new ldap installation -LDAP newbie question
by Swenson, Chris
This is a bit difficult to articulate.
Is there a way to move only the passwords from a passwd file into ldap?
I have built out an ldap server and a client box and can successful
authenticate from one to the other.
I am using this to replace an old RHEL that has depended on the passwd
file with nearly 10,000 users.
To add the users to the new server I have parsed and imported a good
deal of the data in the passwd file into on Oracle Db that has all the
HR stuff
and then scripted an output ldif to add the users into the new ldap
server. Good so far, this works.
My concern is thus. Ldap is on a new box. There is a lot of junk in
the old box I want to leave behind, hence the rewrite via oracle.
I want to extract only the passwords from the passwd file and write them
to the new ldap server.
If I run migrate_passwd.pl and pull the passwords out, they are hashed
in some way and I cannot write them to the ldap nor script setting the
password from the old one.
Even if I run the passwd file through pwunconv they seem to be unusable.
I dread the thought of having to communicate with 9000 students and
nearly 1000 faculty and staff with new passwords.
Regards
Chris S.
13 years, 3 months
API to read config file before ldap_search.
by Santosh Kumar
Dear friends,looking to where we could specify config file path to be read by ldapsearch.c to /openldap/ldap.conf will be trying to pass the query to ldapclient and obtain the result. should we write program starting from ldap_open , ldap_init, ldap_bind , ldap_search or its suffice only by modifying ldapsearch.c.RegardsSantosh
13 years, 3 months
what ldap configuration paramentrs for ldapclient
by Santosh Kumar
Hi, bharath , thanks for the link,command working fine ,ldapsearch -v -x -W -h 10.10.20.50 -D cn=testuser1,ou=testusers,dc=kpairtest,dc=local -b ou=testusers,dc=kpairtest,dc=localwhat is binddn , rootbinddn , basepart that needs to be specified in ldap.conf for openldap client,can we have either in /etc/ldap.conf or /etc/openldap/ldap.conf ?and does ldapsearch() automatically looks for configuration in /etc/ldap.confThanksSantosh Kumar Sr Software Engineer On Tue, 10 Mar 2009 05:21:58 -0400 "Kantrapati, Bharath" wrote Hi santosh, Your mail is not clear , what is it you are exactly looking for?? But as the error says the objects you are trying to query would require you to bind to the active directory with a set of credentials. Regards Bharath From: openldap-technical-bounces+bharath.kantrapati=gs.com(a)OpenLDAP.org [mailto:openldap-technical-bounces+bharath.kantrapati=gs.com@OpenLDAP.org] On Behalf Of Santosh Kumar Sent: Tuesday, March 10, 2009 11:39 AM To: openldap-technical(a)openldap.org Subject: ldap-client connection to AD - LdapErr: DSID-0C090627, Trying to query Active Directory via command line for searching all Please let me know what this error refers to ./ldapsearch -h 10.10.10.50 -b "ou=users,DC=SFBAY,DC=tech,DC=com" -s sub "objectclass=*" # extended LDIF # # LDAPv3 # base with scope subtree # filter: objectclass=* # requesting: ALL # # search result search: 2 result: 1 Operations error text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope ration a successful bind must be completed on the connection., data 0, vece # numResponses: 1 i'm looking to extract -b option and -D from AD Please if anyone is aware let me know. Thanks Santosh
13 years, 3 months
Developing client in c
by Michael Luich
Hello Everyone,
I'm trying to develop my application in c. And since I've never done
LDAP before I thought i'd do a test program to work out the how's of
retrieving from an ldap directory. in this case I'm pulling a X509
certificate from the verisign directory. I successfully run the search
and can retrieve the data, but the certificate;binary is incomplete.
I've tried a number of different things but cannot seem to get the
whole certificate. Below is the hard coded test program, and any help
would be greatly appreciated!
--
Michael Luich
Stone's Rose
mluich(a)stonesrose.com
#include <stdio.h>
#include "ldap.h"
/* Specify the search criteria here. */
#define HOSTNAME "directory.verisign.com"
#define PORTNUMBER 389
#define BASEDN ""
#define SCOPE LDAP_SCOPE_SUBTREE
#define FILTER "(mail=mluich(a)stonesrose.com)"
char *encode_64 (char *message);
int
main (int argc, char **argv)
{
LDAP *ld;
LDAPMessage *result, *e;
char *dn, *cert;
char **vals;
int rc;
LDAPMessage *res;
char *a;
int version, i;
BerElement *ber;
// /* Print out an informational message. */
//
// printf ("Connecting to host %s at port %d...\n\n", HOSTNAME, PORTNUMBER);
/* STEP 1: Get a handle to an LDAP connection and
set any session preferences. */
if ((ld = ldap_init (HOSTNAME, PORTNUMBER)) == NULL)
{
perror ("ldap_init");
return (1);
}
/* Use the LDAP_OPT_PROTOCOL_VERSION session preference to specify
that the client is an LDAPv3 client. */
version = LDAP_VERSION3;
ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version);
/* STEP 2: Bind to the server.
