cn=config config problem
by Alex Samad
Hi
I have setup a multimaster setup and some slave nodes, using cn=config.
I am looking at trying to create a user in the cn=config space
I have test.ldif that looks like:
dn: cn=test,cn=config
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: test
userPassword: test
description: test
# structuralObjectClass is an operational attribute that slapd derives itself;
# a client add normally may not supply it
structuralObjectClass: organizationalRole
and I use
ldapadd -D "cn=config" -w T25src1Rbe65RR6vwd53VTrB1x6EszFGMjhh7m8OOPjNyJ9h7nJO97p00lHMn08m -f test.ldif
I get
adding new entry "cn=test,cn=config"
ldap_add: Server is unwilling to perform (53)
additional info: shadow context; no update referral
Which, from my investigation, tells me my LDAP server doesn't know where
to send the update. This is strange, because I can make other changes to
cn=config: add an olcSyncrepl and change the loglevel.
Alex
13 years, 8 months
meta database - password problems with one target
by Matthew Harrell
Before I forget the link here is the config file I'm using
http://alecto.bittwiddlers.com/files/slapd.conf
I have two separate databases of user information and a meta database at
the bottom of the file that joins them together so both can log in. The
meta database is what's used for the system pam and nss settings. All
of that seems to work fine - no problems with the logging in, groups, or
any of that. Users that belong to the second database, zone2, can
change their passwords using any of the standard commands including
passwd. Users in the first database, zone1, are unable to change
their passwords:
{153}: passwd
New password:
Re-enter new password:
LDAP password information update failed: Strong(er) authentication required
modifications require authentication
passwd: Permission denied
passwd: password unchanged
I've looked at the ACL and stats logs for both the accounts that work and
those that don't but there's a lot of information there and I can't tell
what the problem is. I'm rather new to LDAP in general. Can someone give
me some pointers or ideas for what I can look for?
Thanks for any help
13 years, 8 months
Bind accepts any password where the real password is a prefix?
by Christopher Kenna
Greetings,
We are running OpenLDAP at our organization to do authentication for
Linux machines. One strange thing I noticed is that I can bind to the
server using my password, or *any* password that contains my actual
password as a prefix. Let me explain with an example.
Suppose my password is "banana" (it's not). Then these passwords work
to bind to the database:
- banana
- banana2
- bananafjksdfs
But these won't work:
- mbanana
- banan
I'm testing this with this command:
ldapsearch -x -W -ZZ -H ldap://<server_address>.com \
-b dc=mydomain,dc=com \
-D 'uid=<my_uid>,ou=people,dc=mydomain,dc=com' \
'(uid=<my_uid>)'
Any ideas about why this happens? Thanks.
-- Chris
13 years, 8 months
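One bug class that yields exactly these accept/reject lists is a comparison bounded by the stored secret's length. This added Python example is not from the thread and not OpenLDAP's code: the flawed verifier is a constructed model of the symptom, not a claim about the actual cause. It puts that flaw beside a correct check and gives a self-check that runs the post's probe set against a verifier you operate.

```python
import hmac


def verify_prefix_bug(stored: str, supplied: str) -> bool:
    """Constructed model of the symptom in the post, not OpenLDAP's code:
    only len(stored) characters are compared, so any supplied value that
    starts with the real password is accepted."""
    return supplied[:len(stored)] == stored


def verify_correct(stored: str, supplied: str) -> bool:
    """Correct check: a length mismatch is a failure, and the comparison
    runs in constant time so timing does not leak how much of a guess matched."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def prefix_acceptance_probe(verify, real_password: str) -> list:
    """Self-check for a verifier you operate: returns every probe value other
    than the real password that the verifier accepts (an empty list is the
    expected result). The probe set mirrors the variants in the post:
    append, prepend, truncate."""
    probes = [
        real_password,
        real_password + "2",
        real_password + "fjksdfs",
        "m" + real_password,
        real_password[:-1],
    ]
    return [p for p in probes if p != real_password and verify(real_password, p)]
```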
LDAP logging
by Ivan Ordonez
Hi,
I want to create logging for LDAP (version 2.4.19-r1) using syslog-ng on a
Gentoo box.
Hope someone here can point me in the right direction. I'm lost here.
Here is my syslog-ng conf file:
@version: 3.0
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3.0,v 1.1 2009/05/25 20:07:21 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
options {
chain_hostnames(no);
# The default action of syslog-ng is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
stats_freq(43200);
};
source src {
unix-stream("/dev/log" max-connections(256));
internal();
file("/proc/kmsg");
};
#options { sync(n); };
destination messages { file("/var/log/messages"); };
destination authlog { file("/var/log/auth.log"); };
#destination syslog { file("/var/log/syslog"); };
destination ldap { file("/var/log/ldap.log"); };
destination cron { file("/var/log/cron.log"); };
# Create Filters
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_authpriv { facility(auth, authpriv); };
#filter f_syslog { not facility(auth, authpriv) and not match(slapd); };
# match() takes the regexp first; value() names the field it is tested against.
# slapd logs to the local4 facility by default, so facility(local4) would also work.
filter f_ldap { match("slapd" value("PROGRAM")); };
filter f_cron { facility(cron); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
# Connect Filters and Destinations
#log { source(src); destination(messages); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_authpriv); destination(authlog); };
#log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_ldap); destination(ldap); };
log { source(src); filter(f_cron); destination(cron); };
# Default Log
log { source(src); destination(console_all); };
Thanks in advance.
-Ivan
13 years, 8 months
Ppolicy, password lockout status
by Radosław Antoniuk
Hi,
Quick question. How is it possible to check the account lock status?
I've configured the ppolicy according to the guide, the lock is
working, the account is locked.
And now how can I find out which accounts are currently locked out?
--
Best regards,
Radek Antoniuk
w: www.radek.org.pl
13 years, 8 months
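As an added example, not from the thread: the ppolicy overlay records a lock in the operational attribute pwdAccountLockedTime, which ldapsearch only returns when it is requested explicitly (or with `+`). The Python below evaluates that attribute against the policy's pwdLockoutDuration to list the accounts locked at a given moment; the entries are constructed, and the special value 000001010000Z for an administrative lock is an assumption taken from the ppolicy draft.

```python
from datetime import datetime, timedelta, timezone

# Special pwdAccountLockedTime value meaning "locked by an administrator"
# (assumption taken from the ppolicy draft); such a lock never expires on its own.
ADMIN_LOCKED = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form slapd writes, e.g. 20100115130456Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def is_locked(entry: dict, lockout_duration: int, now: datetime) -> bool:
    """True if the entry is locked out at time `now`.

    entry maps attribute names to lists of values, as an LDAP client library
    returns them; only pwdAccountLockedTime is consulted. lockout_duration is
    the policy's pwdLockoutDuration in seconds; 0 means the lock holds until
    an administrator clears it.
    """
    values = entry.get("pwdAccountLockedTime", [])
    if not values:
        return False
    locked_at = values[0]
    if locked_at == ADMIN_LOCKED or lockout_duration == 0:
        return True
    return now < parse_generalized_time(locked_at) + timedelta(seconds=lockout_duration)


def locked_accounts(entries: list, lockout_duration: int, now: datetime) -> list:
    """Return the DNs of the entries that are locked at time `now`."""
    return [e["dn"] for e in entries if is_locked(e, lockout_duration, now)]


# Constructed sample, standing in for the result of
#   ldapsearch ... '(pwdAccountLockedTime=*)' dn pwdAccountLockedTime
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "pwdAccountLockedTime": ["20100115130456Z"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "pwdAccountLockedTime": ["20100115120000Z"]},
    {"dn": "uid=carol,ou=people,dc=example,dc=com",
     "pwdAccountLockedTime": [ADMIN_LOCKED]},
    {"dn": "uid=dave,ou=people,dc=example,dc=com"},
]
```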
back-sql quote characters in query
by Anatoly
Hello.
I'm using openldap 2.4.19 with the sql backend. I have trouble with
queries that contain a single-quote ( ' ) character.
For example, if I search for (cn=Zool'man):
<==backsql_srch_query() returns SELECT DISTINCT
ldap_entries.id,phpbb_users.user_id,varchar_ci('phpbbUser') AS
objectClass,ldap_entries.dn AS dn FROM ldap_entries,phpbb_users WHERE
phpbb_users.user_id=ldap_entries.keyval AND ldap_entries.oc_map_id=?
AND 9=9 AND (varchar_ci(phpbb_users.username)='ZOOL'MAN')
Constructed query: SELECT DISTINCT
ldap_entries.id,phpbb_users.user_id,varchar_ci('phpbbUser') AS
objectClass,ldap_entries.dn AS dn FROM ldap_entries,phpbb_users WHERE
phpbb_users.user_id=ldap_entries.keyval AND ldap_entries.oc_map_id=?
AND 9=9 AND (varchar_ci(phpbb_users.username)='ZOOL'MAN')
id: '2'
backsql_oc_get_candidates(): error executing query
Return code: -1
nativeErrCode=7 SQLengineState=S1000 msg="[unixODBC]ERROR: syntax
error at or near "MAN" at character 271;
In this case the query should be
varchar_ci(phpbb_users.username)='ZOOL\'MAN' instead of 'ZOOL'MAN'
How to solve this issue? Thanks.
13 years, 8 months
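As an added example, not part of the thread or of back-sql: the log shows the filter value being spliced straight into the SQL text, which is both the cause of the syntax error and the reason an unescaped quote is an injection risk for the SQL backend. The Python/sqlite3 below reproduces the failure on a constructed phpbb_users table, then shows the standard-SQL fix (a quote inside a literal is doubled to '', backslash escaping is a MySQL extension) and the preferred bound-parameter form.

```python
import sqlite3


def build_spliced(username: str) -> str:
    """Build the predicate the way the logged query shows it: the filter value
    is pasted into the SQL text as-is, so an embedded ' ends the literal early
    and whatever follows is parsed as SQL."""
    return (
        "SELECT id, username FROM phpbb_users "
        f"WHERE upper(username)='{username.upper()}'"
    )


def build_escaped(username: str) -> str:
    """Standard SQL escapes a quote inside a literal by doubling it ('');
    backslash escaping is a MySQL extension and is not portable."""
    return (
        "SELECT id, username FROM phpbb_users "
        "WHERE upper(username)='" + username.upper().replace("'", "''") + "'"
    )


def search_parameterised(conn, username: str):
    """Preferred: hand the value to the driver as a bound parameter, so the
    value can never change the structure of the statement."""
    return conn.execute(
        "SELECT id, username FROM phpbb_users WHERE upper(username)=?",
        (username.upper(),),
    ).fetchall()


def make_db():
    """Constructed in-memory table with the user from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?)",
                     [(1, "alice"), (2, "Zool'man")])
    return conn


def run_raw(conn, sql: str):
    """Run a built query; return the rows, or the driver's error text."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"
```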
supported SASL mechanisms
by Mark Beavis
Hi -
Is anyone able to tell me the complete list of SASL mechanisms that OpenLDAP supports?
Also, does OpenLDAP support custom SASL mechanisms (in this case written using the Java SASL API)?
Thanks - Mark
13 years, 8 months
openldap mirror mode
by Megan
Good Day All!
I am running two boxes with CentOS 5.4 and
openldap-servers-2.3.43-3.el5. I am trying to configure openldap in
mirrormode. I have a third box with CentOS 5.4 and
openldap-servers-2.3.43-3.el5 that I will be using as a proxy, but ldap
is not yet configured on this server. Below are my two ldap servers
that I want in mirror mode. If I set the standard Syncrepl
configuration, the master and slave talk, I can write to the master,
and the slave is updated. But when I switch to mirror mode with the
below configuration, and try to write to either of them, I get:
ldapadd: Server is unwilling to perform (53)
additional info: shadow context; no update referral
Which makes me think they are both in read-only mode? I thought
with mirrormode server 1 would be writable until server 1 went down,
then server 2 would know to be writable, and they would stay in sync with
each other.
#==========================
#Server1
#==========================
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema
loglevel 256
serverID 1
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
#moduleload accesslog.la
#moduleload auditlog.la
#moduleload denyop.la
#moduleload dyngroup.la
#moduleload dynlist.la
#moduleload lastmod.la
#moduleload pcache.la
moduleload ppolicy.la
#moduleload refint.la
#moduleload retcode.la
#moduleload rwm.la
#moduleload smbk5pwd.la
#moduleload translucent.la
#moduleload unique.la
#moduleload valsort.la
TLSCACertificateFile /etc/openldap/cacerts/server1cacert.pem
TLSCertificateFile /etc/openldap/cacerts/server1crt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/server1key.pem
TLSVerifyClient try
sasl-secprops noanonymous,noplain,noactive
# "by * write" already matches every client, anonymous included, so the
# "by * read" clause is never reached; this grants anonymous write to everything
access to *
by * write
by * read
database bdb
suffix "dc=domain"
rootdn "uid=admin,ou=service,dc=domain"
rootpw {SSHA}secret
directory /var/ldap/databases/users
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
provider=ldap://192.168.1.3
type=refreshAndPersist
interval=00:00:00:10
searchbase="dc=domain"
schemachecking=off
retry="60 +"
filter="(objectClass=*)"
attrs="*"
bindmethod=simple
binddn="uid=userrepl,ou=services,ou=administrative,dc=domain"
credentials=password
mirrormode on
#===========================
#server 2
#===========================
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema
##LOG Level
loglevel 256
serverID 2
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
#moduleload accesslog.la
#moduleload auditlog.la
#moduleload denyop.la
#moduleload dyngroup.la
#moduleload dynlist.la
#moduleload lastmod.la
#moduleload pcache.la
moduleload ppolicy.la
#moduleload refint.la
#moduleload retcode.la
#moduleload rwm.la
#moduleload smbk5pwd.la
#moduleload translucent.la
#moduleload unique.la
#moduleload valsort.la
TLSVerifyClient try
sasl-secprops noanonymous,noplain,noactive
# "by * write" already matches every client, anonymous included, so the
# "by * read" clause is never reached; this grants anonymous write to everything
access to *
by * write
by * read
database bdb
suffix "dc=domain"
rootdn "uid=admin,ou=service,dc=domain"
rootpw {SSHA}secret
directory /var/ldap/databases/users
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
syncrepl rid=001
provider=ldap://192.168.1.2
type=refreshAndPersist
interval=00:00:00:10
searchbase="dc=domain"
schemachecking=off
filter="(objectClass=*)"
attrs="*"
retry="60 +"
bindmethod=simple
binddn="uid=userrepl,ou=services,ou=administrative,dc=domain"
credentials=password
#updateref ldap://192.168.1.3
mirrormode on
13 years, 8 months
Re: OpenLDAP does not seem to start
by sgmayo@mail.bloomfield.k12.mo.us
Jaap Winius wrote:
> Hi Scott,
>
> Did you ever manage to fix your problem? I'd be interested to hear
> what the problem and the solution turned out to be, and maybe a few
> other people on the mailing list would be as well.
>
> Cheers,
>
> Jaap
>
Yes, the problem was what I really expected from the first. It was just a
corrupt DB, I guess. I did a db_recover (actually on Fedora it was a
slapd_db_recover) and that fixed everything. Got it all back to working
now. Thanks for all the replies.
--
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669 FA: 573-568-4565
Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?
13 years, 8 months
Re: Server-Side Sort Overlay ordering problems
by Diego Lima
Hi,
2010/1/15 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Friday, January 15, 2010 12:06 PM -0500 Edward Capriolo <
> edlinuxguru(a)gmail.com> wrote:
>
> Diego,
>>
>> You and I have the same issue. UID and CN are not in the schema they
>> are compiled into LDAP some how, so there is no way to apply an
>> ordering rule. I can not find if this is possible, or what is involved
>> in making it happen.
>
>
I'm currently testing a quick and dirty hack that I made to
servers/slapd/schema_prep.c:
--- schema_prep.c.ori 2010-01-15 13:28:04.000000000 -0200
+++ /root/openldap-2.4.21/servers/slapd/schema_prep.c 2010-01-15
13:04:56.000000000 -0200
@@ -915,6 +915,7 @@ static struct slap_schema_ad_map {
offsetof(struct slap_internal_schema, si_ad_name) },
{ "cn", "( 2.5.4.3 NAME ( 'cn' 'commonName' ) "
"DESC 'RFC4519: common name(s) for which the entity is known by' "
+ "ORDERING caseIgnoreOrderingMatch "
"SUP name )",
NULL, 0,
NULL, NULL,
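Review bot: the +++ side of the header points at /root/openldap-2.4.21/servers/slapd/schema_prep.c while the --- side is a bare schema_prep.c.ori, so the patch will not apply with a single -p level from the source root; regenerate it with both paths relative to the tree (e.g. `diff -u a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c`). Within the hunk, the ORDERING line sits between DESC and `SUP name`, which is valid attribute-type syntax, but cn inherits from `name`, which carries no ORDERING rule; add a source comment on the entry saying this is a deliberate departure from the RFC 4519 definition named in the DESC, so a later schema refresh does not silently drop it.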
@@ -924,6 +925,7 @@ static struct slap_schema_ad_map {
"DESC 'RFC4519: user identifier' "
"EQUALITY caseIgnoreMatch "
"SUBSTR caseIgnoreSubstringsMatch "
+ "ORDERING caseIgnoreOrderingMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )",
NULL, 0,
NULL, NULL,
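Review bot: caseIgnoreOrderingMatch is the right companion to the existing `EQUALITY caseIgnoreMatch` and `SUBSTR caseIgnoreSubstringsMatch` on uid, and placing it before SYNTAX follows the keyword order used in the cn entry, but nothing in the hunk marks that the built-in uid definition now differs from RFC 4519; add the same source comment here as on cn, note the change in the changelog, and confirm with slaptest that the modified subschema loads before relying on the sort.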
By making these changes I've been able to get around my current problem, but
it might not be as stable as you expect.
> You can find these attributes defined in the code in servers/slapd.
>
> However, I will note, the definitions of these attributes are RFC defined.
> They have no ORDERING rule on purpose.
>
> --Quanah
Thanks for the input Quanah, but the problem is we have some legacy
applications that used a really old LDAP server where this was allowed. I'm
trying to migrate the server (that's a Fedora Directory from Fedora 6) to a
new openldap-based one. I must, however, maintain compatibility with the
existing applications.
Is there any problem (apart from not being RFC-compliant) with enabling ordering
on these attributes?
--
Diego Lima
13 years, 8 months