openldap-technical December 2010

openldap-technical@openldap.org

82 participants
96 discussions

invalid credentials (49) for normal user
by rui 25 Dec '10

25 Dec '10

Hi, I have imported my passwd and groups file in ldap using migrate_all_online.sh script. I am able to simple bind to ldap using binddn= uid=root,ou=People,o=M1,c=GB but i can't seem to bind with any other user like rui etc with their linux password. Its says invalid credentials. I need to bind for authentication and then get all the primary and secondary groups of a user(how can i do that). Why am i having this problem - do i have to do something extra? When bound as root, if i do "memberUid=root" i get all the secondary groups but i want to do it for any user. I am using c ldap api at the moment. Here is my slapd.conf file: ################################################## # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/dyngroup.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/misc.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/openldap.schema ####################################################################### # ldbm database definitions ####################################################################### database ldbm suffix "o=M1,c=GB" rootdn "uid=root,ou=People,o=M1,c=GB" rootpw abc123 directory /var/lib/ldap # Indices to maintain index objectClass,uid,uidNumber,gidNumber eq index cn,mail,surname,givenname eq,subinitial # # ACLs # #access to dn="ou=People,o=M1,c=GB" #attr=userPassword #by self write #by dn="uid=root,ou=People,o=M1,c=GB" write #by * auth access to dn=".*,o=M1,c=GB" by self write #by dn="uid=root,ou=People,o=M1,c=GB" write #by * read access to dn=".*,o= M1,c=GB" #by * read defaultaccess read access to attr=userpassword by self write by dn="uid=root,ou=People,o=M1,c=GB" write by * read access to * by self write by dn=".+" read by * read ############################################### Regards, rui

2 1

Openldap Authentication
by Sachin Bhugra 23 Dec '10

23 Dec '10

Hi All, I have configured a ldap server and trying to login to same ldap server using a ldap user. However, I am not able to login and getting the following in /var/log/secure: Dec 22 20:06:29 redhat5 sshd[7241]: Invalid user ldapu1 from 192.168.85.1 Dec 22 20:06:31 redhat5 sshd[7242]: input_userauth_request: invalid user ldapu1 Dec 22 20:06:37 redhat5 sshd[7241]: pam_unix(sshd:auth): check pass; user unknown Dec 22 20:06:37 redhat5 sshd[7241]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.85.1 Dec 22 20:06:37 redhat5 sshd[7241]: pam_succeed_if(sshd:auth): error retrieving information about user ldapu1 Dec 22 20:06:39 redhat5 sshd[7241]: Failed password for invalid user ldapu1 from 192.168.85.1 port 4461 ssh2 Following appears in ldap.log: Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=30 SRCH base="ou=Users,dc=homeldap,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapu1))" Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=30 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=30 SEARCH RESULT tag=101 err=0 nentries=0 text= Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=31 SRCH base="ou=Computers,dc=homeldap,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=ldapu1))" Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=31 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass Dec 22 20:07:52 redhat5 slapd[2966]: conn=1 op=31 SEARCH RESULT tag=101 err=0 nentries=0 text= I can see that if I use the ldapsearch with same filter, I am not able to locate the user "ldapu1". However, if I change the filter to (|(objectClass=posixAccount)(uid=ldapu1))", it shows me the ldap user: ============= [root@redhat5 ~]# ldapsearch -x -b "ou=Users,dc=homeldap,dc=com" -D "cn=Manager,dc=homeldap,dc=com" -W -H "ldap://127.0.0.1/" "(|(objectClass=posixAccount)(uid=ldapu1))" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=Users,dc=homeldap,dc=com> with scope subtree # filter: (|(objectClass=posixAccount)(uid=ldapu1)) # requesting: ALL # # ldapu1, Users, homeldap.com dn: cn=ldapu1,ou=Users,dc=homeldap,dc=com objectClass: inetOrgPerson cn: ldapu1 sn: ldapu1 uid: ldapu1 userPassword:: bGRhcHV1MQ== # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 ============= Can someone please tell me where I have made a mistake? -- Is it necessary to create an account on Linux box and then migrate it to ldap? -- I was just wondering if I can somehow change the default filter from AND to OR at the time of login. I used "pam_filter |objectClass=inetOrgPerson" in ldap.conf however, it didn't change the filter. Regards,

2 1

Is large size of __db file a problem?
by Amol Kulkarni 22 Dec '10

22 Dec '10

Hi List, On one of my servers, the size of a __db file is about 1.9 gb. What does this mean ? Will it cause prbs? The bdb cachesize is also set to about 1.9 gb on this server bcos the that is the size of .bdb files. The server has 4gb ram and 8gb swap. Kindly share your learnings and experiences about this. Thanks and Regards, Amol.

