March 2009 - openldap-technical

by Brian Krusic

Hi all, How would you run an external script automatically after an LDAP change (add/remove a user)? I've checked around and can't seem to find a solution that I can understand. - Brian

11 years, 10 months

3
4
0 / 0

LDAP proxy and referral

by pierre laffont

Hi, You must already know I'm a French student then i hope you will understand me !! : ) For a project i have to study and make a decision on a new deployment of openldap in the university of Toulouse where i am. for that i read Lot's of sheets on openldap but somethings wrong. To respect of the multitier application we wants to have a frontend proxy and behind this, 3 N-WAY multimaster servers. I have two different database on my replication, the first is the root DIT (dc=iut,dc=fr)and the second database (de=student) must be chain as an OU in the tree of the first database(ou=student,dc=iut,dc=fr). here is my problem, i want an unified presentation of DIT but how can i chain my second database in the first ? with chaining overlay on my 3 servers ? with the meta backend ? with the ldap backend ? and if i use one of the both backend must i add an ldif entry referral for that ? do you have some example ? I'm lost ! Thank you very much for your help ! and sorry for my English : ) Pierre LAFFONT.

11 years, 10 months

1
0
0 / 0

Re: SEGV on AIX (Was: Please test RE24 (3/18/2009 call for testing))

by William Jojo

Resending since I didn't see it hit the list. Cheers, Bill Using the RE24 from CVS last night Mar 22 20:32 EDT... On AIX 5.3: Running 251 of 500 iterations running defines.sh Initializing server configurations... Starting server 1 on TCP/IP port 9011... Using ldapsearch to check that server 1 is running... Inserting syncprov overlay on server 1... Starting server 2 on TCP/IP port 9012... Using ldapsearch to check that server 2 is running... Configuring syncrepl on server 2... Starting server 3 on TCP/IP port 9013... Using ldapsearch to check that server 3 is running... Configuring syncrepl on server 3... Starting server 4 on TCP/IP port 9014... Using ldapsearch to check that server 4 is running... Configuring syncrepl on server 4... Adding schema and databases on server 1... Using ldapadd to populate server 1... ldapadd failed for server 1 database (254)! ------------------------------- Error log: LABEL: CORE_DUMP IDENTIFIER: 40E9A4E1 Date/Time: Mon Mar 23 04:15:11 2009 Sequence Number: 377 Machine Id: 000345FAD300 Node Id: dev53 Class: S Type: PERM Resource Name: SYSPROC Description SOFTWARE PROGRAM ABNORMALLY TERMINATED Probable Causes SOFTWARE PROGRAM User Causes USER GENERATED SIGNAL Recommended Actions CORRECT THEN RETRY Failure Causes SOFTWARE PROGRAM Recommended Actions RERUN THE APPLICATION PROGRAM IF PROBLEM PERSISTS THEN DO THE FOLLOWING CONTACT APPROPRIATE SERVICE REPRESENTATIVE Detail Data SIGNAL NUMBER 11 USER'S PROCESS ID: 495704 FILE SYSTEM SERIAL NUMBER 15 INODE NUMBER 905219 PROCESSOR ID 6 CORE FILE NAME /stage/openldap/RE24/ldap/tests/testrun/srv1/core PROGRAM NAME lt-slapd STACK EXECUTION DISABLED 0 COME FROM ADDRESS REGISTER ADDITIONAL INFORMATION strlen 0 _doprnt 2004 Symptom Data REPORTABLE 1 INTERNAL ERROR 0 SYMPTOM CODE PCSS/SPI2 FLDS/lt-slapd SIG/11 FLDS/strlen VALU/0 FLDS/_doprnt ------------------------------ DBX is: Segmentation fault in noname.strlen [/usr/lib/libs.a] at 0xd0335680 ($t14) 0xd0335680 (strlen) 89030000 lbz r8,0x0(r3) (dbx) GCC is: [dev53:/stage/openldap/RE24/ldap/tests] # gcc -v Using built-in specs. Target: powerpc-ibm-aix5.3.0.0 Configured with: ../stage/gcc-4.2.3/configure --disable-shared --enable-threads=posix --prefix=/usr/local --with-long-double-128 --enable-languages=c,c++ Thread model: aix gcc version 4.2.3 BDB 4.6.21.4, OpenSSL 0.9.8.10 (0.9.8j)

11 years, 10 months

3
3
0 / 0

User root from client can be all another users

by Marcelo Gomes

Hi! In my network, when some client do login as root (local) he can type "su -l" and be all another user from ldap. How can i block this ? thanks Marcelo Gomes

