October 2010 - openldap-technical

by Matt Juszczak

Hi all, We are currently evaluating which directory server to use for our authentication implementation, pdns backend, and puppet backend. We have a proof of concept working with openldap but have recently begun looking into 389. For those who have worked with these two, which do you find to be better for your needs? Which has better replication options? What about community and active development? Any major features in one that isn't in the other that are important to you? Thanks, Matt

10 years, 6 months

1
0
0 / 0

memberOf module install on ubuntu 10.04 slapd package gives: "Insufficient access"

by Jon Skarpeteig

Attempting to enable memberOf module, following http://dimaj.net:1784/blog/2010/07/howto-verify-that-a-member-is-part-of -a-secondary-group-in-openldap/ gives me: ldap_modify: Insufficient access (50) - I am root on Ubuntu 10.04 using slapd package. What am I doing wrong?

10 years, 6 months

1
0
0 / 0

Fine Grained Permission System

by AdaXi

Hi everyone, I am kind of a newbie in OpenLDAP and LDAP in general, and I really need your help, I have been looking for a fine grained permission system to a project that I am in now, but could not find anything that satifies me. I have multiple applications that will authenticate using LDAP, but I also want to control user access in each application. I want to be able to allow specific acces to an element in one application. Examples : For database, I would like to assign read permissions to one or more database for one user. For a bulletin board, users can only post in some specifec boards. For a FTP server, users can only access specific directories. In first place is it realistic ? Do you know a way to do this only with LDAP ? (if yes, could you show me a manual or guide) Do you know some piece of software that could help me ? Thanks in advance, AdaXi

10 years, 6 months

2
2
0 / 0

How to retrieve monitoring information

by Simon Gao

Hi, I am trying to retrieve information from monitoring database. However, the command like below does not return actual number for total connections. ldapsearch -x -D 'cn=admin,dc=xzy,dc=com' -W -b 'cn=Total,cn=Connections,cn=Monitor' Did I miss anything? or the command syntax is not right? Simon

10 years, 6 months

2
1
0 / 0

Removing entries from cn=config

by Diego Lima

Hi all, I've been trying cn=config for some time now but I have a question: I can add/modify entries using ldapadd/ldapmodify, but so far I have not found a way to remove configurations without stopping slapd, going to slapd.d and manually removing the entry from there. What is the proper way to remove entries? If I try to remove the monitor database I get this error, for example: # ldapdelete -x -Dcn=admin,cn=config olcDatabase={2}monitor,cn=config -W Enter LDAP Password: ldap_delete: Server is unwilling to perform (53) I've tried to google it but had no success. Thank you! -- Diego Lima

10 years, 6 months

2
1
0 / 0

Re: id: No such userroot@garion:~# ldapsearch -x uid=connor # extended LDIF # # LDAPv3 # base <dc=muncc, dc=loc> (default) with scope subtree # filter: uid=connor # requesting: ALL # # connor, People, muncc.loc dn: uid=connor,ou=People,dc=muncc,dc=lo

by Diego Lima

Hi Cole, What does your /etc/nsswitch.conf look like? And your /etc/libnss-ldap.conf? 2010/9/27 Cole <colewashere(a)gmail.com>: > Sorry about the subject. I think I hit paste by accident. > > On Mon, Sep 27, 2010 at 5:30 PM, Cole <colewashere(a)gmail.com> wrote: >> >> Hello all, >> I have an LDAP server that I can use for authentication. On this server I >> can authenticate as these users locally and ldapsearch them, whatever. On >> any of the LDAP clients, however, I can see them using an ldapsearch, but an >> id or su will return no such user. >> Example: >> root@garion:~# ldapsearch -x uid=connor >> # extended LDIF >> # >> # LDAPv3 >> # base <dc=muncc,dc=loc> (default) with scope subtree >> # filter: uid=connor >> # requesting: ALL >> # >> # connor, People, muncc.loc >> dn: uid=connor,ou=People,dc=muncc,dc=loc >> uid: connor >> cn: connor >> objectClass: account >> objectClass: posixAccount >> objectClass: top >> objectClass: shadowAccount >> shadowMax: 99999 >> shadowWarning: 7 >> loginShell: /bin/bash >> uidNumber: 1002 >> gidNumber: 100 >> gecos: connor,,, >> homeDirectory: /shared/home/connor >> # search result >> search: 2 >> result: 0 Success >> # numResponses: 2 >> # numEntries: 1 >> root@garion:~# id connor >> id: connor: No such user >> >> Now, I'm pretty sure that this must be an NSS or PAM problem, but the >> files on the clients and the server seem to be configured the same. I can't >> seem to pinpoint exactly what is wrong. Any suggestions? >> Thanks in advance. >> -- >> Cole Gleason >> ---------------------- >> Student, Marmion Academy >> Email: cg(a)colegleason.com >> Website: colegleason.com > > > > -- > Cole Gleason > ---------------------- > Student, Marmion Academy > Email: cg(a)colegleason.com > Website: colegleason.com > -- Diego Lima

