upgrading an openldap v1 ldbm database to a v2 bdb database?
by Kevin Martin
So I've got an openldap v1 database with .oc.conf and .at.conf files describing the database that
get included in the slapd.conf and I need to be able to migrate to a v2
database (bdb or ldbm, I don't care which). I find no mention of how to
migrate the .oc and/or .at file entries to a usable .schema/(s) file(s)
and I apparently can't ldapsearch and dump the schema from the old
database (using ldapsearch -b cn=schema -L "(objectclass=*)")...it
doesn't find a cn=schema. I can copy the ldbm format ldap database
lock, stock, and barrel from the old machine to a new machine but ldap2
won't allow me to include the .at.conf and .oc.conf files that describe
the database. I've also dumped the old database entries into a .ldif
file at this point but have nowhere to import it to. All constructive
thoughts appreciated.
Kevin
13 years, 4 months
Can OpenLDAP get password from AD
by Duong Pham Tung
Hi,
I am building a solution for web-based application authentication using OpenLDAP as a backend data source. But in my case OpenLDAP acts as a proxy and all user information is stored on AD servers. I can get some fields from AD into OpenLDAP, but it is not enough for my apps to authenticate users because OpenLDAP can't get the password field from the ADs. So, does OpenLDAP have another solution to my problem?
Thanks and Best regards,
Phạm Tùng Dương
13 years, 4 months
kerberosSecurityObject object Class
by Chavez, James R.
Hello List,
I am inquiring about the kerberosSecurityObject object class and the
krbName Attribute type. How can these be utilized in the LDAP
environment?
I do have an associated kerberos realm that I would not mind using for
authentication. Can these help me to leverage this?
Any pointers to documentation are appreciated, as are any explanations. I
have extended the OpenLDAP schema to include the Kerberos schema in a
test environment but am unsure how to leverage it.
Thanks
James
13 years, 4 months
Multiple Databases not replicating.
by Tom Cooper
Hi all,
I am running openldap-2.4.12 in a mirror configuration with each master
also having a slave updated with syncrepl.
Each master contains multiple databases but replication between the
masters happens only for the first database. I have checked my
configuration and there is nothing obvious. An extract of my slapd.conf
follows:
# Free Radius OpenLDAP Server
database bdb
suffix "dc=radius,dc=xxxxxxx,dc=co,dc=za"
rootdn "cn=Manager,dc=radius,dc=xxxxxxxx,dc=co,dc=za"
directory /var/lib/ldapradius
rootpw XXXXXXXXX
access to * by * read
overlay syncprov
syncprov-checkpoint 5 1
syncrepl rid=001
        provider=ldap://dev-ldap-master-03.xxxxxxxx.co.za
        bindmethod=simple
        binddn="cn=Manager,dc=radius,dc=xxxxxxxxx,dc=co,dc=za"
        credentials=XXXXXXXXXX
        searchbase="dc=radius,dc=xxxxxxxxx,dc=co,dc=za"
        schemachecking=off
        type=refreshAndPersist
        interval=00:00:05:00
        retry="60 +"
mirrormode true
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
###################################################################
# Portal OpenLDAP Server
database bdb
suffix "dc=portal,dc=xxxxxxxxxx,dc=co,dc=za"
rootdn "cn=Manager,dc=portal,dc=xxxxxxxxxxx,dc=co,dc=za"
directory /var/lib/ldapPortal
rootpw XXXXXXXXXXXXXXXX
access to * by * read
overlay syncprov
syncprov-checkpoint 5 1
syncrepl rid=002
        provider=ldap://dev-ldap-master-03.xxxxxxxxxxx.co.za
        bindmethod=simple
        binddn="cn=Manager,dc=portal,dc=xxxxxxxxxx,dc=co,dc=za"
        credentials=XXXXXXXXXXX
        searchbase="dc=portal,dc=xxxxxxxxxx,dc=co,dc=za"
        schemachecking=off
        type=refreshAndPersist
        interval=00:00:05:00
        retry="60 +"
mirrormode true
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index fnbConnectProfileId eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
Thanks,
13 years, 4 months
LDAP at the UKUUG Spring 2009 Conference
by Andrew Findlay
The UKUUG Spring 2009 Conference (24-26 March 2009 in London) has
a strong LDAP flavour.
OpenLDAP and other LDAP technologies are covered by several papers:
* OpenLDAP Replication Strategies
Gavin Henry (Suretec Systems & OpenLDAP project)
* OpenLDAP and MySQL: Bridging the Data Model Divide
Howard Chu (Symas Corp. & OpenLDAP project)
* Writing Access Control Policies for LDAP
Andrew Findlay (Skills 1st)
* Securing Access to UNIX, Linux and Mac with Active Directory
Barry Scott (Centrify)
There is also a Kerberos tutorial and several papers on systems
monitoring.
The programme is here:
http://www.ukuug.org/events/spring2009/programme/
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
13 years, 4 months
Openldap RWM/AD Bind
by Chris Natter
Hi,
I'm hoping someone can help me out on this. At the moment I have this
setup:
database ldap
suffix "ou=foo.com,o=mail"
uri "ldap://4.4.4.4:389/"
rootdn "cn=Overlord,dc=foo,dc=com"
idassert-bind bindmethod=simple
        binddn="cn=BAR LDAP Proxy Account,cn=Users,dc=bar,dc=local"
        credentials="w00tz0r"
        mode=none
        flags=override,prescriptive
rebind-as-user yes
overlay rwm
rwm-suffixmassage "dc=bar,dc=local"
rwm-map attribute proxyAddresses *
rwm-map attribute sAMAccountName *
rwm-map attribute cn *
rwm-map attribute givenName *
rwm-map attribute mail *
rwm-map attribute sn *
rwm-map attribute *
4.4.4.4 is an Active Directory server.
This seems to work fine for simple searches and the like against ou=foo.com,o=mail; however, I need to set up an application against it. The way the application works for authentication is it uses an OpenLDAP service account, finds the user's email address in the directory via the proxy, then tries to rebind as that user to the directory via the proxy.
I'm imagining this setup doesn't work because the service account handles the bind for the actual directory search transparently; you can't just bind as a user through it. (Specifically, I get inappropriateAuthentication/error code 48.)
Is there a way to implement what I need?
Thanks for any help in advance.
-Chris
13 years, 4 months
ssh certificate ldap
by Peter Gordon
Hi.
I have the following setup:
pam.d/ssh
#%PAM0.0
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so try_first_pass
account [success=ok perm_denied=die default=ignore] /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
password sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_unix_session.so
User logins are filtered by the line
pam_filter
in /etc/ldap.conf. All the conf files are soft links to this file.
The configuration works for a user without a certificate. Which is to
say, users belonging to the correct group as defined in the filter can
login, others cannot.
If the user has an ssh certificate pair, and the public key appears on
the target, and there is no password needed, the pam_filter is not
used.
Is there any way to ensure that even users with certificates have to
pass the pam_filter?
Thanks,
Peter
13 years, 4 months
Block IP address after failure Bind
by jakjr
Hello,
Is there a way to block a specific IP address when that IP attempts to
bind many times with a failure result?
This could be useful to prevent a brute-force attack.
I know that ppolicy can lock out the user after some failed attempts.
But I would like to block new connections from the IP after this IP
makes a number of failed binds.
Best regards,
Jakjr
13 years, 4 months
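slapd itself has no per-client lockout: ppolicy acts on the account being bound to, not on the source address, so blocking the client has to happen outside slapd, typically by watching the stats log (loglevel 256) and inserting a packet-filter rule, which is what fail2ban-style tools do. The detector below is an added example, not code from the thread or from the OpenLDAP project. It correlates `ACCEPT from IP=...` lines with `RESULT tag=97 err=49` (BindResponse, invalidCredentials) through the connection id, counts failures per source IP across connections in a sliding window, and emits the kind of rule a blocker would install. The log lines are constructed in the real slapd stats format; the log year (`LOG_YEAR`) is assumed because syslog timestamps carry none.

```python
"""Added example: flag source IPs with repeated failed binds in slapd 'stats'
(loglevel 256) syslog output.  slapd has no per-IP lockout; ppolicy locks the
account, so the client must be blocked outside slapd (packet filter / fail2ban).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# conn=N fd=M ACCEPT from IP=addr:port (IP=...)  ties a connection id to a client
ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([0-9a-fA-F.:\[\]]+?):\d+ ")
# conn=N op=M RESULT tag=97 err=E   tag 97 = BindResponse; err 49 = invalidCredentials
BIND_RESULT = re.compile(r"conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)")
CLOSED = re.compile(r"conn=(\d+) fd=\d+ closed")
STAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")

LOG_YEAR = 2009   # syslog stamps carry no year; assumed for the constructed sample


def failed_binds_by_ip(lines, threshold=5, window=60):
    """Return {ip: time_threshold_was_first_reached} for clients that produced
    `threshold` invalidCredentials bind results within any `window` seconds."""
    conn_ip = {}                       # live connection id -> client IP
    recent = defaultdict(deque)        # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = STAMP.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if (a := ACCEPT.search(line)):
            conn_ip[a.group(1)] = a.group(2)
        elif (c := CLOSED.search(line)):
            conn_ip.pop(c.group(1), None)   # ids get reused; forget the mapping on close
        elif (r := BIND_RESULT.search(line)) and r.group(2) == "49":
            ip = conn_ip.get(r.group(1))
            if ip is None:
                continue                    # ACCEPT happened before the excerpt began
            q = recent[ip]
            q.append(when)
            while (when - q[0]).total_seconds() > window:
                q.popleft()                 # slide the window
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = when
    return flagged


def block_rule(ip, port=389):
    """The packet-filter rule a blocker would install for a flagged client."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"


# Constructed sample log: 192.0.2.10 fails 3 times on one connection and 2 more on
# a later one; 198.51.100.7 fails once and then binds successfully.
SAMPLE_LOG = """\
Mar 10 10:00:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Mar 10 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar 10 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar 10 10:00:02 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Mar 10 10:00:02 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Mar 10 10:00:03 ldap1 slapd[1234]: conn=1001 op=2 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Mar 10 10:00:03 ldap1 slapd[1234]: conn=1001 op=2 RESULT tag=97 err=49 text=
Mar 10 10:00:03 ldap1 slapd[1234]: conn=1001 fd=12 closed
Mar 10 10:00:05 ldap1 slapd[1234]: conn=1002 fd=12 ACCEPT from IP=198.51.100.7:40001 (IP=0.0.0.0:389)
Mar 10 10:00:05 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
Mar 10 10:00:05 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
Mar 10 10:00:06 ldap1 slapd[1234]: conn=1002 op=1 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
Mar 10 10:00:06 ldap1 slapd[1234]: conn=1002 op=1 RESULT tag=97 err=0 text=
Mar 10 10:00:09 ldap1 slapd[1234]: conn=1003 fd=13 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
Mar 10 10:00:09 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=dave,ou=people,dc=example,dc=com" method=128
Mar 10 10:00:09 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
Mar 10 10:00:10 ldap1 slapd[1234]: conn=1003 op=1 BIND dn="uid=erin,ou=people,dc=example,dc=com" method=128
Mar 10 10:00:10 ldap1 slapd[1234]: conn=1003 op=1 RESULT tag=97 err=49 text=
"""

if __name__ == "__main__":
    for ip, when in failed_binds_by_ip(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%H:%M:%S} {ip} reached threshold -> {block_rule(ip)}")
```

Two caveats a blocker has to live with: clients behind NAT or a load balancer share one source address, so a low threshold locks out everyone behind it, and because the mapping is keyed on the connection id it must be reset whenever slapd restarts (the ids start again from 0).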
Problem when using OpenLDAP query to AD server
by Duong Pham Tung
Hi all,
I am testing an OpenLDAP server acting as an LDAP proxy using the meta backend. My
back-end servers include AD servers and some OpenLDAP servers.
When this OpenLDAP server connects to other OpenLDAP servers to query data,
everything is okay; I get any data I desire. But when I use this server to
query the AD server, the return code is always Operation Error. I debugged this
process and got an error which the AD server returned to my OpenLDAP server:
"errorMessage: 00000000: LdapErr: DSID-0C090627, comment: In order to
perform this operation a successful bind must be completed on the
connection., data 0, vece", although I had configured a binddn and bindpw for
my OpenLDAP server. But if I use ldapsearch to query the AD server directly
and specify a username and password, everything is okay :-(. Here is a piece
of my slapd.conf:
database meta
suffix "dc=abc,dc=com"
uri "ldap://10.3.0.24/dc=abc,dc=com"
binddn "cn=root,dc=abc,dc=com"
bindpw 123
suffix "dc=xyz,dc=net"
uri "ldap://10.3.0.26/dc=xyz,dc=net"
binddn "cn=openldap,cn=Users,dc=xyz,dc=net"
bindpw 123
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectClass account user
map attribute *
Note: 10.3.0.24 is a OpenLDAP server IP and 10.3.0.26 is AD server IP.
I used openldap(a)xyz.net to query data from the AD server directly and it is
okay. But in this case, I got an error.
Any idea for my problem?
Thanks and best regards,
13 years, 4 months
nss_ldap SSL/TLS problems..
by Arjun Singh
Hi,
I'm trying to set up an ldap server on FreeBSD 7.1-RELEASE. I sent this to
the freebsd-support list as well, but I don't think this is FreeBSD specific
so I thought I'd ask here too.
I installed all of the latest versions of openldap24-server,
openldap24-client, nss_ldap, and pam_ldap.
When I do any sort of ldapsearch or 'getent passwd' or anything, everything
works perfectly. The only time I have trouble is when I'm logging in via
SSH..then it gets really weird.
1.) When I log in as a user in LDAP only and give the incorrect password
first and then supply the correct password, everything works fine. If the
user is in wheel, I can sudo.
2.) When I log in as the same user and give only the correct password the
first time, it hangs for roughly 45 seconds and then lets me in. Even though
this user is in wheel, it says that the user is not in the sudoers file.
Here are the log messages I get in auth.log that correspond to the events
above:
sshd[54031]: pam_ldap: error trying to bind as user "uid=user..(cut)..."
(Invalid credentials) # This is the incorrect pw
sshd[54029]: error: PAM: authentication error for user from localhost
#Incorrect pw
sshd[54032]: nss_ldap: could not search LDAP server - Server is unavailable
# correct pw
sshd[54029]: Accepted keyboard-interactive/pam for user from localhost port
32935 ssh2 #correct pw
When I enter just the right password, the first time, I get this in the log:
sshd[54047]: Accepted keyboard-interactive/pam for user from localhost port
51972 ssh2
sshd[54050]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Again, when SSL/TLS are disabled, I get normal log output and none of the
weird stuff above..
I turned on debugging in nss_ldap.conf and found that each time I gave only
the correct password (corresponding with the 45 second hang) I found this in
the debug output:
...bunch of normal looking output...
ldap_chkResponseList ld 0x801b31480 msgid 5 all 0
ldap_chkResponseList returns ld 0x801b31480 NULL
ldap_int_select
read1msg: ld 0x801b31480 msgid 5 all 0
ber_get_next
TLS trace: SSL3 alert write:fatal:bad record mac <--- what is the cause of
this?
ldap_free_connection 1 0
ldap_free_connection: actually freed
ldap_err2string
ldap_result ld 0x801b31480 msgid 5
wait4msg ld 0x801b31480 msgid 5 (timeout 30000000 usec)
wait4msg continue ld 0x801b31480 msgid 5 all 0
** ld 0x801b31480 Connections:
** ld 0x801b31480 Outstanding Requests:
Empty
ld 0x801b31480 request count 0 (abandoned 0)
** ld 0x801b31480 Response Queue:
Empty
I get the above regardless of whether I'm using start_tls or ssl.
If you have any insight, it'd be really useful. I've spent tons of time
scouring lists for help and haven't found anything yet..
Thanks,
-Arjun
13 years, 4 months
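One classic cause of exactly this `bad record mac` alert in a forking login daemon is an LDAP connection, with its TLS session, being inherited across fork() and then used from two processes (for instance a PAM stage and a later NSS lookup in different sshd processes). TLS authenticates every record over an implicit sequence number that each side counts on its own; a fork copies those counters, so the second process to write sends a record whose MAC covers a sequence number the peer has already moved past, the peer rejects it, and the fatal alert tears down the connection for the parent too, which then sees "can't contact LDAP server". The toy model below is an added example, not code from the thread or from OpenLDAP, and it is not TLS: a single shared HMAC key and an omitted record header stand in for the real record layer so the counter mechanics are visible.

```python
"""Added example: a toy model of the TLS record layer showing why one TLS
connection shared by two processes after fork() ends in 'bad record mac'.

Real TLS MACs each record over an implicit 64-bit sequence number that sender
and receiver count independently; a fork duplicates the counters, so two
processes writing on one socket desynchronise them.  Toy HMAC only, one shared
key for both directions, no record header: this is NOT TLS.
"""
import copy
import hashlib
import hmac
import struct


class BadRecordMac(Exception):
    pass


class RecordLayer:
    """One endpoint's view of a connection: a write counter and a read counter
    that must stay in lockstep with the peer's read and write counters."""

    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.write_seq = 0
        self.read_seq = 0
        self.alerted = False          # set once a fatal alert has closed the connection

    def _tag(self, seq, payload):
        # TLS MACs seq_num || header || fragment; the header is left out here.
        return hmac.new(self.mac_key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()

    def protect(self, payload):
        if self.alerted:
            raise BadRecordMac("connection closed after fatal alert")
        record = payload + self._tag(self.write_seq, payload)
        self.write_seq += 1
        return record

    def unprotect(self, record):
        if self.alerted:
            raise BadRecordMac("connection closed after fatal alert")
        payload, tag = record[:-32], record[-32:]
        if not hmac.compare_digest(tag, self._tag(self.read_seq, payload)):
            self.alerted = True       # real TLS sends a fatal bad_record_mac alert here
            raise BadRecordMac(f"expected seq {self.read_seq}")
        self.read_seq += 1
        return payload


def exchange(client, server, request):
    """Client sends a protected request; server verifies, answers; client verifies."""
    seen = server.unprotect(client.protect(request))
    return client.unprotect(server.protect(b"ok:" + seen))


def simulate(share_connection):
    """Parent talks, then a forked child talks, then the parent talks again.

    share_connection=True  : child inherits the parent's live connection (the bug).
    share_connection=False : child opens its own connection (the fix).
    Returns [(who, outcome), ...].
    """
    key = b"toy-session-key"          # constructed; real TLS derives per-direction keys
    server, parent = RecordLayer(key), RecordLayer(key)
    if share_connection:
        child = copy.deepcopy(parent)             # fork(): socket AND counters duplicated
        child_server = server                     # same peer endpoint on the other side
    else:
        child, child_server = RecordLayer(key), RecordLayer(key)
    results = []
    for who, cli, srv in (("parent", parent, server),
                          ("child", child, child_server),
                          ("parent", parent, server)):
        try:
            results.append((who, exchange(cli, srv, b"search uid=alice").decode()))
        except BadRecordMac as exc:
            results.append((who, f"bad record mac ({exc})"))
    return results


if __name__ == "__main__":
    for label, shared in (("shared connection", True), ("separate connections", False)):
        print(label)
        for who, outcome in simulate(shared):
            print(f"  {who:6} {outcome}")
```

With the shared connection the child's first record already fails at the peer (it carries sequence number 0 while the server expects 1), and the parent's next request fails too because the alert closed the session. With separate connections all three exchanges succeed, which is the behaviour to aim for: the process that runs after fork() must open its own LDAP/TLS connection rather than reuse an inherited one.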