11 years, 10 months

4
3
0 / 0

smbk5pwd - slapd stops responding - please help-me!

by Eduardo Sachs

Hi People, I use the overlay smbk5pwd for sync password of Samba with the of Heimdal Kerberos. In Debian Etch using Samba 3.0.24-6etch10, OpenLDAP 2.3.30-5+etch2 and Heimdal Kerberos 0.7.2.dfsg.1-10, I don't have problems. But, in Debian Lenny using Samba 2:3.2.5-4, OpenLDAP 2.4.11-1, and Heimdal Kerberos 1.2.dfsg.1-2.1, I have problems. When I invoke smbpasswd or ldappaswd and trying change the password, slapd stops responding. With kpasswd I do not have problems, change the password of Samba and Kerberos correctly, and userPassword fixed with {K5KEY}, slapd not stops responding (working correctly), but, I need change the password with smbpasswd for Windows clients. Below follows a more detailed debug, has something else that I can show? This is a bug? slapd.conf configuration: moduleload smbk5pwd overlay smbk5pwd smbk5pwd-enable krb5 smbk5pwd-enable samba smbk5pwd-must-change 2592000 password-hash {K5KEY} - OpenLDAP have permission to read/write the file /var/lib/heimdal-kdc/m-key. - I configure OpenLDAP to run with user root and group root, for tests. smb.conf configuration about password: ldap passwd sync = Only unix password sync = no Look this example: 1 - LDAP OK: root# ps aux|grep slapd root 3841 3.0 0.8 21920 4512 ? Ssl 14:47 0:00 /usr/sbin/slapd -h ldap://10.111.222.100:389/ ldaps://10.111.222.100:636/ ldapi:/// -g root -u root -f /etc/ldap/slapd.conf root 3844 0.0 0.1 3116 728 pts/0 S+ 14:47 0:00 grep slapd root# ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: sachs(a)LOCAL.INT.BR SASL SSF: 56 SASL data security layer installed. dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br 2 - Change password witch LDAPPASSWD: root# ldappasswd -x -D "krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" "uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" -w secret -S New password: Re-enter new password: ldap_result: Can't contact LDAP server (-1) root# ps aux|grep slapd root 3832 0.0 0.1 3116 724 pts/0 S+ 14:47 0:00 grep slapd root# ldapwhoami -Y GSSAPI ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) Loglevel in 256, trying change password with LDAPPASWD, stop in PASSMOD: conn=0 fd=18 ACCEPT from IP=10.111.222.100:40181 (IP=10.111.222.100:389) conn=0 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" method=128 conn=0 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" mech=SIMPLE ssf=0 conn=0 op=0 RESULT tag=97 err=0 text= conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1 conn=0 op=1 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new Debug of Overlay Audit, trying change password with LDAPPASWD: # modify 1236964911 dc=local,dc=int,dc=br krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br changetype: modify replace: userPassword userPassword:: e0s1S0VZfQ== - replace: entryCSN entryCSN: 20090313172151.459306Z#000000#000#000000 - replace: modifiersName modifiersName: krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrin cipals,ou=Usuarios,dc=local,dc=int,dc=br - replace: modifyTimestamp modifyTimestamp: 20090313172151Z - # end replace 1236964911 3 - Change Password with SMBPASSWD: LDAP running correctly. root# ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: sachs(a)LOCAL.INT.BR SASL SSF: 56 SASL data security layer installed. dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br # smbpasswd sachs New SMB password: Retype new SMB password: failed to bind to server ldaps://debian.local.int.br/ with dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" Error: Can't contact LDAP server (unknown) Connection to LDAP server failed for the 2 try! Connection to LDAP server failed for the 3 try! Connection to LDAP server failed for the 4 try! Connection to LDAP server failed for the 5 try! Connection to LDAP server failed for the 6 try! Connection to LDAP server failed for the 7 try! Loglevel in 256, trying change password with SMBPASSWD, stop in PASSMOD: conn=2 fd=27 ACCEPT from IP=10.111.222.100:35715 (IP=10.111.222.100:636) conn=2 fd=27 TLS established tls_ssf=128 ssf=128 conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" method=128 conn=2 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" mech=SIMPLE ssf=0 conn=2 op=0 RESULT tag=97 err=0 text= conn=2 op=1 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sachs))" conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1 op=5 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))" conn=1 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass conn=1 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1 op=6 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))" conn=1 op=6 SRCH attr=uid sambaSid conn=1 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text= conn=1 op=7 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))" conn=1 op=7 SRCH attr=cn displayName sambaSid sambaGroupType conn=1 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1 op=8 MOD dn="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" conn=1 op=8 MOD attr=sambaAcctFlags sambaAcctFlags conn=1 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" conn=1 op=9 SRCH attr=supportedExtension conn=1 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=1 op=10 EXT oid=1.3.6.1.4.1.4203.1.11.1 conn=1 op=10 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new conn=1 op=8 RESULT tag=103 err=0 text= Debug of Overlay Audit, trying change password with SMBPASSWD: # modify 1236968199 dc=local,dc=int,dc=br krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br changetype: modify delete: sambaAcctFlags sambaAcctFlags: [U] - add: sambaAcctFlags sambaAcctFlags: [U ] - replace: entryCSN entryCSN: 20090313181639.613866Z#000000#000#000000 - replace: modifiersName modifiersName: krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrin cipals,ou=Usuarios,dc=local,dc=int,dc=br - replace: modifyTimestamp modifyTimestamp: 20090313181639Z - # end replace 1236968199 Thanks!!!