10 years, 6 months

1
0
0 / 0

"Blank" node in multi-master OpenLDAP 2.4.21 setup (findbase failed)

by Mark Cairney

Hi, Apache Directory Studio appears to have FUBAR'ed one of the nodes in our multi-master OpenLDAP setup and I'd appreciate some help or pointers. Im running OpenLDAP 2.4.21 and BDB 4.8.26 with Kerberos 5 and GSSAPI SASL. On the "afflicted" node the DIT is empty other than the Root DSE and ldapsearch returns "32" no such object. The logs contain the following: ** ld 0x2aab4c4b7c70 Outstanding Requests: connection_get(44): got connid=1095 connection_read(44): checking for input on id=1095 * msgid 4, origid 4, status InProgress outstanding referrals 0, parent count 0 ldap_pvt_sasl_generic_install ld 0x2aab4c4b7c70 request count 1 (abandoned 0) ** ld 0x2aab4c4b7c70 Response Queue: ber_get_next Empty ld 0x2aab4c4b7c70 response count 0 ldap_chkResponseList ld 0x2aab4c4b7c70 msgid 4 all 0 ldap_chkResponseList returns ld 0x2aab4c4b7c70 NULL ldap_int_select ber_get_next: tag 0x30 len 292 contents: op tag 0x63, time 1286205781 ber_get_next conn=1095 op=3 do_search ber_scanf fmt ({miiiib) ber: >>> dnPrettyNormal: <dc=authorise,dc=ed,dc=ac,dc=uk> <<< dnPrettyNormal: <dc=authorise,dc=ed,dc=ac,dc=uk>, <dc=authorise,dc=ed,dc=ac,dc=uk> ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: => get_ctrls ber_scanf fmt ({m) ber: ber_scanf fmt (m) ber: => get_ctrls: oid="1.3.6.1.4.1.4203.1.9.1.1" (noncritical) ber_scanf fmt ({i) ber: ber_scanf fmt (m) ber: ber_scanf fmt (b) ber: ber_scanf fmt (}) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (b) ber: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (critical) <= get_ctrls: n=2 rc=0 err="" ==> limits_get: conn=1095 op=3 self="uid=replicator.authorise.is.ed.ac.uk,ou=people,ou=central,dc=authorise,dc=ed,dc=ac,dc=uk" this="dc=authorise,dc=ed,dc=ac,dc=uk" => bdb_search bdb_dn2entry("dc=authorise,dc=ed,dc=ac,dc=uk") bdb_dn2entry("cn=admins,ou=group,ou=central,dc=authorise,dc=ed,dc=ac,dc=uk") bdb_entry_get: rc=0 send_ldap_result: conn=1095 op=3 p=3 findbase failed! 32 send_ldap_result: conn=1095 op=3 p=3 send_ldap_response: msgid=4 tag=101 err=32 ber_flush2: 14 bytes to sd 44 connection_get(43): got connid=0 =>do_syncrepl rid=030 =>do_syncrep2 rid=030 ldap_result ld 0x2aab4c4b7c70 msgid 4 wait4msg ld 0x2aab4c4b7c70 msgid 4 (timeout 0 usec) wait4msg continue ld 0x2aab4c4b7c70 msgid 4 all 0 ** ld 0x2aab4c4b7c70 Connections: * host: alder.authorise.is.ed.ac.uk port: 636 (default) refcnt: 2 status: Connected last used: Mon Oct 4 16:23:01 2010 ** ld 0x2aab4c4b7c70 Outstanding Requests: * msgid 4, origid 4, status InProgress outstanding referrals 0, parent count 0 ld 0x2aab4c4b7c70 request count 1 (abandoned 0) ** ld 0x2aab4c4b7c70 Response Queue: Empty ld 0x2aab4c4b7c70 response count 0 ldap_chkResponseList ld 0x2aab4c4b7c70 msgid 4 all 0 ldap_chkResponseList returns ld 0x2aab4c4b7c70 NULL ldap_int_select read1msg: ld 0x2aab4c4b7c70 msgid 4 all 0 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 0x2aab4c4b7c70 msgid 4 message type search-result ber_scanf fmt ({eAA) ber: read1msg: ld 0x2aab4c4b7c70 0 new referrals read1msg: mark request completed, ld 0x2aab4c4b7c70 msgid 4 request done: ld 0x2aab4c4b7c70 msgid 4 res_errno: 32, res_error: <>, res_matched: <> ldap_free_request (origid 4, msgid 4) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_err2string do_syncrep2: rid=030 LDAP_RES_SEARCH_RESULT (32) No such object ldap_err2string ldap_err2string do_syncrep2: rid=030 (32) No such object ldap_err2string ldap_msgfree connection_get(43): got connid=0 ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 43 connection_get(44): got connid=1095 connection_read(44): checking for input on id=1095 ber_get_next TLS trace: SSL3 alert write:warning:close notify ldap_free_connection: actually freed ber_get_next: tag 0x30 len 5 contents: op tag 0x42, time 1286205781 ber_get_next do_syncrepl: rid=030 rc -2 retrying TLS trace: SSL3 alert read:warning:close notify ber_get_next on fd 44 failed errno=0 (Success) conn=1095 op=4 do_unbind connection_close: conn=1095 sd=44 TLS trace: SSL3 alert write:warning:close notify So far to fix it I've tried running slapd with the "-c rid=" option, deleting the contents of /var/openldap-data, running db_verify and db_recover (with and without the -c flag) and doing a slapadd from one of the other working nodes but nothing has worked. Interestingly the file sizes in /var/openldap-data/authorise look OK but the LDAP tree appears to have vanished without a trace. Any ideas? Kind regards, Mark -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

