openldap-technical May 2009

openldap-technical@openldap.org

58 participants
48 discussions

Re: Host based authentication using OpenLDAP
by Gavin Henry 25 May '09

25 May '09

----- "Per Kristiansen" <perk(a)funcom.com> wrote: > Hello, I've been working on implementing a LDAP solution for the last > 8 > months (in-between task, you know how it is :D ) Time flies! > I now have a working LDAP directory, have all my users imported, > things > actually work! :D..(jinx!) Excellent work, well done! > But now I wanna get fancy.. > > I've been googeling for some sort of clear description on how I can > set > up a system using groups of hosts and user groups to create a > selective > ACL for ssh'ing to a set of servers based on group membership. > It sounds to me like you are almost here and just need help creating the LDAP groups, ACLs and LDAP search/filters for use with nss_ldap on RHEL 4/5 and Centos? Gavin. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

5 12

OpenLDAP 23 client with 24 server?
by Matt Juszczak 25 May '09

25 May '09

Hi All, Most of our boxes are FreeBSD. FreeBSD has ports for openldap22, openldap23, and openldap24. Not using slurpd much anymore in my setups, I decided to run with openldap24 in our recent setup. Setup openldap24 server, and all the FreeBSD clients have openldap24 clients. Everything is working well. Recently, we had to introduce a few RHEL boxes into our setup. We're pointing to the redhat repositories, but they seem to only have openldap23-* client packages. I know I could potentially make my own packages, or perhaps get RPM's from the Internet, but I was wondering if by some chance openldap23 clients (and pam_ldap/nss_ldap libraries) are compatible with openldap24 servers? I would assume the other way around (openldap24 clients with openldap23 servers) would work fine. Thanks! -Matt

3 2

Najmuddin C has sent you a private message
by Najmuddin C 24 May '09

24 May '09

1 0

Matthew GARRETT is out of the office.
by Matthew GARRETT 23 May '09

23 May '09

I will be out of the office starting 22/05/2009 and will not return until 27/05/2009. I will respond to your message when I return. For IT issues please see Drew Harvey Registered in England and Wales No.811900 Registered Office 33 Cavendish Square, London W1G 0PW This e-mail and any attachments are intended only for the person or entity to whom it is addressed and may contain confidential or privileged information. If you are not the addressee, any disclosure, reproduction, copying, distribution, or use of this communication is strictly prohibited. If you are not the intended recipient or person responsible for delivering this message to the named addressee, please notify us immediately and delete this e-mail. It is the responsibility of the addressee to scan this email and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached.

1 0

freeBSD 7.0 + passwd + openldap
by François Mehault 22 May '09

22 May '09

Hi all Maybe it's not the good mailing list (sorry !)to post my question, but I hope someone can help me. I use OpenLDAP to authenticate some users. Then I want my users are able to change their passwords themselves with the command passwd. But I have this message : <14:59>[labobe1:~]$ passwd passwd: Sorry, `passwd' can only change passwords for local or NIS users. I read that I have to modify passwd.c in /usr/src/usr.bin/passwd but I can't find this path, I just have /usr/src/sys Is-there another way to change users's password ? Thanks for your help, Regards, François

2 1

Re: Host based authentication using OpenLDAP
by Gavin Henry 22 May '09

22 May '09

> And fyi, here's an example... For a given host: > > dn: cn=hostX,ou=hosts,dc=example,dc=com > objectClass: ipHost > objectClass: authorizedServiceObject > cn: hostX > ipHostNumber: 192.168.1.127 > authorizedService: sshd > authorizedService: ftp > > you use the authorizedService attribute to list the PAM services that > are > available. Then you set ACLs to control who can access each service, > like so: > > access to dn.subtree=ou=hosts,dc=example,dc=com > attrs=authorizedService val.exact=sshd > by group.exact="cn=admins,ou=groups,dc=example,dc=com" write > by peername.ip=192.168.2.0%255.255.255.0 read > by * search > > The overlay performs a Compare operation to check for the required > service, so > if you deny Compare access to a particular service, then users aren't > allowed > to use that service. Very nice! We did something like this for a hosting company that had users accounts with the services that the user was allowed to access and the specific apps had the appropriate filters in the authz/auth searches. Gavin. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/ Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 13 Whiteley Well Place, Inverurie, Aberdeenshire, AB51 4FP. Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html

