openldap-technical October 2010

openldap-technical@openldap.org

99 participants
93 discussions

Tree, ACL and auth...
by Jarek 11 Oct '10

11 Oct '10

Hello! I'd like to create administrator groups under each OU, so this administrator will be allowed to manage everything in this OU. by default, I'm creating simpleSecurityObject with cn=admin in each administrators group, so OU administrator can login as OU, or if there are more administrators, they can use admin_name@OU as username. This works nice if I have OU on one level. I have no idea, how to do it, if I will have more complicated structure, i.e.: root +-ou=department1 | +-ou=administrators | +-cn=admin | +-cn=admin2 | +-ou=department2 +-ou=administrators | +-admin | +-ou=subdepartment1 | +-ou=administrators | +-admin +-ou=subdepartment2 | +-ou=administrators | +-admin ... I can assume that all departments will have unique names. I'd like that each admin will be able login as department (=>admin@department) or as user@department. Is there any way, to ensure that each ou (with specific objectClass=departement) will have unique name ? Is it possible to construct bind dn, with only department (ou) name ? I'd like to avoid using loginname as: admin2(a)subdepartment2.departmnt2 if I'm sure that supdepartment2 name is unique. I've tried to do it in two steps: search DN of subdepartment-N as anonymous, than add "cn=admin,ou=administrators" as prefix and then login as right user with password. It works, but it requires read access to all tree for anonymous which may not be acceptable. I've tried to limit annonymous access to only dc and ou attributes, but with such ACL I see only first level of ou. Thanks in advance! -- Jarek <jarek(a)poczta.srv.pl>

1 0

problems updating from provider?
by Tim Tyler 11 Oct '10

11 Oct '10

Openldap experts, I am currently running openldap 2.3.43 on a RedHat 5.5 system. I recently had to move one of my replication ldap servers to another box. After doing so, it won’t update from the provider any more. I had simply done a slapcat of the provider’s db into a ldif file and then slapadd it into the replication server. It runs fine and looks up data, but it won’t update any changes from the provider. I have a second replication server which works just fine with updates from the provider. So I am pretty sure the problem is with this replication server. I restored the configurations exactly as I had it previously when it was working. What might I be doing wrong? Does this suggest that I might have a permissions problem or perhaps a corrupt database? I can’t seem to find a permission difference between my two replications servers. Is it acceptable to simply do a slapadd –l filename.ldif or should I include other parameters when adding in the files from scratch? Note: the only file that exists in the ldap database directory is the DBCONFIG file when restoring the ldif. Below is a part of my syncrepl config in slapd.conf in case that helps. syncrepl rid=102 provider=ldaps://xxx.beloit.edu:636 type=refreshAndPersist interval=00:01:00:00 searchbase="dc=beloit,dc=edu" filter="(objectclass=*)" attrs="*,+" scope=sub schemachecking=off bindmethod=simple binddn="cn=Admin,dc=beloit,dc=edu" I must be missing something. Any advice? Tim Tyler Network Engineer Beloit College

2 1

Recommended approach for LDAP as backend for virtual domain mail hosting?
by Andreas Ntaflos 11 Oct '10

