sasl issue - but I don't want sasl atm
by Da Rock
I know the security implications of this, but I just want to stage this
procedure and take one problem at a time; trouble is, the system wants me
to bite off more than I can chew at a given time!
I have set up an LDAP server, and LDAP admin programs can connect to it, but
when I run, say, ldapsearch, it says it can't connect, with the following
error:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
Sure, eventually I'd like to secure things more, but I simply need to
test things at this point. It also gets in the way of other things which
I'm just looking in to right now.
I kinda understand the error code, but I'm not entirely sure what the -2
is; I've been working on the premise that it can't connect because the
security service isn't set up (SASL or krb principal), so I'm trying to
work out how to set up the system to do a simple bind (through ldap.conf?
either /etc/ or openldap/), but I can't for the life of me get it to
cooperate.
Any help? What info is needed here to resolve this?
Cheers
14 years, 2 months
syncrepl issue
by Oliver Henriot
Dear list users,
I have a master openldap 2.3 server which is replicated via syncrepl on
half a dozen other servers (2.3 too).
Due to a legacy application from which I have to import passwords once a
day, the master server is stopped, erased and re-built from scratch once
every day...
I have noticed that all the replicas have recovered only a partial
subset of the entries and the strange thing is that all the replicas
have the same subset. They are all missing a few hundred entries.
When I stop the replicas, erase their data and start them anew, they
replicate just fine and are consistent with the master server.
I was wondering: could this be due to the fact that the replicas have
problems erasing the old entries and replacing them with the new set of
entries? Would increasing the syncprov-checkpoint <ops> and
syncprov-sessionlog <size> values improve the situation? I also recall
reading something about a specific configuration directive to improve
delete replication, but I have a feeling it was 2.4 specific...
Thanks,
Cheers
- --
Oliver Henriot B.Sc. Ph.D. | Technicien de Maintenance
Moyens Informatiques et Multimédia | UMS MI2S | http://mi2s.imag.fr/
Domaine universitaire BP53 | 38041 Grenoble cedex 9 | France
tel.: +33 4 76 51 43 48 | fax: +33 4 76 51 47 15
14 years, 2 months
open-source admin tools
by Raul Libório
Hello,
I wonder which you think are the best open-source tools to maintain a
database, and which currently are the best if they leave ...
I want to integrate the environment, leaving everything tied in (LDAP proxy,
samba, e-mail clients, asterisk, joomla!).
I see much talk of phpldapadmin; is that what everyone talks about?
------
Raul Libório
http://rauhmaru.blogspot.com/
rauhmarutsªhotmailºcom
Linux user#4444581
Brazil
"The bug is on the table."
14 years, 2 months
Unable to get openldap to use active directory as ldap backend but am able to search using ldapsearch
by Kyle Pike
It might be easier to read all of this on here:
http://www.linuxquestions.org/questions/linux-server-73/unable-to-get-lda...
I am able to bind to and search AD with ldapsearch, but am unable to get
OpenLDAP to use it as a backend DB.
I am able to search for a user in Active Directory by using the following:
ldapsearch -v -H ldap://charizard.company.internal -x -b "dc=company,dc=internal" -D "cn=ldap proxy,cn=Users,dc=company,dc=internal" -w 'passwd' -LLL "(sAMAccountName=testuser)"
My slapd.conf looks like:
slapd.conf
-----------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1024
database ldap
suffix "cn=Users,dc=company,dc=internal"
rootdn "cn=ldap proxy"
uri "ldap://charizard.company.internal"
binddn "cn=ldap proxy,cn=Users,dc=company,dc=internal"
bindpw "passwd"
rwm-rewriteEngine on
rwm-map objectclass account user
rwm-map attribute uid sAMAccountname
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail userPrincipalName
rwm-map attribute *
lastmod off
chase-referrals no
access to * by * read
-----------------------------
When I try to search on my OpenLDAP host, I receive:
[kylec@localhost ~]$ ldapsearch -v -H ldap://localhost -x -b "cn=Users,dc=company,dc=internal"
ldap_initialize( ldap://localhost )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=company,dc=internal> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
# numResponses: 1
--------------------------------
In slapd debug log I can see the following...
backend_startup_one: starting "cn=Users,dc=corpedia,dc=internal"
ldap_back_db_open: URI=ldap://charizard.corpedia.internal
slapd starting
ldap_pvt_gethostbyname_a: host=heracross.corpedia.local, r=0
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 9
do_bind: v3 anonymous bind
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 69 contents:
ber_get_next
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <cn=Users,dc=corpedia,dc=internal>
<<< dnPrettyNormal: <cn=Users,dc=corpedia,dc=internal>,
<cn=users,dc=corpedia,dc=internal>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=0 op=1 dn="[anonymous]"
ldap_create
ldap_url_parse_ext(ldap://charizard.corpedia.internal)
=>ldap_back_getconn: conn 0x8ad8a88 inserted refcnt=1 binding=1
ldap_search_ext
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP charizard.corpedia.internal:389
ldap_new_socket: 10
ldap_prepare_socket: 10
ldap_connect_to_host: Trying 10.0.0.6:389
ldap_connect_timeout: fd: 10 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 73 bytes to sd 10
ldap_result ld 0x8ad0860 msgid 1
ldap_chkResponseList ld 0x8ad0860 msgid 1 all 0
ldap_chkResponseList returns ld 0x8ad0860 NULL
wait4msg ld 0x8ad0860 msgid 1 (timeout 100000 usec)
wait4msg continue ld 0x8ad0860 msgid 1 all 0
** ld 0x8ad0860 Connections:
* host: charizard.corpedia.internal port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Mar 27 16:23:13 2009
** ld 0x8ad0860 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x8ad0860 Response Queue:
Empty
ldap_chkResponseList ld 0x8ad0860 msgid 1 all 0
ldap_chkResponseList returns ld 0x8ad0860 NULL
ldap_int_select
read1msg: ld 0x8ad0860 msgid 1 all 0
ber_get_next
ber_get_next: tag 0x30 len 167 contents:
read1msg: ld 0x8ad0860 msgid 1 message type search-result
ber_scanf fmt ({eaa) ber:
read1msg: ld 0x8ad0860 0 new referrals
read1msg: mark request completed, ld 0x8ad0860 msgid 1
request done: ld 0x8ad0860 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=1
ber_flush: 163 bytes to sd 9
connection_get(9): got connid=0
connection_read(9): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ber_get_next on fd 9 failed errno=0 (Success)
connection_read(9): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=9 for close
do_unbind
connection_close: deferring conn=0 sd=9
connection_resched: attempting closing conn=0 sd=9
connection_close: conn=0 sd=9
=>ldap_back_conn_destroy: fetching conn 0
connection_get(9): connection not used
connection_read(9): no connection!
Any help would be much appreciated :-)
14 years, 2 months
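The search above reaches the proxy with an anonymous bind (the slapd log shows `do_bind: v3 anonymous bind`), and the `result: 1 Operations error` text is Active Directory's answer to a search on a connection that never bound: back-ldap forwarded the operation with the client's own (anonymous) identity. In slapd-ldap(5) the directive that makes the proxy bind to the target on the client's behalf is `idassert-bind`; the `binddn`/`bindpw` pair in the posted config is the administrative identity back-ldap uses for its own ACL lookups, not the identity it forwards operations under. The fragment below is an added example, not part of the original post or of the OpenLDAP documentation. It reuses the DNs and hostname from the post, uses a placeholder password, and assumes the `mode=none` and `idassert-authzFrom` semantics of slapd-ldap(5) for 2.3/2.4 as I understand them; check both against the man page of the installed release.

```conf
# Added example (not from the original post): back-ldap proxy to AD that
# binds to AD as a service account on behalf of clients that bound to the
# proxy anonymously. PLACEHOLDER_PASSWORD is a placeholder.
database        ldap
suffix          "cn=Users,dc=company,dc=internal"
rootdn          "cn=ldap proxy"
uri             "ldap://charizard.company.internal"

# Administrative identity for the proxy's own ACL-related lookups (as in
# the posted config; not used to forward client operations).
binddn          "cn=ldap proxy,cn=Users,dc=company,dc=internal"
bindpw          "PLACEHOLDER_PASSWORD"

# Identity asserted towards AD for forwarded operations.
# mode=none: bind as this DN and do not send the proxied-authorization
# control, which AD does not accept (assumption: verify in slapd-ldap(5)).
idassert-bind   bindmethod=simple
                binddn="cn=ldap proxy,cn=Users,dc=company,dc=internal"
                credentials="PLACEHOLDER_PASSWORD"
                mode=none

# Which local identities may use the asserted identity. "dn:*" covers
# everyone, anonymous included, which is what the failing search needs.
idassert-authzFrom "dn:*"

rwm-rewriteEngine on
rwm-map objectclass account user
rwm-map attribute uid sAMAccountName
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail userPrincipalName
rwm-map attribute *
lastmod         off
chase-referrals no

# With identity assertion, AD's per-user access control no longer applies
# to proxied clients, so the local ACL decides what anonymous users see.
access to attrs=userPassword
        by * none
access to *
        by * read
```

The security trade-off is the point to keep in mind: once `idassert-authzFrom "dn:*"` is in place, every client the proxy accepts, including anonymous ones, reads AD with the service account's rights, so the proxy's `access to` rules must be at least as strict as the view you want to expose, and the file holding `credentials=` must not be world-readable.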
OpenLDAP Load balancing.
by William Jojo
Under 2.4.x I would like to have 4 replicas of a master or perhaps just
use 4 masters in multi-master replication. What is more important is I
would like to provide one IP for LDAP queries. I have seen PEN and POUND
and other types of TCP "load balancers" for simple TCP and was wondering
what the OpenLDAP community recommends for doing such tasks and the
implications of TLS/SSL on these tools.
I thought about DNS round robin, but that doesn't take into account a
missing or non-responsive server, whereas a product like PEN seems to do so.
I looked at some older threads regarding this, but there don't seem to be
any definitive recommendation(s) by the OpenLDAP community, who I feel
are the best source for such solutions. :-)
Cheers,
Bill
14 years, 2 months
Syncrepl doesn't delete entries?
by Jordi Espasa Clofent
Hi all,
In provider:
# provider
moduleload syncprov
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
index entryCSN eq
index entryUUID eq
and ...
ldap01:~# ldapsearch -x -b 'dc=mydomain,dc=com' '(objectclass=*)' | grep javi
# javi, CAT, Tecnic, mydomain.com
dn: cn=javi,ou=CAT,ou=Tecnic,dc=mydomain,dc=com
cn: javi
# javi, CAT, Tecnic, mydomain.com
dn: uid=javi,ou=CAT,ou=Tecnic,dc=domain,dc=com
uid: javi
cn: javi
homeDirectory: /usr/local/home/javi
but in the consumer:
# consumer
index objectclass,entryCSN,entryUUID eq
syncrepl rid=125
provider=ldap://192.168.10.10:389
type=refreshAndPersist
searchbase="dc=mydomain,dc=com"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
bindmethod=simple
binddn="cn=Manager,dc=mydomain,dc=com"
credentials=<password>
ldap02:/var/lib# ldapsearch -x -b 'dc=mydomain,dc=com' '(objectclass=*)' | grep javi
# javi, Tecnic, mydomain.com
dn: uid=javi,ou=Tecnic,dc=mydomain,dc=com
uid: javi
cn: javi
homeDirectory: /usr/local/home/javi
# javi, CAT, Tecnic, mydomain.com
dn: cn=javi,ou=CAT,ou=Tecnic,dc=mydomain,dc=com
cn: javi
# javi, CAT, Tecnic, mydomain.com
dn: uid=javi,ou=CAT,ou=Tecnic,dc=mydomain,dc=com
uid: javi
cn: javi
homeDirectory: /usr/local/home/javi
It seems that the info in the provider and the consumer is different.
If I try, for example, to change the password in the provider, I see that the
value in the consumer changes automatically. Good.
But it seems that if I delete some entries in the consumer, these changes are not
reflected in the consumer.
Where is the problem? How can I debug it?
--
Thanks,
Jordi Espasa Clofent
14 years, 2 months
Require object classes in an OU
by Troy Knabe
We have a custom schema and we would like to require that all entries
in ou=Group have that objectClass in order to be added. Can someone
point me in the direction that I should be looking?
Thanks
-Troy
14 years, 2 months
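One way to enforce this with slapd's own access control, as an added example that is not part of the original post or of the OpenLDAP documentation; the suffix, the class name and the admin group DN are placeholders. It relies on two points from slapd.access(5): adding an entry requires write access to the new entry's `entry` pseudo-attribute and to the parent's `children` pseudo-attribute, and a `filter=` clause is matched against the target entry, which for an add is the entry being added (verify that second point on your release before relying on it). The rootdn bypasses ACLs regardless, so it can still create non-conforming entries.

```conf
# Added example (not from the original post): only entries carrying
# myRequiredClass may exist under ou=Group. Order matters: slapd uses the
# first "access to" clause whose target matches, so these go before any
# broader "access to *" rule.

# 1. Anything under ou=Group that lacks the class gets no access at all,
#    so it can neither be added nor, if it already exists, read or changed.
#    Run slapcat first to find existing entries this would hide.
access to dn.children="ou=Group,dc=example,dc=com"
        filter="(!(objectClass=myRequiredClass))"
        attrs=entry
    by * none

# 2. Conforming entries under ou=Group: the group admins may manage them.
access to dn.children="ou=Group,dc=example,dc=com"
        attrs=entry
    by group.exact="cn=groupadmins,ou=Roles,dc=example,dc=com" write
    by * read

# 3. The right to create or delete children of the OU itself lives on the
#    OU's "children" pseudo-attribute, which dn.children above excludes.
access to dn.base="ou=Group,dc=example,dc=com"
        attrs=children
    by group.exact="cn=groupadmins,ou=Roles,dc=example,dc=com" write
    by * read
```

Rule 1 never matches a conforming entry, so such entries fall through to rule 2; a non-conforming one is caught by rule 1 and denied before rule 2 is consulted. slapacl(8) lets you test the result for a given bind DN and attribute without going through a client.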
mirrormode replication issues
by Jonas Haskins
Hello friends, I've been trying to set up Mirror Mode replication, using
the openldap.org docs and others from googling, and am having some
interesting results. I am new to this, so this has been an enlightening
experience to say the least, but perhaps someone on the list might be
able to answer a few questions; that would be awesome...
I have 2 nodes, and want to get mirror mode running for high
availability, and will add samba to auth (later).
Basically it seems that mirror mode is sort of working; I can see the
syncrepl talking back and forth. However, I cannot write to either
node once replication is running.
The example below is me trying to add a user account.
The error is (phpldapadmin reports):
Mar 26 13:14:38 ldap01 slapd[1433]: >>> dnPrettyNormal:
<cn=joepreston,dc=foobar,dc=com>
Mar 26 13:14:38 ldap01 slapd[1433]: <<< dnPrettyNormal:
<cn=joepreston,dc=foobar,dc=com>, <cn=joepreston,dc=foobar,dc=com>
Mar 26 13:14:38 ldap01 slapd[1433]: do_add: dn
(cn=joepreston,dc=foobar,dc=com)
Mar 26 13:14:38 ldap01 slapd[1433]: conn=14 op=1 ADD
dn="cn=joepreston,dc=foobar,dc=com"
Mar 26 13:14:38 ldap01 slapd[1433]:
bdb_dn2entry("cn=joepreston,dc=foobar,dc=com")
Mar 26 13:14:38 ldap01 slapd[1433]: =>
bdb_dn2id("cn=joepreston,dc=foobar,dc=com")
Mar 26 13:14:38 ldap01 slapd[1433]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30989)
Mar 26 13:14:38 ldap01 slapd[1433]: bdb_referrals: op=104
target="cn=joepreston,dc=foobar,dc=com" matched="dc=foobar,dc=com"
Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_result: conn=14 op=1 p=3
Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_result: err=53 matched=""
text="shadow context; no update referral"
Mar 26 13:14:38 ldap01 slapd[1433]: send_ldap_response: msgid=2 tag=105
err=53
Mar 26 13:14:38 ldap01 slapd[1433]: conn=14 op=1 RESULT tag=105 err=53
text=shadow context; no update referral
Mar 26 13:14:38 ldap01 slapd[1433]: daemon: activity on 1 descriptor
Ma
so:
text="shadow context; no update referral"
Using mirrormode, I should be able to write to the db, correct?
Initially, I used ldapadd to add my ldif files on node 1 (with syncrepl
commented out), then used slapcat/slapadd to populate the db on node 2,
then uncommented syncrepl on both nodes and restarted both
(this was because I was trying to troubleshoot the DB_NOTFOUND error
above... the result was it still errored); however, it seems the
text=shadow context; no update referral may be the real issue.
Am I missing something in these configs in regards to mirrormode?
Logs seem to indicate syncrepl is talking, and access is allowed,
but no write, and if I ldapadd to node 1 (with replication commented out),
then uncomment and restart both (so node 1 has data but node 2 does not),
I can see syncrepl talking, but node 2 never picks up the changes.
OK, whew, sorry about all of that... any ideas?
Using:
openldap-2.3.27
CentOS 5.2 2.6.18-92.el5 64
db-4.7.25
smbldap-tools-0.9.5-1
I was going to upgrade to the latest, but there are a ton
of deps, so I thought I'd ask first...
Many, many thanks!
node1: slapd.conf
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/samba.schema
loglevel -1
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib64/openldap
moduleload back_bdb.la
moduleload back_ldap.la
moduleload back_ldbm.la
moduleload back_passwd.la
moduleload back_shell.la
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem
access to *
by dn.base="cn=Manager,dc=foobar,dc=com" read
by * break
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=foobar,dc=com"
rootdn "cn=Manager,dc=foobar,dc=com"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXX
directory /var/lib/ldap
index objectclass,entryCSN,entryUUID eq
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index memberUid,mail,givenname eq,subinitial
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# Global section
serverID 1
# database section
# syncrepl directive
syncrepl rid=001
provider=ldap://ldap02.hq.foobar.com
bindmethod=simple
binddn="cn=Manager,dc=foobar,dc=com"
credentials=morefoo
searchbase="dc=foobar,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
node2:
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/samba.schema
loglevel -1
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib64/openldap
moduleload back_bdb.la
moduleload back_ldap.la
moduleload back_ldbm.la
moduleload back_passwd.la
moduleload back_shell.la
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/slapdkey.pem
access to *
by dn.base="cn=Manager,dc=foobar,dc=com" read
by * break
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=foobar,dc=com"
rootdn "cn=Manager,dc=foobar,dc=com"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXX
directory /var/lib/ldap
index objectclass,entryCSN,entryUUID eq
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
index memberUid,mail,givenname eq,subinitial
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# Global section
serverID 2
# database section
# syncrepl directive
syncrepl rid=001
provider=ldap://ldap01.hq.foobar.com
bindmethod=simple
binddn="cn=Manager,dc=foobar,dc=com"
credentials=morefoo
searchbase="dc=foobar,dc=com"
schemachecking=on
type=refreshAndPersist
retry="60 +"
mirrormode on
--
Jonas Haskins
Sr Network Administrator
jhaskins(a)adready.com (206)792-5184
AdReady INC
14 years, 2 months
configuring SSL certificate chains for slapd
by Marc Ochs
Please forgive me if this should be clear, but could someone please point me
to info on how to configure an SSL certificate chain for ldaps in slapd?
My CA of choice requires a chain cert, and I'm having trouble finding this
information in the fine documentation.
Thanks much,
Marc
14 years, 2 months
Proxy to Active Directory: lost field
by Bogdan B. Rudas
Hello.
I use OpenLDAP as a proxy for M$ AD.
The problem is: I can set a filter only on some fields, like CN or Name.
I can't query AD by sAMAccountName via the proxy.
Also, I can't see many AD-specific fields while browsing AD via the OpenLDAP
proxy.
Request to proxy:
ldapsearch -M -LLL -H ldap://localhost:389 -x -D
"cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
password -x -b "dc=domain,dc=company,dc=com"
'(sAMAccountName=bogdan.rudas)' sAMAccountName
Returns nothing.
Request directly to AD LDAP:
ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D
"cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
password -x -b "dc=domain,dc=company,dc=com"
'(sAMAccountName=bogdan.rudas)' cn
Returns:
dn: CN=Bogdan Rudas.......skipped....
cn: Bogdan Rudas
Yet another request to proxy:
ldapsearch -M -LLL -H ldap://ADserver.domain.company.com:1234 -x -D
"cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com" -w
password -x -b "dc=domain,dc=company,dc=com" '(name=Bogdan Rudas)' cn
sAMAccountName
dn: cn=Bogdan Rudas.......skip.....
cn: Bogdan Rudas
SAMACCOUNTNAME: bogdan.rudas
Slapd version 2.4.11-1
Running on Debian 5.0 amd64
OpenLDAP config:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_ldap
access to dn.base="" by * read
access to *
by self read
by users read
by anonymous auth
loglevel 256
######################################################
# database definitions
######################################################
database ldap
suffix "dc=intra,dc=nival,dc=com"
uri "ldap://ADserver.domain.company.com:1234"
acl-bind bindmethod=simple
binddn="cn=aduser,ou=allusers,ou=itdep,dc=domain,dc=company,dc=com"
credentials=password
chase-referrals yes
14 years, 2 months
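In the last search the attribute comes back as `SAMACCOUNTNAME` in upper case, which is how slapd prints an attribute it has no schema definition for; a filter on an attribute the proxy's schema does not know evaluates as undefined and matches nothing, which fits the empty result for `(sAMAccountName=bogdan.rudas)` through the proxy. The usual remedy is to give the proxy slapd a definition of the AD attributes that clients put in filters. The schema fragment below is an added example, not part of the original post or of the OpenLDAP distribution; the OID and syntax are the ones published for the AD sAMAccountName attribute (verify them against your forest's schema), and the file path is a placeholder.

```conf
# Added example (not from the original post). Save as, for instance,
# /etc/ldap/schema/ad-proxy.schema (placeholder path), then add
#     include /etc/ldap/schema/ad-proxy.schema
# to slapd.conf after the other schema includes and restart slapd.
#
# Proxy-side definition of the AD logon-name attribute so that filters
# and requested-attribute lists naming it are parsed as known attributes.
attributetype ( 1.2.840.113556.1.4.221
    NAME 'sAMAccountName'
    DESC 'Active Directory logon name (proxy-side definition)'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
```

Every other AD attribute clients need to filter on (not merely read) needs the same treatment, with the OID taken from the AD schema rather than invented. Two further points from the posted config are worth checking while at it: the proxy's `suffix` is `dc=intra,dc=nival,dc=com` while the searches use `dc=domain,dc=company,dc=com`, and the proxy passes client credentials to AD in clear over plain `ldap://`, so putting TLS on both the client-to-proxy and proxy-to-AD legs is part of making this setup sound.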