11 years, 10 months

1
0
0 / 0

Re: ssh automatic logins using OpenLDAP

by Norberto Bensa

On Tue, Mar 24, 2009 at 12:51 PM, Jordi Espasa Clofent <jespasac(a)minibofh.org> wrote: > Another related question żis possible to _NOT_ use LDAP auth in some users? > It means, use LDAP+ssh in general sense, with only a few exeptions which > will stills login in local. Just configure pam/nss to use both sources (files and ldap). Then add users to /etc/passwd and ldap as needed

11 years, 10 months

1
0
0 / 0

ssh automatic logins using OpenLDAP

by Jordi Espasa Clofent

Hi all, ¿Is possible to configure ssh automatic logins [1] using/through OpenLDAP? ¿How? Currently the ssh+ldap works perfectly in my OpenLDAP config, so a lot of works has been already done. [1] http://linuxproblem.org/art_9.html -- Thanks, Jordi Espasa Clofent

11 years, 10 months

2
1
0 / 0

mirror mode works just one way

by Hegedus Gabor

Hi, all! I have a problem, I could include the schema to the 2.4 openldap, and I set the mirror mode like the manual said on the first server. I installed the same version openldap to the another server, and set it like the first server. the full database came to the second ldap. If i modify the first database, it push the changes to the second, and I can see the changes on it. BUT when I modify the second database, there is no changes on the first... Why? I can see trafic with tcp dump on first server 389 port,but nothing changes on it. /etc/ldap/* /etc/default/slapd files are the same on both server, and the databases are too. the only differences are the serverID and the provider in the slapd.conf file my mirror mode configuration: serverID 1 moduleload syncprov overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncrepl rid=001 provider=ldap://192.168.1.2 type=refreshAndPersist interval=00:00:00:10 searchbase="dc=test,dc=hu" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=admin,dc=test,dc=hu" credentials="test" mirrormode on I have tried the mirror mode on a basic database and it worked, what is the problem now? please help, it is very important! thank you, best regards, Gabor

11 years, 10 months

3
5
0 / 0

OpenLDAP Syncrepl issue

by Luis Castillo

Hello, I am having an issue getting the OpenLDAP to replicate using syncrepl. Basically, after configuring the consumer I can start the slapd process but I see no replication happening. Do you have a sample configuration file that can provide more info? Is there anything required on the master? Thanks, Luis

11 years, 10 months

5
8
0 / 0

Re: acls for mirrormode user and its clear text passwords

by Tyler Gates

I figured this out. The problem was I didn't have the entry 'anonymous auth' in the clause. >I have a multimaster system running behind a back_ldap proxy and all >is? >running fine except for the fact that the mirrormode user specified in >syncrepl section can only specify its password as cleartext or use sasl >authentication. I'm not so worried about the clear text password being >seen because all connections are via tls. But, if anyone binds, >including anonymous users, that password is visible to them which >scares me because the mirrormode user has write access to the entire >tree. My first course of action was to set acls as write to mirrormode >user and none to everyone else but no matter what I do, replication >between the two servers breaks because it seems as soon as an acl is >defined, mirrormode user no longer has permissions. Am I fundamentally >missing something here with the visible clear text password? Or am I >just not doing the acls right? Below is an example of what I surely >thought would work at a (very minimal level). > >access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword > by anonymous none > >doesn't work. Even: > >access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword > by self write > >gives me no love either. If you need the entire acl I can provide it >but I'm guessing I missing something much more obvious. > >Thanks, > Tyler

11 years, 10 months

1
0
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2009