11 Oct '10

Hi, I will probably also post this to the Postfix mailing list but it is fundamentally an (Open)LDAP question so here goes: Short version: What is a recommended way to set up virtual mail hosting based on OpenLDAP? I.e. providing mail and authentication services, like SMTP and IMAP, using Postfix and Dovecot, for multiple *independent domains* such as example.net, example.org, example.com? I am looking for RTFMs, HOWTOs, blogs, or any experience and anecdotes users on this list can provide. I myself no experience designing a DIT in LDAP (I am more at home in Postgres) and have much learning to do. Long version: I know such setups exist and I have found many references in the archives of this list but there was never a completely straigt- forward answer that didn't say "it depends on your requirements" or involve frontends/add-ons like Jamm or Phamm, which I have no interest in. So the requirements are basically: * Independent domains and users, i.e. john.doe(a)example.org is completely different/distinct from john.doe(a)example.net, even though both may be the same physical human being. * Thus accounts in different domains must have separate passwords fields * Groups and aliases must be possible * Performance should not be terrible, obviously * Applications such as Apache, Ejabberd, Wikis and Webmail clients (to name a few) which support LDAP authentication should be able to query the DIT or DITs without needing any hacks or ugly constructs (this is a vague requirement, I know). Now I believe the question basically boils down to this: Should we use multiple independent backend databases (DITs) or one large "hosting" database as described in [1,2]? Which of the two is the better approach? Which is more flexible, which has less administrative or functional overhead? If we use multiple DITs we probably will have to glue them together somehow, won't we? How would queries against multiple independent DITs look? Our current setup is more like [1,2], one big hosting database. It is a PostgreSQL database with a few tables for virtual domains (virtual_mailbox_domains in Postfix), virtual users (virtual_mailbox_maps), virtual aliases (virtual_alias_maps) and a few others. It is based loosely on [3]. This works fine but now the need has arisen to see if we can migrate that setup to an LDAP-based one, mainly for flexibility and compatibility with various authentication needs: many applications and services provide some kind of LDAP-based authentication but are hopelessly overwhelmed with SQL backends, especially when the queries are a bit complex. Thanks in advance! Andreas PS: I gathered much from the article in [1] but by now it is over 7 years old and many things have changed so I can't follow it to the letter. [1] http://www.linuxjournal.com/article/5917 [2] http://www.linuxjournal.com/files/linuxjournal.com/linuxjournal/articles/05… [3] http://workaround.org/ispmail/lenny

4 13

Question about openldap and Outlook
by David Díaz Díaz 08 Oct '10

08 Oct '10

Hello All, I'm not sure if this list is the appropiate place to make a question about ldap & outlook, in case not, please let me know. I'm newbie with Open Ldap, I'm using it with qmail and vpopmail (my mailserver) and I can access to my LDAP book address using outlook, I can search users and everithing works fine, but the only issue that I had is when I tried to display info for any group; let me explain, I can see the group, outlook identify it, but when I tried to see the members of that group, the outlook doesn't display any info, instead of members, the outlook display the records as another member... I was looking on a lot websites info about my issue, but I couldn't find anything... any idea? Saludos! davidiaz

2 1

OpenLDAP configured as Proxy
by Marco Pizzoli 08 Oct '10

08 Oct '10

Hi all, is there a way to obtain a OL configuration to permit proxying an ldap connection without knowledge in advance about the target ldap server? Simple scenario, I would like to put a proxy system in front of a client which is trying to check a Certificate Revocation List (CRL), which is published via internet. I cannot "register" in advance all possibile public CAs in my slapd configuration. I'm searching a way similar to a SOCKS server but specialized for the LDAP protocol. Any hint eventually involving other LDAP tools are obviously appreciated. Thanks Marco -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

2 1

Replication server won't update from provider after moving it?
by Tim Tyler 08 Oct '10

08 Oct '10

1 0

How can I make the unique overlay play nicely with my ACL?
by Owen Jacobson 08 Oct '10

