Re: Host based authentication using OpenLDAP
by Gavin Henry
----- "Per Kristiansen" <perk(a)funcom.com> wrote:
> Hello, I've been working on implementing an LDAP solution for the last 8 months (in-between task, you know how it is :D )
Time flies!
> I now have a working LDAP directory, have all my users imported, things actually work! :D..(jinx!)
Excellent work, well done!
> But now I wanna get fancy..
>
> I've been googling for some sort of clear description on how I can set up a system using groups of hosts and user groups to create a selective ACL for ssh'ing to a set of servers based on group membership.
>
It sounds to me like you are almost there and just need help creating the LDAP groups, ACLs
and LDAP search filters for use with nss_ldap on RHEL 4/5 and CentOS?
Gavin.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie,
Aberdeenshire, AB51 4FP.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
14 years, 4 months
OpenLDAP 23 client with 24 server?
by Matt Juszczak
Hi All,
Most of our boxes are FreeBSD. FreeBSD has ports for openldap22,
openldap23, and openldap24. Not using slurpd much anymore in my setups, I
decided to run with openldap24 in our recent setup. I set up an openldap24
server, and all the FreeBSD clients have openldap24 clients. Everything
is working well.
Recently, we had to introduce a few RHEL boxes into our setup. We're
pointing to the Red Hat repositories, but they seem to only have
openldap23-* client packages. I know I could potentially make my own
packages, or perhaps get RPMs from the Internet, but I was wondering if
by some chance openldap23 clients (and the pam_ldap/nss_ldap libraries) are
compatible with openldap24 servers? I would assume the other way around
(openldap24 clients with openldap23 servers) would work fine.
Thanks!
-Matt
14 years, 4 months
Matthew GARRETT is out of the office.
by Matthew GARRETT
I will be out of the office starting 22/05/2009 and will not return until 27/05/2009.
I will respond to your message when I return.
For IT issues please see Drew Harvey
Registered in England and Wales No.811900
Registered Office 33 Cavendish Square, London W1G 0PW
This e-mail and any attachments are intended only for the person or entity
to whom it is addressed and may contain confidential or privileged
information. If you are not the addressee, any disclosure, reproduction,
copying, distribution, or use of this communication is strictly prohibited.
If you are not the intended recipient or person responsible for delivering
this message to the named addressee, please notify us immediately and delete
this e-mail.
It is the responsibility of the addressee to scan this email and any
attachments for computer viruses or other defects. The sender does not
accept liability for any loss or damage of any nature, however caused,
which may result directly or indirectly from this email or any file attached.
14 years, 4 months
freeBSD 7.0 + passwd + openldap
by François Mehault
Hi all
Maybe this isn't the right mailing list to post my question on (sorry!), but I hope someone can help me. I use OpenLDAP to authenticate some users. I want my users to be able to change their passwords themselves with the passwd command, but I get this message:
<14:59>[labobe1:~]$ passwd
passwd: Sorry, `passwd' can only change passwords for local or NIS users.
I read that I have to modify passwd.c in /usr/src/usr.bin/passwd, but I can't find this path; I just have /usr/src/sys.
Is there another way to change users' passwords?
Thanks for your help,
Regards,
François
14 years, 4 months
Re: Host based authentication using OpenLDAP
by Gavin Henry
> And fyi, here's an example... For a given host:
>
> dn: cn=hostX,ou=hosts,dc=example,dc=com
> objectClass: ipHost
> objectClass: authorizedServiceObject
> cn: hostX
> ipHostNumber: 192.168.1.127
> authorizedService: sshd
> authorizedService: ftp
>
> you use the authorizedService attribute to list the PAM services that are
> available. Then you set ACLs to control who can access each service, like so:
>
> access to dn.subtree=ou=hosts,dc=example,dc=com
> attrs=authorizedService val.exact=sshd
> by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
> by peername.ip=192.168.2.0%255.255.255.0 read
> by * search
>
> The overlay performs a Compare operation to check for the required service, so
> if you deny Compare access to a particular service, then users aren't allowed
> to use that service.
Very nice! We did something like this for a hosting company that had user accounts listing the services
the user was allowed to access, and the specific apps had the appropriate filters in their authz/auth searches.
Gavin.
14 years, 4 months
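An added model of how slapd decides the Compare the overlay issues under the ACL quoted above; this is not code from the thread or from OpenLDAP. Two points it makes visible: the "by" clauses are tried in order and the first match decides, and privilege levels are cumulative per slapd.access(5), so the trailing "by * search" also grants compare to everyone. The DN, group and subnet values come from the quoted example; STRICT_ACL, ending in "by * auth", is an assumed variant that leaves compare to the admins group and the listed subnet only.

```python
# Added example, not code from the thread or from OpenLDAP: a small model of how
# slapd decides the Compare on authorizedService under the quoted ACL.  Only
# the group.exact, peername.ip=<net>%<mask> and * "by" forms are modelled.
import ipaddress

# slapd.access(5): privilege levels are cumulative; each implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def level_allows(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)

def who_matches(who, client):
    """client = {"groups": set of group DNs the bound user is in, "ip": peer address}."""
    if who == "*":
        return True
    kind, _, arg = who.partition("=")
    if kind == "group.exact":
        return arg.strip('"').lower() in {g.lower() for g in client["groups"]}
    if kind == "peername.ip":
        net, _, mask = arg.partition("%")
        return ipaddress.ip_address(client["ip"]) in ipaddress.ip_network(
            f"{net}/{mask or 32}", strict=False)
    raise ValueError(f"unsupported 'by' clause: {who}")

def what_matches(acl, dn, attr, value):
    """dn.subtree=<base> attrs=<attr> val.exact=<value> from the ACL's 'what' part."""
    base, want_attr, want_value = acl["what"]
    dn, base = dn.lower(), base.lower()
    in_subtree = dn == base or dn.endswith("," + base)
    return in_subtree and attr.lower() == want_attr.lower() and value == want_value

def compare_allowed(acl, client, dn, attr, value):
    """True/False if this ACL decides the Compare; None if it does not apply."""
    if not what_matches(acl, dn, attr, value):
        return None   # slapd would go on to the next ACL
    for who, level in acl["by"]:   # first matching "by" clause wins, then stop
        if who_matches(who, client):
            return level_allows(level, "compare")
    return False      # implicit trailing "by * none"
# The ACL quoted above, as data.
QUOTED_ACL = {
    "what": ("ou=hosts,dc=example,dc=com", "authorizedService", "sshd"),
    "by": [('group.exact="cn=admins,ou=groups,dc=example,dc=com"', "write"),
           ("peername.ip=192.168.2.0%255.255.255.0", "read"),
           ("*", "search")],
}
# Assumed variant: catch-all lowered to auth, which sits below compare.
STRICT_ACL = dict(QUOTED_ACL, by=QUOTED_ACL["by"][:2] + [("*", "auth")])
HOST = "cn=hostX,ou=hosts,dc=example,dc=com"
```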
Re: Deleting hundreds of Entry under a OU
by Daniel Spannbauer
Rein Tollevik wrote:
> Michael Ströder wrote:
>> Daniel Spannbauer wrote:
>
>>> I have to delete about 500 entries under an OU in my LDAP tree because I
>>> have to change the objectClass from "account" to "inetOrgPerson".
>>> Can I do this with ldapdelete? I have always used that tool only to delete
>>> one entry.
>>
>> Yes. But you have to provide a file with a list of the DNs of the
>> entries to be deleted.
>>
>> $ ldapdelete -h
>> usage: ldapdelete [options] [dn]...
>> dn: list of DNs to delete. If not given, it will be readed from stdin
>> or from the file specified with "-f file".
>
> Or you could try to simply change the objectclass and all required
> attribute values in one operation using ldapmodify with the "-e relax"
> control. It should allow you to replace the structural objectclass,
> which otherwise is forbidden.
>
Hmm, my ldapmodify doesn't know this switch.
How can I delete all entries under an OU?
If this works, I'll delete all entries and add them again with the right objectClass.
Regards
Daniel
> Rein
--
Daniel Spannbauer, Software Development
marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen Mobile +49 171 4033220
http://www.marco.de/ Email ds(a)marco.de
Managing Director Martin Reuter HRB 171775 Amtsgericht München
14 years, 4 months
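Michael's answer above is to hand ldapdelete a file of DNs. As an added example, not code from the thread, this builds that list from the LDIF a subtree ldapsearch prints: it unfolds the 76-column line wrapping ldapsearch applies by default, decodes base64 "dn::" values, drops the base OU itself and orders the deepest entries first so children are deleted before their parents. The base OU and the sample LDIF are constructed for the example.

```python
# Added example, not code from the thread: build the one-DN-per-line list that
# "ldapdelete -f file" (or stdin) reads, from the LDIF that a search such as
#   ldapsearch -LLL -b "ou=people,dc=example,dc=com" "(objectClass=account)" dn
# prints.  Deeper entries come first so children go before parents, and the
# base OU itself is never listed.  SAMPLE_LDIF below is constructed.
import base64
import re

def unfold(ldif_text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def ldif_dns(ldif_text):
    """Every dn in the LDIF; 'dn::' values are base64 (non-ASCII DNs)."""
    dns = []
    for line in unfold(ldif_text):
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns

def dn_depth(dn):
    # Number of RDNs; a backslash-escaped comma inside a value is not a separator.
    return len(re.split(r"(?<!\\),", dn))

def deletion_list(ldif_text, base):
    """DNs strictly below base, deepest first, ready for ldapdelete -f."""
    suffix = "," + base.lower()
    below = [dn for dn in ldif_dns(ldif_text) if dn.lower().endswith(suffix)]
    return sorted(below, key=dn_depth, reverse=True)  # stable: input order per depth

BASE = "ou=people,dc=example,dc=com"
UTF8_DN = "cn=J\u00f6rg M\u00fcller," + BASE   # ldapsearch prints this as dn:: base64
SAMPLE_LDIF = "\n".join([
    "dn: " + BASE, "",                           # the OU itself must survive
    "dn: uid=alice," + BASE, "",
    "dn: cn=Smith\\, John,ou=staff," + BASE, "", # escaped comma, still depth 5
    "dn: ou=staff," + BASE, "",
    "dn: uid=bob,ou=st", " aff," + BASE, "",     # folded across two lines
    "dn:: " + base64.b64encode(UTF8_DN.encode("utf-8")).decode("ascii"), "",
])
```

Writing the returned list to a file and passing it with "-f" gives ldapdelete the input its usage text describes.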
Newbie planning for the future
by Alex Moen
Hi all,
I am a newbie to LDAP, and have just gotten my first directory server
up and running, using openldap.
I have been researching and reading a lot of material for quite a
while about schema design and planning, and haven't found much
pertaining to what I want to do.
We have 50+ servers, serving thousands of customers. I want to
migrate those servers to LDAP authentication and authorization, but
have not found the proper design for multiple servers and duplicated
users. Most references just do the basic "example.com" example and
never expand on it from there. Ultimately, I would like to allow my
admins to have a single account across multiple servers (kind of
"authorization account merging"), but still allow the schema to be
"separate" enough that duplicated usernames on different machines,
corresponding to different people, still exist.
Are there any really good references out there that do step-by-step
walk-throughs of the type of schema design that I am thinking of?
Or is it impossible? Or am I just really making too much of this? :)
Thanks for any insights...
Alex
14 years, 4 months
unable to add certain entries
by Andrew Zirkel
I'm having a growing problem where certain entries won't add and I get
these errors in slapd stats output:
conn=7 op=160 MODRDN
dn="cn=Untitled_1,cn=computer_groups,dc=chetwood,dc=local"
=> bdb_dn2id_add: subtree
(cn=mslib,cn=computer_groups,dc=chetwood,dc=local) put failed: -30996
conn=7 op=160 RESULT tag=109 err=80 text=DN index add failed
conn=7 op=161 MOD
dn="cn=Untitled_1,cn=computer_groups,dc=chetwood,dc=local"
conn=7 op=161 MOD attr=cn
entry failed schema check: value of naming attribute 'cn' is not
present in entry
conn=7 op=161 RESULT tag=103 err=64 text=value of naming attribute
'cn' is not present in entry
conn=7 op=162 MODRDN
dn="cn=Untitled_1,cn=computer_lists,dc=chetwood,dc=local"
=> bdb_dn2id_add: subtree
(cn=mslib,cn=computer_lists,dc=chetwood,dc=local) put failed: -30996
conn=7 op=162 RESULT tag=109 err=80 text=DN index add failed
conn=7 op=163 MOD
dn="cn=Untitled_1,cn=computer_lists,dc=chetwood,dc=local"
conn=7 op=163 MOD attr=cn
entry failed schema check: value of naming attribute 'cn' is not
present in entry
conn=7 op=163 RESULT tag=103 err=64 text=value of naming attribute
'cn' is not present in entry
conn=7 op=164 SRCH base="cn=computer_groups,dc=chetwood,dc=local"
scope=2 deref=0 filter="(&(objectClass=posixGroup)(objectClass=apple-
group)(objectClass=extensibleObject)(|(cn=untitled_1)))"
conn=7 op=164 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=7 op=165 ABANDON msg=165
This is slapd 2.3.27, which is included in Apple OSX 10.5. This
particular entry is for a computer group called mslib, and I'm using
Apple's Workgroup Manager tool to add it. Other names will add; it
seems to be entries that were created before but aren't showing up
now. This is also happening for other object classes, like computer
entries.
slapcat and the other tools I use don't show an existing entry for
mslib or the other names that won't add. Any advice on where to go
from here would be appreciated.
Thanks,
Andy Zirkel.
14 years, 4 months