openldap-technical May 2009

openldap-technical@openldap.org

58 participants
48 discussions

Host based authentication using OpenLDAP
by Per Kristiansen 19 May '09

19 May '09

Hello, I've been working on implementing a LDAP solution for the last 8 months (in-between task, you know how it is :D ) I now have a working LDAP directory, have all my users imported, things actually work! :D..(jinx!) But now I wanna get fancy.. I've been googeling for some sort of clear description on how I can set up a system using groups of hosts and user groups to create a selective ACL for ssh'ing to a set of servers based on group membership. One of my primary goals is to have it work as much "out of the box" as possible for RHEL4 and 5 (and CentOS ) That means I want to avoid having to make changes to hosts (I have around 60-80 linux servers today that I want over on LDAP) So I try to avoid the solutions involving /etc/security/* I have it working with the ldapns schema with no changes to PAM. But this means I have to enter the specific host into each user record. But I'm a contrary and difficult guy, and love making problems for my self so I want to assign groups of users to groups of servers. Oh..and SSH keys :D..but that is for when life looks sunny and I need to be reminded that the world is a bad place. is there anyone that can point me towards resources that are written on this?..I already have a list of links I've been reading, and are adding those here in case other people want to look at them: https://help.ubuntu.com/community/LDAPClientAuthentication http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf http://www.padl.com/OSS/nss_ldap.html http://www.padl.com/OSS/pam_ldap.html http://quark.humbug.org.au/publications/ldap/system_auth/sage-au/system_aut… Thanks for taking the time to read this :) -- Per

1 0

Jabber and LDAP
by Gavin Henry 19 May '09

19 May '09

Hi All, Does anyone have any recommendations on Jabber servers that have great LDAP support and a small-ish footprint (i.e. not OpenFire)? I've been looking at http://xmpp.org/software/servers.shtml eJabberd and jabberd2 are the ones I've once used. Thanks.

2 1

Migration Lotus Notes
by Clenio W. e Silva 18 May '09

18 May '09

Lotus Notes Migration to OpenLDAP. Any tips on how to start? -- Clenio W. e Silva (62) 8414-5089 Gtalk: cleniogyn(a)gmail.com Jabber: cleniogyn(a)casabrasil.gov.br MSN: cleniogyn(a)hotmail.com -------------------------------------------------------------------- Ter Jesus como amigo é melhor do que qualquer outra conquista na vida!

2 1

MMR get inconsistent when updating entries concurrently to both Masters(2-masters configuration)
by hu zhang 18 May '09

18 May '09

Hi, all, I set up a testing environment for the MMR(2 master server), it did work well when I tested it in a "test050" style, that was, send updated requests to one of the master server, waited for seconds, then send update requests to another master server. All updates could be properly replicated among both servers. However, when I tried to update entries in an interleave style to these servers, I mean, like, the first update request was sent to server A, and the second request was sent to server B, then A, then B, .... there was no waitting between the update requests, and all requests were differnt. >From my understanding of the MMR, I hoped all updated in server A would be finally replicated to server B, and same to server B. But, the real test result was, I could see all updates in one of the server, but only partial updates in another server, the partial updates were exactly made by the requests directly comes to that sever, that is to say, the replication samed to be *monodirectional *in this situation. My question, is this scenario a bug for current openLdap, or, it is just not a supported use case ?* * I've been trying to find an answer in past mail threads, but I failed. Hope you guys can help me out from this confusion about MMR, if you need any further information, like configuration, I'll put them on, but I don't think that's a configuration problem, because the "test050" style testing works. Thanks! Hu

2 2

authenticate group of hosts
by François Mehault 18 May '09

18 May '09

Hi All, I have install openldap to authenticate users on system Unix. So, I use the module pam_ldap / nss_ldap with primitive pam_check_host_attr yes, and I have the attribute host for each person in my LDAP. I want to have 3 levels of authentication : - First level : a person have numerous attributes « host » so he is able to authenticate on these hosts - Second level : a person could be able to authenticate on a group of host - Third level : a person is able to authenticate on all hosts For the first level, for each host I declare one primitive « host » for my user in openldap : dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr givenName:: RnJhbsOnb2lz sn: MEHAULT uid: fmehault cn: Francois MEHAULT homeDirectory: /home/fmehault loginShell: /usr/local/bin/sh gidNumber: 1203 uidNumber: 1203 objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: hostObject userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg== host: labobe1 host: labobe2 For the third level, I put just the primitive « host : * » But I don't know how i could do the second level. I would like something like groupRadiusName, I want to define numerous group with host primitive, and each users can be in one group or plus. The goal is that my user have his host primitive plus the host primitive of his group. Is it possible ? Thanks for your help, Regards, François