08 Oct '10

Hi there, I'm trying to enforce that the 'uid' attribute is globally unique in my tree using the unique overlay. For a collection of mostly-uninteresting reasons, the LDAP server is publicly connectable but not publicly searchable (details below). It appears that the unique overlay uses the *worst possible* combination of credentials to perform the searches it uses to guarantee uniqueness. All of the following information was obtained from ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -- it's really what slapd thinks it's seeing. My unique configuration: dn: olcOverlay={0}unique,olcDatabase={1}hdb,cn=config objectClass: olcUniqueConfig olcOverlay: {0}unique olcUniqueURI: ldap:///dc=unreasonent,dc=com?uid?sub? My database configuration (indexes and hdb configuration elided): dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap/unreasonent.com olcSuffix: dc=unreasonent,dc=com olcAccess: {0}to attrs=userPassword by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by group="cn=Directory Administrator,ou=Roles,dc=internal,dc=unreasonent,dc=com" manage by anonymous auth by self write by * none olcAccess: {1}to attrs=shadowLastChange by self write by * break olcAccess: {2}to dn.base="" by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by group="cn=Directory Administrator,ou=Roles,dc=internal,dc=unreasonent,dc=com" manage by * break olcAccess: {3}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by group="cn=Directory Administrator,ou=Roles,dc=internal,dc=unreasonent,dc=com" manage by users read by peername.regex="IP=10.27.70.6\:\d+" read by * none (The peername.regex ACL entry is shrapnel from my attempts to make this work on my own, but it came in handy. The IP address there is the IP address of my LDAP server.) As you can see anonymous users are allowed to do one thing: authenticate. My tree contains the following user already: dn: uid=owen,ou=People,dc=internal,dc=unreasonent,dc=com When I log in with the user above (who is in the group cn=Directory Administrator,ou=Roles,dc=internal,dc=unreasonent,dc=com) and add the following test user dn: uid=owen,ou=test,ou=People,dc=unreasonent,dc=com changetype: add objectClass: inetOrgPerson uid: owen sn: Test cn: Test the add succeeds (which should not happen, as the UID is already in use). A little digging with slapd -d -1 reveals that the unique overlay is doing a search of its own: ==> unique_add <uid=owen,ou=test,ou=People,dc=unreasonent,dc=com> ==> unique_search (|(uid=owen)) str2filter "(|(uid=owen))" put_filter: "(|(uid=owen))" put_filter: OR put_filter_list "(uid=owen)" put_filter: "(uid=owen)" put_filter: simple put_simple_filter: "uid=owen" begin get_filter OR begin get_filter_list begin get_filter EQUALITY ber_scanf fmt ({mm}) ber: ber_dump: buf=0xb5dd5438 ptr=0xb5dd543a end=0xb5dd5447 len=13 0000: a3 0b 04 03 75 69 64 04 04 6f 77 65 6e ....uid..owen end get_filter 0 end get_filter_list end get_filter 0 => hdb_search bdb_dn2entry("dc=unreasonent,dc=com") => access_allowed: search access to "dc=unreasonent,dc=com" "entry" requested => dn: [3] => acl_get: [4] attr entry => acl_mask: access to entry "dc=unreasonent,dc=com", attr "entry" requested => acl_mask: to all values by "", (=0) <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth <= check a_dn_pat: users <= check a_peername_path: IP=10.27.70.6\:\d+ => acl_string_expand: pattern: IP=10.27.70.6\:\d+ => acl_string_expand: expanded: IP=10.27.70.6\:\d+ => regex_matches: string: IP=10.27.70.210:46908 => regex_matches: rc: 1 no matches <= check a_dn_pat: * <= acl_mask: [5] applying none(=0) (stop) <= acl_mask: [5] mask: none(=0) => slap_access_allowed: search access denied by none(=0) => access_allowed: no more rules send_ldap_result: conn=1029 op=33 p=3 send_ldap_result: err=32 matched="" text="" => unique_search found 0 records As you can see, (a) the IP address the search "comes from" is not the IP address of the LDAP server nor is it the LDAP server's ldapi:// socket (it's actually my client machine's IP address) and (b) the authenticated DN used in the search is empty. Combined, these two facts lead to slapd deciding the search is not permitted by the ACL, which in turn causes the unique overlay to decide no other entries with the same uid exist. This seems wrong: the connection from that IP and port has already authenticated as a user (which would've permitted the search). Assuming for the moment that allowing the world at large to search my LDAP server is not an option, how can I allow the unique overlay to enforce my constraint? -o

