cn=config and authz-regexp
by Julien Vehent
Hi list,
I'm moving a LDAP directory on a freshly installed Debian Squeeze and
I'm discovering cn=config.
On my former installation, I have SASL configured using :
---
authz-regexp "^uid=([^,]+).*,cn=[^,]*,cn=auth$"
"ldap:///dc=domain,dc=net??sub?(uid=$1)"
authz-policy to
password-hash {CLEARTEXT}
---
How do I translate this into cn=config directives ?
I believe it should be stored into
/etc/ldap/slapd.d/cn=config/olcDatabase\=\{1\}hdb.ldif
is that correct ?
Thanks,
Julien
12 years, 3 months
RE: Problems Enabling Authentication using Cyrus SASL
by Fernando Torrez
Hi all
I got work sasl authentication to access ldap server by correcting two things:
1.- inserting the proxyuser's userpassword in clear text (userPassord=secret)
2.- fixing the proxyuser's authzTo atributte to
authzTo: ldap:///ou=people,dc=plainjoe,dc=org??sub?(objectClass=account)
(results at the end of this mail)
As far as it can be seen, there's no need for cyrus-sasl for these matter
but my final purpose is to enable Cyrus-sasl with openldap as
backend to authenticate users for cyrus-imapd and postfix services.
Any hints would be appreciated.
Thanks to all for your support
Fernando
firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: u:test
SASL SSF: 128
SASL data security layer installed.
dn:uid=test,ou=people,dc=plainjoe,dc=org
firewall:~ # ldapsearch -Y digest-md5 -U proxyuser -b 'dc=plainjoe,dc=org' '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: proxyuser
SASL SSF: 128
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=plainjoe,dc=org> with scope subtree
# filter: (objectclass=*)
12 years, 3 months
Re: syncrepl with accesslog not replicating
by Quanah Gibson-Mount
--On Monday, November 29, 2010 10:46 PM +0100 Dieter Kluenter
<dieter(a)dkluenter.de> wrote:
> Quanah Gibson-Mount <quanah(a)zimbra.com> writes:
>
> OK, this is what I had, so going back to original configuration.
You had scope specified, and the missing new line between the syncrepl and
updateref clauses. Please keep this on the list.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
12 years, 3 months
Let user's modify some LDAP entry ?
by Frank Bonnet
Hello
I'm searching for some web based software to let users
modify "some" data in our LDAP database after having
been authenticated.
Typically I would like to let them the possiblity to modify
their loginShell , password , phone number ... etc
Does such software exists ?
Thank you
12 years, 3 months
Using shell database
by krishan kumar
Hello, I have compiled openldap-2.4.23 from source. Recently I am learning
to use shell database so I try running searchexample.sh script file provided
with the openldap sources. But I am not successful in doing so. I think
script is not getting executed and I am not getting any search results.
Search gives the following result-:
#ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W -b 'dc=shell1,dc=com'
'(uid=root)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=shell1,dc=com> with scope subtree
# filter: (uid=root)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
---------------------------------------------------------------------------
My slapd.conf section for shell database is as follows-:
database shell
suffix "dc=shell1,dc=com"
search /usr/local/openldap-test/etc/openldap/searchexample.sh
----------------------------------------------------------------------------
When started slapd with -d 1 option, I am getting following debugging
information upon executing above search example-:
--------------------------------------------------------------------------------------------------------------
<output truncated>..
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 17connection_get(17): got connid=1002
connection_read(17): checking for input on id=1002
ber_get_next
ber_get_next: tag 0x30 len 53 contents:
op tag 0x63, time 1291033804
ber_get_next
conn=1002 op=1 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=shell1,dc=com>
<<< dnPrettyNormal: <dc=shell1,dc=com>, <dc=shell1,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
==> limits_get: conn=1002 op=1 self="cn=manager,dc=example,dc=com"
this="dc=shell1,dc=com"
execv failed
shell: fgets failed: Success (0)
str2result () expecting "RESULT"
send_ldap_result: conn=1002 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 17
connection_get(17): got connid=1002
connection_read(17): checking for input on id=1002
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1291033804
ber_get_next
conn=1002 op=2 do_unbind
connection_close: conn=1002 sd=17
----------------------------------------------------------------------------------------------------------------------
Please help me to got shell database working.
