May 2009 - openldap-technical

by Zdenek Styblik

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, my question is regarding updated Cosine schema [RFC 4524] which has been accepted in March 1991 by IANA. This obsoletes previous Cosine schema [RFC 1274]. OpenLDAP has support for RFC 4524, yet it comes with pre-defined older RFC 1274. So, I'm wondering, is there reason for keep using RFC 1274, or is it safe to define/create new Cosine schema by RFC 4524? Note: I've found ldif file which corresponds with RFC 4524, but no schema file. But I think [believe] it won't be that hard to define schema by published RFC. But, if somebody knows where I can get those files for OpenLDAP, I would be really happy. Thank you for your reply. Regards, Zdenek Styblik - -- Zdenek Styblik Net/Linux admin OS TurnovFree.net email: stybla(a)turnovfree.net jabber: stybla(a)jabber.turnovfree.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoeUiMACgkQ8MreUbSH7ilMtACgwoLkn1KtS/D84yxCRrRfZHHv F9IAnjl8PNOaJ3P6Wm783u9c/J3reit4 =EtIk -----END PGP SIGNATURE-----

14 years, 3 months

2
4
0 / 0

Bind/search more than one tree and server

by Schneider, Thomas-P65851

I am seeking a solution to be able to bind to, and search more than one tree and server per request using Linux. My goal is to maintain separate groups of user accounts on an OpenLDAP server -- e.g. local and network. The groups of users can have overlapping posixAccount uid attributes, but will have unique uidNumber attributes. My main use case is authentication, which requires checking a remote LDAP server first -- currently AD which requires attribute re-mapping), then network tree on the local LDAP (openldap) if not in remote server, then the local tree on local server if not in the first tree. I have tried referrals and rewrites, but nothing I've tried worked. It looks like the creation of a custom overlay will work, but I'd rather not go down that path. I have also tried using PAM, but pam_ldap is limited to one configuration per service (modifying pam_ldap is an option at this point). Thanks, Craig