In this example, the client binds anonymously to the server
(no DN or credentials are specified). */
rc = ldap_simple_bind_s (ld, NULL, NULL);
if (rc != LDAP_SUCCESS)
{
fprintf (stderr, "ldap_simple_bind_s: %s\n", ldap_err2string (rc));
return (1);
}
/* STEP 3: Perform the LDAP operations.
In this example, a simple search operation is performed.
The client iterates through each of the entries returned and
prints out the DN of each entry. */
rc = ldap_search_ext_s (ld, BASEDN, SCOPE, FILTER, NULL, 0,
NULL, NULL, NULL, 0, &result);
if (rc != LDAP_SUCCESS)
{
fprintf (stderr, "ldap_search_ext_s: %s\n", ldap_err2string (rc));
return (1);
}
if ((vals =
ldap_get_values_len (ld, result, "usercertificate;binary")) != NULL)
{
for (i = 0; vals[i] != NULL; i++)
{
printf ("%d - %s: %s\n", i, a, vals[i]);
// if (!strcmp (a, "usercertificate;binary"))
// {
printf ("%s: %s\nlength: %d\n\n", a, vals[i], sizeof (vals[i]));
encode_64 (vals[i]);
// }
}
}
else
{
fprintf (stderr, "ldap_get_values_len: %s\n", ldap_err2string (rc));
}
ldap_value_free (vals);
ldap_msgfree (result);
/* STEP 4: Disconnect from the server. */
ldap_unbind (ld);
return (0);
}
char *
encode_64 (char *message)
{
#include <openssl/bio.h>
#include <openssl/evp.h>
BIO *bio, *b64;
//char message[] = "Hello World \n";
b64 = BIO_new (BIO_f_base64 ());
bio = BIO_new_fp (stdout, BIO_NOCLOSE);
bio = BIO_push (b64, bio);
BIO_write (bio, message, strlen (message));
BIO_flush (bio);
BIO_free_all (bio);
}
13 years, 3 months
Nway multimaster sync having weird functionality
by Mathew Rowley
I am experiencing some really strange behavior with nway multimaster. Does
anyone know why this would be happening?
I have 2 boxes set up to sync, called rsa01, rsa02
If I create ou=groups,dc=comcast,dc=com¹ on rsa02, it will create it on
rsa01
If I create cn=test,ou=groups,dc=comcast,dc=com¹ on rsa02 it will NOT
create on rsa01
If I delete ou=groups,dc=comcast,dc=com¹ on rsa02, it will delete on rsa01
If I create anything on rsa01, it will NOT create on rsa02
I have the sync set up for searchBase¹ set to dc=comcast,dc=com.
Here is the olcSyncrepl configuration (for both boxes):
dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcbdbConfig
olcDatabase: {1}bdb
olcSuffix: dc=comcast,dc=com
olcDbDirectory: /usr/var/openldap-data/
olcRootDN: cn=Manager,dc=comcast,dc=com
olcRootPW: {SSHA}kJTEcfOmPf7fKv71AtxDjlUZNPqN9pIT
olcLimits: dn.exact="cn=Manager,dc=comcast,dc=com" time.soft=unlimited
time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcSyncRepl: rid=004 provider=ldap://10.252.152.76
binddn="cn=Manager,dc=comcast,dc=com" bindmethod=simple
credentials="test" searchbase="dc=comcast,dc=com" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=005 provider=ldap://10.252.152.77
binddn="cn=Manager,dc=comcast,dc=com" bindmethod=simple
credentials="test" searchbase="dc=comcast,dc=com" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
dn: olcOverlay=syncprov,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
--
MAT
13 years, 3 months
ldap-client connection to AD - LdapErr: DSID-0C090627,
by Santosh Kumar
Trying to query Active Directory via command line for searching all Please let me know what this error refers to./ldapsearch -h 10.10.10.50 -b "ou=users,DC=SFBAY,DC=tech,DC=com" -s sub "objectclass=*"# extended LDIF## LDAPv3# base <ou=users,DC=SFBAY,DC=keypairtech,DC=com> with scope subtree# filter: objectclass=*# requesting: ALL## search resultsearch: 2result: 1 Operations errortext: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope ration a successful bind must be completed on the connection., data 0, vece# numResponses: 1 i'm looking to extract -b option and -D from AD
Please if anyone is aware let me know.ThanksSantosh
13 years, 3 months
Mirrormode problem
by Sergio Cioban Filho
Hi all,
I have configured two openldap servers with mirrormode, but no have sync at
servers...
