Account Usable Request Control (1.3.6.1.4.1.42.2.27.9.5.8)
by Charls
Hello,
At the moment I'm working with the Sun Java System Directory Server. I
would like to migrate to Openldap but of course without losing
functionality. I enabled pam_ldap account management on all my Linux and
Solaris computers and everything worked fine. Everyone could do
non-password-based logins using tools such as rsh or ssh. This feature
was provided by the "Account Usable Request Control"
(1.3.6.1.4.1.42.2.27.9.5.8) from the Directory Server which is needed by
the ldap_pam module from Solaris. After the installation of openldap
on my Solaris server I recognized that non-password-based logins on the
Solaris computers are not possible anymore. This problem [1] was
discussed 2 years ago on "openldap-software(a)openldap.org" but there was
no solution described. I would like to know if there is a way to get
this feature enabled with openldap? If not, what else can I do?
More technically: if an ssh client connects with public key
authentication to a Solaris computer, the pam module sends a query
to the ldap server if the account policies are handled by ldap to get
all supportedControls and to check if the "Account Usable Request
Control" exists to retrieve the policy data without the explicit login
from the user.
Thanks in advance!
Charls
[1] http://www.openldap.org/lists/openldap-software/200710/msg00041.html
11 years, 6 months
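The check Charls describes (the client asking the server which request controls it advertises before deciding whether account-policy data can be fetched without a user bind) can be reproduced by hand against any server with `ldapsearch -x -H ldap://server -b "" -s base supportedControl` and inspecting the result. The following is an added example, not code from the post, from OpenLDAP or from Sun's Directory Server: it parses LDIF of the kind that command prints and reports which required control OIDs are absent. The root DSE sample is constructed for illustration (the OIDs in it are real control OIDs, but the list is not a claim about what any particular server version advertises), and the helper names are the example's own.

```python
"""Check whether an LDAP root DSE advertises a given request control.

Added example; not code from the original post, from OpenLDAP or from
Sun/Oracle. It parses LDIF of the kind that
    ldapsearch -x -H ldap://server -b "" -s base supportedControl
prints, so it runs offline against the constructed sample below.
"""
import base64

# OID quoted in the post: Sun/Netscape "Account Usable Request Control".
ACCOUNT_USABLE_OID = "1.3.6.1.4.1.42.2.27.9.5.8"

# Constructed sample root DSE of a server that does NOT advertise the
# Account Usable control. It deliberately uses two LDIF features a
# hand-rolled check often mishandles: a folded line (continuation begins
# with one space) and a base64 value ("attr:: value"), which decodes to
# 1.3.6.1.4.1.4203.1.10.2.
SAMPLE_ROOT_DSE = (
    "dn:\n"
    "supportedControl: 1.3.6.1.4.1.4203.1.10.1\n"
    "supportedControl: 2.16.840.1.113730.3.4.18\n"
    "supportedControl: 1.3.6.1.1.13.2\n"
    "supportedControl: 1.2.840.113556.1.4.\n"
    " 319\n"
    "supportedControl:: "
    + base64.b64encode(b"1.3.6.1.4.1.4203.1.10.2").decode("ascii")
    + "\n\n"
)


def parse_ldif_record(ldif_text):
    """Return {attribute (lowercased): [values]} for the first LDIF record.

    Unfolds continuation lines and decodes "attr:: <base64>" values per
    RFC 2849. Parsing stops at the first blank line (end of record).
    """
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        if line == "":
            break  # end of the first record
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs


def advertised_controls(ldif_text):
    """Set of control OIDs listed in the root DSE's supportedControl."""
    return set(parse_ldif_record(ldif_text).get("supportedcontrol", []))


def missing_controls(ldif_text, required):
    """Sorted list of the OIDs in `required` that the server does not advertise."""
    return sorted(set(required) - advertised_controls(ldif_text))


if __name__ == "__main__":
    missing = missing_controls(SAMPLE_ROOT_DSE, [ACCOUNT_USABLE_OID])
    if missing:
        print("not advertised by this server:", ", ".join(missing))
    else:
        print("Account Usable control is advertised")
```

Feed the function the real `ldapsearch` output from the OpenLDAP server and from the Directory Server being replaced; a control that is absent from the root DSE of the new server is one the PAM client cannot rely on, which is exactly the behaviour change the post describes.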
Fwd: syncrepl instead of back-perl?
by Brett @Google
Hello,
I was wondering if there are any concrete examples of using syncrepl
to monitor a slapd for changes, and perform some scripted operation if
the monitored data changes. I can think of several cases where this
might be very handy, where you want to run a script or custom business
logic, on receipt of some data being changed.
I have seen some examples in the 2.3.x days, where slurpd was used to
push changes to a back-perl script, which then did some custom
business logic, and it did fill a very useful niche. I imagine these
post-slurp syncrepl days you could use the syncrepl protocol in a push
mode via a proxy to push changes at a back-perl instance to the same
sort of thing.
But perhaps using syncrepl directly might seem like a better option,
as this has been touted as a benefit of syncrepl, although I have not
seen any specific examples. To this end, I am wondering: are the
syncrepl client parts of slapd usable outside the context of the slapd
binary? Has anyone tried this and has any example code they are willing
to share?
Cheers
Brett
11 years, 6 months
Segmentation fault using logpurge option in slapd.conf
by Julian Thomé
Hello mailing list,
We have a problem using OpenLDAP 2.4.11 with Debian Lenny.
If we use the option logpurge in our slapd.conf, slapd can't start anymore.
Our slapd.conf:
>8-----------------------------------------------/etc/ldap/slapd.conf
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/hdb.schema
include /etc/ldap/schema/nis.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel 4
#sasl-secprops minssf=0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload smbk5pwd
moduleload accesslog
# The maximum number of entries that is returned for a search operation
sizelimit unlimited
# TLS Stuff
TLSCACertificateFile /etc/ssl/certs/ca.pem
TLSCertificateKeyFile /etc/ldap/openldap.key
TLSCertificateFile /etc/ldap/openldap.crt
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 2
# Specific Backend Directives for hdb:
backend hdb
# Specific Directives for database: accesslog
database hdb
directory "/var/lib/accesslog"
suffix "cn=accesslog"
checkpoint 512 30
rootdn "cn=accesslog"
rootpw ...
index default eq
index reqStart eq
index reqType eq
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Specific Directives for database: data
database hdb
directory "/var/lib/ldap"
overlay smbk5pwd
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logold (objectClass=posixAccount)
logpurge 07+00:00 01+00:00
suffix ...
rootdn ...
rootpw ...
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index default eq
index objectClass eq
index uidNumber pres,eq
index uid eq
smbk5pwd-enable krb5
smbk5pwd-enable samba
smbk5pwd-must-change 2592000
password-hash {K5KEY}
# lastmod on
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
    filter="(memberOf=Archiv)"
    by peername.ip=192.168.222.17 auth stop
    by peername.regex=.* none break
access to dn.base="..."
    by * read
access to attrs=userPassword,shadowLastChange
    filter="(!(memberOf=Archiv))"
    by peername.ip=192.168.222.17 none stop
    by peername.regex=.* none break
# this rule is more specific than the admin rule below
access to attrs=userPassword,shadowLastChange
    by set="user/memberOf & [Administratoren]" write
    by dn="cn=admin,..." write
    by anonymous auth
    by self write
    by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
# be sure to include the admins in the previous, more specific rule
access to *
    by set="user/memberOf & [Administratoren]" write
    by dn="cn=admin,..." write
    by * read
access to dn.subtree="ou=Benutzer,..."
    by sockurl="ldapi:///" write
authz-regexp
    "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,..."
----------------------------------------------------8<
Starting slapd with the command:
slapd -d 16383
produces the following output:
>8---------------------------------------------------
...
...
>>> dnPrettyNormal: <cn=accesslog>
=> ldap_bv2dn(cn=accesslog,0)
<= ldap_bv2dn(cn=accesslog)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=accesslog)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=accesslog)=0
<<< dnPrettyNormal: <cn=accesslog>, <cn=accesslog>
line 65 (rootpw ***)
line 66 (index default eq)
line 67 (index reqStart eq)
index reqStart 0x0004
line 68 (index reqType eq)
index reqType 0x0004
line 69 (dbconfig set_cachesize 0 2097152 0)
line 70 (dbconfig set_lk_max_objects 1500)
line 71 (dbconfig set_lk_max_locks 1500)
line 72 (dbconfig set_lk_max_lockers 1500)
line 75 (database hdb)
hdb_db_init: Initializing HDB database
line 76 (directory "/var/lib/ldap")
line 78 (overlay smbk5pwd)
line 80 (overlay accesslog)
line 81 (logdb cn=accesslog)
>>> dnPrettyNormal: <cn=accesslog>
=> ldap_bv2dn(cn=accesslog,0)
<= ldap_bv2dn(cn=accesslog)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=accesslog)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=accesslog)=0
<<< dnPrettyNormal: <cn=accesslog>, <cn=accesslog>
line 82 (logops writes)
line 83 (logsuccess TRUE)
line 85 (logpurge 07+00:00 01+00:00)
Speicherzugriffsfehler
----------------------------------------------------8<
If the logpurge option is uncommented, slapd starts without any problems.
It would be very nice if someone could help us!
Greetings
Julian
11 years, 6 months
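The debug trace above shows slapd dying on the `logpurge` line itself, which makes "is the value even well-formed?" the first question to settle before anything else. The following is an added example, not code from Julian's post or from OpenLDAP: a small offline checker for the slapo-accesslog directives in a slapd.conf snippet. It assumes only the syntax slapo-accesslog(5) and slapd.conf(5) document (`logpurge <age> <interval>` with both values as `[ddd+]hh:mm[:ss]`, `logops` taking operation names or the aliases writes/reads/session/all, `logsuccess` TRUE/FALSE, and continuation lines beginning with whitespace); the function and sample names are the example's own, and the snippets are constructed from the post's configuration. It goes slightly beyond the post by also covering folded lines and the other accesslog directives. A syntax check cannot tell whether a particular slapd build crashes on a valid value, which is what the post reports; it only rules the malformed-value explanation in or out.

```python
"""Offline syntax check for slapo-accesslog directives in a slapd.conf snippet.

Added example; not code from the original post or from OpenLDAP. Checks
the directive syntax documented in slapo-accesslog(5) and slapd.conf(5).
"""
import re

# [ddd+]hh:mm[:ss], the time format slapo-accesslog(5) gives for logpurge.
_PURGE_TIME = re.compile(r"^(?:(\d+)\+)?(\d{1,2}):(\d{2})(?::(\d{2}))?$")
_LOGOPS = {
    "abandon", "add", "bind", "compare", "delete", "extended", "modify",
    "modrdn", "search", "unbind",          # individual operations
    "all", "reads", "writes", "session",   # aliases
}

# Constructed samples. SAMPLE_OK is the accesslog section of the post;
# SAMPLE_FOLDED continues logpurge on an indented line; SAMPLE_BAD has a
# bad logops keyword, a bad logsuccess value and a bad logpurge age.
SAMPLE_OK = """\
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logold (objectClass=posixAccount)
logpurge 07+00:00 01+00:00
"""
SAMPLE_FOLDED = """\
overlay accesslog
logdb cn=accesslog
logpurge 07+00:00
    01+00:00
"""
SAMPLE_BAD = """\
overlay accesslog
logdb cn=accesslog
logops writes reeds
logsuccess yes
logpurge 7d 01+00:00
"""


def parse_purge_time(value):
    """Convert a '[ddd+]hh:mm[:ss]' string to seconds; ValueError if malformed."""
    m = _PURGE_TIME.match(value)
    if not m:
        raise ValueError(f"bad time {value!r}, expected [ddd+]hh:mm[:ss]")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    if minutes > 59 or seconds > 59:
        raise ValueError(f"bad time {value!r}, minutes/seconds out of range")
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_slapd_conf(text):
    """Return [(lineno, directive, [args])]; a line starting with whitespace
    continues the previous directive, '#' lines and blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw[:1].isspace() and records:
            records[-1][2].extend(raw.split())
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        records.append((lineno, words[0].lower(), words[1:]))
    return records


def check_accesslog(text):
    """Return [(lineno, message)] for each malformed accesslog directive."""
    problems = []
    for lineno, directive, args in parse_slapd_conf(text):
        if directive == "logpurge":
            if len(args) != 2:
                problems.append((lineno, "logpurge needs exactly <age> <interval>"))
                continue
            for arg in args:
                try:
                    parse_purge_time(arg)
                except ValueError as exc:
                    problems.append((lineno, f"logpurge: {exc}"))
        elif directive == "logops":
            bad = [a for a in args if a.lower() not in _LOGOPS]
            if not args or bad:
                problems.append((lineno, f"logops: unknown operation(s) {bad}"))
        elif directive == "logsuccess":
            if len(args) != 1 or args[0].upper() not in ("TRUE", "FALSE"):
                problems.append((lineno, "logsuccess must be TRUE or FALSE"))
        elif directive == "logdb":
            if len(args) != 1:
                problems.append((lineno, "logdb takes exactly one suffix"))
    return problems


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("folded", SAMPLE_FOLDED), ("bad", SAMPLE_BAD)):
        print(name, check_accesslog(sample) or "no problems")
```

Run against the post's own `logpurge 07+00:00 01+00:00` the checker finds nothing wrong (the values parse to seven days and one day), which is consistent with the trace: the value is accepted syntactically and the failure happens afterwards, so the next steps are the ones a crash normally calls for (a core or gdb backtrace with debugging symbols, and checking the fixed-bugs list for the running version) rather than further edits to the value.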