openldap-technical August 2009

openldap-technical@openldap.org

65 participants
73 discussions

Replicate AD User and Group accounts
by James A. Cleland 25 Aug '09

25 Aug '09

Hi, I need to simulate an Active Directory server to an LDAP client application using openldap. I am only interested in retrieving users and groups from openldap, but I need to have attributes match those in AD. I have found a number of guides on how to migrate from AD to OpenLDAP, but my application is not quite this complicated. At least I don't think it is. Here's what I've got so far. My AD server is Windows Server 2008. I have dumped ldif using ldifde: ldifde -d "CN=Users,DC=[domain],DC=com" -f export.ldif This returns me an ldif of Users and Groups, which is what I want. I have set up OpenLDAP as suggested in numerous migration docs to include core, cosine, and nis schemas. I am able to access the LDAP server and browse it using a manager DN and a clear password for now. I have attempted to import my ldif using the following: Ldapadd -H ldap://<server> -f export.ldif -x -D "cn=Manager,dc=[domain],dc=com" -W The reply from the server is: ldapadd: Invalid syntax (21) additional info: objectClass: value #1 invalid per syntax I believe this error is due to the second (#1) record in the ldif which is the first group and has an objectClass: group. "group" does not appear to be a defined object class in any of the aforementioned schema. Can I obtain schema for this ldif? I can't find any docs on doing this or any schema files that contain this objectClass. BTW, I am a complete LDAP newbie, so please forgive any terminology misuse, etc. Thanks!

2 1

Replace Active Directory with OpenLDAP and Others
by Serge Fonville 25 Aug '09

25 Aug '09

Both, Thanks for the info > To get a drop-in replacement for AD you probably should ask in a Samba forum; AD does a lot more than just LDAP service and you need Samba to bring all the pieces together. If you only need directory service, then we can talk about it more here. But when migrating off MS, you typically need more than just LDAP to work... I will ask there then, thanks for the tip >> I was wondering if there is an uptodate guide/tutorial/howto to >> replace Active Directory. >> I found http://www.bayour.com/LDAPv3-HOWTO.html but that was last >> updated in 2005. >> >> Also I could not find any references to people actually having >> replaced Active Directory. >> In my head it should be possible, but replacing MS products does not >> always make sense in practice. ;-) >> >> I have not yet had the time to fully work through the howto. but >> either way I will give it a try (well a couple probably) >> > There is currently no drop-in replacement for Active directory in open > source world. Samba in conjunction with LDAP gets as close as replacing > NT4.0 domain controller. This is a legacy in MS world and has it's > disadvantages over Active directory. > I recommend reading the following SAMBA docs > http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ > http://us3.samba.org/samba/docs/man/Samba-Guide/ I've been looking at samba a couple of times in the last couple of years. But in it's current form, it is only suitable for SMB/CIFS imho Thanks for the help and the info! Regards, Serge Fonville

2 1

Replace Active Directory with OpenLDAP and Others
by Serge Fonville 25 Aug '09

25 Aug '09

Hi, I was wondering if there is an uptodate guide/tutorial/howto to replace Active Directory. I found http://www.bayour.com/LDAPv3-HOWTO.html but that was last updated in 2005. Also I could not find any references to people actually having replaced Active Directory. In my head it should be possible, but replacing MS products does not always make sense in practice. ;-) I have not yet had the time to fully work through the howto. but either way I will give it a try (well a couple probably) Has anyone have any experience or advice with this? Thanks in advance Regards, Serge Fonville

