openldap-technical April 2009

openldap-technical@openldap.org

71 participants
79 discussions

Expiration accounts and indexes ?
by Jordi Espasa Clofent 09 Apr '09

09 Apr '09

Hi folks, Yesterday I see a lot of "Apr 6 16:08:20 xen-ldap01 slapd[1167]: <= bdb_equality_candidates: (objectClass) not indexed" in my OpenLDAP provider server log. After searching in docs (http://www.openldap.org/faq/data/cache/42.html), I applied index objectClass eq instead of previous #index objectClass eq and restart the service. The suprise has been when a few users cannot login in system through LDAP validation this morning. The errors in log (in client logs) was: [...] Apr 9 09:11:13 hc23 sshd[44389]: pam_ldap: error trying to bind as user "uid=ivan,ou=SAT,ou=Tecnic,dc=my_company,dc=com" (Invalid credentials) Apr 9 09:11:13 hc23 sshd[44387]: error: PAM: authentication error for illegal user ivan from XXX.XXX.XXX.XXX [...] The solution has been easy: comment the "index objectClass eq" parameter again in slapd conf file. ¿Why it happens? I wonder it. Maybe some cache-related issue... -- Thanks, Jordi Espasa Clofent

3 2

Ldap authentication
by Hammad Ahmad Bhatti 08 Apr '09

08 Apr '09

Hello, I have configured openldap for SSO. Now I am authenticating all of my linux boxes with this SSO. Now I have requirement that my root user should not authenticate through this SSO. Rest of all users should authenticate through this. Can any one have any suggestion for this. Thannn Koooo Hammad Ahmad

3 3

LDAP for MySQL Cluster
by Howard Chu 07 Apr '09

07 Apr '09

I will be co-presenting a talk at the MySQL Conference on Thursday April 23 in Santa Clara, California on the back-ndb backend in OpenLDAP. Johan Andersson from Sun/MySQL will also be presenting; Symas and MySQL worked together to design the data model for this backend. http://en.oreilly.com/mysql2009/public/schedule/detail/6219 back-ndb is a new OpenLDAP slapd backend that provides direct access to MySQL's NDB Cluster engine. The NDB Cluster design allows concurrent access to relational tables from multiple access methods (including mysqld for traditional SQL access, and slapd for LDAP access) and allows capacity to scale horizontally across multiple data nodes. The OpenLDAP backend uses the native NDBAPI to achieve high speed access without any SQL translation overhead. Multiple slapd servers can operate concurrently on an NDB database, along with other mysqld servers and other agents, allowing performance to be augmented linearly simply by adding more nodes to a cluster. This will be slightly more in-depth than the back-ndb talk I presented at the UKUUG conference in March. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: Migrating users, groups and machines from Win NT 4.0 PDC to openldap+samba
by Norberto Bensa 07 Apr '09

07 Apr '09

On Tue, Apr 7, 2009 at 5:51 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, April 07, 2009 11:31 AM -0300 Norberto Bensa > <nbensa(a)gmail.com> wrote: >> This is OT to this list, but "net rpc vampire" will do what you want. >> Consult the samba docs/mailing list. > > I don't see why this is off topic. The -technical list is about > interoperability of OpenLDAP with other applications. Thanks. I thought this list was openldap-only questions. Regards, Norberto

1 0

Migrating users, groups and machines from Win NT 4.0 PDC to openldap+samba
by Nathaniel Simch de Morais 07 Apr '09

07 Apr '09

Hi, does anyone know how can i export users, groups and machines from a WinNT 4.0 PDC and put this informations in my OpenLDAP+SAMBA(PDC)? -- --------------------------------------------------- Nathaniel Simch de Morais skype: nathanielmorais --------------------------------------------------- °v° "Você acha que é livre se o | /(_)\ Software que você usa | ^ ^ nao é?" | --------------------------------------------------- Eu uso BrOffice.org!!! Eu uso Mozilla Firefox!!!

3 2

unable to get openldap to bind to active directory
by Kyle Pike 07 Apr '09

07 Apr '09

[kylec@localhost ~]$ ldapsearch -v -H ldap://localhost -x -b "cn=Users,dc=company,dc=internal" ldap_initialize( ldap://localhost ) filter: (objectclass=*) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <cn=Users,dc=company,dc=internal> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 1 Operations error text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope ration a successful bind must be completed on the connection., data 0, vece # numResponses: 1

1 0

back-ndb vs back-sql for exposing one MySQL db?
by Gavin Henry 07 Apr '09

07 Apr '09

Hi All, Here's a quick question, if you need to expose one MySQL db as LDAP for example, using the existing db that has customer records in it and a 3rd party application can look up via LDAP, do you use bog standard back-sql or back-ndb just use one db, as it looks easier to setup? Going by Howards talk at UKUUG 2009: http://www.ukuug.org/events/spring2009/programme/openldap-mysql.shtml -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

