openldap-technical March 2009

openldap-technical@openldap.org

64 participants
69 discussions

new ldap installation -LDAP newbie question
by Swenson, Chris 12 Mar '09

12 Mar '09

This is a bit difficult to articulate. Is there a way to move only the passwords from a passwd file into ldap? I have built out an ldap server and a client box and can successful authenticate from one to the other. I am using this to replace an old RHEL that has depended on the passwd file with nearly 10,000 users. To add the users to the new server I have parsed and imported a good deal of the data in the passwd file into on Oracle Db that has all the HR stuff and then scripted an output ldif to add the users into the new ldap server. Good so far, this works. My concern is thus. Ldap is on a new box. There is a lot of junk in the old box I want to leave behind, hence the rewrite via oracle. I want to extract only the passwords from the passwd file and write them to the new ldap server. If I run migrate_passwd.pl and pull the passwords out, they are hashed in some way and I cannot write them to the ldap nor script setting the password from the old one. Even if I run the passwd file through pwunconv they seem to be unusable. I dread the thought of having to communicate with 9000 students and nearly 1000 faculty and staff with new passwords. Regards Chris S.

2 1

API to read config file before ldap_search.
by Santosh Kumar 12 Mar '09

12 Mar '09

Dear friends,looking to where we could specify config file path to be read by  ldapsearch.c  to /openldap/ldap.conf  will be trying to pass the query to ldapclient and obtain the result. should we write program starting from ldap_open , ldap_init, ldap_bind , ldap_search  or its suffice only by modifying ldapsearch.c.RegardsSantosh

2 1

what ldap configuration paramentrs for ldapclient
by Santosh Kumar 12 Mar '09

12 Mar '09

Hi,  bharath , thanks for the link,command  working fine ,ldapsearch -v -x -W -h 10.10.20.50 -D cn=testuser1,ou=testusers,dc=kpairtest,dc=local -b ou=testusers,dc=kpairtest,dc=localwhat is binddn  , rootbinddn , basepart that needs to be specified in ldap.conf for openldap client,can we  have either in /etc/ldap.conf or  /etc/openldap/ldap.conf  ?and does ldapsearch()  automatically looks for configuration in /etc/ldap.confThanksSantosh Kumar Sr Software Engineer On Tue, 10 Mar 2009 05:21:58 -0400 "Kantrapati, Bharath" wrote Hi santosh,   Your mail is not clear , what is it you are exactly looking for??   But as the error says the objects you are trying to query would require you to bind to the active directory with a set of credentials.   Regards Bharath   From: openldap-technical-bounces+bharath.kantrapati=gs.com(a)OpenLDAP.org [mailto:openldap-technical-bounces+bharath.kantrapati=gs.com@OpenLDAP.org] On Behalf Of Santosh Kumar Sent: Tuesday, March 10, 2009 11:39 AM To: openldap-technical(a)openldap.org Subject: ldap-client connection to AD - LdapErr: DSID-0C090627,   Trying to query Active Directory  via command line for searching all Please let me know what this error refers to ./ldapsearch  -h 10.10.10.50 -b "ou=users,DC=SFBAY,DC=tech,DC=com"  -s sub "objectclass=*" # extended LDIF # # LDAPv3 # base with scope subtree # filter: objectclass=* # requesting: ALL # # search result search: 2 result: 1 Operations error text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope  ration a successful bind must be completed on the connection., data 0, vece # numResponses: 1  i'm  looking to extract -b option and -D from AD Please if anyone is aware let me know. Thanks Santosh  

