openldap-technical March 2009

openldap-technical@openldap.org

64 participants
69 discussions

acls for mirrormode user and its clear text passwords
by Tyler Gates 20 Mar '09

20 Mar '09

I have a multimaster system running behind a back_ldap proxy and all is running fine except for the fact that the mirrormode user specified in syncrepl section can only specify its password as cleartext or use sasl authentication. I'm not so worried about the clear text password being seen because all connections are via tls. But, if anyone binds, including anonymous users, that password is visible to them which scares me because the mirrormode user has write access to the entire tree. My first course of action was to set acls as write to mirrormode user and none to everyone else but no matter what I do, replication between the two servers breaks because it seems as soon as an acl is defined, mirrormode user no longer has permissions. Am I fundamentally missing something here with the visible clear text password? Or am I just not doing the acls right? Below is an example of what I surely thought would work at a (very minimal level). access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword by anonymous none doesn't work. Even: access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword by self write gives me no love either. If you need the entire acl I can provide it but I'm guessing I missing something much more obvious. Thanks, Tyler

1 0

acls for mirrormode user and its clear text passwords
by Tyler Gates 20 Mar '09

20 Mar '09

1 0

Starting OpenLDAP: slapd - failed
by Eldon Phukuile 20 Mar '09

20 Mar '09

I am following the tutorial at https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html. Everything worked until... Command: sudo /etc/init.d/slapd restart Output: Stopping OpenLDAP: slapd. Starting OpenLDAP: slapd - failed. The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (e.g. /var/log/syslog) or try running the daemon in Debug mode like via "slapd -d 16383" (warning: this will create copious output). Below, you can find the command line options used by this script to run slapd. Do not forget to specify those options if you want to look to debugging output: slapd -h 'ldap://127.0.0.1:389/ ldaps:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/ Command: slapd -d 16383 Output: @(#) $OpenLDAP: slapd 2.4.11 (Nov 8 2008 09:42:18) $ buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd ldap_pvt_gethostbyname_a: host=MORPHEUS.matrix.corp, r=0 daemon_init: <null> daemon_init: listen on ldap:/// daemon_init: 1 listeners to open... ldap_url_parse_ext(ldap:///) daemon: bind(7) failed errno=13 (Permission denied) daemon: bind(7) failed errno=13 (Permission denied) slap_open_listener: failed on ldap:/// slapd stopped. connections_destroy: nothing to destroy.

3 2

trigger a program when ldap db modifies
by Hegedus Gabor 19 Mar '09

19 Mar '09

Hi all! Can you suggest me a program or solution what is do the following: after i modify a record in a db, an external bash script runs off, like a daemon what is check the modifications, and start a script. I hope you are understanding what i want. Gabor

3 2

main: TLS init def ctx failed: -1
by mario ramirez cervera 19 Mar '09

19 Mar '09

main: TLS init def ctx failed: -1 ani ideas? thank

2 1

mirroring problem (unwilling to perform error)
by Hegedus Gabor 18 Mar '09

18 Mar '09

Hi all! I have a serious problem! I try to configure the ldap server mirroring mode, but something problem with this. Fist of all: I tested the mirroring on two openldap 2.4.11-0ubuntu6.1. and it worked fine. I just configured slapd.conf file like this: # Global section serverID 1 (another ldap is 2) moduleload syncprov overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncrepl rid=001 provider=ldap://192.168.1.2 type=refreshAndPersist interval=00:00:00:10 searchbase="dc=test,dc=hu" filter="(objectClass=*)" attrs="*" scope=sub schemachecking=off bindmethod=simple binddn="cn=admin,dc=test,dc=hu" credentials="test" retry="60 +" mirrormode on It was okay, when I modified the db1, the db2 modified too. BUT! I try to set up on version 2.3.30, I use the same configuration, the ldap starts good, but when i try to modify the db, the phpldapadmin shows this error: Could not perform ldap_modify operation. LDAP said: Server is unwilling to perform Error number: 0x35 (LDAP_UNWILLING_TO_PERFORM) Description: The LDAP server refused to perform the operation. What is the problem, what is missconfigured? please help, thank you! br Gabor

2 2

pam_ldap, libnss-ldap and different fields for authentication
by Florian MAURY 18 Mar '09

