openldap-technical June 2009

openldap-technical@openldap.org

87 participants
100 discussions

Re: password change and ppolicy
by Gustavo Mendes de Carvalho 17 Jun '09

17 Jun '09

Hi Tizo, Suposed that your users has to login in some linux/Unix machine using their LDAP accounts, I sugest you to create some binary or script to allow your users to change their passwords invoking ldappasswd command. I mean, you can create a C program or shell script or even a PHP page, to validate some weaks in their passwords, like min length, capital letters, numbers, and so on. After that, you can call ldappasswd command with all parameters (using system() call in a C source code) to change it. I know that this is not an elegant option, but it works. Let me know if it works for you that I can post my C source code here to help you there. See you Gustavo Date: Wed, 10 Jun 2009 18:54:14 -0300 From: tizo <tizone(a)gmail.com> Subject: Re: password change and ppolicy To: openldap-technical(a)openldap.org Message-ID: <e55f48520906101454i3e5b4b59v2b755278cd34437(a)mail.gmail.com> Content-Type: text/plain; charset="utf-8" On Tue, Jun 9, 2009 at 12:12 PM, tizo <tizone(a)gmail.com> wrote: > > Before starting this, I have been testing password changing with > phpLDAPAdmin. The fact is that I could only change a user password with > clear text. I guess that this behaviour happens because we have > pwdCheckQulity setting in 2 in our default password policy. So, when the > client (phpLDAPAdmin) tries to modify the password enconding it, the server > (OpenLDAP) cannot check the min length of the password, as it is encoded, > and then fails. I am guessing too, that phpLDAPAdmin is performing a simple > modify operation to change the password, as it is stored in clear text. On > the other hand, I could change passwords with ldappasswd withouth problem, > and they are stored with SSHA. I know that this command uses RFC 3062. > > tizo > >

3 2

slapd-config(5) Disaster Recovery - Best Practices?
by gruntler-ldap＠yahoo.com 16 Jun '09

16 Jun '09

Hi, I am considering migrating from a monolithic slapd.conf file to the newer DIT slapd-config(5). My primary concern is how to recover if a dynamic change brings down slapd so it becomes difficult to recover since the configuration is in a database and slapd will not start. Is it as simple as making a slapcat backup of the configuration database (or some other backup of the configuration database that resides in the slapd.d directory) prior to making changes so that a roll-back would consist of replacing the contents of the slapd.d directory? Or is there some other recovery method that is preferred? Thanks, Ken

2 1

pwdFailureTime not being deleted
by Adam Leach 16 Jun '09

16 Jun '09

I'm having a problem with the pwdFailureTime entries not being deleted after a successful login. What steps could I take to see if there is an error occurring? I'm running openldap 2.4.11 RHEL5, rpms came from http://staff.telkomsa.net/packages/rhel5/openldap/i386/ Thanks -- Adam Leach BS Computer/Electrical Engineering West Virginia University Systems Administrator - Raytheon (304)677-4455

2 1

LDAP search question
by Tihomir Culjaga 16 Jun '09

16 Jun '09

Hello, maybe it is a dummy question but i'd like to know why i have so big discrepancy in execution between two apparently identical ldapsearch ? The 1st search takes 94 ms while the 2nd one only 7 ms. It doesn't matter how many times i execute the 1st search (meaning everytihng should be already cached) .. it is always the same. Does anyone know why? ~$ time ldapsearch -h localhost -x -b ou=redirecting,ou=Dir,dc=ot,dc=hr -D cn=admin,dc=ot,dc=hr -w **** uniqueID=38512303736 # extended LDIF # # LDAPv3 # base <ou=redirecting,ou=Dir,dc=ot,dc=hr> with scope subtree # filter: uniqueID=38512303736 # requesting: ALL # # 38512303736, redirecting, Dir, ot.hr dn: uniqueID=38512303736,ou=redirecting,ou=Dir,dc=ot,dc=hr objectClass: top objectClass: uniqueID Prefix: 68A10 uniqueID: 38512303736 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 *real 0m0.094s* user 0m0.004s sys 0m0.000s ~$ time ldapsearch -h localhost -x -b ou=redirecting,ou=Dir,dc=ot,dc=hr -D cn=admin,dc=ot,dc=hr -w **** uniqueID=38515000400 # extended LDIF # # LDAPv3 # base <ou=redirecting,ou=Direktor,dc=ot,dc=hr> with scope subtree # filter: uniqueID=38515000400 # requesting: ALL # # 38515000400, redirecting, Dir, ot.hr dn: uniqueID=38515000400,ou=redirecting,ou=Dir,dc=ot,dc=hr objectClass: top objectClass: uniqueID Prefix: 68B99 uniqueID: 38515000400 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 *real 0m0.007s* user 0m0.000s sys 0m0.004s tculjaga@l01sipindir2:~$

