objectclass sambaSamAccount
by Laurence Mayer
Hi,
OS: Linux Redhat x86_64
OpenLdap 2.3.27
I am trying to add an objectclass sambaSamAccount to my ou=People.
My goal would be to have both samba and posix account for each user.
I have included the samba schema to the slapd.conf file.
I tried adding this to a file and running ldapadd:
dn: uid=laurence, ou=People,dc=istraresearch,dc=com
sambaLogonTime: 0
displayName: Laurence Mayer
sambaLMPassword: xxxxx
sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-1201
objectClass: sambaSamAccount
sambaAcctFlags: [UX ]
gidNumber: 100
sambaKickoffTime: 2147483647
sambaPwdLastSet: 1010179230
sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5004
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaNTPassword: xxxx
However I received the error:
adding new entry "uid=laurence, ou=People,dc=istraresearch,dc=com"
ldap_add: Internal (implementation specific) error (80)
additional info: no structuralObjectClass operational attribute
Please can you tell me what I need to do to achieve this.
Thanks in advance
Laurence
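The error in the post above comes from slapd being unable to derive a structural object class for the entry: sambaSamAccount (like posixAccount) is an AUXILIARY class in the Samba schema, so the record also needs a STRUCTURAL class such as inetOrgPerson or account. The following Python is an added illustration, not code from the thread; its SCHEMA table is an assumed minimal subset of the standard core, cosine, nis and samba schemas, and the sample record is constructed.

```python
# Added example, not from the thread: why slapd answered "no structuralObjectClass
# operational attribute" (error 80). SCHEMA is an assumed minimal table of the
# standard classes involved: class -> (kind, superior class).
SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "account": ("STRUCTURAL", "top"),
    "posixAccount": ("AUXILIARY", "top"),
    "sambaSamAccount": ("AUXILIARY", "top"),
}

# Constructed sample in the shape of the posted record (values abbreviated).
POSTED = """\
dn: uid=laurence,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: laurence
sambaSID: S-1-5-21-0-0-0-5004
"""

def parse_ldif_entry(text):
    """Parse one LDIF record into {attr: [values]}, joining folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def superiors(name):
    """All superior classes of name, nearest first (name itself excluded)."""
    out = []
    while (name := SCHEMA[name][1]) is not None:
        out.append(name)
    return out

def structural_object_class(entry):
    """The class slapd would store as structuralObjectClass: the single most
    specific STRUCTURAL class listed. None means slapd rejects the add."""
    classes = [c for c in entry.get("objectClass", []) if c in SCHEMA]
    structural = [c for c in classes if SCHEMA[c][0] == "STRUCTURAL"]
    # keep only classes that are not a superior of another listed class
    leaves = [c for c in structural if not any(c in superiors(o) for o in structural)]
    return leaves[0] if len(leaves) == 1 else None
```

Two unrelated structural classes (for example account plus inetOrgPerson) also yield None, which matches slapd refusing an invalid structural object class chain.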
Re: RHEL 5 will not do TLS/SSL authentication
by Dat Duong
The slapd.conf is on a Solaris 10 machine. This is how I compiled OpenSSL and OpenLDAP from source:
# cd openssl.0.98h
# ./config shared
# make clean
# make
# make install
# cd openldap-2.4.11
# env LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.2/lib:/usr/local/ssl/lib" \
  LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/ssl/lib -R/usr/local/lib -R/usr/local/BerkeleyDB.4.2/lib -R/usr/local/ssl/lib" \
  CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include -I/usr/local/ssl/include" \
  ./configure --enable-bdb --enable-crypt --with-tls --without-cyrus-sasl
# make depend
# make clean
----- Original Message ----
From: Buchan Milne <bgmilne(a)staff.telkomsa.net>
To: Dat Duong <datduong2000(a)yahoo.com>
Cc: openldap-technical(a)openldap.org
Sent: Wednesday, September 3, 2008 5:17:14 AM
Subject: Re: RHEL 5 will not do TLS/SSL authentication
On Wednesday 03 September 2008 09:49:54 Dat Duong wrote:
> I'm thinking, if the gnutls which installed by default, was causing the
> problem??
It doesn't matter if gnutls is installed, what matters is what OpenLDAP was
compiled against.
Now, you stated that you are using RHEL 5, and gave no other details of what
software you installed, so it would be logical to assume you are using only
the RHEL 5 packages. On RHEL 5, OpenLDAP 2.3.27 is compiled against openssl
0.9.8b. But, since you have some weird paths reflected in your slapd.conf
etc., maybe you have built your own software. If you have, you need to supply
the details thereof, or we are all wasting our time.
Regards,
Buchan
Re: RHEL 5 will not do TLS/SSL authentication
by Buchan Milne
On Wednesday 03 September 2008 09:49:54 Dat Duong wrote:
> I'm thinking, if the gnutls which installed by default, was causing the
> problem??
It doesn't matter if gnutls is installed, what matters is what OpenLDAP was
compiled against.
Now, you stated that you are using RHEL 5, and gave no other details of what
software you installed, so it would be logical to assume you are using only
the RHEL 5 packages. On RHEL 5, OpenLDAP 2.3.27 is compiled against openssl
0.9.8b. But, since you have some weird paths reflected in your slapd.conf
etc., maybe you have built your own software. If you have, you need to supply
the details thereof, or we are all wasting our time.
Regards,
Buchan
Help needed to set up N-way multimaster replication
by piyush joshi
Dear All,
I am using openldap-2.4.11 and trying to use N-way multimaster replication so that changes made to the first server are reflected on the second and vice versa. With my current set-up, if I use the syncprov overlay and syncrepl on both servers, it doesn't allow me to make changes on either LDAP server. If I configure the syncprov overlay on one server and syncrepl on the other, it allows me to make changes and reflects them to the other server; however, I still can't make changes on the second LDAP server. My configuration for both servers is as follows. Please let me know what is wrong with this configuration or what changes need to be made to get it running.
Configuration on First LDAP Server
allow bind_v2
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/corba.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
modulepath /usr/local/openldap/libexec/openldap
moduleload syncprov
password-hash {SSHA}
database hdb
suffix "dc=***,dc=com"
rootdn "cn=root,dc=***,dc=com"
rootpw {SSHA}yZkqhHmELfmUTsaQyfxgXBqq95gugTA4
directory /usr/local/openldap/var/openldap-data
index uid pres,eq
index cn,sn pres,eq,approx,sub
index objectClass eq
index entryCSN,entryUUID eq
syncrepl rid=001
    provider=ldap://192.168.1.12
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=***,dc=com"
    attrs=*
    binddn="cn=root,dc=***,dc=com"
    credentials=secret
overlay syncprov
syncprov-checkpoint 50 10
database monitor
loglevel 256
Configuration on Second LDAP Server
allow bind_v2
include /usr/local/openldap/etc/openldap/schema/core.schema
include /usr/local/openldap/etc/openldap/schema/corba.schema
include /usr/local/openldap/etc/openldap/schema/cosine.schema
include /usr/local/openldap/etc/openldap/schema/nis.schema
include /usr/local/openldap/etc/openldap/schema/inetorgperson.schema
pidfile /usr/local/openldap/var/run/slapd.pid
argsfile /usr/local/openldap/var/run/slapd.args
modulepath /usr/local/openldap/libexec/openldap
moduleload syncprov
password-hash {SSHA}
database hdb
suffix "dc=***,dc=com"
rootdn "cn=root,dc=***,dc=com"
rootpw {SSHA}9nbNE9l1rTvPCoU95zgo6vVoL3nMRzMI
directory /usr/local/openldap/var/openldap-data
index uid pres,eq
index cn,sn pres,eq,approx,sub
index objectClass eq
index entryCSN,entryUUID eq
syncrepl rid=001
    provider=ldap://192.168.1.8
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=***,dc=com"
    attrs=*
    binddn="cn=root,dc=***,dc=com"
    credentials=secret
overlay syncprov
syncprov-checkpoint 50 10
database monitor
loglevel 256
Thanks & Regards
Piyush Joshi
9415414376
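In OpenLDAP 2.4 a database that pulls changes through syncrepl is treated as a read-only replica unless the database is also declared `mirrormode on`, and every master needs its own `serverID` so that the CSNs produced by the two servers can be told apart; neither directive appears in the two configurations above. The following Python lint is an added example (not from the thread and not part of OpenLDAP) that checks a slapd.conf for those prerequisites; the sample config is constructed from the first server's configuration with the suffix replaced, and the own-URL argument (assumed to be ldap://192.168.1.8 for the first server) is an assumption.

```python
# Added example, not from the thread: lint a slapd.conf (OpenLDAP 2.4 syntax)
# for what N-way multimaster needs (assumed check list): a distinct serverID
# per master, 'mirrormode on' (else a syncrepl consumer DB is read-only),
# 'overlay syncprov' (else the other masters cannot pull from this node).
import re

# Constructed from the first server's posted config (suffix replaced), with
# the syncrepl parameters indented as slapd.conf continuation lines.
SAMPLE_CONF = """\
database hdb
suffix "dc=example,dc=com"
syncrepl rid=001
    provider=ldap://192.168.1.12
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=example,dc=com"
    binddn="cn=root,dc=example,dc=com"
    credentials=secret
overlay syncprov
"""

def parse_directives(text):
    """(directive, args) pairs; continuation lines are joined onto the previous one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return [(p[0].lower(), p[1] if len(p) > 1 else "")
            for p in (l.split(None, 1) for l in logical)]

def check_multimaster(text, own_url):
    """Problems found; empty means writable and able to serve the other masters."""
    d = parse_directives(text)
    problems = []
    if not any(n == "serverid" for n, _ in d):
        problems.append("missing serverID")
    if not any(n == "mirrormode" and a.lower() == "on" for n, a in d):
        problems.append("missing 'mirrormode on': consumer database is read-only")
    if not any(n == "overlay" and a == "syncprov" for n, a in d):
        problems.append("missing 'overlay syncprov'")
    for n, a in d:
        m = re.search(r"provider=(\S+)", a)
        if n == "syncrepl" and m and m.group(1).rstrip("/") == own_url.rstrip("/"):
            problems.append("syncrepl provider points at this server itself")
    return problems
```

Adding `serverID 1` at the top and `mirrormode on` after the syncrepl block (with `serverID 2` on the other server) clears the reported problems for the sample.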
Re: RHEL 5 will not do TLS/SSL authentication
by Buchan Milne
On Tuesday 02 September 2008 21:26:10 Dat Duong wrote:
> Also I did the certs test on the client RHEL5:
And it failed for some reason, meaning this isn't an OpenLDAP problem, but an
OpenSSL problem.
>
> # openssl s_client -connect xxx.xxx.xxx.xxx:636 -showcerts -state -CAfile
> /etc/openldap/cacerts/cacert.pem
>
>
> CONNECTED(00000003)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=1 /C=US/ST=California/O=/OU=/CN=ldap01.example.com/emailAddress=dduong@yahoo.com
> verify return:1
> depth=0 /C=US/ST=California/L=Mountain View/O=/OU=/CN=ldap01.example.com/emailAddress=dduong@yahoo.com
> verify return:1
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
At this point, I get:
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=ZA ....
> SSL3 alert read:fatal:bad record mac
> SSL_connect:failed in SSLv3 read finished A
> 29751:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1057:SSL alert number 20
> 29751:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
So it looks like a problem with the certificate.
>
>
> ----- Original Message ----
> From: Dat Duong <datduong2000(a)yahoo.com>
> To: Buchan Milne <bgmilne(a)staff.telkomsa.net>; openldap-technical(a)openldap.org
> Sent: Tuesday, September 2, 2008 12:14:12 PM
> Subject: Re: RHEL 5 will not do TLS/SSL authentication
>
>
> I'm using ldapsearch from openldap-2.4.xx on Solaris 10. I can do the
> ldapsearch with the -ZZ option and I get the result back just fine.
> However, on my RHEL 5, using the native ldapsearch with the -ZZ and -d1
> options for debug gives the errors below. I can do an ldapsearch
> without -ZZ and it runs fine.
>
> ERROR:
>
> TLS trace: SSL_connect:before/connect initialization
> TLS trace: SSL_connect:SSLv2/v3 write client hello A
> TLS trace: SSL_connect:SSLv3 read server hello A
> TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=California/O=/OU=/CN=ldap01.example.com/emailAddress=dduong@yahoo.com, issuer: /C=US/ST=California/O=/OU=/CN=ldap01.example.com/emailAddress=dduong@yahoo.com
> TLS certificate verification: Error, self signed certificate in certificate chain
> TLS trace: SSL3 alert write:fatal:unknown CA
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS trace: SSL_connect:error in SSLv3 read server certificate B
> TLS: can't connect.
> ldap_perror
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
>
> **** Here is how I setup the TLS:
>
> On the client side, I copied over the cacert.pem from the server to
> /etc/openldap/cacerts/cacert.pem. A look at the cacert.pem shows:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             b1:fe:10:70:c6:7e:fe:24
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, ST=California, O=, OU=ODIN, CN=ldap01.example.com/emailAddress=dduong@yahoo.com
>         Validity
>             Not Before: Sep 2 17:31:55 2008 GMT
>             Not After : Sep 2 17:31:55 2011 GMT
>         Subject: C=US, ST=California, O=, OU=, CN=ldap01.example.com/emailAddress=dduong@yahoo.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 7C:49:79:29:08:EE:77:8D:C0:93:9B:44:62:63:F6:3F:FD:26:1E:E9
>             X509v3 Authority Key Identifier:
>                 keyid:7C:49:79:29:08:EE:77:8D:C0:93:9B:44:62:63:F6:3F:FD:26:1E:E9
>                 DirName:/C=US/ST=California/O=/OU=ODIN/CN=ldap01.example.com/emailAddress=dduong(a)yahoo.com
>                 serial:B1:FE:10:70:C6:7E:FE:24
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: sha1WithRSAEncryption
> -----BEGIN CERTIFICATE-----
> .
> .
> .
> .
> .
> -----END CERTIFICATE-----
>
>
> ***** On the client RHEL5, /etc/openldap/ldap.conf looks like this:
>
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> #BASE dc=example, dc=com
> #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> URI ldap://xxx.xxx.xxx.xxx/
> BASE dc=foobar,dc=example,dc=com
> TLS_CACERTDIR /etc/openldap/cacerts
If you use this directive (and not TLS_CACERT), then you must have created the
hashes in /etc/openldap/cacerts, using c_rehash (on RHEL, you must install
openssl-perl to get this), e.g.
c_rehash /etc/openldap/cacerts
>
>
> ***** On the client RHEL5, the ldap.conf located at /etc/ldap.conf looks like
> this:
I've removed the useless lines of commented defaults ....
> base dc=example,dc=com
>
> timelimit 120
>
> bind_timelimit 120
>
> idle_timelimit 3600
>
> nss_base_passwd ou=People,dc=foobar,dc=example,dc=com?one
> nss_base_shadow ou=People,dc=foobar,dc=example,dc=com?one
> nss_base_group ou=Group,dc=foobar,dc=example,dc=com?one
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /etc/openldap/cacerts/cacert.pem
>
> uri ldap://ldap01.example.com/
> #ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password crypt
This should work, if your certificate wasn't broken.
> On the LDAP server, This is how I create CA and certificates:
>
> #openssl req -newkey rsa:1024 -x509 -nodes -out server.pem -keyout
> server.pem -days 365
I'm wondering if some files left over by the order in which you did things
caused a problem.
> ## create self signed certs
>
> ## generate root signing cert:
> /usr/share/ssl/misc/CA.pl -newca
Did you really give your CA the subject: C=US, ST=California, O=,
OU=, CN=ldap01.example.com/emailAddress=dduong@yahoo.com?
Why did you make it so close to that of the LDAP server's certificate?
>
> ## create a signing req for the server
> openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
>
> ## sign it with root CA
> # /usr/local/ssl/misc/CA.sh -sign
>
> ## call the cert/key something useful
> mv newcert.pem ldap01-cert.pem
> mv newreq.pem ldap01-key.pem
>
> Copy ldap01-cert.pem and ldap01-key.pem and the root CA (in
> demoCA/cacert.pem) to server:/opt/openldap/keys
>
> chmod 400 *
>
> Add these config params:
>
> TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv3
> TLSCACertificateFile /usr/local/etc/openldap/keys/cacert.pem
> TLSCertificateFile /opt/openldap/keys/ldap01-cert.pem
> TLSCertificateKeyFile /opt/openldap/keys/ldap01-key.pem
> TLSVerifyClient never
Can you verify the certificate on the server? E.g.:
# openssl verify -CAfile /usr/local/etc/openldap/keys/cacert.pem /opt/openldap/keys/ldap01-cert.pem
Regards,
Buchan
Re: objectclass sambaSamAccount
by Michael Ströder
Laurence,
please stay on the mailing list.
Laurence Mayer wrote:
>
> I got this working and now I can add sambaSamAccounts.
>
> When I add passdb backend = ldapsam:ldap://ldap.example.com to my
> smb.conf with all the other needed options the smb does not come up.
You should provide more information. At first I'd recommend to have a
closer look at the logs of OpenLDAP and Samba.
Ciao, Michael.
RHEL 5 will not do TLS/SSL authentication
by Dat Duong
Hi,
I can't find anywhere how to fix my RHEL 5 to use TLS/SSL authentication. It will work when I comment out the ssl start_tls and SSL. On my Solaris 10, I can do ldapsearch with the -ZZ option.
Here is what I did with the debug on for ldapsearch. Please help me solve this problem...THANKS!!
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure