openldap-technical February 2009

openldap-technical@openldap.org

63 participants
67 discussions

Re: How to set BDB "read-only" before slapcat command ?
by Andrew Hall 09 Feb '09

09 Feb '09

2009/2/8 Michael Ströder <michael(a)stroeder.com>: > Note that this is only needed if you have to ensure the integrity of > inter-related LDAP entries. So this depends on your deployment, > especially the writing LDAP client applications. > > But thinking more thoroughly about this it could be also a problem if a > client application trys to modify several entries and you're switching > to read-only mode in between as preparation for a backup. Even if the > application would theoretically be capable of rolling back all the > changes it wouldn't help since the LDAP server is read-only then. > > So the solution would be rather to really make sure that no > admin/provisioning application is running anymore. > > I think the admin guide could clarify this. I can't really close client applications unless I gracefully terminate all connections on the LDAP server perhaps ? I guess that could be one option.

1 0

How to set BDB "read-only" before slapcat command ?
by Andrew Hall 08 Feb '09

08 Feb '09

Hi there. According to this doc... http://www.openldap.org/doc/admin24/maintenance.html#Directory Backups Prior to slapcat being used for a backup the DB should be set to read-only. How exactly is this done ? I am using a BDB backend and all I can find is in this doc... http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/… Which also doesn't describe how. Is there an OpenLDAP or BDB command / tool which I can use to do this ? Thanks very much.

2 1

ldap_search_s hangs with ms active directory
by Sankhadip Sengupta 07 Feb '09

07 Feb '09

Hi, I have written a C ldap client to interact with a MS Active Directory in Win Server 2003. When I search for the base DNs from scope LDAP_SCOPE_BASE I get all the results perfectly.But when I try to search for an existing user anonymously( I set all the permissions in the ACLS ) it hangs indefinitely. Now, surprisingly when I search with the ldapsearch tool it works fine. I use this : attrs[0]=LDAP_ALL_USER_ATTRIBUTES; attrs[1]=NULL; attrsonly=0; ldap_search_s(ld,"dc=test,dc=com",LDAP_SCOPE_SUBTREE,"uid=test",NULL,0,&msg) After a long period when it returns, I get return code 0 (Success) but there is no entry in that. Can anyone help me? This works fine with slapd server 2.4.12.I am totally confused. Thanks, Sankhadip

4 5

Access to a sync provider via back-meta
by ali.pouya＠free.fr 07 Feb '09

07 Feb '09

Hi, I need to connect my replica to a sync provider via an intermediate slapd configured with back-meta. My goal is to use the rewrite/map functions of back-meta. But I find that slapd crashes each time the replica is started. May be back-meta does not support LDAP controls ? or LDAP partial responses ? Does any one have an experience with this ? I precise that I cannot use the RWM overlay for many reasons : -The RWM overlay has to be installed in the remote sync provider server that is managed by another team. -the overlay is incompatible with the other uses of that server. -The overlay is still experimental but back-meta is not. -And finally, when I configure the overlay on my test server (by simply adding the line "overlay rwm" in the config) slapd crashes each time I make an LDAP search ! (I'm using OpenLdap 2.4.13). I do not send an issue (ITS) for theses crashes because I think that I'm not using a standard feature of slapd. Can any one help me ? Thanks & best regards Ali

2 3

objectClass: ...
by Brian Krusic 06 Feb '09

06 Feb '09

Hi all, I'm back to ask for proper population of ldap dirs so I start with good habits. I've done all three on test servers and haven't noticed any functional issues. What is the best way to define my top level nodes; objectClass: dcObject objectClass: organizationalUnit or objectClass: top objectClass: dcObject objectClass: organization or objectClass: domain Humbly your, - Brian

3 3

Moving Old Certs to New Servers
by James Angell 05 Feb '09

05 Feb '09

Hi Guys, We have just built new replacement LDAP servers and are about to make to switch from the old ones. All of the certs we use are currently authenticated against the old servers. Does anyone know if it is possible to use these certs to authenticate against the new servers or are we going to have to create all new certs for all servers and workstations? Thanks in advance. - Jim -- Regards Jim Angell Cade Network Operations College Of Engineering Phone: 581-7551

1 0

RE: Forgotten password recovery
by Brett Maxfield 05 Feb '09

05 Feb '09

Maybe generate a random challenge, store it in ldap as an additional hashed password value maybe with a special {challenge} hash type as a marker, assuming ldap will try *all* passwords when logging in. openldap would need to know the marker {challenge} hash type is like {plain} or some other hash type for purposes of comparison. You cannot allow reset of a password (destroying the old one) immediately, as otherwise you are allowing a denial of service attack where people could randomly reset passwords. But given the random challenge (returned by the user) could now be used for authentication, the user could authenticate as themselves and reset thier own password, and remove the temporary challenge password. This probably requires a marker "hash" type to identify temporary hash password, to allow reliable removal of old or expired challenge passwords. -----Original Message----- From: Vincent Panel <yohonet(a)gmail.com> Sent: Thursday, 5 February 2009 1:59 AM To: openldap-technical(a)openldap.org Subject: Forgotten password recovery On 2/4/09, Michael Ströder <michael(a)stroeder.com> wrote: > Yes, but these "temporary security objects" have to be generated. If you > do this automagically you have a privileged service account which resets > the user's password in combination with a e-mail based > challenge-response check. I agree, but until I get your replies, I did not find any satisfying solution integrating this "e-mail based challenge-response check". I wanted the ldap server to validate the challenge which is going to be possible if I make drupal create those security objects with the challenge answer as the password. Once a user comes back with its response to the challenge, drupal will try to bind to the LDAP server as this temporary security object with the password being the "challenge" url. If the bind is successful, then drupal will automatically be granted the right to reset the corresponding user's password (thanks to regex ACLs). Once this is done, the user will be able to log in (or actually, drupal will log the user in) This is probably a bit complex to implement, but I'm gonna try.

3 2

[openldap] Newbie question: can the server (slapd) show incoming search queries?
by sol myr 05 Feb '09

05 Feb '09

Hi, I'm new to ldap, and would appreciate help on the following: I'm running the stand-alone server (slapd), and allow some client machines run search queries against it (ldapsearch). My question: I'd like the "slapd" server to show the incoming search queries. Can it be done? For example: - If the client runs "ldapsearch -h myhost -b "dc=example,dc=com" -s sub "objectclass=*" - I'd like the server console(or log file) to show something like: Incoming query: -b "dc=example,dc=com" -s sub "objectclass=*" I'd tries running "slapd" in debug mode (slupd -d 1), but couldn't quite deduce the query from it (it logs lot of detailed lines, but I couldn't gather the qeury from them. Probably my fault for being a newbie). Thanks :)

3 2

slave dbd files and timestamps
by Ken McLauchlin 05 Feb '09

05 Feb '09

Hi there, We're running openldap 4.1.25 on 4 servers. 2 servers on a site running in master/slave configuration and 2 more on a remote site running as slaves receiving updates from the slurpd running on the master. The question I have isn't really anything to do with the configuration but with what files should be updated on the remote slave servers on update? The slave running at the same site as the master has all the files (dc.bdb, db2id.bdb, id2entry.bdb and objectClass.bdb) all updated with the same timestamp. However on the remote slaves the objectClass.bdb is NOT updated at the same time as the others. Is this a problem? As an aside, we are getting a log.00000xxxx file created every couple of days on the remote slave servers which isn't happening on the primary site slave server. Is this a configuration issue? Hope you can help. Cheers, Ken

1 0

Forgotten password recovery
by Vincent Panel 04 Feb '09

04 Feb '09

On 2/4/09, Michael Ströder <michael(a)stroeder.com> wrote: > Yes, but these "temporary security objects" have to be generated. If you > do this automagically you have a privileged service account which resets > the user's password in combination with a e-mail based > challenge-response check. I agree, but until I get your replies, I did not find any satisfying solution integrating this "e-mail based challenge-response check". I wanted the ldap server to validate the challenge which is going to be possible if I make drupal create those security objects with the challenge answer as the password. Once a user comes back with its response to the challenge, drupal will try to bind to the LDAP server as this temporary security object with the password being the "challenge" url. If the bind is successful, then drupal will automatically be granted the right to reset the corresponding user's password (thanks to regex ACLs). Once this is done, the user will be able to log in (or actually, drupal will log the user in) This is probably a bit complex to implement, but I'm gonna try.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2009