ldap dir change, ext script?
by Brian Krusic
Hi all,
How would you run an external script automatically after an LDAP
change (add/remove a user)?
I've checked around and can't seem to find a solution that I can
understand.
- Brian
11 years, 10 months
LDAP proxy and referral
by pierre laffont
Hi,
You must already know I'm a French student, so I hope you will understand
me!! :)
For a project I have to study and make a decision on a new deployment of
OpenLDAP at the University of Toulouse, where I am. For that I read lots of
sheets on OpenLDAP but something's wrong.
To respect the multi-tier application we want to have a frontend proxy
and, behind this, 3 N-WAY multimaster servers. I have two different databases
in my replication: the first is the root DIT (dc=iut,dc=fr) and the second
database (de=student) must be chained as an OU in the tree of the first
database (ou=student,dc=iut,dc=fr). Here is my problem: I want a unified
presentation of the DIT, but how can I chain my second database into the first?
With the chaining overlay on my 3 servers? With the meta backend? With the
ldap backend? And if I use one of the two backends, must I add an LDIF
referral entry for that? Do you have some example? I'm lost!
Thank you very much for your help! And sorry for my English :)
Pierre LAFFONT.
11 years, 10 months
Re: SEGV on AIX (Was: Please test RE24 (3/18/2009 call for testing))
by William Jojo
Resending since I didn't see it hit the list.
Cheers,
Bill
Using the RE24 from CVS last night Mar 22 20:32 EDT...
On AIX 5.3:
Running 251 of 500 iterations
running defines.sh
Initializing server configurations...
Starting server 1 on TCP/IP port 9011...
Using ldapsearch to check that server 1 is running...
Inserting syncprov overlay on server 1...
Starting server 2 on TCP/IP port 9012...
Using ldapsearch to check that server 2 is running...
Configuring syncrepl on server 2...
Starting server 3 on TCP/IP port 9013...
Using ldapsearch to check that server 3 is running...
Configuring syncrepl on server 3...
Starting server 4 on TCP/IP port 9014...
Using ldapsearch to check that server 4 is running...
Configuring syncrepl on server 4...
Adding schema and databases on server 1...
Using ldapadd to populate server 1...
ldapadd failed for server 1 database (254)!
-------------------------------
Error log:
LABEL: CORE_DUMP
IDENTIFIER: 40E9A4E1
Date/Time: Mon Mar 23 04:15:11 2009
Sequence Number: 377
Machine Id: 000345FAD300
Node Id: dev53
Class: S
Type: PERM
Resource Name: SYSPROC
Description
SOFTWARE PROGRAM ABNORMALLY TERMINATED
Probable Causes
SOFTWARE PROGRAM
User Causes
USER GENERATED SIGNAL
Recommended Actions
CORRECT THEN RETRY
Failure Causes
SOFTWARE PROGRAM
Recommended Actions
RERUN THE APPLICATION PROGRAM
IF PROBLEM PERSISTS THEN DO THE FOLLOWING
CONTACT APPROPRIATE SERVICE REPRESENTATIVE
Detail Data
SIGNAL NUMBER
11
USER'S PROCESS ID:
495704
FILE SYSTEM SERIAL NUMBER
15
INODE NUMBER
905219
PROCESSOR ID
6
CORE FILE NAME
/stage/openldap/RE24/ldap/tests/testrun/srv1/core
PROGRAM NAME
lt-slapd
STACK EXECUTION DISABLED
0
COME FROM ADDRESS REGISTER
ADDITIONAL INFORMATION
strlen 0
_doprnt 2004
Symptom Data
REPORTABLE
1
INTERNAL ERROR
0
SYMPTOM CODE
PCSS/SPI2 FLDS/lt-slapd SIG/11 FLDS/strlen VALU/0 FLDS/_doprnt
------------------------------
DBX is:
Segmentation fault in noname.strlen [/usr/lib/libs.a] at 0xd0335680 ($t14)
0xd0335680 (strlen) 89030000 lbz r8,0x0(r3)
(dbx)
GCC is:
[dev53:/stage/openldap/RE24/ldap/tests] # gcc -v
Using built-in specs.
Target: powerpc-ibm-aix5.3.0.0
Configured with: ../stage/gcc-4.2.3/configure --disable-shared
--enable-threads=posix --prefix=/usr/local --with-long-double-128
--enable-languages=c,c++
Thread model: aix
gcc version 4.2.3
BDB 4.6.21.4, OpenSSL 0.9.8.10 (0.9.8j)
11 years, 10 months
smbk5pwd - slapd stops responding - please help-me!
by Eduardo Sachs
Hi People,
I use the smbk5pwd overlay to sync the Samba password with the
Heimdal Kerberos one.
In Debian Etch using Samba 3.0.24-6etch10, OpenLDAP 2.3.30-5+etch2
and Heimdal Kerberos 0.7.2.dfsg.1-10, I don't have problems.
But in Debian Lenny using Samba 2:3.2.5-4, OpenLDAP 2.4.11-1,
and Heimdal Kerberos 1.2.dfsg.1-2.1, I have problems.
When I invoke smbpasswd or ldappasswd and try to change
the password, slapd stops responding.
With kpasswd I do not have problems: it changes the password of
Samba and Kerberos correctly, userPassword is set to {K5KEY}, and
slapd does not stop responding (it works correctly), but I need to change
the password with smbpasswd for Windows clients.
Below follows a more detailed debug; is there something else that I can show?
Is this a bug?
slapd.conf configuration:
moduleload smbk5pwd
overlay smbk5pwd
smbk5pwd-enable krb5
smbk5pwd-enable samba
smbk5pwd-must-change 2592000
password-hash {K5KEY}
- OpenLDAP has permission to read/write the file /var/lib/heimdal-kdc/m-key.
- I configured OpenLDAP to run with user root and group root, for tests.
smb.conf configuration about password:
ldap passwd sync = Only
unix password sync = no
Look at this example:
1 - LDAP OK:
root# ps aux|grep slapd
root 3841 3.0 0.8 21920 4512 ? Ssl 14:47 0:00
/usr/sbin/slapd -h ldap://10.111.222.100:389/
ldaps://10.111.222.100:636/ ldapi:/// -g root -u root -f
/etc/ldap/slapd.conf
root 3844 0.0 0.1 3116 728 pts/0 S+ 14:47 0:00 grep slapd
root# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: sachs(a)LOCAL.INT.BR
SASL SSF: 56
SASL data security layer installed.
dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br
2 - Change password with LDAPPASSWD:
root# ldappasswd -x -D
"krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
"uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" -w secret -S
New password:
Re-enter new password:
ldap_result: Can't contact LDAP server (-1)
root# ps aux|grep slapd
root 3832 0.0 0.1 3116 724 pts/0 S+ 14:47 0:00 grep slapd
root# ldapwhoami -Y GSSAPI
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Loglevel 256, trying to change the password with LDAPPASSWD, stops at PASSMOD:
conn=0 fd=18 ACCEPT from IP=10.111.222.100:40181 (IP=10.111.222.100:389)
conn=0 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
method=128
conn=0 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
mech=SIMPLE ssf=0
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=1 PASSMOD
id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
Debug of the audit overlay, trying to change the password with LDAPPASSWD:
# modify 1236964911 dc=local,dc=int,dc=br
krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br
dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br
changetype: modify
replace: userPassword
userPassword:: e0s1S0VZfQ==
-
replace: entryCSN
entryCSN: 20090313172151.459306Z#000000#000#000000
-
replace: modifiersName
modifiersName: krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrin
cipals,ou=Usuarios,dc=local,dc=int,dc=br
-
replace: modifyTimestamp
modifyTimestamp: 20090313172151Z
-
# end replace 1236964911
3 - Change Password with SMBPASSWD:
LDAP running correctly.
root# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: sachs(a)LOCAL.INT.BR
SASL SSF: 56
SASL data security layer installed.
dn:uid=sachs,ou=samba,ou=usuarios,dc=local,dc=int,dc=br
# smbpasswd sachs
New SMB password:
Retype new SMB password:
failed to bind to server ldaps://debian.local.int.br/ with
dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
Error: Can't contact LDAP server
(unknown)
Connection to LDAP server failed for the 2 try!
Connection to LDAP server failed for the 3 try!
Connection to LDAP server failed for the 4 try!
Connection to LDAP server failed for the 5 try!
Connection to LDAP server failed for the 6 try!
Connection to LDAP server failed for the 7 try!
Loglevel 256, trying to change the password with SMBPASSWD, stops at PASSMOD:
conn=2 fd=27 ACCEPT from IP=10.111.222.100:35715 (IP=10.111.222.100:636)
conn=2 fd=27 TLS established tls_ssf=128 ssf=128
conn=2 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
method=128
conn=2 op=0 BIND
dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br"
mech=SIMPLE ssf=0
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=sachs))"
conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn
homeDirectory loginShell gecos description objectClass
conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=5 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2
deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=513))"
conn=1 op=5 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList
description displayName cn objectClass
conn=1 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=6 SRCH base="ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
scope=2 deref=0
filter="(&(objectClass=sambaSamAccount)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))"
conn=1 op=6 SRCH attr=uid sambaSid
conn=1 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1 op=7 SRCH base="ou=Grupos,dc=local,dc=int,dc=br" scope=2
deref=0 filter="(&(objectClass=sambaGroupMapping)(|(sambaSID=s-1-5-21-1831924168-3154312721-1575139623-513)))"
conn=1 op=7 SRCH attr=cn displayName sambaSid sambaGroupType
conn=1 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=8 MOD dn="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
conn=1 op=8 MOD attr=sambaAcctFlags sambaAcctFlags
conn=1 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=9 SRCH attr=supportedExtension
conn=1 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=10 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1 op=10 PASSMOD
id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
conn=1 op=8 RESULT tag=103 err=0 text=
Debug of the audit overlay, trying to change the password with SMBPASSWD:
# modify 1236968199 dc=local,dc=int,dc=br
krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br
dn: uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br
changetype: modify
delete: sambaAcctFlags
sambaAcctFlags: [U]
-
add: sambaAcctFlags
sambaAcctFlags: [U ]
-
replace: entryCSN
entryCSN: 20090313181639.613866Z#000000#000#000000
-
replace: modifiersName
modifiersName: krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrin
cipals,ou=Usuarios,dc=local,dc=int,dc=br
-
replace: modifyTimestamp
modifyTimestamp: 20090313181639Z
-
# end replace 1236968199
Thanks!!!
11 years, 10 months
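As an added example that is not from the post above or from OpenLDAP itself: a small Python checker for slapd's loglevel 256 (stats) lines of the kind quoted in the post. It pairs every conn/op with its RESULT line and reports Password Modify operations that never completed, which is the pattern in both traces (the ldappasswd one on conn=0 and the smbpasswd one on conn=1). The sample log is constructed from the post's lines and the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the loglevel 256 lines in the post: a bind
# that completes, a MOD and a rootDSE search that complete, and two PASSMOD
# requests (ldappasswd on conn=0, smbpasswd on conn=1) that never get a RESULT
# line because slapd died while handling them.
SAMPLE_LOG = """\
conn=0 fd=18 ACCEPT from IP=10.111.222.100:40181 (IP=10.111.222.100:389)
conn=0 op=0 BIND dn="krb5PrincipalName=ldapmaster/admin(a)LOCAL.INT.BR,ou=KerberosPrincipals,ou=Usuarios,dc=local,dc=int,dc=br" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=0 op=1 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
conn=1 op=8 MOD dn="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br"
conn=1 op=9 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1 op=10 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1 op=10 PASSMOD id="uid=sachs,ou=Samba,ou=Usuarios,dc=local,dc=int,dc=br" new
conn=1 op=8 RESULT tag=103 err=0 text=
"""

OP_RE = re.compile(r"^conn=(\d+) op=(\d+) (\S+)(.*)$")
PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"  # LDAP Password Modify extended operation


def unfinished_ops(log_text):
    """Map (conn, op) -> description for every operation that was started
    but never reported a RESULT / SEARCH RESULT line."""
    open_ops = OrderedDict()
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue  # ACCEPT / TLS / closed lines carry no op= field
        key = (int(m.group(1)), int(m.group(2)))
        kind, rest = m.group(3), m.group(4).strip()
        if kind == "RESULT" or (kind == "SEARCH" and rest.startswith("RESULT")):
            open_ops.pop(key, None)  # completed, with or without an LDAP error
        elif kind == "PASSMOD":
            open_ops[key] = "PASSMOD " + rest  # more telling than the bare EXT line
        else:
            open_ops.setdefault(key, kind + " " + rest)  # keep the first description
    return open_ops


def hung_password_changes(log_text):
    """(conn, op) of unfinished operations that are Password Modify requests,
    the exact symptom the post describes with smbk5pwd loaded."""
    return [key for key, desc in unfinished_ops(log_text).items()
            if desc.startswith("PASSMOD") or PASSMOD_OID in desc]
```

Run it over a real slapd log with loglevel 256 and every key it returns is a password change whose connection ended without a result, which is the first thing to look for when slapd disappears mid-operation.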
Re: ssh automatic logins using OpenLDAP
by Norberto Bensa
On Tue, Mar 24, 2009 at 12:51 PM, Jordi Espasa Clofent
<jespasac(a)minibofh.org> wrote:
> Another related question: ¿is it possible to _NOT_ use LDAP auth for some users?
> It means, use LDAP+ssh in the general sense, with only a few exceptions which
> will still log in locally.
Just configure pam/nss to use both sources (files and ldap). Then add
users to /etc/passwd and ldap as needed.
11 years, 10 months
mirror mode works just one way
by Hegedus Gabor
Hi, all!
I have a problem.
I could include the schema in OpenLDAP 2.4, and I set the mirror
mode like the manual said on the first server.
I installed the same version of OpenLDAP on the other server, and set it
up like the first server.
The full database came to the second LDAP.
If I modify the first database, it pushes the changes to the second, and I
can see the changes on it.
BUT when I modify the second database, there are no changes on the
first... Why?
I can see traffic with tcpdump on the first server's port 389, but nothing
changes on it.
/etc/ldap/*
/etc/default/slapd
files are the same on both servers, and the databases are too.
The only differences are the serverID and the provider in the slapd.conf
file.
My mirror mode configuration:
serverID 1
moduleload syncprov
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
provider=ldap://192.168.1.2
type=refreshAndPersist
interval=00:00:00:10
searchbase="dc=test,dc=hu"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=admin,dc=test,dc=hu"
credentials="test"
mirrormode on
I have tried mirror mode on a basic database and it worked;
what is the problem now?
Please help, it is very important!
thank you,
best regards, Gabor
11 years, 10 months
OpenLDAP Syncrepl issue
by Luis Castillo
Hello,
I am having an issue getting the OpenLDAP to replicate using syncrepl.
Basically, after configuring the consumer I can start the slapd process
but I see no replication happening. Do you have a sample configuration
file that can provide more info? Is there anything required on the
master?
Thanks,
Luis
11 years, 10 months
Re: acls for mirrormode user and its clear text passwords
by Tyler Gates
I figured this out. The problem was I didn't have the entry 'anonymous
auth' in the clause.
>I have a multimaster system running behind a back_ldap proxy and all
>is
>running fine except for the fact that the mirrormode user specified in
>syncrepl section can only specify its password as cleartext or use sasl
>authentication. I'm not so worried about the clear text password being
>seen because all connections are via tls. But, if anyone binds,
>including anonymous users, that password is visible to them which
>scares me because the mirrormode user has write access to the entire
>tree. My first course of action was to set acls as write to mirrormode
>user and none to everyone else but no matter what I do, replication
>between the two servers breaks because it seems as soon as an acl is
>defined, mirrormode user no longer has permissions. Am I fundamentally
>missing something here with the visible clear text password? Or am I
>just not doing the acls right? Below is an example of what I surely
>thought would work at a (very minimal) level.
>
>access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
> by anonymous none
>
>doesn't work. Even:
>
>access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
> by self write
>
>gives me no love either. If you need the entire acl I can provide it
>but I'm guessing I'm missing something much more obvious.
>
>Thanks,
> Tyler
11 years, 10 months
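The ACL from the quoted message next to the form with the 'anonymous auth' clause Tyler says was missing, added here as an illustration rather than text from the thread. The DN and attribute are the ones in the post; the `by self write` and `by * none` lines are an assumption about the rest of the policy, not something the thread states.

```conf
# As posted. Within one "access to" directive the first matching "by" clause
# wins and anything not matched is denied. A simple bind is performed while the
# requester is still anonymous, so with no "auth" privilege on userPassword the
# replication account cannot authenticate at all and syncrepl breaks.
access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
    by anonymous none

# Corrected. "auth" lets the not-yet-bound identity use the attribute for
# authentication only (bind/compare) without being able to read the stored
# value, "self" lets the account manage its own password, and "* none" keeps
# the value away from everyone else, other authenticated users included.
access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
    by anonymous auth
    by self write
    by * none
```

Check the result with a bind as the replication account followed by a search for its userPassword as some other authenticated user: the bind must succeed and the search must return the entry without the attribute.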