14 years, 3 months

2
2
0 / 0

'unary operator expected' error when TLS turned on

by John Kane

I've also posted this message on the OpenSSL forum: I just turned on TLS on my LDAP (per instructions on http://www.openldap.org/faq/data/cache/185.html). Now all of my Linux servers (RH EL5) give the following error on login: -bash: [: =: unary operator expected The error goes away when I turn TLS off. I cannot determine what is causing this error, or even which file contains the error. I've gone through my LDAP config files, cannot find an issue in any of these. Other than my cacert.pem, and the LDAP config files, are there other files that are read only when TLS is turned on? Thanks, John I am running Openldap 2.3.43-2.el5 & OpenSSL 0.9.8b-10.el5 (RPMs from Red Hat, which I am required to use unless I put up a BIG fight). ++++ Here's my configs ++++ I turn on TLS by adding the following in my /etc/ldap.conf (pam/nss file): ssl start_tls tls_checkpeer yes tls_cacertfile /etc/openldap/cacerts/cacert.pem tls_cacertdir /etc/openldap/cacerts/ and have the following in my /etc/openldap/ldap.conf (openldap file): HOST 172.25.3.97 BASE dc=example,dc=net TLS_CACERTDIR /etc/openldap/cacerts/ TLS_REQCERT allow and my (self-signed) cacert: [root@serverx cacerts]# openssl x509 -text -in /etc/openldap/cacerts/cacert.pem Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Utah, O=Bigtime CA, OU=Signers, CN=Integration Root CA/emailAddress=john.smith(a)myco.com Validity Not Before: May 28 04:37:13 2009 GMT Not After : May 27 04:37:13 2012 GMT Subject: C=US, ST=Utah, O=Bigtime CA, OU=Signers, CN=Integration Root CA/emailAddress=john.smith(a)myco.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b3:bf:f0:18:5d:7e:57:0a:ce:15:3c:28:2a:81: 6d:e6:c5:31:98:7e:cc:09:03:d2:28:f2:33:3e:88: 11:5f:7d:e1:18:33:38:7d:f5:fa:9d:89:a8:95:16: 08:00:81:08:29:ac:37:b3:b1:2b:f3:20:52:15:d7: 19:44:92:9c:45:e7:2e:58:fe:7e:07:d4:1f:5a:ad: 59:91:37:84:14:a8:4e:df:54:a2:62:66:38:9b:f0: cf:48:01:68:0d:3a:7c:93:83:02:48:e0:76:a1:5c: f9:05:3b:49:1e:03:9a:fd:ea:ee:79:f7:87:66:96: b0:69:39:e1:e6:1a:bd:9e:0d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 0B:FB:7D:0B:0D:17:A3:CD:79:02:A3:A3:92:57:15:6F:DE:38:07:3C X509v3 Authority Key Identifier: keyid:0B:FB:7D:0B:0D:17:A3:CD:79:02:A3:A3:92:57:15:6F:DE:38:07:3C Signature Algorithm: sha1WithRSAEncryption 28:52:3d:9c:90:d1:89:00:d7:9d:3b:06:a6:32:28:e8:c0:8d: 9d:5a:0b:79:bb:1a:c9:1a:8d:c6:3a:a5:ec:5d:4c:9f:20:4c: c6:1e:41:df:7d:d5:fc:45:09:2b:4b:7c:ff:38:aa:ea:33:a0: 4a:be:7c:84:7c:58:e8:98:9b:c9:0e:4b:5b:11:c6:28:84:b1: 3f:bb:30:03:f6:38:40:9f:2d:32:bc:3a:97:b8:6f:fd:aa:9f: 67:a6:27:07:53:b2:40:41:86:b7:02:f2:6b:07:6f:1b:74:87: 63:3b:1b:89:13:08:cb:32:f0:3c:3b:5e:d6:df:e3:91:19:86: 7a:d4 -----BEGIN CERTIFICATE----- MIIDDzCCAnigAwIBAgIBADANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UERhMCVVMx DjAMBgNVBAgTBVRleGFzMRMwEQYDVQQKEwpCaWd0aW1lIENBMRAwDgYDVQQLEwdT aWduZXJzMRwwGgYDVQQDExNJbnRlZ3JhdGlvbiBSb290IENBMSowKAYJKoZIhvcN AQkBFhtqb2huLmthbmVAcHJvZGVhc3lzdGV3cy5jb20wHhcNMDkwNTI4MDQzNzEz WhcNMTIwNTI3MDQzNzEzWjCBjjELMAkGA1UEBhMCVVMxDjAMBgNVBAgTBVRleGFz MRMwEQYDVQQKEwpCaWd0aW1lIENBMRAwDgYDVQQLEwdTaWduZXJzMRwwGgYDVQQD ExNJbnRlZ3JhdGlvbiBSb290IENBMSowKAYJKoZIhvcNAQkBFhtqb2huLmthbmVA cHJvZGVhc3lzdGVtcy5jb20wgZ8wDQYJKoZIhvcNAQE1BQADgY0AMIGJAoGBALO/ 8BhdflcKzhU8KCqBbebFMZh+xAkD0ijyMz6IEV994RgzNX31+p2JqJUWCACBCCms N7OxK/MgUhXXGUSSnEXnLlj+fgfUH1qtWZE3hBSoTd9UomJmOJvwz0gBaA06fJOD AkjgdqFc+QU7SR4Dmv3q7nn3h2aWsGl54eYavZ4NAgMBAAGjezB5MAkGA1UdEwQC MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl MB0GA1UdDgQWBBQL+30LDRejzXkCo6OSVxVv3jgHPfAfBgNVHSMEGDAWgBQL+30L DRejzXkCo6OSVxVv3jgHPDANBgkqhkiG9w0BAQUFAAOBgQAoUj2ckOGJANedOwam MijowI2dWgt5uxrJGo3GOqXsXUyfIEzGHkHffdD8RQkrS3z/OKrqM6BKvnyEfFjo mJ7JDktbEcYohLE/uzAD9jhAny0yvDqXuG/9qp9npicHU7JAQYa3AvJrB28bdIdo OxuJEwjLNvA8O17W3+ORGYZ61A== -----END CERTIFICATE----- This message is confidential to Prodea Systems, Inc unless otherwise indicated or apparent from its nature. This message is directed to the intended recipient only, who may be readily determined by the sender of this message and its contents. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient:(a)any dissemination or copying of this message is strictly prohibited; and(b)immediately notify the sender by return message and destroy any copies of this message in any form(electronic, paper or otherwise) that you have.The delivery of this message and its information is neither intended to be nor constitutes a disclosure or waiver of any trade secrets, intellectual property, attorney work product, or attorney-client communications. The authority of the individual sending this message to legally bind Prodea Systems is neither apparent nor implied,and must be independently verified.