3 3

meta backend olc?
by Marc Patermann 07 Oct '10

07 Oct '10

Hi, while migrating servers form 2.3.x to 2.4.x I stumbled upon this with openldap2-2.4.20-0.4.29 SLES11SP1. When I try online config based on my slapd.conf file, I get an error # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d -u config file testing succeeded fine so far. # slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d WARNING: No dynamic config support for database meta. WARNING: No dynamic config support for database meta. WARNING: The converted cn=config directory is incomplete and may not work. ... cn=config # cat olcDatabase={1}meta.ldif dn: olcDatabase={1}meta objectClass: olcDatabaseConfig olcDatabase: {1}meta olcSuffix: ou=AllgV,ou=foo olcSubordinate: TRUE olcAddContentAcl: FALSE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: FALSE structuralObjectClass: olcDatabaseConfig entryUUID: 4e829d54-6661-102f-959b-c114632c1572 creatorsName: cn=config createTimestamp: 20101007131949Z entryCSN: 20101007131949.541278Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20101007131949Z There is no URI or any meta specific attribute here. from slapd.conf: database meta suffix "ou=AllgV,ou=foo" uri "ldap://server/ou=AllgV,ou=foo" suffixmassage "ou=AllgV,ou=foo" "ou=allgv,ou=proxy,o=bar" conn-ttl 30 idle-timeout 1m30s subordinate Is there something wrong with my config or does meta not work with olc? According to the mail from p. http://www.openldap.org/its/index.cgi/Documentation?expression=meta;downloa… it seems to be "not me". Whereas Howard replied: "All of the core overlays now support cn=config." http://www.openldap.org/its/index.cgi/Documentation?id=6277;expression=meta… Marc

3 2

Re: (ITS#6666) Feature Request: Triggers implementation
by Buchan Milne 07 Oct '10

07 Oct '10

On Thursday, 7 October 2010 08:35:45 nick(a)eurobjects.com wrote: > Sorry, I' m not a developer. I'm trying to find a solution from an > administrator's point of view. I think you should have discussed this on a mailing list first, coming to some feasible method that would be acceptable, before deciding whether an ITS should be filed. > How about doing something like: > on log attr <attrname> notify <[ip]:[port]> > which would send a "message" with the attr name, the old and the new > value of the attribute to [ip]:[port]. But, slapd already "publishes" changes via syncrepl. > Then, someone can set up a net listening process like netcat (nc) to > read data and do whatever. But it is possible to provide an example perl script to search for changes in the directory, and have it execute actions which are configurable in a configuration file. I have a daemonised perl script using Net::LDAPapi that could potentially be modified to read from a configuration file (but, it was written to feed commands into a long-running interactive tool, so I would need to re-work it a bit). Regards, Buchan

1 0

Re: OpenLDAP session authentication
by Erik Lotspeich 07 Oct '10

07 Oct '10

Hi Dan, OK, I got things working. Thank you for your patience! >> What DN would I use for simple authentication? Maybe Thunderbird cannot >> perform a SASL BIND? It seems Thunderbird only performs a simple bind. > For simple authentication, you'd need to specify the DN of an entry within > your LDAP tree. This statement helped me put it all together. Another missing piece for me was the userPassword attribute. I didn't realize that it was to be part of an entry (for some reason, I thought it was a slapd.conf parameter). I added this entry for the users who I want to allow to authenticate. It is acceptable to me to bind against the full dn of users entry, so I bind against this: cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org The userPassword attribute is set to: userPassword: {SASL}erik So now, simple binds work now: erik@starfish:~/ldif$ ldapwhoami -H ldaps://localhost/ -D 'cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org' -W Enter LDAP Password: dn:cn=Erik Lotspeich,ou=family,ou=people,dc=lotspeich,dc=org For SASL binds, it also works: erik@starfish:~/ldif$ ldapwhoami -H ldaps://localhost/ -U erik -W Enter LDAP Password: SASL/PLAIN authentication started SASL username: erik SASL SSF: 0 dn:uid=erik,cn=plain,cn=auth Looking through the Admin guide, I decided on a set of rules that seem to accomplish what I want: access to attrs=userPassword by self =xw by anonymous auth by * none access to * by self write by users write by * none Again, thanks for your help. I learned a lot -- I believe I know enough now to make better sense of the Admin guide. Regards, Erik

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2010