18 Mar '09

Hi, I'm currently working on an authentication system for my company and facing a problem using pam_ldap, and libnss_ldap. I want to configure pam to authenticate againt a field (let's call it AField) (e.g. a ssh session's authentication) and libnss to provide the content of another field (BField) if I run e.g. ls -l. I mean : # ssh AField-value(a)192.168.1.1 [...] # ls -l /tmp/test -rwx------ 1 BField-value root 1305 2009-03-18 14:11 test #whoami BField-value The goal is to permit login via AField, which will be a quite long name, and BField will ease the reading in my linux-box. Everything is working perfectly fine if I use the same field. (i.e. pam_login_attribute BField and nss_map_attribute uid BField) but if I try to set pam_login_attribute to AField and nss_map_attribute to "uid BField" the authentication process failed in an "Invalid credentials" error. Libnss works correctly since when I list (ls) a file created by an ldap user after logging in via a local user, the resolution works fine. Ls answers me the file is owned by {BField-value} user. Pam_ldap seems to understand it needs to look up to the AField since it bind anonymously, request the rdn of the user having AField equal to the login submitted, but when the binding is done with the rdn of the user, I've got the error. I tcpdump-ed the ldap trafic and discovered pam_ldap is requesting the binding without providing the password. In the packets, where the password (in clear for tests) should be, I can read "INCORRECT". Which is not my password at all =) Then, it's perfectly logical that openldap returns me "Invalid credentials". My question is : what can this INCORRECT mean ? A configuration error ? Is it just possible to do what I want to do ? When my authentication fails, I can rean in openldap log files : slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1 When I'm using only the AField (or the BField) for the two options, I don't get this error :o/ I'm using Openldap 2.3.30-5+etch2, libpam-ldap 180-1.7 and libnss-ldap 251-7.5etch1 on Debian. Thank you in advance for your support. Regards, -- Florian MAURY

1 0

dbconfig
by Oliver Henriot 18 Mar '09

18 Mar '09

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear list members, I have a bdb database in openldap 2.3.27 on centos 5.2 in which I have defined, in the database section : dbconfig set_cachesize 0 268435456 1 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 dbconfig set_lg_regionmax 262144 dbconfig set_lg_bsize 2097152 I stop my server, clear /var/lib/ldap/*, slapadd my basic ldif entries (replication account, people and groups ou), chown everything to ldap:ldap and start openldap but I still get a warning : bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap - From what I read, I understood that the dbconfig directives created the DB_CONFIG file at startup if it wasn't present in the database directory. This doesn't seem to be working and I can't figure out why. Is there something obvious I'm missing out here? Thanks. - -- Oliver Henriot B.Sc. Ph.D. | Technicien de Maintenance Moyens Informatiques et Multimédia | UMS MI2S | http://mi2s.imag.fr/ Domaine universitaire BP53 | 38041 Grenoble cedex 9 | France tel.: +33 4 76 51 43 48 | fax: +33 4 76 51 47 15 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkm/wc0ACgkQSWuBJnHIHdLvJQCeJKiqBxahNvb65kPI91yTgmVS 1z4An2YprXc5nDcdyw6mm7UWf5yoN7Hp =QFKr -----END PGP SIGNATURE-----

1 1

PROBLEM SSL
by mario ramirez cervera 17 Mar '09

17 Mar '09

Hello again: I copied the certificates in slapd.con: TLSCipherSuite HIGH: MEDIUM: + sslv2: RSA TLSCACertificateFile / etc / ldap / slapd-certs / cacert.pem TLSCertificateFile / etc / ldap / slapd-certs / servercrt.pem TLSCertificateKeyFile / etc / ldap / slapd-certs / serverkey.pem and also writes: SLAPD_SERVICES = "ldap: / / / LDAPS :///" And start giving me the following error: root @ mario-desktop: / etc / gulCA # / etc / init.d / slapd start Starting OpenLDAP: slapd - failed. The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (eg / var / log / syslog) or try running the daemon in Debug mode like via "slapd-d 16383" (warning: this will create copious output). Below, you can find the command line options used by this script to run slapd. Do not forget to specify those options if you want to look to debugging output: slapd-g openldap-u openldap-f / etc / ldap / slapd.conf Deputy my folder Thank you very much it is very important

2 1

Initial setup confusion
by Luke Biddell 17 Mar '09

17 Mar '09

I'm attempting to run openldap on intrepid ibex and am encountering some problems which are most likely down to my understanding. So any newbie help is much appreciated. The first confusion is slapd.conf versus slapd.d. I don't have a slapd.conf file to start with and /etc/ldap/slapd.d is empty. So should I hand-craft a slapd.conf (despite the docs saying this is the old way) and convert it to slapd.d format or do I create an ldif file and put it somewhere (presumably in slapd.d or ldapmodify it)? I've also got a schema I wish to import and currently I'm ldapmodify-ing it in, it's of this form. dn: cn=schema,cn=config changeType: modify add: olcAttributeTypes olcAttributeTypes: ... dn: cn=schema,cn=config changeType: modify add: olcObjectClasses olcObjectClasses: .... ... As you can see I'm adding custom attribute types and object classes into cn=schema,cn=config and this appears to work fine, however they are not persisted across slapd restarts. I presume I need to put them under cn=mycustomconfig,cn=schema,cn=config and then they will persist? I'm sure I'm just missing something fundamental here. More coffee is probably needed. TIA for any help. Luke

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2009