1 0

Developing client in c
by Michael Luich 11 Mar '09

11 Mar '09

Hello Everyone, I'm trying to develop my application in c. And since I've never done LDAP before I thought i'd do a test program to work out the how's of retrieving from an ldap directory. in this case I'm pulling a X509 certificate from the verisign directory. I successfully run the search and can retrieve the data, but the certificate;binary is incomplete. I've tried a number of different things but cannot seem to get the whole certificate. Below is the hard coded test program, and any help would be greatly appreciated! -- Michael Luich Stone's Rose mluich(a)stonesrose.com #include <stdio.h> #include "ldap.h" /* Specify the search criteria here. */ #define HOSTNAME "directory.verisign.com" #define PORTNUMBER 389 #define BASEDN "" #define SCOPE LDAP_SCOPE_SUBTREE #define FILTER "(mail=mluich(a)stonesrose.com)" char *encode_64 (char *message); int main (int argc, char **argv) { LDAP *ld; LDAPMessage *result, *e; char *dn, *cert; char **vals; int rc; LDAPMessage *res; char *a; int version, i; BerElement *ber; // /* Print out an informational message. */ // // printf ("Connecting to host %s at port %d...\n\n", HOSTNAME, PORTNUMBER); /* STEP 1: Get a handle to an LDAP connection and set any session preferences. */ if ((ld = ldap_init (HOSTNAME, PORTNUMBER)) == NULL) { perror ("ldap_init"); return (1); } /* Use the LDAP_OPT_PROTOCOL_VERSION session preference to specify that the client is an LDAPv3 client. */ version = LDAP_VERSION3; ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version); /* STEP 2: Bind to the server. In this example, the client binds anonymously to the server (no DN or credentials are specified). */ rc = ldap_simple_bind_s (ld, NULL, NULL); if (rc != LDAP_SUCCESS) { fprintf (stderr, "ldap_simple_bind_s: %s\n", ldap_err2string (rc)); return (1); } /* STEP 3: Perform the LDAP operations. In this example, a simple search operation is performed. The client iterates through each of the entries returned and prints out the DN of each entry. */ rc = ldap_search_ext_s (ld, BASEDN, SCOPE, FILTER, NULL, 0, NULL, NULL, NULL, 0, &result); if (rc != LDAP_SUCCESS) { fprintf (stderr, "ldap_search_ext_s: %s\n", ldap_err2string (rc)); return (1); } if ((vals = ldap_get_values_len (ld, result, "usercertificate;binary")) != NULL) { for (i = 0; vals[i] != NULL; i++) { printf ("%d - %s: %s\n", i, a, vals[i]); // if (!strcmp (a, "usercertificate;binary")) // { printf ("%s: %s\nlength: %d\n\n", a, vals[i], sizeof (vals[i])); encode_64 (vals[i]); // } } } else { fprintf (stderr, "ldap_get_values_len: %s\n", ldap_err2string (rc)); } ldap_value_free (vals); ldap_msgfree (result); /* STEP 4: Disconnect from the server. */ ldap_unbind (ld); return (0); } char * encode_64 (char *message) { #include <openssl/bio.h> #include <openssl/evp.h> BIO *bio, *b64; //char message[] = "Hello World \n"; b64 = BIO_new (BIO_f_base64 ()); bio = BIO_new_fp (stdout, BIO_NOCLOSE); bio = BIO_push (b64, bio); BIO_write (bio, message, strlen (message)); BIO_flush (bio); BIO_free_all (bio); }

2 1

Nway multimaster sync having weird functionality
by Mathew Rowley 11 Mar '09

11 Mar '09

I am experiencing some really strange behavior with nway multimaster. Does anyone know why this would be happening? I have 2 boxes set up to sync, called rsa01, rsa02 If I create ou=groups,dc=comcast,dc=com¹ on rsa02, it will create it on rsa01 If I create cn=test,ou=groups,dc=comcast,dc=com¹ on rsa02 it will NOT create on rsa01 If I delete ou=groups,dc=comcast,dc=com¹ on rsa02, it will delete on rsa01 If I create anything on rsa01, it will NOT create on rsa02 I have the sync set up for searchBase¹ set to dc=comcast,dc=com. Here is the olcSyncrepl configuration (for both boxes): dn: olcDatabase={1}bdb,cn=config objectClass: olcDatabaseConfig objectClass: olcbdbConfig olcDatabase: {1}bdb olcSuffix: dc=comcast,dc=com olcDbDirectory: /usr/var/openldap-data/ olcRootDN: cn=Manager,dc=comcast,dc=com olcRootPW: {SSHA}kJTEcfOmPf7fKv71AtxDjlUZNPqN9pIT olcLimits: dn.exact="cn=Manager,dc=comcast,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited olcSyncRepl: rid=004 provider=ldap://10.252.152.76 binddn="cn=Manager,dc=comcast,dc=com" bindmethod=simple credentials="test" searchbase="dc=comcast,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcSyncRepl: rid=005 provider=ldap://10.252.152.77 binddn="cn=Manager,dc=comcast,dc=com" bindmethod=simple credentials="test" searchbase="dc=comcast,dc=com" type=refreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 olcMirrorMode: TRUE dn: olcOverlay=syncprov,olcDatabase={1}bdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov -- MAT

2 4

ldap-client connection to AD - LdapErr: DSID-0C090627,
by Santosh Kumar 10 Mar '09

10 Mar '09

Trying to query Active Directory  via command line for searching all Please let me know what this error refers to./ldapsearch  -h 10.10.10.50 -b "ou=users,DC=SFBAY,DC=tech,DC=com"  -s sub "objectclass=*"# extended LDIF## LDAPv3# base <ou=users,DC=SFBAY,DC=keypairtech,DC=com> with scope subtree# filter: objectclass=*# requesting: ALL## search resultsearch: 2result: 1 Operations errortext: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope ration a successful bind must be completed on the connection., data 0, vece# numResponses: 1 i'm  looking to extract -b option and -D from AD Please if anyone is aware let me know.ThanksSantosh