3 2

Not able to authenticate Apache against OpenLDAP
by Michael March 24 Aug '09

24 Aug '09

I'm using Centos / RHEL 5.2 using the stock LDAP.. I'm trying to get Apache to authenicate with my LDAP server... Using other client software I can bind as the user 'bob'. Here is my Apache config: <VirtualHost *:443> ServerName addressbook-stage.acme.com AllowEncodedSlashes on ProxyPass / http://domu-140.acme.com/ ProxyPassReverse / http://domu-140.acme.com/ <Proxy *> allow from all </Proxy> <Location /> AuthType Basic AuthName "Login with your Acme ID" #AuthLDAPEnabled on AuthBasicProvider ldap AuthLDAPURL ldap://192.168.150.140:389/ou=People,dc=acme,dc=com AuthLDAPBindDN uid=root,ou=People,dc=acme,dc=com AuthLDAPBindPassword passwd #require group cn=it,ou=groups,dc=acme,dc=com require valid-user bob </Location> </VirtualHost> Here is my LDAP config: access to attrs=userPassword by anonymous auth by self write by * none # private LDAP Addressbook is readable and writable for the owner only access to dn.regex="(.*,)?ou=Contacts,uid=([^,]+),ou=People,(.*)$" by dn.regex="uid=$2,ou=People,$3" write by * none # global LDAP Addressbook is writable for all authenticated users # This entry has to be _before_ any other entry that matches the contact # tree eg. the * entry access to dn.subtree="ou=Contacts,dc=acme,dc=com" by users write by users read # The admin dn has full write access access to * by users read by peername="IP=192\.168\.150\.5" read Here is the error from from OpenLDAP: Aug 24 03:57:06 localhost slapd[23856]: conn=2 fd=14 ACCEPT from IP= 192.168.150.5:59041 (IP=0.0.0.0:389) Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128 Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0 Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=0 RESULT tag=97 err=0 text= Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bob))" Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND anonymous mech=implicit ssf=0 Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128 Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0 Aug 24 03:57:06 localhost slapd[23856]: conn=2 op=2 RESULT tag=97 err=0 text= Aug 24 03:57:37 localhost slapd[23856]: conn=3 fd=17 ACCEPT from IP= 192.168.150.5:59042 (IP=0.0.0.0:389) Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" method=128 Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 BIND dn="uid=root,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0 Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=0 RESULT tag=97 err=0 text= Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SRCH base="ou=People,dc=acme,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=bmason))" Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND anonymous mech=implicit ssf=0 Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" method=128 Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 BIND dn="uid=bob,ou=People,dc=acme,dc=com" mech=SIMPLE ssf=0 Aug 24 03:57:37 localhost slapd[23856]: conn=3 op=2 RESULT tag=97 err=0 text= -- <admiral> Michael F. March ----- mmarch(a)gmail.com Ph: (415)462-1910 ---- Fax: (602)296-0400 P.O. Box 2254 ---- Phoenix, AZ 85002-2254 "Seriously" - HSR

5 6

Cannot dynamically delete olcOverlay configuration object
by Barry Colston 24 Aug '09

24 Aug '09

As part of an emergency failover situation, I was attempting to change a syncrepl provider to a syncrepl consumer. When I tried to delete the "olcOverlay={0}syncprov,olcDatabase={1}bdb,cn=config" object, I received a "Server is unwilling to perform (53)" error. Can this be accomplished dynamically or do I have to make the changes while slapd is not executing? Barry Colston

2 1

master-slave replication woes
by charles 24 Aug '09

24 Aug '09

{i'm sorry if this a duplicated} i've "successfully" set up replication in a master-slave orientation, with persistent replication; the consumer receives database changes as they are made to the master. i initialize the consumer database using a ldif created on the provider: *"* *slapcat -b dc=murphy,dc=bz-v -l transfer.ldif" * it has been functional for the past three weeks.for the most part it works, entries are updated immediately. however, twice the data entires within all organizational units have been deleted and about four times either the syncuser or the admin cn's have been deleted from the consumer. i'm about to start over and entirely reconfigure the consumer. i'd appreciate any feedback on anything that needs adjusting in my configuration or any gotchas. specifically - is my syncrepl directive accurate? - in initial configuration (dpkg) should i setup a different database than the one i intend to replicate? both consumer and provider are running openldap 2.4.15-1ubuntu3 thanks. provider's configuration: dn: olcDatabase={1}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=murphy,dc=bz olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword by dn="cn=admin,dc=murphy,dc=bz" write by dn="cn=syncuser,dc=murphy,dc=bz" read by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=admin,dc=murphy,dc=bz" write by dn="cn=syncuser,dc=murphy,dc=bz" read by * read olcLastMod: TRUE olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub olcDbIndex: entryCSN,entryUUID eq structuralObjectClass: olcHdbConfig entryUUID: e1dbc798-0ac2-102e-9977-37c480b68b78 creatorsName: cn=admin,cn=config createTimestamp: 20090722042133Z olcLimits: {0}dn.exact="cn=syncuser,dc=murphy,dc=bz" time.soft=unlimited time. hard=unlimited size.soft=unlimited size.hard=unlimited entryCSN: 20090806001008.586987Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20090806001008Z dn: cn=module{0} objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_hdb olcModuleLoad: {1}syncprov structuralObjectClass: olcModuleList entryUUID: e1da8df6-0ac2-102e-996f-37c480b68b78 creatorsName: cn=config createTimestamp: 20090722042133Z entryCSN: 20090805014105.909778Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20090805014105Z dn: olcOverlay={0}syncprov objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov structuralObjectClass: olcSyncProvConfig entryUUID: c94c1ab2-15ac-102e-8886-213db5dc8256 creatorsName: cn=admin,cn=config createTimestamp: 20090805014105Z entryCSN: 20090805014105.945605Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20090805014105Z consumer's configuration: dn: olcDatabase={1}hdb objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=murphy,dc=bz olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword by dn="cn=admin,dc=murphy,dc=bz" write by dn="cn=syncuser,dc=murphy,dc=bz" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=admin,dc=murphy,dc=bz" write by dn="cn=syncuser,dc=murphy,dc=bz" write by * read olcLastMod: TRUE olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub olcDbIndex: entryCSN,entryUUID eq structuralObjectClass: olcHdbConfig entryUUID: ac0c4eee-1c74-102e-8275-a73f90e057e6 creatorsName: cn=admin,cn=config createTimestamp: 20090813164703Z olcRootDN: cn=admin,dc=murphy,dc=bz olcSyncrepl: {0}rid=16 provider=ldaps://marcos.murphy.bzbinddn="cn=syncuser,dc=murphy,dc=bz" bindmethod=simple credentials=replication searchbase="dc=murphy,dc=bz" scope=sub type=refreshAndPersist interval=00:00:20:00 retry="10 5 3 00 5" entryCSN: 20090813183713.024346Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20090813183713Z dn: cn=module{0} objectClass: olcModuleList cn: module{0} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_hdb olcModuleLoad: {1}syncprov structuralObjectClass: olcModuleList entryUUID: ac04c368-1c74-102e-826d-a73f90e057e6 creatorsName: cn=config createTimestamp: 20090813164703Z entryCSN: 20090813183712.967024Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20090813183712Z dn: olcOverlay={0}syncprov objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov structuralObjectClass: olcSyncProvConfig entryUUID: 10653536-1c84-102e-9258-bf448f0d99c4 creatorsName: cn=admin,cn=config createTimestamp: 20090813183714Z entryCSN: 20090813183714.001905Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20090813183714Z -- Charles Belmopan, Belize "... we just love cars and we love driving them!" http://www.cardomain.com/ride/2400106

