openldap-technical January 2010

openldap-technical@openldap.org

56 participants
66 discussions

cn=config config problem
by Alex Samad 26 Jan '10

26 Jan '10

Hi I have setup a multimaster setup and some slave nodes, using cn=config. I am looking at trying to create a user in the cn=config space i have test.ldif that looks like dn: cn=test,cn=config objectClass: simpleSecurityObject objectClass: organizationalRole cn: test userPassword: test description: test structuralObjectClass: organizationalRole and I use ldapadd -D "cn=config" -w T25src1Rbe65RR6vwd53VTrB1x6EszFGMjhh7m8OOPjNyJ9h7nJO97p00lHMn08m -f test.ldif I get adding new entry "cn=test,cn=config" ldap_add: Server is unwilling to perform (53) additional info: shadow context; no update referral Which from my investigation tells me my ldap server doesn't know where to send the update, which is strange because I can make other changes to cn=config - add a olcsyncrepl and make changes to loglevel Alex

3 3

meta database - password problems with one target
by Matthew Harrell 26 Jan '10

26 Jan '10

Before I forget the link here is the config file I'm using http://alecto.bittwiddlers.com/files/slapd.conf I have two separate databases of user information and a meta database at the bottom of the file that joins them together so both can log in. The meta database is what's used for the system pam and nss settings. All of that seems to work fine - no problems with the logging in, groups, or any of that. Users that belong to the second database, zone2, can change their passwords using any of the standard commands including passwd. Users in the first database, zone1, are unable to change their passwords {153}: passwd New password: Re-enter new password: LDAP password information update failed: Strong(er) authentication required modifications require authentication passwd: Permission denied passwd: password unchanged I've looked at the ACL and stats logs for both the accounts that work and those that don't but there's a lot of information there and I can't tell what the problem is. I'm rather new to LDAP in general. Can someone give me some pointers or ideas for what I can look for? Thanks for any help

1 0

Bind accepts any password where the real password is a prefix?
by Christopher Kenna 26 Jan '10

26 Jan '10

Greetings, We are running OpenLDAP at our organization to do authentication for Linux machines. One strange thing I noticed is that I can bind to the server using my password, or *any* password that contains my actual password as a prefix. Let me explain with an example. Suppose my password is "banana" (it's not). Then these passwords work to bind to the database: - banana - banana2 - bananafjksdfs But these won't work: - mbanana - banan I'm testing this with this command: ldapsearch -x -W -ZZ -H ldap://<server_address>.com \ -b dc=mydomain,dc=com \ -D 'uid=<my_uid>,ou=people,dc=mydomain,dc=com' \ '(uid=<my_uid>)' Any ideas about why this happens? Thanks. -- Chris

2 1

LDAP logging
by Ivan Ordonez 26 Jan '10

26 Jan '10

Hi, I want to create logging for LDAP (version 2.4.19-r1) using syslog-ng on Gentoo box. Hope someone here can point me in the right direction. I'm lost here. Here is my syslog-ng conf file: @version: 3.0 # $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3.0,v 1.1 2009/05/25 20:07:21 mr_bones_ Exp $ # # Syslog-ng default configuration file for Gentoo Linux options { chain_hostnames(no); # The default action of syslog-ng is to log a STATS line # to the file every 10 minutes. That's pretty ugly after a while. # Change it to every 12 hours so you get a nice daily update of # how many messages syslog-ng missed (0). stats_freq(43200); }; source src { unix-stream("/dev/log" max-connections(256)); internal(); file("/proc/kmsg"); }; #options { sync(n); }; destination messages { file("/var/log/messages"); }; destination authlog { file("/var/log/auth.log"); }; #destination syslog { file("/var/log/syslog"); }; destination ldap { file("/var/log/ldap.log"); }; destination cron { file("/var/log/cron.log"); }; # Create Filters filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); }; filter f_authpriv { facility(auth, authpriv); }; #filter f_syslog { not facility(auth, authpriv) and not match(slapd); }; filter f_ldap { match("regexp" value ("slapd")); }; filter f_cron { facility(cron); }; # By default messages are logged to tty12... destination console_all { file("/dev/tty12"); }; # ...if you intend to use /dev/console for programs like xconsole # you can comment out the destination line above that references /dev/tty12 # and uncomment the line below. #destination console_all { file("/dev/console"); }; # Connect Filters and Destinations #log { source(src); destination(messages); }; log { source(src); filter(f_messages); destination(messages); }; log { source(src); filter(f_authpriv); destination(authlog); }; #log { source(src); filter(f_syslog); destination(syslog); }; log { source(src); filter(f_ldap); destination(ldap); }; log { source(src); filter(f_cron); destination(cron); }; # Default Log log { source(src); destination(console_all); }; Thanks in advance. -Ivan