1 0

doubt about cache tuning
by Amol Kulkarni 22 Dec '10

22 Dec '10

Hi List, I read the performance tuning document in the openldap admin guide. It says ideal case is to allocate cachesize for all entries in ldap. In case I do set cachesize for all entries, is it necessary to allocate cache for bdb in the DB_CONFIG ? Currently I'm facing a problem on a server where I've foll. config : slapd.conf : cachesize 419363 idlcachesize 419363 the cachesize here is the number of entries in ldap. Also in DB_CONFIG, I have set set_cachesize 0 2026582016 1 This cache size in DB_CONFIG is abt 1.9 gb. It was calculated by adding file sizes of all .bdb files in the ldap data folder. The problem is that the slapd process is using more than 100% cpu ( on a multicpu server ) . The usage does fluctuate from 20% to 200%. Higher cpu usage is triggered when there are ldap write operations. I doubt that I have overtuned the cache. Kindly share your learnings and experiences. Thanks and Regards, Amol

1 0

Enable SASL and GSSAPI authentication
by Jörg Herzinger 22 Dec '10

22 Dec '10

Hi, I've been running openLDAP with GSSAPI authentication for quite a while now and everything has been running quite fine. The last days I tried enabling SASL password auth as described in [1] Now password authentication works fine, but it seems that GSS somehow has been disabled: root@ldap1 ~ # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms dn: While without SASL enabled I get: root@ldap1 ~ # ldapsearch -x -H ldap:// -b '' -s base -LLL supportedSASLMechanisms dn: supportedSASLMechanisms: GSSAPI Is it possible to enable both, GSS and SASL pass through auth? I checked the dokumentation and couldn't find a clue if it is or not. openLDAP version is 2.4.11 on Debian Lenny, Kerberos is MIT version 1.6 also on Lenny. Slapd config can be found here [2] tia, Jörg Herzinger [1] http://www.openldap.org/doc/admin24/security.html#Pass-Through authentication [2] https://github.com/joerg/global2000-puppet/blob/master/modules/ldapserver/t…

3 4

adding a custom objectClass
by Troy Knabe 21 Dec '10

21 Dec '10

I just figured out creating custom schema definitions for 2.3, and now I am trying to move that to 2.4 and cn=schema,cn=config. I have an existing schema definition: dn: cn={3}ours,cn=schema,cn=config with attributes and one objectClass. I would like to add another objectClass that inherits from the current one. Here is the current one: olcObjectClasses: {0}( 1.3.6.1.4.1.32879.1 NAME 'myobjclass' DESC 'Custom ObjectClass ' SUP inetOrgPerson STRUCTURAL MAY ( userType $ gradeLevel $ mailHost $ mailalternateaddress ) ) Here is the LDIF of what I am trying to add: dn: cn={3}ours,cn=schema,cn=config objecClass: olcSchemaConfig cn: {3}ours olcObjectClasses: ( 1.3.6.1.4.1.32879.1.0.1 NAME 'eSIS' DESC 'Custom ObjectClass2' SUP myobjclass MAY (gender $ birthdate $ pupilNumber $ ssIdNumber $ withdrawlDate $ homeRoom $ sped $ lep $ school)) But I am getting this error. (I have confirmed that all of the MAY attributes are defined in the schema. ldap_add: Undefined attribute type (17) additional info: objecClass: attribute type undefined

2 2

Can't read attribute except as root
by Richard Connon 20 Dec '10

20 Dec '10

Hi. I'm having some trouble reading certain attributes using non-root DNs on my directory. My olcAccess attributes on the relevant database are these: olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell,gecos by self write by anonymous auth by * none olcAccess: {1}to * by * read My understanding suggests that the second line should allow any user and even anonymous to read all attributes but I can't read the loginShell attribute as anonymous