14 years, 3 months

2
5
0 / 0

Deleting records while iterating through ldap_result

by Stephen

Hi everyone, I'm using the C SDK and writing a program to prune old directory records. The core logic of the program could go something like this:- rc = ldap_search_ext( ld, .. <rest of parameters> ); while (!done) { rc = ldap_result( ld, .. <rest of parameters>, &searchResult) ; //Delete records matching criteria dn = ldap_get_dn( ld, searchResult ); rc = ldap_delete_ext_s( ld, dn, .. <rest of parameters>); } ------- I have two questions and they are probably related:- Firstly: Can I delete records while iterating through the results of the ldap search? (In higher level languages deleting an item from a collection while navigating through a collection is often bad form. Is that the case here?) Secondly: Can I use the same session handle to delete the records as is used for the search? In the logic above, the session handle is ld, and ld is used for both the search and for the deletion. (I'm expecting I would need to use a different session handle for the logic above to work. Alternatively one could save all the records to be deleted in an array and then after the search loop, the same session handle can be used for all the deletes). Thank you Stephen

14 years, 3 months

2
1
0 / 0

Cannot bind/connect to server outside the LAN

by Stelios A.

Hello all, I need help in three problems that I'm facing with my OpenLDAP implementation please. First problem: I'm able to connect to my LDAP server on 636 port without a problem from the same subnet but not outside the Internet. What I want to achieve is to be able to connect from a particular range of static IP's. The ACL part of my slapd.conf is: access to attrs=userPassword,shadowLastChange by dn="uid=authenticate,ou=System,dc=example.com" read by dn="uid=myusername,ou=Users,ou=bca,dc=example.com" read by anonymous auth by self write access to attrs=givenName,sn,cn,mail by dn="uid=syncrepl,ou=system,dc=example.com" read by anonymous peername.ip=some_static_ip read by anonymous peername.ip=some_static_ip read by anonymous peername.ip=some_static_ip read by anonymous peername.ip=some_static_ip read by self read by users auth by anonymous auth access to attrs=uid by anonymous read by users read access to dn.regex="^.*,uid=([^,]+),ou=Users,dc=example.com$" by dn.exact,expand="uid=$1,ou=Users,dc=example.com" write access to * by dn.exact="uid=authenticate,ou=System,dc=example.com" none by users none break by self read by users read by * none 2nd problem: The following ACL does not work at all or I'm doing something wrong: access to attrs=givenName,sn,cn,mail by dn="uid=syncrepl,ou=system,dc=example.com" read by anonymous peername.ip=some_static_ip read by anonymous peername.ip=some_static_ip read by anonymous peername.ip=some_static_ip read by anonymous peername.ip=some_static_ip read by self read by users auth by anonymous auth I can't bind as anonymous from 'some_static_ip' in order to fetch the mail, givenName etc into the Thunderbird address book for example. 3rd problem and last! If I reboot the master server then the slave does not bind correctly and email etc does not work at all even though it is configured on that server (slave). Also when I reboot the servers, master must come up first as otherwise I'm not able to connect until I reboot the slave server. Both servers running on Ubuntu 9.04 if that matters in any way. See output: root@masterldap:/etc/ldap# dpkg -l slapd Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-==============-==============-============================================ ii slapd 2.4.15-1ubuntu OpenLDAP server (slapd) I have also attached the whole slapd.conf file of my master server in case that helps more. Any help, suggestion is much appreciated.