10 years, 6 months

1
0
0 / 0

back_meta and referrals authentication

by Javier Sanz

Hi, After upgrading from OpenLDAP 2.3.27 to 2.4.11, using back_meta, it looks like the bindings to the referrals of the external LDAP servers are no longer being made using the authentication information specified in pseudorootdn and pseudorootpw, but are being made anonymously. I have a backend meta that encapsulates a local LDAP server and some remote ones, mainly Active Directory ones not under my control. It also has a pcache overlay. Until now, pseudoroot* auth. info. was used both when binding to Active Directories and when chasing their referrals, but now it is only being used to bind to the ADs and the binds to their referrals are being made anonymously. Is that behavior still supported?. When slapd starts, it prints: line 75: "pseudorootdn", "pseudorootpw" are no longer supported; use "idassert-bind" and "idassert-authzFrom" instead. But slapd starts correctly. Does that mean that the directive works as it used to but it will be removed in the future, or that its functionality is deactivated until the user replaces it with idassert-bind?. If it is the former, then the problem should be related to some other change between 2.3 and 2.4, what could it be?. If it is the later and pseudorootdn must be replaced with ideassert-bind, I have tried it with all kinds of modes (none, self, legacy), flags, and different idassert-authzFrom's, with no sucess. I'm using OpenLDAP 2.4.11 under Debian 5.0 Lenny. I have tried upgrading to 2.4.17 with the same results. Bindings from clients to my server are always done using the same DN (rootdn). It has been some days now since I started looking into this, so any help is greatly appreciated. Here is the relevant config: (...includes...) loglevel config stats stats2 modulepath /usr/lib/ldap moduleload back_bdb moduleload back_ldap moduleload back_meta moduleload pcache allow update_anon access to * by * write database meta suffix "dc=myldap,dc=local" rootdn "cn=manager,dc=myldap,dc=local" rootpw "passwd" chase-referrals yes rebind-as-user no dncache-ttl forever network-timeout 5 nretries 5 idle-timeout 5m pseudoroot-bind-defer yes overlay pcache (...cache options..) uri "ldap://externalldap:389/dc=Directory_0,dc=myldap,dc=local" suffixmassage "dc=Directory_0,dc=myldap,dc=local" "DC=externalldap,DC=com" pseudorootdn "CN=Administrator,DC=Users,DC=externalldap,DC=com" pseudorootpw windowsadminpasswd (...maps...) Thanks, Javier

10 years, 6 months

1
1
0 / 0

acl issue

by Troy Knabe

I am working on implementing open ldap and I am having an issue with my acls. At this point I want users to be able to authenticate and I want them to be able to search through the directory, but only return the attributes that I specify, and restrict attributes that I want restricted. slapacl returns what I would expect, but an ldapsearch as a user is returning no data at all. This is all I have for acls at this point. access to attrs=userPassword by self write by anonymous auth by * none access to attrs=entry by users read access to attrs=mail,cn,l,telephoneNumber by users read access to attrs=mailhost by users none by anonymous none

10 years, 6 months

1
0
0 / 0

Glued Entries.

by karthik kumar

Hi .. Few of my ldap entries got changed like this objectClass: glue objectClass: top structuralObjectClass: glue Those glued entries are not showing up in the ldapsearch. I took a dump and from the ldif file, realized the objectClass/ structuralObjectClass got changed. I wanted to recover my ldap. So removed all those entries ( including the childnodes ). ldapadd them back from a previous dump ( which wasnt glued). But after some time when I access those entries from application, they get glued. Can you please advice how do I recover my ldap from this.

10 years, 6 months

2
3
0 / 0

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2010