openldap-technical February 2009

openldap-technical@openldap.org

63 participants
67 discussions

upgrading an openldap v1 ldbm database to a v2 bdb database?
by Kevin Martin 13 Feb '09

13 Feb '09

So I've got an openldap v1 database with .oc.conf and .at.conf files describing the database that get included in the slapd.conf and I need to be able to migrate to a v2 database (bdb or ldbm, I don't care which). I find no mention of how to migrate the .oc and/or .at file entries to a usable .schema/(s) file(s) and I apparently can't ldapsearch and dump the schema from the old database (using ldapsearch -b cn=schema -L “(objectclass=*)” )...it doesn't find a cn=schema. I can copy the ldbm format ldap database lock, stock, and barrel from the old machine to a new machine but ldap2 won't allow me to include the .at.conf and .oc.conf files that describe the database. I've also dumped the old database entries into a .ldif file at this point but have nowhere to import it to. All constructive thoughts appreciated. Kevin

3 2

Can OpenLDAP get password from AD
by Duong Pham Tung 13 Feb '09

13 Feb '09

Hi, I am building a solution for web-based application authentication using OpenLDAP as a backend data source. But, in my case, OpenLDAP acts as a proxy and all user information are stored on AD servers. I can get some field from AD to OpenLDAP, but it is not enough for my apps to authentication user because OpenLDAP can’t get password field from ADs. So, can OpenLDAP have other solutions to solve my problem? Thanks and Best regards, Phạm Tùng Dương

5 5

kerberosSecurityObject object Class
by Chavez, James R. 12 Feb '09

12 Feb '09

Hello List, I am inquiring about the kerberosSecurityObject object class and the krbName Attribute type. How can these be utilized in the LDAP environment? I do have an associated kerberos realm that I would not mind using for authentication. Can these help me to leverage this? Any pointers to documentation is appreciated as are any explanations. I have extended the OPenLDAP schema to include the kerberos schema in a test environment but am unsure how to leverage it. Thanks James CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

1 0

Multiple Databases not replicating.
by Tom Cooper 12 Feb '09

12 Feb '09

Hi all, I am running openldap-2.4.12 in a mirror configuration with each master also having a slave updated with syncrepl. Each master contains multiple databases but replication between the masters happens only for the first database. I have checked my configuration and there is nothing obvious. An extract of my slapd.conf follows: # Free Radius OpenLDAP Server database bdb suffix "dc=radius,dc=xxxxxxx,dc=co,dc=za" rootdn "cn=Manager,dc=radius,dc=xxxxxxxx,dc=co,dc=za" directory /var/lib/ldapradius rootpw XXXXXXXXX access to * by * read overlay syncprov syncprov-checkpoint 5 1 syncrepl rid=001 provider=ldap://dev-ldap-master-03.xxxxxxxx.co.za bindmethod=simple binddn="cn=Manager,dc=radius,dc=xxxxxxxxx,dc=co,dc=za" credentials=XXXXXXXXXX searchbase="dc=radius,dc=xxxxxxxxx,dc=co,dc=za" schemachecking=off type=refreshAndPersist interval=00:00:05:00 retry="60 +" mirrormode true # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq ################################################################### # Portal OpenLDAP Server database bdb suffix "dc=portal,dc=xxxxxxxxxx,dc=co,dc=za" rootdn "cn=Manager,dc=portal,dc=xxxxxxxxxxx,dc=co,dc=za" directory /var/lib/ldapPortal rootpw XXXXXXXXXXXXXXXX access to * by * read overlay syncprov syncprov-checkpoint 5 1 syncrepl rid=002 provider=ldap://dev-ldap-master-03.xxxxxxxxxxx.co.za bindmethod=simple binddn="cn=Manager,dc=portal,dc=xxxxxxxxxx,dc=co,dc=za" credentials=XXXXXXXXXXX searchbase="dc=portal,dc=xxxxxxxxxx,dc=co,dc=za" schemachecking=off type=refreshAndPersist interval=00:00:05:00 retry="60 +" mirrormode true # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index fnbConnectProfileId eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq Thanks, To read FirstRand Bank's Disclaimer for this email click on the following address or copy into your Internet browser: https://www.fnb.co.za/disclaimer.html If you are unable to access the Disclaimer, send a blank e-mail to firstrandbankdisclaimer(a)fnb.co.za and we will send you a copy of the Disclaimer.

