ppolicy and ACLs of pwdAccountLockedTime?
by chantra
Hi all,
I have exactly the same issue.
My repro config is within the .tgz attached to this email.
admin user is cn=admin,dc=example,dc=com and test user is
uid=chantra,ou=users,dc=example,dc=com
password for both of them is "foobarcode".
To reproduce, on Debian Lenny,
* untar the archive
* cd ldaps
* ./install.sh (WARNING: ONLY DO THIS ON A TEST MACHINE, current
setup/db will be ERASED).
That will stop slapd, override the config with the repro config, erase
the current database, inject the testing one with slapadd, give
credential to /var/lib/ldap to openldap user, start slapd
Then, run:
for i in {1..10}; do ./ldapauth.sh $i; sleep 2; done; ./ldaps.sh
which will perform 10 failed authentications, with a pause of 2 seconds.
Finally, ldaps.sh will output the details of user
uid=chantra,ou=users,dc=example,dc=com
@Jiri, have you found a solution yet?
In my repro, here is the result after the 10 failed auth:
# chantra, users, example.com
dn: uid=chantra,ou=users,dc=example,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: 2e93af32-2d8d-102e-8fab-21ae2aafa5d0
creatorsName:
createTimestamp: 20090904105519Z
entryCSN: 20090904105519.875933Z#000000#000#000000
modifiersName:
modifyTimestamp: 20090904105519Z
pwdFailureTime: 20090904105614Z
pwdFailureTime: 20090904105616Z
pwdFailureTime: 20090904105618Z
pwdFailureTime: 20090904105620Z
entryDN: uid=chantra,ou=users,dc=example,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Again, here, we see only 4 pwdFailureTime (the 5th should have locked the
user). Output of syslog is in the attached file called:
pwdaccountlockout.txt
but, the main part might be:
Sep 4 12:53:11 lenny32-tpl slapd[4079]: bdb_modify_internal:
0x00000004: uid=chantra,ou=users,dc=example,dc=com
Sep 4 12:53:11 lenny32-tpl slapd[4079]: => access_allowed:
delete access to "uid=chantra,ou=users,dc=example,dc=com"
"pwdAccountLockedTime" requested
Sep 4 12:53:11 lenny32-tpl slapd[4079]: => dn: [2]
Sep 4 12:53:11 lenny32-tpl slapd[4079]: => acl_get: [3] attr
pwdAccountLockedTime
Sep 4 12:53:11 lenny32-tpl slapd[4079]: => slap_access_allowed:
result not in cache (pwdAccountLockedTime)
Sep 4 12:53:11 lenny32-tpl slapd[4079]: => acl_mask: access to
entry "uid=chantra,ou=users,dc=example,dc=com", attr
"pwdAccountLockedTime" requested
Sep 4 12:53:11 lenny32-tpl slapd[4079]: => acl_mask: to all
values by "", (=0)
Sep 4 12:53:11 lenny32-tpl slapd[4079]: <= check a_dn_pat:
cn=admin,dc=example,dc=com
Sep 4 12:53:11 lenny32-tpl slapd[4079]: <= check a_dn_pat: *
Sep 4 12:53:11 lenny32-tpl slapd[4079]: <= acl_mask: [2]
applying read(=rscxd) (stop)
Sep 4 12:53:11 lenny32-tpl slapd[4079]: <= acl_mask: [2] mask:
read(=rscxd)
Sep 4 12:53:11 lenny32-tpl slapd[4079]: => slap_access_allowed:
delete access denied by read(=rscxd)
Sep 4 12:53:11 lenny32-tpl slapd[4079]: => access_allowed: no
more rules
Sep 4 12:53:11 lenny32-tpl slapd[4079]: hdb_modify: modify
failed (50)
Same here,
changing:
access to *
by dn="cn=admin,dc=example,dc=com" write
by * read
to
access to *
by dn="cn=admin,dc=example,dc=com" write
by * write
will write pwdAccountLockedTime, but then users or even anonymous will
get far too many credentials :s
I also tried with the settings of
openldap-2.4.17/tests/data/slapd-ppolicy.conf, e.g:
access to attrs=userpassword
by self write
by * auth
access to *
by self write
by * read
to no avail.
Michael mentioned to try 2.4.17, which has changes that might affect
pwdLockout (actually, ITS#6168 was because users were locked out while
pwdLockout was set to FALSE, AFAICS), to no avail.
Then, I tried the setting from the archive on Fedora 11 and Debian Etch,
same issue... There is surely something that I am missing here, but
shouldn't pwdAccountLockedTime be handled by the daemon? No access
rule should be set (except for the fact that the admin user can
write/delete it).
What rule am I missing here?
If needed, I can provide a VMDK of the repro, let me know and I will
upload it somewhere.
Cheers,
chantra
> Hi,
>
> I am having trouble making the ppolicy overlay prevent password
> guessing attacks with pwdLockout with slapd-2.4.11-1 in Debian Lenny.
>
> I set pwdMaxFailure to 3. In the user object I am testing with, I never get
> more than two entries for pwdFailureTime and pwdAccountLockedTime is never
> added at all.
>
> I tracked the problem down to the ACL settings in slapd.conf. With my default
> access to *
> by dn="cn=admin,dc=example,dc=net" write
> by * read
> , I get the above result. When I rewrite the last line to "by * write", it works.
>
> The pwdFailureTime is updated, because it is defined as
> NO-USER-MODIFICATION, which bypasses the ACL checks for write.
> The problem happens when pwdMaxFailure failed logins are reached,
> and ppolicy.c tries to update pwdFailureTime and pwdAccountLockedTime
> in a single request.
>
> How is this supposed to work?
> - Shouldn't pwdAccountLockedTime also be defined with NO-USER-MODIFICATION?
>
> - couldn't the update request in ppolicy.c be executed with higher
> privileges? I tried to set up a non-anonymous bind in
> pam_ldap but this did not help.
>
> - is there some recommended ACL setting to grant the necessary privileges so that
> ppolicy.c can update pwdAccountLockedTime, but users can't?
> I am a slapd newbie, so maybe I don't see something obvious, but in
> the log below, I see: "acl_mask: to all values by "", (=0)" -- that
> looks like an anonymous bind, right? Allowing write for the
> pwdAccountLockedTime attribute to anyone does not seem a good idea ;-)
>
>
>
> Thanks for any insight!
>
>
> Jiri
>
>
>
> P.S.: some detailed notes from my debugging are attached below:
>
> I am authenticating with pam-ldap. When I mis-type the password
> of a user and do a search on the user object (with a +, to see
> the operational attributes), the pwdFailureTime is created. This
> is good.
>
> When I perform the bad login again, I get a second value for
> pwdFailureTime. Still good.
>
> But on the next login, instead of getting a third value for
> pwdFailureTime and an updated value for pwdAccountLockedTime, nothing
> happens. I put some more debug info into ppolicy_bind_response() like
> this:
>
> -----
> * We only count those failures
> * which are not due to expire.
> */
> Debug(LDAP_DEBUG_ANY, "xxx: counting pwdFailureTime %i/%d\n", i, fc, 0);
> }
> }
> if ((ppb->pp.pwdMaxFailure > 0) &&
> (fc >= ppb->pp.pwdMaxFailure - 1)) {
> Debug(LDAP_DEBUG_ANY, "xxx: trying to insert pwdAccountLockedTime\n", 0, 0, 0);
> -----
>
> ... in the logs (with loglevel 65535), I really see:
>
> ------
> Aug 8 00:05:42 localhost slapd[15416]: xxx: counting pwdFailureTime 0/1
> Aug 8 00:05:42 localhost slapd[15416]: xxx: counting pwdFailureTime 1/2
> Aug 8 00:05:42 localhost slapd[15416]: xxx: trying to insert pwdAccountLockedTime
> [snip]
> Aug 8 00:05:42 localhost slapd[15416]: => access_allowed: delete access to "uid=j.bohac,ou=users,dc=example,dc=net" "pwdAccountLockedTime" requested
> Aug 8 00:05:42 localhost slapd[15416]: => acl_get: [2] attr pwdAccountLockedTime
> Aug 8 00:05:42 localhost slapd[15416]: => slap_access_allowed: result not in cache (pwdAccountLockedTime)
> Aug 8 00:05:42 localhost slapd[15416]: => acl_mask: access to entry "uid=j.bohac,ou=users,dc=example,dc=net", attr "pwdAccountLockedTime" requested
> Aug 8 00:05:42 localhost slapd[15416]: => acl_mask: to all values by "", (=0)
> Aug 8 00:05:42 localhost slapd[15416]: <= check a_dn_pat: cn=admin,dc=example,dc=net
> Aug 8 00:05:42 localhost slapd[15416]: <= check a_dn_pat: *
> Aug 8 00:05:42 localhost slapd[15416]: <= acl_mask: [2] applying read(=rscxd) (stop)
> Aug 8 00:05:42 localhost slapd[15416]: <= acl_mask: [2] mask: read(=rscxd)
> Aug 8 00:05:42 localhost slapd[15416]: => slap_access_allowed: delete access denied by read(=rscxd)
> Aug 8 00:05:42 localhost slapd[15416]: => access_allowed: no more rules
> ------
>
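The slapd traces in both messages record the same walk through the ACLs: the first `access to` directive covering `pwdAccountLockedTime` is selected, the `by` clauses are tried in order against the requestor (here `""`, the anonymous session whose bind just failed), the first match, `by * read`, is applied with the default `stop`, and a `delete` (a write-level access) is then denied by `read(=rscxd)`. The following Python model is an added example, not code from the thread or from OpenLDAP: it parses the three ACL variants chantra quotes and replays that decision for `uid=chantra`. It simplifies slapd's real engine in ways that are assumptions of the example: `dn="..."` is treated as an exact, case-insensitive DN match, every `by` clause ends with `stop`, and only the `<what>` and `<who>` forms that appear in the message are supported.

```python
# Added model of slapd ACL evaluation (not OpenLDAP code). Supports only the
# subset of slapd.access(5) used in the thread: 'access to *' / 'access to attrs=',
# and 'by' clauses *, anonymous, users, self, dn="..." (exact match assumed).
from __future__ import annotations
import re
from dataclasses import dataclass

# Access levels in increasing privilege, and the letters slapd prints for each
# in its trace, e.g. "read(=rscxd)". add/delete of a value both need "write".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LETTERS = {"none": "0", "disclose": "d", "auth": "xd", "compare": "cxd",
           "search": "scxd", "read": "rscxd", "write": "wrscxd", "manage": "mwrscxd"}
REQUIRED = {"auth": "auth", "compare": "compare", "search": "search",
            "read": "read", "add": "write", "delete": "write"}

@dataclass
class By:
    who: str      # "*", "anonymous", "users", "self" or dn="..."
    level: str

@dataclass
class Access:
    attrs: set[str] | None   # None means 'access to *'
    by: list[By]

def parse_acl(text):
    """Parse 'access to <what>' blocks, each followed by 'by <who> <level>' lines."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"access\s+to\s+(\S+)$", line, re.I)
        if m:
            what = m.group(1)
            if what != "*" and not what.lower().startswith("attrs="):
                raise ValueError("unsupported <what>: " + what)
            attrs = None if what == "*" else {a.strip().lower() for a in what[6:].split(",")}
            acls.append(Access(attrs, []))
            continue
        m = re.match(r"by\s+(\S+)\s+(\w+)$", line, re.I)
        if not (m and acls and m.group(2).lower() in LEVELS):
            raise ValueError("cannot parse: " + line)
        acls[-1].by.append(By(m.group(1), m.group(2).lower()))
    return acls

def _norm(dn):
    return ",".join(p.strip() for p in dn.lower().split(","))

def _who_matches(who, requestor, target):
    w = who.lower()
    if w == "*":
        return True
    if w == "anonymous":
        return requestor == ""
    if w == "users":
        return requestor != ""
    if w == "self":
        return requestor != "" and _norm(requestor) == _norm(target)
    if w.startswith("dn="):
        return _norm(who[3:].strip('"')) == _norm(requestor)   # exact match assumed
    raise ValueError("unsupported <who>: " + who)

def evaluate(acls, target, attr, requestor, op):
    """Replay slapd's decision: the first 'access to' whose <what> covers the
    attribute is selected; inside it the first 'by' clause matching the
    requestor decides and evaluation stops ("stop" is the default control).
    No matching 'by' clause means "no more rules": denied.
    Returns (granted, applied_level, trace_lines)."""
    need = LEVELS.index(REQUIRED[op])
    trace = [f'acl_mask: access to entry "{target}", attr "{attr}" by "{requestor}"']
    for acl in acls:
        if acl.attrs is not None and attr.lower() not in acl.attrs:
            continue
        for by in acl.by:
            trace.append(f"check a_dn_pat: {by.who}")
            if _who_matches(by.who, requestor, target):
                mask = f"{by.level}(={LETTERS[by.level]})"
                granted = LEVELS.index(by.level) >= need
                trace += [f"applying {mask} (stop)",
                          f"{op} access {'granted' if granted else 'denied'} by {mask}"]
                return granted, by.level, trace
        trace.append("no more rules")
        return False, "none", trace
    return False, "none", trace + ["no matching access directive"]

# DNs from chantra's repro and the three ACL variants quoted in the message.
ANON, ADMIN = "", "cn=admin,dc=example,dc=com"
USER = "uid=chantra,ou=users,dc=example,dc=com"
CONF_READ = 'access to *\n by dn="cn=admin,dc=example,dc=com" write\n by * read\n'
CONF_WRITE = 'access to *\n by dn="cn=admin,dc=example,dc=com" write\n by * write\n'
CONF_PPOLICY_TEST = ("access to attrs=userpassword\n by self write\n by * auth\n"
                     "access to *\n by self write\n by * read\n")

def lockout_verdicts(conf):
    """Can the anonymous session that just failed its bind write
    pwdAccountLockedTime (what ppolicy needs here)? Can it also write
    userPassword (the over-grant)? Can the admin DN write the lockout?"""
    acls = parse_acl(conf)
    return {
        "anon_writes_lockout": evaluate(acls, USER, "pwdAccountLockedTime", ANON, "delete")[0],
        "anon_writes_userpassword": evaluate(acls, USER, "userPassword", ANON, "delete")[0],
        "admin_writes_lockout": evaluate(acls, USER, "pwdAccountLockedTime", ADMIN, "delete")[0],
    }

if __name__ == "__main__":
    for name, conf in (("by * read", CONF_READ), ("by * write", CONF_WRITE),
                       ("slapd-ppolicy.conf", CONF_PPOLICY_TEST)):
        print(name, lockout_verdicts(conf))
    print("\n".join(evaluate(parse_acl(CONF_READ), USER, "pwdAccountLockedTime", ANON, "delete")[2]))
```

Run stand-alone, the model reproduces the three outcomes the message reports: with `by * read` the anonymous delete is denied by `read(=rscxd)` while the admin DN may write; with `by * write` the lockout write succeeds but so does an anonymous write to `userPassword`, which is the over-grant chantra objects to; and with the ACLs from `slapd-ppolicy.conf` the anonymous session again gets only `read`.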
11 years, 7 months
Bizarre Behaviour from openldap-2.4.16 on Centos
by sysadmin@shakenbake.net
Hi,
Forgive me if this is an obvious one, as I'm new to OpenLDAP.
I have set up OpenLDAP 2.4.16 from source with db-4.7.25 on Centos 5.3 x64, running on a VMware ESXi server.
#Installed with following options
export CPPFLAGS="-I/usr/local/db-4.7.25/include"
export LDFLAGS="-L/usr/local/db-4.7.25/lib -R/usr/local/db-4.7.25/lib"
export LD_LIBRARY_PATH="/data/extracted/db-4.7.25/build_unix/.libs/"
./configure --prefix=/usr/local/openldap-2.4.16
make depend
make
make install
###
cd db-4.7.25/build_unix
../dist/configure --prefix=/usr/local/db-4.7.25
make
make install
###
#
The behaviour is very odd: the process appears to start up but doesn't show up in netstat properly, and basic ldapadd commands stall after the first entry. Firewall and SELinux are turned off. I can't seem to see too many errors?
ldapadd -v -W -x -D "cn=admin,dc=labs,dc=example,dc=com,dc=au" -W -f <base ldiff file here>
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
add dc:
labs
add o:
example
add objectClass:
top
domain
adding new entry "dc=labs,dc=example,dc=com,dc=au"
########## QUERY PAUSES HERE ######
####
#tail from syslog with loglevel -1
###
Sep 4 23:50:25 safevm-ldap slapd[2684]: slap_listener_activate(8):
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=8 busy
Sep 4 23:50:25 safevm-ldap slapd[2684]: >>> slap_listener(ldap:///)
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: listen=8, new connection on 14
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: added 14r (active) listener=(nil)
Sep 4 23:50:25 safevm-ldap slapd[2684]: conn=3 fd=14 ACCEPT from IP=127.0.0.1:48114 (IP=0.0.0.0:389)
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on:
Sep 4 23:50:25 safevm-ldap slapd[2684]:
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on:
Sep 4 23:50:25 safevm-ldap slapd[2684]: 14r
Sep 4 23:50:25 safevm-ldap slapd[2684]:
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: read active on 14
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Sep 4 23:50:25 safevm-ldap slapd[2684]: connection_get(14)
Sep 4 23:50:25 safevm-ldap slapd[2684]: connection_get(14): got connid=3
Sep 4 23:50:25 safevm-ldap slapd[2684]: connection_read(14): checking for input on id=3
Sep 4 23:50:25 safevm-ldap slapd[2684]: conn=3 op=0 do_bind
Sep 4 23:50:25 safevm-ldap slapd[2684]: >>> dnPrettyNormal: <cn=admin,dc=labs,dc=example,dc=com,dc=au>
Sep 4 23:50:25 safevm-ldap slapd[2684]: <<< dnPrettyNormal: <cn=admin,dc=labs,dc=example,dc=com,dc=au>, <cn=admin,dc=labs,dc=example,dc=com,dc=au>
Sep 4 23:50:25 safevm-ldap slapd[2684]: conn=3 op=0 BIND dn="cn=admin,dc=labs,dc=example,dc=com,dc=au" method=128
Sep 4 23:50:25 safevm-ldap slapd[2684]: do_bind: version=3 dn="cn=admin,dc=labs,dc=example,dc=com,dc=au" method=128
Sep 4 23:50:25 safevm-ldap slapd[2684]: ==> bdb_bind: dn: cn=admin,dc=labs,dc=example,dc=com,dc=au
Sep 4 23:50:25 safevm-ldap slapd[2684]: conn=3 op=0 BIND dn="cn=admin,dc=labs,dc=example,dc=com,dc=au" mech=SIMPLE ssf=0
Sep 4 23:50:25 safevm-ldap slapd[2684]: do_bind: v3 bind: "cn=admin,dc=labs,dc=example,dc=com,dc=au" to "cn=admin,dc=labs,dc=example,dc=com,dc=au"
Sep 4 23:50:25 safevm-ldap slapd[2684]: send_ldap_result: conn=3 op=0 p=3
Sep 4 23:50:25 safevm-ldap slapd[2684]: send_ldap_result: err=0 matched="" text=""
Sep 4 23:50:25 safevm-ldap slapd[2684]: send_ldap_response: msgid=1 tag=97 err=0
Sep 4 23:50:25 safevm-ldap slapd[2684]: conn=3 op=0 RESULT tag=97 err=0 text=
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on:
Sep 4 23:50:25 safevm-ldap slapd[2684]:
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: activity on:
Sep 4 23:50:25 safevm-ldap slapd[2684]: 14r
Sep 4 23:50:25 safevm-ldap slapd[2684]:
Sep 4 23:50:25 safevm-ldap slapd[2684]: daemon: read active on 14
Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Sep 4 23:50:26 safevm-ldap slapd[2684]: connection_get(14)
Sep 4 23:50:26 safevm-ldap slapd[2684]: connection_get(14): got connid=3
Sep 4 23:50:26 safevm-ldap slapd[2684]: connection_read(14): checking for input on id=3
Sep 4 23:50:26 safevm-ldap slapd[2684]: conn=3 op=1 do_add
Sep 4 23:50:26 safevm-ldap slapd[2684]: conn=3 op=1 do_add: dn (dc=labs,dc=example,dc=com,dc=au)
Sep 4 23:50:26 safevm-ldap slapd[2684]: >>> dnPrettyNormal: <dc=labs,dc=example,dc=com,dc=au>
Sep 4 23:50:26 safevm-ldap slapd[2684]: <<< dnPrettyNormal: <dc=labs,dc=example,dc=com,dc=au>, <dc=labs,dc=example,dc=com,dc=au>
Sep 4 23:50:26 safevm-ldap slapd[2684]: conn=3 op=1 ADD dn="dc=labs,dc=example,dc=com,dc=au"
Sep 4 23:50:26 safevm-ldap slapd[2684]: bdb_dn2entry("dc=labs,dc=example,dc=com,dc=au")
Sep 4 23:50:26 safevm-ldap slapd[2684]: => bdb_dn2id("dc=labs,dc=example,dc=com,dc=au")
Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor
Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: activity on:
Sep 4 23:50:26 safevm-ldap slapd[2684]:
Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Sep 4 23:50:26 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor
Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: activity on:
Sep 4 23:51:21 safevm-ldap slapd[2684]: 14r
Sep 4 23:51:21 safevm-ldap slapd[2684]:
Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: read active on 14
Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_get(14)
Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_get(14): got connid=3
Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_read(14): checking for input on id=3
Sep 4 23:51:21 safevm-ldap slapd[2684]: ber_get_next on fd 14 failed errno=0 (Success)
Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_read(14): input error=-2 id=3, closing.
Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_closing: readying conn=3 sd=14 for close
Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: activity on 1 descriptor
Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: activity on:
Sep 4 23:51:21 safevm-ldap slapd[2684]:
Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Sep 4 23:51:21 safevm-ldap slapd[2684]: daemon: epoll: listen=8 active_threads=0 tvp=NULL
Sep 4 23:51:21 safevm-ldap slapd[2684]: connection_close: deferring conn=3 sd=14
cya
Craig
11 years, 7 months
perl module to read ldif
by William Bryan
I was once told that there is an add on to perl that would allow you
to read an ldif just like it was a slapd directory. I guess that calls
to ldapsearch get rerouted to search the ldif.
Does anyone know the package and/or details?
thank you
11 years, 7 months
Creating Structural Objects Under User Records
by Tim Gustafson
I'd like to be able to create "sub-objects" inside each user object. So, my account is:
uid=tjg,ou=People,dc=soe,dc=ucsc,dc=edu
I'd like to be able to create an object like:
cn=foo,uid=tjg,ou=People,dc=soe,dc=ucsc,dc=edu
This object would be of objectClass "soeDegree", which I've defined as follows:
attributetype (
1.1.2.1.32
NAME 'soeDegreeYear'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
attributetype (
1.1.2.1.33
NAME 'soeDegreeType'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
attributetype (
1.1.2.1.34
NAME 'soeDegreeDepartment'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
attributetype (
1.1.2.1.35
NAME 'soeDegreeThesisTitle'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
attributetype (
1.1.2.1.36
NAME 'soeDegreeThesisURL'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
objectclass (
1.1.2.1.997
NAME 'soeDegree'
DESC 'Jack Baskin School of Engineering Degree'
SUP top
STRUCTURAL
MUST ( cn )
MAY ( soeDegreeYear $ soeDegreeType $ soeDegreeDepartment $ soeDegreeThesisTitle $ soeDegreeThesisURL ))
However, when I attempt to add the sub-object, the server returns:
0x35 (LDAP_UNWILLING_TO_PERFORM)
How can I tell OpenLDAP to allow me to create child objects inside accounts like this?
Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg(a)soe.ucsc.edu
831-459-5354
11 years, 7 months
syncrepl "modified by peer" question
by Robert Hanson
(version 2.4.17)
This code is in syncrepl.c
/* Don't send changed entries back to the originator */
if ( sid == srs->sr_state.sid && srs->sr_state.numcsns ) {
Debug( LDAP_DEBUG_SYNC,
"Entry %s changed by peer, ignored\n",
rs->sr_entry->e_name.bv_val, 0, 0 );
return LDAP_SUCCESS;
Can someone explain to me what the intention of this code is? I can read the comment, but it looks to me like the condition for the if is broken.
I think it is saying - if (the system id of the modification is "this system") and (there was a sync cookie found at startup) then discard the update
The longer I look at this, the less I'm convinced that the condition check matches what the comment says it does. Any comments?
11 years, 7 months
labeledURI search result objectClass restriction
by Torsten Rehn
Hi,
it appears that a search triggered from a labeledURIObjects search URI
can't have any results that are the same objectClass as the triggering
object.
I had one groupOfNames that was looking for other groups to be added as
members. Debugging told me OpenLDAP came up with this when doing the
internal search:
put_filter: "(&(!(objectClass=groupOfNames))(objectClass=groupOfNames))"
while I had of course specified only (objectClass=groupOfNames) as a filter.
Can anyone please explain this behavior and/or provide a workaround?
Thanks,
--
Torsten Rehn
11 years, 7 months
OpenLDAP client authentication against JDS 6.3.1 server
by Cannon, Andrew C
Dear list members,
I've been fighting with this problem on and off for 6 months now (you
can see some of my queries if you Google for me...) and I cannot for the
life of me figure out what is going on. We are trying to get a Fedora 9
test box to authenticate against a Solaris 10 (SPARC) Sun Java Directory
Server 6.3.1 box using anonymous binding and no SSL (we are on an
internal, trusted network).
The JDS is running the NIS-to-LDAP script that Sun provide and can get
information from the directory.
The Fedora box is running OpenLDAP client (version:
openldap-clients-2.4.10-2.fc9.x86_64) and can't get any information from
the directory after I switch to LDAP authentication from NIS
authentication using system-config-authentication. NIS on the Fedora
box works fine, so it isn't a network issue.
An extract from the access log on the server shows the following:
[01/Sep/2009:11:11:24 +0100] conn=2618 op=-1 msgId=-1 - fd=47 slot=47
LDAP connection from 172.28.1.172:46682 to 172.28.1.173
[01/Sep/2009:11:11:24 +0100] conn=2618 op=0 msgId=1 - BIND dn=""
method=128 version=3
[01/Sep/2009:11:11:24 +0100] conn=2618 op=0 msgId=1 - RESULT err=0
tag=97 nentries=0 etime=0 dn=""
[01/Sep/2009:11:11:24 +0100] conn=2618 op=1 msgId=2 - SRCH
base="ou=people,dc=example,dc=com" scope=1
filter="(&(objectClass=posixAccount)(uid=dmm))" attrs="uid userPassword
uidNumber gidNumber cn homeDirectory loginShell gecos description
objectClass"
[01/Sep/2009:11:11:24 +0100] conn=2618 op=1 msgId=2 - RESULT err=0
tag=101 nentries=0 etime=0
[01/Sep/2009:11:11:42 +0100] conn=2618 op=2 msgId=0 - RESULT err=80
tag=120 nentries=0 etime=0
[01/Sep/2009:11:11:42 +0100] conn=2618 op=-1 msgId=-1 - closing from
172.28.1.172:46682 - A1 - Client aborted connection -
[01/Sep/2009:11:11:42 +0100] conn=2618 op=-1 msgId=-1 - closed.
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - SRCH
base="ou=hosts,dc=example=com" scope=1
filter="(&(objectClass=ipHost)(cn=lin05))" attrs=ALL
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - SORT cn uid
(1)
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - VLV
0:49999:0:0 1:1 (0)
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - RESULT err=0
tag=101 nentries=1 etime=0 notes=U
[01/Sep/2009:11:12:25 +0100] conn=4 op=4167 msgId=4168 - SRCH
base="automountkey=userf,automountmapname=auto_home,dc=example,dc=com"
scope=0 filter="(objectClass=automount)" attrs=ALL
[01/Sep/2009:11:12:25 +0100] conn=4 op=4167 msgId=4168 - RESULT err=0
tag=101 nentries=1 etime=0
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - SRCH
base="ou=people,dc=example=com" scope=1
filter="(&(objectClass=posixAccount)(uidNumber=254))" attrs=ALL
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - SORT cn uid
(1)
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - VLV
0:49999:0:0 1:1 (0)
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - RESULT err=0
tag=101 nentries=1 etime=0 notes=U
Connection 2618 is from the Fedora box and is unsuccessful. Connection
4 is the NIS-to-LDAP service on the Solaris box and is successful.
I have a number of questions, but, chiefly, am I actually using
anonymous binding? If I need to set a bind DN, what should it be? Can
I modify the search base so that it looks more like the search given in
msgid 4168?
I'm sorry for the newbie questions (especially about a JDS server) but I
am really tearing my hair out over this.
I hope some of you can help.
Thanks in advance.
Andy
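Andy's first question can be read straight off the server's access log: a `BIND dn="" method=128` line is a simple bind with an empty DN, which is an anonymous bind, so connection 2618 is indeed anonymous, and its one search returned `nentries=0`. The parser below is an added example, not part of the post: it groups a Sun/JDS-style access-log extract by connection and reports, per connection, the bind DN (empty string meaning anonymous, `None` when the bind is not in the extract), how many searches ran and how many came back empty, failed non-search operations, and the close reason. The sample lines are the extract from the post with the wrapped lines re-joined, including the `dc=example=com` base exactly as logged.

```python
# Added example (not from the post): summarise a DS access-log extract per
# connection so anonymous binds and empty search results are visible at a glance.
import re

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) msgId=(?P<msg>-?\d+) - (?P<body>.*)$")

# Extract from the post, wrapped lines re-joined (sample input for the parser).
SAMPLE_LOG = """\
[01/Sep/2009:11:11:24 +0100] conn=2618 op=-1 msgId=-1 - fd=47 slot=47 LDAP connection from 172.28.1.172:46682 to 172.28.1.173
[01/Sep/2009:11:11:24 +0100] conn=2618 op=0 msgId=1 - BIND dn="" method=128 version=3
[01/Sep/2009:11:11:24 +0100] conn=2618 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[01/Sep/2009:11:11:24 +0100] conn=2618 op=1 msgId=2 - SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=dmm))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[01/Sep/2009:11:11:24 +0100] conn=2618 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[01/Sep/2009:11:11:42 +0100] conn=2618 op=2 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0
[01/Sep/2009:11:11:42 +0100] conn=2618 op=-1 msgId=-1 - closing from 172.28.1.172:46682 - A1 - Client aborted connection -
[01/Sep/2009:11:11:42 +0100] conn=2618 op=-1 msgId=-1 - closed.
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - SRCH base="ou=hosts,dc=example=com" scope=1 filter="(&(objectClass=ipHost)(cn=lin05))" attrs=ALL
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - SORT cn uid (1)
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - VLV 0:49999:0:0 1:1 (0)
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - SRCH base="ou=people,dc=example=com" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=254))" attrs=ALL
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - RESULT err=0 tag=101 nentries=1 etime=0 notes=U
"""

def _quoted(body, key):
    m = re.search(key + r'="([^"]*)"', body)
    return m.group(1) if m else None

def _int(body, key):
    m = re.search(key + r"=(-?\d+)", body)
    return int(m.group(1)) if m else None

def parse_access_log(text):
    """Return {conn_id: {"bind_dn", "searches", "errors", "close"}}.
    A search's RESULT line is matched to its SRCH line by op number."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        c = conns.setdefault(int(m["conn"]),
                             {"bind_dn": None, "searches": [], "errors": [], "close": None})
        op, body = int(m["op"]), m["body"]
        if body.startswith("BIND "):
            c["bind_dn"] = _quoted(body, "dn")            # "" means an anonymous bind
        elif body.startswith("SRCH "):
            c["searches"].append({"op": op, "base": _quoted(body, "base"),
                                  "filter": _quoted(body, "filter"),
                                  "nentries": None, "err": None})
        elif body.startswith("RESULT "):
            err, n = _int(body, "err"), _int(body, "nentries")
            srch = next((s for s in c["searches"] if s["op"] == op), None)
            if srch is not None:
                srch["err"], srch["nentries"] = err, n
            elif err:
                c["errors"].append((op, err))              # a non-search op that failed
        elif body.startswith("closing"):
            c["close"] = body
    return conns

def summarize(conns):
    """Per connection: anonymous or not, bind DN, search counts, failures, close reason."""
    return {
        cid: {
            "anonymous": c["bind_dn"] == "",
            "bind_dn": c["bind_dn"],
            "searches": len(c["searches"]),
            "empty_searches": sum(1 for s in c["searches"] if s["nentries"] == 0),
            "errors": c["errors"],
            "close": c["close"],
        }
        for cid, c in conns.items()
    }

if __name__ == "__main__":
    for cid, info in summarize(parse_access_log(SAMPLE_LOG)).items():
        print(cid, info)
```

On the sample, connection 2618 is reported as anonymous with one empty search and a failing op=2 (err=80), closed by the client; connection 4 has no bind in the extract, two searches, both returning one entry. Comparing the `base` values of the two connections' searches side by side is the quickest way to see whether the client is looking in the same place as the working NIS-to-LDAP service.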
11 years, 7 months
Syncrepl cookie question
by Robert Hanson
(2.4.17; linux, bdb 4.5 backend; two nodes in a multi-master configuration)
When I start up a slapd server, it reads the contextCSN from the database. There are some synchronization issues I'm dealing with (see the email I sent yesterday to this group). The question of the day is, what are the implications if I delete this from the database before I start up? That is:
Assume that in a 2-node multi-master scenario, both sides are completely in sync. One of the nodes goes down; assume that the remaining node gets some updates. The down node comes back up. If the down node does not have this synchronization cookie, will it still sync correctly with the other node?
11 years, 7 months
PADL migration tools / NIS to LDAP
by Ivan De Masi
Hello,
I'm fairly new to LDAP and testing for migration (NIS to LDAP).
I found the PADL migration tools
http://www.padl.com/OSS/MigrationTools.html which are great, and now I'm
testing the export of data sources to *.ldif files.
When exporting the passwd-file for example, I have all system-accounts
like "daemon", "bin", "sys", etc. (let's say everything with the uid
below 1000) in the ldif file.
Do I need all these accounts in LDAP? I see that there is "krbName"
for all exported entries/accounts. That's good for some services and
Kerberos, but do I really need *all* system accounts in LDAP?
Thanks!
Regards,
Ivan
11 years, 7 months
Slow LDAP
by sgmayo@mail.bloomfield.k12.mo.us
Is there some way to speed up LDAP? I am guessing this has to do with it
searching the database on ldap? This is a new server and my old one did
not take that long. It is not as slow if just one or two people are
logging in with ldap, but when many log in, it seems to bring ldap to a
bottleneck, I guess while searching the directory for all the names.
There are probably about 1000 users in my LDAP. Is that too large? I
assume it isn't since most of the other schools around have AD which is
basically Microsoft LDAP if I understand correctly and they have no
problems and have many more users than I have.
Can multiple schemas in the config file cause this? I know that on my
old server I had the following in slapd.conf:
core
cosine
inetorgperson
nis
samba
On my new one it has the above plus:
corba
duaconf
dyngroup
java
misc
openldap
ppolicy
collective
Those were just in there when I installed it so I left them. Should I
take them out or would that not have any effect on logins at all? I am
guessing that they won't affect anything and it is more related to some
sort of configuration in my ldap configs.
Is there something else I need in a config? Here are my configs.
slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema
loglevel -1
sizelimit -1
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=school,dc=bloomfield.k12.mo.us"
checkpoint 1024 15
rootdn "cn=Manager,dc=school,dc=bloomfield.k12.mo.us"
rootpw *****
directory /var/lib/ldap
index objectClass eq
index cn,sn,uid,displayName eq,pres,sub
index uidNumber,gidNumber eq
index memberUid eq
index sambaSID,sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
database monitor
ldap.conf
SIZELIMIT 200
HOST 127.0.0.1 10.0.0.5
BASE dc=school,dc=bloomfield.k12.mo.us
I have a DB_CONFIG file that contains the following, but not sure if it
needs anything else or not:
set_cachesize 0 268435456 1
set_lg_regionmax 262144
set_lg_bsize 2097152
Thanks for any info.
--
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669 FA: 573-568-4565
Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
11 years, 7 months