2 1

How to Secure openLdap nss_ldap
by Matthew.GARRETT＠external.total.com 07 Apr '09

07 Apr '09

Folks Note sure if this is the right list ? I have a new OpenLdap (version 2.3) Server that uses Kerberos for Password Authentication, which is going to be a Replacement for NIS (YP) All Normal access works fine and users can login , access automount maps etc However there are 2 types of Ldap binding Simple TLS At the moment any body can run the following ldapsearch -x I would like to try and disable Simple Binding But if I select "disallow bind_anon" in slapd.conf file Things start to break like authentication stops working. /var/log/messages Apr 1 15:42:15 apricot sudo[31515]: pam_ldap: error trying to bind (Inappropriate authentication) Apr 1 15:42:18 apricot sudo[31515]: pam_ldap: error trying to bind (Inappropriate authentication) Apr 1 15:42:25 apricot sudo[31515]: pam_ldap: ldap_result Can't contact LDAP server How do I get a Machine to authenticate to Ldap ? I think the problem lies with nss_ldap ? When I add the following line to /etc/ldap.conf ssl start_tls I start to get the following error's Apr 2 14:09:11 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)... Apr 2 14:09:15 bruce vmware-guestd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)... Apr 2 14:09:18 bruce nscd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)... Apr 2 14:27:06 bruce sshd: pam_ldap: ldap_starttls_s: Operations error Apr 2 14:27:06 bruce sshd(pam_unix)[11233]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=apricot.uk.ad.ep.corp.local user=mgarrett Apr 2 14:27:06 bruce sshd[11233]: pam_krb5[11233]: authentication succeeds for'mgarrett' (mgarrett(a)UK.AD.EP.CORP.LOCAL) /etc/ldap.conf base dc=unix,dc=total bind_timelimit 120 idle_timelimit 3600 ldap_version 3 pam_password md5 scope sub ssl start_tls timelimit 120 tls_cacertdir /etc/openldap/cacerts tls_checkpeer no Can any body point me in the right direction Thanks Matthew Server is RedHat 5.3 Clients are RedHat 4.7 Copy of slapd.conf pwcheck_method: saslauthd mech_list: gssapi sizelimit unlimited include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/redhat/autofs.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/krb5-kdc.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 TLSCACertificateFile /etc/openldap/cacerts/cacert.pem TLSCertificateFile /etc/openldap/slapd.pem TLSCertificateKeyFile /etc/openldap/slapd.key ## security - other directives ## prevents anonymous access to ## any connection #disallow bind_anon ## forces a bind operation before DIT access #require bind ## Use of reads on ldaps only port forces use ## of TLS/SSL but not a minimum value ## this directive forces a minimum value #security simple_bind=128 sasl-secprops noanonymous,noplain,noactive # Map SASL authentication DNs to LDAP DNs # This leaves "username/admin" principals untouched sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=unix,dc=total # This should be a ^ plus, not a star, but slapd won't accept it # Default read access for everything else except anonymous users who have no access but does not work. ! access to * by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write by * read #by anonymous none Matthew Garrett Senior IS Technical Analyst Tel: 01224 297889 Fax: 01224 296806 Email: Matthew.Garrett(a)total.com Total E&P UK, Crawpeel Road, Altens Industrial Estate, Aberdeen AB12 3FG Registered in England and Wales No.811900 Registered Office 33 Cavendish Square, London W1G 0PW This e-mail and any attachments are intended only for the person or entity to whom it is addressed and may contain confidential or privileged information. If you are not the addressee, any disclosure, reproduction, copying, distribution, or use of this communication is strictly prohibited. If you are not the intended recipient or person responsible for delivering this message to the named addressee, please notify us immediately and delete this e-mail. It is the responsibility of the addressee to scan this email and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached.

2 3

sasl use ip as digest-uri
by Zhen Li 07 Apr '09

07 Apr '09

Hi, I'm trying to do sasl authentication against an active directory server. In the second sasl bind request sent to AD, the ip address of the AD server is used as the digest-uri. e.g. "ldap/192.168.1.1". Isn't it supposed to use domain name like "ldap/svr.example.com"? I used "ldapsearch -Y DIGEST-MD5". And in ldap.conf, "uri" and "host" are given in domain names. Any help will be appreciated. liz _________________________________________________________________ View your Twitter and Flickr updates from one place – Learn more! http://clk.atdmt.com/UKM/go/137984870/direct/01/

1 0

LDAP presentation PDFs are available
by Gavin Henry 07 Apr '09

07 Apr '09

OpenLDAP Replication Strategies - http://www.ukuug.org/events/spring2009/programme/openldap-replication.shtml OpenLDAP and MySQL: Bridging the Data Model Divide - http://www.ukuug.org/events/spring2009/programme/openldap-mysql.shtml Writing Access Control Policies for LDAP - http://www.ukuug.org/events/spring2009/programme/ldap-access-control.shtml -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2009