openldap-technical January 2009

openldap-technical@openldap.org

45 participants
44 discussions

ppolicy in openldap
by Allgood, John 19 Jan '09

19 Jan '09

Hello All I am fairly new to openldap and have some questions about password policys. We are running ldap on RHEL5 and using openldap 2.3.27. The ppolicy overlay gives me a lot of what I need but RHEL5 does not seem to have it installed. How can I get this installed? Also the best that I can tell is that ppolicy does not have any dictionary checks either. Is this true or did I just miss something? What I would like to setup is what we currently have in place using cracklib. Minlen=8 at least 1 Uppercase, 1 Lowercase, 1 Number, 1 special char. Best Regars John Allgood Senior Systems Administrator Turbo, division of OHL 2251 Jesse Jewell Pky. NE Gainesville, GA 30507 tel: (678) 989-3051 fax: (770) 531-7878 jallgood(a)ohl.com www.ohl.com

3 2

Ldapsearch
by Juan Pablo Roig 18 Jan '09

18 Jan '09

Hi alln i am new to the list and i have 2 questions: 1- i ve just configured my openldap server in a freebsd to use tls an to require client certificates, my problem is that i cant test the connection with the ldapsearch command. Is this posible? 2- is there any gui ldap browser that supports client certificates? Thanks a lot Juan 2009/1/17, openldap-technical-request(a)openldap.org <openldap-technical-request(a)openldap.org>: > Welcome to the openldap-technical(a)openldap.org mailing list! This list > is intended to be used for technical discussions of issues related to > use of OpenLDAP Software. This list is lightly moderated. > > To submit a message to this list, send your email to > openldap-technical(a)openldap.org. > > General information about the mailing list is at: > http://www.openldap.org/lists/mm/listinfo/openldap-technical > > If you ever want to unsubscribe or change your options (eg, switch to > or from digest mode, change your password, etc.), visit your > subscription page at: > > http://www.openldap.org/lists/mm/options/openldap-technical/juan.pablo.roig… > > > You can also make such adjustments via email by sending a message to: > openldap-technical-request(a)openldap.org > > with the word `help' in the subject or body (don't include the > quotes), and you will get back a message with instructions. > > You must know your password to change your options (including changing > the password, itself) or to unsubscribe. It is: > ilap11 > > Normally, Mailman will remind you of your openldap.org mailing list > passwords once every month, although you can disable this if you > prefer. This reminder will also include instructions on how to > unsubscribe or change your account options. There is also a button on > your options page that will email your current password to you. > -- Enviado desde mi dispositivo móvil

2 1

openldap group filter and websphere
by hai wu 17 Jan '09

17 Jan '09

Hi, We have one openldap server, and for dev environment, groups are put under 'ou=devgroup,dc=example,dc=com', and for production environment, groups are put under 'ou=group,dc=example,dc=com'. When integrating websphere to openldap, we can only specify one search base, which is set to 'dc=example,dc=com', and for the group filter, it is set to '(&cn=%v)(objectclass=posixGroup))'. But in this case, it is pulling all groups from both dev and production environment. Is there a way to set the group filter so that for our dev environment, it would only pull dev groups, and for production environment, it would only pull production groups? I tried ldapsearch by applying the group filter, modified it a little bit, but still could not get it to work in our case. Thanks, Hai

1 0

Why TLS is always fail with OpenLdap 2.4.11
by Hunter hu 16 Jan '09

16 Jan '09

H <openldap-technical(a)openldap.org>i, I have to get help from here , because I was struggling with TLS configuration for weeks. during those days , I searched google include this list , still cant pass ,my god. Does anyone could provide some guide on how to configure the openldap TLS connection with step by step, so can reduce our pain ? Here I expose the step and try to get help from the senior ldap engineer. 1. installed openldap with-tls=openssl I add the openssl specially to avoid use gnutls, sometimes, openldap will goto find gnutls if c header is there install and start slapd succesfully. 2. using ldapsearch -v -h 10.192.183.73 -b "dc=example,dc=com" -s base "objectclass=*" I can get the listed information from openldap server, that is ok 3. now go for certificate genearation with numerous guide in google , but not fit to pass for me 3.1 cd /var/myca /usr/local/ssl/misc/CA.sh -newCA then will generate demoCA, and cacert.pem is there, that is ok 3.2 /usr/local/ssl/misc/CA.sh -newreq newkey.pem newreq.pem notes : I am using 10.192.183.73 as the common name, is there any issue here? 3.3 /usr/local/ssl/misc/CA.sh -sign then you got newcert.pem now copy into /var/ldap and try to insert into slapd and restart TLSCipherSuite MEDIUM:+TLSv1+SSL3+SSL2 TLSCertificateFile /var/ldap/newcert.pem TLSCertificateKeyFile /var/ldap/newkey.pem ( some guide said should be newreq.pem) TLSCACertificateFile /var/ldap/cacert.pem 4. ftp cacert.pem into client and copy into /var/myca using s-client to test at first penssl s_client -connect 10.192.183.73:389 -showcerts -state -CAfile /var/myca/cacert.pem -tls1 you will got the error always CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:failed in SSLv3 read server hello A 14719:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530: could any kind man to give some help to save me? -- Hunter

