Did I bite off to much for a newbie or am I missing something obvious?? Thanks for ideas in which direction I need to be looking! Bonnie (* the more or less refers to the fact that changes made to the Directory Server content don't replicate down unless I restart the Proxy. Then the changes are immediately replicated to the consumer..... I'm still working on that one??)

3 3

Re: Subject: Re: Help with authz-regexp mapping kerberos identity to dn --RAHUL
by Chavez, James R. 16 Aug '08

16 Aug '08

Rahul, Thank you again..I will try this expression you have provided. Am I going about this in the correct way? What I want is to login through ssh or even the local box and be authenticated by the kerberos credentials. But I want the effective uid or account to be that of the ldap user in the openldap directory. I want my kerberos credentials to authorize my ldap login even though the account names do not match. Is it possible with this authz-regexp? Or is this simply for services. Sorry for all the questions. Thanks James Message: 1 Date: Wed, 13 Aug 2008 15:08:43 +0530 From: Rahul Amaram <rahul(a)synovel.com> Subject: Re: Subject: Re: Help with authz-regexp mapping kerberos identity to dn --RAHUL Cc: openldap-technical(a)openldap.org Message-ID: <48A2ABA3.9090900(a)synovel.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hi Chavez, Try this expression. It should work. authz-regexp uid=(.).*_([^,]*),cn=company.com,cn=gssapi,cn=auth uid=$1$2,ou=People,dc=company,dc=com The "sasl-realm" parameter is set in /etc/slapd/slapd.conf (main slapd.conf file). You might also be interested in sasl-host (for hard-coding the host sasl fqdn name to be used while fetching ldap/<fqdn>@<REALM> password from the keytab file) and sasl-secprops parameters. Regards, Rahul. Chavez, James R. wrote: > > Rahul, > My friend finally a response. > Thank you for the input I had also read that link you provided, it was > somewhat helpful. If the usernames were identical that would work > great I believe. However the source name is coming in as joe_montana > and I need it to map to jmontana. > So I need only the first character of the first name and everything > after the underscore (last name). I am looking for the expression that > would give me that. I am not too familiar with the expressions syntax > or how to manipulate them. I see there is an option to search ldap > using ldap:///ou=people,dc=example,dc=com??one?(uid=$1), maybe I > should look into that. Do you have any suggestions or source for > reading on authz-regexp? I have been looking. If it was shell > scripting I could manage another way. > > When you say the SASL Realm would that go in the main slapd.conf or > the /usr/lib/sasl2/slapd.conf? > > I am indeed using GSSAPI for the SASL-auth-mechanism. I am getting > close,just gotta get past this. :) > > Thank you again. > James > > > > > ------------------------------ > > Message: 2 > Date: Mon, 11 Aug 2008 17:54:02 +0530 > From: Rahul Amaram <rahul(a)synovel.com> > Subject: Re: Help with authz-regexp mapping kerberos identity to dn > ....SASL > To: openldap-technical(a)openldap.org > Message-ID: <48A02F62.1000305(a)synovel.com> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Hi Chavez, > This is the authz-regexp string I have used in slapd.conf: > > authz-regexp uid=([^,]*),cn=synovel.com,cn=gssapi,cn=auth > uid=$1,ou=People,dc=synovel,dc=com > > This works if the SASL auth mechanism is gssapi. I have also > hard-coded the SASL Realm with the below config option: > > sasl-realm SYNOVEL.COM > > If it uses the default realm (i.e. sasl-realm option is missing) then > the string would probably be: > > authz-regexp uid=([^,]*),cn=gssapi,cn=auth > uid=$1,ou=People,dc=synovel,dc=com > > > Hope this is of some assistance. For furthur information, kindly read > http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication > %2 > 0Identities > . > > Regards, > Rahul. > > Chavez, James R. wrote: > >> Hello all, >> My plan is to use Kerberos and LDAP as a replacement for NIS. >> My issue is that I need my kerberos credentials to map to a user in >> > LDAP > >> so I can avoid permission issues when logging in with kerberos creds. >> All the perms are based on the UNIX/LDAP users and groups. Thing is >> > the > >> user id's are different between kerberos and LDAP. >> The kerberos names consist of firstname_lastname@REALM. The ldap >> > entries > >> are in the format of standard Unix user names or first letter of >> first name and up to 7 characters of the last name (jmontana). I >> migrated >> > the > >> LDAP entries from my existing NIS maps. >> Now I understand that I can use SASL and authz-regexp in slapd.conf >> to map these id's. Please correct me if I am wrong. >> >> I added all the corresponding "krbName: first_last@REALM" to the >> > users > >> when I added them to the LDAP directory. >> For example for user Joe Montana..His ldap dn is "dn: >> uid=jmontana,ou=People,dc=test,dc=example,dc=com" >> His uid is "uid: jmontana >> And his Krb name is ""krbName: joe_montana(a)TEST.EXAMPLE.COM" >> >> I think all the data is there to get a mapping I just am unsure of >> the auth-regexp strings I need to add to the slapd.conf file. >> Does anyone out there have any experience with this and better yet >> provide the string or example of what strings I can use? >> I have searched the net on how to authenticate with kerberos and >> effictively login with a local id but have been unsuccessful in my >> search. >> Appreciate any help. >> >> Thank You >> James CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2008