14 years, 3 months

1
0
0 / 0

Host and group of users authentication

by Tech Only

Hello, I am trying to make group of users to log on to a particular server depending on LDAP credentials. Telnet , ssh work just fine to the host with out any issues. Once I make changes to the ldap.conf file on the client to use the base dc=test,dc=org uri ldap://1.1.1.1 pam_groupdn cn=ldap,ou=hosts,dc=test,dc=org pam_member_attribute member The server is Debian Openldap and the client is Centos 5.* I get You must be a memeber of cn=ldap,ou=hosts,dc=test,dc=org to login And here are the ldif files I used to create the entries. users.ldif dn: cn=Test1 User1,ou=people,dc=test,dc=org givenName: Test1 sn: User1 cn: Test1 User1 userPassword: {MD5}ICy5YqxZB1uWSwcVLSNLcA== uidNumber: 1001 gidNumber: 1000 objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uid: test1 homeDirectory: /home/users/test1 dn: cn=Test2 User2,ou=people,dc=test,dc=org givenName: Test2 sn: User2 cn: Test2 User2 userPassword: {MD5}ICy5YqxZB1uWSwcVLSNLcA== uidNumber: 1002 gidNumber: 1000 objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uid: test2 homeDirectory: /home/users/test2 Hosts.ldif dn: cn=ldap,ou=hosts,dc=test,dc=org objectclass: ipHost objectclass: device objectclass: extensibleObject ipHostnumber: 1.1.1.2 cn: ldap member: uid=test1,ou=people,dc=test,dc=org member: uid=test2,ou=people,dc=test,dc=org

14 years, 3 months

1
0
0 / 0

Recommendations for adding "MUST" attribute to in-production objectclass?

by Christopher DeMarco

Greetings, list! I have a custom schema, which defines an objectclass to which all of my "users" belong. I'd like to add a required ("MUST") attribute to that objectclass, but I'm frightened of destroying my users :-) Is the following procedure safe? 1. Add the desired attribute as optional ("MAY") to the objectclass in my schema. Restart slapd. 2. Apply an LDIF change to every node with that particular objectclass, setting that new attribute to some acceptable value. 3. Ensure that my "create a new user" tools will set that attribute. 4. Change my schema to require ("MUST") that attribute within that objectclass. Restart slapd. If not, what is the safe procedure? Is there a better way of adding a required attribute to an in-production objectclass? Thanks! -- Christopher DeMarco <demarco(a)maya.com> IT Director MAYA Group +1-412-708-9660

14 years, 3 months

6
8
0 / 0

ACI and OpenLdap 2.4.11 un debian lenny

by Sebastien Cramatte

Hello How can I use ACI with Openldap 2.4.11 ? I'm running debian lenny and seems that debian package by default has the option --enable-aci I don't have any OpenLDAPAci attribute and OpenLDAPAcl object in core.schema Thank your help Best regards

14 years, 4 months

2
1
0 / 0

Problems with openLDAP and Samba

by Matt Burkhardt

Hope this is the right list - Anyway, I've got openLDAP 2.4.9 on Ubuntu 8.04 along with Samba 3.028 I've got it all installed and used the slapd.d (cn=config) capabilities. I get no errors on start up or stop, can create, modify and delete users and groups. However, I cannot create a user in openLDAP that is usable with Samba. If I go back in and create a Unix user, it will work. I've installed libnss-lapd and configured it - but is this the way it's supposed to work? What should I be looking at? Thanks and sorry for the noob question... -- Matt Burkhardt, M.Sci. Technology Management mlb(a)imparisystems.com (301) 682-7901 502 Fairview Avenue Frederick, MD 21701 http://www.imparisystems.com

14 years, 4 months

3
5
0 / 0

hostObject, host attribute

by François Mehault

Hi all I use the primitive pam_check_host_attr in pam_ldap to filter my users. In OpenLDAP I add the attribute host for each users. I can write « host = hostlab.netplus.fr (fqdn) » to allow just one host for my user, or « host = * » to allow all hosts. But if I write host = 192.168.57.48 (the IP of hostlab.netplus.fr), my user is not able to authenticate on the host, Why I have to write the FQDN and not the IP address. Isn't possible ? And Is it possible to use regexp with the host attribute? Like host = 192.168.45.* ? Regards, François

14 years, 4 months

2
1
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2009