2 1

Re: Syncrepl Questions
by Gavin Henry 15 Jan '09

15 Jan '09

> I am not understanding what happens to my clients if something happens > to my provider. In some replication systems when the main server fails > you can start using the machine that was replicated to as your > primary. This is called Active-Active Hot Standby and can be done with MirrorMode. > Does the consumer act as a slave machine? It can be, depends how you've set it up, which you have told us ;-) > On each of my > clients do I point them to the provider/consumer. It depends on what your clients are doing, if it's all readonly, then point them at both. Tell us more. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

3 4

Re: Syncrepl Questions
by Gavin Henry 15 Jan '09

15 Jan '09

----- "John Allgood" <jallgood(a)ohl.com> wrote: > Hello Again Hi, > Maybe by the end of this project I will be somewhat of an ldap expert > until them please bear with me. It will take many years to get there (I'm no where near), trust me ;-) > I think I have gotten a little more understanding to how this will > work. I have a provider and a consumer up and running and I am > pointing each application and or server to both the provider and the > consumer. Also there is something called referrals that are talked > about for the consumer. Is this something I will need to use. If you understand referrals you will be able to answer this yourself. Anyway, referrals "refer" a client to the Provider if it is trying to write a consumer that doesn't accept writes, think of it as "Go speak to the boss". > We started building the ldap server about a month ago. We have not > really had the time to do proper research due to time constraints. This can be a big problem. > We > just used the rpms that Redhat provided with RHEL5 which is openldap > 2.3. The rpms built from Redhat did not have the ppolicy overlay built > in. I found the overlays on the Beta channels from Redhat Network and > used those to get the ppolicy. I wish Redhat would stay a little more > up2date. Anyways if there is anymore advise that can be provided I > would appreciate it. Oh one more thing. When I was setting up syncprov > for the first time I missed the part about loading the module in the > slapd.conf. I did enter the overlay syncprov to my config and it > appears to work. Can syncprov be built into openldap and not loaded as > an module. Just wanted some verification on this issue. Build it how you like, it's best to build from source to start with to get a feel for everything. Then depending on how you company works you can move to a commercially supported version. I would never recommend the RHEL version, but please visit the list archives for why. Thanks. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

1 0

Re: Re: N-Way Multi-Master replication - delete problem
by Adrien Futschik 15 Jan '09

