openldap-technical October 2009

openldap-technical@openldap.org

62 participants
53 discussions

Account Usable Request Control (1.3.6.1.4.1.42.2.27.9.5.8)
by Charls 02 Oct '09

02 Oct '09

Hello, At the moment I'm working with the Sun Java System Directory Server. I would like to migrate to Openldap but of course without losing functionality. I enabled pam_ldap account management on all my Linux and Solaris computers and everything worked fine. Everyone could do nonpassword-based logins using tools such as rsh or ssh. This feature was provided by the "Account Usable Request Control" (1.3.6.1.4.1.42.2.27.9.5.8) from the Directory Server which is needed by the ldap_pam module from Solaris. After the installation from openldap on my Solaris server I recognized that nonpassword-based logins on the Solaris computers are not possible anymore. This problem [1] was discussed 2 years ago on "openldap-software(a)openldap.org" but there was no solution described. I would like to know if there is a way to get this feature enabled with openldap? If not what can i do else? More technically: If a ssh client connects with public key authentication to a Solaris computer the pam module is sending a query to the ldap server if the account policies are handled by ldap to get all supportedControls and to check if the "Account Usable Request Control" exists to retrieve the policy data without the explicit login from the user. Thanks in advance! Charls [1] http://www.openldap.org/lists/openldap-software/200710/msg00041.html

2 1

Fwd: syncrepl inseard of back-perl ?
by Brett ＠Google 02 Oct '09

02 Oct '09

Hello, I was wondering if there are any concrete examples of using syncrepl to monitor a slapd for changes, and perform some scripted operation if the monitored data changes. I can think of several cases where this might be very handy, where you want to run a script or custom business logic, on receipt of some data being changed. I have seen some examples in the 2.3.x days, where slurpd was used to push changes to a back-perl script, which then did some custom business logic and it did fill an very useful niche. I imagine these post-slurp syncrepl days you could use the syncrepl protocol in a push mode via a proxy to push changes at a back-perl instance to the same sort of thing. But perhaps using syncrepl directly might seem like a better option, as this has been touted as a benefit of syncrepl, although i have not seen any specific examples.. To this end, i am wondering are the syncrepl client parts of slapd usable outside the context of the slapd binary? Has anyone tried this and has any examle code they are willing to share ? Cheers Brett

5 7

Segmentation fault using logpurge option in slapd.conf
by Julian Thomé 01 Oct '09

01 Oct '09

Hello mailing list, We have a problem using OpenLdap V. 2.4.11 with Debian Lenny. If we use the option logpurge in our slapd.conf, slapd can't start anymore. Our slapd.conf: >8-----------------------------------------------/etc/ldap/slapd.conf # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/hdb.schema include /etc/ldap/schema/nis.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel 4 #sasl-secprops minssf=0 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_hdb moduleload smbk5pwd moduleload accesslog # The maximum number of entries that is returned for a search operation sizelimit unlimited # TLS Stuff TLSCACertificateFile /etc/ssl/certs/ca.pem TLSCertificateKeyFile /etc/ldap/openldap.key TLSCertificateFile /etc/ldap/openldap.crt # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 2 # Specific Backend Directives for hdb: backend hdb # Specific Directives for database: accesslog database hdb directory "/var/lib/accesslog" suffix "cn=accesslog" checkpoint 512 30 rootdn "cn=accesslog" rootpw ... index default eq index reqStart eq index reqType eq dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 # Specific Directives for database: data database hdb directory "/var/lib/ldap" overlay smbk5pwd overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE logold (objectClass=posixAccount) logpurge 07+00:00 01+00:00 suffix ... rootdn ... rootpw ... dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 # Indexing options for database #1 index default eq index objectClass eq index uidNumber pres,eq index uid eq smbk5pwd-enable krb5 smbk5pwd-enable samba smbk5pwd-must-change 2592000 password-hash {K5KEY} # lastmod on # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword,shadowLastChange filter="(memberOf=Archiv)" by peername.ip=192.168.222.17 auth stop by peername.regex=.* none break access to dn.base="..." by * read access to attrs=userPassword,shadowLastChange filter="(!(memberOf=Archiv))" by peername.ip=192.168.222.17 none stop by peername.regex=.* none break # this rule is more specific than the admin rule below access to attrs=userPassword,shadowLastChange by set="user/memberOf & [Administratoren]" write by dn="cn=admin,..." write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. # be sure to include the admins in the previous, more specific rule access to * by set="user/memberOf & [Administratoren]" write by dn="cn=admin,..." write by * read access to dn.subtree="ou=Benutzer,..." by sockurl="ldapi:///" write authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,..." ----------------------------------------------------8< Starting slapd with the command: slapd -d 16383 produces the following output: >8--------------------------------------------------- ... ... >>> dnPrettyNormal: <cn=accesslog> => ldap_bv2dn(cn=accesslog,0) <= ldap_bv2dn(cn=accesslog)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=accesslog)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=accesslog)=0 <<< dnPrettyNormal: <cn=accesslog>, <cn=accesslog> line 65 (rootpw ***) line 66 (index default eq) line 67 (index reqStart eq) index reqStart 0x0004 line 68 (index reqType eq) index reqType 0x0004 line 69 (dbconfig set_cachesize 0 2097152 0) line 70 (dbconfig set_lk_max_objects 1500) line 71 (dbconfig set_lk_max_locks 1500) line 72 (dbconfig set_lk_max_lockers 1500) line 75 (database hdb) hdb_db_init: Initializing HDB database line 76 (directory "/var/lib/ldap") line 78 (overlay smbk5pwd) line 80 (overlay accesslog) line 81 (logdb cn=accesslog) >>> dnPrettyNormal: <cn=accesslog> => ldap_bv2dn(cn=accesslog,0) <= ldap_bv2dn(cn=accesslog)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=accesslog)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=accesslog)=0 <<< dnPrettyNormal: <cn=accesslog>, <cn=accesslog> line 82 (logops writes) line 83 (logsuccess TRUE) line 85 (logpurge 07+00:00 01+00:00) Speicherzugriffsfehler ----------------------------------------------------8< If the logpurge-option is uncommented, slapd starts without any problems. It would be very nice if someone could help us ! Greetings Julian ___________________________________________________________ Telefonate ohne weitere Kosten vom PC zum PC: http://messenger.yahoo.de

3 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2009