5 8

Mirrormode problem
by Sergio Cioban Filho 10 Mar '09

10 Mar '09

Hi all, I have configured two openldap servers with mirrormode, but no have sync at servers... Any idea about the problem? My configuration files: Server1: serverID 1 syncrepl rid=001 provider=ldap://192.168.170.36:389/ bindmethod=simple binddn="cn=user,dc=teste,dc=com,dc=br" credentials="xxxxx" searchbase="dc=teste,dc=com,dc=br" schemachecking=on type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 mirrormode on mirrormode on overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 Server2: serverID 2 syncrepl rid=001 provider=ldap://192.168.170.25:389/ bindmethod=simple binddn="cn=user,dc=teste,dc=com,dc=br" credentials="xxxxx" searchbase="dc=teste,dc=com,dc=br" schemachecking=on type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 5" timeout=1 mirrormode on mirrormode on overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 ** Sorry for my poor english. Thanks, Regards, --- Sérgio Cioban Filho | Tecnólogo em Gestão de TI | Linux Professional Institute Certified - Level 1 ------------------------------------------------------------ | Linux - Servidores - Firewall - VPN | Virtualização - VoIP - ShellScript - C - PHP | http://cioban.googlepages.com | +55 48 9989-8733 ------------------------------------------------------------ ..:: Seja livre, use LiNuX!! ::.. ------------------------------------------------------------ Vendo GOL G3 PLUS 1.0 8V 4P 2002 - Branco - COMPLETÍSSIMO - Só R$ 18.500,00 http://cioban.googlepages.com/vendogolg38v

1 0

automatic versioning of objects?
by Karsten Kankowski 09 Mar '09

09 Mar '09

Hello dear wise guys :-) Is there any nice feature at Oo-LDAP implemented to get the information if an object is changed; something like a internal version number...??? We would like to use LDAP for storing complex configuration data which can have dependencies. For that a version number for all objects is necessary. Unfortunately these changes must be done also in a safe way which means that a version change must be done in a “atomic operation”. A internal incrementing by the LDAP server seemed to me a quite more simple solution than to try this to handle via the ( say here ~ 6000 concurrent ) clients. By the way: Do anyone implement something like a LDAP server based sequence number which can be queried??? Thanks a lot for your hints... and best regards Karsten (Sorry for the bad English ;-() The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other then the addressee. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, please notify Airbus immediately and delete this e-mail. Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately. All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.

2 1

Issues when changing LDAP password
by Gustavo Mendes de Carvalho 09 Mar '09

09 Mar '09

Hi there, I'm running an LDAP server version 2.3.39 and I'm using ppolicy to force users in some specific things, but I'm having some issue when I try to change my user's password with passwd command. Here's the output screen [user1@cliserv ~]$ ssh ldapclisrv user1@ldapclisrv's password: Your LDAP password will expire in 10 days. Last login: Wed Mar 4 17:42:18 2009 from cliserv [user1@ldapclisrv ~]$ [user1@ldapclisrv ~]$ [user1@ldapclisrv ~]$ passwd Changing password for user user1. Enter login(LDAP) password: New UNIX password: Retype new UNIX password: LDAP password information update failed: Can't contact LDAP server Must supply old password to be changed as well as new one passwd: Permission denied [user1@ldapclisrv ~]$ As you can see, I can login using LDAP ID, and I can change user1 password if I use ldappasswd, entering all ldap information, but I would like to make it simpler. Does anybody has any idea ? -- Gustavo Mendes de Carvalho e-mail: gmcarvalho(a)gmail.com

2 1

Multi-master or MirrorMode
by Sergio Cioban Filho 09 Mar '09

09 Mar '09

Hello all, I've read about ldap replication and I changed my replication from slurp to syncrepl. I want configure an failover Ldap Server, but I've read that in the multi-master replication configuration, I'll have problems with data consistency, is is true? When I'll have data inconsistency? In MIrrorMode, can I have much of two servers? What is the limit number of servers (nodes)? What is the better configuration for failover (Without a hardware proxies/load-balancing or dedicated proxy software)? ** Sorry for my poor english... ;) Thanks Regards, --- Sérgio Cioban Filho | Tecnólogo em Gestão de TI | Linux Professional Institute Certified - Level 1 ------------------------------------------------------------ | Linux - Servidores - Firewall - VPN | Virtualização - VoIP - ShellScript - C - PHP | http://cioban.googlepages.com | +55 48 9989-8733 ------------------------------------------------------------ ..:: Seja livre, use LiNuX!! ::.. ------------------------------------------------------------

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2009