2 2

top-level data entries not replicating, 2.4.15
by Brian Neu 24 Aug '09

24 Aug '09

Even with no logfilter on the consumer, cn=replicator,dc=domain,dc=com & sambaDomainName=SRG,dc=domain,dc=com don't replicate, even after wiping the database and restarting. Everything else seems to replicate fine. How do I get top-level data entries to replicate?

2 4

Password policy
by Aravind M D 23 Aug '09

23 Aug '09

Hi All, Can anyone provide me check_password.so with cracklib. I tried to compile check_password.c but its giving me a lot of error. Regards, Aravind M D

1 0

ldap search filters and groups..
by Michael March 23 Aug '09

23 Aug '09

First, can anyone recommend a good link or book on ldap search filters? I have a few books on LDAP ("Deploying OpenLDAP" from Apress and the O'reilly LDAP book) and they devote less than a page to the topic. There doesn't seem to be a ton of info on the Google about it either. What am I overlooking? What I'm trying to do is create a search filter so when I search a certain tree for all DNs the result will return only DNs that are members of a certain "groupOfNames" group. Is that possible? thanks!

2 1

Re: top-level data entries not replicating, 2.4.15, now 2.4.17
by Brian Neu 21 Aug '09

21 Aug '09

--- On Fri, 8/21/09, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > From: Quanah Gibson-Mount <quanah(a)zimbra.com> > Subject: Re: top-level data entries not replicating, 2.4.15, now 2.4.17 > To: "Brian Neu" <proclivity76(a)yahoo.com>, openldap-technical(a)openldap.org > Date: Friday, August 21, 2009, 12:05 PM > --On Friday, August 21, 2009 8:52 AM > -0700 Brian Neu <proclivity76(a)yahoo.com> > wrote: > > > I really only created the test2 record to find out why > the > > > > sambaDomainName=SRG,dc=srg,dc=com > > > > record wasn't replicating. > > > > This entry won't replicate either, even with a cn > attribute . . . > > dn:cn=test3,dc=srg,dc=com > > objectclass: top > > objectclass: person > > userpassword:blah > > sn:test3 > > cn:test3 > > Please don't top post. > > Your config is a little... odd. You have per-db > access rules, and yet you break them like you expect more: > > database hdb > suffix "cn=accesslog" > ... > access to * > by dn.base="cn=replicator,dc=srg,dc=com" > read > by * break > > > Not that this hurts anything, but it is a weird read. > > Also, I don't see *any* access rules on the main DB. > You have: > > database hdb > suffix > "dc=srg,dc=com" > .... > database monitor > access to * > by dn.exact="cn=Manager,dc=srg,dc=com" > write > by > dn.exact="uid=root,ou=People,dc=srg,dc=com" write > by dn.base="cn=replicator,dc=srg,dc=com" > read > by * break > > > Which means you just gave a lot of access to the *monitor* > database but not your *primary* database. I suggest go > re-read the slapd.access(5) man page. If you want > global ACLs, they need to come before any "database xyz" > line. If you want per-db ACLs, which I think is what > you're trying to do, then you need to do them > *per-db*. Not the odd acl in accesslog, none in your > main db, and some for your monitor database. > > > > --Quanah > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and > collaboration OK, my sloppy ACL is cleaned up and makes much more sense now -- but the problem remains.

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2009