openldap-technical October 2009

openldap-technical@openldap.org

62 participants
53 discussions

TLS CA Chain Problem
by Iruwen 13 Oct '09

13 Oct '09

Hello, I just got an SSL certificate issued by Comodo which doesn't work as expected with slapd. Which means I get an untrusted certificate warning in Thunderbird. Probably I just missed something. For Apache2 for example, I just configured SSLCACertificateFile mycert.ca-bundle SSLCertificateFile mycert.crt SSLCertificateKeyFile mycert.key and I don't get any warnings in Firefox. Also if I test the connection using openssl s_client it looks fine: office:~# openssl s_client -connect localhost:443 CONNECTED(00000003) depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root To achieve the same with OpenLDAP, I tried: TLSCACertificateFile mycert.ca-bundle TLSCertificateFile mycert.crt TLSCertificateKeyFile mycert.key But the result is different, Thunderbird doesn't trust the certificate and throws a corresponding warning and the output of openssl s_client looks like this: office:~# openssl s_client -connect localhost:636 CONNECTED(00000003) depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de verify error:num=27:certificate not trusted verify return:1 depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mydomain.de i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA Seems like the ca-bundle wouldn't be used at all, does slapd expect a different format or something? Maybe someone could shed some light on this for me, thanks a lot in advance. Regards, Iruwen

3 6

ACL construction : by group
by Florian Götz 08 Oct '09

08 Oct '09

Hi everybody, I´m trying to write some admintool for my ldap in php. Changes to entries of other people should only be possible by members of the group "Domain Admins" So I wrote some phpcode which checks if the provided username (via Webbrowser) is a member of "Domain Admins" "Domain Admins" is created by samba and a normal posixGroup/sambaGroupMapping. All members of the group are listed via "memberUid". But at the same time there is a LDAP ACL used like this: access to dn.subtree="ou=Groups,dc=example,dc=de" by group="cn=Domain Admins,ou=groups,dc=example,dc=de" write by dn="uid=backup,ou=users,dc=example,dc=de" read by users none by * none A internal policy prohibits normal users access to the Groups subtree. I added the "by group" line, but then realised that it can not work this way. A usersearch like "search if memberUid=x is member of "Domain Admins" needs the rights for a search in ou=groups. But the only stored attribute per users is the memberUid, not the complete DN. The DN of a possible user is something like "uid=x,ou=users,dc=example,dc=de" Is there a possibility to use the existing "Domain Admins" group for user authentication, even if there are only memberUids stored and not complete dn? I don´t want to add all Domain Admins to the ACL above one by one. A change in the members would also lead to a change in the ACl if it would be done this way. Best regards, Florian Götz ---------------------------------------------------------------------------------------- Dipl.-Inf. (FH) Florian Götz Rechenzentrum Hochschule Mannheim Paul-Wittsack-Straße 10 68163 Mannheim Tel: 0621/292-6232 EMail: f.goetz(a)hs-mannheim.de Internet: http://www.rz.hs-mannheim.de -----

2 1

Validation of data in OpenLDAP
by David Horat 07 Oct '09

07 Oct '09

Dear OpenLDAP experts, I would like to know if there is any possibility of plug in a script before any transaction is commited into LDAP in order to validate and sanitise the input, giving an error and not letting the data get into OpenLDAP if the scripts decides the data is not valid. I have already taking a look at the Overlays presented in the documentation, but they won't solve what I am looking for exactly. Best Regards, David Horat -- David Horat Software Engineer – IT/GD – Grid Deployment Group CERN – European Organization for Nuclear Research » Where the web was born Address: 1211 Geneva - Switzerland, Office: 28/R-003 Phone +41 22 76 77996 Fax +41 22 76 68178 (fax to email service) Web: http://cern.ch/horat Web: http://davidhorat.com/ Profile: http://linkedin.com/in/davidhorat