2 1

Re: Filesystem & backend options for embedded openldap
by Bruce Edge 20 Dec '10

20 Dec '10

On Sat, Dec 18, 2010 at 12:26 PM, Peter Lambrechtsen <plambrechtsen(a)gmail.com> wrote: > Or perhaps TinyLdap? http://www.fefe.de/tinyldap/ > > Also FreeRadius (if your app's support Radius and LDAP) supports a myriad of > backend databases. > Hmm, very interesting. I was not aware of this project. My concern is that there's been very little activity on the project in recent years. Is there no simple, reliable, backend config for openldap? I'm not concerned with speed, just reliability and data integrity. I'd settle for a 10x performance penalty for data integrity. -Bruce > On Sun, Dec 19, 2010 at 5:59 AM, Bruce Edge <bruce.edge(a)gmail.com> wrote: >> >> On Sat, Dec 18, 2010 at 12:19 AM, Peter Lambrechtsen >> <plambrechtsen(a)gmail.com> wrote: >> > Why don't you use SQLite instead??? It's pretty rock solid backend >> > database. >> > >> > Unless your client side only wants to talk LDAP. >> >> Hi, >> Thanks the the response. One of the reasons for ldap is that it >> handles all the authentication for a lot of the packages we're using >> out of the box so it was a natural progression to extend it to handle >> the other data we need as well. >> The only probems, it appears, is how to make it more failsafe on the back >> end. >> >> -Bruce >> >> > >> > On Sat, Dec 18, 2010 at 6:48 AM, Bruce Edge <bruce.edge(a)gmail.com> >> > wrote: >> >> >> >> Perhaps a bit more detail... >> >> During testing our developers frequently hang the target machines. >> >> This usually results in a corrupted ldap database even though no write >> >> activity was present on the box since long before the crash. >> >> >> >> What ldap config tuning options are required to get slapd to sync the >> >> backend to a state where power loss / kernel crashes do not corrupt >> >> the data? >> >> >> >> Thanks >> >> >> >> -Bruce >> >> >> >> On Wed, Dec 15, 2010 at 10:25 AM, Bruce Edge <bruce.edge(a)gmail.com> >> >> wrote: >> >> > I'm working on an embedded system for which I would like to use >> >> > openldap as the means of config storage. >> >> > I've spent a lot of time RTFM'ing and still feel that there is a lot >> >> > that is escaping me as far as the optimal configuration. >> >> > >> >> > If the primary goal is data safety and zero human intervention, what >> >> > would be the optimal combination of file system / backend storage / >> >> > and config options? >> >> > >> >> > I would like to never have to manually recover a database and have it >> >> > gracefully recover from power failures. Speed is not an issue as it's >> >> > very low traffic. Integritiy is everything. >> >> > It's target storage is a USB flash device. Are there any special >> >> > considerations WRT flash storage and ldap? >> >> > >> >> > Thanks in advance. >> >> > >> >> > -Bruce >> >> > >> > >> > > >

4 7

Constant invalid credentials error (49)
by gael therond 19 Dec '10

19 Dec '10

Dear members, I installing/configuring a new OpenLDAP server with compiled sources today. But unfortunatly I got a serious issue with this server. Here are the specs: OpenLDAP Slapd 2.4.23. Configure Commands: ./configure --prefix=/usr/local/ldap/ --sysconfdir=/etc/ldap/ --enable-ipv6=no --enable-dynacl --enable-cleartext=no --enable-crypt --enable-lmpasswd --enable-rlookups --enable-backends=no --enable-bdb --enable-dnssrv --enable-ldap --with-tls --enable-kerberos "Make" commands have been correctly and without errors tested. But now, if I launch my slapd, and if I want to access it throught a LDAP Browser, for exemple JXplorer, I can't. I've got an Invalid Credentials error = 49 message. Here is link my slapd.conf and ACL file.(Pastebin): slapd.conf: http://pastebin.com/3bfu5exy acl file: http://pastebin.com/wJUjJAT0 If I try to pass the following command to change the password and connect me with the new one but it failed: ldappasswd -x -v -D "cn=manager,dc=lab,dc=geka" -A -S -W Then when it ask me the old password I type "test" without the ", then I confirm it. The following message ask me to a new password, that I type (123123 for informations) and confirm again. Then it ask me for the LDAP Password, and so I test with 123123 without success. Same way if I test with the following command and test as password: ldappasswd -v -D "cn=manager,dc=lab,dc=geka" -W Here is the error message: ldap_bind: Invalid credentials (49) I now my password, 'cause it's simply write on the slapd.conf file, but it seems that the LDAP server refuse any connections.

2 1

LDAP installation
by Stefano Malini 18 Dec '10

18 Dec '10

Dear all, i'm installing OpenLdap 2.4.23 on a virtual box with linux ubuntu 2.4.31-14 in /usr/local/. I first succesfully installed Berkeley DB 4.8.26 always in /usr/local/ My problem is launching ./configure command from OpenLDAP directory. The last lines are: checking db.h usability... no checking db.h presence... no checking for db.h... no configure: error: BDB/HDB: BerkeleyDB not available Could you help me, please? Thank you very much, Stefano

3 5

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2010