1 0

LDAP at the UKUUG Spring 2009 Conference
by Andrew Findlay 11 Feb '09

11 Feb '09

The UKUUG Spring 2009 Conference (24-26 March 2009 in London) has a strong LDAP flavour. OpenLDAP and other LDAP technologies are covered by several papers: * OpenLDAP Replication Strategies Gavin Henry (Suretec Systems & OpenLDAP project) * OpenLDAP and MySQL: Bridging the Data Model Divide Howard Chu (Symas Corp. & OpenLDAP project) * Writing Access Control Policies for LDAP Andrew Findlay (Skills 1st) * Securing Access to UNIX, Linux and Mac with Active Directory Barry Scott (Centrify) There is also a Kerberos tutorial and several papers on systems monitoring. The programme is here: http://www.ukuug.org/events/spring2009/programme/ Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

1 0

Openldap RWM/AD Bind
by Chris Natter 11 Feb '09

11 Feb '09

Hi, I'm hoping someone can help me out on this. At the moment I have this setup: database ldap suffix "ou=foo.com,o=mail" uri "ldap://4.4.4.4:389/" rootdn "cn=Overlord,dc=foo,dc=com" idassert-bind bindmethod=simple binddn="cn=BAR LDAP Proxy Account,cn=Users,dc=bar,dc=local" credentials="w00tz0r" mode=none flags=override,prescriptive rebind-as-user yes overlay rwm rwm-suffixmassage "dc=bar,dc=local" rwm-map attribute proxyAddresses * rwm-map attribute sAMAccountName * rwm-map attribute cn * rwm-map attribute givenName * rwm-map attribute mail * rwm-map attribute sn * rwm-map attribute * 4.4.4.4 is an Active Directory server. This seems to work fine for simple searches and the like again ou=foo.com,o=mail, however I need to setup an application against it. The way the application works for authentication is it uses an openldap service account, finds the user's email address in the directory via proxy, then tries to rebind as that user to the directory via proxy. I'm imagining this setup doesn't work because of the service account handling the bind for the actual directory search transparently, you can't just bind as a user through it. (specifically, I get inappropriateAuthentication/error code 48) Is there a way to implement what I need? Thanks for any help in advance. -Chris

1 0

ssh certificate ldap
by Peter Gordon 11 Feb '09

11 Feb '09

Hi. I have the following setup: pam.d/ssh #%PAM0.0 auth required /lib/security/pam_nologin.so auth sufficient /lib/security/pam_ldap.so auth required /lib/security/pam_unix_auth.so try_first_pass account [success=ok perm_denied=die default=ignore] /lib/security/pam_ldap.so account required /lib/security/pam_unix_acct.so password sufficient /lib/security/pam_ldap.so session required /lib/security/pam_unix_session.so User logins are filtered by the line pam_filter in /etc/ldap.conf. All the conf files are soft links to this file. The configuration works for a user without a certificate. Which is to say, users belonging to the correct group as defined in the filter can login, others cannot. If the user has an ssh certificate pair, and the public key appears on the target, and there is no password needed, the pam_filter is not used. Is there any way to ensure that even users with certificates have to pass the pam_filter? Thanks, Peter

1 0

Block IP address after failure Bind
by jakjr 11 Feb '09

11 Feb '09

Hello, Is there a way to block a specific ip address when this ip attempt to bind many times if failure result ?? This could be useful to prevent a brute-force attack. I know that ppolicy can lockout the user after some failed attempts. But I would like to block new connections from the IP, after this IP try to make a number of fail binds. Best regards, Jakjr

