acls for mirrormode user and its clear text passwords
by Tyler Gates
I have a multimaster system running behind a back_ldap proxy and all is
running fine except for the fact that the mirrormode user specified in
syncrepl section can only specify its password as cleartext or use sasl
authentication. I'm not so worried about the clear text password being
seen because all connections are via tls. But, if anyone binds,
including anonymous users, that password is visible to them which
scares me because the mirrormode user has write access to the entire
tree. My first course of action was to set acls as write to mirrormode
user and none to everyone else but no matter what I do, replication
between the two servers breaks because it seems as soon as an acl is
defined, mirrormode user no longer has permissions. Am I fundamentally
missing something here with the visible clear text password? Or am I
just not doing the acls right? Below is an example of what I surely
thought would work at a (very minimal level).
access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
by anonymous none
doesn't work. Even:
access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
by self write
gives me no love either. If you need the entire acl I can provide it
but I'm guessing I missing something much more obvious.
Thanks,
Tyler
11 years, 10 months
acls for mirrormode user and its clear text passwords
by Tyler Gates
I have a multimaster system running behind a back_ldap proxy and all is
running fine except for the fact that the mirrormode user specified in
syncrepl section can only specify its password as cleartext or use sasl
authentication. I'm not so worried about the clear text password being
seen because all connections are via tls. But, if anyone binds,
including anonymous users, that password is visible to them which
scares me because the mirrormode user has write access to the entire
tree. My first course of action was to set acls as write to mirrormode
user and none to everyone else but no matter what I do, replication
between the two servers breaks because it seems as soon as an acl is
defined, mirrormode user no longer has permissions. Am I fundamentally
missing something here with the visible clear text password? Or am I
just not doing the acls right? Below is an example of what I surely
thought would work at a (very minimal level).
access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
by anonymous none
doesn't work. Even:
access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
by self write
gives me no love either. If you need the entire acl I can provide it
but I'm guessing I missing something much more obvious.
Thanks,
Tyler
11 years, 10 months
Starting OpenLDAP: slapd - failed
by Eldon Phukuile
I am following the tutorial at https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html. Everything worked until...
Command:
sudo /etc/init.d/slapd restart
Output:
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
try running the daemon in Debug mode like via "slapd -d 16383" (warning:
this will create copious output).
Below, you can find the command line options used by this script to
run slapd. Do not forget to specify those options if you
want to look to debugging output:
slapd -h 'ldap://127.0.0.1:389/ ldaps:/// ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d/
Command:
slapd -d 16383
Output:
@(#) $OpenLDAP: slapd 2.4.11 (Nov 8 2008 09:42:18) $
buildd@palmer:/build/buildd/openldap-2.4.11/debian/build/servers/slapd
ldap_pvt_gethostbyname_a: host=MORPHEUS.matrix.corp, r=0
daemon_init: <null>
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: bind(7) failed errno=13 (Permission denied)
daemon: bind(7) failed errno=13 (Permission denied)
slap_open_listener: failed on ldap:///
slapd stopped.
connections_destroy: nothing to destroy.
11 years, 10 months
trigger a program when ldap db modifies
by Hegedus Gabor
Hi all!
Can you suggest me a program or solution what is do the following:
after i modify a record in a db, an external bash script runs off,
like a daemon what is check the modifications, and start a script.
I hope you are understanding what i want.
Gabor
11 years, 10 months
mirroring problem (unwilling to perform error)
by Hegedus Gabor
Hi all!
I have a serious problem!
I try to configure the ldap server mirroring mode, but something problem
with this.
Fist of all:
I tested the mirroring on two openldap 2.4.11-0ubuntu6.1. and it worked
fine.
I just configured slapd.conf file like this:
# Global section
serverID 1 (another ldap is 2)
moduleload syncprov
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
provider=ldap://192.168.1.2
type=refreshAndPersist
interval=00:00:00:10
searchbase="dc=test,dc=hu"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=admin,dc=test,dc=hu"
credentials="test"
retry="60 +"
mirrormode on
It was okay, when I modified the db1, the db2 modified too.
BUT!
I try to set up on version 2.3.30, I use the same configuration, the
ldap starts good, but when i try to modify the db, the phpldapadmin
shows this error:
Could not perform ldap_modify operation.
LDAP said: Server is unwilling to perform
Error number: 0x35 (LDAP_UNWILLING_TO_PERFORM)
Description: The LDAP server refused to perform the operation.
What is the problem, what is missconfigured?
please help,
thank you!
br Gabor
11 years, 10 months
pam_ldap, libnss-ldap and different fields for authentication
by Florian MAURY
Hi,
I'm currently working on an authentication system for my company and facing
a problem using pam_ldap, and libnss_ldap.
I want to configure pam to authenticate againt a field (let's call it
AField) (e.g. a ssh session's authentication) and libnss to provide the
content of another field (BField) if I run e.g. ls -l.
I mean :
# ssh AField-value(a)192.168.1.1
[...]
# ls -l /tmp/test
-rwx------ 1 BField-value root 1305 2009-03-18 14:11 test
#whoami
BField-value
The goal is to permit login via AField, which will be a quite long name, and
BField will ease the reading in my linux-box.