3 5

How to temporarily downgrade to LDAPv2 ?
by J. Bakshi 15 Jun '09

15 Jun '09

Dear all, I like to downgrade the ldap communication protocol to do some experiments. An api which has been designed in 2005 can not work with my ldap server ( suse 11.1) as the log reports ````````````````````````` historical protocol version requested, use LDAPv3 instead ````````````````````````````````````` so i need to temporarily allow the old v2 protocol so that the api can communicate with the ldap server. How can i do this ? Thanks

3 6

RE: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG
by Brett Maxfield 15 Jun '09

15 Jun '09

I checked ownership and permissions on /var/lib/ldap: francesco@bob:/var/lib$ ls -l | grep ldap drwxr-xr-x 5 openldap openldap 4096 2009-06-15 17:03 ldap --=-- Have you run the process under strace(linux) or truss (solaris) as that will give you the exact file/path failing.. Perhaps it is writing files outside the directories you have prepared?

1 0

Re: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG - SOLVED
by Francesco Cicolani 15 Jun '09

15 Jun '09

You got it Matt! I really missed the point that an apparmor profile for slapd is generated by default in Ubuntu during openldap installation. I did a test putting slapd apparmor profile in compliant-mode and all went well this time! Now, time for a resume of the steps I eventually made to successfully change Berkeley DB data and log file directories, integrated with a BDB backup and recovery, on Ubuntu 8.04.2 with Apparmor framework enabled, just in case it could also help someone else having similar problems in the future: 1. Make a standard BDB backup (see Berkeley DB Reference Guide, in particular: http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transapp/…): 1.1. stop slapd 1.2. force a checkpoint with db4.2_checkpoint -1v 1.3. copy all .bdb files returned by db4.2_archive -s to backup location /backup (cp -p) 1.4. copy all log.XXXXXXXXXX files returned by db4.2_archive -l to backup location /backup (cp -p) 2. Update apparmor profile for slapd (/etc/apparmor.d/usr.sbin.slapd): ## customized bdb data and log files: /new/path/to/bdbdata/ r, /new/path/to/bdbdata/* rw, /new/path/to/bdblogs/ r, /new/path/to/bdblogs/* rw, ## lock file in customized bdbdata dir /new/path/to/bdbdata/alock kw, 3. Parse updated apparmor profile for slapd: apparmor_parser -r < /etc/apparmor.d/usr.sbin.slapd 4. Update bdb data 'directory' directive in slapd.conf directory "/new/path/to/bdbdata" 5. remove all .bdb, alock, __db.XXX and log.XXXXXXXXXX files from /var/lib/ldap (old default location) 6. edit DB_CONFIG file with new directives set_data_dir and set_lg_dir: # Directory for the data files set_data_dir /new/path/to/bdbdata [...] # Directory for the logfiles set_lg_dir /new/path/to/bdblogs 7. move DB_CONFIG file to /new/path/to/bdbdata and verify ownerships are preserved: -rw-r--r-- 1 openldap openldap 410 2009-06-15 22:00 DB_CONFIG 8. copy .bdb files from backup location /backup to /new/path/to/bdbdata (cp -p) 9. copy log.XXXXXXXXXX file from backup location /backup to /new/path/to/bdblogs (cp -p) 10. Finally, cd to /new/path/to/bdbdata and issue the recovery command (as root): root@bob:/new/path/to/bdbdata# db4.2_recover -cv db_recover: Finding last valid log LSN: file: 1 offset 141201 db_recover: Recovery starting from [1][28] db_recover: Recovery complete at Mon Jun 15 22:14:04 2009 db_recover: Maximum transaction ID 80000044 Recovery checkpoint [1][141201] 11. Restart slapd and force a checkpoint just to keep things clean on db side: root@bob:/new/path/to/bdbdata# /etc/init.d/slapd start root@bob:/new/path/to/bdbdata# db4.2_checkpoint -1v db_checkpoint: checkpoint: Mon Jun 15 22:18:03 2009 Note1: doing a backup and recovery of bdb could not be strictly required, but I thought that removing the bdb data and log files from the old path would contribute to keep things cleaner. Note2: putting slapd logging level to 'any' prior to restarting slapd would help to troubleshoot startup problems and verify that bdb starts cleanly. Thank you again guys!... and see you to the next 'mayday' thread! =) fra --- On Mon, 6/15/09, Matt Kassawara <battery(a)writeme.com> wrote: > From: Matt Kassawara <battery(a)writeme.com> > Subject: Re: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG > To: "Klaus Lemkau" <klaus.lemkau(a)tu-berlin.de> > Cc: "Francesco Cicolani" <francescocicolani(a)yahoo.it>, openldap-technical(a)openldap.org > Date: Monday, June 15, 2009, 6:40 PM > By default, the Ubuntu AppArmor > profile for slapd prevents it from writing databases to > anywhere but /var/lib/ldap. You'll need to modify the > usr.sbin.slapd profile in /etc/apparmor.d to correct the > problem. > > Matt