Thanks.
12 years, 3 months
OpenLDAP runs OK, Mac Mail and Address book do not display entries.
by Toomas Vendelin
Hi,
I have set up an OpenLDAP server on a CentOS 5.5 machine and uploaded
test data from ldif file. Apache directory studio connects to server
nicely from my Mac and displays the records. Apple Mail and address
book also seem to connect OK, but no search results returned in
Address Book, and e-mails are not auto-completed in Mail.
At the same time, I successfully connect to other publicly accessible
servers, so it is probably a fault in my LDIF data. What is it? Do I
need to use some schema specific to Apple? As for now, only the
default ones are used.
My LDIF data (all characters are fictional):
Code:
dn: dc=minu,dc=biz
dc: minu
objectClass: dcObject
objectClass: organization
o: Vendelin & Barilko
dn: ou=people,dc=minu,dc=biz
ou: people
objectClass: organizationalUnit
dn: cn=Deniska Borilko, ou=people,dc=minu,dc=biz
cn: Deniska Borilko
objectClass: inetOrgPerson
sn: Borilko
mail: denis(a)somedomain.com
My LDAP settings both in Mail and address book:
Code:
Search base: ou=people,dc=minu,dc=biz
Scope: subtree
Thanks in advance!
Toomas
12 years, 3 months
Content-Based Access Control?
by Frank Rust
Hi all,
would it be possible to configure a content-based access control?
I have following configuration: my ldap contains user data.
Some of the users are local ones and have a regular password entry.
They shall be able to change their password.
Other users are remotely authenticated with saslauthd.
They shall not be able to change their 'password' which is just a
redirection.
Example:
dn: uid=remoteuser,ou=People,dc=mydomain,dc=de
uid: remoteuser
cn: Adam Example
uidNumber: 9007
gidNumber: 90
sn: Example
userPassword: {SASL}remoteuser
dn: uid=localuser,ou=People,dc=mydomain,dc=de
uid: localuser
cn: Bruce Somename
uidNumber: 1001
gidNumber: 10
sn: Somename
userPassword: {SHA}03de6c570bfe24bfc328ccd7ca46b76eadaf4334
User localuser shall be able to change his password, user remoteuser
not. Can this be done by a fancy ACL entry, rejecting to change
passwords starting with '{SASL}' ?
Thanks in advance,
Frank
12 years, 3 months
Problem when trying to authenticate squid with openldap server
by Bruno Lamps
Hi everybody,
I spent some days reading the ebook "Ldap for rocket scientists" (
zytrax.com/books/ldap/) and I've succesfully (I think it's a success =3 )
created a VM with debian lenny and openldap running.
After that, I created another VM, running IPfire (www.ipfire.org) distro,
this will be the firewall of the SMB I'm working for. Now I'm trying to
authenticate the squid proxy, installed in IPFire distro, integrating it
with my openldap server. A screenshot of my IPFire's webGUI and phpldapadmin
webGUI can be seen at this topic:
http://forum.ipfire.org/index.php?topic=3404.0
But the authentication isn't running, the browser using squid proxy keeps
asking me for username and password. Suspecting that the webGUI could be
making some mistake in squid config file, I started editing it's parameters
manually. Right now, the ldap authentication line in my squid.conf looks
like this:
*auth_param basic program /usr/lib/squid/squid_ldap_auth -D
"cn=admin,dc=pisolar" -w "mypassword" -b "ou=usuarios,dc=pisolar" -h
192.168.1.7 -v 3*
*
*
*cn=admin,dc=pisolar *= my root user.