4 4

Problem when using OpenLDAP query to AD server
by Duong Pham Tung 10 Feb '09

10 Feb '09

Hi all, I am testing a OpenLDAP act as LDAP proxy server using meta-backend. My back-end server contain AD servers and some OpenLDAP servers. When this OpenLDAP server connects to other OpenLDAP servers to query data, everything is okie, I get any data as I desire. But, when I use this server query to AD server, the return code is always Operation Error. I debug this process and I get a error which AD server return to my OpenLDAP server "errorMessage: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece" although I had configured a binddn and bindpw for my OpenLDAP server. But if I using ldapsearch, query directly to AD server and specify username and password, everything is okie :-(. Here is a piece of my sldapd.conf: database meta suffix "dc=abc,dc=com " uri "ldap://10.3.0.24/dc=abc,dc=com " binddn "cn=root,dc=abc,dc=com " bindpw 123 suffix "dc=xyz,dc=net" uri "ldap://10.3.0.26/dc=xyz,dc=net" binddn "cn=openldap,cn=Users,dc=xyz,dc=net" bindpw 123 map attribute uid sAMAccountName map attribute cn name map attribute mail userPrincipalName map objectClass account user map attribute * Note: 10.3.0.24 is a OpenLDAP server IP and 10.3.0.26 is AD server IP. I used openldap(a)xyz.net to query data from AD server directly and It is okie. But in this case, I got an error. Any idea for my problem? Thanks and best regards,

2 4

nss_ldap SSL/TLS problems..
by Arjun Singh 10 Feb '09

10 Feb '09

Hi, I'm trying to set up an ldap server on FreeBSD 7.1-RELEASE. I sent this to the freebsd-support list as well, but I don't think this is FreeBSD specific so I thought I'd ask here too. I installed all of the latest versions of openldap24-server, openldap24-client, nss_ldap, and pam_ldap. When I do any sort of ldapsearch or 'getent passwd' or anything, everything works perfectly. The only time I have trouble is when I'm logging in via SSH..then it gets really weird. 1.) When I log in as a user in LDAP only and give the incorrect password first and then supply the correct password, everything works fine. If the user is in wheel, I can sudo. 2.) When I log in as the same user and give only the correct password the first time, it hangs for roughly 45 seconds and then lets me in. Even though this user is in wheel, it says that the user is not in the sudoers file. Here are the log messages I get in auth.log that correspond to the events above: sshd[54031]: pam_ldap: error trying to bind as user "uid=user..(cut)..." (Invalid credentials) # This is the incorrect pw sshd[54029]: error: PAM: authentication error for user from localhost #Incorrect pw sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable # correct pw sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port 32935 ssh2 #correct pw When I enter just the right password, the first time, I get this in the log: sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port 51972 ssh2 sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server Again, when SSL/TLS are disabled, I get normal log output and none of the weird stuff above.. I turned on debugging in nss_ldap.conf and found that each time I gave only the correct password (corresponding with the 45 second hang) I found this in the debug output: ...bunch of normal looking output... ldap_chkResponseList ld 0x801b31480 msgid 5 all 0 ldap_chkResponseList returns ld 0x801b31480 NULL ldap_int_select read1msg: ld 0x801b31480 msgid 5 all 0 ber_get_next TLS trace: SSL3 alert write:fatal:bad record mac <--- what is the cause of this? ldap_free_connection 1 0 ldap_free_connection: actually freed ldap_err2string ldap_result ld 0x801b31480 msgid 5 wait4msg ld 0x801b31480 msgid 5 (timeout 30000000 usec) wait4msg continue ld 0x801b31480 msgid 5 all 0 ** ld 0x801b31480 Connections: ** ld 0x801b31480 Outstanding Requests: Empty ld 0x801b31480 request count 0 (abandoned 0) ** ld 0x801b31480 Response Queue: Empty I get the above regardless of whether I'm using start_tls or ssl. If you have any insight, it'd be really useful. I've spent tons of time scouring lists for help and haven't found anything yet.. Thanks, -Arjun

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2009