Host based authentication using OpenLDAP
by Per Kristiansen
Hello, I've been working on implementing a LDAP solution for the last 8
months (in-between task, you know how it is :D )
I now have a working LDAP directory, have all my users imported, things
actually work! :D..(jinx!)
But now I wanna get fancy..
I've been googling for some sort of clear description on how I can set
up a system using groups of hosts and user groups to create a selective
ACL for ssh'ing to a set of servers based on group membership.
One of my primary goals is to have it work as much "out of the box" as
possible for RHEL4 and 5 (and CentOS).
That means I want to avoid having to make changes to hosts (I have
around 60-80 linux servers today that I want over on LDAP)
So I try to avoid the solutions involving /etc/security/*
I have it working with the ldapns schema with no changes to PAM.
But this means I have to enter the specific host into each user record.
But I'm a contrary and difficult guy, and love making problems for
myself, so I want to assign groups of users to groups of servers.
Oh..and SSH keys :D..but that is for when life looks sunny and I need to
be reminded that the world is a bad place.
Is there anyone who can point me towards resources that are written on
this? I already have a list of links I've been reading, and am adding
them here in case other people want to look at them:
https://help.ubuntu.com/community/LDAPClientAuthentication
http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf
http://www.padl.com/OSS/nss_ldap.html
http://www.padl.com/OSS/pam_ldap.html
http://quark.humbug.org.au/publications/ldap/system_auth/sage-au/system_a...
Thanks for taking the time to read this :)
--
Per
14 years, 4 months
Jabber and LDAP
by Gavin Henry
Hi All,
Does anyone have any recommendations on Jabber servers that have great
LDAP support and a small-ish footprint (i.e. not OpenFire)?
I've been looking at http://xmpp.org/software/servers.shtml; ejabberd
and jabberd2 are the ones I have used before.
Thanks.
14 years, 4 months
Migration Lotus Notes
by Clenio W. e Silva
Lotus Notes Migration to OpenLDAP. Any tips on how to start?
--
Clenio W. e Silva
(62) 8414-5089
Gtalk: cleniogyn(a)gmail.com
Jabber: cleniogyn(a)casabrasil.gov.br
MSN: cleniogyn(a)hotmail.com
--------------------------------------------------------------------
Having Jesus as a friend is better than any other achievement in life!
14 years, 4 months
MMR get inconsistent when updating entries concurrently to both Masters(2-masters configuration)
by hu zhang
Hi, all,
I set up a testing environment for MMR (2 master servers). It worked
well when I tested it in a "test050" style, that is, send update requests
to one of the master servers, wait for a few seconds, then send update requests
to the other master server. All updates were properly replicated between
both servers. However, when I tried to update entries in an interleaved style
on these servers, I mean, the first update request was sent to server
A, the second request was sent to server B, then A, then B, ... with
no waiting between the update requests, and all requests were different.
From my understanding of MMR, I expected all updates on server A to be
eventually replicated to server B, and the same for server B. But the real test
result was that I could see all updates on one of the servers, but only partial
updates on the other server; the partial updates were exactly those made by the
requests that came directly to that server, that is to say, the replication seemed
to be monodirectional in this situation.
My question: is this scenario a bug in current OpenLDAP, or is it just not
a supported use case?
I've been trying to find an answer in past mail threads, but I failed. Hope
you guys can help me out from this confusion about MMR, if you need any
further information, like configuration, I'll put them on, but I don't think
that's a configuration problem, because the "test050" style testing works.
Thanks!
Hu
14 years, 4 months
authenticate group of hosts
by François Mehault
Hi All,
I have installed OpenLDAP to authenticate users on Unix systems. So I use the modules pam_ldap / nss_ldap with the primitive pam_check_host_attr yes, and I have the attribute host for each person in my LDAP. I want to have 3 levels of authentication:
- First level: a person has several "host" attributes, so he is able to authenticate on these hosts
- Second level: a person is able to authenticate on a group of hosts
- Third level: a person is able to authenticate on all hosts
For the first level, for each host I declare one "host" primitive for my user in OpenLDAP:
dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/fmehault
loginShell: /usr/local/bin/sh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: hostObject
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
host: labobe1
host: labobe2
For the third level, I just put the primitive "host: *".
But I don't know how I could do the second level. I would like something like groupRadiusName: I want to define several groups with host primitives, and each user can be in one group or more.
The goal is that my user has his host primitives plus the host primitives of his group. Is it possible?
Thanks for your help,
Regards,
François
14 years, 4 months
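Both the first post (groups of users granted to groups of servers, without touching /etc/security on each host) and François's second level (a user inherits the hosts of his group) come down to the same computation, because pam_ldap's pam_check_host_attr only consults the host values on the user's own entry. The script below is an added example, not code from either post, from pam_ldap or from OpenLDAP. It assumes that a host group is a posixGroup entry which also carries the auxiliary hostObject class from ldapns.schema (so the group entry may hold host values) and that membership is expressed with memberUid; it then materialises the group grants into each member's entry as an LDIF modify, which is one way to get group-based host access with no per-host PAM changes. The directory content is constructed sample data, and the small LDIF parser handles the folded lines and base64 ("::") values that ldapsearch produces for entries like the one above.

```python
"""Expand group-level 'host' grants into per-user 'host' values for pam_check_host_attr.

Added example, not from the posts, pam_ldap or OpenLDAP. Assumptions:
  - a host group is a posixGroup that also has objectClass hostObject (ldapns.schema)
  - membership is memberUid, as in posixGroup
  - pam_ldap checks only the user's own host values ('*' = any host), so group
    grants have to be copied into the members' entries (e.g. from a cron job)
"""
import base64
from collections import defaultdict

# Constructed sample directory content (not a real directory).
SAMPLE_LDIF = """\
dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
uid: fmehault
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
host: labobe1
host: labobe2

dn: uid=jdoe,ou=Utilisateurs,dc=netplus,dc=fr
uid: jdoe
objectClass: posixAccount

dn: cn=web-admins,ou=Groupes,dc=netplus,dc=fr
cn: web-admins
objectClass: posixGroup
objectClass: hostObject
memberUid: fmehault
memberUid: jdoe
host: web1
host: web2

dn: cn=everywhere,ou=Groupes,dc=netplus,dc=fr
cn: everywhere
objectClass: posixGroup
objectClass: hostObject
memberUid: jdoe
host: *
"""


def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}; unfolds continuation lines and decodes '::' base64."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded continuation of the previous line
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # base64 value, e.g. the non-ASCII givenName
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[name].append(value)
    return entries


def group_host_grants(entries):
    """uid -> set of hosts granted through posixGroup+hostObject entries."""
    grants = defaultdict(set)
    for e in entries:
        if "posixGroup" in e.get("objectClass", []):
            for uid in e.get("memberUid", []):
                grants[uid].update(e.get("host", []))
    return grants


def effective_hosts(user, grants):
    """The user's own host values plus everything inherited from its groups."""
    return set(user.get("host", [])) | grants.get(user["uid"][0], set())


def host_allowed(hosts, hostname):
    """pam_check_host_attr rule: '*' matches any host, otherwise the host name must be listed."""
    return "*" in hosts or hostname in hosts


def materialise_ldif(user, grants):
    """'changetype: modify' adding the group-derived hosts the entry lacks; "" if nothing to do."""
    missing = sorted(grants.get(user["uid"][0], set()) - set(user.get("host", [])))
    if not missing:
        return ""
    out = ["dn: " + user["dn"][0], "changetype: modify"]
    if "hostObject" not in user.get("objectClass", []):   # schema check would reject 'host' otherwise
        out += ["add: objectClass", "objectClass: hostObject", "-"]
    out += ["add: host"] + ["host: " + h for h in missing] + ["-"]
    return "\n".join(out) + "\n"


def plan(ldif_text):
    """uid -> (effective host set, LDIF modify to apply) for every posixAccount entry."""
    entries = parse_ldif(ldif_text)
    grants = group_host_grants(entries)
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]
    return {u["uid"][0]: (effective_hosts(u, grants), materialise_ldif(u, grants)) for u in users}
```

Feed the output of `plan()` to ldapmodify from a periodic job; rerunning it is harmless because only missing values are added. Removing a user from a group still requires a matching delete pass, and a "*" granted through a group ends up as a literal "*" on the user entry, which is exactly what the third level above relies on.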
getting rid of "request done" messages
by Heiko Petzsch
Hi,
I've tried to ask the following question in the openldap-software mailing list:
> I have a beginners question: when I log in as root on one of my systems, I
> get quite a lot of messages of the form
>
> request done: ld 0x5654f0 msgid 1
> request done: ld 0x5654f0 msgid 2
> ...
>
> on the console. I assume that they originate from my openldap installation
> - but I don't even understand the mechanism how they are send to me
> (openldap was installed by my predecessor). Could someone please tell me
> how to get rid of these messages ?
The moderator rejected my question, giving as his reason:
(I hope he doesn't mind being quoted with this)
"Given these messages occurred when you "log in", it is likely that
issue relates to LDAP client software you are using to manage system
log ins. Your question of "how to get rid of these" is likely lead to
off-topic discussion of that LDAP client software. However, your
message does at seem to relate to the use of OpenLDAP Software, hence
it suggested you submit your submission to the OpenLDAP-technical
list."
I must admit that I had and have no certainty at all about which software produces these
messages - I only searched the internet, and saw the same messages in connection with
questions other people asked about openldap. They are, though, not a direct result of me
logging in - they arrive continuously, even after hours of being logged on.
Could anybody tell me where these messages originate from, and how I can disable them ?
Any help will be appreciated.
Heiko
--
Heiko Petzsch
GTS Systems and Consulting GmbH
D-52134 Herzogenrath
14 years, 4 months
SDK: ldap_simple_bind gives Protocol error
by Stephen
Hi everyone,
I'm trying to work out why some sample code doesn't work against a
Centos 5 system (Centos being a RedHat Enterprise clone).
Client is Mac OS X 10.5, and server is Centos 5.3, OpenLDAP 2.3.43. The
sample code is from
http://docs.sun.com/source/816-5616-10/example.htm#13303.
(Am not using the Sun SDK, it was just a convenient place to find sample
code. If there are OpenLDAP sample code resources, a link is welcome.)
In particular the problem occurs at this piece of code:
/* Bind anonymously to the LDAP server. */
rc = ldap_simple_bind_s( ld, NULL, NULL );
if ( rc != LDAP_SUCCESS ) {
    fprintf(stderr, "ldap_simple_bind_s: %s\n", ldap_err2string(rc));
    return( 1 );
}
The resultant output is an error, namely;
'ldap_simple_bind_s: Protocol error'
In comparison, if I run the same code against a Gentoo Linux system that
also has OpenLDAP 2.3.43 the sample code works just fine.
If I do an ldapsearch from the Mac OS X client with the query
below, it succeeds.
ldapsearch -x -h remoteCentosldapsvr -b basedn
Can anyone suggest why the Centos 5 system is showing the protocol error?
Thanks
Regards
Stephen
14 years, 4 months
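One thing worth checking for the "Protocol error" above: slapd returns resultCode 2 (protocolError) for a BindRequest whose version field says LDAPv2 unless slapd.conf contains "allow bind_v2", and libldap sends LDAPv2 unless the program (or ldap.conf) sets LDAP_OPT_PROTOCOL_VERSION to LDAP_VERSION3 before binding, whereas ldapsearch sets version 3 itself, which would fit the symptoms (and a Gentoo server with "allow bind_v2" would behave differently). The script below is an added example, not code from the post, the Sun SDK sample or OpenLDAP; it encodes the anonymous BindRequest byte for byte (RFC 4511 BER) and decodes the BindResponse, so the version field and the protocolError answer can be seen directly. simulated_slapd() is a constructed stand-in for the server's version check, not slapd code, although the diagnostic strings are the ones slapd emits; bind_anonymous() sends the same bytes to a real server and needs the network, so nothing offline depends on it.

```python
"""Anonymous LDAP bind on the wire: BindRequest / BindResponse in BER (RFC 4511).

Added example, not from the post, the Sun SDK sample or OpenLDAP.
simulated_slapd() models the server-side version check only (constructed,
not slapd code); bind_anonymous() talks to a real server over TCP.
"""
import socket

# BER tags used by the bind exchange
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # [APPLICATION 0] / [APPLICATION 1], constructed
SIMPLE_AUTH = 0x80                          # AuthenticationChoice: simple [0], primitive
LDAP_SUCCESS, LDAP_PROTOCOL_ERROR = 0, 2


def ber_length(n):
    """Definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(tag, value):
    """Non-negative INTEGER/ENUMERATED; the extra byte keeps the sign bit clear."""
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def read_tlv(data, pos=0):
    """(tag, value, next_pos) for the element at pos; definite lengths only."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:pos + length], pos + length


def bind_request(msgid, version, dn=b"", password=b""):
    """LDAPMessage { messageID, BindRequest { version, name, simple } }; empty dn/pw = anonymous."""
    op = ber_int(INTEGER, version) + tlv(OCTET_STRING, dn) + tlv(SIMPLE_AUTH, password)
    return tlv(SEQUENCE, ber_int(INTEGER, msgid) + tlv(BIND_REQUEST, op))


def parse_bind_request(data):
    """-> (messageID, version, dn, password)."""
    _, msg, _ = read_tlv(data)
    _, msgid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(op)
    _, dn, pos = read_tlv(op, pos)
    _, password, _ = read_tlv(op, pos)
    return int.from_bytes(msgid, "big"), int.from_bytes(version, "big"), dn, password


def parse_bind_response(data):
    """-> (messageID, resultCode, matchedDN, diagnosticMessage)."""
    _, msg, _ = read_tlv(data)
    _, msgid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, rc, pos = read_tlv(op)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(msgid, "big"), int.from_bytes(rc, "big"), matched.decode(), diag.decode()


def simulated_slapd(request, allow_bind_v2=False):
    """Constructed model of slapd's bind version check (diagnostics as slapd 2.3 words them)."""
    msgid, version, _dn, _pw = parse_bind_request(request)
    if not 2 <= version <= 3:
        rc, diag = LDAP_PROTOCOL_ERROR, b"requested protocol version not supported"
    elif version == 2 and not allow_bind_v2:      # no 'allow bind_v2' in slapd.conf
        rc, diag = LDAP_PROTOCOL_ERROR, b"historical protocol version requested, use LDAPv3 instead"
    else:
        rc, diag = LDAP_SUCCESS, b""
    op = ber_int(ENUMERATED, rc) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diag)
    return tlv(SEQUENCE, ber_int(INTEGER, msgid) + tlv(BIND_RESPONSE, op))


def bind_anonymous(host, port=389, version=3, timeout=5.0):
    """Send the anonymous bind to a live server and decode its answer (network; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, version))
        return parse_bind_response(s.recv(4096))


if __name__ == "__main__":
    for v in (2, 3):
        print("LDAPv%d ->" % v, parse_bind_response(simulated_slapd(bind_request(1, v))))
```

Running bind_anonymous("remoteCentosldapsvr", version=2) and then version=3 against the CentOS box shows which of the two the server rejects; the diagnosticMessage in the response names the reason, which ldap_err2string() in the C sample does not (it only maps the result code). In the C code the remedy is an ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) with version = LDAP_VERSION3 before the bind call.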
New DC
by Tech Only
Hello,
I am new to LDAP. I have a basic question.
How do I delete the default domain which is in the slapd.conf file and
create my own?
I have suffix "dc=example, dc=com"
in the slapd.conf file, and if I change the above line and the other lines where
dc=example, dc=com appears to dc=test, dc=com,
I am not able to connect to it.
Please let me know how to get rid of the default dc and create my own domain.
Thanks
14 years, 4 months
replication between different slapds versions
by jakjr
Hello,
Is there any problem to use the syncprov (refreshAndPersist) between a ldap
master version 2.3.30 and a consumer version 2.4.16 ?
I did some tests and couldn't find any problem.
Best regards,
João Alfredo
14 years, 4 months
OpenLDAP 2.1 High Availability
by Kukkala Prasad
Hi All,
We are planning to configure High Availability for OpenLDAP 2.1 on Linux CentOS.
We are looking at the following options; we want to check our understanding of each and are looking for your suggestions.
1. Using Replica Service
a. This is not enough, because if the master machine goes down then LDAP updates will not be possible.
2. Migrating to OpenLDAP 2.4
a. The Master-Master solution looks promising, but in our current project timeline it is not possible to migrate.
3. Sharing the LDAP file system on NFS
a. After going through the thread http://www.openldap.org/lists/openldap-software/200209/msg00256.html it is understood that OpenLDAP does not support GFS or NFS.
b. But that discussion happened very long ago, around 2000 to 2002. Is that conclusion applicable to OpenLDAP 2.1?
4. Hosting the LDAP service on CentOS Cluster Suite
a. Is it possible to configure an "Active-Passive" setup using CentOS Cluster Suite?
5. H/W based clustering
a. We don't know what the possible solutions are in this approach, or the cost incurred. Please share your ideas.
6. NetApp 2020
a. We have a NetApp 2020 appliance http://www.b2net.co.uk/netapp/network_appliance_netapp_fas2020.htm with us. Does this help us in any way?
7. Other alternatives
a. We need your ideas and suggestions.
Please help me in this regard.
Regards,
Prasad.
14 years, 4 months