1 0

MirrorMode and Failover
by Mike A Meyer 22 May '09

22 May '09

1 0

Re: Deleting hundreds of Entry under a OU
by Daniel Spannbauer 22 May '09

22 May '09

Rein Tollevik schrieb: > Michael Ströder wrote: >> Daniel Spannbauer wrote: > >>> I have to deleted abount 500 Entrys under a OU in my LDAP-Tree cause I >>> have to change the objectClass from "account" to "inetorgPerson". >>> Can I do this with ldapdelete? I always used that tool only to delete >>> one entry. >> >> Yes. But you have to provide a file with a list of the DNs of the >> entries to be deleted. >> >> $ ldapdelete -h >> usage: ldapdelete [options] [dn]... >> dn: list of DNs to delete. If not given, it will be readed from stdin >> or from the file specified with "-f file". > > Or you could try to simply change the objectclass and all required > attribute values in one operation using ldapmodify with the "-e relax" > control. It should allow you to replace the structural objectclass, > which otherwise is forbidden. > Hmm, my ldapmodify don't know this switch. How can I delete all entrys under an OU? If this works I delete all entrys and add them with the right ObjectClass. Regards Daniel > Rein -- Daniel Spannbauer Software Entwicklung marco Systemanalyse und Entwicklung GmbH Tel +49 8333 9233-27 Fax -11 Rechbergstr. 4 - 6, D 87727 Babenhausen Mobil +49 171 4033220 http://www.marco.de/ Email ds(a)marco.de Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München

1 0

Newbie planning for the future
by Alex Moen 21 May '09

21 May '09

Hi all, I am a newbie to LDAP, and have just gotten my first directory server up and running, using openldap. I have been researching and reading a lot of material for quite a while about schema design and planning, and haven't found much pertaining to what I want to do. We have 50+ servers, serving thousands of customers. I want to migrate those servers to LDAP authentication and authorization, but have not found the proper design for multiple servers and duplicated users. Most references just do the basic "example.com" example and never expand on it from there. Ultimately, I would like to allow my admins to have a single account across multiple servers (kind of "authorization account merging"), but still allot the schema to be "separate" enough that duplicated usernames on different machines, corresponding to different people, still exist. Are there any really good references out there that do step-by-step walk throughs of the type of schema designing that I am thinking of? Or is it impossible? Or am I just really making too much of this? :) Thanks for any insights... Alex

3 2

unable to add certain entries
by Andrew Zirkel 19 May '09

19 May '09

I'm having a growing problem where certain entries won't add and I get these errors in slapd stats output: conn=7 op=160 MODRDN dn="cn=Untitled_1,cn=computer_groups,dc=chetwood,dc=local" => bdb_dn2id_add: subtree (cn=mslib,cn=computer_groups,dc=chetwood,dc=local) put failed: -30996 conn=7 op=160 RESULT tag=109 err=80 text=DN index add failed conn=7 op=161 MOD dn="cn=Untitled_1,cn=computer_groups,dc=chetwood,dc=local" conn=7 op=161 MOD attr=cn entry failed schema check: value of naming attribute 'cn' is not present in entry conn=7 op=161 RESULT tag=103 err=64 text=value of naming attribute 'cn' is not present in entry conn=7 op=162 MODRDN dn="cn=Untitled_1,cn=computer_lists,dc=chetwood,dc=local" => bdb_dn2id_add: subtree (cn=mslib,cn=computer_lists,dc=chetwood,dc=local) put failed: -30996 conn=7 op=162 RESULT tag=109 err=80 text=DN index add failed conn=7 op=163 MOD dn="cn=Untitled_1,cn=computer_lists,dc=chetwood,dc=local" conn=7 op=163 MOD attr=cn entry failed schema check: value of naming attribute 'cn' is not present in entry conn=7 op=163 RESULT tag=103 err=64 text=value of naming attribute 'cn' is not present in entry conn=7 op=164 SRCH base="cn=computer_groups,dc=chetwood,dc=local" scope=2 deref=0 filter="(&(objectClass=posixGroup)(objectClass=apple- group)(objectClass=extensibleObject)(|(cn=untitled_1)))" conn=7 op=164 SEARCH RESULT tag=101 err=0 nentries=1 text= conn=7 op=165 ABANDON msg=165 This is slapd 2.3.27, which is included in Apple OSX 10.5. This particular entry is for a computer group called mslib, and I'm using Apple's workgroup manager tool to add it. Other names will add, it seems to be entries that were created before but aren't showing up now. This is also happening for other object classes, like computer entires. slapcat and the other tools I use don't show an existing entry for mslib or the other names that won't add. Any advise on where to go from here would be appreciated. Thanks, Andy Zirkel.

2 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2009