Any idea about the problem?
My configuration files:
Server1:
serverID 1
syncrepl rid=001
provider=ldap://192.168.170.36:389/
bindmethod=simple
binddn="cn=user,dc=teste,dc=com,dc=br"
credentials="xxxxx"
searchbase="dc=teste,dc=com,dc=br"
schemachecking=on
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
mirrormode on
mirrormode on
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Server2:
serverID 2
syncrepl rid=001
provider=ldap://192.168.170.25:389/
bindmethod=simple
binddn="cn=user,dc=teste,dc=com,dc=br"
credentials="xxxxx"
searchbase="dc=teste,dc=com,dc=br"
schemachecking=on
type=refreshAndPersist
interval=00:00:00:10
retry="5 5 300 5"
timeout=1
mirrormode on
mirrormode on
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
** Sorry for my poor english.
Thanks,
Regards,
---
Sérgio Cioban Filho
| Tecnólogo em Gestão de TI
| Linux Professional Institute Certified - Level 1
------------------------------------------------------------
| Linux - Servidores - Firewall - VPN
| Virtualização - VoIP - ShellScript - C - PHP
| http://cioban.googlepages.com
| +55 48 9989-8733
------------------------------------------------------------
..:: Seja livre, use LiNuX!! ::..
------------------------------------------------------------
Vendo GOL G3 PLUS 1.0 8V 4P 2002 - Branco - COMPLETÍSSIMO - Só R$ 18.500,00
http://cioban.googlepages.com/vendogolg38v
13 years, 3 months
automatic versioning of objects?
by Karsten Kankowski
Hello dear wise guys :-)
Is there any nice feature at Oo-LDAP implemented to get the information if an
object is changed; something like a internal version number...???
We would like to use LDAP for storing complex configuration data which can
have dependencies. For that a version number for all objects is necessary.
Unfortunately these changes must be done also in a safe way which means that
a version change must be done in a “atomic operation”. A internal
incrementing by the LDAP server seemed to me a quite more simple solution
than to try this to handle via the ( say here ~ 6000 concurrent ) clients.
By the way:
Do anyone implement something like a LDAP server based sequence number which
can be queried???
Thanks a lot for your hints...
and best regards
Karsten
(Sorry for the bad English ;-()
The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other then the addressee. Access to this e-mail by anyone else is unauthorised.
If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
13 years, 3 months
Issues when changing LDAP password
by Gustavo Mendes de Carvalho
Hi there,
I'm running an LDAP server version 2.3.39 and I'm using ppolicy to force
users in some specific things, but I'm having some issue when I try to
change my user's password with passwd command.
Here's the output screen
[user1@cliserv ~]$ ssh ldapclisrv
user1@ldapclisrv's password:
Your LDAP password will expire in 10 days.
Last login: Wed Mar 4 17:42:18 2009 from cliserv
[user1@ldapclisrv ~]$
[user1@ldapclisrv ~]$
[user1@ldapclisrv ~]$ passwd
Changing password for user user1.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
Must supply old password to be changed as well as new one
passwd: Permission denied
[user1@ldapclisrv ~]$
As you can see, I can login using LDAP ID, and I can change user1 password
if I use ldappasswd, entering all ldap information, but I would like to make
it simpler.
Does anybody has any idea ?
--
Gustavo Mendes de Carvalho
e-mail: gmcarvalho(a)gmail.com
13 years, 3 months
Multi-master or MirrorMode
by Sergio Cioban Filho
Hello all,
I've read about ldap replication and I changed my replication from slurp to
syncrepl.
I want configure an failover Ldap Server, but I've read that in the
multi-master replication configuration, I'll have problems with data
consistency, is is true? When I'll have data inconsistency?
In MIrrorMode, can I have much of two servers? What is the limit number of
servers (nodes)?
What is the better configuration for failover (Without a hardware
proxies/load-balancing or dedicated proxy software)?
** Sorry for my poor english... ;)
Thanks
Regards,
---
Sérgio Cioban Filho
| Tecnólogo em Gestão de TI
| Linux Professional Institute Certified - Level 1
------------------------------------------------------------
| Linux - Servidores - Firewall - VPN
| Virtualização - VoIP - ShellScript - C - PHP
| http://cioban.googlepages.com
| +55 48 9989-8733
------------------------------------------------------------
..:: Seja livre, use LiNuX!! ::..
------------------------------------------------------------
13 years, 3 months