2 1

Re: Importing user defined Object Classes from a file
by Parag Kalra 06 Oct '09

06 Oct '09

Hi Bharath, Thanks for the info you shared. Using that I have successfully imported the user defined object classes from a ldif file. Thanks once again... Cheers, Parag On Mon, Oct 5, 2009 at 5:20 PM, Kantrapati, Bharath < bharath.kantrapati(a)gs.com> wrote: > Hi Parag, > > > > You can import user defined object class using ldif file. > > The below link might be helpful > > > > http://docs.sun.com/source/816-6699-10/schemaov.html > > > > if you check the 99user.ldif it will show you how the current schema is > holding the object class. You can build the ldif file the same way and > import into sun one directory server. > > > > Note : I have taken off the open ldap mailing list, not sure if they would > be OK . > > > > Regards > > Bharath > > > > > > *From:* openldap-technical-bounces+bharath.kantrapati=gs.com(a)OpenLDAP.org > [mailto:openldap-technical-bounces+bharath.kantrapati<openldap-technical-bounces%2Bbharath.kantrapati> > =gs.com(a)OpenLDAP.org] *On Behalf Of *Parag Kalra > *Sent:* Monday, October 05, 2009 5:13 PM > *To:* openldap-technical(a)openldap.org > *Subject:* Importing user defined Object Classes from a file > > > > Hello Folks, > > Note: This question is on SunOne LDAP server. I apologize for posting it > here but I thought someone might know the solution hence sharing with you > all. > > I have a file which contains the schema related settings where in user > defined object classes are defined. > > I know SunOne directory server provides a way to create user defined object > classes but is there a way where I can import my entire file which will > create & define all the user defined settings mentioned in that file. > > I am using Sun One Server Console 5.2 > > Thanks in advance. > > Cheers, > Parag > >

1 0

Openldap ACL's (first timer)
by Craig T 06 Oct '09

06 Oct '09

Hi Openldap Experts, I'm designing a fairly simple openldap setup for our Melbourne office, but it's my first LDAP site, so I'm kinda guessing.... LdapServer1: Centos 5.3x64 with db-4.7.25 and openldap-2.4.16 and the clients are Linux Centos 5.2. I've already got everything working with the basic acl setup of 'access to * by * read', the challenge now is how to best secure the LDAP environment with the right acls? Scenario 1) We'd like to restrict members to only be able to logon at certain machines. The concept I'm missing is, how does the LDAP protocol link the user authenticated to a hostname (machine user is sitting at)? For example, user "cn=craig,ou=users,dc=example,dc=com" would like to log onto pc "craigpc.example.com ip:192.168.0.100". >From my study the following acls may work? access to dn.base="cn=craig,ou=users,dc=example,dc=com" attrs=userPassword by peername.regex=IP:192\.168\.0\.100 & self read by * none Scenario 2) How to setup groups (or "sets" I believe they are called) in a way where user "Craig" can be added to the "sysadmin" group and in turn get full access to all our servers. LDIF ENTRY: # sysadmin, groups, teratext.saic.com.au dn: cn=sysadmin,ou=groups,dc=example,dc=com objectClass: top objectClass: groupOfNames cn: teratext member: cn=cht,ou=users,dc=example,dc=com member: cn=ajg,ou=users,dc=example,dc=com ACCESS ENTRY: access to dn.subtree="ou=servers,dc=example,dc=com" by set="[cn=sysadmin,ou=groups,dc=example,dc=com]/member* & peername.regex=IP:192\.168\.0\.*" auth by * none cya Craig

2 1

smbk5pwd does not properly update sambaNTPassword and sambaLMPassword
by Scott Classen 05 Oct '09

05 Oct '09

Hello I am running openldap 2.4.18 (BDB 4.8.24). Both of which I compiled from source. I compiled smbk5pwd with support ONLY for samba. I am using the samba that is distributed with CentOS 5.3 (3.0.33) openldap does not crash or complain when it launches so I assume that: moduleload /usr/local/libexec/smbk5pwd.la is at least loading up the module correctly. I have a user with the sambaSamAccount objectclass. I have configured PAM to change the LDAP userPassword when invoked from the command line with /usr/bin/passwd The userPassword hash gets successfully updated and the values of the sambaNTPassword and sambaLMPassword hashes are changed, but I am unable to authenticate as a samba user against these hashes... and they look sorta weird: 010000000000000090c9c94100000000 when I would expect them to look more "complicated" like: 552902031BEDE9EFAAD3B435B51404EE Does this smell of a smbk5pwd bug/problem/misconfiguration or a samba/ PAM one? Thanks, Scott

