openldap vs. 389
by Matt Juszczak
Hi all,
We are currently evaluating which directory server to use for our authentication implementation, pdns backend, and puppet backend.
We have a proof of concept working with openldap but have recently begun looking into 389.
For those who have worked with these two, which do you find to be better for your needs? Which has better replication options? What about community and active development? Any major features in one that isn't in the other that are important to you?
Thanks,
Matt
10 years, 6 months
Fine Grained Permission System
by AdaXi
Hi everyone, I am kind of a newbie in OpenLDAP and LDAP in general, and I
really need your help. I have been looking for a fine-grained permission
system for a project that I am on now, but could not find anything that
satisfies me.
I have multiple applications that will authenticate using LDAP, but I also
want to control user access in each application. I want to be able to allow
specific access to an element in one application.
Examples :
For a database, I would like to assign read permissions to one or more
databases for one user.
For a bulletin board, users can only post in some specific boards.
For an FTP server, users can only access specific directories.
In the first place, is it realistic?
Do you know a way to do this only with LDAP? (If yes, could you show me a
manual or guide?)
Do you know some piece of software that could help me?
Thanks in advance,
AdaXi
10 years, 6 months
How to retrieve monitoring information
by Simon Gao
Hi,
I am trying to retrieve information from the monitoring database. However,
a command like the one below does not return the actual number of total
connections.
ldapsearch -x -D 'cn=admin,dc=xzy,dc=com' -W -b
'cn=Total,cn=Connections,cn=Monitor'
Did I miss anything, or is the command syntax not right?
Simon
10 years, 6 months
Removing entries from cn=config
by Diego Lima
Hi all,
I've been trying cn=config for some time now but I have a question: I
can add/modify entries using ldapadd/ldapmodify, but so far I have not
found a way to remove configurations without stopping slapd, going to
slapd.d and manually removing the entry from there. What is the proper
way to remove entries? If I try to remove the monitor database I get
this error, for example:
# ldapdelete -x -Dcn=admin,cn=config olcDatabase={2}monitor,cn=config -W
Enter LDAP Password:
ldap_delete: Server is unwilling to perform (53)
I've tried to Google it but had no success. Thank you!
--
Diego Lima
10 years, 6 months
Re: id: No such userroot@garion:~# ldapsearch -x uid=connor # extended LDIF # # LDAPv3 # base <dc=muncc, dc=loc> (default) with scope subtree # filter: uid=connor # requesting: ALL # # connor, People, muncc.loc dn: uid=connor,ou=People,dc=muncc,dc=lo
by Diego Lima
Hi Cole,
What does your /etc/nsswitch.conf look like? And your /etc/libnss-ldap.conf?
2010/9/27 Cole <colewashere(a)gmail.com>:
> Sorry about the subject. I think I hit paste by accident.
>
> On Mon, Sep 27, 2010 at 5:30 PM, Cole <colewashere(a)gmail.com> wrote:
>>
>> Hello all,
>> I have an LDAP server that I can use for authentication. On this server I
>> can authenticate as these users locally and ldapsearch them, whatever. On
>> any of the LDAP clients, however, I can see them using an ldapsearch, but an
>> id or su will return no such user.
>> Example:
>> root@garion:~# ldapsearch -x uid=connor
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=muncc,dc=loc> (default) with scope subtree
>> # filter: uid=connor
>> # requesting: ALL
>> #
>> # connor, People, muncc.loc
>> dn: uid=connor,ou=People,dc=muncc,dc=loc
>> uid: connor
>> cn: connor
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> shadowMax: 99999
>> shadowWarning: 7
>> loginShell: /bin/bash
>> uidNumber: 1002
>> gidNumber: 100
>> gecos: connor,,,
>> homeDirectory: /shared/home/connor
>> # search result
>> search: 2
>> result: 0 Success
>> # numResponses: 2
>> # numEntries: 1
>> root@garion:~# id connor
>> id: connor: No such user
>>
>> Now, I'm pretty sure that this must be an NSS or PAM problem, but the
>> files on the clients and the server seem to be configured the same. I can't
>> seem to pinpoint exactly what is wrong. Any suggestions?
>> Thanks in advance.
>> --
>> Cole Gleason
>> ----------------------
>> Student, Marmion Academy
>> Email: cg(a)colegleason.com
>> Website: colegleason.com
>
>
>
> --
> Cole Gleason
> ----------------------
> Student, Marmion Academy
> Email: cg(a)colegleason.com
> Website: colegleason.com
>
--
Diego Lima
10 years, 6 months
"Blank" node in multi-master OpenLDAP 2.4.21 setup (findbase failed)
by Mark Cairney
Hi,
Apache Directory Studio appears to have FUBAR'ed one of the nodes in our multi-master OpenLDAP setup and I'd appreciate some help or pointers.
I'm running OpenLDAP 2.4.21 and BDB 4.8.26 with Kerberos 5 and GSSAPI SASL.
On the "afflicted" node the DIT is empty other than the Root DSE, and ldapsearch returns "32" (no such object).
The logs contain the following:
** ld 0x2aab4c4b7c70 Outstanding Requests:
connection_get(44): got connid=1095
connection_read(44): checking for input on id=1095
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
ldap_pvt_sasl_generic_install
ld 0x2aab4c4b7c70 request count 1 (abandoned 0)
** ld 0x2aab4c4b7c70 Response Queue:
ber_get_next
Empty
ld 0x2aab4c4b7c70 response count 0
ldap_chkResponseList ld 0x2aab4c4b7c70 msgid 4 all 0
ldap_chkResponseList returns ld 0x2aab4c4b7c70 NULL
ldap_int_select
ber_get_next: tag 0x30 len 292 contents:
op tag 0x63, time 1286205781
ber_get_next
conn=1095 op=3 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=authorise,dc=ed,dc=ac,dc=uk>
<<< dnPrettyNormal: <dc=authorise,dc=ed,dc=ac,dc=uk>, <dc=authorise,dc=ed,dc=ac,dc=uk>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
=> get_ctrls: oid="1.3.6.1.4.1.4203.1.9.1.1" (noncritical)
ber_scanf fmt ({i) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (b) ber:
ber_scanf fmt (}) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (b) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (critical)
<= get_ctrls: n=2 rc=0 err=""
==> limits_get: conn=1095 op=3 self="uid=replicator.authorise.is.ed.ac.uk,ou=people,ou=central,dc=authorise,dc=ed,dc=ac,dc=uk" this="dc=authorise,dc=ed,dc=ac,dc=uk"
=> bdb_search
bdb_dn2entry("dc=authorise,dc=ed,dc=ac,dc=uk")
bdb_dn2entry("cn=admins,ou=group,ou=central,dc=authorise,dc=ed,dc=ac,dc=uk")
bdb_entry_get: rc=0
send_ldap_result: conn=1095 op=3 p=3
findbase failed! 32
send_ldap_result: conn=1095 op=3 p=3
send_ldap_response: msgid=4 tag=101 err=32
ber_flush2: 14 bytes to sd 44
connection_get(43): got connid=0
=>do_syncrepl rid=030
=>do_syncrep2 rid=030
ldap_result ld 0x2aab4c4b7c70 msgid 4
wait4msg ld 0x2aab4c4b7c70 msgid 4 (timeout 0 usec)
wait4msg continue ld 0x2aab4c4b7c70 msgid 4 all 0
** ld 0x2aab4c4b7c70 Connections:
* host: alder.authorise.is.ed.ac.uk port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Oct 4 16:23:01 2010
** ld 0x2aab4c4b7c70 Outstanding Requests:
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
ld 0x2aab4c4b7c70 request count 1 (abandoned 0)
** ld 0x2aab4c4b7c70 Response Queue:
Empty
ld 0x2aab4c4b7c70 response count 0
ldap_chkResponseList ld 0x2aab4c4b7c70 msgid 4 all 0
ldap_chkResponseList returns ld 0x2aab4c4b7c70 NULL
ldap_int_select
read1msg: ld 0x2aab4c4b7c70 msgid 4 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x2aab4c4b7c70 msgid 4 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x2aab4c4b7c70 0 new referrals
read1msg: mark request completed, ld 0x2aab4c4b7c70 msgid 4
request done: ld 0x2aab4c4b7c70 msgid 4
res_errno: 32, res_error: <>, res_matched: <>
ldap_free_request (origid 4, msgid 4)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
do_syncrep2: rid=030 LDAP_RES_SEARCH_RESULT (32) No such object
ldap_err2string
ldap_err2string
do_syncrep2: rid=030 (32) No such object
ldap_err2string
ldap_msgfree
connection_get(43): got connid=0
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 43
connection_get(44): got connid=1095
connection_read(44): checking for input on id=1095
ber_get_next
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1286205781
ber_get_next
do_syncrepl: rid=030 rc -2 retrying
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 44 failed errno=0 (Success)
conn=1095 op=4 do_unbind
connection_close: conn=1095 sd=44
TLS trace: SSL3 alert write:warning:close notify
So far to fix it I've tried running slapd with the "-c rid=" option, deleting the contents of /var/openldap-data, running db_verify and db_recover (with and without the -c flag) and doing a slapadd from one of the other working nodes but nothing has worked.
Interestingly the file sizes in /var/openldap-data/authorise look OK but the LDAP tree appears to have vanished without a trace.
Any ideas?
Kind regards,
Mark
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
10 years, 6 months
back_meta and referrals authentication
by Javier Sanz
Hi,
After upgrading from OpenLDAP 2.3.27 to 2.4.11, using back_meta, it
looks like the bindings to the referrals of the external LDAP servers
are no longer being made using the authentication information
specified in pseudorootdn and pseudorootpw, but are being made
anonymously. I have a backend meta that encapsulates a local LDAP
server and some remote ones, mainly Active Directory ones not under my
control. It also has a pcache overlay. Until now, pseudoroot* auth.
info. was used both when binding to Active Directories and when
chasing their referrals, but now it is only being used to bind to the
ADs and the binds to their referrals are being made anonymously.
Is that behavior still supported? When slapd starts, it prints:
line 75: "pseudorootdn", "pseudorootpw" are no longer supported; use
"idassert-bind" and "idassert-authzFrom" instead.
But slapd starts correctly. Does that mean that the directive works as
it used to but will be removed in the future, or that its
functionality is deactivated until the user replaces it with
idassert-bind?
If it is the former, then the problem should be related to some other
change between 2.3 and 2.4; what could it be?
If it is the latter and pseudorootdn must be replaced with
idassert-bind, I have tried it with all kinds of modes (none, self,
legacy), flags, and different idassert-authzFrom's,
with no success.
I'm using OpenLDAP 2.4.11 under Debian 5.0 Lenny. I have tried
upgrading to 2.4.17 with the same results. Bindings from clients to my
server are always done using the same DN (rootdn).
It has been some days now since I started looking into this, so any
help is greatly appreciated.
Here is the relevant config:
(...includes...)
loglevel config stats stats2
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_ldap
moduleload back_meta
moduleload pcache
allow update_anon
access to * by * write
database meta
suffix "dc=myldap,dc=local"
rootdn "cn=manager,dc=myldap,dc=local"
rootpw "passwd"
chase-referrals yes
rebind-as-user no
dncache-ttl forever
network-timeout 5
nretries 5
idle-timeout 5m
pseudoroot-bind-defer yes
overlay pcache
(...cache options..)
uri "ldap://externalldap:389/dc=Directory_0,dc=myldap,dc=local"
suffixmassage "dc=Directory_0,dc=myldap,dc=local" "DC=externalldap,DC=com"
pseudorootdn "CN=Administrator,DC=Users,DC=externalldap,DC=com"
pseudorootpw windowsadminpasswd
(...maps...)
Thanks,
Javier
10 years, 6 months
acl issue
by Troy Knabe
I am working on implementing OpenLDAP and I am having an issue with my ACLs. At this point I want users to be able to authenticate, and I want them to be able to search through the directory but only get back the attributes that I specify, with the attributes I want restricted kept restricted. slapacl returns what I would expect, but an ldapsearch as a user is returning no data at all.
This is all I have for ACLs at this point.
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to attrs=entry
by users read
access to attrs=mail,cn,l,telephoneNumber
by users read
access to attrs=mailhost
by users none
by anonymous none
10 years, 6 months
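The ACL set in the post above, run through a small model of slapd's first-match ACL evaluation. This is an added example and is not code from the post or from OpenLDAP; the directory entry, DNs and attribute values are constructed, and the model covers only the `access to attrs=...` and `by self|anonymous|users|*` forms the post uses. It makes visible a mismatch that fits the symptoms described (slapacl reports read on cn, yet a user's search returns nothing): slapacl checks one attribute at a time, whereas a search also needs `search` access on every attribute named in the filter and `read` on the `entry` pseudo-attribute, and any attribute that no clause mentions falls to the implicit trailing `access to * by * none`. Whether that is what the poster actually hit depends on the filter the ldapsearch used.

```python
"""Simplified model of slapd ACL evaluation as described in slapd.access(5).

Added example for the ACL question above; not from the post or from OpenLDAP.
Only the forms the posted ACLs use are modelled:
  * the first `access to attrs=...` clause naming the target attribute wins,
  * inside it the first matching `by` wins; if no `by` matches, access is denied,
  * attributes no clause names fall to the implicit `access to * by * none`,
  * a search needs `search` on every filter attribute and `read` on the
    `entry` pseudo-attribute and on every attribute it returns.
"""

LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6, "manage": 7}

# The ACL set from the post, verbatim.
POSTED_ACLS = """
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
access to attrs=entry
  by users read
access to attrs=mail,cn,l,telephoneNumber
  by users read
access to attrs=mailhost
  by users none
  by anonymous none
"""

# Same set plus one clause that lets authenticated users filter on uid and
# objectClass without being able to read their values (search < read).
FILTERABLE_ACLS = POSTED_ACLS + """
access to attrs=uid,objectClass
  by users search
"""

# Constructed sample entry (not from the post).
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "cn": "Alice", "mail": "alice@example.com",
        "mailhost": "mx1.example.com", "objectClass": "inetOrgPerson",
        "userPassword": "{SSHA}constructed-placeholder",
    },
}


def parse_acls(text):
    """Return a list of (attribute-name set, [(who, level), ...]) clauses."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to attrs="):
            names = line[len("access to attrs="):].split(",")
            acls.append(({n.strip().lower() for n in names}, []))
        elif line.startswith("by "):
            _, who, level = line.split()
            if level not in LEVELS:
                raise ValueError(f"unknown access level: {level}")
            acls[-1][1].append((who, level))
        else:
            raise ValueError(f"form not covered by this model: {line}")
    return acls


def who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    raise ValueError(f"who-form not covered by this model: {who}")


def granted(acls, requester_dn, target_dn, attr):
    """Access level the requester gets on one attribute of one entry."""
    for attrs, by_clauses in acls:
        if attr.lower() in attrs:
            for who, level in by_clauses:
                if who_matches(who, requester_dn, target_dn):
                    return level
            return "none"      # clause matched but no `by` matched: denied
    return "none"              # implicit trailing `access to * by * none`


def allows(acls, requester_dn, target_dn, attr, needed):
    return LEVELS[granted(acls, requester_dn, target_dn, attr)] >= LEVELS[needed]


def search(acls, requester_dn, filter_attrs, requested_attrs):
    """Entries and attributes the requester would get back from a search."""
    results = []
    for dn, entry in ENTRIES.items():
        # A filter attribute the requester cannot `search` makes that filter
        # component undefined, so the entry never matches.
        if not all(allows(acls, requester_dn, dn, a, "search") for a in filter_attrs):
            continue
        # Without `read` on the entry pseudo-attribute the entry is withheld.
        if not allows(acls, requester_dn, dn, "entry", "read"):
            continue
        visible = {a: v for a, v in entry.items()
                   if a in requested_attrs and allows(acls, requester_dn, dn, a, "read")}
        results.append((dn, visible))
    return results


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    posted = parse_acls(POSTED_ACLS)
    print("slapacl-style check on cn:", granted(posted, alice, alice, "cn"))
    print("filter (uid=alice):", search(posted, alice, ["uid"], ["cn", "mail"]))
    print("filter (cn=Alice):", search(posted, alice, ["cn"], ["cn", "mail"]))
    print("uid searchable:", search(parse_acls(FILTERABLE_ACLS), alice, ["uid"], ["cn", "mail"]))
```

The per-attribute check mirrors what slapacl reports, while `search()` applies the extra requirements a real search carries. With the posted ACLs, a filter on uid (or the `(objectClass=*)` default) matches nothing for an authenticated user, whereas a filter on cn returns the entry; the extra `by users search` clause in FILTERABLE_ACLS makes uid and objectClass usable in filters without exposing their values, which keeps the poster's intent of returning only the listed attributes.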
Glued Entries.
by karthik kumar
Hi ..
A few of my LDAP entries got changed like this:
objectClass: glue
objectClass: top
structuralObjectClass: glue
Those glued entries are not showing up in the ldapsearch. I took a dump and,
from the LDIF file, realized the objectClass/structuralObjectClass got
changed.
I wanted to recover my LDAP, so I removed all those entries (including the
child nodes) and ldapadd'ed them back from a previous dump (which wasn't glued).
But after some time, when I access those entries from the application, they get
glued.
Can you please advise how I can recover my LDAP from this?
10 years, 6 months