*
*
*ou=usuarios,dc=pisolar *= the OU where my users are stored.
*
*
I opened slapd in debug mode (slapd -d 255) in my openldap debian-powered
VM, and this is the text shown when I try to authenticate in my browser:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(8):
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 busy
>>> slap_listener(ldap:///)
daemon: listen=8, new connection on 13
daemon: added 13r (active) listener=(nil)
daemon: activity on 2 descriptors
daemon: activity on: 13r
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 34 02 01 01 60 2f 02 04...`/.
ldap_read: want=46, got=46
0000: 01 03 04 20 75 69 64 3d 6c 61 6d 70 73 2c 6f 75 ... uid=lamps,ou
0010: 3d 75 73 75 61 72 69 6f 73 2c 64 63 3d 70 69 73 =usuarios,dc=pis
0020: 6f 6c 61 72 80 08 6c 34 77 64 30 67 67 30
olar..userpassword
ber_get_next: tag 0x30 len 52 contents:
ber_dump: buf=0xa0598a0 ptr=0xa0598a0 end=0xa0598d4 len=52
0000: 02 01 01 60 2f 02 01 03 04 20 75 69 64 3d 6c 61 ...`/.... uid=la
0010: 6d 70 73 2c 6f 75 3d 75 73 75 61 72 69 6f 73 2c mps,ou=usuarios,
0020: 64 63 3d 70 69 73 6f 6c 61 72 80 08 6c 34 77 64
dc=pisolar..userpass
0030: 30 67 67 30 word
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
conn=0 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0xa0598a0 ptr=0xa0598a3 end=0xa0598d4 len=49
0000: 60 2f 02 01 03 04 20 75 69 64 3d 6c 61 6d 70 73 `/.... uid=lamps
0010: 2c 6f 75 3d 75 73 75 61 72 69 6f 73 2c 64 63 3d ,ou=usuarios,dc=
0020: 70 69 73 6f 6c 61 72 80 08 6c 34 77 64 30 67 67
pisolar..userpasswor
0030: 30 d
ber_scanf fmt (m}) ber:
ber_dump: buf=0xa0598a0 ptr=0xa0598ca end=0xa0598d4 len=10
0000: 00 08 6c 34 77 64 30 67 67 30 ..userpassword
>>> dnPrettyNormal: <uid=lamps,ou=usuarios,dc=pisolar>
=> ldap_bv2dn(uid=lamps,ou=usuarios,dc=pisolar,0)
<= ldap_bv2dn(uid=lamps,ou=usuarios,dc=pisolar)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=lamps,ou=usuarios,dc=pisolar)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=lamps,ou=usuarios,dc=pisolar)=0
<<< dnPrettyNormal: <uid=lamps,ou=usuarios,dc=pisolar>,
<uid=lamps,ou=usuarios,dc=pisolar>
do_bind: version=3 dn="uid=lamps,ou=usuarios,dc=pisolar" method=128
==> bdb_bind: dn: uid=lamps,ou=usuarios,dc=pisolar
bdb_dn2entry("uid=lamps,ou=usuarios,dc=pisolar")
=> bdb_dn2id("dc=pisolar")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("ou=usuarios,dc=pisolar")
<= bdb_dn2id: got id=0xb
=> bdb_dn2id("uid=lamps,ou=usuarios,dc=pisolar")
<= bdb_dn2id: got id=0x10
entry_decode: "uid=lamps,ou=usuarios,dc=pisolar"
<= entry_decode(uid=lamps,ou=usuarios,dc=pisolar)
=> access_allowed: auth access to "uid=lamps,ou=usuarios,dc=pisolar"
"userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "uid=lamps,ou=usuarios,dc=pisolar", attr
"userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=pisolar
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying none(=0) (stop)
<= acl_mask: [2] mask: none(=0)
=> slap_access_allowed: auth access denied by none(=0)
=> access_allowed: no more rules
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 13
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 02 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0xa0039c0 ptr=0xa0039c0 end=0xa0039c5 len=5
0000: 02 01 02 42 00 ...B.
