cn=config and authz-regexp
by Julien Vehent
Hi list,
I'm moving an LDAP directory to a freshly installed Debian Squeeze and
I'm discovering cn=config.
On my former installation, I have SASL configured using:
---
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
"ldap:///dc=domain,dc=net??sub?(uid=$1)"
authz-policy to
password-hash {CLEARTEXT}
---
How do I translate this into cn=config directives?
I believe it should be stored in
/etc/ldap/slapd.d/cn=config/olcDatabase\=\{1\}hdb.ldif
Is that correct?
Thanks,
Julien
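The same three directives expressed as an ldapmodify LDIF for cn=config, as an added example (not Julien's files and not a reply from the thread). The base DN dc=domain,dc=net is taken from the post; everything else assumes the stock cn=config layout, in which authz-regexp and authz-policy are global attributes of the cn=config entry and password-hash is an attribute of the frontend database entry olcDatabase={-1}frontend (the cn=config entry accepts olcPasswordHash as well). The function name and the ldapi/EXTERNAL usage are this example's own.

```shell
#!/bin/sh
# Added example: prints the cn=config equivalent of
#   authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$" "ldap:///BASE??sub?(uid=$1)"
#   authz-policy to
#   password-hash {CLEARTEXT}
# as an LDIF for ldapmodify. BASE is the argument (dc=domain,dc=net in the post).
# authz-regexp/authz-policy are global, so they go into the cn=config entry;
# password-hash is a frontend directive, not an attribute of olcDatabase={1}hdb.
authz_cnconfig_ldif() {
    base=${1:?usage: authz_cnconfig_ldif BASE_DN}
    cat <<EOF
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^uid=([^,]+).*,cn=[^,]*,cn=auth\$" "ldap:///${base}??sub?(uid=\$1)"
-
replace: olcAuthzPolicy
olcAuthzPolicy: to

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {CLEARTEXT}
EOF
}

# Usage on the server, as root (assumes the Debian default olcAccess rule that
# lets the local root identity manage cn=config over ldapi with SASL EXTERNAL):
#   authz_cnconfig_ldif dc=domain,dc=net > authz.ldif
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif
```

The {0} prefix puts the rule first if other olcAuthzRegexp values already exist; drop it to append instead. One consequence worth keeping in view: {CLEARTEXT} is what DIGEST-MD5 needs, but it means every password set through the password-modify operation is stored unhashed, so the ACL on userPassword (auth for anonymous, no read for anyone but self and the admin) is the only thing between a directory reader and those passwords.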
RE: Problems Enabling Authentication using Cyrus SASL
by Fernando Torrez
Hi all
I got SASL authentication working to access the LDAP server by correcting two things:
1.- inserting the proxyuser's userPassword in clear text (userPassword=secret)
2.- fixing the proxyuser's authzTo attribute to
authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
(results at the end of this mail)
As far as can be seen, there's no need for cyrus-sasl for this matter,
but my final purpose is to enable Cyrus-sasl with openldap as
backend to authenticate users for cyrus-imapd and postfix services.
Any hints would be appreciated.
Thanks to all for your support
Fernando
firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:test
SASL SSF: 128
SASL data security layer installed.
dn:uid=test,ou=people,dc=plainjoe,dc=org
firewall:~ # ldapsearch -Y digest-md5 -U proxyuser -b 'dc=plainjoe,dc=org' '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: proxyuser
SASL SSF: 128
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=plainjoe,dc=org> with scope subtree
# filter: (objectclass=*)
Re: syncrepl with accesslog not replicating
by Quanah Gibson-Mount
--On Monday, November 29, 2010 10:46 PM +0100 Dieter Kluenter
<dieter(a)dkluenter.de> wrote:
> Quanah Gibson-Mount <quanah(a)zimbra.com> writes:
>
> OK, this is what I had, so going back to original configuration.
You had scope specified, and the missing new line between the syncrepl and
updateref clauses. Please keep this on the list.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
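A check for the fault named in this reply, as an added example (not the configuration from the thread): in slapd.conf a line that begins with whitespace continues the previous directive, so a multi-line syncrepl clause that runs straight into an indented updateref quietly turns updateref into a syncrepl parameter. The lint below reports top-level directives sitting on indented lines, and the constructed sample writes the stanza in both the broken and the fixed shape. Hostnames, DNs, the rid and the credentials placeholder are assumed.

```shell
#!/bin/sh
# Added example: flag slapd.conf continuation lines whose first word is a
# top-level directive. lint_slapd_conf prints one line per finding and
# returns 1 when it found any, 0 otherwise.
lint_slapd_conf() {   # $1: path to a slapd.conf
    tab=$(printf '\t')
    n=0; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            " "*|"$tab"*)
                # first word of the continuation line, split by read (no globbing)
                word=$(printf '%s\n' "$line" | { read -r w _; printf '%s' "$w"; })
                case "$word" in
                    updateref|syncrepl|database|suffix|rootdn|rootpw|directory|overlay|access|index|include|mirrormode|serverID)
                        printf '%s:%d: "%s" is on a continuation line; it extends the previous directive\n' "$1" "$n" "$word"
                        found=1 ;;
                esac ;;
        esac
    done < "$1"
    return "$found"
}

# Constructed delta-syncrepl consumer stanza; "broken" indents updateref so it
# becomes part of the syncrepl clause, "fixed" starts it in column 0.
write_sample_conf() {   # $1: broken|fixed  $2: output path
    {
        printf 'database bdb\n'
        printf 'suffix "dc=example,dc=net"\n'
        printf 'syncrepl rid=001\n'
        printf '\tprovider=ldap://provider.example.net\n'
        printf '\ttype=refreshAndPersist\n'
        printf '\tretry="60 +"\n'
        printf '\tsearchbase="dc=example,dc=net"\n'
        printf '\tbindmethod=simple\n'
        printf '\tbinddn="cn=replicator,dc=example,dc=net"\n'
        printf '\tcredentials=REPLACE_WITH_SECRET\n'
        printf '\tlogbase="cn=accesslog"\n'
        printf '\tlogfilter="(&(objectClass=auditWriteObject)(reqResult=0))"\n'
        printf '\tsyncdata=accesslog\n'
        if [ "$1" = broken ]; then
            printf '\tupdateref ldap://provider.example.net\n'
        else
            printf 'updateref ldap://provider.example.net\n'
        fi
    } > "$2"
}
```

Run it as `lint_slapd_conf /etc/ldap/slapd.conf` after editing; the check is purely lexical, so it catches the missing newline but says nothing about the parameter values themselves.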
Let users modify some LDAP entry?
by Frank Bonnet
Hello
I'm searching for some web based software to let users
modify "some" data in our LDAP database after having
been authenticated.
Typically I would like to give them the possibility to modify
their loginShell, password, phone number, etc.
Does such software exist?
Thank you
Using shell database
by krishan kumar
Hello, I have compiled openldap-2.4.23 from source. Recently I have been learning
to use the shell database, so I tried running the searchexample.sh script file provided
with the OpenLDAP sources. But I am not successful in doing so. I think the
script is not getting executed and I am not getting any search results.
The search gives the following result:
#ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W -b 'dc=shell1,dc=com'
'(uid=root)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=shell1,dc=com> with scope subtree
# filter: (uid=root)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
---------------------------------------------------------------------------
My slapd.conf section for the shell database is as follows:
database shell
suffix "dc=shell1,dc=com"
search /usr/local/openldap-test/etc/openldap/searchexample.sh
----------------------------------------------------------------------------
When slapd is started with the -d 1 option, I get the following debugging
information upon executing the above search example:
--------------------------------------------------------------------------------------------------------------
<output truncated>..
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 17
connection_get(17): got connid=1002
connection_read(17): checking for input on id=1002
ber_get_next
ber_get_next: tag 0x30 len 53 contents:
op tag 0x63, time 1291033804
ber_get_next
conn=1002 op=1 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=shell1,dc=com>
<<< dnPrettyNormal: <dc=shell1,dc=com>, <dc=shell1,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=1002 op=1 self="cn=manager,dc=example,dc=com"
this="dc=shell1,dc=com"
execv failed
shell: fgets failed: Success (0)
str2result () expecting "RESULT"
send_ldap_result: conn=1002 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 17
connection_get(17): got connid=1002
connection_read(17): checking for input on id=1002
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1291033804
ber_get_next
conn=1002 op=2 do_unbind
connection_close: conn=1002 sd=17
----------------------------------------------------------------------------------------------------------------------
Please help me to get the shell database working.
Thanks.
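An added illustration of a search handler for the shell back-end, following the request/response format of slapd-shell(5); it is not the searchexample.sh shipped with OpenLDAP and not code from the post. slapd runs the program with the request on stdin as "tag: value" lines and expects LDIF entries on stdout, each followed by a blank line, then a RESULT block. The suffix dc=shell1,dc=com and the (uid=root) filter come from the post; the entry returned and the script's file-name guard are this example's own.

```shell
#!/bin/sh
# Added illustration: minimal search handler in the slapd-shell(5) protocol.
# It is deliberately static; a real handler would look the base and filter up
# in whatever data source the shell back-end is fronting.
shell_search() {
    base=""
    filter=""
    # Only base: and filter: are used here; slapd-shell(5) lists the other tags
    # (msgid:, suffix:, scope:, deref:, sizelimit:, timelimit:, attrsonly:, attrs:).
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "base: "*)   base=${line#base: } ;;
            "filter: "*) filter=${line#filter: } ;;
        esac
    done
    # The filter is client-controlled text: compare it, never eval it or pass it
    # unquoted to another program. The script runs with slapd's privileges.
    if [ "$filter" = "(uid=root)" ]; then
        printf 'dn: uid=root,%s\n' "$base"
        printf 'objectClass: account\n'
        printf 'uid: root\n'
        printf '\n'
    fi
    # Without this block slapd logs: str2result () expecting "RESULT"
    printf 'RESULT\ncode: 0\n'
}

# Serve a request only when the file is installed under this name and run as a
# program; sourcing it under another name just defines the function.
case "${0##*/}" in
    searchexample.sh) shell_search ;;
esac
```

The "execv failed" line in the trace above is logged when slapd could not run the program at all, which is what a wrong path in the search directive, a missing execute bit for the slapd user, or a shebang pointing at an absent interpreter produces; `ls -l` on the path from slapd.conf and a manual run such as `printf 'base: dc=shell1,dc=com\nfilter: (uid=root)\n' | sh searchexample.sh` (which should end with RESULT / code: 0) separate that from a protocol error in the script.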
OpenLDAP runs OK, Mac Mail and Address book do not display entries.
by Toomas Vendelin
Hi,
I have set up an OpenLDAP server on a CentOS 5.5 machine and uploaded
test data from an LDIF file. Apache Directory Studio connects to the server
nicely from my Mac and displays the records. Apple Mail and Address
Book also seem to connect OK, but no search results are returned in
Address Book, and e-mails are not auto-completed in Mail.
At the same time, I successfully connect to other publicly accessible
servers, so it is probably a fault in my LDIF data. What is it? Do I
need to use some schema specific to Apple? As for now, only the
default ones are used.
My LDIF data (all characters are fictional):
dn: dc=minu,dc=biz
dc: minu
objectClass: dcObject
objectClass: organization
o: Vendelin & Barilko

dn: ou=people,dc=minu,dc=biz
ou: people
objectClass: organizationalUnit

dn: cn=Deniska Borilko, ou=people,dc=minu,dc=biz
cn: Deniska Borilko
objectClass: inetOrgPerson
sn: Borilko
mail: denis(a)somedomain.com
My LDAP settings both in Mail and address book:
Search base: ou=people,dc=minu,dc=biz
Scope: subtree
Thanks in advance!
Toomas
Content-Based Access Control?
by Frank Rust
Hi all,
Would it be possible to configure content-based access control?
I have the following configuration: my LDAP contains user data.
Some of the users are local ones and have a regular password entry.
They shall be able to change their password.
Other users are remotely authenticated with saslauthd.
They shall not be able to change their 'password' which is just a
redirection.
Example:
dn: uid=remoteuser,ou=People,dc=mydomain,dc=de
uid: remoteuser
cn: Adam Example
uidNumber: 9007
gidNumber: 90
sn: Example
userPassword: {SASL}remoteuser

dn: uid=localuser,ou=People,dc=mydomain,dc=de
uid: localuser
cn: Bruce Somename
uidNumber: 1001
gidNumber: 10
sn: Somename
userPassword: {SHA}03de6c570bfe24bfc328ccd7ca46b76eadaf4334
User localuser shall be able to change his password, user remoteuser
not. Can this be done by a fancy ACL entry, rejecting changes to
passwords starting with '{SASL}'?
Thanks in advance,
Frank
Problem when trying to authenticate squid with openldap server
by Bruno Lamps
Hi everybody,
I spent some days reading the ebook "LDAP for Rocket Scientists" (
zytrax.com/books/ldap/) and I've successfully (I think it's a success =3 )
created a VM with Debian Lenny and OpenLDAP running.
After that, I created another VM, running IPfire (www.ipfire.org) distro,
this will be the firewall of the SMB I'm working for. Now I'm trying to
authenticate the squid proxy, installed in IPFire distro, integrating it
with my openldap server. A screenshot of my IPFire's webGUI and phpldapadmin
webGUI can be seen at this topic:
http://forum.ipfire.org/index.php?topic=3404.0
But the authentication isn't working: the browser using the squid proxy keeps
asking me for username and password. Suspecting that the webGUI could be
making some mistake in the squid config file, I started editing its parameters
manually. Right now, the LDAP authentication line in my squid.conf looks
like this:
auth_param basic program /usr/lib/squid/squid_ldap_auth -D "cn=admin,dc=pisolar" -w "mypassword" -b "ou=usuarios,dc=pisolar" -h 192.168.1.7 -v 3

cn=admin,dc=pisolar = my root user.
ou=usuarios,dc=pisolar = the OU where my users are stored.
I opened slapd in debug mode (slapd -d 255) in my openldap debian-powered
VM, and this is the text shown when I try to authenticate in my browser:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(8):
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 busy
>>> slap_listener(ldap:///)
daemon: listen=8, new connection on 13
daemon: added 13r (active) listener=(nil)
daemon: activity on 2 descriptors
daemon: activity on: 13r
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 34 02 01 01 60 2f 02 04...`/.
ldap_read: want=46, got=46
0000: 01 03 04 20 75 69 64 3d 6c 61 6d 70 73 2c 6f 75 ... uid=lamps,ou
0010: 3d 75 73 75 61 72 69 6f 73 2c 64 63 3d 70 69 73 =usuarios,dc=pis
0020: 6f 6c 61 72 80 08 6c 34 77 64 30 67 67 30 olar..userpassword
ber_get_next: tag 0x30 len 52 contents:
ber_dump: buf=0xa0598a0 ptr=0xa0598a0 end=0xa0598d4 len=52
0000: 02 01 01 60 2f 02 01 03 04 20 75 69 64 3d 6c 61 ...`/.... uid=la
0010: 6d 70 73 2c 6f 75 3d 75 73 75 61 72 69 6f 73 2c mps,ou=usuarios,
0020: 64 63 3d 70 69 73 6f 6c 61 72 80 08 6c 34 77 64 dc=pisolar..userpass
0030: 30 67 67 30 word
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
conn=0 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0xa0598a0 ptr=0xa0598a3 end=0xa0598d4 len=49
0000: 60 2f 02 01 03 04 20 75 69 64 3d 6c 61 6d 70 73 `/.... uid=lamps
0010: 2c 6f 75 3d 75 73 75 61 72 69 6f 73 2c 64 63 3d ,ou=usuarios,dc=
0020: 70 69 73 6f 6c 61 72 80 08 6c 34 77 64 30 67 67 pisolar..userpasswor
0030: 30 d
ber_scanf fmt (m}) ber:
ber_dump: buf=0xa0598a0 ptr=0xa0598ca end=0xa0598d4 len=10
0000: 00 08 6c 34 77 64 30 67 67 30 ..userpassword
>>> dnPrettyNormal: <uid=lamps,ou=usuarios,dc=pisolar>
=> ldap_bv2dn(uid=lamps,ou=usuarios,dc=pisolar,0)
<= ldap_bv2dn(uid=lamps,ou=usuarios,dc=pisolar)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=lamps,ou=usuarios,dc=pisolar)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=lamps,ou=usuarios,dc=pisolar)=0
<<< dnPrettyNormal: <uid=lamps,ou=usuarios,dc=pisolar>, <uid=lamps,ou=usuarios,dc=pisolar>
do_bind: version=3 dn="uid=lamps,ou=usuarios,dc=pisolar" method=128
==> bdb_bind: dn: uid=lamps,ou=usuarios,dc=pisolar
bdb_dn2entry("uid=lamps,ou=usuarios,dc=pisolar")
=> bdb_dn2id("dc=pisolar")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("ou=usuarios,dc=pisolar")
<= bdb_dn2id: got id=0xb
=> bdb_dn2id("uid=lamps,ou=usuarios,dc=pisolar")
<= bdb_dn2id: got id=0x10
entry_decode: "uid=lamps,ou=usuarios,dc=pisolar"
<= entry_decode(uid=lamps,ou=usuarios,dc=pisolar)
=> access_allowed: auth access to "uid=lamps,ou=usuarios,dc=pisolar" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "uid=lamps,ou=usuarios,dc=pisolar", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=pisolar
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying none(=0) (stop)
<= acl_mask: [2] mask: none(=0)
=> slap_access_allowed: auth access denied by none(=0)
=> access_allowed: no more rules
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 13
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 02 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0xa0039c0 ptr=0xa0039c0 end=0xa0039c5 len=5
0000: 02 01 02 42 00 ...B.
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=13 for close
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_close: deferring conn=0 sd=13
conn=0 op=1 do_unbind
connection_resched: attempting closing conn=0 sd=13
connection_close: conn=0 sd=13
daemon: removing 13
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(8):
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 busy
>>> slap_listener(ldap:///)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
=================================
I tried a lot of different config syntaxes in squid.conf, but it
always comes to the same kind of problem in the slapd debug output: after reading the
user CN and his password, slapd fails to read something else (ldap_read:
want=8 error=Resource temporarily unavailable) and then it doesn't
authenticate.
What am I doing wrong? Is there any problem with my OpenLDAP server? With
squid? =(
I'd like to thank you all in advance for any support, and say sorry for my
broken English. =D
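An added example, not part of the post or a reply to it: a small classifier for "slapd -d" traces of a failed simple bind. The trace above ends the bind with "=> slap_access_allowed: auth access denied by none(=0)" followed by "send_ldap_result: err=49", which is an ACL result rather than a wrong password: a simple bind is evaluated as the anonymous identity and needs "auth" access to userPassword before slapd compares the password at all, and err=49 (invalidCredentials) without that "auth access denied" line means the credentials were compared and did not match. The function and the two sample traces are this example's own; the first sample is built from lines of the post, the second is constructed.

```shell
#!/bin/sh
# Added example: read a slapd debug trace on stdin and print one verdict per
# failed simple bind, telling an ACL denial apart from a mismatched password.
classify_bind_trace() {
    dn=""; denied=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "do_bind: version="*)
                # do_bind: version=3 dn="..." method=128  -> remember the DN
                dn=${line#*dn=\"}; dn=${dn%%\"*}; denied=0 ;;
            "=> slap_access_allowed: auth access denied"*)
                denied=1 ;;
            "send_ldap_result: err=49"*)
                if [ "$denied" = 1 ]; then
                    printf 'ACL: auth access to userPassword denied for %s\n' "$dn"
                else
                    printf 'CREDENTIALS: password did not match for %s\n' "$dn"
                fi ;;
        esac
    done
}

sample_trace_acl() {   # constructed from the lines of the trace in the post
    cat <<'EOF'
conn=0 op=0 do_bind
do_bind: version=3 dn="uid=lamps,ou=usuarios,dc=pisolar" method=128
==> bdb_bind: dn: uid=lamps,ou=usuarios,dc=pisolar
=> access_allowed: auth access to "uid=lamps,ou=usuarios,dc=pisolar" "userPassword" requested
<= acl_mask: [2] applying none(=0) (stop)
=> slap_access_allowed: auth access denied by none(=0)
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=49 matched="" text=""
EOF
}

sample_trace_badpw() {   # constructed: same bind, ACL grants auth, password wrong
    cat <<'EOF'
conn=1 op=0 do_bind
do_bind: version=3 dn="uid=lamps,ou=usuarios,dc=pisolar" method=128
=> access_allowed: auth access to "uid=lamps,ou=usuarios,dc=pisolar" "userPassword" requested
=> slap_access_allowed: auth access granted by auth(=xd)
send_ldap_result: conn=1 op=0 p=3
send_ldap_result: err=49 matched="" text=""
EOF
}
```

Usage: `slapd -d 255 2>&1 | classify_bind_trace` while the proxy retries. For the ACL verdict the usual fix in slapd.conf is a userPassword rule that precedes the catch-all, of the form `access to attrs=userPassword by self write by anonymous auth by * none`, so an unauthenticated bind may compare but never read the stored password. The "Resource temporarily unavailable" line is the normal non-blocking read hitting an empty socket after the bind request and is not the error.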
Re: How to set Multiple base dn
by Hallvard B Furuseth
Please keep replies on the list. Then others can help when I'm not
around.
Laurent gobalraja writes:
> In fact i need a complete split of the bases. The reason is that i need
> duplication of cn in both domain and that is not possible in a single base
> as the CN must be unique.
I think you mean "dc" instead of "cn" here, but I don't think that's
what you're supposed to mean:-) Maybe you mean the part of the DN
below the database suffix must include the fully qualified domain name,
like this?
Domain here.org in database foo and there.org in database bar:
database bdb
suffix o=foo
database bdb
suffix o=bar
Object names:
o=foo
dc=org,o=foo
dc=here,dc=org,o=foo
o=bar
dc=org,o=foo
dc=there,dc=org,o=bar
or
o=foo
associatedDomain=here.org,o=foo
o=bar
associatedDomain=there.org,o=bar
'o' is short for organization name. associatedDomain, unlike dc, is
for full domain names. For 'o' you need the organization object class,
for associatedDomain you need domainRelatedObject from cosine.schema.
Anyway, you don't need to use 'dc' if that does not suit you. Look for
attributes and object classes that describe the actual structure of your
intended directory tree. Though note that 'ou' (organizational unit)
is often abused for "container" objects like "ou=people".
>> Or write slapd.conf first according to the Admin Guide and then use
>> sbin/slaptest -f <slapd.conf filename> -F <slapd.d directory>
>> to convert to cn=config format.
>
> Is it safe to make successives updates of slapd.conf and then convert to the
> slapd.d directory directly without removing it each time ?
That's not supposed to work. Maybe you should just stay with slapd.conf
instead? Or find some tool to help edit cn=config - there are supposed
to be several, but I'm not up to date on that.
--
Hallvard
Re: memberof overlay 2.4.08
by Marc Patermann
Hi,
Pierangelo Masarati wrote on 25.03.2008 18:52:
> LALOT Dominique wrote:
>> I'm testing memberof overlay and I'd like to get it working
>> properly for a database migration
>>
>> My tests showed me that's it's working when adding members in
>> groups, but for an initial loading, it does not work.
> Correct.
This still seems to be true.
>> I tested slapadd -q or slapadd without success. Could you tell us,
>> or write something in the documentation to explain, the right way
>> for an initial loading.
> Currently, there is no solution besides writing a script that
> populates the memberOf attribute in the LDIF file.
>
>> When we will be in production, I imagine that sometimes, we can
>> get out of sync between members and memberof. What can we do in
>> such case.
> It should not happen.
I have a lot of syncrepl consumers. For disaster recovery these are
repopulated with slapadd and a recent provider dump.
With overlay memberof this would not work any more, because the memberOf
references are lost on this consumer until the "member" object changes,
right?
> The overlay should be reworked in order to have some means to repair
> its connectivity. This is known but not hardly worked at. You could
> open an ITS requesting this as an enhancement (or a bug fix, it's a
> matter of taste).
Is there any yet or do I have to do it?
Marc
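The script the quoted reply calls for, as an added example (not an OpenLDAP tool and not code from any poster): it writes memberOf into an LDIF dump before slapadd, which is the kind of preprocessing a reload from a dump needs whenever that dump lacks the attribute. The LDIF data inside is constructed; the attribute and object class names are the standard ones, and the DN-matching shortcut is stated in the comments.

```shell
#!/bin/sh
# Added example: populate memberOf in an LDIF before slapadd. The memberof
# overlay only maintains memberOf on live updates, so a dump loaded with
# slapadd must already carry it. add_memberof reads an LDIF in slapcat form
# (one attribute per line, entries separated by a blank line) and appends
# "memberOf: <group dn>" to every entry named by a member (groupOfNames) or
# uniqueMember (groupOfUniqueNames) value; memberOf values already present are
# kept and not duplicated, so re-running is safe. DNs are compared lower-cased
# with whitespace around commas removed (fine for slapcat output, not full DN
# normalisation); base64 ("::") lines are not decoded.
nl='
'
tab=$(printf '\t')

lower()   { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
norm_dn() { lower "$1" | sed 's/[[:space:]]*,[[:space:]]*/,/g'; }

# Pass 1: print "normalised member dn<TAB>group dn" for every group member.
cm_flush() {
    if [ "$isgroup" = 1 ] && [ -n "$members" ]; then
        printf '%s\n' "$members" | while IFS= read -r m; do
            printf '%s\t%s\n' "$(norm_dn "$m")" "$dn"
        done
    fi
    dn=""; isgroup=0; members=""
}
collect_memberships() {   # $1: LDIF file
    dn=""; isgroup=0; members=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$(lower "$line")" in
            "dn: "*) dn=${line#*: } ;;
            "objectclass: groupofnames"|"objectclass: groupofuniquenames") isgroup=1 ;;
            "member: "*|"uniquemember: "*) members="${members:+$members$nl}${line#*: }" ;;
            "") cm_flush ;;
        esac
    done < "$1"
    cm_flush
}

# Pass 2: copy the LDIF, adding missing memberOf lines at the end of each entry.
am_emit() {
    [ -n "$dn" ] || return 0
    key=$(norm_dn "$dn")
    printf '%s\n' "$table" | while IFS="$tab" read -r m g; do
        [ "$m" = "$key" ] || continue
        case "$have" in *"$nl$(norm_dn "$g")$nl"*) continue ;; esac
        printf 'memberOf: %s\n' "$g"
    done
    dn=""; have=""
}
add_memberof() {   # $1: LDIF file; result on stdout
    table=$(collect_memberships "$1")
    dn=""; have=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$(lower "$line")" in
            "dn: "*)       dn=${line#*: }; have="$nl" ;;
            "memberof: "*) have="$have$(norm_dn "${line#*: }")$nl" ;;
            "")            am_emit ;;
        esac
        printf '%s\n' "$line"
    done < "$1"
    am_emit
}

write_sample_ldif() {   # $1: output path; constructed data, not a real directory
    cat > "$1" <<'EOF'
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example

dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=org

dn: cn=staff,ou=groups,dc=example,dc=org
objectClass: groupOfNames
cn: staff
member: uid=Alice, ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=example,dc=org
EOF
}
```

Usage: `add_memberof provider-dump.ldif > with-memberof.ldif` and then `slapadd -q -l with-memberof.ldif` on the consumer; the memberof overlay must be loaded on that consumer (with the same memberof-memberof-ad attribute) so that the values it finds match the ones it will maintain afterwards. It is a two-pass, one-process-per-line shell script, adequate for test trees; for a large dump the same two passes are better done in awk or Python.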