5 9

Ppolicy, password lockout status
by Radosław Antoniuk 25 Jan '10

25 Jan '10

Hi, Quick question. How is it possible to check the account lock status? I've configured the ppolicy according to the guide, the lock is working, the account is locked. And now how can I find out which accounts are currently locked out? -- Best regards, Radek Antoniuk w: www.radek.org.pl

3 4

back-sql quote characters in query
by Anatoly 24 Jan '10

24 Jan '10

Hello. I'm using openldap 2.4.19 with sql backend. I have a troubles with queries that contains single-quote ( ' ) character. For example, if I searching for (cn=Zool'man): <==backsql_srch_query() returns SELECT DISTINCT ldap_entries.id,phpbb_users.user_id,varchar_ci('phpbbUser') AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,phpbb_users WHERE phpbb_users.user_id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND 9=9 AND (varchar_ci(phpbb_users.username)='ZOOL'MAN') Constructed query: SELECT DISTINCT ldap_entries.id,phpbb_users.user_id,varchar_ci('phpbbUser') AS objectClass,ldap_entries.dn AS dn FROM ldap_entries,phpbb_users WHERE phpbb_users.user_id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND 9=9 AND (varchar_ci(phpbb_users.username)='ZOOL'MAN') id: '2' backsql_oc_get_candidates(): error executing query Return code: -1 nativeErrCode=7 SQLengineState=S1000 msg="[unixODBC]ERROR: syntax error at or near "MAN" at character 271; In this case query should be like varchar_ci(phpbb_users.username)='ZOOL\'MAN' instead of 'ZOOL'MAN' How to solve this issue? Thanks.

2 1

supported SASL mechanisms
by Mark Beavis 23 Jan '10

23 Jan '10

Hi - Is anyone able to tell me the complete list of SASL mechanisms that OpenLDAP supports. Also, does OpenLDAP support custom SASL mechanisms (in this case written using the Java SASL API). Thanks - Mark This email may contain privileged and confidential information intended only for the use of the intended recipient. If you are not the intended recipient of this message, any use, dissemination, distribution or reproduction of this message is prohibited. Any views expressed in this message are for those of the individual sender and may not necessarily reflect the views of RHE Group.

2 1

openldap mirror mode
by Megan 23 Jan '10

23 Jan '10

Good Day All! I am running two boxes with CentOS 5.4 and openldap-servers-2.3.43-3.el5. I am trying to configure openldap in mirrormode. I have a third box with CentOS 5.4 and openldap-servers-2.3.43-3.el5 that I will be using as a proxy,but ldap is not yet configured on this server. Below are my two ldap servers that I want in mirror mode. If I set the standard Syncrepl configuration, the master and slave talk, I can write to the master, and the slave is updated. But when I switch to mirror mode with the below configuration, and try to write to either of them, I get: ldapadd: Server is unwilling to perform (53) additional info: shadow context; no update referral Which makes me think they are both in read-only mode???? I thought with mirrormode server 1 would be writable until server 1 went down, then server 2 would know to be writable, and they stay in sync with each other #========================== #Server1 #========================== include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/ppolicy.schema loglevel 256 serverID 1 allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap #moduleload accesslog.la #moduleload auditlog.la #moduleload denyop.la #moduleload dyngroup.la #moduleload dynlist.la #moduleload lastmod.la #moduleload pcache.la moduleload ppolicy.la #moduleload refint.la #moduleload retcode.la #moduleload rwm.la #moduleload smbk5pwd.la #moduleload translucent.la #moduleload unique.la #moduleload valsort.la TLSCACertificateFile /etc/openldap/cacerts/server1cacert.pem TLSCertificateFile /etc/openldap/cacerts/server1crt.pem TLSCertificateKeyFile /etc/openldap/cacerts/server1key.pem TLSVerifyClient try sasl-secprops noanonymous,noplain,noactive access to * by * write by * read database bdb suffix "dc=domain" rootdn "uid=admin,ou=service,dc=domain" rootpw {SSHA}secret directory /var/ldap/databases/users index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncrepl rid=001 provider=ldap://192.168.1.3 type=refreshAndPersist interval=00:00:00:10 searchbase="dc=domain" schemachecking=off retry="60 +" filter="(objectClass=*)" attrs="*" bindmethod=simple binddn="uid=userrepl,ou=services,ou=administrative,dc=domain" credentials=password mirrormode on #=========================== #server 2 #=========================== include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/ppolicy.schema ##LOG Level loglevel 256 serverID 2 # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/lib64/openldap #moduleload accesslog.la #moduleload auditlog.la #moduleload denyop.la #moduleload dyngroup.la #moduleload dynlist.la #moduleload lastmod.la #moduleload pcache.la moduleload ppolicy.la #moduleload refint.la #moduleload retcode.la #moduleload rwm.la #moduleload smbk5pwd.la #moduleload translucent.la #moduleload unique.la #moduleload valsort.la TLSVerifyClient try sasl-secprops noanonymous,noplain,noactive access to * by * write by * read database bdb suffix "dc=domain" rootdn "uid=admin,ou=service,dc=domain" rootpw {SSHA}secret directory /var/ldap/databases/users index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 syncrepl rid=001 provider=ldap://192.168.1.2 type=refreshAndPersist interval=00:00:00:10 searchbase="dc=domain" schemachecking=off filter="(objectClass=*)" attrs="*" retry="60 +" bindmethod=simple binddn="uid=userrepl,ou=services,ou=administrative,dc=domain" credentials=password #updateref ldap://192.168.1.3 mirrormode on