1 0

Re: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG
by Francesco Cicolani 15 Jun '09

15 Jun '09

Hi Klaus, thx for your reply. I checked ownership and permissions on /var/lib/ldap: francesco@bob:/var/lib$ ls -l | grep ldap drwxr-xr-x 5 openldap openldap 4096 2009-06-15 17:03 ldap while the two subdirs I'm trying to place bdb data files and logs have: francesco@bob:/var/lib$ ls -l ldap [...] drwxr-xr-x 2 openldap openldap 4096 2009-06-14 18:39 bdbdata drwxr-xr-x 2 openldap openldap 4096 2009-06-14 18:39 bdblogs [...] During test, I also tried to change permissions on bdbdata and bdblogs to 775 and even 777: but I had no success in getting bdb log.0000000001 accessible when placed in bdblogs. I'm running short of ideas... I'm even wondering if someone else had similar problems when trying to set different dir for data files and logs... see you fra --- On Sun, 6/14/09, Klaus Lemkau <klaus.lemkau(a)tu-berlin.de> wrote: From: Klaus Lemkau <klaus.lemkau(a)tu-berlin.de> Subject: Re: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG To: "Francesco Cicolani" <francescocicolani(a)yahoo.it> Cc: openldap-technical(a)openldap.org Date: Sunday, June 14, 2009, 9:03 PM Hi Francesco, likely the files in /var/lib/ldap/ have the wrong owner (root?). chown -R openldap:openldap /var/lib/ldap should solve Your problem. Greetings Klaus

3 2

Re: TLS certificates
by Michael Ströder 15 Jun '09

15 Jun '09

Matthew, please stay on the mailing list (Cc:-ed) when answering so others can answer and learn as well. Matthew Edlefsen wrote: > 2009/6/13 Michael Ströder <michael(a)stroeder.com>: >> Matthew Edlefsen wrote: >>> Hello, I'm trying to get TLS setup with openldap and am having some >>> issues. I have a CA signed certificate (not self-signed) and have >>> created a chain with my CA cert and the root CA cert. I've verified >>> that it works with openssl verify -CAfile on both the client and >>> server but then when I try to connect using ldaps I get the following >>> error on the client: >>> >>> TLS certificate verification: depth: 2, err: 19, subject: >>> /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust >>> External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP >>> Network/CN=AddTrust External CA Root >>> TLS certificate verification: Error, self signed certificate in >>> certificate chain >>> TLS trace: SSL3 alert write:fatal:unknown CA >>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>> TLS trace: SSL_connect:error in SSLv3 read server certificate B >>> TLS: can't connect. >>> >>> I assume it's saying that the root CA is self signed, but if I don't >>> include it in the chain it says it can't trust the CA. >> Could you please elaborate on how you configured TLS settings on your >> LDAP client? I assume that your OpenLDAP build was linked to OpenSSL >> libs. Is that right? > > I did not configure my client at all. I confirmed it is linked to > OpenSSL though. I'm hoping to not have to do any client configuration > (other than turning it on obviously) because we would like end users > to be able to use ldaps without any hassle. You have to configure each LDAP client to trust the CA cert. For OpenLDAP command-line clients or derived clients you should consult the man page ldap.conf(5) about how to place system-wide or specific configuration files and the client-side (TLS-related) configuration options. Ciao, Michael.

1 0

OpenLDAP and AD integration
by Santosh Balan 15 Jun '09

15 Jun '09

Hi Friends, I am newbee to this community and want to know how I can integrate an OpenLdap Server with MS Active Directory. Such that I create a user in LDAP it reflects in AD as well and vice-a-versa. Similarly any changes should effect on both AD and LDAP. Also I want to know how this can be done with a technical documentation. Also a user incase AD is not available gets authenticated using LDAP and vice-a-versa. Your urgent help on this issue will be highly appreciated. Expecting a reply from you at the earliest. Thanks and Regards Santosh Balan +91-9819419509 -- Be Yourself @ mail.com! Choose From 200+ Email Addresses Get a Free Account at www.mail.com

4 3

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2009