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=13 for close
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_close: deferring conn=0 sd=13
conn=0 op=1 do_unbind
connection_resched: attempting closing conn=0 sd=13
connection_close: conn=0 sd=13
daemon: removing 13
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(8):
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 busy
>>> slap_listener(ldap:///)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
=================================
I tried to set a lot of different config syntaxes at squid.conf, but it
always come to the same kind of problem at slapd debug: After reading the
user CN and his password, slapd fails to read something else (ldap_read:
want=8 error=Resource temporarily unavailable) and then it doesn't
authenticates.
What I'm doing wrong? Is there any problem with my openldap server? With
squid? =(
I'd like to thank you all in advance for any support, and say sorry for my
broken english. =D
12 years, 4 months
Re: How to set Multiple base dn
by Hallvard B Furuseth
Please keep replies on the list. Then others can help when I'm not
around.
Laurent gobalraja writes:
> In fact i need a complete split of the bases. The reason is that i need
> duplication of cn in both domain and that is not possible in a single base
> as the CN must be unique.
I think you mean "dc" instead of "cn" here, but I don't think that's
what you're supposed to mean:-) Maybe you mean the part of the DN
below the database suffix must include the fully qualified domain name,
like this?
Domain here.org in database foo and there.org in database bar:
database bdb
suffix o=foo
database bdb
suffix o=bar
Object names:
o=foo
dc=org,o=foo
dc=here,dc=org,o=foo
o=bar
dc=org,o=foo
dc=there,dc=org,o=bar
or
o=foo
associatedDomain=here.org,o=foo
o=bar
associatedDomain=there.org,o=bar
'o' is short for organization name. associatedDomain, unlike dc, is
for full domain names. For 'o' you need the organization object class,
for associatedDomian you need domainRelatedObject from cosine.schema.
Anyway, you don't need to use 'dc' if that does not suit you. Look for
attributes and object classes that describe the actual structure of your
intended directory tree. Though note that 'ou' (organizational unit)
is often abused for "container" objects like "ou=people".
>> Or write slapd.conf first according to the Admin Guide and then use
>> sbin/slaptest -f <slapd.conf filename> -F <slapd.d directory>
>> to convert to cn=config format.
>
> Is it safe to make successives updates of slapd.conf and then convert to the
> slapd.d directory directly without removing it each time ?
That's not supposed to work. Maybe you should just stay with slapd.conf
instead? Or find some tool to help edit cn=config - there are supposed
to be several, but I'm not up to date on that.
--
Hallvard
12 years, 4 months
Re: memberof overlay 2.4.08
by Marc Patermann
Hi,
Pierangelo Masarati schrieb am 25.03.2008 18:52 Uhr:
> LALOT Dominique wrote:
>> I'm testing memberof overlay and I'd like to get it working
>> properly for a database migration
>>
>> My tests showed me that's it's working when adding members in
>> groups, but for an initial loading, it does not work.
> Correct.
This still seams to be true.
>> I tested slapadd -q or slapadd without success. Could you tell us,
>> or write something in the documentation to explain, the right way
>> for an initial loading.
> Currently, there is no solution besides writing a script that
> populates the memberOf attribute in the LDIF file.
>
>> When we will be in production, I imagine that sometimes, we can
>> get out of sync between members and memberof. What can we do in
>> such case.
> It should not happen.
I have a lot of syncrepl consumers. For disaster recovery these are
repopulated with slapadd and a recent provider dump.
With overlay memberof this would not work any more, because the memberOf
references are lost on this consumer until the "member" object changes,
right?
> The overlay should be reworked in order to have some means to repair
> its connectivity. This is known but not hardly worked at. You could
> open an ITS requesting this as an enhancement (or a bug fix, it's a
> matter of taste).
Is there any yet or do I have to do it?
Marc
12 years, 4 months