4 5

help with indices - what to index depending on server role
by vgrig_us＠hotmail.com 05 Oct '09

05 Oct '09

Hello We're switching our college to openldap and I'm struggling a bit with decisions on indexing (all other parts - base functionality, replication, ACLs - are setup and working fine) . Maybe this list will help? What to index and why? Our setup is as follows: ----------------------------------------- a) 4 incoming MX servers running portfix. /etc/postfix/ldap-aliases.cf file is as follows: server_host = ldap://localhost ldap://mailhub3 bind = no search_base = dc=college, dc=edu query_filter = mail=%s(a)college.edu result_attribute = maildrop ----------------------------------------- b) 2 outgoing smtp servers purring postfix and sasl. /etc/saslauthd.conf: ldap_servers: ldaps://localhost/ ldap_auth_method: fastbind ldap_filter: uid=%u,dc=college,dc=edu ldap_tls_check_peer: no ------------------------------------------- c) 2 radius servers for wifi authentication: basedn = "dc=college,dc=edu" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" password_attribute = userPassword ------------------------------------------- d) IMAP servers - real unix users, using LDAP for system authentication - pretty standard setup. pam_filter objectclass=posixAccount --------------------------------------------- On all of these I have following indices: index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub I suspect I don't need some (or most) of them. Thank you - Vadim

1 0

Importing user defined Object Classes from a file
by Parag Kalra 05 Oct '09

05 Oct '09

Hello Folks, Note: This question is on SunOne LDAP server. I apologize for posting it here but I thought someone might know the solution hence sharing with you all. I have a file which contains the schema related settings where in user defined object classes are defined. I know SunOne directory server provides a way to create user defined object classes but is there a way where I can import my entire file which will create & define all the user defined settings mentioned in that file. I am using Sun One Server Console 5.2 Thanks in advance. Cheers, Parag

1 0

syncrepl between 2.3.30 and 2.4.11
by Marc Cuypers 05 Oct '09

05 Oct '09

Hi, I'm using debian etch with slapd 2.3.30 as the master and debian lenny with slapd 2.4.11 as a consumer. I also have a debian etch consumer (slapd 2.3.30). When doing syncrepl with 2.3.30 consumer everything works fine. When syncrepl with 2.4.11 i get an error: slapd[19567]: slap_client_connect: URI=ldaps://xxx.xxx.xxx.xxx:8636 DN="cn=xxxxxxx,dc=xxxxxxx,dc=xxx" ldap_sasl_bind_s failed (-1) Is there a compatibility issue between 2.3.30 and 2.4.11? -- best regards, marc

3 2

Search Filter ...
by Remi Ferrand 05 Oct '09

05 Oct '09

Hi, I've the following configuration in my OpenLDAP : 1. dn: cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr 2. cn: stats.mysite.fr 3. objectClass: top 4. objectClass: groupOfNames 5. description: VirtualHost stats.mysite.fr 6. member: uid=user_authorized,ou=People,dc=mysite,dc=fr 7. member: uid=USER,ou=People,dc=mysite,dc=fr 8. 9. 10. dn: uid=USER,ou=People,dc=mysite,dc=fr 11. objectClass: top 12. objectClass: person 13. objectClass: inetOrgPerson 14. objectClass: organizationalPerson 15. objectClass: posixAccount 16. objectClass: shadowAccount 17. uid: USER 18. cn: USER P. 19. sn: USER P. 20. shadowMax: 99999 21. shadowWarning: 7 22. mail: USER(a)google.eu 23. loginShell: /bin/bash 24. uidNumber: 10007 25. gidNumber: 10007 26. homeDirectory: /home/ldap_users/USER 27. gecos: ,,, and I'm wondering how to create a filter to match only members of a given Group in order to use it with Apache2 or others ... The difficulty for me is to obtain the posixAccount object and not the Group one. Thanks in advance Rémi

5 8

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2009