User to administrate an OU
by Leandro Repolho
Hello, I don't know if it is possible, but I would like to create a
user inside an OU of my OpenLDAP server, and when this user connects to an
LDAP manager like phpLDAPadmin he needs to see all objects inside his OU and
manage them. Is it possible to do it?
Thank you very much,
--
Leandro Cascino Repolho
12 years, 2 months
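One way to set this up, as an added example that is not code from the post (the base, the OU name and the administrator DN are assumptions): an slapd.conf access list that gives one user write access to everything below his OU and read access elsewhere. slapd applies the first `access to` clause whose target matches the entry and attribute, so the userPassword rules have to come before the general subtree rule, and the OU rule before the catch-all.

```conf
# Added example (not from the post). Assumed names: the delegated OU is
# ou=Sales,dc=example,dc=com and its administrator is
# uid=salesadmin,ou=Sales,dc=example,dc=com. The same clauses work as
# olcAccess values when slapd runs from cn=config.

# Passwords inside the OU: the OU admin may set them, owners may change
# their own, anyone may use them to bind, nobody may read them.
access to dn.subtree="ou=Sales,dc=example,dc=com" attrs=userPassword
        by dn.exact="uid=salesadmin,ou=Sales,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# Passwords everywhere else: no delegated write.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything in the OU, including the ou entry itself and the "children"
# pseudo-attribute needed to add or delete entries: full control for the
# OU admin, read for other authenticated users.
access to dn.subtree="ou=Sales,dc=example,dc=com"
        by dn.exact="uid=salesadmin,ou=Sales,dc=example,dc=com" write
        by users read
        by * none

# The rest of the tree stays readable to authenticated users, so a browser
# such as phpLDAPadmin can walk from the base down to the OU.
access to *
        by users read
        by * none
```

Two things to keep in mind: write on the whole subtree means the OU admin can reset every password in it and can rename or delete the ou entry itself, so scope the delegation deliberately; and you can check the result before restarting with slapacl, for example `slapacl -b "uid=bob,ou=Sales,dc=example,dc=com" -D "uid=salesadmin,ou=Sales,dc=example,dc=com" userPassword/write` (entry DN assumed), which should report that write access is allowed.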
help in ldap and webmin
by Sufyan Aqtam
Hi all,
I have a problem with my OpenLDAP server.
I configured an LDAP server with bdb that contains about 25000 users.
It works perfectly for answering authentication requests and modifying
existing users.
I am using the webmin "LDAP Users and Groups" module to create new users.
When I fill in the information for a new user and click on the create button, it
takes a very long time to create the user.
I checked the log file of the LDAP server and I found that it starts accessing all
users in the database.
The messages in the log file are as below, and they are repeated for all users:
conn=19 op=1 ENTRY dn="uid=testuser,ou=users,dc=example,dc=com"
Feb 7 10:38:42 testserver slapd[25075]: <= send_search_entry: conn 19 exit.
Feb 7 10:38:42 testserver slapd[25075]: entry_decode: "uid=testuser,ou=Users,dc=example,dc=com"
Feb 7 10:38:42 testserver slapd[25075]: <= entry_decode(uid=testuser,ou=Users,dc=example,dc=com)
Feb 7 10:38:42 testserver slapd[25075]: => bdb_dn2id("uid=testuser,ou=users,dc=example,dc=com")
Feb 7 10:38:42 testserver slapd[25075]: <= bdb_dn2id: got id=0x24
Feb 7 10:38:42 testserver slapd[25075]: => test_filter
Feb 7 10:38:42 testserver slapd[25075]: EQUALITY
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: search access to "uid=testuser,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: <= test_filter 6
Feb 7 10:38:42 testserver slapd[25075]: => send_search_entry: conn 19 dn="uid=testuser,ou=Users,dc=example,dc=com"
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "entry" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "uid" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "cn" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "objectClass" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "userPassword" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "shadowLastChange" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "shadowMax" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "shadowWarning" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "loginShell" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "uidNumber" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "gidNumber" requested
Feb 7 10:38:42 testserver slapd[25075]: <= root access granted
Feb 7 10:38:42 testserver slapd[25075]: => access_allowed: read access to "uid=testuser,ou=Users,dc=example,dc=com" "homeDirectory" requested
Feb 7 10:38:43 testserver slapd[25075]: <= root access granted
I hope you can help me; many thanks for your efforts.
Regards
12 years, 2 months
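The excerpt above is worth reading closely before blaming the server: each entry is fetched (bdb_dn2id, entry_decode), the filter is evaluated and returns 6, which is LDAP_COMPARE_TRUE, so the entry matches and is sent to connection 19 with every attribute, userPassword included, and every ACL check ends in "root access granted", meaning the client is bound as the rootdn. In other words the webmin module asked for all users, and slapd is doing exactly that 25000 times. The following is an added example, not code from the post or from OpenLDAP: a small Python script that tallies a trace of this shape per connection (entries tested, entries matched and returned, attribute types read) so that a full-directory read by a management tool stands out. The log lines it runs on are constructed to match the format quoted above and are not real server output.

```python
"""Tally what a slapd filter/ACL trace shows a search doing.

Added example, not code from the post or from OpenLDAP. The constructed log
lines below imitate the trace format quoted above (slapd with filter and ACL
tracing enabled); they are not real server output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Result codes slapd prints after "<= test_filter" (LDAP compare results).
LDAP_COMPARE_FALSE = 5
LDAP_COMPARE_TRUE = 6

SEND_ENTRY_RE = re.compile(r'=> send_search_entry: conn (\d+) dn="([^"]*)"')
TEST_FILTER_RE = re.compile(r'<= test_filter (-?\d+)')
ACL_READ_RE = re.compile(r'=> access_allowed: read access to "[^"]*" "(\w+)" requested')


@dataclass
class TraceSummary:
    sent_per_conn: dict = field(default_factory=lambda: defaultdict(int))
    filter_tests: int = 0        # entries the filter was evaluated against
    filter_matches: int = 0      # of those, how many matched
    attrs_read: set = field(default_factory=set)  # attribute types read under ACL


def summarize(log_text: str) -> TraceSummary:
    """Walk the trace once and count entries tested, sent, and attributes read."""
    s = TraceSummary()
    for line in log_text.splitlines():
        m = SEND_ENTRY_RE.search(line)
        if m:
            s.sent_per_conn[int(m.group(1))] += 1
            continue
        m = TEST_FILTER_RE.search(line)
        if m:
            s.filter_tests += 1
            if int(m.group(1)) == LDAP_COMPARE_TRUE:
                s.filter_matches += 1
            continue
        m = ACL_READ_RE.search(line)
        if m:
            s.attrs_read.add(m.group(1))
    return s


def full_read_conns(s: TraceSummary, threshold: int) -> list:
    """Connections that received at least `threshold` entries in this trace."""
    return sorted(c for c, n in s.sent_per_conn.items() if n >= threshold)


def _entry_trace(conn, dn, matched, attrs):
    """Build the trace lines slapd emits for one candidate entry (constructed)."""
    body = ["=> test_filter",
            f"<= test_filter {LDAP_COMPARE_TRUE if matched else LDAP_COMPARE_FALSE}"]
    if matched:
        body.append(f'=> send_search_entry: conn {conn} dn="{dn}"')
        for a in ("entry",) + tuple(attrs):
            body.append(f'=> access_allowed: read access to "{dn}" "{a}" requested')
            body.append("<= root access granted")
        body.append(f"<= send_search_entry: conn {conn} exit.")
    return [f"Feb 7 10:38:42 testserver slapd[25075]: {l}" for l in body]


# Constructed sample: one container entry that fails the filter and three
# users that match, all on connection 19, all returned with their password hash.
USER_ATTRS = ("uid", "cn", "objectClass", "userPassword", "uidNumber", "gidNumber")
SAMPLE_LOG = "\n".join(
    _entry_trace(19, "ou=Users,dc=example,dc=com", False, ())
    + _entry_trace(19, "uid=alice,ou=Users,dc=example,dc=com", True, USER_ATTRS)
    + _entry_trace(19, "uid=bob,ou=Users,dc=example,dc=com", True, USER_ATTRS)
    + _entry_trace(19, "uid=carol,ou=Users,dc=example,dc=com", True, USER_ATTRS)
)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"filter tested {summary.filter_tests} entries, {summary.filter_matches} matched")
    for conn in full_read_conns(summary, threshold=3):
        print(f"conn {conn} received {summary.sent_per_conn[conn]} entries")
    if "userPassword" in summary.attrs_read:
        print("client read userPassword for every returned entry")
```

Against a real trace, set the threshold to a fraction of your user count; a connection that receives tens of thousands of entries while a user is being created is the tool enumerating the directory, and the attribute list tells you it is also pulling password hashes, which is a reason to give webmin its own bind identity with a tighter ACL instead of the rootdn. The search filter itself is not in the quoted excerpt; slapd's `stats` loglevel logs it on the SRCH line, and that is what decides whether an index would help at all.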
Unable to logon to any server as a locally defined user if the OpenLDAP server is unavailable.
by Sean Leinart
Greetings OpenLDAP Technical Mailing List,
I would generally consider myself at newb status when it comes to LDAP in the Linux environment. I have acquired a network from a previous admin, and my issue is that if the LDAP server is offline I cannot authenticate locally on any of my servers, which is obviously a huge problem.
The version of OpenLDAP is:
[user@server:/usr/sbin]slapd -VV
@(#) $OpenLDAP: slapd 2.2.13 (Jul 11 2008 09:16:05) $
mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd
The Linux Version is:
[user@server:/]uname -a
Linux server.host.local 2.6.9-42.0.10.ELsmp #1 SMP Tue Feb 27 10:11:19 EST 2007 i686 i686 i386 GNU/Linux
I have read several items stating that this can be a common issue when using LDAP authentication.
I have read to check the settings in the nsswitch.conf file on the systems in question to verify that "files"
is looked at first etc., and all of these settings appear to be correct.
I am looking for guidance on what would be the best thing to do in this case,
and why it is broken when the LDAP server is not available. What happens is, if the LDAP server is not available
and you attempt to log on to a server locally, you enter the userid and password and there is no activity
for a minute or so, then the prompt goes directly back to the login prompt. The userid and
password being used are locally defined on the server.
Also PAM LDAP is being utilized.
Any help or ideas on what to look for would be greatly
appreciated.
Is there a way to just turn off the LDAP authentication on the servers?
I feel that the answer to this is probably no. That would simply be too easy.
Thanks in advance for any responses.
sean
sleinart(a)fscarolina.com
12 years, 2 months
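Putting `files` first in nsswitch.conf is necessary but not sufficient: the lookup of the local user's own passwd entry stops at the files source, but the initgroups() call that collects supplementary groups during login queries every source listed for `group`, so nss_ldap still tries to reach the server, and with its default `bind_policy hard` it keeps retrying until the login gives up. The following is an added example, not configuration from the post; it assumes the PADL nss_ldap/pam_ldap stack that CentOS 4 ships (configured in /etc/ldap.conf) and uses a placeholder server address, base and local user name. It makes nss_ldap fail fast, keeps LDAP out of local accounts' group lookups, and orders PAM so that a local account never waits on pam_ldap.

```conf
# Added example, not from the post. Assumptions: PADL nss_ldap/pam_ldap as on
# CentOS 4, server address, base and the local user name are placeholders.

# --- /etc/nsswitch.conf ---
passwd: files ldap
shadow: files ldap
group:  files ldap

# --- /etc/ldap.conf (read by nss_ldap and pam_ldap) ---
host 192.0.2.10
base dc=example,dc=com
# Fail fast instead of retrying for minutes when the server is unreachable.
bind_policy soft
bind_timelimit 5
timelimit 5
nss_reconnect_tries 1
# Do not ask LDAP for the supplementary groups of local accounts
# (needs an nss_ldap build that supports this option).
nss_initgroups_ignoreusers root,sean

# --- /etc/pam.d/system-auth (auth and account stacks) ---
# pam_unix before pam_ldap: a local password that checks out ends the auth
# stack without ever contacting the directory.
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so

# pam_localuser before pam_ldap: accounts present in /etc/passwd skip the
# LDAP account check entirely.
account  required   pam_unix.so
account  sufficient pam_localuser.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  required   pam_permit.so
```

To answer the "turn it off" question: it is not all or nothing. With the stack ordered this way LDAP users keep working while the server is up, and root plus any user in /etc/passwd keeps working while it is down. Test it by blocking the LDAP port on one host (not by stopping the directory for everyone) and timing a local login before and after the change.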
N-way replication config file help
by Mike Simonton
Hello everyone,
I'm trying to convert my two node replicated OpenLDAP pair to a three-way
pair and am having trouble with configuring the slapd.conf files. Can
anyone tell me what I need to add here? Below is my newly modified
slapd.conf file with the system03 addition:
----- slapd.conf on system01 replicating to system02 and system03 -----
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/promptu.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
serverID 001
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=mydomain,dc=local"
rootdn "cn=Manager,dc=mydomain,dc=local"
rootpw secret
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
index entryCSN eq
index entryUUID eq
# Continuation lines of a directive must start with whitespace in slapd.conf,
# and the rid must be unique per syncrepl stanza on a node (both were 0).
# interval= is only honoured with type=refreshOnly, so it is left out here.
syncrepl rid=001
    provider=ldap://sys02
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=mydomain,dc=local"
    filter="(objectClass=*)"
    attrs="*,+"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=Manager,dc=mydomain,dc=local"
    credentials="secret"
syncrepl rid=002
    provider=ldap://sys03
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=mydomain,dc=local"
    filter="(objectClass=*)"
    attrs="*,+"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=Manager,dc=mydomain,dc=local"
    credentials="secret"
# updateref is for a read-only replica; with mirrormode every node accepts
# writes itself, so the updateref lines that pointed at sys02/sys03 are dropped.
mirrormode TRUE
overlay syncprov
syncprov-checkpoint 100 10
Thank you for your help!
Mike
12 years, 2 months
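The part the question leaves out is the other two nodes. In an N-way setup every node carries its own serverID, one syncrepl stanza for each of the other nodes (rid unique on that node), mirrormode, and the syncprov overlay. The fragment below is an added example, not configuration from the post, showing system02; system03 is the same with serverID 003 and providers sys01 and sys02. Two hardening changes are assumptions that the post did not make: a dedicated replication identity instead of the rootdn (it needs read access to the whole tree including operational attributes and an unlimited size/time limit, or keep the rootdn as the post does), and TLS on the replication connection, because `credentials=` otherwise crosses the network in clear.

```conf
# Added example (not from the post): slapd.conf for system02 in a three-node
# mirror. Replication DN, its password and the TLS lines are assumptions.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/promptu.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
serverID 002

database bdb
suffix "dc=mydomain,dc=local"
rootdn "cn=Manager,dc=mydomain,dc=local"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
index entryCSN eq
index entryUUID eq

# Pull from system01.
syncrepl rid=001
    provider=ldap://sys01
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=mydomain,dc=local"
    filter="(objectClass=*)"
    attrs="*,+"
    scope=sub
    schemachecking=off
    bindmethod=simple
    # Assumed replication identity; grant it read to "*,+" on the whole
    # tree with an ACL and a limits directive with unlimited size/time.
    binddn="cn=replicator,dc=mydomain,dc=local"
    credentials="replicator-secret"
    # Assumed TLS setup; remove these two lines until certificates exist.
    starttls=critical
    tls_reqcert=demand

# Pull from system03: identical apart from rid and provider.
syncrepl rid=002
    provider=ldap://sys03
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=mydomain,dc=local"
    filter="(objectClass=*)"
    attrs="*,+"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=replicator,dc=mydomain,dc=local"
    credentials="replicator-secret"
    starttls=critical
    tls_reqcert=demand

mirrormode TRUE

overlay syncprov
syncprov-checkpoint 100 10
```

After starting all three, compare `contextCSN` on the suffix entry of each node (`ldapsearch -s base -b dc=mydomain,dc=local contextCSN`); once every node lists a CSN for serverIDs 001, 002 and 003 and the values agree, the mesh is converged.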
Re: How to set BDB "read-only" before slapcat command ?
by Andrew Hall
2009/2/9 Quanah Gibson-Mount <quanah(a)zimbra.com>:
> I'm not sure why you feel it is necessary to set the server read-only before
> you run slapcat anyway.
It was purely in relation to point 18.1.2 in this doc...
http://www.openldap.org/doc/admin24/maintenance.html
To quote...
"Slapcat can be run while slapd is active. However, one runs the risk
of an inconsistent database- not from the point of slapd, but from the
point of the applications using LDAP. For example, if a provisioning
application performed tasks that consisted of several LDAP operations,
and the slapcat took place concurrently with those operations, then
there might be inconsistencies in the LDAP database from the point of
view of that provisioning application and applications that depended
on it. One must, therefore, be convinced something like that won't
happen. One way to do that would be to put the database in read-only
mode while performing the slapcat."
12 years, 2 months
Re: How to set BDB "read-only" before slapcat command ?
by William Jojo
---- Original message ----
>Date: Mon, 09 Feb 2009 08:08:32 -0800
>From: Quanah Gibson-Mount <quanah(a)zimbra.com>
>Subject: Re: How to set BDB "read-only" before slapcat command ?
>To: Andrew Hall <whippyhubbles(a)googlemail.com>,Michael Ströder <michael(a)stroeder.com>
>Cc: openldap-technical(a)openldap.org
>
>--On Monday, February 09, 2009 3:44 PM +0000 Andrew Hall
><whippyhubbles(a)googlemail.com> wrote:
>
>
>> The possible problem I see with that setup is what happens if the
>> slapcat occurs during an update from the provider to the consumer ?
>
>
>I'm not sure why you feel it is necessary to set the server read-only
>before you run slapcat anyway. Do you actually have a process that knows
>exactly what changes occurred in any given second, so that, if say, your
>backup starts at 1:00:00, you can then replay all the changes from that
>point in time?
>
>If you do, then it doesn't matter whether or not it was in read-only.
>Simply replay the changes. If you don't, then it doesn't matter whether or
>not it was in read-only, because you don't know what changes happened after
>that point.
>
>I honestly am not aware of anyone who bothers to put their DB into
>read-only before slapcatting, although they may be out there.
>
Admittedly we stop one slapd in our group of servers (usually a master) to take a point in time snapshot with slapcat, then simply restart it. It is used solely as part of our disaster recovery. In the event of BDB corruption that is unrecoverable, we can build a new server from the full-text export.
Just basic DBA paranoia policy. :-) :-)
Cheers,
Bill
12 years, 2 months
Re: How to set BDB "read-only" before slapcat command ?
by Andrew Hall
2009/2/9 Michael Ströder <michael(a)stroeder.com>:
> No matter what you do at the LDAP server's side it could happen in
> between a series of related write operations leading to inconsistent
> state of data (from the application's point of view).
>
> If you want better hints then you have to provide more details about
> your deployment.
>
> Ciao, Michael.
We have a primary "hidden" master and two replicating secondaries
which both get queried in a round-robin DNS fashion.
Applications such as phpLDAPadmin are configured to connect to these
secondaries which pass writes to the primary via an updateref chain
overlay.
At the moment I am using slapcat on the primary for backups but am
open to other suggestions.
Perhaps I should just create a third read-only replicating secondary
which no applications connect to and backup from that ?
The possible problem I see with that setup is what happens if the
slapcat occurs during an update from the provider to the consumer ?
12 years, 2 months
LDAP - Password and userId length
by yukti kaura
Hi,
I am required to perform length validation on the credentials used to log in to
LDAP.
Could you please help me with the length of the userId and password used to log
in to LDAP?
Thanks for all your help
Yukti
12 years, 2 months
Re: How to set BDB "read-only" before slapcat command ?
by Andrew Hall
Dieter Klünter writes...
> man slapd.conf(5), readonly on
Thanks for the info.
So I would need to edit the .conf file and restart the service for
this to take effect ?
Is there no "on the fly" solution similar to "FLUSH TABLES WITH READ
LOCK;" for example ?
Thanks.
12 years, 2 months
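There is an on-the-fly equivalent when slapd is run from cn=config rather than slapd.conf: `readonly` is the `olcReadOnly` attribute of the database entry, and it can be flipped with ldapmodify without a restart. The following is an added example, not from the thread; it assumes the database is `olcDatabase={1}bdb,cn=config` and that root on the box can bind to cn=config over ldapi:/// with SASL EXTERNAL, both of which vary between installations.

```ldif
# Added example (not from the thread). Assumed: the database entry is
# olcDatabase={1}bdb,cn=config and root can modify cn=config via ldapi:///.
#
# Sequence, from a shell on the server:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f readonly-on.ldif
#   slapcat -n 1 -l backup-$(date +%F).ldif
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f readonly-off.ldif

# readonly-on.ldif
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcReadOnly
olcReadOnly: TRUE

# readonly-off.ldif
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcReadOnly
olcReadOnly: FALSE
```

Two caveats before relying on it. While the flag is set, every write is refused with "unwilling to perform", so in the setup described earlier in the thread the writes chained from the secondaries to the hidden primary will fail outright during the slapcat rather than queue; applications see errors, not a pause. And it only stops new operations from starting; it does not make a sequence of related writes that an application began before the flag was set atomic, which is the inconsistency the Admin Guide passage is actually about. Wrap the three commands in a script that turns read-only off again on any failure, or you will leave the directory refusing writes after a broken backup run.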