Everything is working perfectly fine if I use the same field. (i.e.
pam_login_attribute BField and nss_map_attribute uid BField) but if I try to
set pam_login_attribute to AField and nss_map_attribute to "uid BField" the
authentication process failed in an "Invalid credentials" error.
Libnss works correctly since when I list (ls) a file created by an ldap user
after logging in via a local user, the resolution works fine. Ls answers me
the file is owned by {BField-value} user.
Pam_ldap seems to understand it needs to look up to the AField since it bind
anonymously, request the rdn of the user having AField equal to the login
submitted, but when the binding is done with the rdn of the user, I've got
the error.
I tcpdump-ed the ldap trafic and discovered pam_ldap is requesting the
binding without providing the password. In the packets, where the password
(in clear for tests) should be, I can read "INCORRECT". Which is not my
password at all =) Then, it's perfectly logical that openldap returns me
"Invalid credentials".
My question is : what can this INCORRECT mean ? A configuration error ? Is
it just possible to do what I want to do ?
When my authentication fails, I can rean in openldap log files :
slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
When I'm using only the AField (or the BField) for the two options, I don't
get this error :o/
I'm using Openldap 2.3.30-5+etch2, libpam-ldap 180-1.7 and libnss-ldap
251-7.5etch1 on Debian.
Thank you in advance for your support.
Regards,
--
Florian MAURY
11 years, 10 months
dbconfig
by Oliver Henriot
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear list members,
I have a bdb database in openldap 2.3.27 on centos 5.2 in which I have
defined, in the database section :
dbconfig set_cachesize 0 268435456 1
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 2097152
I stop my server, clear /var/lib/ldap/*, slapadd my basic ldif entries
(replication account, people and groups ou), chown everything to
ldap:ldap and start openldap but I still get a warning :
bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap
- From what I read, I understood that the dbconfig directives created the
DB_CONFIG file at startup if it wasn't present in the database
directory. This doesn't seem to be working and I can't figure out why.
Is there something obvious I'm missing out here?
Thanks.
- --
Oliver Henriot B.Sc. Ph.D. | Technicien de Maintenance
Moyens Informatiques et Multimédia | UMS MI2S | http://mi2s.imag.fr/
Domaine universitaire BP53 | 38041 Grenoble cedex 9 | France
tel.: +33 4 76 51 43 48 | fax: +33 4 76 51 47 15
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkm/wc0ACgkQSWuBJnHIHdLvJQCeJKiqBxahNvb65kPI91yTgmVS
1z4An2YprXc5nDcdyw6mm7UWf5yoN7Hp
=QFKr
-----END PGP SIGNATURE-----
11 years, 10 months
PROBLEM SSL
by mario ramirez cervera
Hello again:
I copied the certificates in slapd.con:
TLSCipherSuite HIGH: MEDIUM: + sslv2: RSA
TLSCACertificateFile / etc / ldap / slapd-certs / cacert.pem
TLSCertificateFile / etc / ldap / slapd-certs / servercrt.pem
TLSCertificateKeyFile / etc / ldap / slapd-certs / serverkey.pem
and also writes:
SLAPD_SERVICES = "ldap: / / / LDAPS :///"
And start giving me the following error:
root @ mario-desktop: / etc / gulCA # / etc / init.d / slapd start
Starting OpenLDAP: slapd - failed.
The operation failed but no output was produced. For hints on what went
wrong please refer to the system's logfiles (eg / var / log / syslog) or
try running the daemon in Debug mode like via "slapd-d 16383" (warning:
this will create copious output).
Below, you can find the command line options used by this script to
run slapd. Do not forget to specify those options if you
want to look to debugging output:
slapd-g openldap-u openldap-f / etc / ldap / slapd.conf
Deputy my folder
Thank you very much it is very important
11 years, 10 months
Initial setup confusion
by Luke Biddell
I'm attempting to run openldap on intrepid ibex and am encountering some
problems which are most likely down to my understanding. So any newbie help
is much appreciated.
The first confusion is slapd.conf versus slapd.d. I don't have a slapd.conf
file to start with and /etc/ldap/slapd.d is empty. So should I hand-craft a
slapd.conf (despite the docs saying this is the old way) and convert it to
slapd.d format or do I create an ldif file and put it somewhere (presumably
in slapd.d or ldapmodify it)?
I've also got a schema I wish to import and currently I'm ldapmodify-ing it
in, it's of this form.
dn: cn=schema,cn=config
changeType: modify
add: olcAttributeTypes
olcAttributeTypes: ...
dn: cn=schema,cn=config
changeType: modify
add: olcObjectClasses
olcObjectClasses: ....
...
As you can see I'm adding custom attribute types and object classes into
cn=schema,cn=config and this appears to work fine, however they are not
persisted across slapd restarts. I presume I need to put them under
cn=mycustomconfig,cn=schema,cn=config and then they will persist?
I'm sure I'm just missing something fundamental here. More coffee is
probably needed.
TIA for any help.
Luke
11 years, 10 months