1 0

getting rid of "request done" messages
by Heiko Petzsch 18 May '09

18 May '09

Hi, I've tried to ask the following question in the openldap-software mailing list: > I have a beginners question: when I log in as root on one of my systems, I > get quite a lot of messages of the form > > request done: ld 0x5654f0 msgid 1 > request done: ld 0x5654f0 msgid 2 > ... > > on the console. I assume that they originate from my openldap installation > - but I don't even understand the mechanism how they are send to me > (openldap was installed by my predecessor). Could someone please tell me > how to get rid of these messages ? The moderator rejected my question, giving as his reason: (I hope he doesn't mind being quoted with this) "Given these messages occurred when you "log in", it is likely that issue relates to LDAP client software you are using to manage system log ins. Your question of "how to get rid of these" is likely lead to off-topic discussion of that LDAP client software. However, your message does at seem to relate to the use of OpenLDAP Software, hence it suggested you submit your submission to the OpenLDAP-technical list." I must admit that I had and have have no certainty at all which software produces these messages - I only searched the internet, and saw the same messages in connection with questions other people asked about openldap. They are, though, not a direct result of me logging in - they arrive continously and even after hours of being logged on. Could anybody tell me where these messages originate from, and how I can disable them ? Any help will be appreciated. Heiko -- Heiko Petzsch GTS Systems and Consulting GmbH D-52134 Herzogenrath

3 3

SDK: ldap_simple_bind gives Protocol error
by Stephen 17 May '09

17 May '09

Hi everyone, I'm trying to work out why some sample code doesn't work against a Centos 5 system (Centos being a RedHat Enterprise clone). Client is Mac OS X 10.5, and server is Centos 5.3, OpenDLAP 2.3.43. The sample code is from http://docs.sun.com/source/816-5616-10/example.htm#13303. (Am not using the Sun SDK, it was just a convenient place to find sample code. If there are OpenLDAP sample code resources, a link is welcome.) In particular the problem occurs at this piece of code: /* Bind anonymously to the LDAP server. */ rc = ldap_simple_bind_s( ld, NULL, NULL ); if ( rc != LDAP_SUCCESS ) { fprintf(stderr, "ldap_simple_bind_s: %s\n", ldap_err2string(rc)); return( 1 ); } The resultant output is an error, namely; 'ldap_simple_bind_s: Protocol error' In comparison, if I run the same code against a Gentoo Linux system that also has OpenLDAP 2.3.43 the sample code works just fine. If I do an ldapsearch from the Mac OS X client with the query below, it succeeds. ldapsearch -x -h remoteCentosldapsvr -b basedn Can anyone suggest why the Centos 5 system is showing the protocol error? Thanks Regards Stephen

2 2

New DC
by Tech Only 16 May '09

16 May '09

Hello, I am new to LDAP. I have a basic question. How do I delete the default domain which is in the slapd.conf file and create my own? I have suffix "dc=example, dc=com" in slapd.conf file and if i chnge the above line and other lines where dc=example, dc=com to dc=test, dc=com I am not able to connect to it. Pelase let me know how to get rid of default dc and create my own domain. Thanks

2 3

replication between different slapds versions
by jakjr 15 May '09

15 May '09

Hello, Is there any problem to use the syncprov (refreshAndPersist) between a ldap master version 2.3.30 and a consumer version 2.4.16 ? I did some tests and couldn't find any problem. Best regards, João Alfredo

1 0

OpenLDAP 2.1 High Availability
by Kukkala Prasad 15 May '09

15 May '09

Hi All, We are planning to configure High Availability for OpenLDAP 2.1 on Linux CentOS. We are looking at following options and we want to check our understanding about corresponding options and looking for your valuable suggestions. 1. Using Replica Service a. This is not enough because if master machine goes down then LDAP updates will not be possible. 2. Migrating to OpenLDAP2.4 a. Master-Master solution looks promising but in our current project time line it is not possible to migrate. 3. Sharing LDAP file system on NFS a. After going through the thread http://www.openldap.org/lists/openldap-software/200209/msg00256.html it is understood that OpenLDAP does not support GFS or NFS. b. But the thread discussion happened very long back around in 2000 to 2002. ????Is that conclusion applicable to OpenLDAP 2.1???? 4. Hosting LDAP Service on CentOS Cluster Suite a. ????Is it possible to configure "Active-Passive" setup using CentOS Cluster Suite???? 5. H/W based clustering a. We don't know what are the possible solutions in this approach and cost incurred. !!!!Please share your ideas.!!!! 6. NetApp2020 a. We have NetApp 2020 Appliance http://www.b2net.co.uk/netapp/network_appliance_netapp_fas2020.htm with us. ????Does this any way help us???? 7. Other alternatives a. !!!!We need your valuable ideas and suggestions.!!!! Please help me in this regard. Regards, Prasad. ________________________________ The information contained in this communication is confidential, intended solely for the use of the individual or entity to whom it is addressed and may be legally privileged and protected by professional secrecy. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. This email does not constitute any commitment from Cordys Holding BV or any of its subsidiaries except when expressly agreed in a written agreement between the intended recipient and Cordys Holding BV or its subsidiaries. Cordys is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. Cordys does not guarantee that the integrity of this communication has been maintained nor that the communication is free of viruses, interceptions or interference. If you are not the intended recipient of this communication please return the communication to the sender and delete and destroy all copies.

6 13

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2009