15 Jan '09

It seems like I am not the only one facing this problem. Is this officially reported as a bug ? I found out that when deleting an entry on the master I added it to, it is removed only on this master and deleting is not replicated until I make some other operation on the other master. Seems like the delete is "queued". When deleting an entry on the "other" master (not the one I added the entry to), the delete works fine and is correctly replicated. Anyone to help me with N-Way Multi-Master replication ? Adrien Futschik ======================================== Message date : Jan 07 2009, 06:35 PM From : "jakjr" <joao.alfredo(a)gmail.com> To : adrien.futschik(a)atosorigin.com Copy to : Subject : Re: N-Way Multi-Master replication - delete problem Hello Adrien, I have the same problem deleting entries on N-Way MultiMaster. Did you resolved this problem ? Best Regards. On Mon, Dec 22, 2008 at 6:10 AM, Adrien Futschik < adrien.futschik(a)atosorigin.com> wrote: > OK, But then what did I do wrong ? delete an entry shouldn't be a problem > with N-Way Multi-Master replication ? should it ? > > Here is how I have setup-ed my masters : > > m1 -config : > dn: cn=config > objectClass: olcGlobal > cn: config > olcServerID: 1 > > dn: olcDatabase={0}config,cn=config > objectClass: olcDatabaseConfig > olcDatabase: {0}config > olcRootPW:< file://$CONFIGPWF > > m2 - config : > dn: cn=config > objectClass: olcGlobal > cn: config > olcServerID: 2 > > dn: olcDatabase={0}config,cn=config > objectClass: olcDatabaseConfig > olcDatabase: {0}config > olcRootPW:< file://$CONFIGPWF > > m1 - syncprov : > dn: cn=config > changetype: modify > replace: olcServerID > olcServerID: 1 $URI1 > olcServerID: 2 $URI2 > > dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config > changetype: add > objectClass: olcOverlayConfig > objectClass: olcSyncProvConfig > olcOverlay: syncprov > > dn: olcDatabase={0}config,cn=config > changetype: modify > add: olcSyncRepl > olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple > credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist > retry="5 5 300 5" timeout=3 > olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple > credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist > retry="5 5 300 5" timeout=3 > - > add: olcMirrorMode > olcMirrorMode: TRUE > > m2 - syncrepl : > dn: olcDatabase={0}config,cn=config > changetype: modify > add: olcSyncRepl > olcSyncRepl: rid=001 provider=$URI1 binddn="cn=config" bindmethod=simple > credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist > retry="5 5 300 5" timeout=3 > olcSyncRepl: rid=002 provider=$URI2 binddn="cn=config" bindmethod=simple > credentials=$CONFIGPW searchbase="cn=config" type=refreshAndPersist > retry="5 5 300 5" timeout=3 > - > add: olcMirrorMode > olcMirrorMode: TRUE > > m1 - schema : > include: file://$ABS_SCHEMADIR/core.ldif > include: file://$ABS_SCHEMADIR/cosine.ldif > include: file://$ABS_SCHEMADIR/inetorgperson.ldif > include: file://$ABS_SCHEMADIR/openldap.ldif > include: file://$ABS_SCHEMADIR/nis.ldif > > m1 - backend : > dn: olcDatabase={1}$BACKEND,cn=config > objectClass: olcDatabaseConfig > objectClass: olc${BACKEND}Config > olcDatabase: {1}$BACKEND > olcSuffix: $BASEDN > olcDbDirectory: ./openldap-data > olcRootDN: $MANAGERDN > olcRootPW: $PASSWD > olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple > credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly > interval=$INTERVAL retry="5 5 300 5" timeout=3 > olcSyncRepl: rid=005 provider=$URI2 binddn="$MANAGERDN" bindmethod=simple > credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly > interval=$INTERVAL retry="5 5 300 5" timeout=3 > olcMirrorMode: TRUE > > dn: olcOverlay=syncprov,olcDatabase={1}${BACKEND},cn=config > changetype: add > objectClass: olcOverlayConfig > objectClass: olcSyncProvConfig > olcOverlay: syncprov > > Did I miss something ? > Has anyone tested N-way Multi-master replication & encountered the same > problem as me ? > > Adrien > > ======================================== > Message date : Dec 19 2008, 07:11 PM > From : "Quanah Gibson-Mount" <quanah(a)zimbra.com> > To : adrien.futschik(a)atosorigin.com, openldap-technical(a)openldap.org > Copy to : "Miguel Jinez" <miguel.jinez(a)gmail.com> > Subject : Re: Re: N-Way Multi-Master replication - delete problem > > > > --On December 19, 2008 9:28:41 AM +0100 Adrien Futschik > <adrien.futschik(a)atosorigin.com> wrote: > > > Hy everyone, > > > > I have just tested the same procedure with OpenLDAP 2.4.13. The problem > > remains the same. > > > > Did I miss something ? Is this supposed to be like this ? > > > > I'm joining the modified script I'm using to setup both masters and the > > LDIF files I'm using to add and remove an entry (+ attributes). > > > > I did not use access-log, is this supposed to work with N-Way > > Multi-Master replication ? I thought it was only used in case of Delta > > Synchronization/Replication. > > Correct, delta-syncrepl and MMR are not currently supported together (that > may change in the future). > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > > > > > Adrien Futschik >

2 1

ppolicy
by Allgood, John 15 Jan '09

15 Jan '09

Hey Guys I have another question in regards to using ppolicy. I have built my policy into ldap. How do I apply that policy to my existing user objects. Thanks John Allgood Senior Systems Administrator Turbo, division of OHL 2251 Jesse Jewell Pky. NE Gainesville, GA 30507 tel: (678) 989-3051 fax: (770) 531-7878 jallgood(a)ohl.com <mailto:jallgood@ohl.com> www.ohl.com <http://www.ohl.com>

3 2

Syncrepl Questions
by Allgood, John 14 Jan '09

14 Jan '09

Hey All I am working on setting up sync replication for ldap. I have it working but I am not sure exactly what I can do with it. How do I failover to it? I may be missing a piece that would help tie it all together. Thanks for any input. John Allgood Senior Systems Administrator Turbo, division of OHL 2251 Jesse Jewell Pky. NE Gainesville, GA 30507 tel: (678) 989-3051 fax: (770) 531-7878 jallgood(a)ohl.com <mailto:jallgood@ohl.com> www.ohl.com <http://www.ohl.com>

2 1

OpenLDAP centralized authentication with Active Directory
by Duong Pham Tung (FIM HN) 13 Jan '09

13 Jan '09

Hello, My company network have some different domains such as abc.net, abc.com and xyz.com (I don't use real domain name because of our company's security policy). Each domain is managed by a dedicated Active Directory server. Now, I want to use one OpenLDAP server to authenticate all users from these domains because we want manage services they use focusly (such as Mail, Portal). But now, I have'nt any solutions to solve this problem. Because the number of users is very large (approximately 10.000 users) so I can't build database by hand. Can anyone suggest me the solution to solve this problem. Thanks and Best regards, Duong Pham.

4 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2009