2 1

Re: OpenLDAP does not seem to start
by sgmayo＠mail.bloomfield.k12.mo.us 23 Jan '10

23 Jan '10

Jaap Winius wrote: > Hi Scott, > > Did you ever manage to fix your problem? I'd be interested to hear > what the problem and the solution turned out to be, and maybe a few > other people on the mailing list would be as well. > > Cheers, > > Jaap > Yes, the problem was what I really expected from the first. It was just a corrupt DB I guess. I did a db_recover (actually on fedora it was a slapd_db_recover) and that fixed everything. Got it all back to working now. thanks for all the replies. -- Scott Mayo - System Administrator Bloomfield Schools PH: 573-568-5669 FA: 573-568-4565 Question: Because it reverses the logical flow of conversation. Answer: Why is putting a reply at the top of the message frowned upon?

1 0

Re: Server-Side Sort Overlay ordering problems
by Diego Lima 22 Jan '10

22 Jan '10

Hi, 2010/1/15 Quanah Gibson-Mount <quanah(a)zimbra.com> > --On Friday, January 15, 2010 12:06 PM -0500 Edward Capriolo < > edlinuxguru(a)gmail.com> wrote: > > Diego, >> >> You and I have the same issue. UID and CN are not in the schema they >> are compiled into LDAP some how, so there is no way to apply an >> ordering rule. I can not find if this is possible, or what is involved >> in making it happen. > > I'm currently testing a quick and dirty hack that I made to servers/slapd/schema_prep.c: --- schema_prep.c.ori 2010-01-15 13:28:04.000000000 -0200 +++ /root/openldap-2.4.21/servers/slapd/schema_prep.c 2010-01-15 13:04:56.000000000 -0200 @@ -915,6 +915,7 @@ static struct slap_schema_ad_map { offsetof(struct slap_internal_schema, si_ad_name) }, { "cn", "( 2.5.4.3 NAME ( 'cn' 'commonName' ) " "DESC 'RFC4519: common name(s) for which the entity is known by' " + "ORDERING caseIgnoreOrderingMatch " "SUP name )", NULL, 0, NULL, NULL, @@ -924,6 +925,7 @@ static struct slap_schema_ad_map { "DESC 'RFC4519: user identifier' " "EQUALITY caseIgnoreMatch " "SUBSTR caseIgnoreSubstringsMatch " + "ORDERING caseIgnoreOrderingMatch " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )", NULL, 0, NULL, NULL, By making these changes I've been able to get around my current problem, but it might not be as stable as you expect. > You can find these attributes defined in the code in servers/slapd. > > However, I will note, the definitions of these attributes are RFC defined. > They have no ORDERING rule on purpose. > > --Quanah Thanks for the input Quanah, but the problem is we have some legacy applications that used a really old LDAP server where this was allowed. I'm trying to migrate the server (that's a fedora directory from fedora 6) to a new openldap-based one. I must, however, maintain compatibility with the existing applications. Is there any problem (despite not being RFC-compliant) on enabling ordering on these attributes? -- Diego Lima

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2010