ppolicy in openldap
by Allgood, John
Hello All
I am fairly new to openldap and have some questions about password
policies. We are running ldap on RHEL5 and using openldap 2.3.27. The
ppolicy overlay gives me a lot of what I need but RHEL5 does not seem to
have it installed. How can I get this installed? Also the best that I
can tell is that ppolicy does not have any dictionary checks either. Is
this true or did I just miss something? What I would like to setup is
what we currently have in place using cracklib. Minlen=8 at least 1
Uppercase, 1 Lowercase, 1 Number, 1 special char.
Best Regards
John Allgood
Senior Systems Administrator
Turbo, division of OHL
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051 fax: (770) 531-7878
jallgood(a)ohl.com
www.ohl.com
14 years, 8 months
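The policy John describes (minimum length 8, at least one uppercase letter, one lowercase letter, one digit and one special character) is only partly expressible in ppolicy itself: pwdMinLength covers the length, the overlay has no dictionary check of its own, and slapo-ppolicy(5) delegates anything beyond that to an external shared object named by pwdCheckModule, which must export check_password(). The code below is an added example written for this page, not OpenLDAP, cracklib or the poster's code. It implements the character-class rules as a stand-alone function and wraps it in the check_password entry point the man page documents. The forward declaration of Entry (normally from slapd's slap.h) and the malloc'd error string that slapd is expected to free are assumptions made so the file compiles and runs on its own; a real module would also call cracklib's FascistCheck() for the dictionary test, which is not shown here.

```c
/* Added example: cracklib-style complexity rules of the kind the ppolicy
 * overlay can delegate to via pwdCheckModule (slapo-ppolicy(5)).
 * Illustrative code for this page, not OpenLDAP or cracklib code. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MIN_LEN 8   /* value from the post */

/* Return 0 if pw satisfies the policy; otherwise return 1 and write the
 * reason into err (NUL-terminated, at most errlen bytes). Only printable
 * ASCII is accepted: control characters and raw non-ASCII bytes are
 * rejected instead of being silently counted as "special". */
int password_meets_policy(const char *pw, char *err, size_t errlen)
{
    int upper = 0, lower = 0, digit = 0, special = 0;
    const char *p;

    if (pw == NULL) {
        snprintf(err, errlen, "no password supplied");
        return 1;
    }
    if (strlen(pw) < MIN_LEN) {
        snprintf(err, errlen, "password must be at least %d characters", MIN_LEN);
        return 1;
    }
    for (p = pw; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (isupper(c))       upper = 1;
        else if (islower(c))  lower = 1;
        else if (isdigit(c))  digit = 1;
        else if (isprint(c))  special = 1;   /* punctuation, symbols, space */
        else {
            snprintf(err, errlen, "password contains a non-printable character");
            return 1;
        }
    }
    if (!upper || !lower || !digit || !special) {
        snprintf(err, errlen, "password needs an uppercase letter, a lowercase "
                              "letter, a digit and a special character");
        return 1;
    }
    err[0] = '\0';
    return 0;
}

/* Entry point with the signature slapo-ppolicy(5) documents for a check
 * module: int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry).
 * In a real module Entry comes from slapd's slap.h; it is forward-declared
 * here (assumption for this example) so the file compiles stand-alone.
 * Returns 0 to accept the password; on rejection *ppErrStr points to a
 * malloc'd message for slapd to report and free (assumption: confirm the
 * memory contract against the slapd version you build against). */
typedef struct Entry Entry;

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    char reason[160];
    (void)pEntry;   /* this policy does not consult the user's other attributes */
    if (password_meets_policy(pPasswd, reason, sizeof reason) != 0) {
        size_t n = strlen(reason) + 1;
        *ppErrStr = malloc(n);
        if (*ppErrStr != NULL)
            memcpy(*ppErrStr, reason, n);
        return 1;
    }
    *ppErrStr = NULL;
    return 0;
}

/* Convenience wrapper for callers and tests: 1 if check_password() accepts
 * pw, 0 otherwise. check_password takes a writable char * as slapd passes
 * it, so the candidate is copied into a local buffer first. */
int check_password_accepts(const char *pw)
{
    char buf[160];
    char *msg = NULL;
    int rc;
    snprintf(buf, sizeof buf, "%s", pw);
    rc = check_password(buf, &msg, NULL);
    free(msg);
    return rc == 0;
}

int main(void)
{
    /* constructed sample passwords */
    const char *samples[] = { "password", "Passw0rd", "Pa$w0rd", "Passw0rd!", "Tr0ub4dor&3" };
    char err[160];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = password_meets_policy(samples[i], err, sizeof err);
        printf("%-12s -> %s%s%s\n", samples[i], rc == 0 ? "accepted" : "rejected",
               rc ? ": " : "", err);
    }
    return 0;
}
```

Two operational caveats when wiring such a module in: ppolicy can only run it when the modify carries a cleartext password (pwdCheckQuality 2 rejects values it cannot inspect, so clients must send cleartext over TLS or use the Password Modify extended operation), and the module is loaded with slapd's privileges, so build it from reviewed source and install it root-owned in slapd's module path.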
Ldapsearch
by Juan Pablo Roig
Hi all, I am new to the list and I have 2 questions:
1- I've just configured my openldap server on FreeBSD to use TLS and
to require client certificates; my problem is that I can't test the
connection with the ldapsearch command. Is this possible?
2- Is there any GUI LDAP browser that supports client certificates?
Thanks a lot
Juan
--
Sent from my mobile device
openldap group filter and websphere
by hai wu
Hi,
We have one openldap server, and for dev environment, groups are put under
'ou=devgroup,dc=example,dc=com', and for production environment, groups are
put under 'ou=group,dc=example,dc=com'.
When integrating websphere to openldap, we can only specify one search base,
which is set to 'dc=example,dc=com', and for the group filter, it is set to
'(&(cn=%v)(objectclass=posixGroup))'. But in this case, it is pulling all
groups from both the dev and production environments.
Is there a way to set the group filter so that for our dev environment, it
would only pull dev groups, and for production environment, it would only
pull production groups?
I tried ldapsearch by applying the group filter, modified it a little bit,
but still could not get it to work in our case.
Thanks,
Hai
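An added example (not from the post) of a group filter that restricts matches to one subtree while keeping the single search base that WebSphere allows. It relies on the entryDN operational attribute together with the dnSubtreeMatch extensible-match rule, which OpenLDAP 2.4 evaluates server-side; verify it on your release with ldapsearch before relying on it, since WebSphere passes the filter through verbatim and will silently return nothing if the server rejects the rule. The DNs are the ones from the post; the hostname and group name are assumed.

```text
# production environment
(&(cn=%v)(objectClass=posixGroup)(entryDN:dnSubtreeMatch:=ou=group,dc=example,dc=com))

# development environment
(&(cn=%v)(objectClass=posixGroup)(entryDN:dnSubtreeMatch:=ou=devgroup,dc=example,dc=com))

# check from the command line first (substitute a real group name for %v):
ldapsearch -x -H ldap://ldap.example.com -b dc=example,dc=com \
  '(&(cn=admins)(objectClass=posixGroup)(entryDN:dnSubtreeMatch:=ou=devgroup,dc=example,dc=com))' dn
```

If the server does not support the extensible match, the fallback is the one the post already hints at: a separate search base per environment, which means a separate WebSphere repository definition for dev and for production rather than one shared one.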
Why TLS is always fail with OpenLdap 2.4.11
by Hunter hu
Hi,
I have to get help from here, because I have been struggling with TLS
configuration for weeks.
During those days I searched Google, including this list, and still can't get it
to work, my god.
Could anyone provide a step-by-step guide on how to configure the OpenLDAP TLS
connection, so as to reduce our pain?
Here I lay out the steps and hope to get help from the senior LDAP engineers.
1. installed openldap with --with-tls=openssl
I added openssl explicitly to avoid using gnutls; sometimes openldap will
go and find gnutls if its C headers are there.
Installed and started slapd successfully.
2. using ldapsearch -v -h 10.192.183.73 -b "dc=example,dc=com" -s base
"objectclass=*"
I can get the listed information from openldap server, that is ok
3. now on to certificate generation, following numerous guides from Google, but
none worked for me
3.1 cd /var/myca
/usr/local/ssl/misc/CA.sh -newCA
this will generate demoCA, and cacert.pem is there, that is ok
3.2 /usr/local/ssl/misc/CA.sh -newreq
newkey.pem newreq.pem
note: I am using 10.192.183.73 as the common name, is there any issue
here?
3.3 /usr/local/ssl/misc/CA.sh -sign
then you get newcert.pem
now copy into /var/ldap, add to the slapd config and restart
TLSCipherSuite MEDIUM:+TLSv1+SSL3+SSL2
TLSCertificateFile /var/ldap/newcert.pem
TLSCertificateKeyFile /var/ldap/newkey.pem (some guides said it should be
newreq.pem)
TLSCACertificateFile /var/ldap/cacert.pem
4. ftp cacert.pem to the client and copy it into /var/myca
using s_client to test first
openssl s_client -connect 10.192.183.73:389 -showcerts -state -CAfile
/var/myca/cacert.pem -tls1
you will always get this error:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:failed in SSLv3 read server hello A
14719:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:530:
Could some kind soul give me some help and save me?
--
Hunter
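The following is an added example, not configuration posted by Hunter or Juan, that covers both of their TLS questions: a server-side slapd.conf TLS stanza that requires client certificates, and the client-side ~/.ldaprc that lets ldapsearch present one. Hostnames and paths are assumed. Two details worth checking against the steps above: openssl's CA.sh -newreq produces a passphrase-protected key that slapd cannot open unattended, and openssl s_client speaks TLS from the first byte, so pointing it at port 389 (where TLS only starts after an LDAP StartTLS request) fails exactly in the ServerHello read; test StartTLS with ldapsearch -ZZ and test raw TLS against the ldaps port instead.

```conf
########## slapd.conf on the server (assumed paths and hostname) ##########
# Listen for plain LDAP with StartTLS (389) and for LDAPS (636):
#   slapd -h "ldap:/// ldaps:///"
TLSCACertificateFile  /etc/openldap/certs/ca.pem
TLSCertificateFile    /etc/openldap/certs/ldap.example.com.pem
# Must be the UNENCRYPTED private key, readable only by the slapd user.
# CA.sh -newreq writes a passphrase-protected newkey.pem; use
# CA.sh -newreq-nodes, or strip the passphrase with
#   openssl rsa -in newkey.pem -out ldap.example.com.key
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key
# Require a client certificate issued by the CA above (Juan's setup).
# Use "never" (the default) or "try" while debugging the server side.
TLSVerifyClient       demand
# Let OpenSSL pick strong suites; do not add SSLv2 suites back in.
TLSCipherSuite        HIGH:!aNULL:!eNULL

# The certificate's CN (or a subjectAltName) must match the host exactly
# as the client writes it in -H. Inspect what you issued with:
#   openssl x509 -in /etc/openldap/certs/ldap.example.com.pem -noout -subject -dates

########## ~/.ldaprc on the client ##########
# TLS_CERT and TLS_KEY are user-only options (ldap.conf(5)): they belong in
# ~/.ldaprc or the LDAPTLS_CERT / LDAPTLS_KEY environment variables and are
# ignored in the system-wide ldap.conf.
TLS_CACERT  /etc/openldap/certs/ca.pem
TLS_CERT    /home/juan/ldap-client.pem
TLS_KEY     /home/juan/ldap-client.key
TLS_REQCERT demand

# StartTLS on 389: -ZZ makes the search fail unless TLS comes up, and -d 1
# prints the TLS negotiation and any certificate verification error.
#   ldapsearch -ZZ -d 1 -H ldap://ldap.example.com -x \
#       -b dc=example,dc=com -s base '(objectClass=*)'
#
# Raw TLS (for openssl s_client) only works against the ldaps port:
#   openssl s_client -connect ldap.example.com:636 \
#       -CAfile /etc/openldap/certs/ca.pem \
#       -cert /home/juan/ldap-client.pem -key /home/juan/ldap-client.key
#   ldapsearch -H ldaps://ldap.example.com -x -b dc=example,dc=com -s base '(objectClass=*)'
```

When TLSVerifyClient is demand, an ldapsearch without TLS_CERT/TLS_KEY fails at the handshake rather than with an LDAP error, so keep one client configured without a certificate around to confirm the server is actually enforcing the requirement.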
Re: Syncrepl Questions
by Gavin Henry
> I am not understanding what happens to my clients if something happens
> to my provider. In some replication systems when the main server fails
> you can start using the machine that was replicated to as your
> primary.
This is called Active-Active Hot Standby and can be done with MirrorMode.
> Does the consumer act as a slave machine?
It can be, depends how you've set it up, which you have told us ;-)
> On each of my
> clients do I point them to the provider/consumer.
It depends on what your clients are doing, if it's all readonly, then point
them at both. Tell us more.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
Re: Syncrepl Questions
by Gavin Henry
----- "John Allgood" <jallgood(a)ohl.com> wrote:
> Hello Again
Hi,
> Maybe by the end of this project I will be somewhat of an ldap expert;
> until then please bear with me.
It will take many years to get there (I'm nowhere near), trust me ;-)
> I think I have gotten a little more understanding to how this will
> work. I have a provider and a consumer up and running and I am
> pointing each application and or server to both the provider and the
> consumer. Also there is something called referrals that are talked
> about for the consumer. Is this something I will need to use.
If you understand referrals you will be able to answer this yourself. Anyway,
referrals "refer" a client to the Provider if it is trying to write to a consumer
that doesn't accept writes; think of it as "Go speak to the boss".
> We started building the ldap server about a month ago. We have not
> really had the time to do proper research due to time constraints.
This can be a big problem.
> We
> just used the rpms that Redhat provided with RHEL5 which is openldap
> 2.3. The rpms built from Redhat did not have the ppolicy overlay built
> in. I found the overlays on the Beta channels from Redhat Network and
> used those to get the ppolicy. I wish Redhat would stay a little more
> up2date. Anyways if there is anymore advise that can be provided I
> would appreciate it. Oh one more thing. When I was setting up syncprov
> for the first time I missed the part about loading the module in the
> slapd.conf. I did enter the overlay syncprov to my config and it
> appears to work. Can syncprov be built into openldap and not loaded as
> an module. Just wanted some verification on this issue.
Build it how you like, it's best to build from source to start with to get
a feel for everything. Then depending on how your company works you can move
to a commercially supported version. I would never recommend the RHEL version, but
please visit the list archives for why.
Thanks.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
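The provider/consumer pair with referrals that Gavin describes, as an added example in OpenLDAP 2.4 slapd.conf syntax (not configuration from either poster; hostnames, DNs and the replicator password are assumed). The consumer never accepts writes itself: updateref hands a writing client a referral to the provider, and read-only clients can list both servers in their ldap.conf URI line. The provider gets a dedicated replication identity instead of the rootdn, because a consumer's credentials sit on disk and are only ever used to read.

```conf
########## provider (ldap1.example.com) slapd.conf ##########
moduleload  syncprov.la              # omit if syncprov was compiled in statically
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap
# Dedicated replication identity: read everything, never the rootdn.
# Place this before your other ACLs; "break" lets later clauses apply to
# everyone else.
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break
# A full refresh must not be cut off by the default size/time limits.
limits dn.exact="cn=replicator,dc=example,dc=com" size=unlimited time=unlimited
overlay     syncprov
syncprov-checkpoint 100 10           # persist contextCSN every 100 ops or 10 min
syncprov-sessionlog 100              # lets a briefly-disconnected consumer resync without a full refresh

########## consumer (ldap2.example.com) slapd.conf ##########
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap
syncrepl    rid=001
            provider=ldap://ldap1.example.com
            type=refreshAndPersist
            retry="60 +"             # retry every 60 s, forever
            searchbase="dc=example,dc=com"
            bindmethod=simple
            binddn="cn=replicator,dc=example,dc=com"
            credentials=replicator-secret
            starttls=critical        # refuse to replicate over cleartext
            tls_reqcert=demand
# Writes arriving here are answered with a referral to the provider.
updateref   ldap://ldap1.example.com

########## client-side /etc/openldap/ldap.conf ##########
# URI ldap://ldap1.example.com ldap://ldap2.example.com
# libldap tries the servers in order, so reads survive the loss of either.
```

Note that a referral is only honoured if the client follows it (ldapmodify does with -C, and many applications do not), which is why Gavin asks what the clients are doing: for write-heavy clients the usual answer is MirrorMode with a load balancer or VIP in front, as in the N-Way thread on this page, rather than relying on referral chasing.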
Re: Re: N-Way Multi-Master replication - delete problem
by Adrien Futschik
It seems like I am not the only one facing this problem.
Is this officially reported as a bug ?
I found out that when deleting an entry on the master I added it to, it is removed only on this master and deleting is not replicated until I make some other operation on the other master. Seems like the delete is "queued".
When deleting an entry on the "other" master (not the one I added the entry to), the delete works fine and is correctly replicated.
Can anyone help me with N-Way Multi-Master replication?
Adrien Futschik
========================================
Message date : Jan 07 2009, 06:35 PM
From : "jakjr" <joao.alfredo(a)gmail.com>
To : adrien.futschik(a)atosorigin.com
Copy to :
Subject : Re: N-Way Multi-Master replication - delete problem
Hello Adrien,
I have the same problem deleting entries on N-Way MultiMaster.
Did you resolve this problem?
Best Regards.
On Mon, Dec 22, 2008 at 6:10 AM, Adrien Futschik <
adrien.futschik(a)atosorigin.com> wrote:
> OK, but then what did I do wrong? Deleting an entry shouldn't be a problem
> with N-Way Multi-Master replication, should it?
>
> Here is how I have set up my masters:
>
> m1 -config :
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcServerID: 1
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootPW:< file://$CONFIGPWF
>
> m2 - config :
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcServerID: 2
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcRootPW:< file://$CONFIGPWF
>
> m1 - syncprov :
> dn: cn=config
> changetype: modify
> replace: olcServerID
> olcServerID: 1 $URI1
> olcServerID: 2 $URI2
>
> dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
> changetype: add
> objectClass: olcOverlayConfig
> objectClass: olcSyncProvConfig
> olcOverlay: syncprov
>
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcSyncRepl
> olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
> credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
> retry="5 5 300 5" timeout=3
> olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
> credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
> retry="5 5 300 5" timeout=3
> -
> add: olcMirrorMode
> olcMirrorMode: TRUE
>
> m2 - syncrepl :
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> add: olcSyncRepl
> olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple
> credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
> retry="5 5 300 5" timeout=3
> olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple
> credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist
> retry="5 5 300 5" timeout=3
> -
> add: olcMirrorMode
> olcMirrorMode: TRUE
>
> m1 - schema :
> include: file://$ABS_SCHEMADIR/core.ldif
> include: file://$ABS_SCHEMADIR/cosine.ldif
> include: file://$ABS_SCHEMADIR/inetorgperson.ldif
> include: file://$ABS_SCHEMADIR/openldap.ldif
> include: file://$ABS_SCHEMADIR/nis.ldif
>
> m1 - backend :
> dn: olcDatabase={1}$BACKEND,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olc${BACKEND}Config
> olcDatabase: {1}$BACKEND
> olcSuffix: $BASEDN
> olcDbDirectory: ./openldap-data
> olcRootDN: $MANAGERDN
> olcRootPW: $PASSWD
> olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
> credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
> interval=$INTERVAL retry="5 5 300 5" timeout=3
> olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple
> credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
> interval=$INTERVAL retry="5 5 300 5" timeout=3
> olcMirrorMode: TRUE
>
> dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config
> changetype: add
> objectClass: olcOverlayConfig
> objectClass: olcSyncProvConfig
> olcOverlay: syncprov
>
> Did I miss something ?
> Has anyone tested N-way Multi-master replication & encountered the same
> problem as me ?
>
> Adrien
>
> ========================================
> Message date : Dec 19 2008, 07:11 PM
> From : "Quanah Gibson-Mount" <quanah(a)zimbra.com>
> To : adrien.futschik(a)atosorigin.com, openldap-technical(a)openldap.org
> Copy to : "Miguel Jinez" <miguel.jinez(a)gmail.com>
> Subject : Re: Re: N-Way Multi-Master replication - delete problem
>
>
>
> --On December 19, 2008 9:28:41 AM +0100 Adrien Futschik
> <adrien.futschik(a)atosorigin.com> wrote:
>
> > Hi everyone,
> >
> > I have just tested the same procedure with OpenLDAP 2.4.13. The problem
> > remains the same.
> >
> > Did I miss something ? Is this supposed to be like this ?
> >
> > I'm joining the modified script I'm using to setup both masters and the
> > LDIF files I'm using to add and remove an entry (+ attributes).
> >
> > I did not use access-log, is this supposed to work with N-Way
> > Multi-Master replication ? I thought it was only used in case of Delta
> > Synchronization/Replication.
>
> Correct, delta-syncrepl and MMR are not currently supported together (that
> may change in the future).
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
>
>
> Adrien Futschik
>
ppolicy
by Allgood, John
Hey Guys
I have another question in regards to using ppolicy. I have built my
policy into ldap. How do I apply that policy to my existing user
objects.
Thanks
John Allgood
Senior Systems Administrator
Turbo, division of OHL
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051 fax: (770) 531-7878
jallgood(a)ohl.com <mailto:jallgood@ohl.com>
www.ohl.com <http://www.ohl.com>
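Applying a policy to existing users, as an added example for a slapd.conf-based 2.3/2.4 deployment like John's (not configuration from the poster; DNs and the module file name are assumed). There are two attachment points: ppolicy_default in slapd.conf names the policy that governs every entry lacking its own pwdPolicySubentry, so existing users need no change at all, and pwdPolicySubentry on an individual entry overrides that default. The LDIF below creates the default policy entry and shows one per-user override. pwdPolicyChecker is the OpenLDAP-specific auxiliary class that carries pwdCheckModule.

```ldif
# slapd.conf on the server (assumed DNs):
#   include    /etc/openldap/schema/ppolicy.schema
#   moduleload ppolicy.la
#   ...
#   database   bdb
#   suffix     "dc=example,dc=com"
#   overlay    ppolicy
#   ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
#   ppolicy_use_lockout
#
# Load the policy with: ldapadd -x -D cn=Manager,dc=example,dc=com -W -f policy.ldif

dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
# 2 = reject a password the server cannot check (e.g. sent pre-hashed);
# 1 would accept it unchecked, 0 disables quality checks.
pwdCheckQuality: 2
# external check module exporting check_password() (assumed file name)
pwdCheckModule: check_password.so
pwdInHistory: 5
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdLockout: TRUE
pwdLockoutDuration: 900

# Per-user override, applied with
#   ldapmodify -x -D cn=Manager,dc=example,dc=com -W -f user.ldif
# pwdPolicySubentry is an operational attribute, so the bind identity needs
# write access to it; cn=strict is assumed to be another pwdPolicy entry
# defined like the one above.

dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=strict,ou=policies,dc=example,dc=com
```

Two things to verify after the change: ldapsearch for pwdPolicySubentry on a few users (request the attribute by name, as operational attributes are not returned by default) to confirm the override landed, and a deliberate bad bind to confirm pwdFailureTime appears and lockout engages, since ppolicy_use_lockout only has effect when the overlay is actually on the database the users live in.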
Syncrepl Questions
by Allgood, John
Hey All
I am working on setting up sync replication for ldap. I have it working
but I am not sure exactly what I can do with it. How do I failover to
it? I may be missing a piece that would help tie it all together. Thanks
for any input.
John Allgood
Senior Systems Administrator
Turbo, division of OHL
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051 fax: (770) 531-7878
jallgood(a)ohl.com <mailto:jallgood@ohl.com>
www.ohl.com <http://www.ohl.com>
OpenLDAP centralized authentication with Active Directory
by Duong Pham Tung (FIM HN)
Hello,
My company network has several different domains, such as abc.net, abc.com and xyz.com (I don't use the real domain names because of our company's security policy). Each domain is managed by a dedicated Active Directory server.
Now I want to use one OpenLDAP server to authenticate all users from these domains, because we want to manage the services they use (such as Mail and Portal) centrally. But so far I haven't found any solution to this problem. Because the number of users is very large (approximately 10,000 users), I can't build the database by hand.
Can anyone suggest a solution to this problem?
Thanks and Best regards,
Duong Pham.